Wednesday, January 16, 2013

Fooling us twice

Strategic Perspective
René B. Azurin
BusinessWorld
THERE IS an old saying, “Fool me once, shame on you; fool me twice, shame on me.” Well, shame on us for letting foreign supplier Smartmatic and our clearly complicit Commission on Elections fool us twice. Everything is now firmly in place for the faulty Smartmatic automated election system used in our 2010 polls to be used again in our 2013 elections. Unless something is done between now and the upcoming May polls to abort the Smartmatic-Comelec conspiracy, we (as a people) would have successfully made the transition from (possibly) mere naiveté to gross national stupidity. Is there something so seriously wrong with us that we won’t listen to anything more complicated than a cliché-riddled telenovela? Why don’t we hear what computer scientists and information technology experts are saying about the problems and flaws in Smartmatic’s system?
To recap what has transpired so far in this unfolding saga: i) Comelec has exercised its option to purchase 82,000 of Smartmatic’s PCOS [precinct count optical scanner] machines for 1.8 billion; ii) Comelec has given Smartmatic a 486 million contract to be in charge of the electronic transmission of election results; iii) Comelec has awarded Smartmatic a 154-million contract to supply 15,000 units of transmission modems; and iv) even if Smartmatic did not bid for it, Comelec has declared it the winning supplier in a 45-million contract to supply the 82,200 CF [compact flash] memory cards which will contain the instructions to the PCOS machines on how to read the ballots fed into them. It certainly looks like Smartmatic and its patrons at Comelec have covered all the bases leading to full control of Philippine elections.
In an intimately related development, Comelec has just announced in a formal resolution that it “resolves to again use the PCOS digital certificates to digitally sign the election returns for the May 13, 2013 National and Local elections.” What this means is that a machine-specific code will effectively serve as a “digital certificate”. What this means is that no Board of Election Inspectors member or Comelec representative will effectively “certify the results of the counting of national ballots from the precinct” (as required by RA 8436, the Election Modernization Act). What this means is that no election official can be effectively pinpointed as responsible for the accuracy or integrity of the precinct results transmitted simply because no one of these affixes his/her (digital) signature to these results. What this further means is that it will be impossible to authenticate the results sent or determine whether these were altered in any way during the process of transmission. What this finally means is that Smartmatic personnel (foreigners) — and not Comelec personnel (Filipinos) — will effectively exercise full and total control over our entire election process.
To explain (briefly), the “digital signature” is a special file — a “digital certificate” obtained from a trusted Certification Authority (like Verisign) — that permits the recipient of a message or document (like poll results) to verify the identity of the sender and then validate that the message or document has not been altered in any way by anyone else. Obviously, this is crucial in establishing the integrity and credibility of election results. The whole process is actually done through cryptographic codes that encrypt and decrypt data in a way that is unique to the sender. (Digital certificates are widely used in online banking, e-commerce, and other applications requiring security and confidentiality.)
In a Supreme Court ruling in connection with our “E-Commerce Act” (RA 8792), a “digital signature” refers to a key that effects “the transformation of an electronic document or an electronic data message… [so that] a person having the initial untransformed electronic document… can accurately determine… whether the initial electronic document had been altered after the transformation was made.” With the Comelec’s decision to use a so-called machine ID instead — as it unilaterally decided to do during the 2010 elections, over a howl of protest from IT experts and independent observers — the verification and validation that a personal digital signature provides will no longer be possible. No one will now be able to verify who actually sent a particular precinct result, whether it had been altered during transmission, and, indeed, whether it is at all accurate.
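As an added illustration (not part of the original column and not code from any election system), this Node.js sketch carries out the check described above: the recipient verifies who signed a precinct return and whether it was altered afterwards. The signer identifiers, the return format and the plain map of public keys standing in for CA-issued certificates are all constructed assumptions.

```javascript
// Added illustration; every key, identifier and tally here is constructed.
const crypto = require('node:crypto');

// Each signer (a named official or a device) holds its own Ed25519 key pair.
function makeSigner(id) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { id, publicKey, privateKey };
}

// Canonical byte encoding of a return, so signer and verifier use the same bytes.
function encodeReturn(ret) {
  const tallies = Object.keys(ret.tallies).sort()
    .map((name) => `${name}=${ret.tallies[name]}`).join(';');
  return Buffer.from(`precinct=${ret.precinct}|${tallies}`, 'utf8');
}

function signReturn(ret, signer) {
  const signature = crypto.sign(null, encodeReturn(ret), signer.privateKey);
  return { ret, signerId: signer.id, signature };
}

// Returns the identity the signature proves, or null when the check fails.
// `registry` maps signer id -> public key (stand-in for CA-issued certificates).
function verifyReturn(msg, registry) {
  const publicKey = registry.get(msg.signerId);
  if (!publicKey) return null; // no certificate on file for the claimed signer
  const ok = crypto.verify(null, encodeReturn(msg.ret), publicKey, msg.signature);
  return ok ? msg.signerId : null;
}

function demo() {
  const official = makeSigner('official:precinct-0001'); // hypothetical personal key
  const machine = makeSigner('machine:unit-0001');       // hypothetical device key
  const registry = new Map([official, machine].map((s) => [s.id, s.publicKey]));
  const ret = { precinct: '0001', tallies: { 'Candidate A': 120, 'Candidate B': 95 } };

  const byOfficial = signReturn(ret, official);
  const byMachine = signReturn(ret, machine);
  // One tally changed after signing: the signature no longer matches.
  const altered = { ...byOfficial,
    ret: { ...ret, tallies: { ...ret.tallies, 'Candidate A': 220 } } };
  // A device signature relabelled as the official's does not verify either.
  const relabelled = { ...byMachine, signerId: official.id };

  return [byOfficial, byMachine, altered, relabelled]
    .map((msg) => verifyReturn(msg, registry));
}

console.log(demo());
```

A return signed with the device key verifies, but the identity it proves is the device's, not that of any named official.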
It should be pointed out that, when Smartmatic salesman Cesar Flores (a Venezuelan) told the Joint Congressional Oversight Committee on the Automated Elections System that “everything that happens in the machine is digitally signed,” he clearly had no idea of what a digital signature is or what it does. That, of course, is understandable since Flores is a sociology student masquerading as an IT expert. Still, he pulls the wool over the eyes of most of our senators and congressmen. Fools them not just once but, apparently, every time he speaks. That’s some achievement, right?
It should be recalled that, in the post-election analysis of the May 2010 presidential polls, Al Vitangcol III, who has a master’s degree in computer science and is a certified “computer hacking forensic investigator,” reported that the Joint Forensic Team stated in its findings (dated June 9, 2010) that, “Examination of the PCOS machines revealed that there was no evidence to prove the existence of digital certificates in the PCOS machines, contrary to the claims of Smartmatic. The technicians of Smartmatic were not even able to show to the forensic team the machine version of the digital signature.” Another prominent IT forensic expert, also a member of the Joint Forensic Team, Drexx Laggui, said that an audit of the files on the Smartmatic machine’s main compact flash card showed that there were “no BEI keys with which to sign results.” He stressed, “Nothing was found to show that digital certificates were in the cards or in the machines.” At that time, Mr. Laggui smiled when he revealed that, when they were asked, “Hecber Cordova and Heider Garcia [of Smartmatic] assured us that there are digital certificates in the machines, it is just that they have no tools to extract them.” Oh my, they really like fooling us.
Philippine IT experts, academicians, and knowledgeable observers have been screaming about the demonstrated faults in the conduct of the May 2010 elections and about the inherent flaws in the Smartmatic system (whose software Smartmatic doesn’t actually own and now doesn’t even have a valid license to use). In one complaint, filed by the Philippine Computer Society under its then president Nelson Celis, the PCS charged Comelec and Smartmatic officials with the deliberate bungling of the 2010 polls and “illegal acts that caused irreparable damage to the government and ultimately to the Filipino people.” Among the specific charges was perjury, because these officials claimed in Congress, under oath, that “all PCOS machines had Digital Certificates as signatures when in fact the technicians of Smartmatic failed to show or present proof of the machine version of digital signatures.”
That PCS complaint also pointed out an even more serious breach of security, one that should be fatal. Contrary to the required contract specs and contrary to law, Smartmatic’s PCOS machines have a publicly accessible “controlling Console Port” which makes them unsecure and vulnerable to hacking, and which therefore “rendered the recent elections completely open to malicious control and fraud.” With such an open port, anyone with just a couple of minutes’ access to a machine can quickly insert a flash memory device into the port and introduce malicious code. Electronic dagdag-bawas, here we come. Smartmatic and its Comelec patrons won’t even talk about this.
It would be hard to believe that Comelec chairman Sixto Brillantes, Jr. and his minions are still being fooled by the huckster Flores. What is easy to believe is that Comelec is in cahoots with Smartmatic in pulling the wool over the Filipino people’s eyes. They fooled us in 2010; they have no reason to believe they cannot do it again in 2013. Shame on us, shame on us.
