I volunteered as an IT consultant for CenPEG, the Center for People Empowerment in 
Governance.  This is an NGO, and it is engaged in a project to document and 
analyze the computerized 2010 elections.  CenPEG is not against 
computerization. It is in favor of computerization, provided that appropriate 
safeguards are put in place to minimize possibilities of cheating. The CenPEG 
project has a website:

http://www.aes2010.net/

This website is under development, so please expect new things to be added from 
time to time.

CenPEG itself has a website: http://www.cenpeg.org/.


I write to PLUG for two reasons:

1. Comelec has approved CenPEG's request to do a source code review of the
election programs (counting program on the PCOS machine, and canvassing program 
on the CCS/BOC machine).  CenPEG has obtained commitments from some computer 
science departments of schools to help with the actual source code review.  I 
am hoping that some Linux programmers in PLUG would volunteer some of their 
free time to this very important civic activity. In the ARMM elections of 2008, 
Comelec did not do a source code review (which is their duty under RA-9369) 
citing "lack of time" as primary reason for not doing this.  If we do not do a 
source code review, we will never know what the election computers are doing, 
and we will always be in the dark.

2. Comelec knows very little about Linux security on the PCOS and CCS machines. 
 It has been reported that in the ARMM elections of 2008, the root user logged 
in from remote (possibly Manila) to manually enter the canvass data in one of 
the municipalities of ARMM.  This is illegal and constitutes subversion of the 
will of the people.  I have been preparing a list of Linux system 
administration security checks which CenPEG will propose to Comelec.  I hope 
and pray that PLUG will contribute to this checklist.

TO GUIDE YOU AND HELP YOU DECIDE WHETHER YOU WANT TO HELP, THE TWO KINDS OF 
COMPUTERS THAT WILL BE USED ARE DESCRIBED BELOW: 

The fully computerized 2010 elections will actually use two kinds of computers: 
(1) the precinct count optical scan machines (PCOS), and (2) the Board of 
Canvassers' (BOC) canvassing and consolidating system (CCS) machines that will 
be used for canvassing at the municipal, provincial, national, and 
congressional levels.  

The PCOS machines will be placed at the precincts, where up to five traditional 
precincts (or up to 1000 voters) will be clustered to use one PCOS machine. 
Each voter is given a paper ballot, where he shades the oval next to the name 
of his chosen candidate using a felt-tip pen.  He then inserts this paper ballot 
into the scanner of the PCOS machine; the PCOS machine creates a tiff image of 
his ballot, analyses this tiff image to determine the candidates that were 
selected by the voter, and adds one vote each to the appropriate candidates, 
except in the case of over-voting, where no candidate receives a vote. Then the 
tiff image is saved in (non-volatile) memory.  When everyone has voted or at 
six PM, whichever comes first (if you are already within some perimeter of the 
precinct at six PM, you are allowed to vote beyond six PM), the list of 
candidates and the total votes obtained by each one is computed in a document 
called the Precinct Election Return (ER).  Eight copies of the ER are printed 
on 2.25 inch thermal paper tape 
(claimed by Smartmatic to last 5 years), manually signed by the BEI teachers 
(Board of Election Inspectors), and given to some eight recipients. Then the 
BEI teachers digitally sign (using their SSL secret keys) the softcopy ER, a 
USB 3G/HSDPA modem is attached to the PCOS machine, and the ER is transmitted 
via the Internet via public carriers to the appropriate 
municipal/provincial/national/congressional canvassing computers. Then 22 more 
copies of the ER are printed on the thermal printer to be given to 22 
additional recipients.

At the municipal canvassing computer, the digital signature on the ER is 
decrypted using the BEI's SSL public key and compared against the SHA1 hash 
value of the ER payload, to confirm that the ER came from an authorized PCOS 
computer, and to ascertain that the ER payload has not been tampered with. On 
passing the hash value check, the ER is included in the canvassing.  When the 
ERs from all the precincts included in the municipality have all been 
transmitted and included in the canvass, the Statement of Votes (SOV) and the 
Certificate of Canvass (COC) are printed (so many copies), the softcopy SOV and 
softcopy COC are digitally signed by the members of the BOC, and then 
electronically transmitted to the next higher level (provincial BOC) for 
further canvassing, etc.

What HW/SW are the PCOS and canvassing computers?

1. The PCOS machine runs embedded uClinux, and a special purpose election 
program, also embedded.  All the PCOS machines run the same program.  Each PCOS 
machine becomes usable for a particular country by customization to determine 
how votes are assigned, what of the 16 shades of gray constitutes a vote, etc.  
Each PCOS machine becomes usable for a particular precinct in the country by 
configuration to determine who the candidates are in that precinct, what is the 
location of each candidate on the ballot face, etc.  Customization and 
configuration are done using an Election Management System (EMS) program that 
employs Election Mark-Up Language (EML). The EMS program extracts info from the 
Comelec databases, and saves the customization and configuration data on CF 
cards. One CF card is assigned per PCOS machine. The PCOS machine does not have 
a hard disk, and I believe that it uses non-volatile memory.

I believe that minimal cheating can happen with the PCOS machines, since they 
use a minimally configured embedded uClinux, and an election program that is 
also embedded.  No computer HW/SW manufacturer will intentionally make 82,000 
computers and burn into flash memory a defective election program that will 
allow cheating, when there is a big probability of recall should this defect be 
discovered.

2. The canvassing machines are off-the-shelf computers (during testing, 
Smartmatic used laptops), probably desktop Intel PCs, since these are cheaper 
than Intel laptops. They run some Linux distro, and the actual election 
canvassing program is a web application (REIS v2.0), probably running under 
Apache.  During the testing conducted by the SBAC (Special Bids and Awards 
Committee of the Comelec) on May 28, 2009, I observed that the URL on the 
browser is http://localhost/someElectionAppName.  I asked the techie guy who 
was helping out during the testing to open an xterm and issue the command "ps 
ax".  I saw one java process running, so I guess this must be the connection to 
the network, a Java thread for each incoming precinct ER.

(to be continued)
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
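
The check described for the municipal canvassing computer (recover the digest from the signature with the signer's public key, then compare it with the SHA1 hash of the ER payload), as an added example that is not part of the original post and not the election system's code. The key is a constructed toy textbook-RSA key without padding, and the ER payload format and all function names are assumptions.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes give a 234-bit modulus,
# just large enough to hold a 160-bit SHA-1 digest. Never use keys like this.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def sha1_int(payload: bytes) -> int:
    """SHA-1 digest of the payload as an integer."""
    return int.from_bytes(hashlib.sha1(payload).digest(), "big")


def sign_er(payload: bytes, d: int = D, n: int = N) -> int:
    """Signer side: apply the private exponent to the digest."""
    return pow(sha1_int(payload), d, n)


def verify_er(payload: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Canvassing side: recover the digest with the public key and compare."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == sha1_int(payload)


def demo() -> dict:
    # Constructed ER payload; the real ER format is not given in the post.
    er = b"precinct=0001;candidateA=412;candidateB=388"
    sig = sign_er(er)
    tampered = er.replace(b"candidateA=412", b"candidateA=912")
    # A second constructed key stands in for a signer the canvasser does not trust.
    n2 = (2**127 - 1) * (2**89 - 1)
    d2 = pow(E, -1, (2**127 - 2) * (2**89 - 2))
    return {
        "genuine": verify_er(er, sig),
        "tampered_payload": verify_er(tampered, sig),
        "unknown_signer": verify_er(er, sign_er(er, d2, n2)),
    }


if __name__ == "__main__":
    print(demo())
```

A passing check shows only that the holder of the matching private key signed exactly these bytes; it says nothing about whether the counts inside the payload are correct.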
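
One check that could go on the proposed checklist, prompted by the remote root login reported in the post; this is an added example, not part of the original message. It assumes remote access is through OpenSSH with its usual syslog `Accepted ...` lines, reads only the global section of `sshd_config`, and uses a constructed host name, accounts, addresses and log lines.

```python
import ipaddress
import re

# OpenSSH success line as written to syslog (auth.log or secure).
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def permit_root_login(config_text):
    """Return the effective PermitRootLogin value, or None if it is unset."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()  # sshd keeps the first value it reads
    return None


def remote_root_logins(log_lines):
    """List (timestamp, method, source) for root logins from another host."""
    hits = []
    for line in log_lines:
        m = ACCEPTED.search(line)
        if not m or m.group("user") != "root":
            continue
        try:
            local = ipaddress.ip_address(m.group("src")).is_loopback
        except ValueError:
            local = False  # a logged host name is treated as remote
        if not local:
            hits.append((line[:15], m.group("method"), m.group("src")))
    return hits


# Constructed samples: host name, accounts and addresses are made up.
SAMPLE_CONFIG = "# PermitRootLogin no\nPermitRootLogin yes\n"
SAMPLE_LOG = [
    "May 10 19:05:11 ccs01 sshd[2211]: Accepted password for operator from 192.0.2.10 port 50122 ssh2",
    "May 10 19:42:07 ccs01 sshd[2302]: Accepted password for root from 203.0.113.7 port 41822 ssh2",
    "May 10 19:50:30 ccs01 sshd[2310]: Accepted publickey for root from 127.0.0.1 port 41990 ssh2",
    "May 10 20:01:02 ccs01 sshd[2333]: Failed password for root from 203.0.113.7 port 41830 ssh2",
]

if __name__ == "__main__":
    print("PermitRootLogin:", permit_root_login(SAMPLE_CONFIG))
    for hit in remote_root_logins(SAMPLE_LOG):
        print("remote root login:", hit)
```

The checklist item passes only when `permit_root_login` returns `no` and `remote_root_logins` returns an empty list for the election period.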
