The Technical Violations Of Smartmatic-tim Aes Contract From Transparentelections.org

The Technical Violations of the SMARTMATIC-TIM AES Contract to RA 9369

By: Ma. Corazon M. Akol Transparentelections.org.ph

1. Digital Signature – Sections 22, 25 & 30

Sec. 25:

• The Bid Bulletin No. 10 dated 27 April 2009 of COMELEC also contained the following clarifications : • Question/Issue: The Consolidation and Canvassing System shall allow the BOCs to digitally sign all electronic results and reports before transmission. Please specify your requirements for the digital signature. Answer/Clarification : The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by COMELEC.

Digital Signature Required By Law The Omnibus Election Code or Batas Pambansa 881 (BP881) mandates that the election returns be signed by the Board of Elections Inspectors (BEI) and the certificate of canvass be signed by the Board of Canvassers (BOC). Republic Act 9369 mandates that the election returns and certificates of canvass be digitally signed prior to transmission for these election reports to be used to proclaim the winning candidates. The RFP for the Automated Election System for the 2010 National Elections, as clarified in Bid Bulletin No. 10, required digital signing as one of the features. The Smartmatic PCOS and CCS do not have the proper hardware and software for digital signing of the election documents ( ER, SOV, COC, etc) by authorized members of the BEI and BOC as required in the Law and the Comelec Terms of Reference, specifically, the Smart- CardReader – Writers nor programs to support the smart cards for digital signing

The reply by COMELEC Consultant, Mr. Renato Garcia on the issue of the missing Digital Signature: “ During final project implementation and customization of the system, En Banc decided based on the Advisory Council recommendation that the machine digital signatures, the BEI Chairman iButton and the 2 BEIs passwords were sufficient authentications for the transmittal of ERs and COCs, compliant w RA9369. Personal digital signature systems were not locally available and the government had not at that time established the structure and system for accreditation and certification. To use Verisign at $25 per BEI for example would not provide official local authentication. The cost at that time was outrageous. The BEIs were also unprepared and would be required to enter their selected encrypted personal PINs, which personal digital signatures would then have to be configured into each machine 3 months before election. Today, personal digital signature applications are being piloted by DOST and may cost less than $5 per BEI. Since DEPED appointments of BEIs are made only a few months before election (subject to frequent changes up to election day), this today remains an operational challenge. ”

However, Smartmatic’ s claim of using the machine digital signature was discredited by both the Systest Labs Report and the Joint Forensic team organized by the National Canvassing Board. According to the Systest Labs Source Code Review – “no trace of any encryption using SSL (Secure Socket Layer) , therefore no digital signing” In the Forensic Team Report: • “Absence of Machine Digital Signatures.” • “Examination of the PCOS machines revealed that there was no evidence found to prove the existence of digital certificates in the PCOS machines, contrary to the claims of Smartmatic. The technicians of Smartmatic were not able to show to the Forensic Team the machine version of the digital signature, alleging that they do not have the necessary tool to show the same. More so, they were at a quandary as to how to extract the said machine signatures – to the dismay of the forensic team.” • “If there are digital certificates then these were supposed to be revealed. The forensic team tried to extract the digital signatures but to no avail. Hence, the forensic team is of the opinion that there exists no digital signature in the PCOS machine.”

• Upon careful review of the Financial portion of Smartmatic-TIM’s Bid, there were no Funds allocated for the digital signature. It can be concluded that Smartmatic –TIM had no intentions of complying with the requirements of RA 9369 and the RFP/TOR issued by COMELEC Therefore the Contract entered into by COMELEC with Smartmatic-TIM should have been nullified.

How then can an invalid Contract be again renewed for another similar Project – in clear violation of the Procurement Act stated in RA 9184

2. Voter Vote Verification - Section 6 (e) and (n)

This feature, although available in the PCOS model used in the U.S. was not included in the PCOS used in the Philippines.

3. Source Code Review – Section 14 .

This mandatory law provision addresses transparency and integrity requirements. Although COMELEC with much long-drawn hesitation allowed this, the procedure imposed was not free and unfettered as it should be. The reason could be because the owner of the Technology was Dominion Voting of Canada. CenPEG uncovered a “License Agreement between Smartmatic International Corporation and Dominion Voting Systems” dated April 4, 2009. Essentially, Dominion Voting Systems, owner of the software that would be implemented and used with the PCOS machines granted to “Smartmatic a non-exclusive license, except for the Republic of the Philippines, which shall be exclusive, to use and manufacture hardware, software and firmware using Dominion’s Licensed Technology x x x “. The Licensed Technology includes, among others, “All relevant technology owned by Dominion required to market, sell and implement PCOS technology (including all current and future versions of them), specifically inclusive of PCOS hardware, all software and firmware resident on the hardware, and EMS software, including Democracy Suite EMS and Democracy Suite Image Cast PCOS. The License Agreement further declares, “all related technology and related IP remains the sole property of Dominion”.

In IT industry practice, a License Agreement is understood to refer to a running of executable code (not the source code) of software that will be implemented with a hardware. Since Dominion, under the License Agreement, retained ownership of the software, Smartmatic had no authority to disclose the source code of the EMS and PCOS software for review by interested political parties or groups.

Proof of this is the Dominion website which claims to have done the Philippine Elections. http://www.dominionvoting.com/field/philippines

4. Certification of Source Code Review : Sec. 11

Non-certification that the Source Code reviewed is one and the same as that used by the equipment before and after the Final Testing and Sealing of PCOS Machines on May 3, 2010

5. Fake Ballot Detection

The Law mandates an automatic and machine-effected, not a humanly performed , detection mechanism of fake ballots by the PCOS as the voted ballot is submitted for scanning. This feature was disabled due to the problems encountered when the System was tested. Apparently, during the ballot printing stage, there was a reported massive splatter of the UV ink due to the uncontrolled vibrations of a second-hand printer provided by Smartmatic. The fallback solution to use manual UV scanners was at best done in the field by 50% of the BEIs. So there is a possibility that fake ballots could have entered the System.

6. COMELEC Website

All Internet-transmitted municipal and provincial COCs and SOVs to the public access website were made available for public viewing at the link: http://electionresults.comelec.gov.ph on May 10,2010, and after several weeks was removed. However, a group of IT Experts made a mirror image of this website for analysis. This mirror website is available at http://curry.ateneo.net/~ambo/ph2010/electionresults/index2.html A study of the COMELEC public access website reveals evidence of large scale transmission errors. Of the total of 76,472 precinct ERs, we have counted (using computer programs to count) the following: Precincts that have no ERs, possibly due to transmission failure Precincts that have too few voters (0-10), possibly FTS ERs Precincts that have normal (> 10) number of voters

8,939 11.7% 371 0.5% 67,162 87.8%

Total number of precinct ERs counted

76,472 100.0%

The disturbing fact is that of the 67,162 precincts with normal number of voters, 25,888 precincts or 38.5% have missing data in one or more candidate positions.

A normal ER, but with no data in one, two, or three candidate positions, possibly because of partial failure of transmission, looks like this:

7. Date & Time Stamps

Varying Timestamps On Election Returns: Discrepancies between time and dates stamps of the audit logs of the PCOS machines and that of actual transmission were noted in many Election Results. Examples would be in the protest Cases of Former Rep. Glen Chong of Biliran and Mayor Lito Atienza of Manila. A record of these ERs are also included in the CenPEG and NAMFREL Post Election Reports.

8. Technical Evaluation Committee Certification

A very critical transparency requirement is the certification of the system as to its integrity. The Certification for the AES 2010 was incomplete and conditional since it carried with it a long list of compensating controls-conditionalities (to qualify as certified) which in the end were not in fact satisfied. NEVER HAS THERE BEEN A CONDITIONAL CERTIFICATION FOR MISSION CRITICAL AUTOMATION SYSTEMS. A CERTIFICATION IS A BINARY STAMP, EITHER THE SYSTEM PASSES OR FAILS CERTIFICATION. THERE IS NO SUCH THING AS A CONDITIONAL CERTIFICATION FOR USE. IF THE SYSTEM WAS FOUND TO HAVE SERIOUS FAULTS THEN IT SHOULD NOT BE USED IN A BINDING ELECTION. THE SYSTEM HAD SERIOUS DEFECTS BUT STILL COMELEC USED THE SYSTEM IN SUCH A NATIONAL MISSION-CRITICAL SYSTEM AS THE PRESIDENTIAL ELECTIONS OF 2010. THIS ACTION COMPLETELY DEFEATED THE VERY RATIONALE OF PUTTING THE CERTIFICATION PROVISION IN RA 9369 AND IS THEREFORE A BLATANT LAW VIOLATION. Seven components were not certified: five of them are either critical or very critical to the integrity of the system. The very critical components are the central server system and the ballot production tool. One with medium criticality is the back-up central server system. The two critical components not certified are the election system DNS server and the PCOS modem firmware. The remaining two non-critical components that were not certified are the public website and the KBP server systems. Even if all the compensating controls were put in place and tested before election day, the 7 components above should have barred the issuance of certification.

In the end, the system used on election day was uncertified and therefore illegal. Due to the need to change the CF cards in the field a few days before Election Day, it was impossible to do re-certification (which is a mandatory need) in the few days before Elections.

9. Security of the System

Unsecured Communication Port During the demonstration conducted at the Smartmatic Warehouse in Cabuyao, Laguna, an unsecured communication port was found in each PCOS machine used during the demo. The unsecured communication port allowed another computer to be connected to the PCOS machine. The PCOS machine could be accessed directly using the computer connected to it without need to enter a username-password combination or any type of access challenge. The unsecured communication port offers an opportunity for tampering of the software and data in the PCOS machine.

Violations of RFP-TOR 1. CF Cards- Not WORM Technology From Bid Bulletin No. 10: Question/Issue: Can the Comelec provide clarification on what Comelec deems “closed” with respect to the removable storage device Answer/Clarification: The storage device should not allow anymore writing of data after one back-up operation.

• This refers to the capability of the medium-: Write Once, (to prevent writing on the medium again and thus making it tamper-proof) and Read as Many Times as needed.(WORM )…Obviously the CF cards were not WORM Technology.

2. PCOS Scanning Accuracy-99.995% Bid Bulletin No. 10 Question/Issue: In total, how many ballots should the vendor provide for each precinct in the technical evaluation, and should these ballots be blank, or should they be voted in any particular pattern Answer/ Clarification: For the demo system, the bidder shall provide the number of ballots needed to show 20,000 marks. Please take note that “at least 99.995%” accuracy rating will be evaluated as I error from 20,000 marks. In addition the bidder must provide 1,100 blank ballots. Except for the 1,100 blank ballots, the ballots for the demo system following the Demo Model shall be pre-accomplished manually by the bidder prior to the conduct of the Systems Evaluation. Apparently the certification that all the units of PCOS machines delivered had 99.995% accuracy rating was not done. The report of PPCRV and Comelec in the Random Manual Audit was 99.6%.

3. Marks Allowed X and Check Question/Issue: If the ballots will be manually marked by a committee, what are the criteria for judging whether a given mark should be interpreted as a vote for the specified candidate in relation to mark characteristics such as mark density and percentage of of target filled by the mark. Answer/Clarification: The machine should be able to recognize a check mark, an X mark, a full shading of at least 50% coverage as a valid vote.

Smartmatic changed the specs and did not allow the X and check marks but just accepted the shading of the ovals .