Tuesday, July 21, 2009

Automation and the Rights of Suffrage

"THE CONGRESS SHALL PROVIDE A SYSTEM FOR SECURING THE SECRECY AND THE SANCTITY OF THE BALLOT..."

What exactly does the Constitution mean by the two terms: (1) "the secrecy of the ballot" and (2) "the sanctity of the ballot"--and how should our appreciation of them change if the country moves from the old Manual Election System to some kind of new Automated Election System? How for example can a ballot remain SECRET yet be properly and verifiably COUNTED by a public agency like the Boards of Election Inspectors, Comelec and the Congress? How can BOTH secrecy and sanctity of the ballot be secured, as required by the Constitution? In future there may not even BE a physical ballot involved in the voting process!

The 1987 Constitution provides:
ARTICLE V -- SUFFRAGE
Section 1. Suffrage may be exercised by all citizens of the Philippines not otherwise disqualified by law, who are at least eighteen years of age, and who shall have resided in the Philippines for at least one year, and in the place wherein they propose to vote, for at least six months immediately preceding the election. No literacy, property, or other substantive requirement shall be imposed on the exercise of suffrage.

Section 2. The Congress shall provide a system for securing the secrecy and sanctity of the ballot as well as a system for absentee voting by qualified Filipinos abroad.
The Congress shall also design a procedure for the disabled and the illiterates to vote without the assistance of other persons. Until then, they shall be allowed to vote under existing laws and such rules as the Commission on Elections may promulgate to protect the secrecy of the ballot.

I think that these two terms refer to two different aspects of the INFORMATION that is contained in a valid voting BALLOT namely: (1) Which VOTER cast the ballot; and (2) Which CANDIDATES were chosen on the ballot.

The SECRECY of the ballot refers to the IDENTITY of the VOTER who cast a given ballot. There must be a reasonable expectation that this information cannot easily or readily be determined from an inspection of the ballot alone.

Meanwhile, the SANCTITY of the ballot means that it ought to be properly counted and canvassed and the candidates chosen receive the intended vote.

Under the Manual Election System that has been used in all past elections, a paper ballot must be filled out by the Voter with the NAMES of the candidates (this, despite the explicit 1987 provision that literacy is not a requirement for the exercise of suffrage.) The ballots cast at a given precinct are then read (usually by persons many of the voters will know to have been their school teachers) and a tally of all the votes is made to produce the Precinct Election Return.  Theoretically, the identity of the voter casting a given ballot is kept "secret"  since the voter does not literally sign the ballot.  But in most cases of course, this is a legal and practical fiction.    About 250,000 precincts (max 200 registered voters each) are required to service about 50 million potential voters for 2010.

In the case of the Manual Election System that has been in place since time immemorial, there is of course no identification of the voter on the ballot. However, since each voter is obligated to write out the names of each candidate, and the local school teachers who know everyone from infancy (and likely their handwritten script) are manning the Board of Election Inspectors, the concept of voter identity secrecy could easily be a legal fiction in most cases!

On the other hand, the sanctity of the ballot under the Manual Election System is notoriously subject to addition, subtraction, multiplication, division and every imaginative genre of dagdag-bawas known to Garci, Bedol and that shady ilk of election operators during a month long process of municipal, provincial and national canvass.

Comes now the concept of the AUTOMATED ELECTION. How are reasonable Filipinos to construe the concepts of SECRECY and SANCTITY of the BALLOT under this new SYSTEM?

In the upcoming May, 2010 elections, an automated election system will enable registered voters to MARK selections from a LIST of candidates on the printed paper ballot. The ballot is fed into a Precinct Count Optical Scanner (PCOS) which photographs it; programmatically interprets the voter's choices; encrypts, registers and stores the raw data in preparation for CANVASS, TRANSMISSION, and ARCHIVING. The PCOS will also produce a RECEIPT for the voter's records.

The following analogy is useful: the ballot is like a set of email messages, one for each candidate selected by the voter. The voter is the sender of the email messages and the candidates chosen are the recipients of the message.

Thus the "delivery system" which is to be provided by the Congress and executed by Comelec must efficiently and accurately deliver all possible 50 million email message ballots in 2010 to their intended recipient's "mailboxes" maintained for local candidates at the Comelec HQ and the Congress in joint session assembled for the national canvass. At the same time, for any given message, the identity of the sender must not be easily or readily determinable from the ballot alone.

May I suggest that there is a well-established technology which can fulfill the Constitutional guarantees on secrecy and sanctity of the democratic ballot that is available to a suitably engineered and implemented automated election system. I speak of techniques involving the use of PUBLIC KEY CRYPTOGRAPHY to guard both the voter-sender's identity from public view, and ensure that only the intended candidate-recipients can actually receive the ballot-message!

Are such systems even possible in the real, practical world?  You bet! In fact take a look at this news item on PhysOrg from the Harvard University School of Engineering and Applied Science, which describes a recently implemented "auditable voting system" called Helios that is a kind of ideal model for an automated election system:

 "Helios allows any participant to verify that their ballot was correctly captured, and any observer to verify that all captured ballots were correctly tallied," said Adida. "We call this open-audit voting because the complete auditing process is now available to any observer. This revolutionary approach to elections has been described in the literature for more than 25 years, yet this is the first real-world open-audit election of this magnitude and impact of outcome."

The verifiable voting system, available as open-source/free software, implements advanced cryptographic techniques to maintain ballot secrecy while providing a mathematical proof that the election tally was correctly computed.

Helios relies upon public key homomorphic encryption, a method where a public key is used to encrypt a message (in this case, a vote); messages can be combined under the covers of encryption (in this case, tallying the votes); and multiple independent private keys are required to decrypt the message (in this case, the election tally).

In an election, Helios works as follows:

• first, each voter receives a tracking number for his/her vote and the vote is encrypted with the election public key before it leaves the voter's browser;

• second, with the tracking number, a voter can then verify that their ballot was correctly captured by the voting system, which publishes a list of all tracking numbers prior to tallying; and

• finally, the voter, or any observer including election watchers from outside the election, can verify that these tracking numbers (the encrypted votes) were tallied appropriately. The election results contain a mathematical proof of the tally that cannot be "faked" even with the use of powerful computers.

"Because the tallying happens under the covers of encryption, the entire verification process is done without revealing the contents of each individual vote," explained Adida. "Moreover, by using Helios, voters no longer need to blindly trust those supervising the election, as officials must provide mathematical proofs that everything was done appropriately."
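The homomorphic tally described in the quoted item, as an added example that is not from the original post or from Helios: a toy exponential-ElGamal scheme (an illustrative choice) in which three trustees hold independent private keys and only the combined tally is ever decrypted. The group parameters, function names and sample votes are constructed for illustration, and the proofs of correct encryption and decryption that an open-audit system publishes are omitted.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """One trustee's key pair (x, g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def combine_public(pubs):
    """Election public key: the product of all trustee public keys."""
    h = 1
    for y in pubs:
        h = h * y % P
    return h

def encrypt(h, vote):
    """Encrypt g^vote, so that ciphertexts add up in the exponent."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P

def add(c1, c2):
    """Homomorphic addition: component-wise product of two ciphertexts."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def partial_decrypt(x, c):
    """One trustee's decryption share for ciphertext c."""
    return pow(c[0], x, P)

def open_tally(c, shares, max_votes):
    """Combine every trustee's share, then search for t with g^t == g^tally."""
    d = 1
    for s in shares:
        d = d * s % P
    gm = c[1] * pow(d, -1, P) % P
    for t in range(max_votes + 1):
        if pow(G, t, P) == gm:
            return t
    return None  # no count in range matches, e.g. a share is missing

def run_election(votes, trustees=3):
    keys = [keygen() for _ in range(trustees)]
    h = combine_public([y for _, y in keys])
    ballots = [encrypt(h, v) for v in votes]   # published, contents hidden
    total = (1, 1)                             # encryption of zero votes
    for b in ballots:
        total = add(total, b)                  # any observer can recompute
    shares = [partial_decrypt(x, total) for x, _ in keys]
    return open_tally(total, shares, len(votes))
```

No individual ballot is decrypted at any point: the trustees apply their keys only to the product of all ciphertexts, so the only plaintext that appears is the count.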

The automated election system that Comelec will use in the May 2010 elections makes many similar claims of capability to secure ballot secrecy and sanctity, although the implementation is necessarily different for an election with 50 million voters spread out over 250,000 precincts than what may be possible at Harvard University! However, it will be noted that public key encryption techniques are at the heart of the SmartMatic/TIM consortium's proffered system, which thus certainly has the potential to be evolved and developed into a mathematically secure voting system.

Cryptography is indeed the KEY to securing the rights of suffrage: ballot secrecy and sanctity! 

The Contract between Comelec and the technology provider, SmartMatic/TIM is to be found here on the Comelec website.

Key Dates on the Comelec 2010 Election Calendar are here.

SmartMatic Corp's Home Page contains a wealth of information about the company that will provide the historic first automated election system for the Philippines.  There is a Philippines Media Kit on the site.  Although SmartMatic has a track record in conducting elections, it reveals on the website that it has actually counted only about 150 million votes in all the elections it has automated.   The May 2010 elections could involve as many as 50 million Filipino voters.  

A successful automated election in the Philippines is clearly in the long-term interest of the company called SmartMatic, for it could unlock a rich market for automated election services in democracies all over the world.   A bad election in which the automated system is implicated in fraud or God forbid, a failure of election, is NOT in SmartMatic's interest.

I believe this is a key consideration in how pundits and bloggers especially ought to see SmartMatic.  Comelec of course is another matter!


REFERENCE LINKS:

SOURCE: Philippine Commentary