Automated Election System (AES) Watch has again predicted that on February 9, 2016, three (3) months before the national and local elections (NLEs) on May 9, 2016, Comelec will not comply with RA 9369 or the automated election law. The prediction is based on Comelec’s past performances in 2010 and 2013, specifically its violation of Section 11 and other provisions associated with information technology (IT).
Section 11 stipulates that the Comelec’s Technical Evaluation Committee (TEC) shall certify, through an established international certification entity (ICE), not later than three (3) months before the date of the electoral exercises, categorically stating that the Automated Election System, including its hardware and software components, is operating properly, securely, and accurately, in accordance with the provisions of RA 9369 based, among others, on the following \results (which should be documented results):
1. The successful conduct of a field testing process followed by a mock election event in one or more cities/municipalities;
2. The successful completion of audit on the accuracy, functionally and security controls of the AES software;
3. The successful completion of a source code review;
4. A certification that the source code is kept in escrow with the Bangko Sentral ng Pilipinas (BSP);
5. A certification that the source code reviewed is one and the same as that used by the equipment; and
6. The development, provisioning, and operationalization of a continuity plan to cover risks to the AES at all points in the process such that a failure of elections, whether at voting, counting or consolidation, may be avoided.
Since Comelec has not complied with Section 37 of RA 9369 since January 2007, there has been no promulgated Implementing Rules and Regulations (IRR) as reference for detailed proper actions in handling the AES project or even in interpreting the provisions of the AES law correctly. After nine (9) years, Comelec never bothered to comply and will never conform until May 9, 2016. But for all election-related laws (e.g., Biometrics), Comelec promulgated its corresponding IRRs.
What could be the problem that prevents Comelec from promulgating the Implementing Rules and Regulation? Don’t they have the capacity to do it when in fact Comelec has lots of lawyers? From another perspective, Comelec has been receiving taxpayers’ money worth billions of pesos but not a single cent was allotted to tap professionals who can help them craft the implementing rules and regulations. Without the IRR, how can the Comelec properly assess the performance of the people and companies involved in implementing the Automated Election System?
Without IRR, how do you interpret Section 11? It is very clear that the TEC shall certify those six documented results through an ICE (i.e., SLI Global Solutions for 2010, 2013 and 2016). But what really happened in the past NLEs?
Let’s review the 2013 certifications as embodied in TEC Resolution No. 2013-001 and its Annexes posted at https://www.comelec.gov.ph/?r=Archives/RegularElections/2013NLE/Resolutions/tecres2013001&bn=Back+to+Search+Results&b=search%26searchbox%3DTEC%2Bcertification%23ps3227.
Certification 1. You may notice that the certification shown in Annex B was signed by the Comelec’s Project Director stating that Comelec successfully did the field testing on January 26, 2013 in eighteen (18) areas and the mock election events on February 9, 2013 in ten (10) municipalities. Was it signed by the International Certification Entity (ICE)? No! Is there a statement whether said events used digital signatures in electronically transmitting election results? None! Section 30 stipulates that the authentication of transmitted election results shall conform to the certification procedures for electronic signatures as provided in RA 8792 or the e-Commerce Act as well as the rules promulgated by the Supreme Court.
Certification 2. The accuracy, functionality and security controls of the AES software were made by the International Certification Entity (ICE) and this must have been done for a certain number of equipment in Denver and Manila (Annex A). Well, if you are talking about 80,000 PCOS machines and 2,000 CCS servers in the past NLEs, that’s a different story. If you take a closer look at Annex G regarding ‘compensating controls,’ there are no comments for ‘test plan procedure’ concerning ‘acceptance testing’ and ‘certification testing.’ Does it mean that those AES equipment in 2010 and 2013 did not pass through the said tests and certifications? Most likely they did not! Hence, Comelec is required to certify those 93,977 PCOS or VCMs and 2,000 CCS servers to be working perfectly by February 9! Let the TEC put the necessary label (e.g., sticker or seal) to indicate that each machine really went through TEC certification. Through an International Certification Entity? Well, the law says so.
Certification 3. In Denver, an International Certification Entity (ICE) performed a static review and analysis of the voting system’s modified source code as provided by Smartmatic and they found no malicious code therein (Annex A). Since the law says successful completion of a source code review, it must be taken in the context of Section 14 – Examination and testing of equipment or device of the AES and opening of the source code for review by political parties and candidates or their representatives, citizens’ arm or their representatives. None of this thing transpired in the past! Though there’s an ongoing source code review happening in Manila based on Section 14, its results should be compared with ICE’s source code review and the certification should be accomplished before February 9! This is likewise related to Certification 2; that means, the procedures in doing the tests may be done too by political parties, et al. Will Comelec allow them to do the tests? How?
(To be continued)