Join the campaign (Learn More)

The Manila Times : Smartmatic's WORM SD card can be altered

News & Interviews
5 June 2021

By Al Vitangcol 3rd | The Manila Times

EXACTLY a month ago, the Pivot International Inc. (PII) and Power Serve Inc. (PSI) joint venture filed a manifestation and verified complaint before the Commission on Elections (Comelec) seeking to "declare a failure of bidding, reject the bid, and or not to award the contract for the procurement [of] vote counting machines refurbishment with consumables" and to administratively charge "the end-user representative and members of the Comelec SBAC (special bids and awards committee) and the technical working group for serious dishonesty, grave misconduct, and/or conduct prejudicial to the best interest of service."

I mentioned in this column on May 22 that the sole technical issue involved in the complaint is that of a WORM SD card. However, the concerns brought up by the PII and PSI concerning this SD (secure digital) card carry with them a multitude of technical and legal repercussions.

What is a WORM SD card?

A secure digital card, or SD card, is a portable electronic data storage device used for storing digital information. The format was developed by the SD Association, a US nonprofit organization that sets memory card standards for consumer electronics worldwide. The association was founded by SanDisk, Panasonic and Toshiba in January 2000.

With regard to capacity, SD cards with a bigger capacity and better performance are called SD high capacity (SDHC) and SD extended capacity (SDXC). The memory size of these cards ranges from a low 2GB (gigabytes) to as high as 128TB (terabytes). The most common size nowadays is 32GB.

WORM is an abbreviation for "write once read many," which is a type of magnetic storage technology that secures data from unauthorized alteration or modification at both the hardware and software levels. A WORM SD card is a special SD card that utilizes the WORM technology in which digital information, once written on the SD card, can no longer be altered. This process gives the assurance that any data, once written on the card, cannot be tampered with or altered.

Predecessor PCOS machine

The present vote counting machine (VCM) that the Comelec used and will be using in the upcoming 2022 national and local elections (NLE), is an improvement from its first version, the precinct count optical scanner (PCOS) machine that was used during the first automated elections in the Philippines in 2010. Both the PCOS and VCM were supplied by technology provider Smartmatic Inc.

Eleven years ago, the joint canvassing committee (JCC), doing the canvassing of the presidential and vice-presidential votes for the 2010 elections, requested for the forensic analysis of some 60 PCOS machines which were in the possession of the Senate of the Philippines. On June 2, 2010, the Comelec consented to the requested forensic analysis and during the joint canvassing session of the same date, Sen. Juan Miguel Zubiri announced the creation of a joint forensic team consisting of representatives from the Senate and the House of Representatives.

I was designated to head the joint forensic team. The forensic analysis was conducted from June 4 to 5, 2010 at the A. Padilla Hall of the Senate and on June 7, 2010 at the Smartmatic warehouse in Cabuyao, Laguna.

The PCOS machine has two card slots - one for the blue main CF card and another for the red backup CF card. CF stands for compact flash, another type of memory storage device. The main CF card contains three folders - the "dcf" folder, the "election" folder, and the "temp" folder. The transaction log files, statistical files, election results and other files are likewise stored in the blue card.

Timeframe analysis on the CF cards revealed an intriguing fact - almost all files were modified on May 10, 2010 (election day) but were last accessed on two other future dates, of which no plausible explanation was offered then. The CF cards should have been in "read only" mode after the PCOS shutdown.

Improved vote counting machine

The VCM supposedly addressed all the system defects and perceived flaws of the PCOS machine. With some technical modifications and system enhancements, the VCM essentially performs the same functions required of the PCOS machine.

Instead of CF cards, the VCMs use SD cards. The main card slot needs a regular SD card while the second card slot requires a WORM SD card.

During election day, as ballots are fed into and read by the VCM, ballot images and counts are written in the regular SD card. At the end of election day, the data back-up and results are written in the WORM SD card - with the intention of not accepting any more "write events" after that one and only writing. This is to ensure that the election results stored in the WORM SD card are not altered and tampered with once the VCM is shut down.

BAC formatted WORM SD card

It was alleged in the PII/PSI joint venture's complaint that the bids and awards committee-technical working group (BAC-TWG) "proceeded to format the SD cards (main) and the WORM SD cards in the SBAC-AES TWG's computer. The formatting of the WORM SD cards, however, was done despite a prior and clear manifestation made by Mr. Alfred S. Cayton, a representative of the joint venture, regarding the nature of a WORM SD card. Cayton explained that the WORM SD cards do not need further formatting because such act will be considered tampering with the WORM SD cards and will affect the operability of the WORM SD card."

The reformatted WORM SD card, as expected, was rejected by the VCM, and relied upon by the BAC to disqualify the bid of the PII/PSI joint venture. Thereafter, the project was awarded to Smartmatic.

If this allegation is true, then it simply means that the VCM does not use a real WORM SD card. Pure logic dictates that if the VCM runs on a "formatted" WORM SD card, then the WORM SD card is no longer write-protected. If the card is not write-protected any more, then the results (or whatever digital information) stored in the card can be written over, modified, or altered without any restriction.

Legally, the supply of a "non-real" WORM SD card is a violation of the terms of reference of the project itself.

Technically, the data security from unauthorized alteration or modification at both the hardware and software levels, as afforded by a real WORM SD card, can no longer be assured.

Worse, this opens the possibility of post-election tampering.

John F. Kennedy said, "The ignorance of one voter in a democracy impairs the security of all." Let us not be ignorant of these technical maneuverings - which eventually can elect and install officials in government.