The recent national elections are generally thought to have turned out well, compared to the two previous elections, but common failings have surfaced, among them:
1) mismatched results;
2) candidates’ names missing or the other side of the coin, voters’ lists unexpurgated;
3) vote counting machines (VCMs) in undisclosed areas, with about 2,500 of them failing to function altogether, disenfranchising some 1.5 million voters;
4) discrepancies between voters’ intent and the VVPAT receipts;
5) aggregate sums of select candidates go down as counting went on, when at worst these should remain steady;
6) questionable transmissions due to the physical handling of all 92,509 SD cards from the VCMs to the canvassing centers;
6) signals non-existent or weak in some places, etc.
But to my mind, the most serious failing of the 2016 elections is the tampering of the script or command for the transparency servers--without the permission of the Comelec en banc, as provided in R.A. 9369, the Automated Election System (AES) Law. This is the most worrisome of all the recent elections' shortcomings, as it directly challenges their integrity. It means that the system can be hacked from within seemingly without effort or detection.
As a background, feisty Comelec Commissioner Rowena Guanzon gave a stiff dressing down to the chief of Smartmatic’s technical support team, the Venezuelan Marlon Garcia, for making changes in the script or command of the transparency server---without first consulting and informing the Commissioners en banc, as the law provides. The transparency server dishes out election results to the PPCRV, the citizen arm charged with election quick-count and cited as primary source by media outfits. But as a result of the unauthorized change of script or command, now the PPCRV’s data are held suspect in some quarters as favoring one party over another. This is particularly true in the tight vice-presidential race.
Marlon Garcia, when questioned, gave the lame excuse that he wanted merely to correct the lack of proper use of the “enye” sign in the names of certain candidates, which had appeared only as ?. Was that all that Garcia did with the Transparency server? Peks man?
Commissioner Guanzon, however, was rightly cynical and termed Garcia's act a breach of protocol. She stressed that he should be made liable to Comelec and the people of the Philippines, as he took too much liberty with our election laws.
An alert FB reader notes that it's strange for the Venezuelan officials of Smartmatic, who designed the electoral system, to overlook the proper “enye” sign, considering that it's very much in the Spanish language. Comelec Chair Andres Bautista quickly termed this breach controversy a “minor” one that would not affect the outcome of the elections, but to Guanzon, Garcia should answer to the en banc for this outright violation of the law.
Even before Guanzon denounced Garcia's tampering, Filipino IT experts already raised the alarm last Wednesday, May 11, at a press conference at their command center at the Pamantasan ng Lunsod ng Maynila. They deplored that the software that counted our votes was designed and operated not by us Filipinos, but by the foreign company which should already have been held accountable for many glitches in THREE PRIOR ELECTIONS, namely, the 2008 ARMM elections, and the 2010 and 2013 elections. The IT experts now challenged the incoming Duterte administration “to BEGIN real reforms of the election system, holding accountable those who perennially make poll automation an exercise in speed and convenience, over transparency, accountability, security and accuracy.”
But just as important, the Filipino IT experts demanded that all the Smartmatic officials be placed under a departure hold-order, and that the country be done with this foreign firm for good. I cannot agree more.
The question in many minds is, in changing the script or command order, was Marlon Garcia behaving innocently or was he in cahoots with syndicates known to be operating from within? This same Smartmatic official has been involved in other controversies in past Philippine elections, e.g., in 2013, when an intermediary server suddenly sprouted between the PPCRV and the transparency server that dished out data directly from Comelec. No one seems to have known about this mysterious server until an alert bunch of IT folks discovered it and traced it to Garcia. Yet he went unscathed, only to figure in a new controversy this time.
Sadly these recent happenings within the Comelec only serve to further erode the credibility of the elections.
I reproduce here the opinions of a couple of IT experts, in the hope that they would help enlighten you readers on this new controversy stirred up by the Smartmatic official.
Manila Times Columnist Rene Azurin puts the problem about Garcia’s move succinctly thus:
“The main point about this script change is being totally missed. The point here is that A SMARTMATIC PERSON HAS ACCESS TO THE SERVER PROGRAM WHILE CANVASSING IS GOING ON. This is a security flaw and should not have been the case!” (emphasis BOC's). Azurin stresses that “If this Smartmatic person can change that one character, he can change other things as well.”
On the other hand, IT expert Leo Querubin puts the move of Smartmatic’s Garcia in the context of Sec. 35 of R.A. 9369. amending Sec. 29. R.A. 8436, as follows:
“Sec. 35. Prohibited Acts and Penalties. - The following shall be penalized as provided in this Act, WHETHER OR NOT SAID ACTS AFFECT THE ELECTORAL PROCESS OR RESULTS:
(c) GAINING or causing access to using, ALTERING, destroying or disclosing any computer data, program, system software, network, or any computer-related devices, facilities, hardware or equipment, whether classified or declassified…” A further provision of RA 9369 provides that “Any person convicted for violation of this Act, except those convicted of the crime of electoral sabotage, shall be penalized with imprisonment of eight years and one day to twelve (12) without possibility of parole, and perpetual disqualification to hold public office and deprivation of the right of suffrage. Moreover, the offender shall be perpetually disqualified to hold any non-elective public office."
IT professor and practitioner Edmundo “Toti” Casino, on the other hand, cites SEC. 42. Section 27 (b) of Republic Act No. 6646 as hereby amended, to read as follows :
"The act or offense committed shall fall under the category of electoral sabotage in any of the following instances;
"(1) When the tampering, increase and/or decrease of votes perpetrated or the refusal to credit the correct votes or to deduct tampered votes, is/are committed in the election of a national elective office which is voted upon nationwide and the tampering, increase and/or decrease of votes, refusal to credit the correct votes or to deduct tampered votes, shall adversely affect the results of the election to the said national office to the extent that losing candidate/s is /are made to appear the winner/s;
"(2) Regardless of the elective office involved, when the tampering, increase and/or decrease of votes committed or the refusal to credit the correct votes or to deduct tampered votes perpetrated, is accomplished in a single election document or in the transposition of the figure/results from one election document to another and involved in the said tampering increase and/or decrease or refusal to credit correct votes or deduct tampered votes exceed five thousand (5,000) votes, and that the same adversely affects the true results of the election ;
"(3) Any and all other forms or tampering increase/s and/or decrease/s of votes perpetuated or in cases of refusal to credit the correct votes or deduct the tampered votes, where the total votes involved exceed ten thousand (10,000) votes; ..Provided finally; That any and all either persons or individuals determined to be in conspiracy or in connivance with the members of the BEIs or BOCs involved, shall be meted the same penalty of life imprisonment."
Former Comelec IT Chief Ernie del Rosario also weighed in on this fraudulent practice of Smartmatic's Marlon Garcia:
"The specific PM component missing here is that of Change Control which serves as a strict control of ALL changes to be effected in the system, no matter how minor, inconsequential or as the Chairman says, "cosmetic" the change is. This controversial change that was applied MUST be effected ONLY if there is a duly signed Change Request document duly-approved and signed by a Change Control Board.
"Simply, a Change Request document is a formal request that defines a change or addition to the agreed to and signed off requirements of the solution. This can be in the form of an interface, a bolt-on application, a report, a data conversion, or a modification to a system such as an addition of even a one-word or one-letter (such an "n" to an "enye") or one number or one special character script to a program. All change requests are submitted to the Change Control Board, which evaluates all requests.
"To resolve this issue what PPCRV or Comelec or Smartmatic should produce is the specific approved Change Request document that allowed the script addition change. Where is it ? This is a multi-billion peso project and as mentioned above a mission-critical system and there seems to be no such project management system in place ? OMG !!!
"A similar thing happened in 2013 where a Smartmatic personnel also did something in the Conspiracy (Oops ! Transparency pala) Server. This was documented in several media videos. We lodged a formal complaint on this to the Supreme Court which must be resurrected and high-lighted again this time that we indeed delegated the conduct of our elections to foreigners. As usual the SC has not acted on the complaint until now."
Among the numerous deficiencies in the conduct of the two prior automated elections, these very similar incidents are worth bearing in mind:
(1) In 2010, a Smartmatic technician cavalierly accessed the canvassing program to change the number of voters after the tally showed an erroneous 256 million as the total number of registered voters; and
(2) In 2013, a Smartmatic technician accessed the canvassing server to correct a script that produced an astonishing 12-million vote surge barely two hours into the canvassing. (Uncorrected, that surge would have produced an aggregate vote far exceeding the total number of registered voters.)
These incidents indicate major flaws in the Smartmatic system that our Commission on Elections has been so bent on foisting on the Filipino people.
This now puts the entire canvassing process in serious doubt. The integrity of the automated results can now be reasonably questioned.
- RENÉ AZURIN, Author, Hacking Our Democracy, and Convener, AES Watch