Automated Election System: Modernizing Democracy or Modernizing Cheating?
Technical and Election Management Briefing
Center for People Empowerment in Governance (CenPEG)

WHY AUTOMATE?
• To eliminate clerical, human intervention-related errors
• The process is too long and exhausting: it takes almost two months before national positions are proclaimed.
• To remove the conditions for DAGDAG-BAWAS (vote padding and shaving) or wholesale cheating
What is the AES?
“A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process” (RA 9369)
CenPEG, 2009

Public perception of the AES
• Less human intervention
• Cheating would be impossible in an automated election
AES = CLEAN ELECTIONS

But automated elections also commit mistakes because of…
1. Software errors
2. Hardware errors
3. Human errors
4. Poor or flawed design
5. Deliberate tampering
6. Problematic transmission and power supply

Introducing… the Philippine AES
• Election Management System (EMS)
• Precinct Count Optical Scan (PCOS) – Optical Mark Reader (OMR) system
• Precinct machine: SAES-1800
• Consolidation / Canvassing System (CCS)
• CCS computer: REIS
AES Features
• MANUAL VOTING using PAPER BALLOTS: the voter shades the oval next to the names of the chosen candidates
• COMPUTERIZED COUNTING at precinct level
• COMPUTERIZED CANVASSING: consolidation and canvassing at the municipal, provincial, national COMELEC, and national Congressional levels

Introducing… SAES and REIS
• SMARTMATIC AUDITABLE ELECTION SYSTEM (SAES 1800): PCOS – OMR machine, for COUNTING
• REIS: for CANVASSING

SAES 1800: Precinct Count Optical Scan / Optical Mark Reader (PCOS-OMR)
Detects the absence or presence of a mark in predefined positions on a form

CANVASSING LEVELS: Data Flows (diagram slide)

Consolidation & Canvassing System (CCS) / Real-Time Electoral Information System (REIS)
• Operating system: GNU/Linux
• Software possibly written in a server-side web programming language (e.g. Java)

Canvassing Features
• Cities/Municipal – Input: ERs from precincts
• Provincial/Congressional – Input: Statement of Votes and Certificate of Canvass from cities/municipalities
• National
  • Congress: President and Vice President contests
  • Comelec: Senators and Party List contests
  • Input: Statement of Votes
• Comelec back-up server
• Dominant majority/minority parties, citizens’ arm, KBP server

PCOS Machine (for counting): SAES-1800 / CCS Server (for canvassing): REIS (photo slide)

30 VULNERABILITIES: Pre-election * Election * Canvassing * Proclamation
6 Vulnerable spots in the AES 2010: Pre-Election
• Voters’ list, project of precincts, candidates’ list – possible manipulation of lists
• Printing of ballots – excess ballots, preciseness of printing, security marks
• Storing of ballots – security of storage, pre-shading of ballots
• Shipping of packed ballots – security of ballots during delivery, ensuring that ballots get to their proper destination

8 Vulnerable spots: Pre-Election
• Deployment of machines – security of machines, suitability to local conditions
• Final testing and sealing of machines – long lapse between testing and actual election day, security of storage

6 Vulnerabilities On Election Day – Canvassing
Initialization: BEI inserts the physical key into the PCOS machine to power it; BEI inserts the CF card into the PCOS machine to configure it; BEIs type passwords to initialize the machine (zero votes)
• Hardware failure: start-up or boot failure
• Wrong CF card inserted
• Failure to accept password
• Failure of initialization function
• Machine has stored ballot images already
• Wrong program installed
Counting: voter fills up and feeds the ballot into the machine; BEIs close the poll and press the function key to count and print the ER
• Pre-marked legitimate ballots might be fed
• Legitimate ballots rejected
• Long ballot twists and jams
• Paper jam
• Machine fails to recognize dot, check, and x marks
• Voter cannot verify if the ballot is read/scanned correctly
• Failure of the function to close polls (pre-marked ballots can still be inserted)
• Misreading of ballots
• Mis-crediting of marks
• Erroneous counting
• Printer fails
Transmission: BEI attaches an external modem to access an internet connection; BEIs digitally sign the electronic ER for transmission
• Signing/encryption/transmission failure
• Failure to accept password
• Connectivity failure
• No cellular signal in the area
• One modem shared by all PCOS machines in the voting place
Initialization: Initialization Report (photo slide)
Voting: Sample Ballot; Feeding the Ballot into the Machine (photo slide)
Voting (photo slide)
Election Return and Transmission of Votes: ER Certification; External Modem (photo slide)
5 MAJOR TECH ISSUES: Software and Data Integrity

Highlights of Technical Concerns
• Verifiability of voter’s choice – machine interpretation of the ballot
• Program correctness and integrity verification – review of source code
• Protection of transmitted data – digital signatures
• System administration – root users / system administrators
• Transmission / connectivity
Voter’s Choice Verifiability
“Provide the voter a system of verification to find out whether or not the machine has registered his choice.” [Article 7 (n) of RA 9369]
Disabled function

Voter’s Choice Verifiability
• No sufficient mechanism for the voter to verify that the computer has interpreted his ballot correctly.
• Safeguard: Comelec has to enable the feature of the SAES-1800 that shows how the PCOS machine interpreted the ballot.

Program Correctness
RA 9369 Section 14 requires Comelec to make the source code available and open to review by all interested political parties and groups.

Source Code
• Human-readable version of the computer programs running on the PCOS and CCS computers.
• Will reveal whether the counting and canvassing are done properly.
• To prove that the PCOS and CCS programs follow RA 9369 and the COMELEC ToR.
Illustration: Java source code with prologue comments indicated in red, inline comments in green, and program code in blue.

Safeguard
The reviewed and approved source code, in machine-executable format, is burned into each PCOS machine and installed in the CCS.

Program Integrity Verifier
How can we know that the approved source code is installed?

Safeguard
• Comelec should subject the approved program to an integrity verifier (hash) function.
• The hash value must be provided to the BEIs and poll watchers on election day as the basis for comparison with the hash value of the PCOS machine in the precinct.
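As an added illustration (not from the CenPEG briefing and not Smartmatic's software), the check the safeguard above describes, written in Go: the hash of what is actually installed on the machine is compared with the value Comelec published. The file name and image contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
)

// ProgramHash is the "integrity verifier (hash) function": the SHA-256 digest
// of a program image, as lowercase hex that can be printed and read out.
func ProgramHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// Mismatches compares the images found on a machine against the reference
// hashes published by Comelec and returns the names that differ or are missing.
// The reference list must come from outside the machine (the printed list handed
// to the BEI and poll watchers); a hash the machine reports about itself proves
// nothing if the machine's own software has been replaced.
func Mismatches(installed map[string][]byte, published map[string]string) []string {
	var bad []string
	for name, want := range published {
		image, ok := installed[name]
		if !ok {
			bad = append(bad, name+" (missing)")
			continue
		}
		got := ProgramHash(image)
		// Constant-time comparison, so the check itself leaks nothing about the digest.
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad) // deterministic order for printing and for comparison in tests
	return bad
}

func main() {
	// Constructed sample images (not real PCOS firmware): the approved build and one altered byte.
	approved := []byte("PCOS counting program, approved build (constructed sample)")
	altered := []byte("PCOS counting program, approved build (constructed sample)!")
	published := map[string]string{"pcos-count.bin": ProgramHash(approved)}
	fmt.Println(Mismatches(map[string][]byte{"pcos-count.bin": approved}, published)) // []
	fmt.Println(Mismatches(map[string][]byte{"pcos-count.bin": altered}, published))  // [pcos-count.bin]
}
```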
Protection of Transmitted Data: Immutability of Precinct Data

RA 9369, Section 19, Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."

Comelec Implementation Guide: ToR/RfP AES 2010
4. Counting, Consolidation and Generation of ER
4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER.
4.5 The BEI shall digitally sign and encrypt the internal copy of the ER (RA 8792; RA 9369).
Digital Signature / Secret Key
• A summary (hash value) of the ER encrypted using the BEI’s secret key.
• The digital signature serves two purposes:
  • It identifies the BEI personnel who signed the precinct ER
  • It ensures that the precinct ER is not modified in any way by dagdag-bawas

What Happens If Another Person Knows the Teacher's Secret Key?
• The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER again with the BEI's secret key.
• Only the person who has possession of the BEI's secret key can re-sign the ER.
• Any person who has possession of a majority of the BEIs’ secret keys can control the results of Election 2010.

Comelec's Error
Bid Bulletin No. 10 (2009/04/15): The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.

SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS
• In Smartmatic's financial proposal, Item 1.2.1.4 consists of 246,600 sets of 2048-bit private-public key pairs for BEIs (3 per PCOS) at a cost of PHP 0.00.
• The BEIs will be anonymous (not known by name), so that any teacher can sign in any BEI position.

Safeguards
• Comelec should ensure that the secret key of the teacher is known only to the teacher.
• The ER and its digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.
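An added example, not from the briefing and not the Smartmatic system, of the three situations the digital-signature slides above describe: the BEI's signature on the ER, the same signature after dagdag-bawas, and a re-signing by whoever holds the secret key. It uses Ed25519 from Go's standard library in place of the 2048-bit RSA key pairs in the proposal; the ER structure, precinct number and vote counts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ElectionReturn is a constructed, simplified precinct ER (not the SAES-1800 ER format).
type ElectionReturn struct {
	Precinct string         `json:"precinct"`
	Votes    map[string]int `json:"votes"`
}

// erDigest is the "summary (hash value)" that gets signed; encoding/json sorts map keys, so it is stable.
func erDigest(er ElectionReturn) []byte {
	b, _ := json.Marshal(er)
	sum := sha256.Sum256(b)
	return sum[:]
}

// SignER produces the BEI's digital signature over the ER digest with the BEI's secret key.
func SignER(priv ed25519.PrivateKey, er ElectionReturn) []byte {
	return ed25519.Sign(priv, erDigest(er))
}

// VerifyER checks, using only the BEI's public key, that ER and signature still belong together.
func VerifyER(pub ed25519.PublicKey, er ElectionReturn, sig []byte) bool {
	return ed25519.Verify(pub, erDigest(er), sig)
}

// Demo returns three verification results: the ER as the BEI signed it; the same ER after
// dagdag-bawas with the original signature still attached; and the altered ER re-signed by a key holder.
func Demo() (original, alteredOldSig, alteredResigned bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	er := ElectionReturn{"0001A", map[string]int{"Candidate X": 120, "Candidate Y": 95}}
	sig := SignER(priv, er)
	original = VerifyER(pub, er, sig)
	altered := ElectionReturn{"0001A", map[string]int{"Candidate X": 20, "Candidate Y": 195}}
	alteredOldSig = VerifyER(pub, altered, sig)                     // the old signature exposes the change
	alteredResigned = VerifyER(pub, altered, SignER(priv, altered)) // a key holder re-signs; verification cannot tell
	return
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

The last result is the point of the "secret key known only to the teacher" safeguard: signature verification detects modification of the ER, not misuse of the key that signed it.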
System Administration: He Who Controls the Technology Controls the Votes

System Administration
• The root user / system administrator or “super user” is a HUMAN who can issue any command available on the computer, normally to do system maintenance or to recover from failure.
• The root user can edit the precinct ERs if he has access to the secret keys, and so change the election results.

Safeguards
• Comelec should take enough precautions that a root user is not needed to manually interfere with the election programs.
• In case of a breakdown, all of the root user’s activities must be properly logged in publicly displayed audit and log files, in real time, to be scrutinized by poll watchers.
• The root user must not be allowed to log in from a remote / different location.
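An added example, not from the briefing and not the CCS/REIS software, of how the root user's log can be made tamper-evident so that poll watchers who read it in real time can later prove an entry was changed or removed: each line's hash chains to the previous one, and the watchers only need to keep the latest hash. Written in Go; the log format and the sample actions are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit-log line. Hash covers the entry's position, content and the previous
// entry's Hash, so the log forms a chain (constructed design, not the CCS/REIS log format).
type Entry struct{ Actor, Action, Hash string }

func entryHash(pos int, actor, action, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", pos, actor, action, prev)))
	return hex.EncodeToString(sum[:])
}

// Record appends an action, given the current tail hash, and returns the new log and tail.
// The tail is what poll watchers copy down from the public display in real time.
func Record(entries []Entry, tail, actor, action string) ([]Entry, string) {
	e := Entry{actor, action, entryHash(len(entries), actor, action, tail)}
	return append(entries, e), e.Hash
}

// VerifyChain recomputes every hash and checks that the chain ends at the tail the
// watchers recorded. It returns 0 if the log is intact, otherwise the 1-based position
// of the first edited, reordered or removed entry (len(entries)+1 if the end was cut off).
func VerifyChain(entries []Entry, knownTail string) int {
	prev := ""
	for i, e := range entries {
		if e.Hash != entryHash(i, e.Actor, e.Action, prev) {
			return i + 1
		}
		prev = e.Hash
	}
	if prev != knownTail {
		return len(entries) + 1
	}
	return 0
}

func main() {
	// Constructed sample session: three root actions, then entry 2 is rewritten after the fact.
	entries, tail := Record(nil, "", "root", "console login on CCS server")
	entries, tail = Record(entries, tail, "root", "restart canvassing service")
	entries, tail = Record(entries, tail, "root", "console logout")
	fmt.Println(VerifyChain(entries, tail)) // 0
	entries[1].Action = "edit ER for precinct 0001A"
	fmt.Println(VerifyChain(entries, tail)) // 2
}
```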
Transmission / Connectivity
• Transmission by cellphone: 72%
• Transmission by Internet: 10%
(CenPEG AES Research)
Public elementary schools have either no internet connection or a limited internet connection.

Reality in 45,255 public elementary schools
Power
• Stable – 84%
• Scheduled – 3%
• No report – 2%
• None – 11%
Internet
• Cellular – 72%
• Wired – 10%
• No report – 2%
• None – 16%

July 5, 2009, Smartmatic, “Dream polls for May 2010”: “ERs would be transmitted by cellular phone, landline or satellite at the end of voting hours…. There’ll be no more human intervention.”
Doomsayer?
September 16, 2009, Chairman Jose Melo …admits that Comelec is preparing for the conduct of manual polls in “30% to 50% of areas in the country,” specifically places that are prone to power failures and network transmission issues.

What happens if vulnerabilities are not addressed, and the safeguards prescribed in the law are not properly implemented?
Unless these valid issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to wholesale computerized cheating or a failure of elections.

Doomsaying or just PLAIN TRUTH? Transparency is the call of the times.

HOW YOU CAN HELP