Saturday, August 15, 2009

Automation and the Obsolescence of Trust

OPPOSITION to the automated election system being prepared by Comelec for 2010 comes from a surprising direction--not Garci, Bedol, the Palace, the trapos, nor even the political opposition--but from certain elements of Civil Society who simply do not TRUST the government and Comelec to come up with a secure and honest system. In this of course, Comelec itself has given them much justification, such as the last time they tried to automate in 2004 under Ben Abalos.

In a justifiably cynical sense of course they are right: Comelec can't be trusted. But I think these elements also miss the essential point: that a successfully implemented automation system will largely obsolete the need to trust Comelec in the old-fashioned sense of the word, much as we do not have to "trust" our banks in that way. However, getting to that point may not be so easy, since it is Comelec itself that must implement automation! It looks at first like a classic Chicken-or-the-Egg situation. But it is NOT, because in fact it is the Congress which is mandating the Comelec to modernize a hopelessly defraudable manual election system. Even though Comelec is an independent Constitutional Commission, it is actually the Congress that is empowered by the Constitution to provide for a system to secure the secrecy and sanctity of the ballot and uphold the Right of Suffrage. So I believe the most utilitarian way of looking at this situation is that we, the People, through our elected representatives, are in fact forcing reform upon the Comelec by making it adopt an automated system that will disempower the Garcis, Bedols and Abaloses within that all-important institution!

In the meantime, however, I believe the chances are much greater than 50/50 that the Supreme Court will TRO a Monkey Wrench into the 2010 automation project. What the Civil Society opponents of automation want before allowing automation is a trustworthy Comelec. And because Comelec may have done some things wrong even this time around, they have unwittingly done the Dirty Work for those who really don't want automation anyway: the Palace, the trapos and those who know how to cheat the old-fashioned way. If this happens, and SCoRP rules against automation, Garci will probably christen his new yacht next year as the M/V Harry Roque.

COMELEC COMMISSIONER RENE SARMIENTO writes a defense of the worthy ambition to automate Philippine elections in 2010: A Moment in History: Understanding Poll Automation for the 2010 Elections (Business Mirror). He rises to Biblical eloquence in his concluding paragraph:
Hebrew soldiers said Goliath was too big they could not kill him. David said Goliath was too big, his slingshot would not miss him. Attitude. Equipped with the correct attitude, our people can view this electoral breakthrough called poll automation, and the generous support of many all over the land, young and elderly alike, as reasons for hope and optimism. With prayer and work (ora et labora) that there are better days ahead, Filipinos will succeed. If we whine, we complain, we bemoan that the Filipinos are beyond redemption, we will fail. Against gloom and doom, we labor and hope that change is within reach, and proclaim that God provides and He will never fail the Philippines!
Many voters, in particular the youth and new registrants, are looking forward to the automated polls and, I believe, would be unlikely to vote at all under the old, fraudulent, cumbersome and messy manual election system.

Ominously, the Supreme Court of the Republic of the Philippines (SCoRP) heard oral arguments last July 29 on a taxpayer's suit filed by UP Law Professor Harry Roque that would effectively stop the Comelec's plan to conduct the first nationwide automated election in May 2010.

ABS-CBN reports on Justice Carpio's question about "foreign control" of the elections during last week's oral arguments in Roque v. Comelec, in what could be another case like ITF v. Comelec (2004):
Justice Antonio Carpio raised the issue of foreign control of the polls after he pointed out the mandate of the Comelec, which is to supervise and administer the election process. Carpio noted that the winning foreign bidder, Barbados-Venezuela Netherlands-based Smartmatic, will have exclusive possession of the public and private keys for the operation of the electronic machines.

Carpio, one of the few IT-knowledgeable magistrates in the tribunal, explained that the public key allows access to the main system (or administrator) while the private key is essentially the password for the operation of the individual machines. The precinct count optical scan (PCOS) machines that will be used in the polls will count, consolidate and transmit the election results.
In response to Carpio's line of questioning, Lead Petitioner Harry Roque reportedly posited that if Comelec grants exclusive possession to Smartmatic, it also cedes exclusive control of the election process:
Lead petitioner UP Professor Harry Roque told the High Court that it will be Smartmatic which will have control of both public and private keys. During the elections, the private key will be given to the Board of Election Inspectors (BEIs) in the precincts.

However, the BEIs will have to depend on the private keys (or passwords) to be given by Smartmatic. By having control of both public and private keys, the set-up, in essence, reposes to Smartmatic the exclusive control of the election process.

Roque said the scheme amounts to “complete abdication of the function of Comelec” to supervise the polls, which is unconstitutional.
CAVEAT:
I think this is an unjustifiable and rather naive assertion. It is like claiming that because I insist upon my bank having exclusive possession of the combination to their safe, I have completely abdicated my control over what the bank does with my money. Conversely, they seem to suggest that there ought not to be exclusive possession of these all-important keys by Smartmatic. What? Maybe they would like to give Cyber Garci a copy of them?

Moreover, there appears to be developing here a Y2K-bug-like superstition about CRYPTOGRAPHY based on ignorance of its true essential and central role in securing the elections and disguised by the use of technical verbiage. Where the IBM PC clocks were made an object of mysterious power to foment disaster, Roque et al have tried mighty hard to invest the same mystical malevolence in the cryptographic keys used in an automated system like this.

To foster greater public understanding of this all-important SECURITY feature of the automation system, we must look for documentation and information about this aspect of the automation project from independent and reliable sources. Fortunately, the winning bidder of Comelec's automation contract, Smartmatic Corp., has participated in a number of United States elections and in the process has been forced to adopt U.S. Federal and State standards, guidelines and qualification procedures for its systems and products in order to compete in that very tough market.

Before suddenly rendering any historic decisions, I think it would be most helpful and beneficial if everyone involved, even "I.T.-knowledgeable" Justices of the Supreme Court, would become familiar with the U.S. Election Assistance Commission's General Security Requirements for Voting Systems, which covers the following topics:
Cryptography: Requirements relating to use of cryptography in voting systems, e.g., use of U.S. Government FIPS standards.
Setup Inspection: Requirements that support the inspection of a voting device to determine that: (a) software installed on the voting device can be identified and verified; (b) the contents of the voting device’s registers and variables can be determined; and (c) components of the voting device (such as touch screens, batteries, power supplies, etc.) are within proper tolerances, functioning properly, and ready for use.
Software Installation: Requirements that support the authentication and integrity of voting system software using digital signatures provided by test labs, National Software Reference Library (NSRL), and notary repositories.
Access Control: Requirements that address voting system capabilities to limit and detect access to critical voting system components in order to guard against loss of system and data integrity, availability, confidentiality, and accountability in voting systems.
System Integrity Management: Requirements that address operating system security, secure boot loading, system hardening, etc.
Communications Security: Requirements that address both the integrity of transmitted information and protect the voting system from communications based threats.
System Event Logging: Requirements that assist in voting device troubleshooting, recording a history of voting device activity, and detecting unauthorized or malicious activity.
Physical Security: Requirements that address the physical aspects of voting system security: locks, tamper-evident seals, etc.
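The Setup Inspection and Software Installation items above describe a check that is easy to make concrete: compute a digest of every file installed on a voting device and compare it against the reference digests published for the certified build. What follows is an added example written for this post, not code from the EAC, Smartmatic or Comelec; the file paths, file contents and the manifest layout are constructed for illustration, and a real reference manifest would itself be signed by the test lab, which this example does not model.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// ReferenceManifest maps an installed file path to the SHA-256 digest (hex)
// published for the certified build of that file.
type ReferenceManifest map[string]string

// InspectionReport is the outcome of comparing a device's installed files
// against the reference manifest.
type InspectionReport struct {
	Verified   []string // digest matches the reference
	Modified   []string // present, but digest differs
	Missing    []string // expected by the manifest, absent on the device
	Unexpected []string // on the device, not listed in the manifest
}

// Clean reports whether the device holds exactly the certified software.
func (r InspectionReport) Clean() bool {
	return len(r.Modified) == 0 && len(r.Missing) == 0 && len(r.Unexpected) == 0
}

// Digest returns the lowercase hex SHA-256 of a file's contents.
func Digest(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// InspectDevice compares the files found on a device with the manifest.
func InspectDevice(installed map[string][]byte, manifest ReferenceManifest) InspectionReport {
	var r InspectionReport
	for path, want := range manifest {
		contents, ok := installed[path]
		switch {
		case !ok:
			r.Missing = append(r.Missing, path)
		case Digest(contents) == want:
			r.Verified = append(r.Verified, path)
		default:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range installed {
		if _, ok := manifest[path]; !ok {
			r.Unexpected = append(r.Unexpected, path)
		}
	}
	// Map iteration order is random; sort so reports are reproducible.
	for _, s := range [][]string{r.Verified, r.Modified, r.Missing, r.Unexpected} {
		sort.Strings(s)
	}
	return r
}

// BuildManifest is the lab-side step, run once against the certified build;
// it is included only so that the example is self-contained.
func BuildManifest(certified map[string][]byte) ReferenceManifest {
	m := ReferenceManifest{}
	for path, contents := range certified {
		m[path] = Digest(contents)
	}
	return m
}

// Constructed sample data: a hypothetical certified build, and a device whose
// counting program was altered, whose config is gone, and which carries an
// extra library the manifest never listed.
var certifiedBuild = map[string][]byte{
	"/opt/pcos/bin/count":    []byte("certified counting program v1.0"),
	"/opt/pcos/bin/transmit": []byte("certified transmission program v1.0"),
	"/opt/pcos/etc/config":   []byte("precinct=0000-A"),
}

var deviceFiles = map[string][]byte{
	"/opt/pcos/bin/count":    []byte("certified counting program v1.0 + patch"),
	"/opt/pcos/bin/transmit": []byte("certified transmission program v1.0"),
	"/opt/pcos/lib/extra.so": []byte("not in the manifest"),
}

func main() {
	report := InspectDevice(deviceFiles, BuildManifest(certifiedBuild))
	fmt.Printf("clean=%v verified=%v modified=%v missing=%v unexpected=%v\n",
		report.Clean(), report.Verified, report.Modified, report.Missing, report.Unexpected)
}
```

Run with `go run`. The device counts as carrying the certified software only when the modified, missing and unexpected lists are all empty; a single altered byte in the counting program changes its digest and moves it to the modified list, which is the whole point of the Software Installation requirement.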
What one discovers from a careful study of this comprehensive document is that CRYPTOGRAPHY is essential and necessary to all these aspects of system security and operation. It would be literally impossible for Smartmatic to carry out its mission and guarantee that system security if it were not given exclusive possession of the cryptographic keys.

The cryptographic public and private keys referred to are a necessary and indispensable piece of information without which the Automated Election System could not be operated properly, nor could the system provider then guarantee the integrity, authenticity, verifiability or even the source of election data generated by the 82,500 PCOS machines. Thus, the unavoidable FACT is that Smartmatic must have possession of these keys. Does this constitute "foreign control" of the polls? The short answer is NO, simply because legally speaking, Smartmatic/TIM is 60% Filipino! The long answer is also NO, since it would be dumb-ass foolish NOT to insist on exclusive possession and indeed absolute secrecy and confidentiality of the private keys to the PCOS machines and of all other machines in the AES. I cannot see how any "I.T.-knowledgeable person"--whether or not they happen to also sit on the high bench of SCoRP--could possibly think that sharing the private keys with Comelec for example could possibly be a wise or sane thing to do!

The EXCLUSIVE POSSESSION by Smartmatic is certainly not "foreign control of the polls" but a necessary security feature of the whole automation system! It seems to me that we ought to view exclusive possession by Smartmatic of the public and private keys as a virtue and strength, not a vulnerability or undesirable feature at all! We surely do not want non-exclusive possession, such as by allowing Comelec to know these codes! Comelec has no need of these codes that I can see. But if it grants exclusive possession to Smartmatic, does it also cede exclusive control of the election process as effusively asserted by Petitioner Harry Roque, in response to Justice Carpio's lines of questioning?

In order to understand WHO should control the CRYPTOGRAPHIC KEYS that are used to secure the individual ballot data, the election returns and the entire process of digitally canvassing the results of the elections, we must first understand what these keys are and how they are used. I do not wish to controvert the claim that Justice Carpio is "IT-knowledgeable" but if his position was accurately reported above, that knowledge does not show in any suggestion that he agrees with Roque's conclusion. First of all, the referred to "public keys" and "private keys" are indeed essential not only to the operation of the Smartmatic Automated Election system (both its hardware and software) but also to the overall SECURITY of the data streams exchanged between Persons and among the various Machines involved. As such, it is both right and proper that Smartmatic have control of these cryptographic reference materials, for otherwise they could not conduct the election! However, it is purely hyperbolic for Petitioner to assert that this amounts to Comelec abdicating its Constitutional duty. Control of the cryptography is central to the system's data integrity and security.

This happened already once before --in the 2004 SCoRP decision ITF v. Comelec--whose incomplete restitution has left a sour taste in everyone's mouths about Comelec and automation. The Court-ordered recovery of over a billion pesos paid to provider Megapacific in that case has never happened! As a result of the 2004 fiasco over Ben Abalos' Automatic Counting Machines there has developed a justifiable cynicism and distrust of Comelec. Many people are simply unwilling to grant Comelec the benefit of a second doubt in the case of the proposed Smartmatic Automated Election System and Comelec has not done much to win the Public's TRUST since the Garci Scandal of 2004, indeed, insult was added to injury with that slow-motion Maguindanao scandal in 2007 involving the votes of Migz Zubiri and Koko Pimentel, and Mr. Garci Junior himself, the accurately-named Lintang Bedol!

Of course, ANY first attempt to conduct an automated national election involving up to 50 million voters has got to be fraught with pitfalls and challenges. However, I do not agree with Petitioners in the case aforementioned that there is a big risk of an outright failure of election because of a massive and systemic failure in the Smartmatic system software and hardware. Against such a possibility -- say their PCOS disappears and another cannot be delivered in time -- each Board of Election Inspectors is expected to conduct a manual count of the executed ballots and to process their Election Return in the normal way: by submitting it to the Municipal Board of Canvass. They are obligated to do the same anyway under RA 9369, except that they could also forward the PCOS-generated E.R. In a sense, manual election operations become the fail-over mechanism should the PCOS machines be unable to do the job on the voters' ballots. The Smartmatic Real Time Information System (REIS) claims to be able to accommodate manually counted and reported Election Returns from precincts without functional PCOS machines.

Some paint a picture of possible widespread inability to operate the Smartmatic PCOS machines; or that these machines will spit out and transmit inaccurate or dishonest election returns that cannot be questioned and corrected. Such an eventuality would be a grave disappointment, of course.

It is easy to believe the speculation that the First Gentleman Mike Arroyo stands to make a hefty commission from the deal, and it takes scarcely more credulity to think that the FG or similar evildoers may even resort to "wholesale automated cheating".

I guess, I am prepared to believe that certain persons in High Places stand to make money from a seven billion peso contract, but I do not personally believe that Smartmatic Corp. is primarily interested in selling out to some Filipino politician instead of trying to establish itself as a long term leader in a rapidly growing global market for automated election systems. The calculus here is pure greed, since Smartmatic stands to make more money providing secure, reliable election systems than colluding with Filipino cheaters for a small time score.

Accusations have been made that these cryptographic codes in the possession of "foreign companies" will be used to conduct "modernized cheating" or digital dagdag bawas during the transmission and canvassing phase. The main accusation of petitioners is in fact that "Comelec has abdicated its Constitutional duty" to conduct the 2010 synchronized national and local elections if it agrees to give Smartmatic Corp. "exclusive possession of the public and private keys" used in the elections.

I believe this characterization to be HYPERBOLIC, if not hysterical. It is equivalent to claiming that one ought not to allow one's Bank to exclusively possess the combination to its own SAFE because then it might cheat one of one's money, or not yield to an audit of the balance on demand.

Exclusive possession of those cryptographic keys by Smartmatic is WISE, as opposed to shared possession with say Virgilio Garcillano and others at Comelec--which strikes me as a singularly idiotic idea.

13 comments:

Unknown said...

I think you misunderstand the role of the public and private keys in poll automation and confuse it with cryptography. The data is encrypted and the innards of that encryption system are kept secret and held only by Smartmatic. But to open that file, one needs a key. That key should be generated by and kept secure by the authorized person mandated by law - the election inspector. Authorizing the election inspector to create and control his own key does not mean exposing the entire encryption system to the public.

To put it simply, the public/private key is like the PIN for your ATM. This PIN is not assigned by the bank but is generated by the user himself (in this case the election inspector) in order to ensure that the election results data that he sent from the precinct level is exactly the same thing that was transmitted and received by the canvassing center. Thus, the election inspector's digital signature or password should be generated and kept by the user alone, not by COMELEC or Smartmatic. Giving Smartmatic or COMELEC these keys would make the entire system vulnerable to systematic manipulation.
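The post's own question of what the public and private keys are and how they are used, and the comment above about who should generate the inspector's key, come down to the same mechanics, which the following added example makes concrete. It is illustration code written for this page, not Smartmatic's, Comelec's or the commenter's; it assumes Ed25519 signatures, and the precinct identifier and vote tallies are constructed. The precinct side signs the election return with a private key that never leaves it; the canvassing side registers only the matching public key, so it can confirm that a return came from that key and was not altered in transit, but cannot produce a valid signature itself. That is why which party holds the private key is the crux of the dispute: any return the canvass accepts must have been signed by whoever held that key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Tally is one candidate's count. A slice of these, rather than a map, keeps
// the JSON encoding deterministic so signer and verifier see identical bytes.
type Tally struct {
	Candidate string `json:"candidate"`
	Votes     int    `json:"votes"`
}

// ElectionReturn is the precinct-level result a counting machine transmits.
type ElectionReturn struct {
	Precinct string  `json:"precinct"`
	Tallies  []Tally `json:"tallies"`
}

// canonical returns the exact bytes that are signed and later verified.
func canonical(er ElectionReturn) ([]byte, error) { return json.Marshal(er) }

// PrecinctSigner holds the private key; it never leaves the precinct side.
type PrecinctSigner struct{ priv ed25519.PrivateKey }

// NewPrecinctSigner generates a key pair and hands back the public half
// for registration with the canvassing side.
func NewPrecinctSigner() (*PrecinctSigner, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &PrecinctSigner{priv: priv}, pub, nil
}

// Sign produces the signature transmitted alongside the return.
func (s *PrecinctSigner) Sign(er ElectionReturn) ([]byte, error) {
	msg, err := canonical(er)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(s.priv, msg), nil
}

// Canvass holds only public keys, one per registered precinct.
type Canvass struct{ registered map[string]ed25519.PublicKey }

func NewCanvass() *Canvass {
	return &Canvass{registered: map[string]ed25519.PublicKey{}}
}

// Accept is true only if the return is signed by the key registered for the
// precinct it names and its contents are byte-for-byte what was signed.
func (c *Canvass) Accept(er ElectionReturn, sig []byte) bool {
	pub, ok := c.registered[er.Precinct]
	if !ok {
		return false
	}
	msg, err := canonical(er)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo runs the genuine case and two failure cases and returns the three
// acceptance decisions: genuine return, return altered after signing, and
// return signed with a key other than the registered one.
func Demo() (honest, tampered, forged bool, err error) {
	signer, pub, err := NewPrecinctSigner()
	if err != nil {
		return
	}
	canvass := NewCanvass()
	canvass.registered["0001-A"] = pub // constructed precinct identifier

	er := ElectionReturn{Precinct: "0001-A", Tallies: []Tally{{"A", 120}, {"B", 95}}}
	sig, err := signer.Sign(er)
	if err != nil {
		return
	}
	honest = canvass.Accept(er, sig)

	// Votes changed in transit: the original signature no longer matches.
	altered := er
	altered.Tallies = []Tally{{"A", 120}, {"B", 195}}
	tampered = canvass.Accept(altered, sig)

	// A party without the precinct's private key signs with its own key:
	// a well-formed signature, but not from the registered key.
	other, _, err := NewPrecinctSigner()
	if err != nil {
		return
	}
	forgedSig, err := other.Sign(er)
	if err != nil {
		return
	}
	forged = canvass.Accept(er, forgedSig)
	return
}

func main() {
	honest, tampered, forged, err := Demo()
	fmt.Printf("genuine=%v altered=%v wrong-key=%v err=%v\n", honest, tampered, forged, err)
}
```

Run with `go run`: the genuine return is accepted, the altered one and the one signed with the wrong key are rejected. Note that the canvass never needs the private key to do its job, which is the sense in which the post argues that exclusive possession by the signer is a security feature; the comment's point is about which party that signer should be.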

Deany Bocobo said...

Teddy, that's what Carpio thinks.

Jesusa Bernardo said...

I just think it's a "damned if you do, damned if you don't" situation. Who really trusts the Comelec, whether it's automation or manual vote counting? Perhaps, the election officer should be assigned two/three "bodyguards" 24/7--one each from the administration and major opposition groups?

Anonymous said...

2010 is not the time to automate elections. When? First thing is to allow time for the atmosphere of corruption and wanton disregard for the law to pass. How much time will that take - who knows?

If at all, automation should be tried on the local elections first. Let's see how that goes. So, let's pilot the proposed system. Field testing is what they call it. This should expose certain system kinks. The glitches would be more manageable.

I've worked as a technical consultant in systems development and implementation in the US and know that any system, and huge systems even more so, can't be rushed.

Unfortunately, there are always those who get excited about automation without really understanding what is involved.

Ony

Deany Bocobo said...

Chicken v. the Egg Ony. I say we start now and force reform on Comelec. If you wait for Comelec to reform first, why do you even need automation?

Anonymous said...

Jorge,

Many systems fail because of what you propose - start/implement now for the sake of having automation.

As I suggested, start at the local level where it can be administered with some level of confidence, in the Manila mayoral and council elections, for example.

Reform Comelec? By all means! And it might be simpler than what your complex noodle factory thinks. If we can get rid of GMA, we'd be 50-70% done in our efforts.

Ony

Deany Bocobo said...

anon,
perhaps it is mere hatred of GMA that motivates those who oppose it now. It isn't like automation is some big mysterious thing. Cenpeg and Roque are doing a reprise of the Y2K bug. Their technical critique does not stand up to scrutiny as it is based on fearmongering. They are holding the thing up to standards that aren't even within a thousand kilometers of the manual system that they are forcing upon us. Why shouldn't we do it they say? Because we will be cheated or it will fail. But cheating is much easier to do in a manual election and will surely occur.

Anonymous said...

Jorge,

Manual or automated, for those who know and are in power, one is not harder than the other when it comes to cheating. You know this just as well as anyone.

Automated processes should always be held to higher, if not the highest standards. In fact, this is always the objective - "Best practice."

As to hatred of GMA, she brought it upon herself. If I may use your analogy of chicken and the egg: GMA is both chicken and egg of corruption in the Philippines - root and tip, as the saying goes.

Wouldn't you agree that her actions motivate or inspire suspicion and deep mistrust of everything she is connected to or does?

Again, in the local elections, if the automation is botched or the system has not been tested well and has many bugs, it is more manageable to correct or remedy through a higher authority, especially if the head of the country is not 'Hello Garci.'

Btw, R. Carandang suggests an interesting scenario in his blog about what could happen in the 2010 elections.

Ony

Orlando R said...

I may be wrong, but I think the bank analogy doesn't quite fit. The bank can be trusted because if it messed up, it could lose its license. If Smartmatic messes up, the consequences for it are not as dire as for the electoral process.

Deany Bocobo said...

Orlando,
You would be right if we assume that Smartmatic isn't in this for the multibillion dollar global automation market (including its business in the US) and that they would be willing to sell out small time to some Filipino trapo. Then again the analogy would change to a ROGUE BANK that was set up for just a single score (and possible jail terms!) The Philippine election would be the biggest single national election that would be automated and could crack the market wide open for Smartmatic if it is hailed as successful and secure. They would be out of business otherwise. BTW the analogy is more along the lines of how CRYPTOGRAPHY in the election system is as strong (and claimed to be STRONGER) than for banks since they use the same US Federal Cryptography standards, against which their software has already been tested since they participated in several US polls. I bring up the analogy for a third reason: to convince people that this type of automation is quite common and reliable already, not some big mysterious thingy. Thanks for your comment.

Jun Bautista said...

Hi Dean,

Denying Comelec access to the public and private keys - because it cannot be fully trusted - will not necessarily prevent the likes of Bedol and Garci within the Comelec, or anyone with intimate access to it, from rigging the election should they want to. Smartmatic might not have the motive to score or become pawns of election cheats, but dirty Comelec officials can always have access to the election machines and insert malicious software to alter the results. An inside job at the Comelec is more likely to sabotage the AES. In fact, this problem is something that a Princeton University IT study group found vulnerable in the US automated elections; luckily for the US, their election officials do not suffer obsolescence of trust.

Anonymous said...

goodness. all these naysayers on automation. a few years ago they were screaming 'automate!' then when the comelec comes around to doing this they all scream 'don't automate!' i mean, what do we all really want?? why can't we make up our bloody minds?? it's occam's razor, the simplest answer tends to be the correct one. automate. get electronic results within the day, proclaim a winner so that governance won't be severely delayed (we've seen garbage pile up during hotly contested local election counts) and if there are complaints, then retrieve the paper ballots cast. which means, once those paper ballots are run through the counting machine, don't throw them away. so in this scenario, after the electronic count, comelec declares an unofficial winner who will be deemed as a sort of 'officer-in-charge'. governance and public service will then be left unhampered. if all protests against this OIC are deemed void or resolved, then COMELEC moves to officially proclaim the OIC as duly elected for his/her respectable position. frankly, i for one believe that the presidential and senatorial vote is likely more honest than the local elections because based on what i've observed throughout all my years voting is that people on the local level hardly care about the national vote. so to secure the presidential and senatorial count, you merely need to focus attention on the national canvassing body. all the issues against automated voting might be relevant in the local elections but arguably not for the national vote. besides, if the system messes up, we won't have any problems finding the culprit. Smartmatic gets the accusatory finger.

Jesusa Bernardo said...

@Anonymous

I guess you've not heard enough of the abominable 'Hello Garci' scandal and previous 'Dagdag-Bawas' operations that's why you think national elections in RP have been cleaner than the locals.

Even if, for the sake of argument, vote manipulation in both levels are the same, the implications of national-level cheating are obviously much more serious.