With May 9 looming around the corner, I am quite concerned about rumors and warnings of massive cheating that some are predicting and spreading on social media. Fortunately, I happen to have a valued resource in my contact list whom I trust can shed light on what is possible or not possible in terms of cheating, even if we are already using the automated election system.
This person is Dr. Pablo Manalastas, my calculus professor way back in college at the Ateneo De Manila. Aside from mathematics, Doc Mana (as we fondly called him) is also an expert in computer science and programming. What many people do not know is that he, along with other well-meaning and conscientious programmers, spent many hours studying the source code of the software to be used in the voting and canvassing machines this coming election. They did this on a purely voluntary basis, without allowance or compensation, or even much appreciation or recognition. But what they did was a genuine service for the country and they deserve our gratitude.
A few days ago, I sent Doc Mana a message asking him what his assessment was of the possibility of cheating in the elections via hacking or some other means.
This is his reply (with edits made to explain the many acronyms used):
There are many programmers who have seen the source code of the Election Management System (EMS), Vote Counting Machines (VCM),and Consolidation and Canvassing System (CCS), including Rodel Aniban, Kendrick Chan, Wilhansen Li, Pepe Bawagan, Suzi Bermudez, Dr. William Yu, myself, and other programmers. These programmers are not just some mediocre programmers, because they are some of the best C/C++/Java programmers that you can find, anywhere.
Most of us have agreed, after reading the source code, that there is enough security in the source code to make cheating, using the source code alone, very difficult. However, there are ways of cheating without touching the Final Trusted Build, compiled from the source code.
General principle for cheating: Access to the Oracle databases of the EMS, the configuration files of the VCM and CCS, the voting records in the VCM, election returns (ER) of the VCM, certificates of canvass (COC) of the CCS, and transmission packages. All these are controlled by symmetric keys, and asymmetric key-pairs used for encryption and decryption, to control access. A few Comelec insiders with proper access, with the help of a few key people in the field, can change by “dagdag-bawas” both softcopy and hardcopy ERs and COCs. This is not easy to do, but it can be done.
- The ballot face contains the row-column positions of candidates, and these positions must be correctly entered into the VCM via configuration XML files (XML is a certain kind computer file format). Errors in these XML files, whether intentional or not, may cause votes for some candidates to go to a favored candidate. Fortunately, these errors will show in the Voter-Verified Paper Audit Trail (VVPAT), even the simple VVPAT that the Comelec will issue. Note that these XML files are not part of the source code, but they can be used for cheating in the absence of VVPAT.
- The asymmetric keys (private-public key pair) that all Board of Election Inspectors (BEI) will use for digital signing of the precinct ERs, and that all Board of Canvassers (BOC) will use for digital signing of the COCs and Statement of Votes (SOV) will all be generated by Comelec, will be in Comelec’s safekeeping, and will be handed to the BEIs and BOCs in time for final testing and sealing, and for digital signing on election day.
Whoever has possession and control of the signing keys will have control of the ERs, COCs, and SOVs. Control means whoever has possession of these keys, or copies of them, can generate their own ERs, COCs, SOVs, and can make these appear as if they were generated in a real election precinct on election day. This is hard to do, but it can be done.
Cheating using this method can be wholesale cheating, at the level of municipal/provincial canvassing, and can be done without touching the source code. This form of cheating can be prevented using all of the following steps:
(a) Allow the BEIs and BOCs to generate their own private-public signing keys, allow each BEI and BOC to keep secret and safeguard his private key, and allow third party certificate authorities to certify the public keys.
(b) Post the original digitally signed ERs, COCs, and SOVs at the Transparency Server (TS) and at the Comelec Public Access Website (CPAW), and allow each person that downloads them to verify the correctness of the digital signature to ensure their authenticity, that no dagdag-bawas has taken place.
(c) Post all ERs, COCs, and SOVs at the TS and CPAW, including those that were hand-carried to the CCS due to failure of transmission. Handcarried ERs/COCs/SOVs can be transmitted to their intended destinations by the CCS to which they were hand-carried.
Dr. Manalastas further noted that (a) will most likely not be implemented due to lack of time:
The important thing here is that, using OpenSSL, each BEI/BOC member must generate his own key pair, and Comelec must have nothing to do with the safekeeping of the private keys. But this is not done at present. The Supreme Court, if a case is filed there, will probably decide in favor of Comelec’s current procedure of generating all keys, even those for use by the BEIs/BOCs, simply because of lack of time.
So I asked that if there is a scenario where it would be possible to cheat if (a) is not followed since this is already a near-certainty:
This is one possible scenario…Some Comelec operators preload several extra VCMs with prepared voting records, prepared pre-signed ERs, prepared manually pre-signed printed ERs, and transmit these ahead of the real precincts, and deliver the printed ERs via Comelec couriers to recipients like PPCRV, etc. This was allegedly the manner of cheating done in 2010. It is hard to do, but can be done.
And the reason why it is hard to do is that it requires the complicity of so many people in order to cheat. If only one of them breaks and leaks out the truth, then everything will come undone. However, Dr. Manalastas also warns us in another related post that if the perpetrators are able to pull it off, the public will be clueless. We will not know about it, even if we religiously follow (b) and (c).
Finally, I asked him he thinks are the chances of cheating in this coming election and he said:
If the Comelec Mafia is stricken with guilt and behaves in 2016, and if the Commissioners’ hearts and souls are in the right places, Comelec still has 30% of voter turnout to play with in its dagdag-bawas “extrapolation” to determine winners, the 30% that was not successfully transmitted. In 2013, the Comelec never really accounted for its final senatorial count. It could not, because it does not have correct data, with the extensive dirty lines problem of the PCOS machines. So it does educated guessing, something the law does not allow, but something that Comelec has repeatedly done, and gotten away with. What confidence do I have that there will be no cheating? My heart bleeds, my soul is dying, no one really cares, not even the Supreme Court.
That doesn’t sound too good to my ears.
Originally published in Sunstar Davao.