Comelec: A Question of Confidence<br />By Joey de Venecia III<br />Senatorial Candidate & Spokesman <br />on Poll Automation<br />PwersangMasang Pilipino<br />Presented at the Kapihansa Manila Hotel, May 3, 2010<br />
D Day -- May 10, 2010<br />One week from today, 50 million Filipino voters will head for their respective precincts to elect the next president, vice president, 12 senators, party-list representatives, and local government officials. This will be the first time that the Commission on Elections will conduct automated (AKA computerized) elections.<br />
There are serious issues the Comelec needs to address<br />The Comelec has not succeeded in winning the trust and confidence of the electorate for a number of reasons:<br />The PCOS machines have failed or underperformed in a number of instances;<br />The entire voting system appear to have numerous pitfalls/shortcomings; and<br />It is not clear if cheating – in the form of digital dagdagbawas – can still take place. <br />
COMELEC & the AES<br />Evaluation<br />COMELEC has been trying to create this link without any success<br />Source Code Review<br />Assurance<br />Stakeholders<br />(PUBLIC)<br />CONFIDENCE<br />THE MISSING LINK<br />Automated Electoral System<br />RISKS<br />Systems<br />Concerns<br />Countermeasure<br />Minimize/<br />mitigate<br />risks<br />By: DrexxLaggui<br />Information Security Consultant<br />The COMELEC has been unsuccessful in providing information on the AES to gain voter confidence<br /><ul><li>Release of critical documents were delayed giving the perception that they are hiding something.</li></li></ul><li>Documents<br />On Monday, April 26, 2010, 5:00 PM, The following documents were requested.<br />On Friday, April 30, 2010, 3:00 PM, The following documents were received.<br /><ul><li>Systest Labs Report – promised to be provided on April 27
Technical Evaluation Committee (TEC) certification and report – promised to be provided today April 27
PCOS Machine Test Results (and the PCOS test procedures that generated these results)– promised to be provided April 27
Three (3) test results in particular: mean time between failures (MTBF); average rejection rate of valid ballots; and accuracy rate (given x test ballots, how many were miscounted, if any) If we can have full access to the reports per machine, we can do statistically analysis and have a good idea about the % of failures, ballot rejections, and count accuracy levels to expect on May 10
Random Manual Audit (RMA) Procedures – promised to be provided by April 27
Design Specifications – still to be discussed during en banc on Tuesday, April 27
Test Protocols – to be discussed during en banc on Tuesday, April 27
ANNEX F - TEC Validation and Verification Procedures.pdf</li></ul>Hard copy of the documents were received then converted to PDF format for proper distribution.<br />Downloadable through Joey’s website: <br />http://www.joeydevencia.com<br />Remaining documents were promised to be given on Monday, May 3, 2010<br />
IMPORTANT NOTE<br />Of all the documents provided us by the Comelec, we consider the Certification Test Report for Source Code Review, Readiness and Security Testing the most important. This is also known as the SysTest Lab report.<br />The copy of the report provided us <br /> had a potentially important page missing.<br /><ul><li>The report indicated the extent of the test performed on the system.
The report showed the strength and weaknesses of the system.
A statement in the SysTest Labs website says a comprehensive test was done </li></ul> to the system<br />
COMELEC MATERIALS & THEIR SIGNIFICANCE<br />Technical Evaluation Committee (TEC) certification and report <br /><ul><li>These certifications and reports are mandated by law.
Test Results on accuracy, security and quality of the system.
The Certification released to the public does not satisfy the requirement of the Law.
RA 9369 states: “"SEC. 11. Functions of the Technical Evaluation Committee. - The Committee shall certify, through an established international certification entity to be chosen by the Commission from the recommendations of the Advisory Council, not later than three months before the date of the electoral exercises, categorically stating that the AES, including its hardware and software components, is operating properly, securely, and accurately, in accordance with the provisions of this Act based, among others, on the following documented results:”</li></ul>PCOS Machine Test Results (and the PCOS test procedures that generated these results) <br /><ul><li>The test results show the basis for both COMELEC and Smartmatic’s acceptance of the system.
Smartmatic received the machines from their Chinese manufacturer.
What was the basis for accepting these machines?
COMELEC received the machines from Smartmatic.
What was the basis for accepting these machines?
There has to be some form of Test Data for both COMELEC and Smartmatic to accept these machines. None were provided.
The report should also show the strength and weaknesses of the system.</li></li></ul><li>SYSTEMIC PITFALLS<br />PCOS Machines<br /><ul><li>82,200 PCOS machines & backup batteries purchased
6,729 spare PCOS machines available. ( 8.9% of the total number of clustered precincts )</li></ul>Memory Cards<br /><ul><li>180,640 memory cards purchased.
Two Memory Cards per precinct cluster (one firmware, one data) yields a requirement of 150,942 memory cards.
29,698 spare memory cards available. (39% of the total number of clustered precincts)
These cards could either be used for data or firmware.
Spare PCOS machines can be used to generate multiple ERs and store the corresponding data file to the spare memory cards.
Could be used as the basis when a candidate questions the results.
Could be used to switch the data card during transport.
These Compact Flash cards are small enough to cover with the palm of your hand.
Spare PCOS machines could be used to connect to the servers.
There is more than enough spare data cards to attach to the spare machines.
Identity and profile for these spare machines could be easily be configured. </li></li></ul><li>SYSTEMIC PITFALLS<br /><ul><li>Disabling the feature to read UV markings.
The official COMELEC reason is “alignment problems.”
Empowering the BEI to control the fate of the Ballots.
To date, voters are unaware of how this UV markings should look like.
Disabling the voter verification feature which implements the provision of the law allowing the voter to confirm that the machine (PCOS) registered his/her choice.
Although it is very clear in RA 9369, the COMELEC decided solely to disable this function
RAs can only be changed by amending the law in Congress.</li></li></ul><li>SYSTEMIC PITFALLS<br /><ul><li>The BEI will no longer be required to Digitally Sign the ERs.
The Digital Signature will automatically be embedded by the PCOS machine.
This contradicts the original General Instruction document released by the COMELEC. Although a revised GI was released to reflect this change.
All Digital Signatures were prepared and generated by Smartmatic/COMELEC.
The Comelec has removed another significant security feature which makes it possible to transmit data from other PCOS machines without the presence of any BEI member.</li></li></ul><li>SYSTEMIC PITFALLS (CCS)<br />Audit Functionality<br />Several of the logging functions in the Smartmatic CCS project appear to omit the inclusion of the time and date from the logged messages. These functions are accessed throughout the system as logging functionality is required. This apparent omission may result in audit log entries without complete date and time information being included as part of each individually logged message. (Page 18, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)<br /><ul><li>The CCS (Consolidating/Canvassing System) will be the basis for protests. Just like during the manual voting days wherein the COCs were the basis for electoral protests.
With the absence of time and date logs, records & results can be accessed during and after elections without the public knowing the time and date they were accessed.
Systest Labs even acknowledges this problems stating “it is however, an impediment to an accurate re-creation of election actions, should the need arise.”</li></li></ul><li>SYSTEMIC PITFALLS (CCS)<br />Security Functionality<br />SysTest's processing of the Dominion EMS source code through the Parasoft tool application, however, indicated that there are possible susceptibilities to SQL injections within the Dominion EMS…Several instances were found to exist in which user-entered data-related commands may be submitted to the database in such ways that the implemented protective coding may be bypassed. (Page 19, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)<br /><ul><li>This simply states that it is possible to make changes to the database bypassing the implemented security measures.
Remote operations on the database is possible.
These injections are actual database related instructions that can manipulate data stored in the system.</li></li></ul><li>SYSTEMIC PITFALLS (CCS)<br />Security Functionality<br />It was also determined that, in at least one instance, encryption keys were found to be explicitly coded into the source code of the system. That encryption keys were discovered within the source code could potentially make them available to anyone that might have access to the executable binary version of the EMS application.(Page 19, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)<br /><ul><li>Encryption Keys provide added security features to the system by turningvarious data into unreadable format.
Any threat to the system (such as hackers) have basically their work cut out for them making it faster to access the system.</li></li></ul><li>SYSTEMIC PITFALLS (CCS)<br />Other Functionality<br />Mixed mode operations may have risks involved if the value being converted is of a floating type, and it is converted to a decimal type, thereby potentially losing precision, or if the type being converted is assigned to a type implemented as a smaller variable type, in what is known as a narrowing conversion..(Page 20, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)<br />Type of Variable is Integer<br /><ul><li>Programming languages require you to define the type of numerical value of all variable that will be processed. (i.e. Decimal, Integer, etc.)
Converting types during program execution could affect the values during the conversion process (round up, round down, etc).
This could be a threat especially when dealing with number values in the millions range.</li></li></ul><li>SYSTEMIC PITFALLS (PCOS)<br />Audit Functionality<br />It appears that multiple entities may have the possibility of writing to a single log file using class method logFile.LogMsg() without clear controls over ownership of the file handle, or clear comments indicating that that is the single audit logging thread….. It is however, an impediment to an accurate re-creation of election actions, should the need arise.(Page 21, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)<br /><ul><li>The appears to have the same issues as the CCS
The log file could be overwritten thus clearing the previous log records.
Could be a challenge in re creating events as mentioned in the report.</li></ul>Ballots<br />A few instances were found where the source code did not include checks for the possibilities of vote count variables being overflowed. Numeric variable overflow is possible if the value assigned to the variable becomes more than the maximum permitted value for the numeric type of the variable. The risk can only become manifest if a large number of votes are processed through a single PCOS.(Page 22, Certification Test Report for Source Code Review, Readiness and Security Testing, Rev 1.06, Feb 9 2010, Systest Labs)<br /><ul><li>This states that the PCOS machine can generate more votes than the prescribed amount.</li></li></ul><li>Digital Dagdag - Bawas<br /><ul><li>Majority of the findings in the Systest Labs Report have been tagged as either Major or Minor
Statements like “the implementation of manual processes and procedures will further mitigate any potential issues” are frequently used in the document to downplay the gravity of the findings.
Relying on manual processes to address shortcomings of the system contradicts the entire idea of AUTOMATION.
Issues creating opportunities for Digital Dagdag – Bawas
Log issues will make make it almost impossible to recreate events when needed.
Significant amount of Backup Memory Cards in tandem with the spare PCOS machines can be used to generate ERs.
Lack of Test Data for the 48,000 modems makes the transmission of ERs questionable.
Could create the scenario to transfer Data Card to a different machine for transmission due to modem failure.
Switching of Data Cards is always possible once it is removed from the PCOS machine.
Could create the scenario to send the ERs manually.
Cannot discount the fact that there are still 5,000 signal jammers at large. </li></li></ul><li>Digital Dagdag - Bawas<br /><ul><li>Issues creating opportunities for Digital Dagdag – Bawas (cont’d)
Alignment issues (as demonstrated and confirmed in the UV marking controversy) could result to significant Ballot rejection.
There is no certainty at this point that the alignment issues applies to the names and ovals in the Ballot.
Digital Signatures of the BEI are no longer required by the PCOS in order to transmit the ER.
Allows any PCOS machine to transmit ERs without any BEI officer present.
There are 6,726 spare PCOS machines on standby.
There are 29,698 spare memory cards readily available. </li></ul>COMELEC – SMARTMATIC - TIM<br />Voting<br />Transmission<br />Canvassing<br />With the COMELEC having absolute control and access to the entire Voting System, it should truly secure this and ensure honest elections.<br />
Notes on Digital Dagdag - Bawas<br />Of the 48,000 voting centers nationwide, only 36,000 have been surveyed for signal, power, etc.<br />Only 48,000 field technicians were recruited to handle 75,471 machines to be used on election day<br />Comelec assigned only 438 trainers to train 260,000 Board of Election Inspectors (1 trainor for every 593 BEIs) <br />
Notes on Digital Dagdag - Bawas<br />There are only 48,000 modems for the 75,471 PCOS machines.<br /><ul><li>For all the SIM cards to be used in the elections, Smartmatic generates passwords, issues digital certificates, verifies the certificates, and operates the machines. This is like merging in a single person the functions of accountant, cashier, auditor, operator and vendor!
Data centers are in secret locations which the Comelec refuses to reveal to the public. This is equivalent to conducting a canvass in a secret place only the Comelec and Smartmatic know</li></li></ul><li>RECOMMENDATION<br />To request the COMELEC for full transparency in the steps taken in addressing the findings indicated in the Systest Labs Report.<br />To request the COMELEC for full disclosure on how spare PCOS machines and CF cards be secured against misuse.<br />The COMELEC should educate the voters on how the UV Markings look like.<br />Discolose features of the PCOS machines that can be configured without modifications to the software.<br />