Vulnerable elections (1): Memory cards
by Prof. Giovanni Tapang, PhD
Posted on 04 May 2010
With the May 2010 presidential elections coming in only two months, citizens' groups have raised their concerns regarding the conduct of the first nationwide automation of our elections. Groups such as the anti-fraud and election monitoring group Kontra Daya have called on the Commission on Elections (Comelec) to “walk the talk” regarding its claim that all systems are in place for the Automated Election System (AES) and only an earthquake can stop the May 2010 elections.
Other groups are now busy preparing to monitor the conduct of the elections. Yesterday marked the launch of Project 30-30 of the Center for People Empowerment in Governance (CenPeg) and its partner organizations with the European Union. Project 30-30 seeks to mobilize civil society groups and grassroots in monitoring and safeguarding against cheating and fraud with regard to the automated election system. There will be a series of voters’ education and training activities around the country to provide information and knowledge about the elections in general and the AES in particular. During election time, there will be an international observers mission as well as election monitoring watch teams that will be deployed to observe and report on the conduct of the elections. Working together with the CenPeg are the National Council of Churches in the Philippines, the Council for People’s Development and Governance, the Computer Professionals’ Union (CPU), the Health Alliance for Democracy (HEAD) and the National Union of Peoples’ Lawyers.
Even with the involvement of various sectors, there is still much to be worried about. Problems that have cropped up during field tests and mock elections still have to be addressed by the Comelec. There are also the thirty (and more) vulnerabilities that CenPeg and groups like the AESWatch have raised on the conduct and design of the automated election system. Issues like the lack of transparency and the climate of impunity continue to be prevalent in many places in the country.
As mentioned before, the CenPeg has pointed out more than 30 vulnerabilities in the AES. Among these are issues regarding the source code, the integrity of the counting machines and the procedural weaknesses of the AES as currently implemented by the Comelec. We’d like to raise our concern about one more possible vulnerability that has not been thoroughly pointed out in previous analyses of the AES.
In the AES, a Precinct Count Optical Scan (PCOS) machine reads in the long ballot filled out by a voter. This PCOS machine is equipped with a program (the firmware) to read and tally the votes (supposedly built from an audited and tested source code) and deployed to more than 76,000 clustered precincts nationwide. As each precinct has a different set of local candidates, each of these clustered precincts should be configured differently from the rest.
How will this configuration be accomplished? The PCOS machine has a memory card, specifically a CompactFlash (CF) card, where the data for the local candidates is stored and also where the election data during and after the voting exercise is stored. As such, the first possibility is that the configuration data might be incorrect. Swapping the configuration for one precinct with another will, at the minimum, result in the miscounting of local election results. There should be a way to verify that the configuration files in the memory card are for the correct precinct.
Anybody with a digital camera is familiar with the frailties of the memory cards and the security of their pictures. Pull out the memory card from the camera and your pictures can be corrupted. The same can happen in PCOS machines. The stored files (from the configuration to the results of the elections) can also be corrupted if one pulls the CF card from the machine.
Additional programs and pre-tallied results can also be written onto the CF card before the elections and be executed by the PCOS machine when it is turned on. For many electronic devices such as cameras and cellular phones, using a memory card is how manufacturers update the firmware after the device has already been sold to the customers. The CF card has more than enough space to accommodate more than the data from the count, including an errant firmware update or, worse, an election result that is already pre-cast for someone to win.
Even if interested groups were allowed to audit and test the source code for the original firmware of the PCOS, we will not be able to check the new firmware’s integrity if it is delivered through the memory cards. The Comelec should provide a way for poll watchers and other interested groups such as Kontra Daya to verify the integrity of the memory cards before they are used in the PCOS machines.
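One way such a check could work, shown as an added example that is not part of the original column or of the AES itself: a poll watcher compares every file on a mounted card against a per-precinct list of SHA-256 digests and reports altered, missing and unlisted files. The manifest format, file names and precinct numbers are assumptions made for illustration; the column does not describe the card's actual layout.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_card(card_root, manifest, expected_precinct):
    """Compare a mounted card against a manifest; an empty list means it matches."""
    findings = []
    if manifest["precinct"] != expected_precinct:  # manifest is for another precinct
        findings.append(("WRONG_PRECINCT", manifest["precinct"]))
    on_card = {}
    for dirpath, _, names in os.walk(card_root):
        for name in names:
            full = os.path.join(dirpath, name)
            on_card[os.path.relpath(full, card_root).replace(os.sep, "/")] = sha256_file(full)
    for rel, digest in manifest["files"].items():
        if rel not in on_card:
            findings.append(("MISSING", rel))
        elif on_card[rel] != digest:
            findings.append(("MODIFIED", rel))  # e.g. another precinct's configuration
    # Anything not listed is suspect: extra programs, firmware updates, pre-loaded results.
    findings += [("UNEXPECTED", rel) for rel in on_card if rel not in manifest["files"]]
    return sorted(findings)

def write_files(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def demo():
    """Constructed sample: a reference card for precinct 0001 and an altered copy."""
    good = {"config/candidates.dat": b"slate for precinct 0001", "config/ballot.def": b"layout"}
    bad = dict(good)
    bad["config/candidates.dat"] = b"slate for precinct 0002"   # swapped configuration
    bad["update/firmware.bin"] = b"unlisted payload"            # file the manifest never listed
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as card:
        write_files(ref, good)
        write_files(card, bad)
        manifest = {"precinct": "0001",
                    "files": {rel: sha256_file(os.path.join(ref, rel)) for rel in good}}
        return audit_card(ref, manifest, "0001"), audit_card(card, manifest, "0001")
```

The manifest has to reach watchers through a channel independent of the card, since anyone able to alter the card could otherwise alter the list it is checked against.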
This will be the first of a series of columns on the vulnerabilities related to the Automated Election System. Dr. Tapang is the chairperson of AGHAM. His group was founded in 1999 and is not running in the 2010 elections.