An untransparent election

Strategic Perspective
By René B. Azurin
June 9, 2010
Posted by EU-CenPEG Project 30-30

With so many hands having fondled the memory cards and the voting machines, how can anybody still know what "fingerprints" were actually on them? Further, with all the potentially useful security features of the poll automation exercise disabled, there may now be little we can do except concede that electronic cheating was done and admit that we will never be able to establish the extent of such cheating. The Filipino public has effectively been forced to accept whomever Comelec/Smartmatic says won the recent elections and move reluctantly on.

Before and after May 10, access to the flash memory cards and the PCOS voting machines was acquired variously by assorted Smartmatic personnel, Comelec officials, logistics companies’ personnel, city or municipal treasurers, technical personnel, election officials, and who knows who else. That’s just too many potential "perpetuators." It should be emphasized (again) that even a few minutes’ access to these memory cards and voting machines would have allowed a "hacker" to introduce malicious code that can change the reported election results and then remove traces of such alterations even from audit log files.

Smartmatic Asia-Pacific head Cesar Flores likes to insist that nothing could have been done with the memory cards and voting machines "without the audit logs showing this." This is a claim that is not true even in theory, much less in practice. Indeed, modifying audit logs is made easier when a particular software system has inherently weak security features. Which seems to be the case in the Smartmatic system. This is clear from the report submitted by US software testing company, SysTest Labs, who was commissioned by Comelec to review and certify the suitability of Smartmatic’s Election Management System software code. In the section covering "Audit Functionality" in its Certification Test Report (dated Feb. 9, 2010), SysTest Labs reported, "The reviewer was unable to find adequate evidence of logging of a run of test ballots. The VVSG [voluntary voting system guidelines] requires that the auditing log contain a record of the number of test ballots sent, when each ballot was sent, the machine from which the ballots were sent, and the specific votes or selections contained in the ballots. The SysTest reviewer was unable to verify the existence of specific reference to the logging of any of these items."

Additionally, "The reviewer was unable to verify that the identity of the contacted wireless device was logged when the resident device made a connection. The reviewer was also unable to find any function that logged the disconnection of the wireless device. Specific functions involved in the disconnection were found and examined, and it was determined that these functions did not include the logic required to log their activities." I should point out that, if disconnections are not logged, subsequent transmissions from a particular PCOS machine can be made to appear to have come from a previous user. This muddies the so-called "audit trail." SysTest Labs noted that the aforementioned findings are "an impediment to an accurate re-creation of election actions, should the need arise." This finding contradicts Mr. Flores’s confident assertions on the audit logs.

SysTest Lbs also found that "The EMS does not provide measures to protect against tampering during maintenance activities.... In at least one instance, an audit log was able to be moved [sic] without an alert or stoppage of the system." This is significant. Also significantly, "Numerous instances were found in which the display of error, informational, or confirmation messages presented to the user, and the user responses to those messages, were not logged." Clearly, the audit features in Smartmatic’s software leave much to be desired.

Although SysTest Labs eventually arrived at the (rather weakly stated) final conclusion that it "does not find reason to preclude the AES voting system as being suitable for use as an electronic election system for the Republic of the Philippines," it found (and reported) numerous errors and weaknesses in the Smartmatic automated election system. For example, "Multiple instances were found in the code where data was written to buffers with insufficient safeguards against potential buffer overflow.... If more data is written or copied into those buffers than they can hold, the data overflows and overwrites the values in adjacent memory locations.... If done maliciously and cleverly, this can result in manipulation of the program or its contained data." In fact, buffer overflow is one of the common means hackers use to induce errors that allow an intruder to gain control of a computer system.

Here’s another example: "Numerous instances of database transactions being explicitly committed even in the event of database operations’ failure have been observed. The pattern of miswritten exception handling and erroneous transaction termination logic is so widespread that it appears that the system authors used an incorrectly written template for such source code logic, and that the incorrectly written aspects of the template have resulted in potential exception handling errors everywhere that the template may have been used."

SysTest Labs’ report on the weaknesses of Smartmatic’s automated election system inevitably raises the suspicion that Comelec was deliberately trying to cover up the shortcomings of its favored supplier when it severely limited the time available and placed unreasonable restrictions on local IT experts asking to review Smartmatic’s source code.

It also makes Comelec’s actions to disable or discard -- over the strong objections of technical experts -- important security features even more suspect. In a notable example, the security safeguard of providing the members of the Board of Election Inspectors in each polling place a digital signature was disabled. Instead, Comelec allowed Smartmatic to replace these personal digital signatures with machine signatures -- that the BEI members could not change -- and this effectively prevents the pinpointing of personal responsibility for the transmission of a particular set of election results from a specific PCOS machine. It also gives certain Smartmatic and Comelec personnel -- those with the right digital keys -- full access to all the machines in the country and thus the power to modify data or transmissions. That’s a lot of power, worth billions of pesos in potential value.

Personally, I am convinced that there was a deliberate effort to muck up these first-ever automated elections. This conviction is reinforced by i) Comelec’s suspiciously late testing of the memory cards (thus triggering an eve-of-the-election need to "replace and reconfigure" 76,000 of them), and ii) Comelec’s complete botching of the prescribed "random manual audit." The former cleverly allowed the "perpetuators" to do their dastardly deeds in full view of the public. The latter prevented observers from (at least) statistically validating the reported electronic election results. In effect, we have just been through an untransparent election, one in which we have no way of knowing what the results actually were. Citizens’ groups who have been -- correctly -- critical of Comelec and Smartmatic for their seemingly deliberate bungling of the poll automation process must now prepare and file the appropriate cases against certain Comelec and Smartmatic officials because there is strong indication that a monstrous crime has been committed by them against the Filipino people. All the self-congratulatory talk of a "well conducted" automated election should be dismissed as mere ululations of a pernicious kind.