By Nelson Celis | The Manila Times
THE Senate Committee on Electoral Reforms and People’s Participation (Cerpp), led by Sen. María Imelda Josefa Marcos, has been consistently deliberating Senate Bill (SB) 7 since it was introduced by Senate President Vicente Sotto 3rd in July last year. The bill is an “Act providing for the conduct of the hybrid national, local and ARMM elections, through manual voting and counting at the precinct level, and automated transmission and canvassing, and for other purposes.” This week, the Center for People Empowerment in Governance (CenPEG), through its AES Watch, submitted its recommendations on how to go over the implementation of a hybrid election system (HES) in 2022.
To date, the agreed upon principle of manual voting and counting system at the precinct level should be performed in public; that is, the voter still manually enters his/her votes on ballot paper and that counting be publicly seen by the Board of Election inspectors (BEIs) and watchers represented by different groups in the precinct. The manner of counting is still being deliberated, whether it be computer-aided or pure manual. After the counting, the election return (ER) would be computer-generated before it is electronically transmitted for consolidation and canvassing at the municipal level. This is still similar to our past four elections (from 2010 to 2019) except that the “secret” counting by the vote counting machines is eliminated. It was secret as nobody had seen how the machines really counted — transparency was lost!
CenPEG fully supports SB 7. It recommended two phases in proceeding with HES in 2022: Phase 1 — understand how the Commission on Elections (Comelec) “misManaged” the automated election system (AES) in the past elections; and Phase 2 — implement action plan to correct Comelec’s “misManagement” (see previous article regarding its definition).
Comelec data centers
In going through Phase 1, CenPEG’s first agenda is to determine how Comelec used its Data Center (DC) in processing election results. The DC is the heart of any organizational computational power in processing its information needs. Before the 2010 elections, an independent systems audit from 2007 to 2008 was conducted by representatives of the Philippine Computer Society at the Comelec’s DC at Palacio del Gobernador, Intramuros and its Backup Data Center (BDC) at Insular Life Building, Alabang. These data centers house the databases of registered voters and other data hacked during the ComeLeak incident prior to the 2016 elections. Questions were raised: has there been any independent system audit of DC and BDC done after 2008? If none, why? If there has been, can Cerpp request for such system audit/s?
The next interesting questions raised were all related to the DC operations on the use of
AES from 2010 to 2019 to understand how the telecommunications companies (telcos) operated viz the DC processing of ERs and certificates of canvass (COCs), to wit:
– Was the DC connected with the telcos directly to receive and process the ERs and COCs? If so, did the BEIs and Board of Canvassers (BOCs) use digital signatures? If not, why?
– Was the BDC receiving directly the processed ERs/COCs from DC for backing up? If yes, was the backing up done immediately after DC’s processing? If not, how?
– If the DC was not receiving directly the ERs/COCs, was it through a third-party service provider (SP), whose servers were located outside the DC premises? Is that legally binding viz Republic Act (RA) 9369 and Batas Pambansa (BP) 881?
If allowed by law, did the SP process the received ERs/COCs or just passed it on to the DC for processing? Did the SP receive the ERs/COCs directly from the BEIs/BOCs? If not, were there intermediaries or regional hubs (RHs)?
Was the digital signing of BEIs/BOCs observed? If yes, how? If not, why was there no digital signing? Did the Comelec people manage the operations of the SP? Did they see the detailed transmissions of the BOCs and the network management system activities in SP’s operations?
Did the Comelec or SP provide a disaster recovery site viz a business continuity plan in case the main server goes down in compliance with RA 9369, Section 13 regarding continuity plan? Were the stakeholders informed about the continuity plan? Was the SP test certified by the technical evaluation committee as per RA 9369, Section 11?
How were the telcos connected to the AES? Was the contract of electronic transmission signed between Comelec and telcos? If not, were the telcos made accountable to Comelec?
If yes, telcos should have stored the transmission logs and should be accessible when needed by Comelec, the House of Representatives Electoral Tribunal, the Senate Electoral Tribunal and the Presidential Electoral Tribunal without court order. Were the telcos directly connected to the SP? RHs? business continuity center? If yes, were the telcos managed directly by the SP or by Comelec?
These probing questions will help the Cerpp guide how Comelec managed the DC operations in processing the ERs and COCs, how they complied with the AES law, figure out why were there so many unanswered mind-boggling questions to date about the secret counting, and how will Cerpp come up with a strategic plan to successfully implement HES.
And as initial heads-up to the Cerpp, CenPEG enumerated some of the following major recommendations:
– Promulgate immediately the implementing rules and regulation (IRR) once SB 7 is approved. Remember that Comelec did not promulgate the IRR of the AES Law (or RA 8436 of 1997, as amended by RA 9369 of 2007) in spite of having brilliant lawyers within its ranks since 1997 — 23 long years and counting! Perhaps they need the help of Cerpp and stop the impasse.
– Audit the AES implementation from 2010 to 2019 — corrective actions vis audit findings should be presented to Cerpp.
– Use digital signatures for BEIs and BOCs through the public key infrastructure facilities of the Department of Information and Communications Technology (DICT).
– For the DICT to handle the HES project — the past four elections showed Comelec’s misManagement of the AES implementation.
– For the DICT to prepare the DC operations of Comelec for the 2022 elections. This includes the DC operations at Comelec’s premises, the removal of intermediaries or RHs, and the direct connectivity of the telcos to the DC and BDC — that is, direct transmission of ERs/COCs to DC by BEIs/BOCs through digital signing. The “Meet Me Room” must be inside the Comelec’s DC.
– The DC and BDC operations must be manned by Comelec and DICT organic personnel, no vendors should be allowed.
– For the telcos to provide copies of the transmission logs to Comelec and DICT at the soonest possible time (e.g., three days after the elections). In the past, telcos just delete these logs without prior notice to election stakeholders. To avoid early transmissions as experienced in the past elections, telcos should only activate their facilities at the closing of the precincts on election day.
– For the Comelec to comply with RA 9369, Section 27: “The Commission shall post its digital files in its website for the public to view or download at any time of the day. The Commission shall maintain the files at least three years from the date of posting.” Commission on Audit (CoA) is recommended to check Comelec’s compliance.
– Replace “international certification entity” by CoA, supported by local auditing firm/s, as stipulated in RA 9369, Section 11: “The Committee shall certify, through an established international certification entity…categorically stating that the AES…is operating properly, securely and accurately.”
– Use the Consolidation Canvassing System co-developed by Comelec and the Department of Science and Technology.
– For the DICT to hold the source code review in public.
– For the technical working group of the Cerpp/Joint Congressional Oversight Committee (JCOC) on AES to finally check project completion and compliance of the HES two months before the elections
– For the Cerpp to remind the JCOC to comply with RA 9369, Section 33, as the latter failed to conduct a comprehensive assessment and evaluation of the performance of the AES technologies implemented in the last four automated elections. JCOC have not reported any appropriate recommendations to Congress in session assembled.
The Cerpp will extract the answers in the next hearings to come.