Automated Election System
Does automation = clean elections?
Possible Problems: Preliminary Results
Technical Briefing

What is the AES?
• "A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process"
Public perception of the AES
• It would lead to clean elections
• Cheating would be impossible in an automated election
AES System
• Election Management System (EMS)
  • Configuration of precinct data
  • Election Mark-Up Language (EML)
• Consolidation / Canvassing System (CCS)
  • BOC computer
Smartmatic Automated Election System (SAES 1800)
PCOS Machine

SAES 1800
• Precinct Count Optical Scan (PCOS) / Optical Mark Reader (OMR)
  • Detects the absence or presence of a mark in predefined positions on a form
SAES 1800 Components
• Thermal printer
  • 2-1/4 inch roll paper
  • Rated to last 5 years
• Embedded uClinux
  • Possibly with uClibc
  • Possibly with GNU core utilities
  • Licensed under the GNU General Public License (GPL), an open source licensing scheme
Voting Flow using PCOS-OMR
1. BEI inserts the physical key into the PCOS machine to power it on
2. BEI inserts the CF card into the PCOS machine to configure it
3. BEIs type passwords to initialize the machine (zero votes)
4. Voter fills up the ballot and feeds it into the machine
5. BEIs close the poll and print the ER
6. BEI attaches the external modem to get an internet connection
7. BEIs digitally sign the electronic ER, which is transmitted to the Consolidation/Canvassing System (CCS)
Consolidation/Canvassing System (CCS) – Real-Time Electoral Information System (REIS)
• Operating system: GNU/Linux
• Software possibly written in a server-side programming language (e.g. Java)
• City/Municipal level
  • Input: ERs from precincts
• Provincial/Congressional level
  • Input: Statement of Votes and Certificate of Canvass from cities/municipalities
• National level
  • Congress: President and Vice President contests
  • Comelec: Senators and Party List contests
  • Input: Statement of Votes
6 Vulnerabilities On Voting Day
(possible failures at each step of the voting flow)

Step: BEI inserts physical key into PCOS machine to power it
• Hardware failure: start-up or boot failure
• Hardware/software failure
• No backup units

Step: BEI inserts CF card into PCOS machine to configure it
• Wrong CF card inserted
• Wrong program installed

Step: BEIs type passwords to initialize the machine (zero votes)
• Failure to accept password
• Failure of initialization function
• Machine has stored ballot images already

Step: Voter fills up and feeds ballot into the machine
• Pre-marked legitimate ballots might be fed
• Legitimate ballots rejected
• Reading/scanning ballots from another precinct
• Voter cannot verify if ballot is read/scanned correctly
• Paper jam
• Misreading of ballots
• Mis-crediting of marks

Step: BEIs close poll and print ER
• Failure of function to close polls (pre-marked ballots can still be inserted)
• Erroneous counting
• Printer fails

Step: BEI attaches external modem to access internet connection
• Connectivity failure

Step: BEIs digitally sign electronic ER for transmission
• Signing/encryption/transmission failure
• Failure to accept password

Canvassing
5 Major Tech Issues: Software and Data Integrity

Highlights of Technical Concerns
• Verifiability of voter's choice
  • Machine interpretation of ballot
• Program correctness
  • Review of source code
• Program integrity verification
• Protection of transmitted data
  • Digital signatures
• System administration
  • Root users / system administrators
Verifiability of Voter's Choice
"Provide the voter a system of verification to find out whether or not the machine has registered his choice." [Article 7 (n) of RA 9369]
• No sufficient mechanism for voter's choice verifiability.
• Safeguard
  • Comelec has to enable the feature of the SAES-1800 that will show how the PCOS machine interpreted the ballot.
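The OMR slide above says only that the reader "detects the absence or presence of a mark in predefined positions", and the voting-day list warns of misreading and mis-crediting of marks. The following is an added example (not Smartmatic's code and not part of the CenPEG briefing) showing the kind of decision an optical mark reader makes per target cell, and why a voter-facing display of that decision is the safeguard: each cell is classified by the fraction of dark pixels, a faint or half-filled mark lands in an ambiguous band instead of being silently credited or dropped, and the per-candidate result is what a verification screen or printout would show. The 8x8 "pixel" cells, the candidate names and the two thresholds are constructed for the example; the SAES 1800's real calibration is not stated in the briefing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Interpretation is what the machine decided about one target cell.
type Interpretation string

const (
	Blank     Interpretation = "blank"
	Marked    Interpretation = "marked"
	Ambiguous Interpretation = "ambiguous" // too faint to credit, too dark to ignore
)

// Thresholds on the fraction of dark pixels in a cell. These are assumed
// values for the example, not the SAES 1800's calibration.
const (
	markThreshold  = 0.40 // at or above this fraction: credited as a mark
	blankThreshold = 0.10 // at or below this fraction: treated as no mark
)

// Darkness returns the fraction of '#' (dark) pixels in a constructed cell image.
func Darkness(cell []string) float64 {
	dark, total := 0, 0
	for _, row := range cell {
		total += len(row)
		dark += strings.Count(row, "#")
	}
	if total == 0 {
		return 0
	}
	return float64(dark) / float64(total)
}

// Interpret classifies a single target cell. Anything between the two
// thresholds is reported as ambiguous rather than guessed.
func Interpret(cell []string) Interpretation {
	d := Darkness(cell)
	switch {
	case d >= markThreshold:
		return Marked
	case d <= blankThreshold:
		return Blank
	default:
		return Ambiguous
	}
}

// InterpretBallot reads every target on a ballot (candidate -> cell image) and
// returns what the machine would credit. This per-candidate result is what a
// verification display should show the voter before the ballot is accepted.
func InterpretBallot(targets map[string][]string) map[string]Interpretation {
	out := make(map[string]Interpretation, len(targets))
	for cand, cell := range targets {
		out[cand] = Interpret(cell)
	}
	return out
}

// ConstructedBallot builds a toy 8x8-pixel cell per (hypothetical) candidate:
// one fully shaded oval, one untouched, one half-filled, one with a stray dot.
func ConstructedBallot() map[string][]string {
	full := []string{"########", "########", "########", "########", "########", "########", "########", "########"}
	empty := []string{"........", "........", "........", "........", "........", "........", "........", "........"}
	half := []string{"####....", "####....", "####....", "####....", "........", "........", "........", "........"} // 16/64 = 0.25
	dot := []string{"........", "..#.....", "........", "........", "........", "........", "........", "........"}  // 1/64
	return map[string][]string{"A": full, "B": empty, "C": half, "D": dot}
}

func main() {
	result := InterpretBallot(ConstructedBallot())
	names := make([]string, 0, len(result))
	for n := range result {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("candidate %s: %s (darkness %.2f)\n", n, result[n], Darkness(ConstructedBallot()[n]))
	}
}
```

The half-filled cell (25% dark) is the case the briefing's "mis-crediting of marks" points at: with a single threshold it would be credited or dropped depending on a number the voter never sees, so the only honest treatment is to surface it as ambiguous and let the voter confirm or re-mark.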
Program Correctness
RA 9369 requires Comelec to subject the source code to review by all interested parties.

Source Code
• Human-readable version of the computer programs running on the PCOS and BOC computers.
• Will reveal whether the counting and canvassing are done properly.
• To prove that the PCOS and CCS programs follow RA 9369 and the COMELEC ToR.
[Figure: an illustration of Java source code with prologue comments in red, inline comments in green, and program code in blue.]

Reviewed and approved source code → machine-executable format → burned into each PCOS machine / installed in the CCS
Safeguard: Program Integrity Verifier
How can we know that the approved source code is installed?

Program Integrity Verification
• The hash (a single fixed-length numerical value computed from the whole program) verifies that the approved program is installed in each PCOS machine / CCS.
• Safeguard
  • Comelec should subject the approved program to a hash verifier function.
  • Provide the BEIs, political parties and poll watchers the hash value.
  • On election day, the hash value of the program installed in each PCOS machine should be printed during the initialization stage.
  • If the values differ from the hash value of the approved program, the wrong program was installed in the machine.
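The check the slide describes, as an added example (not the briefing's or Smartmatic's code): hash the approved program once, publish the digest to the BEIs, parties and watchers, and on election day compare the digest of what is actually installed against it. The program image is a constructed byte string standing in for the real build, and SHA-256 is an assumed choice of hash; the briefing does not name the function. One caveat a practitioner would add: a hash printed by the machine itself is only as trustworthy as the code doing the printing, so the comparison below is the part an observer can do, while getting an honest digest of the installed image needs a read-out the machine's own software cannot fake.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// approvedProgram stands in for the reviewed-and-approved PCOS program image.
// Constructed data for this example, not the real SAES 1800 software.
var approvedProgram = []byte("SAES-1800 PCOS program, approved build (constructed stand-in)")

// ProgramHash is the "one line of numerical value" the briefing refers to:
// the SHA-256 digest of the entire program image, printed as lowercase hex.
func ProgramHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// VerifyProgram compares the digest of what is actually installed against the
// published digest of the approved program. A single differing bit anywhere in
// the image changes the digest, so any mismatch means a different program.
func VerifyProgram(installed []byte, publishedHash string) bool {
	got := ProgramHash(installed)
	return subtle.ConstantTimeCompare([]byte(got), []byte(publishedHash)) == 1
}

// TamperedCopy returns the image with one byte flipped, modelling a program
// that differs from the approved build by the smallest possible change.
func TamperedCopy(image []byte) []byte {
	t := append([]byte(nil), image...)
	t[len(t)/2] ^= 0x01
	return t
}

func main() {
	published := ProgramHash(approvedProgram) // what Comelec would hand to BEIs, parties and watchers
	fmt.Println("published hash of approved program:", published)
	fmt.Println("genuine install verifies:  ", VerifyProgram(approvedProgram, published))
	fmt.Println("tampered install verifies: ", VerifyProgram(TamperedCopy(approvedProgram), published))
}
```

Poll watchers compare the 64 hex characters on the initialization printout with the published value; the constant-time comparison is habit rather than necessity here, since the digest is public.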
Protection of Transmitted Data
Immutability of Precinct Data

RA 9369
• Section 22, Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."

4. Counting, Consolidation and Generation of ER
• 4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER.
• 4.5 The BEI shall digitally sign and encrypt the internal copy of the ER.
Digital Signature / Secret Key
• A summary (hash value) of the ER, encrypted using the BEI's secret (private) key.
• The digital signature serves two purposes:
  • It identifies the BEI personnel who signed the precinct ER.
  • It ensures that the precinct ER is not modified in any way by dagdag-bawas (adding votes to one candidate and subtracting from another).

What Happens If Another Person Knows the Teacher's Secret Key?
• The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER again with the BEI's secret key.
• Only a person who has possession of the BEI's secret key can re-sign the ER.
• Any person who has possession of a majority of the BEIs' secret keys can control the results of the 2010 election.
The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.

SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS
• In Smartmatic's financial proposal, Item 1.2.1.4 consists of 246,600 sets of 2048-bit private/public key pairs for BEIs (3 per PCOS) at a cost of PHP 0.00. The BEIs will be anonymous (not known by name), so that any teacher can sign in any BEI position.
• This can only mean that Smartmatic itself will generate the key pairs, and so Smartmatic will have all the private keys.
Safeguards
• Comelec should ensure that the secret key of the teacher is known only by the teacher.
• The ER and its digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.
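The two slides above (what the signature is, and what happens when someone else holds the teacher's secret key) together with the key-custody point about Smartmatic generating the pairs, as one added example that is not the briefing's, Smartmatic's or Comelec's code. A BEI key pair signs a constructed precinct ER; altering the ER without the key breaks verification, which is the "not modified by dagdag-bawas" guarantee; then the same altered ER is re-signed with the same private key and verifies exactly like the genuine one, which is the reason the key must be known only to the teacher. Ed25519 is used because it ships in Go's standard library; the briefing says the procured keys are 2048-bit RSA pairs, and the precinct number, candidate names and vote counts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ER is a constructed, simplified precinct election return.
type ER struct {
	Precinct string         `json:"precinct"`
	Votes    map[string]int `json:"votes"`
}

// Canonical serialises the ER deterministically (encoding/json sorts map keys),
// so signer and verifier hash exactly the same bytes.
func (er ER) Canonical() ([]byte, error) {
	return json.Marshal(er)
}

// SignER produces the "encrypted hash" the briefing describes: the SHA-256
// digest of the ER, signed with the BEI member's private key.
func SignER(er ER, priv ed25519.PrivateKey) ([]byte, error) {
	data, err := er.Canonical()
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(data)
	return ed25519.Sign(priv, digest[:]), nil
}

// VerifyER checks the signature on an ER against the BEI member's public key.
func VerifyER(er ER, sig []byte, pub ed25519.PublicKey) bool {
	data, err := er.Canonical()
	if err != nil {
		return false
	}
	digest := sha256.Sum256(data)
	return ed25519.Verify(pub, digest[:], sig)
}

// DagdagBawas returns a copy of the ER with n votes moved from one candidate
// to another (dagdag = add, bawas = subtract). The original is left untouched.
func DagdagBawas(er ER, from, to string, n int) ER {
	votes := make(map[string]int, len(er.Votes))
	for k, v := range er.Votes {
		votes[k] = v
	}
	votes[from] -= n
	votes[to] += n
	return ER{Precinct: er.Precinct, Votes: votes}
}

// Outcome records the three checks the scenario walks through.
type Outcome struct {
	GenuineVerifies  bool // untouched ER, original signature
	TamperedVerifies bool // altered ER, original signature (false: tampering detected)
	ResignedVerifies bool // altered ER, re-signed with the BEI's own key (true: indistinguishable)
}

// Scenario runs the attack described in the briefing.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	original := ER{Precinct: "0001A", Votes: map[string]int{"Candidate X": 120, "Candidate Y": 80}}
	sig, err := SignER(original, priv)
	if err != nil {
		return Outcome{}, err
	}
	tampered := DagdagBawas(original, "Candidate X", "Candidate Y", 50)

	// Anyone else who knows the BEI's secret key (for instance whoever generated
	// it) simply signs the altered ER again; the verifier cannot tell the difference.
	forgedSig, err := SignER(tampered, priv)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		GenuineVerifies:  VerifyER(original, sig, pub),
		TamperedVerifies: VerifyER(tampered, sig, pub),
		ResignedVerifies: VerifyER(tampered, forgedSig, pub),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The third result is the whole argument of the slide: a signature proves possession of the private key, not the identity of the teacher, so a key generated and retained by a third party proves nothing about who produced the ER.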
System Administration
He Who Controls Technology, Controls the Votes

System Administration
• The root user / system administrator or "super user"
  • A human who can issue any command available on the computer, normally to do system maintenance or to recover from failure.
• The root user can edit the precinct ERs if he has access to the secret keys, and thereby change the election results.

Safeguards
• Comelec should take enough precautions that a root user is not needed to manually interfere with the election programs.
• In case of a breakdown, the root user's activities should all be properly logged in publicly displayed audit and log files in real time, to be scrutinized by poll watchers.
• The root user must not be allowed to log in from a remote / different location.
What will happen if these issues are not addressed?
• Unless these issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to computerized cheating or failure of elections.
HOW YOU CAN HELP
Area: Source Code Review
  Tasks: System administration; keys and cryptography; data communications and processing; event handling
Area: IT Research
  Tasks: Related literature and technology; Geographical Information System research; encoding
Area: Website Development
  Tasks: Content management
Area: Media and Publicity
  Tasks: Multimedia content production and
CenPEG
Center for People Empowerment in Governance (www.cenpeg.org)
Automated Election System (AES) 2010 Policy Study (www.aes2010.net)
(A Project in Election Reform)
Office of the Dean, UP College of Law
3/F, College of Social Work and Community Development Bldg., University of the Philippines, Diliman, Quezon City, Philippines
Telefax: +632-9299526; email: [email protected]; [email protected]; website: http://www.cenpeg.org
BOARD OF DIRECTORS: Dr. Bienvenido Lumbera, Chair; Dr. Temario Rivera, Vice-Chair; Prof. Luis V. Teodoro; Dr. Eleanor Jara; Bishop Gabriel Garol; Atty. Cleto Villacorta; Ms. Evi-Ta Jimenez; Dr. Edgardo Clemente; Prof. Roland Simbulan; Prof. Bobby Tuazon; Dr. Felix Muga II
BRIEFING
Philippine Automated Election System (AES) 2010: Modernizing Democracy or Modernizing Cheating?

4 – 5 – 6: Major Issues in the Automated Election System (AES)
• 4 major legal issues
• 5 major technical issues
• 6 major management issues

Legal issues
• Undue delegation of legislative power
• Foreign ownership / control
• Generally, intolerable technical flaws
• Violation of statutory provisions

Technical issues
• Source code (PCOS & CCS integrity)
• Program integrity verification
• Voter's choice verifiability
• Protection of transmitted data – digital signature
• Root user / system administrator

Management issues
• Choice of technology
• Competence (Comelec & CAC)
• Procurement / bidding
• Geographic Information System (GIS)
• IRR & adjudication process
• Comelec's constitutional mandate
IS COMELEC READY for AES2010?
MANAGEMENT ISSUES
August 13, 2009

THIS PRESENTATION
• Choice of technology
• Management competence
• Procurement/bidding
• Geographic Information System (GIS)
• IRR & adjudication process
• Comelec's constitutional mandate
• Note: Comelec's AES is the single biggest fully automated election project worldwide.

1. Choice of technology
• Failure to consult the Filipino IT community
• Need to revisit RA 9369 (Sec. 37: as "technology evolves" and "suitable to local conditions")
• PCOS-OMR system: does not enhance "secret voting, public counting" (transparency); limits voter's rights
• Smartmatic-TIM's P7.2-billion technology is cheap but sub-standard
• Section 7.3, p. 30 of the RFP states: "The ownership of the Analysis, Design, and executable programs of all the application developed should be given to COMELEC at no additional cost." What is COMELEC paying for?!