How to rig an automated election in the Philippines

Strategic Perspective
Rene B. Azurin

Posted on November 13, 2014

COMMISSION ON ELECTIONS (Comelec) Chair Sixto Brillantes Jr. has effectively admitted that Comelec’s implementation of a computerized election system has been flawed all along. In the most recent hearing of the Joint Congressional Oversight Committee (JCOC) on Sept. 18, Professor Nelson Celis, spokesperson of the election watchdog AES Watch, reported the following exchange between Mr. Brillantes and Senator Alan Peter Cayetano:

Cayetano: “Pwede bang mangyari sa buong Pilipinas... apat lang ang binoto ng isang tao pero labin-dalawa po ang bibilangin noong makina?” (“Can it happen all over the Philippines...that a person votes for only four candidates but the machines count votes for 12?”)

Brillantes: “Tama ho iyon.” (“That’s right.”)

Cayetano: “Did it happen, Mr. Chair, only in 2013 or pati 2010?” (“Did it happen, Mr. Chair, only in 2013 or in 2010 as well?”)

Brillantes: “Nakita ho namin iyan sa 2013, hindi pa ho namin nai-check iyong 2010.” (“We saw it in 2013, we haven’t yet checked 2010.”)

Cayetano: “Then how can we decide on having a manual or automated (election) in 2016 if we can’t assure our people that walang dagdag-bawas (there will be no manipulation of the count)?... This is the first time I’ve heard Comelec admit that it can happen.”

Brillantes: “The machine is not perfect... There are certain glitches (and) deficiencies... that can adversely affect the results.”

That admission raises the question: why then is Comelec insisting on perpetuating the use of an automated election system that its chair agrees is flawed? And why has Comelec not blacklisted Smartmatic, the provider of this flawed system, and why is it allowing Smartmatic to bid again for the supply of the election system to be used in 2016?

It should be mentioned that Comelec has asked Congress for a budget to buy 23,000 additional PCOS (Precinct Count Optical Scanner) voting and counting machines for P2.5 billion. P109,000 per machine? Computer science professor Dr. Pablo Manalastas of Ateneo University asks: Isn’t that overpriced?

Although I -- and several others, including computer industry pioneer Gus Lagman and former Philippine Computer Society president Nelson Celis -- have been writing about the serious flaws in Comelec’s implementation of a computerized election system since before the 2010 automated polls, most people still are not clear on what exactly makes the whole system defective. Indeed, I continue to receive queries on this subject, many of those from politicians and would-be politicians.

To condense part of what I’ve explained in my book Hacking Our Democracy (2013), there are three ways of rigging the results in an automated election.

The first way involves adding and changing a few lines of programming code (instructions) in the software of the voting and counting machine. In essence, the changed instructions can direct the computer to add one vote to a particular candidate and subtract one vote from another candidate. This is the electronic form of dagdag-bawas (literally, add-subtract). It’s a simple algorithm and any programmer who’s studied the program can easily do it.

To guard against this happening, our automated election law requires that the software source code be made available for thorough examination by political parties and interested observers, then duly certified, loaded into the machines under public (trusted) supervision, and secured from unauthorized access throughout the poll exercise.

It should be pointed out that Comelec, ignoring calls from political parties and computer industry experts for such a “source code review,” adamantly refused, in blatant violation of the law, to make the program software available in both the 2010 and 2013 elections. That meant that all sorts of malicious instructions could have been executed by the voting and counting machines in 2010 and 2013, and no one would necessarily be the wiser. (The altered instructions would have, as a matter of course, included a line telling the machines to erase the malicious code immediately after it is executed.)

The second way involves transmitting fake precinct returns to the central canvassing and tallying computers. This was made possible -- again, in both the 2010 and 2013 polls -- because Comelec explicitly refused to implement another requirement of our automated election law, that of requiring precinct returns to be digitally signed by the by-law-designated election official. What a “digital signature” entails is the encryption of the transmitted returns using a “private key” (a very long string of digits) unique to a designated election official. This basically identifies the sender, authenticates the document being transmitted, and ensures that it hasn’t been altered.
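What the canvassing side gains from signed returns can be shown in a short added example (not part of the column and not code from the Comelec system). It assumes Ed25519 signatures, one registered public key per precinct, and a made-up tally format; all function names and precinct IDs are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// message binds the precinct ID to the tally so a signed return cannot be relabelled.
func message(precinct string, tally []byte) []byte {
	return append([]byte(precinct+"\x00"), tally...)
}

// Sign runs on the precinct machine with the designated official's private key.
func Sign(priv ed25519.PrivateKey, precinct string, tally []byte) []byte {
	return ed25519.Sign(priv, message(precinct, tally))
}

// Accept is the canvassing-side check against the registered public keys.
func Accept(keys map[string]ed25519.PublicKey, precinct string, tally, sig []byte) error {
	pub, ok := keys[precinct]
	switch {
	case !ok:
		return errors.New("no public key registered for this precinct")
	case len(sig) == 0:
		return errors.New("return carries no signature")
	case !ed25519.Verify(pub, message(precinct, tally), sig):
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo checks constructed returns: genuine, altered, sent by another machine, unsigned.
func Demo() []error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // key of an unregistered machine
	keys := map[string]ed25519.PublicKey{"P-0001": pub}
	trueTally, fakeTally := []byte("A=120;B=95"), []byte("A=95;B=120")
	return []error{
		Accept(keys, "P-0001", trueTally, Sign(priv, "P-0001", trueTally)),
		Accept(keys, "P-0001", fakeTally, Sign(priv, "P-0001", trueTally)),
		Accept(keys, "P-0001", fakeTally, Sign(rogue, "P-0001", fakeTally)),
		Accept(keys, "P-0001", fakeTally, nil),
	}
}

func main() { fmt.Println(Demo()) }
```

Only the first return is accepted; a server that skips this check has no basis for telling the other three apart from it.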

Because the precinct returns were not digitally signed in 2010 or 2013, it was impossible to properly authenticate the actual source (and sender) of the returns that were transmitted to the central canvassing and tallying computers. That meant that manufactured (fake) returns could have been transmitted from anonymous machines to the canvassing servers, replacing the true returns being sent from the precincts (the transmittal of which would have been jammed). This has been shown to have happened when circumstances allowed the examination of the machine transmission logs. For example, in Biliran province, examined logs showed that canvassing servers received returns from precincts at times when the precinct machines had already long been switched off.
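The kind of log cross-check described for Biliran can be automated. The following is an added example, not taken from the column or from any actual audit; the log format, event names, precinct IDs and the two-minute clock tolerance are all assumptions, and the log lines are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample logs in a hypothetical "timestamp precinct event" format.
const machineLog = `2013-05-13T07:02:11 P-0001 POWER_ON
2013-05-13T19:45:30 P-0001 POWER_OFF
2013-05-13T07:05:40 P-0002 POWER_ON
2013-05-13T19:20:00 P-0002 POWER_OFF`
const serverLog = `2013-05-13T19:40:09 P-0001 RECEIVED
2013-05-13T23:58:44 P-0002 RECEIVED
2013-05-13T20:15:00 P-0003 RECEIVED`

const skew = 2 * time.Minute // tolerated clock drift between machine and server

// each calls fn for every well-formed line; a real audit would also report the rest.
func each(log string, fn func(at time.Time, precinct, kind string)) {
	for _, line := range strings.Split(log, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			if at, err := time.Parse("2006-01-02T15:04:05", f[0]); err == nil {
				fn(at, f[1], f[2])
			}
		}
	}
}

// Suspicious lists receipts that no powered-on precinct machine could have sent.
func Suspicious(machine, server string) (findings []string) {
	last := map[string]time.Time{} // "precinct kind" -> time of latest such event
	each(machine, func(at time.Time, p, kind string) { last[p+" "+kind] = at })
	each(server, func(at time.Time, p, _ string) {
		_, known := last[p+" POWER_ON"]
		off, closed := last[p+" POWER_OFF"]
		if !known {
			findings = append(findings, p+": return received, but no machine log")
		} else if closed && at.After(off.Add(skew)) {
			findings = append(findings, p+": return received after power-off")
		}
	})
	return findings
}

func main() { fmt.Println(strings.Join(Suspicious(machineLog, serverLog), "\n")) }
```

A check like this only detects the anomaly after the fact and depends on the machine logs themselves being trustworthy; it does not replace authenticating each return when it arrives.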

A third way of changing election outcomes is through the compact flash (CF) cards, the memory devices that contain the configuration settings that determine how the PCOS machine will appreciate a particular ballot. The prescribed specification for these CF cards is that these should be non-rewritable, that is to say, “write-once.” Once the configuration has been written into a write-once CF card, it can no longer be overwritten and modified. The reason for this requirement is to prevent the CF cards that are installed into the voting machines deployed to the individual precincts from being altered to “mis-appreciate” the ballots of voters. Changing CF card configurations can mean that certain shaded boxes will simply not be read as votes for a candidate.

Comelec -- again, in both the 2010 and 2013 polls -- just disregarded this requirement and used CF cards that were rewritable. What that meant was that those CF cards could be re-configured anytime while in transit from the Comelec/Smartmatic warehouse to the assigned precinct. That could be done by any individual (given simple instructions) who could obtain access to a voting machine for as little as five minutes. Since the machines and the CF cards were not really well secured while in transit, there were myriad opportunities for doing this.

It is easy to rig the results of an automated election without proper security safeguards and independent validation mechanisms. In essence, the trouble with Comelec’s implementation of our computerized polls is that, in brazen violation of our election laws, it disabled standard computer security protocols that could ensure the integrity of the system and protect the data being tallied from being altered and modified. Furthermore, also in violation of our election laws, Comelec eliminated all the mechanisms that would allow the public and independent observers to authenticate the data being electronically transmitted and to verify the count. In short, the system is completely untransparent and there is no way for us, the public, to validate the results. Whatever Comelec proclaims as the outcome of any race has to be accepted by the rest of us on sheer faith.

That’s not democratic. Without means for verifying and validating the count, why even vote?

The JCOC meets again on Nov. 20. What will it decide?

Dr. Rene Azurin is a management professor, strategy consultant, and author of several books on government and the economy.