Partners’ squabbles sideline bigger security, tech issues

Last of Two Parts

THEIR PLANNED joint venture now hangs by a thin thread, but squabbling partners Barbados-registered Smartmatic International and local counterpart Total Information Management Corporation (TIM) have also yet to tie down many loose ends in their winning bid to automate the 2010 elections.

Chief among the concerns are security issues now being raised by computer experts, nongovernmental groups, and even members of the Commission on Elections Advisory Council (CAC) that oversaw the protracted, if transparent, bidding process. These unresolved security issues have raised the specter of an automated exercise where the cheating will not just be as fast as the counting, but harder to detect as well.

Last week, Smartmatic, the partner tasked with manufacturing the Precinct Count Optical Scan (PCOS) machine, told the Commission on Elections (Comelec) that it wanted to replace its SAES1800 PCOS machine with a newer model, which had yet to undergo the commission’s stringent battery of technical tests.

This was two weeks after Smartmatic presented at a public demo the SAES1800 PCOS model to the Comelec’s Special Bids and Awards Committee (SBAC) for technical evaluation. That machine passed all the requirements of the SBAC’s technical working group, bagging the automation contract for the Smartmatic-TIM venture.

The SAES1800 PCOS machine is basically an optical scanner that reads and collates the paper ballots of voters. The built-in proprietary software tallies the results, and transmits them to the municipal, provincial, and national canvassing centers. This software also ensures that only authorized personnel can use the machine, and transmit untampered data.

Security nightmare

Smartmatic’s “newer model” has features similar to this machine’s – with one crucial difference: the proprietary security and counting software would no longer be housed and secured inside the machine itself, but contained in a removable memory card that would be in the custody of members of the Board of Election Inspectors (BEI), according to Ramon Casiple, chairman of the Consortium on Electoral Reforms (CER), which is also a member of the CAC.

Casiple says Smartmatic informed the Comelec and the CAC of this new development last week. While Comelec’s position on the new proposal is still unclear, Casiple says the stand of members of the CAC was unequivocal: “Our position is that this cannot be allowed. We immediately saw the problem with security.”

“The program and the data will now be in the memory card,” Casiple says of the new model. “If these are damaged or tampered with, the whole machine is compromised.”

With 82,000 PCOS machines to be distributed nationwide for next year’s elections, information technology experts balk at the thought of having memory cards containing the critical software in the personal custody of 82,000 individuals. It would be a security nightmare, to say the least.

Easier for cheats

“The software has to be secured from tampering and alteration,” says IT expert Ken Tiambeng. “If [the software] is in a memory disk or a flashdrive, that makes it unsecure. You can easily change it, alter the codes, then plug it in the machine and say it’s authentic.”

Tiambeng says any cheater who wants to tamper with the vote-counting software must first get a copy of the original software. That would have been harder if the software were burned into a chip contained inside the machine itself. But getting a copy of the software would be infinitely easier if the software is in a removable memory stick that is in the hands of 82,000 sets of BEIs.

Points out Tiambeng: “You can easily go to the machine, put whatever results or algorithm you want, and do the dagdag-bawas in an automated fashion.”

Before the Comelec could resolve the question, Smartmatic and TIM had a falling out over the terms of their joint venture. The issue has been sidelined for the moment as the two partners bicker over who gets control of the joint venture’s board.

Digital signatures

Why Smartmatic decided to offer a new model at the last minute has yet to be explained by the firm. It has been an open secret, however, that its original system had been facing increasing scrutiny from the IT sector.

Professor Pablo Manalastas of the Ateneo de Manila Computer Science Department and the Center for People Empowerment in Governance (CENPEG) says the real key to the sanctity of the ballot is the “private key” to be issued to the BEIs. Unfortunately, Manalastas says, the private key is not going to be very private at all.

After the BEI collates the results, the board “seals” the tally with a digital signature using a private key before transmitting them to the canvassing centers. The digital signature is akin to a wax seal that authenticates the validity of an official document, and the private key is what seals it.

But in its Bid Bulletin No. 10 issued on April 15, 2009, the Comelec’s SBAC stated that:

“The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC… The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.”

Shortcuts

What this means is that the digital signatures would be generated and assigned by Smartmatic or a group chosen by Smartmatic. Manalastas says this is dangerous because one group would now have the digital signatures with which to tamper with any or all of the results from the 82,000 PCOS machines.

“What it boils down to is that Smartmatic will have possession of the secret and public keys of all the BEI personnel,” Manalastas says. “The person who is in possession of the secret key can change the vote of the precinct.”

Ordinarily, he says, the private keys used to affix digital signatures are generated by the user himself by going online and registering with accredited international certificate authorities like VeriSign and Comodo; it is not assigned by just any group or a person.

The Comelec may have chosen to shortcut this complex procedure by simply allowing the winning bidder to do it for all the BEIs.

Manalastas says that theoretically, Smartmatic could now “unlock” the tallies from the precincts, change the results, and then seal them again using the private keys. The tampering is even harder to trace because the changed results were sealed with the same private keys of the BEIs.

In the end, Tiambeng says, it would be a matter of complete trust.

“The issue would be in relation to trusting this company not to share this certificate outside of the organization so that someone can spoof or create another file and say this is authentic because it has a digital signature,” he says. “There is no way to determine that (something was tampered with) once the digital signature is copied or given to another party.”
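The custody problem described in this section, as an added example that is not from the article or from any vendor's system: it uses textbook RSA with constructed toy keys and made-up tally strings (every name below is hypothetical) to show that a verifier holding only the BEI's public key accepts a re-sealed tally when the issuer kept a copy of the private key, and rejects it when the BEI generated the key itself.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA keypair from two primes: (public, private). Toy only, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(tally, n):
    return int.from_bytes(hashlib.sha256(tally).digest(), "big") % n

def sign(tally, private):
    n, d = private
    return pow(digest(tally, n), d, n)

def verify(tally, sig, public):
    n, e = public
    return pow(sig, e, n) == digest(tally, n)

# Constructed key material (Mersenne primes) and constructed tallies.
BEI_PRIMES = (2**521 - 1, 2**607 - 1)
ISSUER_PRIMES = (2**1279 - 1, 2**2203 - 1)
ORIGINAL = b"precinct=0001;candidate_a=312;candidate_b=298"
ALTERED = b"precinct=0001;candidate_a=212;candidate_b=398"

def issuer_assigned_key():
    """Issuer generates the BEI's key and therefore can retain a copy of it."""
    bei_pub, bei_priv = make_keypair(*BEI_PRIMES)
    retained_copy = bei_priv
    sealed = sign(ORIGINAL, bei_priv)          # BEI seals the real tally
    resealed = sign(ALTERED, retained_copy)    # second party seals a changed one
    # Both verify under the BEI's public key: the change is undetectable.
    return verify(ORIGINAL, sealed, bei_pub), verify(ALTERED, resealed, bei_pub)

def signer_generated_key():
    """BEI generates its own key; the issuer only ever sees the public half."""
    bei_pub, bei_priv = make_keypair(*BEI_PRIMES)
    _, issuer_priv = make_keypair(*ISSUER_PRIMES)
    sealed = sign(ORIGINAL, bei_priv)
    old_seal_on_change = verify(ALTERED, sealed, bei_pub)
    other_key_on_change = verify(ALTERED, sign(ALTERED, issuer_priv), bei_pub)
    return verify(ORIGINAL, sealed, bei_pub), old_seal_on_change, other_key_on_change

if __name__ == "__main__":
    print("issuer-assigned key :", issuer_assigned_key())
    print("signer-generated key:", signer_generated_key())
```

The signature check is identical in both cases; what changes the outcome is only who has ever held the private key.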

The ‘God’ power

Another issue yet unresolved is the degree of access granted to the system administrator on election day. A rival bidder, Avante Technologies, says that Smartmatic’s personnel were able to remotely access and change election results all the way from Manila during the 2008 elections in the Autonomous Region in Muslim Mindanao (ARMM).

Avante was one of the seven joint ventures that bid for next year’s automated elections, but was disqualified early in the process for failure to submit all the required documents. It participated in the automation of the ARMM elections last year, though, alongside Smartmatic.

Avante’s representative, Keshab Roncesvalles, says that Smartmatic’s technicians were able to correct errors in the precinct count in Wao municipality in Lanao del Sur by logging in from remote computers in Manila. While there appeared to be no cheating involved, Avante says that this power to change results from a remote site was a dangerous part of Smartmatic’s election system. Smartmatic, for its part, says its technicians simply “unblocked” the results of Wao’s vote.

This problem also was cited by the Comelec Advisory Council in a post-election report that it submitted to the Joint Congressional Oversight Committee on Automated Election System after the 2008 ARMM elections.

“There was a report submitted by Avante to Comelec regarding changing the data of election results remotely from Manila head office by Smartmatic-SAHI that if left unchecked can lead to widespread vote reduction and padding,” said the CAC.

SAHI, or Strategic Alliance Holdings, Inc., had initially partnered with Smartmatic in this latest Comelec bidding. They eventually split up, leaving SAHI in tandem with the Spanish firm Indra Sistemas.

“The mere fact that they were able to unblock (the count) means that they were able to access the system,” Avante’s Roncesvalles notes. “You should not be able to tamper with it. It seems you can just manipulate the results as if they were just Excel files.”

Roncesvalles says the system administrator should not be allowed to change the results in any way.

Comments Manalastas: “Remember that in any computer the [system] admin is ‘God,’ he can do anything in the computer. You have to be careful who God is.”

Scanning vs. direct voting

Also at issue is Comelec’s decision to adopt the PCOS system over the Direct Recording Electronic (DRE) system. Both technologies were used in the 2008 ARMM elections, with mixed results. But in its Request for Proposals to prospective bidders, the Comelec made sure that the bids were only for the PCOS system.

The decision to stay with a paper-based automated election system appears based on the desire to introduce “a new system of voting to the Filipino electorate nationwide without deviating much from the manual manner of voting and which protects the voter’s right to the secrecy of his vote,” the Request for Proposal states.

A PCOS machine simply optically scans a paper ballot, and transmits the tally to a canvassing machine. A DRE machine, meanwhile, allows a voter to select his candidate on a computer touchscreen.

Curiously, as early as 2004, Smartmatic president Antonio Mugica, in an interview with Radio Nacional de Venezuela, had declared that an automated election system based on the scanning of paper ballots was unreliable and prone to errors.

“That [scanning] technology has a very important intrinsic problem, and that is, when one introduces the ballot, the machine makes errors,” Mugica told Venezuelan radio in June 2004, just two months before Smartmatic’s machines serviced the Venezuelan Presidential Recall Referendum in August of that year.

Margin of error

Mugica noted that optical scanning machines failed to read between five and 15 percent of the ballots. This was the reason, he said, why Smartmatic was focusing its efforts on direct recording electronic (DRE) systems, where the voter casts his vote electronically by pressing his choices on a computer touchscreen.

“The new machines avoid that (problem) by permitting a direct vote from the screen,” Mugica told Radio Nacional de Venezuela.

On its website, Smartmatic still appears to show a preference for its DRE machines over its optical scanner. The website mostly shows images of its DRE machines, the SAES 3300 and the SAES4000, and the company’s corporate audiovisual presentation only shows DRE machines.

But if Smartmatic isn’t so confident in optical scanning systems, it certainly didn’t let that get in the way of its bid for the Philippines’ 2010 polls, where it offered its SAES1800 model, the company’s only optical scanning machine.

Unlike its touch-screen counterparts, the SAES1800 is basically a paper scanner that records images of the ballots that are fed into the machine. The results are then tallied and digitally signed, and transmitted to a canvassing center.

Open vote, secret count

CENPEG Director Bobby Tuazon warns that the technology chosen by the Comelec for next year’s election has made the election even less transparent for the voter. Voters will see their ballots going into the scanning machines, but they will not know how the machines read their ballots, if at all. While the SAES1800 has an LCD panel, voters will know the results only after the machine prints out the final tally.

The machine could be programmed to give the voter instant feedback on his vote through the LCD, but Comelec disabled this option, fearing it would slow down the voting process.

“These expectations for transparent elections are not being addressed by the Comelec and the kind of technology that the Comelec has adopted,” Tuazon says.

With the PCOS machines, Tuazon says that Filipinos will have a transparent vote with a secret count, instead of a secret vote with a transparent count as envisioned by the Comelec. This is because BEI members are likely to see who the voter voted for while they help him feed the ballot into the scanner; the voter, however, won’t even know whether the machine recorded his vote.

CENPEG complains that the Comelec shut out all criticisms during the protracted bidding process, effectively branding all critics as proponents of a no-election scenario.

“SBAC is claiming that everything is transparent,” says CENPEG observer Rosa Castillo. “We recognize the fact that we were allowed inside as observers. But when we tried to ask questions, they would not allow us, (they said) that we were delaying the process, and that did we want to have no elections?”

Castillo says this was how Comelec officials effectively shot down questions raised by Manalastas on the private key and the digital signatures before Smartmatic could reply to these. Adds Castillo: “The important questions like the source code, voter verifiability, and the integrity of the programs were not tackled.”

A different bidding war

Now, though, all these concerns have been sidelined by the more immediate issue of whether there will be a joint venture that would take charge of automating the elections.

In the meantime, CER’s Casiple warns that with 11 months still to go before Filipinos cast their ballots, and with full automation already in limbo, election cheats have started their own bidding war on who can circumvent, or even take advantage of, this new way of doing elections.

“I just came from Mindanao, and the reports from the field state that there are already offers to politicians that these operators can do it [cheat] with the automated system,” Casiple says. “But they haven’t shown any proof yet that they can really do it.”

It is not clear how much information these operators have about the hardware and software to be deployed by Smartmatic and TIM, assuming the two companies finally get their act together. What is clear is that these operators think that just like in the olden days of manual counting, they will still be very well employed in 2010.

PCIJ, 2009