Last of two parts
Certification 4: A certification that the source code is kept in escrow with the Bangko Sentral ng Pilipinas (BSP). There is no Annex that would show certification that the source code is kept in escrow with the Bangko Sentral ng Pilipinas (BSP). The only document related to BSP is the letter of the Comelec’s Project Director to the TEC Chairman dated February 9, 2013 (Annex B): “…As regards the PCOS binaries, CCS code and other applications built by SLI Global System, Inc. during the Trusted Build activity in Manila last January 10, 2013, the same shall be deposited with the Bangko Sentral ng Pilipinas as soon as the new Escrow Agreement is agreed upon and finalized…” What? No agreement yet despite the deadline of three months before the 2013 elections! Is that the usual management practice in Comelec—not to meet deadlines? Or is it ineptness? What about for 2016 national and local elections (NLEs), is there an Escrow Agreement already with BSP? Maybe none yet up to now!
Ironically, when Comelec imposes deadlines, they ensure that it happens! Take for example the recent “No Bio, No Boto” campaign deadline on October 31, 2015. They stood firm with it! Who suffered then? Our 2.5 million registered voters who are now disenfranchised! Guess what, when Comelec breaks a certain deadline or violates any provisions of RA 9369, nobody in their office is sanctioned!
The law says “through the International Certification Entity (ICE).” What is now the role of the ICE (i.e., SLI Global Solutions) pertaining to the BSP matter? How will Comelec interpret this provision of the law?
Certification 5: A certification that the source code reviewed is one and the same as that used by the equipment. Interpreting this provision of the law would mean so much vis-à-vis AES accuracy, functionality and security controls (i.e. related to Certification 2). Since Comelec has not promulgated the Implementing Rules and Regulations (IRR) of RA 9369 since 2007 (i.e., 9 years have passed already), they just relied solely on what the ICE had done. The 2013 certification of ICE (Annex A) revealed that the remaining open “Major” discrepancies from the May 2011 base source code (i.e., read Let’s Face IT article of Lito Averia dated December 23, 2015) were determined to be satisfactorily resolved. The said 2011 base source code was also the one used in 2010; that means, the 2010 base source code had problems and were found to be resolved at the time of 2013 certification.
Assuming that the ICE would be able to certify the new customized source codes of the vote counting machine (VCM) or PCOS, canvassing and consolidation system (CCS) and election management system, and that no findings would be assessed by the political parties, et al., before February 9, 2016, a question arises as to how will the CCS servers and VCMs be protected from tampering within Comelec up to its deployment in the municipalities and precincts, respectively, in the 2016 NLEs. Will the said machines be sealed and protected with locks prior to final testing and sealing and prior to the actual day of elections to prevent altering of the systems? Will the compact flash (CF) memory cards of the VCMs be installed prior to deployment such that removal of which would need a process of authorization to prevent system tampering? In the absence of IRR, how can Comelec protect the chain of custody of these machines so as to maintain the integrity of “the source code reviewed is one and the same as that used by the equipment?” Who should be accountable if the chain of custody is compromised? How will Comelec mitigate the underlying critical risks?
But reality bites! What’s the use of source code review when those reviewed safeguards were disabled before the elections? A very specific case was Comelec’s resolution days before elections in 2010 to disable the PCOS’ ultra-violet security mark sensor, a functionality that determines the genuineness of a ballot. Instead, Comelec purchased handheld UV readers that were not even used during the 2010 elections – displaying an irrational way of thinking! It was merely a violation of the law contradicting that “the source code reviewed is one and the same as that used by the equipment” and that making the ICE’s certification useless!
Certification 6: The development, provisioning, and operationalization of a continuity plan to cover risks to the AES at all points in the process such that a failure of elections, whether at voting, counting or consolidation, may be avoided. It appears that Comelec prepared a continuity plan by signing Resolution no. 9635 dated February 12, 2013 (Annex F), that’s three (3) months before 2013 NLEs. Through the ICE? But no document would show that SLI Global Solutions concurred with Comelec’s continuity plan in 2010 and 2013 elections. What about in the 2016 NLEs?
Nonetheless, the continuity plan didn’t work as it seriously failed with the staggering 24 percent non-transmission of election results (i.e., 9 million votes) and therefore a violation of RA 9369. In 2010, 9 percent of election results were not transmitted. Worst, Comelec is planning to successfully transmit only 90 percent of election results in 2016! Sections 22 and 26 of RA9369 stipulate that the election returns and certificates of canvass, respectively, transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the proclamation of a candidate. The target of 10 percent failure of transmission in 2016 by Comelec is another clear indication of future non-compliance with RA 9369 in 2016.
Let’s face IT! What’s the use of RA 9369 if Comelec will not comply with it? Hence, it’s better to get back to conventional manual elections on May 9, 2016. Anyhow, reverting back from automated to manual elections is nothing new as Comelec did it in the 2004 and 2007 elections! Comelec then easily printed ballots for manual elections without waiting for the final list of candidates.
It’s no-brainer, non-compliance with the law is equivalent to converting the whole AES project to a Vote Cheating Machinery…’Abangan!’