The Manila Times : The GIs and the unexplained

22 September 2021

By Nelson Celis | The Manila Times

THE general instructions (GIs) of the Commission on Elections (Comelec) for the past automated national and local elections (NLEs) since 2010 were clear procedures on the do's and don'ts. Take for example Comelec Resolution (CRN) 10460, promulgated on Dec. 6, 2018, in connection with the May 13, 2019 NLEs. It provided the rules and general instructions to the electoral boards (EBs) on the use of vote counting machines (VCMs), and on the process of testing and sealing, and voting, counting and transmission of election results.

However, its Sec. 75 states: "Closing of Polls; Counting of Votes and Transmission of Results; Printing of Reports and Shutting Down the VCMs Procedure. – After all the voters have cast their votes…the EB shall close the voting by performing the procedures in the technical manual…." Nothing was mentioned on how the election results would be transmitted! The function of the iButton was also not defined, but it was stated in Sec. 71 regarding its retrieval from the VCM box. On the other hand, the technical manual would have been easily accessible if it were placed as an annex, or a website link could have been cited.

Then there was CRN 10497 promulgated on Feb. 13, 2019. It contained the contingency procedures in connection with the May 13, 2019 NLE explaining the detailed procedures on how to fix problems related to VCMs, consolidation and canvassing systems (CCS) at the provincial/district/city/municipal board of canvassing (i.e., local elections), power supply interruption like brownout or blackout, network failure, catastrophe (e.g., fire, flood, earthquake and others), and sabotage (e.g., equipment robbery and similar circumstances). Nothing was mentioned about failure of the CCSs at the national canvassing centers (i.e., normally held at Batasan Pambansa and Philippine International Convention Center). A case in point was the 256 million and 150,000 million registered voters at the BP and PICC computer servers, respectively, during the 2010 elections though in fact that the registered voters then was only 51.3 million voters; the service provider just simply said that it was due to "error in application!" What about the possible failures of the central server of the Comelec and its disaster recovery site? Did Comelec foresee the seven-hour glitch of the transparency server, and did they plan any quick recovery procedures?

Random audit

The CRN 10458 promulgated on Dec. 5, 2018 was all about the GIs for the conduct of random manual audit (RMA) of vote count results generated by the VCMs for the May 13, 2019 NLEs…and subsequent elections thereafter. That means, the RMA GIs cannot be changed anymore. Remember that the Automated Election System (AES) Law, or Republic Act 8436 of 1997, was amended to RA 9369 in 2007 due to the obsolescence of the provisions stipulated. AES Watch sees that the selection of precincts using an automated random selection program recommended or developed by the Philippine Statistics Authority is inappropriate as it added more unnecessary procedures. Just imagine, this CRN would require source code review by the representatives of registered political parties and accredited citizens' arm groups and the procedures would be similar to normal source code review as stipulated in RA 9369! By the way, there's no provision in RA 9369 on the use of automated random selection programs. Moreover, the list of specific clustered precincts that have been randomly selected for RMA on election day would only be released to the public the following day! Why not conduct a separate manual selection of precincts, say, using a PCSO lottery machine in the morning so that the RMT team may start their job right after the generation of the election returns (ERs)? That would be more transparent and credible as the risk of possible fraud would be mitigated rather than wait for a day when all the ERs would have been transmitted already.

Recently, CRN 10712, promulgated on Aug. 11, 2021, explained the guidelines on the conduct of the local source code review (LSCR) of the automated election systems for the May 9, 2022 NLEs by interested parties, groups and associations. Nothing was mentioned about the rationale of not using tried and tested automated code review tools by the reviewers that could find defects and provide solutions in less time. Why do purely manual LSCR when you can automate it? What is good about CRN 10712 is its consideration of the risk of the current pandemic by coming up with security and anti-Covid-19 protocols?

In a few weeks' time, the Comelec will publish the GIs and related resolutions for the 2022 NLEs. What the AES Watch and other election watchdogs have been waiting for since 2010 are the GIs for Sections 30 and 33 of RA 9369. Section 30 states: "Authentication of Electronically Transmitted Election Results. – The manner of the authenticity and due execution of the certificates shall conform with the provisions of Republic Act 7166 as may be supplement or modified by the provision of this Act [RA 9369], where applicable, by appropriate authentication and certification procedures for electronic signatures as provided in Republic Act 8792 as well as the rules promulgated by the Supreme Court pursuant thereto." They haven't seen any GIs related to "the manner of and due execution of certificates." What are these certificates defined in the law? What are these rules promulgated by the Supreme Court? Will Comelec promulgate GIs for Section 30?

Oversight committee

As for Section 33, it states: "Joint Congressional Oversight Committee. – An oversight committee is hereby created composed of seven members each from the Senate and the House of Representatives, four of whom shall come from the majority and three from the minority, to monitor and evaluate the implementation of this Act. A written report to the Senate and the House of Representatives shall be submitted by the Advisory Council within six months from the date of election. The oversight committee shall conduct a mandatory review of this Act every twelve (12) months from the date of the last regular national or local elections. The oversight committee shall conduct a comprehensive assessment and evaluation of the performance of the different AES technologies implemented and shall make appropriate recommendations to Congress in session assembled …." Until now, the watchdogs are still excited to know when this "recommendation to Congress, in session assembled" will happen! … Not unless Comelec will promulgate GIs for Section 33? Though there were comprehensive assessments made already, but not "to Congress in session assembled," leading to the proposed hybrid election bills in the Senate and House; that is, aside from the directive of President Duterte in 2019 when he was in Tokyo?

There are other provisions of RA 9369 that the Comelec may take a closer look at and promulgate GIs, especially those stipulated in Section 11 related to "The successful completion of audit on the accuracy, functionally and security controls of the AES software." Does this include the national canvassing servers, disaster recovery servers, and other related servers, not associated with CRN 10497? And what about the provision regarding "A certification that the source code reviewed is one and the same as that used by the equipment?" Who would ever know that the source codes of the VCMs used in the final testing and sealing (FTS) a week before election day are the same as those kept in escrow with the Bangko Sentral ng Pilipinas? What about the CCS source codes during the FTS? Is there such a thing as GI for the chain of custody of all AES equipment and devices or do we leave everything to chance that there are no risks at all?