By Nelson Celis | The Manila Times
Aside from the digital signatures, the Technical Working Group of the Philippine Computer Society deliberated on the importance of the source code review (SCR).
Source code is defined as the human-readable instructions that describe what the apps of the Automated Election System (AES) would perform. The apps refer to the election management system (EMS), vote counting machines (VCMs or PCOS machines) and the canvassing and consolidation system (CCS). The SCR is also a means to determine whether a hacker has implanted insidious code or a backdoor in any of the apps. Neither source code review nor digital signatures were mentioned in RA 8436, the Automated Election System (AES) law of 1997.
Hence, the amended AES law, RA 9369 of 2007, stipulates in Section 11: “The Technical Evaluation Committee (TEC) shall certify, through an established international certification entity… not later than three months before the date of the electoral exercises… categorically stating that the AES… is operating properly, securely, and accurately, based on the following documented results: (1) the successful completion of a source code review; (2) a certification that the source code is kept in escrow with the Bangko Sentral ng Pilipinas; and, (3) a certification that the source code reviewed is one and the same as that used by the equipment.”
In the past three national and local elections, Comelec failed to conduct comprehensive SCRs. It was even a mockery when former Comelec Chairman Sixto Brillantes presented the source code of the PCOS machines on a CD during a press conference three days before the midterm elections in 2013. He might have overlooked the fact that the law mandated that the TEC must release the certification of the SCR not later than three months before the election day, not three days!
Last week’s column by Lito Averia about the “Blind acceptance of the AES” raised a lot of provocative questions related to SCR, such as, “Is the EMS source code reviewed by Pro V&V the same EMS source code reviewed by local parties and groups? Which copy of the reviewed EMS source code will be used in the AES in the 2019 midterm elections?”
Whatever the outcome of the SCR of the apps for the 2019 elections, it has been observed and predicted that the Comelec could not comply with the SCR, the use of digital signatures and all the technical provisions in RA 9369. That has been the case since the 2010 elections.
Thus, in 2017, a draft amendment of RA 9369 was crafted by the combined team efforts of Sen. Dick Gordon’s think tank, NAMFREL and the AES Watch. The draft was submitted to the Joint Congressional Oversight Committee (JCOC) this year for their perusal. The draft is in support of the JCOC’s function to conduct a mandatory review of the AES law every 12 months from the date of the last regular national or local elections. It may be recalled that RA 9369 was a result of the review of RA 8436 in 2006. That means there were only two (2) reviews made independently outside of the JCOC since 1997: in 2006 and 2017. The 2006 review resulted in the amendment of RA 8436 to RA 9369, while the amendment to RA 9369 is still pending with the JCOC.
Why only two reviews since 1997? We all know that the composition of the JCOC and its leadership change every three years. After the 2016 elections, the Senate chairman of JCOC was jailed and the JCOC was not convened until 2018. The same is true after 2010 and 2013: no reviews were done except for the technical recommendations of the Comelec Advisory Council (CAC) to the JCOC not to use the 2010 PCOS machines of Smartmatic in 2013 and beyond.
Section 9 of RA 9369 stipulates that CAC shall recommend the most appropriate, secure, applicable and cost-effective technology to be applied in the AES; provide advice/assistance in the review of the systems planning, inception, development, testing, operationalization and evaluation stages; provide advice/assistance in the identification, assessment and resolution of systems problems or inadequacies as may surface or resurface in the course of the bidding, acquisition, testing, operationalization, re-use, storage or disposition of the AES equipment/resources as the case may be; provide advice and/or assistance in the risk management of the AES, especially when a contingency or disaster situation arises; and prepare and submit a written report within six months from the date of the election, to the JCOC, evaluating the use of the AES. The CAC also recommended in 2016 to use mixed technologies, not only VCMs for that matter, and this was emphasized by the Department of Information & Communications Technology in a JCOC hearing this year. But this was misinterpreted by the Comelec to mean the continuous use of the 2016 VCMs.
So, what are the proposed amendments to RA 9369? The major ones are:
The CAC and the TEC are changed to permanent AES Board and Technical Evaluation and Certification Committee, respectively.
A proactive Project Management Office is created in the proposed set-up.
Other than the Direct Recording Electronic (i.e., touch screen) and Optical Mark Reader (e.g., VCMs) technologies, a composite election system is included in the draft.
Electronic transmission shall be done by the members of the Board of Election Inspectors (BEIs) observing the following procedures: (i) entry of public key by the chairman of the BEI, (ii) keying in of the digital signatures by all the members of the BEI, and (iii) actual electronic transmission by the chairman of the BEI.
At least three months prior to the elections, the Comelec shall bid out and engage the services of a reputable accounting/auditing firm, which will conduct a post-election audit, and which must be completed not later than 90 days following the end of the elections.
Penal provisions are included to strictly enforce the AES law. A sample statement would be: “Failure to strictly comply with the foregoing requirements shall be considered prima facie evidence of sabotage and shall be punishable by imprisonment and/or a fine.” Remember that the voter’s receipt was only implemented in the 2016 elections through the Supreme Court’s ruling! Comelec didn’t have the intention to comply with Section 6.e regarding the provision for voter verified paper audit trail (VVPAT) or voter’s receipt. Sen. Gordon had to go through oral argument then to explain the right interpretation of the VVPAT.
The Comelec shall promulgate implementing rules and regulations (IRR) for the implementation and enforcement of ‘this Act’ not later than 60 days from its effectivity. Aside from VVPAT, Comelec has its own interpretation of digital signatures. Comelec’s promulgation of IRR has been pending since 1997, and it should settle all of Comelec’s misinterpretations over the past 22 years.
* * *
In the spirit of Christmas, let’s reflect upon Pope Francis’ homily on Christmas Eve: “Dear brothers and sisters, on this holy night we contemplate the Nativity scene: there ‘the people who walked in darkness have seen a great light’ (Isaiah 9:1). People who were unassuming, open to receiving the gift of God, were the ones who saw this light. This light was not seen, however, by the arrogant, the proud, by those who made laws according to their own personal measures, who were closed off to others. Let us look to the crib and pray, asking the Blessed Mother: ‘O Mary, show us Jesus!’”
(To be continued)