Saturday, July 15, 2006

"To Hell with the Law, Crime Pays!"

lattering the coup plotters of 2001, whose victory gave him his present job, the Secretary of Justice Raul M. Gonzalez, proclaims that any victorious coup d'etat is patriotic while defeated ones are criminal. Yet, has he not demeaned the entire Justice System as moot and academic? Does not Sec. Gonzalez enliven evil hope of success in criminal minds? I think principled and reasonable citizens will come to conclude that either both or neither of Angelo Reyes and Danilo Lim are guilty of one and the same crime: mutiny, and in one case it did not even come to that, but was contemplated or proposed mutiny, a call to mutiny which Senga considered for two hours. But if legitimacy comes from sheer victory in such a weighty matter as Regime Change, no matter what the means employed, what for do we need the Rule of Law when the good Mr. Justice Secretary proclaims it: To hell with the Law, CRIME PAYS!

Speaking of which, Archbishop Angel Lagdameo, chairman of the Catholic Bishops Conference of the Philippines, writes in his blog yesterday --
On the question of envelopes or gifts allegedly being distributed and of dinners offered by Malacañang to some bishops, since these were privately done, there was no consensus among the bishops whether to accept or not, whether to go for the dinner or not. Each bishop was completely free.

Truth to tell, the bishops did not have any knowledge of the alleged plan of Malacañang to use these gifts or envelops for political ends. It was only later that they realized the implication of the offer. Some, we know, returned their envelopes.

The bishops were told that the envelopes were for the poor. But how must the poor be help institutionally? On the one hand, bishops with the limited resources of their dioceses are already trying to respond to the needs of the poor, v.g., through their social action programs. On the other hand, must not the government use better its powerful institutions to help the poor? If the powerful institutions are not effective and efficient in the work of poverty alleviation, the question that must be asked is “WHY?” But must it be channeled to the bishops at this time?
Right on. This proves Lagdameo has read and understood Deus Caritas Est, and therefore knows the true meaning of the Separation of Church and State! The sad reality however is this: whatever "charity" the Church gives out to the poor is primarily the charity the Church itself receives from the rich. And one thing the rich and powerful in this country have long understood and exploited is the fact that the poor -- both shepherds and sheep -- need them to survive!

RAUL PANGALANGAN (A Passion for Reason) has a ringing condemnation of the descent of society and the Law:
So has Arroyo’s Strong Republic become Gunnar Myrdal’s Soft State, where “breaking rules and flouting laws is a cultural norm”? No, this government is perfectly capable of being strong when it comes to its enemies. The problem is when it comes to its friends. It can get an entire government -- and a dulled public -- to look the other way. It can finagle reprieves from the courts at will, citing neat technicalities that befuddle common sense. It’s like that Monty Python comic skit showing security police at a checkpoint, searching every crevice of a car with flashlights and sticks, while on the roof rack there is a giant box labeled TNT, with a lighted fuse and connected to an old-fashioned alarm clock loudly ticking away.

Filipino lawyers spend four years in college, another four years in that psychological boot camp called law school, and another year preparing for that booby-trapped ordeal known as the bar exams. All that, in exaltation of a rule of law that has increasingly become fiction. By today, the mighty gods of the bar must confess that they have begun to resemble what the legal philosopher Roberto Unger calls “high priests who have lost their faith but kept their jobs.”

Given the present dispensation, Filipinos will have to do it the hard way -- they have to elect better leaders. But on the matter of electoral reform Filipinos also have to do it the smart way...
The next part of this post is inspired by the continuing labors and comments of Postigo Luna (Comelec Ako)...

TRUST BUT VERIFY: Many people who have bank accounts access them almost entirely through Automated Teller Machines (ATM) scattered all over the country at least for routine transactions. Except for the truly paranoid, hardly anybody worries about their money being stolen by the bank clerk, or lost in the machine or intentionally miscalculated by the bank owners.

But ask, why do we trust the automated teller machine system at all? Is it simply because we are dealing with an adding machine that can't make a mistake? Surely not, for we all know human hands eventually handle ATM transactions inside the bank, usually after office hours. So why don't we give it a second thought and implicitly trust the ATM system, indeed the whole impersonal banking system, to keep our financial transactions secure and accurate? Is it because the banking business is run by honest men, like the Comelec? I don't think so.

I think it lies in the fact of VERIFIABILITY. For example, suppose I have P1,000 in my checking account and I deposit P500 into an ATM in Makati. Now, if I fly off to Cebu and there find another ATM in my bank's network, I can pop my card in and discover from my Account Balance that indeed I now have P1,500 in that account and could in fact withdraw it all then and there. I can perform such a verification 24/7 from almost anywhere in the world. In effect the bank is telling the world: look this guy has P1,500 in our vaults. This simple ability to verify what the bank says I have in my account keeps the bank honest and me happy. Indeed, it is with marketing pride that banks crow about the security and reliability of their banking transactions, even if we know there has to be about as many dishonest people there as any other human endeavor. It keeps customers honest too, the fact that whenever you step up to an ATM your entire transaction is captured on security cameras and therefore represent another layer of verifiability about the transaction. Indeed, throughout the banking and financial systems, it is not the inherent honesty of people that the systems are designed around. In fact most security systems assume people's potential for dishonesty! So much so that the system designs have evolved towards thwarting all possible attempts at cheating the system--even by the system designers or bank owners themselves. The goal of all such system design to is to make it largely impossible to cheat the system without getting caught and punished. That is the only way the banking industry has won the trust and confidence of the banking public.

The exact opposite is true of course for our Commission on Elections and whole bankrupt election system of the Philippines. But I think the problems, and therefore the solutions, are very similar: How do we count our money in one case, and how we count our votes in the other.

DESIGNING VERIFIABILITY INTO THE ELECTORAL SYSTEM

Consider the present Philippine election system. Some 50 million voters cast ballots at more than 250,000 voting precincts. Then a multistage canvassing process takes over that brings precinct results into municipal canvasses, and municipal results up to provincial canvassing, and from there onto yet a third stage of handling and processing in the Congress. All the while, the multifarious agents of the Commission on Elections handle the various certificates of canvass, and precinct results, and transmit them to and from the various stages of canvassing.

Now it is generally conceded that in general the counting of precinct level votes accurately reflects the true will of its registered voters. Perhaps that is because it is only at that level the voter vigilance is effective. It is in the higher stages of canvass that all kinds of shenanigans like "dagdag bawas" (addition and subtraction) largely occur. But if I am a lonely voter in Precinct #123456, and with my neighbors knew what our votes were in the election, there would be no way for me to easily verify that those results are reflected in the municipal or provincial or congressional tallies. It would simply be impossible under the current system.

I think that PRECINCT LEVEL VERIFIABILITY should be a system specification of a new election system:

During the period of election polling and canvassing, and as a matter of public record thereafter, the public shall have real-time access to the number of votes cast for each candidate as reported to the Commission on Elections by each precinct.

Such a specification does not imply or necessitate automation, but is a mere functional requirement on the kind of system that the public would mandate the Comelec to use, by law. The present Election Modernization Act, RA 8436, upon which the ill-fated MegaPacific consortium automatic counting system was based, is seriously flawed in that it is not technology-neutral. In fact it naively requires the use of a specific technology, optical mark reading technology, in order to accomplish automated counting of the ballots.

In other words, the suggested VERIFIABILITY spec can and should implemented by Comelec for the 2007 elections. It can be accomplished with no automation systems in place at all. We would merely require of Comelec the realtime publication of precinct level results in newspapers and on the World Wide Web. So that individual voters can check for themselves how their votes are being tallied. In one sense, the entire election exercise is a giant exercise in the ADDITION together of 250,000 ADDENDS, one for each national candidate, each representing the tally of votes from each precinct.

The whole system will be a lot more "trustworthy" if that process is transparent to the public and the results can be directly verified BEFORE the final tally is announced.

31 comments:

Jon Mariano said...

One of the things you need to factor in is the choice of the voter whether he wants others (even in precinct level) to know whom he voted for.

The reason being we don't want voters to be coerced or whatever to vote for anybody. "Alam ko kung sino iboboto mo. Patay ka pag hindi mo binoto si Mayor Suhol!". Or "Alam ko kung sino ibinoto mo, bakit hindi ako? Binayaran kita ah!".

It throws a wrench in your theory of verifiability, but it's a valid point.

Anonymous said...

With our kind of violent political tradition ,the kind of verifiability Jon has in mind is still scary.

I believe it is only in the counting that the automation should be implemented... with out being so transparent as to reveal the names of the voters and whom they voted for.

PS.

Thanks DJB on your input on Ricky's blog,because unconsciously I might still think that the church is the sole authority on morality.

Trip Atomic said...

djb,

"During the period of election polling and canvassing, and as a matter of public record thereafter, the public shall have real-time access to the number of votes cast for each candidate as reported to the Commission on Elections by each precinct. Such a specification does not imply or necessitate automation, but is a mere functional requirement on the kind of system that the public would mandate the Comelec to use, by law."

This would be good, dean, but without automation - almost impossible to pull off.

Real-time reporting sounds sexy, but operationally, that means you should have a means of instantaneously transmitting election results from the thousands of precincts all over the country to a central point that will post those results on the web. This gives you several problems.

first: there is no such transmission system. the law doesn't allow it? i mentioned this in my last comment. I hope you saw it. SMS? unreliable. Look at what happened to Namfrel's quick count.

second: how do you "digitize" election results (for electronic transmission) credibly? automation would do this easily, but without automation, this step would involve people punching buttons on computers. people make mistakes and are susceptible to coercion etc. if we relied on people to perform this step, we will end up with more challenges than ever before.

third: assuming that no automation is involved, the only way to do this would be to allow the COMELEC to receive reports from the various counting centers via telephony, or via remote TV broadcast, as to the results obtained in each precinct. Once the report is received by the COMELEC Election Center in Manila, it can be posted on the web.
This is how they do it in Indonesia (I think). But again, this will almost certainly give rise to so many challenges from candidates that just handling those challenges might actually slow the canvassing process down instead of speeding it up. Just off the top of my head, some of those challenges could easily involve allegations of trending, and refusal to accept broadcast reports as a basis for further official canvassing (lawyers do so love paper!).

fourth: and most prosaically, there is the concern that the precinct level results being reported may not have been arrived at accurately at the first instance. There are challenges at the precinct level, such as those involving the appreciation of ballots or even mathematical errors made by the BEI (not the COMELEC) in adding up the tallies, that are resolved only at the municipal canvassing level. This means you can predictably expect some false-positives from the precinct. So, when false-positives are eventually discovered in the broadcast results, you open the entire system to more challenges of trending or of conditioning the public mind to accept as inevitable the victory of candidate X. To avoid this problem, new procedures will have to be crafted to provide for the elimination of false-positives at the precinct level.

I agree that verifiability is critical to the credibility of elections. It's just that, ensuring verifiability isn't as simple without automation as it could be with automation. Nevertheless, this is something that the COMELEC is already studying very carefully, to ensure that a workable reporting system can be put in place for 2007.

jon and karl, of course individual votes won't be announced.

Deany Bocobo said...

Postigo,
Interesting realities you bring up. But the reason I like trying to think of it "without automation" first is to get at just exactly what it is we want to accomplish under a new design, before we bring the computers and cellphones into the picture to lock everything down and speed everything up.

So let me respond to your points in turn.

first, i am assuming that what we are trying to do here is to develop a design that will be embodied in a new election modernization law that can be passed at any time up until the next elections which would implement the new design and help ensure a credible election. So, yes of course we will use automation, but first, what really is it we would automate and why. I think on the matter of verifiability and my suggestions for precinct level results being available to the public, by "realtime" I only meant at any time after the Comelec claims to have received official results from a given precinct. And even if it takes say a week for such results to arrive at Comelec because of the manual system we are using, nevertheless the verifiability principle would require that if Juan de la Cruz from that precinct wants to see the claimed ADDENDS from his precinct, then Comelec should produce it. So at whatever time the Comelec does receive a precinct result, it would not even be unreasonable today to demand of Comelec that it POST on the Web such results, even if unofficial. This involves posting 250,000 numbers times the number of national candidates, etc...several million numbers, but that is not really a technical problem.

secondon guaranteeing data accuracy without automation...my idea is that since the citizens at each precinct can verify what their Comelec elections officer has reported to Comelec, that will cause them to avoid clerical errors and the Garcis cruising the boondocks. The whole idea behind verifiability is that whatever hoops the data jumps through to get to the place in the giant adding machine at Comelec HQ, it will be obvious to the vigilant. With automation, we might get rid of the clerical errors and speed things up a lot, but without verifiability, even such a speedy system might be dangerous to integrity. So it is okay for us to rely on human hands handling the data during transmission, as long as the voters can check to see if it was done right. Now I admit how challenges and corrections are made becomes a problem. Maybe they have to beat up the elections officer.

thirdIt happens in every district does it not, that the tally of votes is put up on a blackboard? I think such tally should be photographed both by citizens and the Comelec and included as proof of the result along with the election returns and ballots.
As for trending, that comes with the territory. As the technology advances, we must expect greater access by people to info,not less, so that is a matter that will work itself out in the long run, as people become more sophisticated and go through a couple of elections in which yeah the trends might be there. As for legal challenges, how is it done now? All that should occur before transmission?

fourthThe point about precinct level errors being resolved at municipal level is not a real problem, because the level to which the data is transmitted for canvass is always the apt place for doing such resolution. Now that level is the municipal level, but since I want to eliminate the multistage canvass, that means such resolution must occurs at the national level. So what? That's okay because the Comelec can still utilize all its existing muncipal and provincial personnel to do such checking, but all at one level of canvass, instead of 3 or 4 or more!

Thanks for indulging this lil discussion on "verifiability."

So far we haven't really talked about technology or automation. But I do have some ideas there for getting this done in a way that an HONEST Comelec would be nice, but is neither necessary nor sufficient any more for a credible election.

cvj said...

jon, i don't think djb is suggesting doing away with the secret ballot, only to have to precinct level totals transmitted and verified by as many eyeballs by displaying these over the world wide web.

djb, i would speculate that the 'optical mark reading' specification of MegaPacific is there for a reason, unfortunately, it is most likely not a valid technical one. (Postigo, you can correct me if i'm wrong.) Ever since the 'Top Web' scandal in the mid-90's, the government IT bidding rules have been changed to a 'two-envelope system' with a 'technical' envelope (in practice, volumes of binders) and an envelope containing the price for delivering the technical solution. The first envelope to be opened is the 'technical' one to see if the competing vendors meet the minimum technical criteria. Any vendor who does not meet the minimum criteria is disqualified and all vendors who meet the criteria move on to the financial portion of the bid where the lowest price is chosen. This is where a feature such as 'optical mark reading' comes in. A technology this specific as part of the technical requirements means that only a few vendors can qualify and would therefore narrow the playing field making it easier for the favored bidder to win. Coming up with unique technical specs is a game IT vendors play when it comes to government bids. Unfortunately, these specs frequently don't have a bearing on the quality of the final solution.

As i mentioned in this comment at mlq3's earlier this year,

http://www.quezon.ph/?p=798#comment-8840

i could only wish that in a matter of such national importance as the national elections, the IT companies and the people behind them would put love of country over profit.

i support your suggestion on making verifiability a key technical spec. having 250,000 results posted on the web requires at least the same number of volunteers. this is real people power in action and it would be a sight to behold.

Trip Atomic said...

djb,

thanks for the quick response, dean. i'm sure your points will make for a very lively discussion around here.

a few observations:

what really is it we would automate and why - i cannot agree with you more. we do need to make sure that we aren't automating simply for the sake of automating. that would be irretrievably stupid. verifiability (altho we don't call it that) is, in fact, a feature we have been trying to build into the system. we just didn't get a chance to show the public in 2004.

So it is okay for us to rely on human hands handling the data during transmission, as long as the voters can check to see if it was done right. - one of my pet projects, this: to get citizens to exercise vigilance. to help it along, we're working on setting up projectors in canvassing centers so that in every center, there is a running total up on a screen that everyone can see. can't afford it per counting center yet, tho.

I think such tally should be photographed both by citizens and the Comelec - no quibble from me here.

one level of canvass, instead of 3 or 4 or more! - this is one of the things we are lobbying for. pre-cory, we didn't have so many canvassing levels. this made it easier for political parties to field watchers and really maintain vigilance. this multi-level canvassing was actually instituted during the senatorial elections in cory's time. the scuttlebut is that the architect was a certain dour-faced senator, and the purpose was to facilitate the victory of the cory slate. i mean that slate had names there that no one knew from adam, but still they won. Only erap survived. ah, but you know how rumors are ... still, rumor or not, the truth is that multi-level canvassing does make cheating easier because - if nothing else - they become harder to watch over; harder to watch over equals easier to manipulate results. so, like I said, our lobbying to return to the single-stage canvassing succeeds. And soon.

cvj,

RA 8436 specifies that only machines that use OMR can be used for the automated election system. it isn't a standard or a minimum criteria per se but a specific kind of tech. This was put in place upon the recommendation of the Monsod COMELEC, based on the recommendation of a study conducted by an international expert under the auspices of IFES and UNDP.

Now, that tech may have been hot back then, but today, tech has gotten smaller and more compact - more ideal for the Philippine geography - as opposed to OMRs that have still remained bulky affairs.

Parenthetically, Cong. TeddyBoy Locsin called RA8436 a shopping list because it practically identified the one machine that could meet all those qualifications.

juanm, moral recovery is absolutely essential, but that is a long-term solution. we all agree it is necessary , and the comelec should do everything it can to make it happen, but pragmatism is also a very strong incentive to discuss more practical solutions.

The thing about anomalies, on the other hand, is this: people who commit anomalies normally don't blab about it. Those who know about it are usually on the take themselves, and so wouldn't blab about it either. So, if you believe that Garci was such a master of fraud, then you probably shouldn't hold your breath waiting for a whistleblower. I doubt that he would have been that careless.

The better solution is to increase transparency. That way, there are fewer dark corners to do monkey-business in; and the glare of public scrutiny will be an even greater deterrent.

Dean, thanks for all this space. :)

Trip Atomic said...

BTW, dean. I hope you don't mind if i take you up on your "donation to the public domain" and reproduce the verifiability portion of your post on my site. some comelec wonks read it but they're not too keen on following links (probably don't know how the damned things work), and i really want your thoughts to percolate through here. thanks.

Unknown said...

Hi Dean,

Great post you got there. Read it en totto then went off to read PDI - stumbled on pilferin' logopedist of Solita Monsond whose column's title caught my eye (or my ire): "An attempted coup, nothing else"

And she asks, "WITHDRAWAL of support -- is that a crime?"

Then she goes on with the most ridiculous conclusionn, "Yes, say the administration spokespersons. No, say the opposition. And the discussions are entertaining -- except that they have diverted our people’s attention from the real issue: that what happened was an attempted coup d’état. That it failed, we should be thankful for. So let us not waste any more of our time and energy (not to mention newspaper and TV space) discussing whether withdrawal of support is a crime or not. In the present case, it is being used as a euphemism for an attempted coup -- and that is definitely a crime."

Gobsmacking in the extreme! Extraordinarily pretentious of Monsod to write about something of which she has no inkling.

Anyway, I've come back to your own column here to put this comment. I realize my own comment may be a bit off topic here but since you you yourself firmly RE-CALIBRATED the brouhaha re Lim's act of attempted mutiny, I thought, well, I should "dump" my own GET REAL, SOLITA MONSOD!" spiel here, and hope you don't mind.

Monsod is out of her depth.

I thought she's mastered the English language well enough to understand that the word ATTEMPTED is an adjective in the past participle form which means TO TRY or TRIED past participle) and if the word "attempted" precedes a noun phrase, i.e., ACT OF SEIZING THE STATE BY SUDDEN FORCE or more aptly, STEALTH SEIZURE OF THE STATE BY FORCE (which in technical military term is COUP D'ETAT), the whole term implies that the act of seizing the state by sudden force or the stealth seizure of the state by force had ACTUALLY, REALISTICALLY BEGUN = made to seizure of the state by force was attempted.

To my knowledge NO ACT TO SEIZE THE STATE BY SUDDEN FORCE occured, so how could there been an attempt?

There was a timid attempt to start an attempt at best but even that attempted start was pre-empted - there was absolutely no movement of troops nor seizure of any property remotely belonging to the state that it is absolutely absurd of Solita Monsod to say so - in bold letters to boot.

She's tackling an issue of which she clearly has not an iota of clue. Well, either that or she's ATTEMPTING to SHOW OFF!

Solita Monsod is a pretentious person. She might be good at arithmetic and statistics but she shouldn't venture in areas for which her percentages don't work.

By writing about an attempted coup d'état in blithe ignorance, Monsod has become a Gloria mouthpiece once again.

What a ridiculous persona - one day she's pro Gloria, the next day she kicks her in the teeth and before you know it, she's into one of her stupid, pretentious gimmicks again as if she is on an eternal parlay with Malacanang.

I don't care if she makes a fool of herself but that she should write her "fooleries" in a mass circulated broadsheet which foreign media can pick up makes it just more horrific and disastrous for disaster-prone Philippines.

Her silly assertion is doing the country no favor.

The West doesn't like coup d'états and when they read such stupidity, they think the Philippines is gonna be Myanmar or North Korea pretty soon. And boy, that ain't a compliment!

Anyway, Dean, I believe that she'll get wind of this comment when she reads your blog. (PDI ain't gonna publish my comment. They'll be a teeny weeny bit scared of Monsod to do it. So, hope you don't mind my posting it here.)

She's got to know that she's going ballistics in all directions but she ain't hitting the target - she's simply causing collateral damage. Stupid thing of her to do really!

(I'm all the more irked coz yesterday, in a July 14th cocktail party somewhere here, someone commented to me how lucky Gloria really is to go unscathed after so many coup d'états in the Philippines! I almost stuck my toungue out at the fella for being so friggin ignoramus but caught myself and said instead, "There never was a coup d'état - Gloria and media are just hyping about coups...Philippine military ain't capable of achieving one." The guy said, "Oh, is that so?")

Yeah, mister, that is VERY so! Philippine military ain't got the balls to do anything of the kind. But of course I didn't say that - I wanted to be polite (for once).

Here 's lookin' at you kid!

Deany Bocobo said...

Great comment HB! YOu saved me the trouble of critquing the column of Monsod yesterday. Glad you posted your comments here and it will find itself in a coming post. By the way check out the column of Ramon J. Farolan today on this very issue in the PDI.

Deany Bocobo said...

Postigo Luna,
Abalos claims the AES counting machines from MPC are still with Comelec and COULD be used in a future exercise. But I think the stink around the case may have poisoned those machines forever, even if the law that authorized it may not be amended on time for next year's election. I hope such a modernization law can be developed in time. But the OMR machines ought to be donated to DEPED for use in the automated correction of examination papers! Just so the 1.2 billion is not a total loss.

More regarding verifiability:

ON the issue of "trending" the worst example of this was the release of 2004 SWS exit poll for NCR -- in which they proclaimed GMA the winner and that became the headlines worldwide. Yet at the end of the counting, FPJ had won Manila by a landslide. I confronted SWS and Trends MBL personally about this, after the election, because it was a statistical impossibility, yet they have stood by that dastardly result ever since. In all 12 of the other regions, their exit poll results predicted the eventual Comelec result to within expected margins of error, but not minus eight standard deviations as in NCR! It was very impt to the administration that the headlines one day after the election polling day was that GMA had won the NCR. If not, the rest of the canvass would not have gone so well for the Palace. SWS/Trends MBL have never satisfactorily explained how they not only got the margin of victory wrong in an exit poll, they got the WINNER wrong. That's impossible in the sense that the probability of it happenning honesting was 1 in 10 trillion.

We cannot ban exit polls as they are protected free speech according to the Supreme Court. But damn if I let SWS get away with this again. People should never forget this: SWS WAS USED, willingly or unwillingly in 2004, to commit the despicable crime of trending. I think that Trends MBL was compromised and the admin knew the neighborhoods the exit polls would be conducted in and they CORRUPTED the data that went to SWS. It makes me mad everytime I look at the data and proof of the impossibility of their exit poll result.

I don't think that trending works however in a fully open, public access database. It is only when you have things like SWS with some kind of privileged technology like exit polling.

Publication of precinct level results during the canvassing process (especially if it is taking weeks anyway) can and should be done even manually in newspaper and media and the Web.

Jon Mariano said...

Rizalist, Postigo,

I'm actually thinking that verifiability of the vote if ever included in the system should start in one single voter.

In a paper ballot, the voter knows what he has written. In a fully automated system without paper trail, how will the voter verify that his vote goes to the selected candidates (local, city, provincial, national)?

In an ATM, the account owner verifies his bank statement and he knows that the transactions were his. If not, then he's going to complain, the bank is going to investigate, and if an error is found, the bank can rectify the error.

Vis-a-vis a computerized voting system, how can we do it? I'm sure it can be done, but it's not going to be the same way as the paper ballots are done (not the same stream anyway). And I think that it's going to need a a lot of "trust" to the computer system. Can we sell it to the government and the voters?

The comment I made regarding others/observers knowing whom one voted can happen if you display the live count. (e.g. once you choose a candidate, the tally for a certain candidate is incremented by one).

When I was thinking of a computerized voting process, I thought it was very simple, but factoring in the Garcis of the Philippines, it cannot be so.

My simple idea was actually just:
1. A machine that will give you choices on all positions being contested.
2. The voter selects his choices.
3. A ballot-like paper is printed.
4. Voter verifies the printout and affixes thumb mark in printed paper.
5. Voter drops the printout in ballot box.
6. Summary and tallying is done by the system on all levels (this is where trust is needed).

Deany Bocobo said...

Right on Jon. There are however two levels at which we really need to approach this thing:

first is the "design engineering" level, which deals with overall function and features, mainly about speed and security, but also such factors as SCALABILITY, because remember the population is doubling every 30 years, so systems have to be extensible without changing the basic design.

second is the implementation level, where the "mechanics" become important, such as you outline. But I think the first step has to come first. We have to know what it is we are automating and why. This involves identifying all the threats, present and possible against the integrity fo the system. Then we have to decide how those threats are dealt with systematically. Only when we have a complete idea of threat and response can we get down to specifying how it is to actually be implemented. That way, any system of machines, software, and mechanics can be evaluated against the threat-response scenarios.

I think the concern for single voter identification capability has to do with privacy and the fact that the govt would know how each person votes. That might be dangerous. However, any verfiability scheme will carry some danger like that.

Unknown said...

Dean,

As per your suggestion, I just this instant read General Farolan's column.

I must say that when I saw that picture on the front page of PDI, I was shocked. I showed it to my hubby, a retired senior military officer of Her Majesty's Defence Forces and he was dumbfounded.

My husband's immediate comment was: "That's illegal under the Articles of War". He added, by parading them as criminals wearing prisoners' outfit, the military leadership is inciting the military and civilian populations to judge these officers GUILTY prior to their trial."

My husband who has been panel chairman at several court martials during his military career added, "No government purporting to be democratic has the right, moral or legal to strip a member its Armed Forces of its uniform."

He also said, "They (the AFP) could have demoted them (the erring junior officers) on the spot and deprive them of their weapon but to deprive them of their right to wear their uniform is militarily illegal."

British and French, including US military will be absolutely gobsmacked to see how military officers in the Philippines whose only "crime" to date is that of lese majesté are treated by their own.

I am positive Dean that many military officers around the world will be shocked to see idealistic officers who have not committed any civilian crime should be paraded like common criminals.

Dean, the act of turning those young, junior officers of the AFP into civilian criminals tells you a lot about the UNPROFESSIONALISM in the AFP.

How flabbergasting tos ss before your very eyes how the Armed Forces of the Philippines leadership is developping into Gloria's private army but paid for by taxpayers' money.

Those young kids, junior officers, no matter their crime, particularly if their crime is still to be proven and especially when they haven't been tried in a proper military venue, SHOULD BE ACCORDED THE TREATMENT DUE THEIR RANK and must not be humiliated in such ignoble fashion.

They have all the rights to wear their MILITARY UNIFORM - they deserved it - it is a symbol of their status as members - even if erring - of the nation's armed forces.

YOU WILL NEVER SEE THE U.S. military nor any military in the West treat their members - even if they've committed crimes - paraded in such contemptuous fashion; even mere privates or "grunt, grunts" wear their uniforms till they are brought to their military prison cells.

Did you see US Marines' Private Linda England paraded in civilian prisoner's outfit even after she was indicted following the Abu Ghandang prison abuse? NO!

Esperon is a disgusting militar officer and does not deserve to have his four stars. His record as a soldier was only good till he held the rank of major. After that, he transformed his military record into a security guard's record and there's nothing in his record from lietenant colonel onwards to show that he knew what military leadership is all about.

Farolan is right. Joey Reyes should have made Chief of Staff - Joey knows the meaning of being an officer: someone who knows how to behave as a gentleman and as a leader of his troops!

Esperon would never have made it past colonel in the US or anywhere in Europe... Never!

Unknown said...

Dean,

May I butt in on the discussion re automated voting.

Jon's suggestion is highly sensible.

His 6 step by step approach is doable, doesn't take time to do and could be almost fool hardy.

Why so? As a bona fide voter in France these last few "centuries", my voting process went through no. 2, 5 and 6 (via an atomated system.)

I believe a machine print out of a voter's choice/choices is a fantastic idea.

The fact that the Philippines does not have a party list voting system, you will have to do things manually still like when reading out the names on the ballot to tabulate the votes.

Perhaps, the Presidential and Vice-Presidential ballot print outs should be different from the others to ensure faster, more efficient vote tabulations for those offices; said ballots should also be depostited in different transparent ballot boxes at each voters' precinct.

But I do agree that there is a need for COMELEC overhaul. The officials today have very little credibility that even if you modernize the voting process in the Philippines with the most expensive, fool proof gadgets, you will not be ablet to remove the stain of corruption that's impregnated this agency.

cvj said...

Postigo, thanks for the explanation. Jon, your idea sounds very much like the one that was described here:

http://www.openvotingconsortium.org/faq

You may be interested in looking into this as well.

Jon Mariano said...

CVJ, it's interesting that such kind of design, and so detailed a system plan already exists. And the fact that this is "open", or in the public domain, it can be customized and used by the Philippines.

My 6-step suggestion is a high level design if you will, and considering that in every system the devil is in the details, those 6 simple steps will become 6 simple steps with hundreds of details inside!

But of course Dean is correct to say that before you do detailed design, you need to do have a system design where all the requirements (which needs to be automated, why, how) are defined first.

The good thing is, there are already finished products out there. The bad news is, no design has yet to be deemed unquestionable. Further complication is in the Philippines' topography, power supply problems, security problems, technical knowhow (operators in precinct level), etc.

So, it really is a very huge undertaking. But something that we need to do.

Hopefully, Postigo's work can enlighten some minds in the Comelec and a good product will be found/made.

Trip Atomic said...

jon, we call your idea a 'voter-verifiable-paper-audit-trail' and you'll be happy to know that it is already provided for in the amendments to RA 8436 that the House has passed, and in the corresponding Senate Bill that we are still waiting to be passed. This feature will be part of the automation scenario - if not for 2007, then for 2010.

Unknown said...

Beg your pardon folks... I posted an incomplete process there.

Out of the 6 step by step proposal of Jon, our way of voiting here uses 4 steps as follows:

No. 3. A ballot-like paper is printed. (Print outs are already available for selection)
No. 2 The voter selects his choices once in the booth.
No. 4 Voter verifies the printout but signs or affixes thumb mark in a registry before the polling officers.
5. Voter drops the printout in ballot box.
6. Summary and tallying is done by the system on all levels (this is where trust is needed).

By 8 PM on the same day, we already have the name of the winning major candidates and before midnight, we have the names of the winners for Parliament. (Presidential ballot print outs are on a different paper.)

So, in fact we are using 5 of the 6 steps proposed by John already.

Anonymous said...

You guys are correct that a system must be in place first before the design.

Like in a car company,the designers are adviced not to deviate from the system,that is why Volvo remained as boxy for so long and yet remained the safest,best engineered car among its peers.

And you usually tell an architect of your copncept before they make designs for you.


Without that system,we will be at the mercy of the system and design of the suppliers,which of course will be looked at as favoring one so called supplier.

The system must also be copmplete...
Not just a module,like having automation,without a procurement system in place,thus a loophole was easily exposed regarding procurement.

Deany Bocobo said...

Jon,

The polling system you have described sounds a lot like an Automatic Teller Machine!

But in that case, the transaction is mediated by a person's ATM card.

We have to now INVENT the equivalent of that token for the VOTER. A Voter's ID Card and its DESIGNED FEATURES will be a key ingredient in any specific system we design.

And of course, we will be stepping into the other big area of discussion (VOTER REGISTRATION) when we talk of this voter ID card.

But before all that, I just want to work the idea into your 6-step system and think about how the Voter ID Card assists in Verifiability.

Here are some general thoughts:

(1) Like an ATM Card, the VID Card is associated with a unique ACCOUNT. When it is first issued to the voter upon registration/validation, it will contain exactly ONE VOTE as balance in the "checking account."

(2) Like an ATM Card, the VID Card can only be used at an Automatic Election Machine (AEM)(manufactured by Jon Enterprises, Inc, after proper public bidding of course!).

(3) After the voter enters his choice, say for President in a national election, or for the Senators as in 2007, his "account" will now contain zero credits, so no AEM will allow him to vote again. But it will also contain the detailed information of where, when, and who he voted for, a kind of "account record" that is written to his VID in nonerasable memory the first time it is written by the AEM. Everything is cryptographically encoded and unlocked only by a voters PIN, also issued upon registration. Point however is that the voter must be able to check this balance with Comelec at any time after the elections to make sure his individual vote is being given to the choices he has actually made.

I envision that this card will start out being something like the Smart Cards in use in HongKong mass transit and here also in the Philippines. It will have both volatile and nonvolatile RAM and READONLY memory. Public Key Encryption technologies can be used to protect the information within while providing complete verifiability.

It does imply a massive new central database infrastructure at Comelec. But I see now clearly the mountain that must be climbed:

Since votes, like money, are pure information, the Comelec has to become like a Central Bank of Democracy.

Deany Bocobo said...

HB,
The big difference is the existence of the multistage canvass. I predict that it is that feature the political trapos will fight tooth and nail to preserve. They will argue for example that at least locally the authority to count and canvass should remain where they can corrupt it. And nationally, the political classes will OPPOSE automation and modernization with hammer and tongs. I doubt seriously that any of this can be accomplished in 10 years! The main fight will be political. It will be complicated by technology, innumeracy and general ignorance of law, both natural and manmade.

But it is only the Geeks left against Guns, Goons and Gold.

kulas said...

The Secretary of Justice Raul M. Gonzalez knows what he's talking about. Crime pays! So far for them, anyway.

But nothing is forever. And sooner or later, someone will pay. Let's hope that the guilty ones live long enough to pay for their sins not only in hell, but also here on earth - judged by their fellowmen.

Deany Bocobo said...

Well said Kulas! But I am only getting madder and madder at Mr. Justice Sec. Gonzalez. It hit me today that he actually agrees with the Spanish Taliban: Gomez Burgos and Zamora were criminals! Remember the Cavite Mutiny!

Trip Atomic said...

djb,

arthur clarke would probably love to meet you. Your concept of a voter id as a voting ATM card is novel, to say the least. However, tying up voting with an ID is pretty dangerous because it will make massive voting fraud much easier. all a political operator has to do is to gather (by any available means) all the IDs in his territory and he can either load the votes in favor of his client, or deprive his opponent of much needed votes.

As for the voter database - we have that already. With our modernized registration system, we have created a database of registered voters containing the biometric information of each. This information is then used to search for multiple registrants within the system.

Future developments in this direction will include the acquisition of an AFIS - automated fingerprint identification system. When we have that, we will be able to field fingerprint scanners (tiny ones) to all voting centers so that a person can only vote once he is cleared by a database search, i.e., his fingerprint has been compared with the database and he is found to be exactly who he claims to be and is eligible to vote in the place where he wants to vote.

I think the voter ID may be superfluous once this system is up and running.

Deany Bocobo said...

Postigo Luna,
Hang on before you dismiss the Voter ID card concept I've just presented.

I really want to develop a voters id card that is the physical equivalent of an ATM card and even more secure than that. Remember that at the point of registration, an encrypted code can be embedded PHYSICALLY in the VID that is about to be issued to the voter. This encrypted code is not known to precinct operators, and the idea is that the PHYSICAL VID will be required for a vote to be validly posted on election day using that particular card. In other words, knowing the voters ID of a voter won't be enough to vote on their behalf. It's not a video game or a movie. The exercise of suffrage must meet the tests of fully audited time and motion study: when, where, and by whom it is used. The physical card must be used at given time and place, namely the precinct of registry and only on election day.

That is the other feature of a polling station I have in mind to suggest. When it transmits its data it also sends verifiable geocoding information of latitude and longitude at which the VID was used to expend its voting credit. The cellcos can already provide at least cellsite geographic location for transmissions. But better precision can be achieved with GPS.

I think individual voter's id is key to preventing fraud. We have to get very smart now though in how we secure PRIVACY while maximizing VERIFIABILITY.

I can't see any way through it. Even money has to have physical tokens of its value and existence. Some kind of voters id has to be developed anyway.

I say it should embody the engineering design objectives of the overall election system. In fact security and verifiability start at the individual voters level. If you can't secure the smallest minority possible, how can you secure anyone else?

Cradle to grave, registration to proclamation, the individual's ballot is sacred. That's what the Constitution says. We must build that into every crevice of the system. Honesty must become unnecessary, since it is clearly insufficient anyway to deter the Garcis of the world.

Trip Atomic said...

djb,

i understand what you mean, and I'm sorry if I came off as dismissing the notion of an ATM-esque Voter ID. That wasn't my intention. In fact, that IDea has been discussed here as far back as 2000.

I am merely pointing out that by making the ID indispensable to voting, you are giving political operators the means to easily defeat the system.

Knowing the voters ID of a voter won't be enough to vote on their behalf, absolutely, but I never said that that was all that would happen. What I actually said was that just by gaining control of the IDs'of voters (through violence, vote-buying, or whatever), a political operator can deny his opponent votes (i.e., how can the opponent's supporter vote if they don't have their IDs?); or - with a threat of violence against poll clerks - vote with the IDs (at the proper place and time as you specified, determinable by GPS) in a massive disenfranchisement operation: the votes are cast but they are not cast by the ones who own the votes.

This is actually the same weakness that affects ATMs. The difference is, the financial loss resulting from giving up your PIN is far more painful for individuals than the loss of the vote. Plus, the Voting ATM's pin can easily be a saleable commodity.

In sum, the design challenge isn't just technological - and technology won't solve everything (as I'm sure you know). A big chunk of the problem is cultural and economic as well. It is these two stumbling blocks that have made the idea of an ATM-esque voter's ID less than practical.

Deany Bocobo said...

Fair enough Postigo. I realize it is actually impossible to discuss in detail any specific idea because the useful discussion has to approach it all systematically and nonargumentatively. Haha. Philippine Commentary is a very friendly and liberal zone though, so never feel inhibited by the host's sometime surly sound.

I do appreciate this conversation. Because time is running out even on 2007. thanks again,

Trip Atomic said...

ditto. :)

Deany Bocobo said...

I've been thinking hard about VOTER REGISTRATION. But I hope you can give us a good heads up on that situation. I know from your blog that a lot of weird stuff happend under Tangcangco. In California they have Motor Voter Laws I think...same day registration to vote! What would that take? so many issues. How do you deal with the dead and dying? Not to speakof the resurrected?! And what "biometrics" are going to be used? thumbmarks?

Unknown said...

Dean,

My suggestion and I am serious about this.

If COMELEC appoints you their consultant or resource person, accept!

You can put in a caveat: that you should be allowed to do research on voting registration and voting systems available in some Western countries, US included.

I can almost guarantee that if you hold that kind of authority, there are already two nations in Europe which will be only too glad to invite you to speak to you about their systems.

Trip Atomic said...

djb, i'll post my reply to your request on my blog. please check it out there.