Join the campaign (Learn More)

The Manila Times - The source code review findings

News & Interviews
20 February 2019

By Lito Averia | The Manila Times

WHAT value does the review of the source code of the automated election system being done by representatives of political parties, citizens’ arms, and interested groups serve when the international certification entity, Pro V&V of Alabama, USA, engaged by the Commission on Election (Comelec), has already completed its review?

The representatives of the local source code reviewers presented their findings and recommendations on Feb. 7, 2019 at the public hearing of the joint congressional oversight committee on the automated election system held on the same date.

Presented were the following:
— The canvassing and consolidation system uses what is referred to as “store procedures” with the database. The stored procedures or short programs for database services were not included in the review. The stored procedures may be changed while the canvassing and consolidation system is in full operation. A vulnerability! The local source code reviewers recommended the implementation of database security measures and adherence to database security best practices.

— Some vote marks on the digital image of the ballot are enclosed by red boxes. The red boxes indicate that the enclosed vote marks passed the threshold size for the vote marks to be considered as valid. Arguing that the digital ballot image has been processed with the addition of the red boxes, the same cannot be presented as evidence under the Rules on Electronic Evidence because the ballot image is not an exact copy of the original. The local source code reviewers recommended that a raw, unadulterated copy of each ballot image be stored in the SD cards used with the VCM as storage.

— The barcode appearing on the ballot has been replaced with QR code. Ballots can only be used in specific precincts within specific jurisdictions and are marked with unique serial numbers. The barcode represented the precinct-specific information. Presumably, the QR code serves the same purpose. The election returns generated by the VCM does not have a QR code marking. The local source code reviewers recommended that the election returns include a QR code.

— Machine signature is included with the transmission of election results. The local source code reviewers reported that the Comelec and the Department of Information and Communications Technology (DICT) are coordinating for the DICT to be the Certificate Authority (CA). A CA is a trusted third party that issues digital certificates which certify that a signer owns the public key appearing on the digital certificate. Parties may use the public key to independently verify ownership of the digital signature appearing on an electronic document. Due to lack of time, the Comelec may opt to proceed without the DICT and be its own CA but doing so defeats the purpose of having a third-party CA. The i-button will continue to be used for generating the machine signature.

— A folder named “Transmission Router” was discovered by the local source code reviewers during an unguided review session and noted its existence during one of the trusted build exercises. The local source code reviewers requested that this be discussed.

— The ballots recorded by the VCM had jumping sequence numbers and some ballots lodged in sequence by the VCM were found at the end of the list with different sequence numbers. Smartmatic has not explained the jumping or out-of-sequence numbers.

— As in the past three automated elections, election returns are transmitted to the transparency server in an encrypted transmission package. The transmission package is decrypted and processed to convert the data in text format. The data in text format is then passed on to the majority party, dominant minority party, citizens’ arms, the Kapisanan ng mga Brodkaster ng Pilipinas, and other Comelec-accredited groups. The local source code reviewers recommended that the encrypted transmission package be delivered directly to the various accredited groups and the decryption utility be provided to them and allow them to decrypt the transmission package themselves.

Additionally, the local source code reviewers recommended the following:
— That the Comelec develop and implement an audit protocol for the entire automated election system, particularly, the audit logs of the VCM and the canvassing and consolidation system servers, as deployed prior to any proclamation. The audit team can be headed by the DICT, and participated in by other competent government agencies.

— The hash codes from the trusted build stored at the Bangko Sentral ng Pilipinas be compared to the hash codes of the programs deployed in the machines on election day.

— A decryption utility be provided to extract the contents of the SD cards for audit purposes.

— The review of the source code is highly abstract. Guided and unguided sessions are conducted but the exercise mainly involves going through the source code line by line. And only selected parts of the source code are reviewed. The local source code reviewers recommended that the source code be compiled (a process of converting the source code into its machine-executable version) and a test run of the programs be included in the exercise.

The review of the source code being done by various groups is still ongoing and will be terminated in March. It was also announced during the public hearing that the source code of the election results transmission system will still be reviewed by the local source code reviewers.

The source code reviewed by Pro V&V has been subjected to trusted build exercises and the executable codes which will be used by the components of the automated election system generated. The recommendations of the local source code reviewers may no longer be implemented.