
Automated Election System

The Challenge: Meaningful Poll Watching

By Angel “Lito” S. Averia, Jr.
Prepared for the Center for People Empowerment in Governance (CenPEG)

Automated Election System Concerns
• Operations
• Cheating
• Fraud
• Sabotage

Operational Problems with OMR

Valid ballots that were crumpled, folded (to fit in the size of the ballot box) and those that contained unnecessary markings or smudges as well as those lightly shaded ballots were rejected, which slowed down the counting.

CAC Report on the 2008 ARMM Elections


Operational Problems with OMR

The number of ballots to be counted per ACM was not as it was projected. There are discrepancies in the counting of ballots between those who actually voted with results counted. An example of this was experienced in one of the precincts of Shariff Kabunsuan where the actual number of voters is 371 but the machine counted only 276, there was a discrepancy of 95 ballot papers. But, after the BEIs conducted a recount the machine counted 365.

CAC Report on the 2008 ARMM Elections

Operational Problems with OMR

Incidents of over voting in some precincts that used OMR, such as Bumbaran, Lanao del Sur, were also encountered because of BEIs voting in their assigned precincts. In these cases the result was invalidated (treated as zero) and COMELEC had to override it.

CAC Report on the 2008 ARMM Elections

Operational Problems with OMR

The Counting and Canvassing System (CCS) was not programmed to accommodate failure of elections in some municipalities, such as Balindong, Lanao del Sur and Basilan, thus the machine had to be shut down to force the system to close the counting. There were incidents wherein the system would not close the counting and canvassing since it showed that it didn’t count 100% of the total votes from all the precincts though all precincts were able to count the votes.

CAC Report on the 2008 ARMM Elections

Operational Problems with OMR

Some ACMs to include laptops and printers overheated, stopped functioning and had to be re-started.

CAC Report on the 2008 ARMM Elections


Operational Problems with OMR

Constant paper jamming (of the OMR Ballots).

CAC Report on the 2008 ARMM Elections


Operational Problems with OMR

The attached full 196-key Keyboard in the ACM is open to programming intrusion.

CAC Report on the 2008 ARMM Elections


Operational Problems with OMR

During the results transmission phase after the closing of the election, it was observed that problems were encountered by the supplier involving the data communication infrastructure. Specifically, it was reported that in the areas of Buluan, Pagagawan, Talayan and Shariff Aguak, the BEIs had to personally bring the USB flash drive to their respective canvassing centers due to total transmission failure. This incident holds true for several areas in Maguindanao.

CAC Report on the 2008 ARMM Elections

Operational Problems with OMR

The supplier admitted that they used an untried and untested private network that was only installed too close to the Election Day. Not only did this delay the transmission but also compromised the integrity and security of the AES.

CAC Report on the 2008 ARMM Elections

Operational Problems with OMR

Another cause of delay in the consolidation and transmission process was the physical transportation of the OMR ballots to the counting centers. The printing of 30 copies of the election returns of each precinct and counting center also slowed down the canvassing and transmission process, which in turn inconvenienced the BEIs of queuing to wait for their turn before their ballots could be counted and canvassed.

CAC Report on the 2008 ARMM Elections


2008 ARMM Elections
• The previously listed problems were experienced in the 2008 ARMM Elections
• The 2008 ARMM Elections involved an estimated 1.2mn voters in approximately 5,600 precinct clusters

Replication at Nationwide Scale
• The foregoing listed problems could recur during the 2010 national elections if the COMELEC fails to put in place the necessary safeguards

The Election Process

A Comparison of the Traditional Process and the Automated Process

Machines & Infrastructure
Traditional:
• None
Automated:
• Precinct Count Optical Scan (PCOS)
• Canvassing Computers
• Central Server
• Telecommunications devices and network
• Software

Machines & Infrastructure
• Machines could be rigged
  - PCOS and Canvassing Computers: A program or software could be embedded into firmware (burned into EPROM) which can be installed on the motherboard of the PCOS and/or Canvassing Computers. The embedded program or software could include hard data or randomly generate votes to favor a certain candidate. The firmware could be installed before the machines are shipped out of the manufacturing facility or before the machines are sealed days before the elections.

Machines & Infrastructure
• Machines could be rigged:
  - The PCOS and Canvassing Computers are basically computers
  - Computers have central processing units (CPU)
  - In the CPU is a program called the BIOS or Basic Input/Output System
  - A malicious code designed to manipulate the results of the count or canvassing to favor a certain candidate could be embedded in the BIOS.

Machines & Infrastructure
• Machines could be rigged
  - Mitigation: Review/audit of the hardware before sealing. This would, however, require highly skilled hardware engineers to review the equipment circuitry.

Machines & Infrastructure
• Software Program Components
  - Imaging
  - Optical mark reader
  - Counting
  - Printing
  - Signing
  - Encryption
  - Transmission
  - Canvassing

Machines & Infrastructure
• Software Program Components
  - Different, rigged versions of the software that will create the image of the ballot, count the votes, and prepare the ER could be loaded in 80,000 PCOS units.
  - General software failure
  - Software component failure

Machines & Infrastructure
• Software Program Components
  - Mitigation: inspection and testing of each PCOS unit. However, it will be a Herculean task to check all 80,000 PCOS units to determine if the same software is deployed.
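
One way to make the "same software" check mechanical, as an added example that is not part of the original presentation: hash the software image read from each unit and compare it with the digest of the reviewed build. The unit IDs, byte strings and function names are constructed for illustration, and how an image is read out of a PCOS unit is an assumption the presentation does not cover.

```python
import hashlib
from collections import defaultdict

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def audit_deployment(reference_image, inventory, unit_images):
    """Compare the software image read from each unit with the reviewed build.

    inventory   -- every unit ID that is supposed to be checked
    unit_images -- unit ID -> image bytes read from that unit by the auditor
    """
    reference = sha256_hex(reference_image)
    variants = defaultdict(list)          # digest -> units carrying that image
    for unit_id, image in unit_images.items():
        variants[sha256_hex(image)].append(unit_id)
    matching = sorted(variants.pop(reference, []))
    return {
        "reference": reference,
        "matching": matching,
        # Grouping by digest shows whether deviating units share one variant.
        "deviating": {d: sorted(u) for d, u in variants.items()},
        # A unit that was never read is unverified, not clean.
        "unchecked": sorted(set(inventory) - set(unit_images)),
        # Units that reported but are not in the inventory.
        "unknown": sorted(set(unit_images) - set(inventory)),
    }

# Constructed sample: short byte strings stand in for software images.
REVIEWED = b"reviewed-build-image"
INVENTORY = ["PCOS-0001", "PCOS-0002", "PCOS-0003", "PCOS-0004", "PCOS-0005"]
IMAGES = {
    "PCOS-0001": REVIEWED,
    "PCOS-0002": b"altered-image",
    "PCOS-0003": REVIEWED,
    "PCOS-0004": b"altered-image",
}
REPORT = audit_deployment(REVIEWED, INVENTORY, IMAGES)

if __name__ == "__main__":
    for key in ("matching", "deviating", "unchecked", "unknown"):
        print(key, REPORT[key])
```

The comparison is only as trustworthy as the way the image is obtained: a digest reported by the unit's own software proves nothing if that software is the thing being questioned.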

Ballot
Traditional:
• Elective positions and blank line(s) for each elective position.
Automated:
• Names of candidates for each elective position are printed on the ballot. Across the name of each candidate is a figure (oval or square) which will be shaded by the voter.

Ballot
• Potential Problem:
  - If the pre-printed ballots are pre-filled, there is no way to detect if one and the same person pre-filled the ballots.
  - The pre-filled ballots may be “read” or scanned by the PCOS before the PCOS is sealed with the connivance of the technical personnel
  - Or, before opening of polls with the connivance of the BEI

Ballot
• Mitigation: At initialization of the PCOS, it should be demonstrated that no images are stored in the PCOS.
  - Note: The RFP requires a function to show that all vote counters are zeroed. But nothing in the RFP requires the execution of a function to show that there are no ballot images stored in the PCOS.

Pre-Poll-Opening Activities
Traditional:
• Preparation of election paraphernalia
Automated:
• Preparation of election paraphernalia
• Breaking of seal of the PCOS
• Powering up the PCOS
• Execution of the initialization function

Pre-Poll-Opening Activities
• Problems
  - No seal
  - Seal broken
  - Failure to power up
    - No power
    - Defective UPS or power supply
  - Failure of the initialization function

Poll Open – 7am to 6pm
• PCOS Unit Failure
  - Malfunction due to:
    - Overheating
    - Component shutdown (no power)
    - Machine or any component “hangs”
• Mitigation:
  - Rugged testing prior to election day
  - Backup plan
  - Procedures to employ
  - Escalation

Pre-Poll-Opening Activities or Poll Open – 7am to 6pm
• Machine or component failure:
  - Backup unit delayed
  - What is COMELEC action?

Voting
Traditional:
• Voter writes the names of candidates per elective position
Automated:
• Voter marks the figure across the name of his selected candidate

Voting
• Problems
  - Over-voting (votes will be disregarded for the affected position only)
    - Note: Under-voting is allowed
  - Smudges
  - Crumpling of ballot
• Mitigation:
  - Voter education

Casting
Traditional:
• Voter folds the ballot and drops it into the ballot box
Automated:
• Voter “feeds” the ballot into the PCOS
• If PCOS is integrated with ballot box, ballot is automatically dropped into ballot box
• If PCOS and ballot box are independent units, voter drops the ballot into the ballot box

Casting
• Problem
  - PCOS rejects or does not “read” the ballot
  - Cause for rejection
    - Crumpled or folded
    - Overly smudged
    - Fake
    - Machine failure
• Mitigation – voter education
  - Not to crumple or fold ballot; avoid smudging
  - Accept ballots only from BEI
• Machine Failure: COMELEC should institute actions to be taken by BEI and Tech Support

Counting
Traditional:
• Manual count, stick counting. Guided by the Rules on Ballot Appreciation, a member of the BEI shall read the name of the chosen candidate for a particular position. Another member shall record by stick mark (taras) the vote for a particular candidate on the tabulation form posted on the wall of the precinct while the third member of the BEI records the vote for a particular candidate on the Election Return (ER).
Automated:
• PCOS count. A function in the Precinct Count Optical Scan (PCOS) will be executed by the BEI after closing of polls. The count shall be done internally and without public view/review of the ballots.
• PCOS program component will “read” the marks on the ballot in order to count the votes.

Counting
• Counting is away from public view. If the hardware/software is rigged, the result of the machine count may not be faithful to a hand/manual count.
• The program to “read” the marks could “misread” the marks. Or it could be designed to actually “misread” the marks.

Counting
• Mitigation: hardware/software audit prior to deployment to 80,000 PCOS units and another 2,000 PCOS units that will serve as backup. Ensure same software copy is deployed.

Election Return
Traditional:
• The ER is prepared manually in seven copies. The ER is signed and thumbprints affixed.
• A copy of the ER is posted on the wall of the precinct.
• The rest of the copies of the ERs are distributed accordingly.
Automated:
• The ER is prepared using the PCOS.
• First eight (8) copies of the ER are printed and signed and thumbprints affixed.
• The electronic copy of the ER is digitally signed and encrypted.
• A copy of the printed and signed ER is posted on the wall of the precinct.

Election Return
• Problems
  - ER is prepared/generated by PCOS
  - Printout could be different from ER copy stored in PCOS
  - RFP does not specify a way to verify
  - Printing failure
• Mitigation
  - Testing and pre-audit of PCOS

Transmission
Traditional:
• The ballots and ER are placed in the ballot box. The ballot is then transported to the City or Municipal Board of Canvassers.
Automated:
• The ER, precinct statistical report, and PCOS audit logs shall be transmitted electronically to various destinations, including but not limited to the city/municipal Computerized Canvassing System (CCS), central server, and various parties.

Transmission
• Assurance that the transmitted copy is the same as those earlier printed and manually signed then posted on the precinct door?
• Mitigation: immediate posting on a publicly accessible website. Poll watchers can then immediately download the web copy and compare with the one posted on the precinct door.
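
The comparison a poll watcher would make between the posted ER and the web copy, sketched as an added example that is not part of the original presentation. The record layout, precinct ID, candidate names and tallies are all constructed assumptions, not an official election-return format.

```python
# Constructed sample returns; field names and layout are assumptions made
# for this example only.
_COUNCILOR = {"seats": 2, "votes": {"Candidate C": 300, "Candidate D": 250,
                                    "Candidate E": 150}}
POSTED = {"precinct_id": "CP-0001", "ballots_cast": 400, "contests": {
    "Mayor": {"seats": 1, "votes": {"Candidate A": 200, "Candidate B": 180}},
    "Councilor": _COUNCILOR}}
WEB = {"precinct_id": "CP-0001", "ballots_cast": 400, "contests": {
    "Mayor": {"seats": 1, "votes": {"Candidate A": 230, "Candidate B": 180}},
    "Councilor": _COUNCILOR}}

def check_copy(label, er):
    """Internal check on one copy: votes in a contest cannot exceed
    ballots cast times the number of seats being filled."""
    findings = []
    for name, contest in er["contests"].items():
        limit = er["ballots_cast"] * contest["seats"]
        total = sum(contest["votes"].values())
        if total > limit:
            findings.append(("overcount", label, name, total, limit))
    return findings

def compare_returns(posted, web):
    """List every field where the ER posted at the precinct and the copy
    downloaded from the website disagree, then sanity-check each copy."""
    findings = []
    for field in ("precinct_id", "ballots_cast"):
        if posted[field] != web[field]:
            findings.append(("mismatch", field, posted[field], web[field]))
    for name in sorted(set(posted["contests"]) | set(web["contests"])):
        p = posted["contests"].get(name, {}).get("votes", {})
        w = web["contests"].get(name, {}).get("votes", {})
        for cand in sorted(set(p) | set(w)):
            # None on one side means the candidate is missing from that copy.
            if p.get(cand) != w.get(cand):
                findings.append(("mismatch", f"{name}/{cand}",
                                 p.get(cand), w.get(cand)))
    return findings + check_copy("posted", posted) + check_copy("web", web)

if __name__ == "__main__":
    for finding in compare_returns(POSTED, WEB):
        print(finding)
```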

Transmission
• Problem
  - Inability to establish connection
  - Failure to transmit
  - Poor or no telecommunications infrastructure present in the locality

Transmission
• Problem
  - Signal interception or data hijacking. This would require sophisticated actions. The window is tight. Data shall be transmitted to multiple destinations at (almost) the same time. If signal interception or data hijacking is successful, spurious data could be injected.

Canvassing
Traditional:
• Manual tallying and preparation of SOV and COC at each level
Automated:
• Canvassing computers at each level shall tally the votes and shall be used to generate the SOV and COC.

Canvassing
• Problem:
  - Canvassing software could be rigged such that votes for a particular candidate could be padded or shaved.

Certification of Results

Certification
• BEI and BOC cannot certify to the correctness/accuracy (ER, SOV, COC) of the results/reports generated by the PCOS and Canvassing Computers
• BEI and BOC can only certify that the printouts are generated by/from the machines

Security Threat

Remember Estonia!
Web War I
• Estonia: World’s most wired nation
• April 27, 2007: Cyber attack
  - Denial of Service Attack
  - Attack came from various servers from South America, Europe, Asia
  - Swamped the websites of Estonia’s private and public organizations

Denial of Service Attack
• An attack similar to the Estonia attack could be launched on May 10, 2010 and paralyze the telecommunications infrastructure thus preventing the transmission of the Election Returns, PCOS audit logs, and precinct statistical data.

Physical and Environmental Security

Protection of the PCOS Units
• Problem: somebody could/might/attempt to physically hack or pour liquid on the PCOS units (prior to or on election day).
• Mitigation:
  - Store PCOS in secure room.
  - On election day, limit number of people who have direct access to PCOS
  - BEI and watchers should be watchful of movements of voters

Environment
• Power outage (or blackout) on election day.
• Natural disaster – flash flood, heavy downpour

The Poll Watcher

Role of the Poll Watcher
• Role of poll watcher in guarding the vote count is mooted
• Poll watcher is limited to observing and contesting actions of BEI and/or BOCs

Challenge
• No way to protest / challenge a ballot
• Undefined protest procedure in the automated environment

Electoral Protest
BIG QUESTION

HOW?

Evidence

The Ballot as Evidence
• The ballot is a traditional document
• The ballot image may not be treated as an electronic document. The ballot image is produced from a traditional document.
• The ballot box cannot be opened unless there is a protest and the electoral tribunal authorizes its opening.

The PCOS and Canvassing Computers as Evidence
• Contents of the machines need to be analyzed
  - Need for digital forensic analysis
• Electronic Discovery
  - No rules on electronic discovery

Center for People Empowerment in Governance
• NASSA-CBCP Forum
• May 11, 2009
• CenPEG Policy Critique of the Automated Election Systems Project of the COMELEC

Salamat Po!

Lito S. Averia
litoa@phcert.org
lito.averia@gmail.com

Concerns
• What if COMELEC fails to test all 82,000 PCOS units, 1,632 municipal canvass machines, 70+ provincial canvass machines, 70 central servers, 70 backup central servers?
• What if COMELEC fails to review source code or allow any third party to review the source code?

Concerns
• What happens if transmission is not tested?