By Nelson Celis | The Manila Times
Third of a series
TWO incredible incidents happened in the 2016 elections: the ComeLeak and the early electronic transmissions of election results a day before the May 9 elections. The latter event was the basis of Senate President Vicente Sotto 3rd, in two privilege speeches in 2018, to spearhead the use of hybrid election system for 2022 elections (https://www.manilatimes.net/wp-content/uploads/2019/04/TWG-Report-JCOC-March18_jeff.pdf). The former is our focus of interest to figure out the effect of the ComeLeak or the hacking incident in the voters’ list of the Commission on Elections (Comelec) a few weeks before the 2016 elections.
Under the e-Commerce Act of 2000, Section 33 (or Republic Act 8792), hacking is defined as “unauthorized access into or interference in a computer server or information and communication system; or any access in order to corrupt, alter, steal or destroy using a computer or other similar information and communication devices without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data message.”
A few weeks before the May 9, 2016 elections, the Comelec was hacked by two groups. This infamous hacking event on March 27, 2016 led to the defacement of the Comelec’s website and the leakage of its 55 million registered voters and other pertinent data in the web. This was considered to be the biggest personal information breach in the country in which the Comelec violated the Data Privacy Act of 2012 (or RA 10173) as then Comelec Chairman Andy Bautista didn’t appoint a data protection officer and didn’t report the hacking incident within 72 hours.
The extent of the damage could have been analyzed and reported by the digital forensics experts just like what was done with the 60 PCOS machines seized in Antipolo in the 2010 elections. The forensics report then showed several findings such as open ports of PCOS machines that were susceptible to hacking and that the hash codes analyzed were different from what was published by Comelec. For the ComeLeak, however, no professional forensics report came out after the ComeLeak incident or a few weeks before the 2016 elections. The public just simply accepted what had happened.
What could be the forensics report released to the public and to the joint congressional oversight committee (JCOC) on the automated election system (AES) if there was one? The findings could have showed the following: “The database of voters’ list and other Comelec databases were the same with those in the backup data center located 15 kilometers away from the head office; biometrics of the voters were intact and not switched with the others; the detailed personal information of the voters was not corrupted; there were neither injected, replaced nor removed voters on the list; and there were no replications of voters made. Therefore, the voters’ list database, including other databases, are A-OK!”
With this unfortunate hacking incident in the 2016 elections, several questions are raised: will the ComeLeak experience be encountered again before the 2022 presidential elections? Is Comelec ready to protect the voters’ list for the 2022 elections? How can Comelec be certain that the voters’ list has not been tampered with since the time of ComeLeak event? Can Comelec refute the findings of Dr. Gil Ramos (see Part 2 of this series)? Is there a certifying body that could possibly test or put a seal of approval that the voters’ list is clean before the end of 2021? Is there any third party (e.g., Commission on Audit and/or other agencies/stakeholders) that can attest that the computerized voters’ list in the Comelec’s local election offices are truly reflected in their central database? Will Comelec allow the stakeholders and other government offices to participate in the cleansing of the voters’ list? Will the Department of Information and Communications Technology and stakeholders be allowed to check the vulnerabilities of Comelec’s information systems? Will the National Privacy Commission and stakeholders be allowed to check Comelec’s total compliance with the Data Privacy Act?
Aside from the ComeLeak problem, possible hacking points are changing of election results in the SD cards or memory cards of the voting machines. This issue had been raised in several hearings of the JCOC on AES as Comelec has been consistently using rewritable SD memory cards of the vote counting machines since 2010; that is, ballot images and election return (ER) stored in the SD card may be altered. To illustrate, in our office or personal work, we normally use rewritable USB flash memory device or stick to back up our working file just in case there is file corruption, accidental loss of file and even to save other important files like payroll, reports, videos and images. When we wish to remove the saved files, we simply delete it and use the stick again and again. The USB stick and the SD cards used in the past elections are both rewritable devices. And with these are rewritable cards, there’s a big risk of possible alteration of images and ER. For transparency, the SD card in 2022 should be a write-once-read-many (WORM) SD card that could not be rewritten or the images and ER stored therein could not be altered.
In the absence of implementing rules and regulations (IRR) for RA 8436, or the AES Law of 1997, as amended by RA 9369 of 2007, it is best to secure the WORM cards for use in future protests after using the vote counting machines. The unchanged SD WORM cards would be the best source for a recount instead of any printed ballot images and should be considered as part of any electoral protest procedure. To secure the WORM cards is to observe its strict and proper handling in the observance of unbroken chain of custody.
Going back to one of the questions raised earlier, if ever Comelec were to allow the stakeholders and other government offices to participate in the cleansing of the voters’ list, this could be a good chance for a harmonious collaboration with them. Even other concerns like the crafting of the IRR could still be facilitated in coordinating meetings with Comelec so that expectations on the AES implementation are well set for 2022 elections. That means the other questions raised could also be brainstormed. Why not?
But how should the collaboration be? Will the JCOC intercede? If ever, will it be next month?
(To be continued)