The Commission on Elections (Comelec) owes the voting public an explanation on the use of unauthorized servers and the unauthorized introduction of a script into the transparency server, which puts the credibility and integrity of elections in question.
The transparency server has been in use since the 2010 National and Local Elections. While sanctioned by the Comelec, there is absolutely no reference to its use in the Automated Election Law. Each precinct count optical scan (PCOS), renamed vote counting machine (VCM), is supposed to directly transmit the vote counts to the city or municipality canvassing and consolidation server (C/M CCS) to which a PCOS/VCM is assigned, and the servers of the majority party, the dominant minority party, the Kapisanan ng Brodkasters sa Pilipinas and the accredited citizens’ arm. As implemented, the PCOS/VCM transmits the election return it generates to the C/M CCS, to the central server, and the transparency server. Comelec accredited recipients receive the election returns via the transparency server or its mirror but not in the format as transmitted from the PCOS/VCM. The election returns undergo format conversion from “election markup language” to “comma separated values,” the format accredited recipients receive.
The conversion of the election returns from one format to another is an unnecessary step. The election returns generated by the PCOS/VCM are supposed to have been digitally signed by the members of the Board of Election Inspectors. If digital signing is properly implemented, the key used to encrypt the election returns prior to transmission has a corresponding key that can be used by a recipient to decrypt the election returns. Citing data security concerns, the Comelec which had sole control over the process of data format conversion had refused to release the keys that would have allowed the accredited recipients to decrypt the election returns on their own.
The results generated from the transparency server may be unofficial but such results served to counter check the official results. After all, the transparency server theoretically receives the same official copies of the election returns. But the assumption does not always hold. Case in point is the issue raised by the Confederation of Non-Stock Savings and Loan Associations (CONSLA) Party List. It had asked the Comelec to conduct an investigation into what it alleges as a case of manipulation of the results of the May 9 National and Local Elections. It cites the discrepancy of the vote counts it garnered based on the count made by the Parish Pastoral Council for Responsible Voting (PPCRV) vis-à-vis the counts done by the Comelec.
In 2013, the transparency server worked in conjunction with a “work file” server. The Comelec Advisory Council, in its 2013 post-election report, cites that the “work file” server “may have made the system vulnerable, resulting in security breach, open to online interference or manipulation.” The “work file” server was uncovered when Smartmatic-TIM personnel were made to explain the deletion of certain files from the transparency server.
Following the conclusion of the 2016 national and local elections, Smartmatic’s Marlon Garcia admitted to the existence of a “fourth server” and other servers in a “meet-me room” (MMR). The admission came about during the preliminary investigation of the case filed for violation of the Cybercrime Prevention Act against Smartmatic and Comelec personnel.
The “meet me room” is where all telecommunications services converge and the servers in the “meet-me room” are supposed to serve only a pass-through function. A look into the transmission of election returns from some 92,509 PCOS/VCMs shows that transmissions reached a peak rate of over 2,100 election returns per minute during the period 6:30 pm to 6:38 PM on May 9, 2016. At the end of this peak period, some 28.36 percent of expected election returns had been received. By 7:30 pm, about 51.85 percent of expected election returns had been received. By 11:59 pm of May 9, 2016, about 81.16 percent of all expected election returns had been received. The risk of data loss may have been mitigated by the “meet-me room” servers, especially during the peak period. However, it is unknown if the “meet-me room” servers served other functions since the “meet-me room” did not undergo review by interested political parties and groups.
Let’s face IT! The non-disclosure of the “meet-me room,” coupled with the unauthorized introduction of a script in the transparency server during live operations have certainly placed a cloud of doubt over the credibility of the election results and the integrity of the automated election system. The Comelec certainly has some explaining to do – before the 2019 midterm elections.