There is a pressing issue that I think the Philippine cyberspace should discuss and this is the computerization of 2010 elections. We are going to spend around 8 billion pesos in LEASING counting machines for 12 hours without the assurance that the data generated by these machines are genuine.
Safeguarding the 2010 Elections with Digital Signatures
Pablo Manalastas, PhD
Department of Information Systems & Computer Science
Ateneo de Manila University, Katipunan Avenue, Quezon City 1108
April 2009
President GMA has just signed the 11.4 billion peso supplemental budget that will enable the full computerization of the May 10, 2010 national and local elections. The Commission on Elections (Comelec), in turn, has published the terms of reference or “Request for Proposal 2010 Elections Automation Project” (RFP) which will guide the vendors in their bids to supply computer and communications equipment, election software, training of Comelec personnel, and management of the entire election process.
The amount of 11.4 billion pesos is not a small amount of money, and is probably the biggest budget for an IT project ever undertaken in the entire IT history of the Philippines. Why the important players like computerIT companies, communications companies, software houses, government IT agencies, the academe, and local computer organizations, were not consulted in the design of this allimportant IT project is incomprehensible. Even more incomprehensible is why an IT person was not appointed to the Comelec at a time when the Comelec needed an IT expert among its commissioners.
All preparations have been made, no matter how inadequate, and Comelec will push through with fully computerized 2010 elections. All that we can do is be vigilant and make sure that Comelec does not squander its humongous budget.
Please read the complete paper in PDF: safeguarding 2010 elections
COMELEC’S Poll Automation Will Make Fraud More Dangerous
When at most 70 percent of some 50 million voters go to the polls on May 10, 2010, they won’t be able to track how their votes are counted or canvassed. Winners in the national and local elections led by a new president will be declared two or three days after – and the whole nation will be at a loss in knowing whether the election results are real. Protests may probably be hard to file not only because of a lack of paper trail but also for lack of time.
….Poll automation feeds the wrong impression to the public that elections will be clean and credible. Because it is a machine, it is powerless against any fraud that takes place before, during, and after the elections. And, because it is just a machine, it is vulnerable to human intervention such as software attack,
glitches, and other technical problems that could result in wholesale electronic cheating.
Please read the full paper in PDF: COMELEC’s Poll Automation…
Popularity: 3% [?]
Felix,
I agree with the need for broader public discussion of the automated election system. And online is certainly where the qualified discussants are. So thanks for this post.
As a kickstarter I would like to contribute the following perspective:
Start with the observation that there already exists a very common nationwide automated system that most people are familiar and comfortable with that already embodies the hardware, software, security, reliability, audit trail and access features most people mention when they are describing an ideal election system.
I am referring to the Automated Teller Machine System that most of the large commercial banks run and which have been servicing the public's automated financial transactions for well over a generation now. Although most people might make some smart alecky remarks about the ATMs and Banks in jest, I think that most people believe these financial transaction systems are general sound and secure.
To a first approximation then, I think that an Automated Election System ought to look and feel and be a lot like the Automated Teller Machine Systems, and any proposed election system can be judged according to how closely it approximates that other very well known, well debugged and generally secure automated financial transaction system.
Indeed I would posit that the ATM system quality and features be a minimum benchmark that an AEM system must meet.
I think when we consider all the various objections to the current implementation of an automated election system that most if not all of them have already been encountered and solved by the ATM implementation, and more.
In my opinion a successful AEM system will be as sophisticated – and mundane! – as an ATM system. Thus I strongly agree with your pessimistic assessment of Comelec's chances at a successful implementation in about twelve months! But I think this also means we know what we are shooting for.
I hope the ATM analogy gives a FIRST APPROXIMATION as to the overall scale and measure of the system we need and the task before us as a Democratic society. At the same time, I don't consider it a case of some major new invention being required. We do not have to reinvent any major Wheels to implement an automated election system because we already have a template in the ATM network. Felix,
What does "…. were not consulted" mean? Is this "…. Ateneo was totally left in the dark and had no idea of the project"? Is it "…Ateneo has not received any money to participate in the IT project"?
A P75-million contract should be given to the Ateneo de Manila/Quezon City to do system-verification testing. And a P25-million to UST to check on Ateneo's work.
There was an earlier blog, "Christian Monsod and other doubting Thomases" which appeared at FV on March 12, 2009.
Next, instead of appointing an IT expert as COMELEC commissioner who 'must' come from Ateneo, maybe, allow Mr. Ike Senerez and his 10 geeky hackers to assume a role.
For it was Senerez who offered to challenge the COMELEC that the P12 billion poll automation is "hackable".
Besides, how can it be discussed 'surgically' in cyber space if we don't even know who the 'surgeons' are and what exactly will be cut by the 'surgical knife'?
Primer,
"Doubting Thomases" are very important to the successful implementation of a public computer system like this one.
If the Winning Bidder is at all competent, responsible and confident in the capabilities of his proposed system, the process of surviving the Doubting Thomases and respoinding to and possibly assuaging their doubts with both design and testing, strengthens and improves the eventual performance and reliability of the system.
So, a System Supplier will eventually be chosen by Comelec. Such a Supplier ought to be able to explain and defend the proposed system to the DT's and agree to tests and demonstrations that respond to objections and criticisms or other challenges to the integrity of the system.
To facilitate this discussion let us play a Simulation Game. Some of us take the role of the System Supplier, armed with a contract from Comelec for an 11 billion peso system, and the Election Modernization Act with its specifications and requirements on the system, who can present the proposed implementation. Others can be DoubtingThomases and present objections, questions, challenges, tests, etc.
Perhaps in that way we could simulate the coming public debate itself…what do you think?
My proposed system is the Bank of the Philippine Islands (BPI) ATM Network suddenly donated to the Winning Bidder (me) and available for suitable reprogramming to handle the registration, polling, canvassing and reporting of the 20XX elections.
Questions? Doubts? Objections?
DJB:
Will retrofit your reprogrammed ATMs with USB biometric equipment – choice of fingerprint or retina scan para one thumbprint/one retina – one vote.
Question is can we get all the voters thumbprints into the system on time?
Have a contract ready to be deployed on a handshake :)
Why take three days if the results can available within hours.
No need for biometric scanners. Slow down the AEMs and you slow down the cheaters. Limit the AEMs to 1 vote per 3 minutes and cheaters are considerably slowed down.
The cheaters are slowed down, BUT… they are still… CHEATING. albeit slowly. And the process is also slowed down, not just for cheaters but for legit voters as well.
Biometric scanners are a very powerful tool for the purpose of authentication, uses data that is intrinsically linked to the individual and is therefore personal data, unlike the case of tokens/passwords/PINs which are only indirect links to the users and cannot be used to uniquely identify individuals (read.. GOODBYE FLYING VOTERS, GOODBYE VOTER IDENTITY THEFT). more at <a href=”http://www.cesg.gov.uk/policy_technologies/biomet…” target=”_blank”>http://www.cesg.gov.uk/policy_technologies/biomet…
It does not have to be hard – authenticate the voter's identity, cast/verify/submit the ballot, and head out. Doable in 3 minutes using biometrics PKC devices.
We can of course get fancy with biometrics, but the PRESENT solution of the ATMs is simple enough: password protection of the card. Also there is the fact that when you transact you are being videoed including possibly a voice recording as you step up you say your name or go through some small routine equivalent to taking an oath…to impress on everyone that if you are not who your card says you are, you will surely be caught!. The time factor before 2010 may be short, but eventually the idea is to give everyone an electronic voters card much like an ATM card that stays with them forever and is used everytime they access an AEM.
validating the image on the video against a database of names and faces takes a longer time – and what if we have twins? or use of latex masks? the investment in latex masks can be recovered when the candidate is in office – a biometric device will uniquely identify the individual – one thumbmark/one retina – one vote. why settle for a band-aid solution? if we are going to really do this, let's do it right.
Once a voter's biometric is captured, his body parts become his "ATM card that stays with him forever" unless he is amputated.
I agree that the AEM should look and feel like an ATM but it should not be networked. Not networking the AEMs will make it less susceptible to hacking.
If you insist on a networked AEMs then invest on at least 3 mainframes to handle the transaction volume. Be ready to spend millions of dollars for the software to run those mainframes. Forget Sun servers or anything similar. They will most likely hang because of the volume.
Yup yup yup. PhP 11.4B is roughly USD 228M at USD 1:PhP 50.
I think P11.4 B is not enough to build out the AEM Networked System, but we did say 20XX. Hehe. I shall accept this simple problem of lack of money for now, but only for 2010. With 11 billion we can build the basic system though.
It is essential that this proposed system be securely networked using encryption and other standard tactics already in use by the ATM Networks of the banks. I think that level of security is really what we want. I would only stress that there is no special invention required. The solution is already in place in the banking system.
Better safe than sorry, if we are to implement robust security, smart cards+PKC+biometrics is the way to go – one thumbmark/retina – one vote.
Cost of biometric devices are quite affordable and very much negotiable.
In 2007… repeat… two-thousand-and-seven, the Ateneo may have been clueless, but deLaSalle was not:
————–
DLSU invited to do research on poll automation technology
By Erwin Oliva
INQUIRER.net
First Posted 16:10:00 10/08/2007
Filed Under: Elections, Research, Computing & Information Technology, University
MANILA, Philippines–The De La Salle University (DLSU) has been invited to assist the Commission on Elections' (Comelec) technical advisory council by conducting scientific research on poll automation technology that would be most appropriate for the country, a government executive has told INQUIRER.net.
The Comelec technical advisory council is mandated by law to evaluate and recommend an automated election system that would be used during the 2010 elections. The group has suggested a pilot test of an automated system in 2008 and a fully automated election in 2010.
Is It true that Sen. Allan Peter Cayetano is offering millions of peso to who can hack that system?
hmmmmmmmm…….Lets see
True. But silly, immature and possibly computer illiterate,he is.
Cayetano generously offered millions of pesos … government-money, not Cayetano-money.
We have spent a lot for the safeguard of the coming election. Now we must be vigilant to safeguard our
investments. That nobody will frustrate our will to elect a leader.
Yup. Our automated system can count votes for boozing womanizing thugs faster than ever. We can drop into the precipice faster than ever.
Tasio,
I keep reading this in the usual places: "We must remain vigilant!"
WTH does "remaining vigilant" really, really mean? Monitor your gmail every ten seconds. Read the Philippine Daily Innuendo from end to end twice a day? What?
Use 256-bit SSL encryption, use firewalls, and use biometrics – one thumbprint/one retina, one vote.
There are simple manual procedures that can be used to achieve one voter/one vote. Transmission of the data through the network is always a problem. The COMELEC should at least have a dedicated line.
If there's a budget – T3 or T1 lines can do the job – with redundant satellite Internet similar to Hughes Internet – or even Broadband Power Lines (BPL) – using the electric grid as an Internet distribution network.
As long as the budget is there – the COMELEC can get a T3 or T1 backbone with a satellite Internet backup connection plus Broadband Power Lines (BPL) in rural areas.
felix,
thanks for these links. the acronyms leave me dazed and confused. i have a basic question:
the cenpeg webpage has evaluation results for the 2008 ARMM elections, which was referenced in one of your links.
is the automatiion method in the ARMM be used in 2010? is this the SAME exactly as Precinct Count Optical Sensor?
The RFP needs to add an additional layer of security – use of biometric devices will ensure one thumbprint/retina – one vote – PKC can't top that.
Remember that PKC is for protecting data that is usually in transit to somewhere else, or to protect against unauthorized access of some kind. It plays its own role, which would be different from biometric identity checks.
Agree. PKC wraps itself around the biometric data. The biometric data serves as a unique identifier for each individual. The PKC protocols provide an additional layer of security to the biometric identifier.
whats RFP? PKC? whats proposed by comelec for 2010?
Bong,
I think biometrics is sexy. I'm all for what works and can be implemented as easily and reliably as possible. Fingerprints and photographs everyone understands. There are more sophisticated measures but choosing them should be justified by need. I am for video recording of each voter inserting their card so that every real flying voter knows the evidence to put them in jail is being taken as they cheat! Just as people protect their ATM cards, they will also secure their AEM cards.
DJB:
From <a href=”http://www.manilatimes.net/national/2009/march/07…” target=”_blank”>http://www.manilatimes.net/national/2009/march/07…
Looks like handshakes have been made. <img src="http://img.photobucket.com/albums/v241/coldpassion/raisedeyebrow.gif">
While at this intellectual orgy, one should be grabbing some update from the COMELEC for us to chew from time to time although I am not sure if that behooves upon DJB – our Al Pacino here (ala Simone).
Two points are as important: who holds the key? If it be COMELEC, then who will police the COMELEC in case of inside job? Who designs the commands that should go into the system or network and what are these commands? It can happen that the command is in the oblique – a vote to Politician X credits to Politician Y.
Our whole problem with automation is that no one sees what is going on inside those computer chips – no signs can indicate there is something fishy going on. Perhaps, as soon as one has voted, the computer must print an acknowledgment slip wtih significant cross-reference data or something that is digitally verifiable in real time.
Primer:
Normally, the hard-copy summaries can be cross referenced against each individual voters ballot print-out. A manual audit will easily spot a consistently flawed algorithm.
Election computerisation? Not a few people will get rich!
Primer,
Your questions are fair enough: (1) Who holds the "key"? and (2) What's inside those computer chips?
How, in short, is the Public assured that we, the System Supplier, won't be doing an inside job, won't be selling the "key" to one of the candidates and sneaking in a victory by electronic dagdag bawas?
Well let me explain as follows in the general direction of your lack of faith in us by saying that we welcome such skepticism. In fact, you do not need to trust us, nor do we need your trust. However the system we are implementing is just like the one we built for Metrobank and BPI.
If you were to ask the same questions of your Bank, would they not reply that in fact these questions are not normally asked by people any more, who have bank accounts and use ATMs on a regular basis because "inside jobs" in banks, while not metaphysically impossible, are not common happenings, at least not on the scale of where someone could steal the entire contents of the vault by "hacking" the bank's computer system! It requires Wall Street geniuses to do that, and they work on greed, not passwords or operating systems.
Do we seriously worry for example that our banks are stealing our money, cheating us or that they maintain such insecure and hackable systems that we really ought to ask the banks "who holds the key" and what's in the ATM's computer chips. Maybe it steals a buck for every 100 we put in? How do we know?
Now it is not that we "trust" our banks that we don't actually have such worries. It is because we do not need to trust the banks by and large because of the interlocking checks and balances, audits and verification systems that have been built into these systems over the years.
An automated election system ought to be designed to have the same level of security and reliability and integrity as the financial and banking systems ATM network–which long ago addressed the very real issues and questions you raise.
I will try to oversimplify my point, if I can.
I see as worlds apart an otherwise unwitting equivocation system-wise in terms of the reason why one has to run after the bank in case it cannot give back the money and for one to run after COMELEC in case it cannot give back the vote – even by way of a verifiable receipt.
It is pretty difficult having to deal with 50 million customers against a few hundred thousands.
GabbyD:
RFP means Request For Proposal.
PKC means Public Key Cryptography
Hi.. i have a question….regarding registering….i am already registered in my old married name….it was few years ago…that i got married again and using my new married name…i went in our municipal city at the comelec and bring my documents, one staff there who manage to give the application for registration … asked me, i said i will update my data to CHANGE NAME .. to my new married name…. so i they just give me application to fill up and follow instructions for finish the registration…. i did mentioned them that what will happen with my other old name there? i didnt see anything that they did update or find for my name….i did aske someone there and they said thats fine it will not be a problem anymore bec. i am now registered in new name….but i was thinking if they would update or delete my name since i didnt see they did something to it they just let me register…someone said if the old one name will not vote two consecutive terms of election it will be deleted in the list too….so what if my name still there when i vote this 2010 election, i will just ignor it…and wait for another 2nd term election until it get deleted from list? so what about the latest news i heard in the tv that they did announce that its a case court to have two names? wanted to clear about my situation when i register and just changed my name from my old name…i was expecting that comelec in our municipality would know what they are doing …
I believed the chosen software by the comelec for our fortcoming election can do the job except that it is an obsolete kind, troublesome and more importantly it is a very expensive one. Why did I say that? Coz they (comelec) chose and approved an OCR software. An optical character recognition, or in simpler term scanner.
Let’s put it this way. When we say scan there must be something to be scanned right? That’s why they need to print 50.7 million ballots an equivalent number of voters irregardless whether all of them so called registered voters would participate.
Based on record everytime we had this kind of activity only 80& would joined. So what are we going to do with 10 million ballots not use. Don’t you think its a lot of waste at the end of the day? Which in fact we could get away with it if only these (senile)people out there in comelec approved a simpler program. One that is more interactive like the one used by banks in their Automated Teller Machines where voters could punch their chooses directly on key pads that there’s no need to scan. Meaning no paper ballots are needed. And other more advantages we could avail of like there’s no worry if the voter exceeded the number chooses cast because the default mode of the machine to help us voter as we go along.
OCR softwares I admit is widely used even today. But it is used asscurity reasons like used in biometrics, iris scan, atm where the machine would ask us to swipe our atm card first before the machine would pop in the monitor asking us to enter our PIN. In transportation like MRT and LRT using it. Hotel industry is using it as key through key cards before you can access your rented rooms. Supermarkets and grociries are using it through scanning every items bought from them, Big companies nowadays use ocr through biometrics for their employees and to some extend iris scan to more sensitive areas for their selective employees. And more.
We need to remember when we say automation we refer to computer.And computer has it on limitation but can do a lot of things as long as we know what we want. As they say Garbage in Garbage out or popularly known as GIGO.
I say troublesome because being a scanner the source document must be very ligible enough to be read. That’s why the comolec is to busy explaining it to us that we must shade our chooses correctly.
I say again the approved OCR software chosen by Comelec is troublesome, expensive and obsolete but can do the job but it is not a walk in the park as the Americal people would say which is supposedly the case.