Introduction

For decades, we have used the manual system of voting, counting and canvassing in the elections. National canvassing takes two to three months. As our current elections system is exceptionally prone to various forms of corruption, it has been a popular cliche that a candidate either wins or is cheated.

But this is soon to change - or so we think. The Automated Election Law which requires an automated election system (AES) to “encourage transparency, credibility, fairness and accuracy of elections” [AES] will be implemented. The COMELEC is mandated to evaluate and recommend appropriate technoloy for the implementation..

The first attempt to implement AES was scrapped by the Suprement Court in 2004. COMELEC's P1.7 billion contract with Mega Pacific Consortium was declared null and void due to irregularities.

COMELEC's second attempt to automate has a signed budget of P11.3 billion. It was approved by Pres. Gloria Macapagal Arroyo on 24 March 2009. Bidding invitation will be released on 4 April 2009. According to the project's calendar the AES will be ready and deployed by 25 April 2010.

On this article, we will attempt to introduce AES and its possible use in a transparent, credible, fair and accurate elections. Two technologies will be discussed; direct recording-electronic (DRE) and optical media reader. We will focus particularly on AES as proposed by COMELEC. In the end, we give a stern warning that if the AES is implemented without serious considerations on its limitations, without credible people running the elections, this kind of tool can be used to implement large scale fraud and cheating.

What is AES?

Bruce Schneir, a well-known security and cryptography expert outlines four major characteristics of an AES – Accuracy, Anonymity, Scalibility and Speed. AES should be accurate in translating voter's intent into a tally. It should be secured such that votes can not be tampered or changed. Secrecy of the ballot should be protected by the system. In our case, it should be able to handle 45 million voters without compromise of accuracy and anonymity. Finally, AES should be able to generate quick results. There are two popular technology used for AES, optical mark reader (OMR) anddirect recording-electronic (DRE).

OMR is used in many nationwide assesment tests by the Department of Education. With this method, the voter fills an oval or circle to mark his or her choice in the ballot. At the close of voting, the ballots will be located in a central tallying area. An optical mark reader will be used to read the marks and tally votes for the candidates. The precint level tally will then be transmitted to the municipal, provincial and national canvassing.

On the other hand, DRE records votes by providing the voter a ballot display which can be activated using buttons or a touchscreen. A computer software handles the translation of choices to votes, tallying and transmission of the tally results to a consolidation center. Most reported errors and election fraud using AES utilized this technology.

The OMR system that will be rented by COMELEC will have 80,000 Precint Counting Optical Sensors (PCOS) machines. PCOS is composed of a computer system (it can be an ordinary or customized desktop computer with AES software installed), an OMR device, can be similar to a dot-matrix printer, which will read marked ballots, and a networking device for data transmission.

AES in other countries

Contrary to Sen. Richard Gordon's opening paragraph in [INQ], there are more reports of frauds and errors in the use of AES. Most of these documented reports [IE] are from advanced countries that have sufficient time to evaluate technologies and vendors before implementation.

In March 2, 2004, absentee votes of about 6, 692 ballots were overlooked by an improperly calibrated marksense scanner in Napa County, California. This same technology will be adopted by COMELEC in 2010.

Recently, electronic voting was banned by the German Constitutional Court on the grounds that the voting machines “conflict with the principle of transparency.”[GN] Prior to this ruling, a “Top to Bottom Review” was commissioned in May 2007 by California Secretary of State Debra Browen of all electronic voting machines in the state. The Review reported “significant security flaws in all of the manufacturers' voting systems. It cited “flaws that could allow a single non-expert to compromise an entire election [SF].”

Furthermore, there are other studies [IE] on AES which warn against the risk of adopting it hastily because of the software engineering challenges, insider threats, network vulnerabilities and the challenges of auditing.

COMELEC's Project Timeline

To have a picture of the implementation plan of AES by COMELEC, we look at similar efforts in other countries.

When the New York State in the USA considered electronic voting machines, a minimum of 475 days were alloted for the full implementation. COMELEC's calendar has about 400 days from bidding to implementation. New York has about 23 million voters and single set of candidates for the whole state. In contrast, we have 40 million voters and 1600 towns with different sets of local candidates. New York’s geographic characteristic is simpler than the archipelago of our country. Furthermore, electronic voting machine dealers are locally available in New York. On the other hand, these are not available in our country.

There are 11 vendors interested in bidding the PCOS machines which use OMR. They are US firms Sequioa, Avante, ES/S, Hart and Scantron; a Venezuelan company named Smartmatic; DRS of United Kingdom; Bharat of India; DVS Korea of South Korea; Gilat Solution of Israel and Indra System from Spain. These companies have to import all 80,000 machines that will be rented by COMELEC.

The winning vendor for the AES will have Php 11 Billion from taxpayer's contributions. They have to accomplish interrelated tasks in a very tight schedule. The timeline has little provisions for trials, errors and failures.

We take a closer look on the different tasks that need to be completed in the project.

1. Customization of Systems and Systems Development. AES machines have to be configured before deployment. COMELEC is alloting 166 days compared to the normal 180 days to finish this first step. If vendors have the best programmers, they may be able to produce a customized software program for our elections within a month. They should be able to configure 588 machines everyday in the next four months to continue with the next tasks.
2. Machine Testing. Test procedures on the machines have to be thorough. Since the system will handle a very important part in participatory democracy, all 80,000 machines have to be tested. The usual industry practice of random checking and tests is unacceptable. The test should include reading the paper ballot and all possible scenarios related to it (i.e. ballots with confusing marks, etc), data storage, checking of its counting accuracy, data security, data transmission, and printing capabilities. They should be able to test 2,666 PCOS per day in a month.

   For a particular vendor, the US firm Avante, the PCOS is an ordinary computer with attached OMR reader similar to a printer. The ballots are fed to the OMR reader during precint level counting. Avante then has to have 111 technicians all working 24 hours to test the hardware performance of the computer, its operating system, the software program for the AES, the integration of OMR reader to the computer, and its data transmission capabilities.

3. Creation of machine configuration, ballot face, etc. The 2010 elections will include different candidates in the local level. Machines should be configured to have the correct sets of candidates per district down to the municipal level to the national posistions. This particular task should finish 666 customized PCOS everyday within three months. A misconfiguration can result to failure of elections in a local area. Printing of ballots is linked to this customization stage and should produce 50,000 ballots per day in 100 days. The reading function of the OMR machines should be tested also with the printed ballots
4. Deployment of Machines/Transmission Equipment. Once every machine is properly configured and tested, deployment to designated counting or canvassing site starts. The vendor should be able to deploy and set-up about 1,500 machines everyday in less than two months to cover the whole country. Technicians should be recruited and trained to support this massive deployment. They should be able to certify 1,600 qualified technicians daily in 50 days.

This tight schedule combined with the very interrelated tasks to complete the project make a good recipe for disaster. One delayed or failed task will impact its delivery significantly.

How to cheat the AES?

Will the AES pave the way for transparent, credible, fair and accurate results in the elections? The slow process of tally in the precint level and municipal/provincial canvassing has contributed to this chronic election problems to which AES is prescribed as the solution. On the contrary, COMELEC's current AES will not eliminate cheating and fraud. In fact, it can be a tool for larger scale cheating and fraud.

We now focus on the technological challenges of AES. Insider threats, software engineering limitations, network vulnerabilities and required auditing procedures are the four main challenges on any implementation of AES.

Insider Threats. Using AES, insider manipulations become more sophisticated. Tampering becomes more mathematically consistent. In the manual elections, adding or subtracting results produces inconsistent totals of registered voters and actual votes. The use of AES can now consistently add and subtract tallies if programmed to. Insiders can overwrite consolidated data with results favorable to certain candidates. In the manual elections, the coordinated manipulation of municipal/provincial canvass is greatly limited by geographical factors. Multiple and synchronized provincial canvass tampering can now be done more easily by just manipulating the consolidation servers in the municipal, provincial and national canvassing

Software Engineering Limitations. Whether intentional or incidental, a software problem can affect all the machines for the AES. It is a fact to computer users that perfect software does not exist. Bugs are commonplace and they sometimes affect the same hardware with the same configurations differently. Documented reviews [IE]in other countries warn on malicious software that can be loaded to the AES which can affect the whole election results. “Viral” attacks can corrupt the whole installation of AES in a certain tallying center, destroying vote records.

Network Vulnerabilities. In manual elections, securing the data means physically locking the ballot in the box, and printing results for submission to the next higher canvassing level. This manual solution gets very complicated for AES. The machines should be physically secured. Data should be stored such that secrecy of the ballot is maintained and data are not changed. Encryption should be employed. Nobody except authorized personnels are able to do system administration on the server.

Even during transmission of data, there are still dangers of manipulation. Outside attackers can do advance cracking techniques to alter data being transmitted. The lower canvassing center can also transmit incorrect data. Both unauthorized insider or outside attackers can also send data to the official consolidation servers if authentication and security are not adequately placed.

Required Auditing Procedures. “Voter-verifiable-audit” [EV] trails should be in place. A voter-veriafiable-audit mechanism allows a voter to check consistency between his or her ballot and the recording made by the AES. In the event that machines fail, there should be a way to recount votes independently from the machines.

These AES challenges can be exploited and used to “automate” traditional cheating practices. Worst, it can also be used to sabotage the whole election.

Transparent, credible, fair and accurate AES

AES should be viewed as a mission-critical system similar to systems run by aircrafts, banks and space shuttles. In those systems, lives or millions of money can be lost if errors are not eliminated. But in the current COMELEC's procedures, AES is being acquired similar to an ordinary desktop computer with simple office productivity tools.

Technical assesments on AES should be carefully studied. AES should be reviewed by a large number of outside security experts with knowledge in computer security and cryptography. The source code, instructions written in a language understood by computers, of the system should be open and available to the public. This will allow all interested and technically-adept individuals and groups to scrutinize the functions of the system. It should have voter-verifiable audit trails for reference. It should accurately capture voter's intent to actual tally. It should be secured such that ballot secrecy is protected and tampering is made difficult. It should be able to effectively handle a large number of voters. Finally, it should release report faster than the manual elections.

In 2007, Task Force Pollwatch formed by progressive partylist groups used short messaging system (SMS) to track the elections. Email, fax, traditional landline and mobile communications were used to transmit data. These simple tools already provided accurate predictions in the supposed outcome of the elections. However, technology and reliable data at hand are useless once the government body that oversees the elections process ignores all obvious indications of cheating and fraud.

AES will not eliminate cheating and fraud in the 2010 elections. Moreover, technology to speed up voting and the canvassing process only becomes relevant and useful if the people behind the technology are credible and will serve to protect the interests of the population in the elections.

References

[AES] Republic Act 9369

[INQ] http://opinion.inquirer.net/inquireropinion/talkofthetown/view/20090321-...

[GN] Election to the Bundestag: Constitutional court stops use of choice computers - Spiegel online - message - net world, Retrieved 25 March 2009.

[SF] Testimony of Dr. Dan S. Wallach , Texas House Committee on Elections . June 25, 2008

[IE] Analysis of an Electronic Voting System, IEEE Symposium on Security and Privacy 2004.

[EV] R. Mercuri. Electronic Vote Tabulation Checks and Balances. PhD thesis, University of Pennsylvania, Philadelphia, PA, Oct. 2000.