AES Technical Briefing

Date post: 30-May-2018
Upload: blogwatchph

Transcript
8/14/2019 AES Technical Briefing

Automated Election System: Does automation = clean elections?

Possible Problems: Preliminary Results

Technical Briefing, AES2010 Policy Study Team

Dean's Office, College of Law, University of the Philippines, and Center for People Empowerment in Governance (CenPEG)


    INTRO

The AES 2010 Policy Study Team

One-year project under the Dean's Office, UP College of Law, aimed to:

Determine whether technologies for the 2010 elections are tamper-free, will be used feasibly and without any manipulation, and will ensure transparent, clean and fair elections;

Determine the capabilities, resources, and preparations of the Comelec and other related agencies as they play their pivotal roles in the automated national elections of 2010.


    Technical study team

    Election management study team

    Legal study team

    Research teams

What is AES?

"A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process."

Public perception of the AES

It would lead to clean elections

Cheating would be impossible in an automated election

AES System

Election Management System (EMS)

Election Markup Language (EML)

Precinct Count Optical Scan (PCOS) System: Precinct Machine

Consolidation / Canvassing System (CCS): BOC Computer

SMARTMATIC AUTOMATED ELECTION SYSTEM (SAES 1800)

PCOS Machine

SAES 1800: Precinct Count Optical Scan / Optical Mark Reader (OMR)

Detects the absence or presence of a mark in predefined positions on a form.

SAES 1800 Components

Thermal Printer: 2-1/4 inch roll paper, rated to last 5 years

Input / Output Ports: CF card reader, UTP Ethernet port, USB (disabled), RJ11 modem port

Digital Scanner: 4-bit mono scanner, 16 shades of gray

Display: touch screen, mono-color, quarter VGA (320x240 pixels)

Ballot Box

Cast and Return buttons: disabled

RF Key

Processor and Memory: not specified

Compact Flash (CF) Card
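The reader's decision rule in working form, as an added example rather than anything from the briefing or from Smartmatic: a Go program that inspects predefined oval positions in a constructed 4-bit (16-level) scan, counts the pixels darker than an ink cut-off, and classifies each oval as filled, blank or ambiguous. The pixel values, oval coordinates and both thresholds are assumptions chosen for the example; they show how a faint half-shaded mark and a two-pixel stray smudge land in an ambiguous band where a single hard cut-off would either credit or discard them, which is the mis-crediting risk later slides raise.

```go
package main

import "fmt"

// Scan is a 4-bit monochrome scan: each pixel is a gray level 0..15
// (0 = black, 15 = white), matching the "16 shades of gray" listed for the
// SAES 1800 scanner. The ballot below is constructed for this example.
type Scan [][]uint8

// Oval is a predefined position on the form that the reader inspects for a
// mark: a rectangle of pixels in scan coordinates.
type Oval struct {
	Name       string
	X, Y, W, H int
}

// Darkness returns the fraction of the oval's pixels that count as ink,
// i.e. whose gray level is strictly below the `dark` cut-off.
func Darkness(s Scan, o Oval, dark uint8) float64 {
	inked := 0
	for y := o.Y; y < o.Y+o.H; y++ {
		for x := o.X; x < o.X+o.W; x++ {
			if s[y][x] < dark {
				inked++
			}
		}
	}
	return float64(inked) / float64(o.W*o.H)
}

// Verdict classifies an oval from its darkness. Anything between the two
// thresholds is "ambiguous": a mark that a single hard cut-off would either
// credit or discard, which is where mis-crediting of marks comes from.
func Verdict(darkness, blank, filled float64) string {
	switch {
	case darkness >= filled:
		return "filled"
	case darkness <= blank:
		return "blank"
	default:
		return "ambiguous"
	}
}

// Read runs the reader over every oval and returns oval name -> verdict.
func Read(s Scan, ovals []Oval, dark uint8, blank, filled float64) map[string]string {
	out := make(map[string]string, len(ovals))
	for _, o := range ovals {
		out[o.Name] = Verdict(Darkness(s, o, dark), blank, filled)
	}
	return out
}

// paint sets a rectangular region of the scan to one gray level.
func paint(s Scan, x, y, w, h int, level uint8) {
	for yy := y; yy < y+h; yy++ {
		for xx := x; xx < x+w; xx++ {
			s[yy][xx] = level
		}
	}
}

// SampleBallot builds a constructed 20x12 scan with four 4x4 ovals:
// A fully shaded, B untouched, C a light-gray mark covering only half the
// oval, D an otherwise blank oval with a two-pixel stray smudge.
func SampleBallot() (Scan, []Oval) {
	s := make(Scan, 12)
	for y := range s {
		s[y] = make([]uint8, 20)
		for x := range s[y] {
			s[y][x] = 15 // white paper
		}
	}
	ovals := []Oval{
		{"A", 2, 4, 4, 4},
		{"B", 8, 4, 4, 4},
		{"C", 14, 4, 4, 4},
		{"D", 2, 8, 4, 4},
	}
	paint(s, 2, 4, 4, 4, 1)  // A: solid, dark pencil
	paint(s, 14, 4, 4, 2, 9) // C: faint gray, top half only
	paint(s, 2, 8, 1, 2, 3)  // D: stray smudge, two pixels
	return s, ovals
}

func main() {
	s, ovals := SampleBallot()
	for _, dark := range []uint8{8, 12} {
		fmt.Printf("ink cut-off < %d: %v\n", dark, Read(s, ovals, dark, 0.10, 0.60))
	}
}
```

With the ink cut-off at 8 the faint mark in C is invisible to the reader and the oval is reported blank; raising the cut-off to 12 makes the same oval ambiguous. Nothing on the ballot changed, only a constant inside the program, which is why the voter needs to see the machine's interpretation and why the program itself needs review.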

Ballot Boxes with Transparent Panels

Compartments in the ballot box (behind transparent panels): invalid ballots, valid ballots

Software Specifications:

Operating System: embedded uClinux

Possibly with uClibc

Possibly with GNU core utilities

Licensed under the GNU General Public License (GPL) open source licensing scheme

Voting Flow using PCOS - OMR

1. BEI inserts physical key into PCOS machine to power it
2. BEI inserts CF card into PCOS machine to configure it
3. BEIs type passwords to initialize the machine (zero votes)
4. Voter fills up and feeds ballot into the machine
5. BEIs close poll and print ER
6. BEI attaches external modem to access internet connection
7. BEIs digitally sign electronic ER, which gets transmitted to municipal, provincial and national servers
8. Canvassing

Configuring the Machine (figures: the Smartmatic CF card; inserting the card)

Initialization (figures: initialization; initialization report)

Voting (figures: sample ballot; feeding the ballot into the machine)

Voting (figure: ER with results)

Election Return and Transmission of Votes (figures: ER certification; external modem)


    CANVASSING LEVELS

    Data Flows

Consolidation / Canvassing System (CCS): Real-Time Electoral Information System (REIS)

Operating System: GNU/Linux

Software possibly written in a server-side web programming language (e.g. Java)

Cities/Municipalities: Input: ERs from precincts

Provincial/Congressional: Input: Statement of Votes and Certificate of Canvass from cities/municipalities

National: Congress canvasses the President and Vice President contests; Comelec canvasses the Senators and Party List contests. Input: Statement of Votes

PCOS Machine (counting): SAES 1800

CCS Server (canvassing): REIS


    30 VULNERABILITIES

    Pre-election * Election * Canvassing * Proclamation

6 Vulnerabilities On Voting Day

Failure modes plotted against the voting-day steps:

Hardware failure: start-up or boot failure
Hardware/software failure; no backup units
Failure to accept password
Wrong CF card inserted
Failure of initialization function
Machine has stored ballot images already
Wrong program installed
Pre-marked legitimate ballots might be fed
Legitimate ballots rejected
Reading/scanning ballots from another precinct
Voter cannot verify if ballot is read/scanned correctly
Paper jam
Misreading of ballots; mis-crediting of marks; erroneous counting
Failure of function to close polls (pre-marked ballots can still be inserted)
Printer fails
Signing/encryption/transmission failure
Failure to accept password
Connectivity failure

The steps:

1. BEI inserts physical key into PCOS machine to power it
2. BEI inserts CF card into PCOS machine to configure it
3. BEIs type passwords to initialize the machine (zero votes)
4. Voter fills up and feeds ballot into the machine
5. BEIs close poll and print ER
6. BEI attaches external modem to access internet connection
7. BEIs digitally sign electronic ER for transmission
8. Canvassing


    5 MAJOR TECH ISSUES

    Software and Data Integrity

Highlights of Technical Concerns

Verifiability of Voter's Choice: Machine Interpretation of Ballot

Program Correctness: Review of Source Code

Program Integrity Verification

Protection of Transmitted Data: Digital Signatures

System Administration: Root Users / System Administrators

Voter's Choice Verifiability

"Provide the voter a system of verification to find out whether or not the machine has registered his choice." [Article 7 (n) of RA 9369]

Voter's Choice Verifiability

No sufficient mechanism for voter's choice verifiability.

Safeguard: Comelec has to enable the feature of the SAES-1800 that will show how the PCOS machine interpreted the ballot.

Program Correctness

RA 9369 requires Comelec to subject the source code to review by all interested parties.

Source Code

Human-readable version of the computer programs running on the PCOS and BOC computers.

Will reveal whether the counting and canvassing are done properly, and prove that the PCOS and CCS programs follow RA 9369 and the COMELEC ToR.

(Figure: an illustration of Java source code with prologue comments indicated in red, inline comments indicated in green, and program code indicated in blue.)

Safeguard

Reviewed and approved source code -> machine executable format -> burned into each PCOS machine / installed in the CCS

Program Integrity Verifier

How can we know that the approved source code is installed?

Program Integrity Verification

The hash (one line of numerical value) verifies that the approved program is installed in each PCOS machine / CCS.

The hash (integrity verifier) of the approved programs should be printed.


    Safeguard

Comelec should subject the approved program to a hash verifier function.

Provide the BEIs, political parties and poll watchers the hash value.

On election day, the hash value of the program installed in each PCOS machine should be printed during the initialization stage.

If the values are different from the hash value of the approved program, the wrong program was installed in the machine.
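One way to build the hash verifier the safeguard calls for, as an added example that is not Comelec's or Smartmatic's code: per-file SHA-256 hashes of the installed program, a sorted manifest, a single image hash that can be printed at initialization and handed out, and a comparison against the approved values that reports modified, missing and extra files. The file names and contents are constructed for the example; the choice of SHA-256 and of a per-file manifest is the example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Image is the set of files that make up the program installed on one
// machine, keyed by path. Contents here are constructed for the example;
// a real verifier reads them off the CF card or flash with a reader that
// the machine itself does not control.
type Image map[string][]byte

// FileHashes returns the hex SHA-256 of every file, keyed by path.
func FileHashes(img Image) map[string]string {
	out := make(map[string]string, len(img))
	for path, data := range img {
		sum := sha256.Sum256(data)
		out[path] = hex.EncodeToString(sum[:])
	}
	return out
}

// Manifest is the printable "one line per file" form of the hashes, sorted
// by path so that two images with the same contents print identically.
func Manifest(img Image) string {
	hashes := FileHashes(img)
	paths := make([]string, 0, len(hashes))
	for p := range hashes {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s  %s\n", hashes[p], p)
	}
	return b.String()
}

// ImageHash collapses the manifest into the single value that can be
// printed at initialization and handed to BEIs, parties and poll watchers.
func ImageHash(img Image) string {
	sum := sha256.Sum256([]byte(Manifest(img)))
	return hex.EncodeToString(sum[:])
}

// Verify compares an installed image against the approved hashes and lists
// every file that is modified, missing or unexpected. Hash strings are
// compared in constant time so the check leaks nothing about partial matches.
func Verify(installed Image, approved map[string]string) (bool, []string) {
	var problems []string
	got := FileHashes(installed)
	for path, want := range approved {
		have, present := got[path]
		switch {
		case !present:
			problems = append(problems, "missing: "+path)
		case subtle.ConstantTimeCompare([]byte(have), []byte(want)) != 1:
			problems = append(problems, "modified: "+path)
		}
	}
	for path := range got {
		if _, expected := approved[path]; !expected {
			problems = append(problems, "unexpected: "+path)
		}
	}
	sort.Strings(problems)
	return len(problems) == 0, problems
}

// ApprovedImage is the reviewed build (constructed contents).
func ApprovedImage() Image {
	return Image{
		"bin/pcos-count":   []byte("count ballots; credit marks; print ER\n"),
		"etc/precinct.cfg": []byte("precinct=0001\ncontests=3\n"),
	}
}

// TamperedImage is the same build with one byte of the counting program
// changed and an extra program dropped in.
func TamperedImage() Image {
	img := ApprovedImage()
	prog := append([]byte(nil), img["bin/pcos-count"]...)
	prog[len(prog)-2] = 'r' // "print ER" -> "print Er": a single-byte change
	img["bin/pcos-count"] = prog
	img["bin/helper"] = []byte("not in the reviewed source\n")
	return img
}

func main() {
	approved := FileHashes(ApprovedImage())
	fmt.Print("approved manifest:\n", Manifest(ApprovedImage()))
	fmt.Println("approved image hash:", ImageHash(ApprovedImage()))
	ok, problems := Verify(TamperedImage(), approved)
	fmt.Printf("tampered image: ok=%v %v\n", ok, problems)
}
```

The caveat a verifier has to respect: a hash that the PCOS software prints about itself is only as trustworthy as that software, because a tampered program can simply print the approved value. The printed check has evidential weight only when the image is read and hashed by something the machine does not control (for instance the CF card in a separate reader before it is inserted) and when the approved value reaches the poll watchers through a channel other than the machine.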


    Protection of Transmitted Data

    Immutability of Precinct Data

RA 9369, Section 22, Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."

Comelec Implementation Guide: ToR/RfP AES2010

4. Counting, Consolidation and Generation of ER

4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER.

4.5 The BEI shall digitally sign and encrypt the internal copy of the ER.

Digital Signature / Secret Key

A summary (hash value) of the ER encrypted using the BEI's secret key, that is, signed with the private half of the BEI's key pair. The digital signature serves two purposes:

Identifies the BEI personnel who signed the precinct ER.

Ensures that the precinct ER is not modified in any way by dagdag-bawas (vote padding and shaving).

What Happens If Another Person Knows the Teacher's Secret Key?

The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER (again) with the BEI's secret key.

Only the person who has possession of the BEI's secret key can re-sign the ER.

Any person who has possession of a majority of the BEIs' secret keys can control the results of the 2010 election.
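The signing scheme from the Digital Signature / Secret Key slide and the key-compromise scenario above, as an added Go example that is neither the deck's nor the vendor's code. The deck does not name the algorithm; the example assumes RSA PKCS#1 v1.5 with SHA-256 over a constructed canonical form of the ER, with constructed precinct tallies. It shows that the BEI's original signature fails on a padded ER, and that anyone holding the BEI's private key produces a signature over the padded ER that verifies exactly as well as the genuine one: the signature proves possession of the key, not that the named teacher signed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// ER is a precinct election return. Tallies here are constructed.
type ER struct {
	Precinct string
	Votes    map[string]int
}

// Canonical serialises the ER in a fixed order (sorted candidate names) so
// that identical tallies always hash identically. The format is an
// assumption of this example, not the AES's own ER format.
func (er ER) Canonical() []byte {
	names := make([]string, 0, len(er.Votes))
	for n := range er.Votes {
		names = append(names, n)
	}
	sort.Strings(names)
	s := "precinct=" + er.Precinct
	for _, n := range names {
		s += fmt.Sprintf(";%s=%d", n, er.Votes[n])
	}
	return []byte(s)
}

// SignER is the "hash of the ER encrypted with the secret key" from the
// briefing: SHA-256 over the canonical ER, signed with RSA PKCS#1 v1.5.
func SignER(priv *rsa.PrivateKey, er ER) ([]byte, error) {
	h := sha256.Sum256(er.Canonical())
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyER checks the signature against the signer's public key.
func VerifyER(pub *rsa.PublicKey, er ER, sig []byte) bool {
	h := sha256.Sum256(er.Canonical())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// DagdagBawas returns a copy of the ER with n votes shaved from one
// candidate and added to another, leaving the original untouched.
func DagdagBawas(er ER, from, to string, n int) ER {
	out := ER{Precinct: er.Precinct, Votes: make(map[string]int, len(er.Votes))}
	for k, v := range er.Votes {
		out.Votes[k] = v
	}
	out.Votes[from] -= n
	out.Votes[to] += n
	return out
}

// Scenario runs the three cases from the slide and returns whether each
// verifies: (genuine) the ER as signed by the BEI, (tampered) a padded ER
// presented with the original signature, (resigned) the padded ER re-signed
// by someone who holds the BEI's private key.
func Scenario() (genuine, tampered, resigned bool, err error) {
	bei, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit, as in the bid
	if err != nil {
		return
	}
	er := ER{"0001", map[string]int{"Candidate A": 120, "Candidate B": 95}}
	sig, err := SignER(bei, er)
	if err != nil {
		return
	}
	genuine = VerifyER(&bei.PublicKey, er, sig)

	padded := DagdagBawas(er, "Candidate A", "Candidate B", 30)
	tampered = VerifyER(&bei.PublicKey, padded, sig)

	sig2, err := SignER(bei, padded) // the attacker uses the leaked key
	if err != nil {
		return
	}
	resigned = VerifyER(&bei.PublicKey, padded, sig2)
	return
}

func main() {
	g, t, r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine ER, BEI signature:     ", g)
	fmt.Println("padded ER, original signature: ", t)
	fmt.Println("padded ER, re-signed:          ", r)
}
```

Verification cannot distinguish the re-signed ER from the genuine one, which is the whole point of the slide: the scheme is only as strong as the custody of the private key. In a deployment that honours the safeguard, the key pair is generated on, and never leaves, a device in the BEI member's own hands, and the verifying side also checks which public key is bound to which precinct, since a valid signature under the wrong teacher's key is worth nothing.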

Comelec's Error

Bid Bulletin No. 10 (2009-04-15): "The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec."

SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS

In Smartmatic's financial proposal, Item 1.2.1.4 consists of 246,600 sets of 2048-bit private-public key pairs for BEIs (3 per PCOS) at the cost of PHP 0.00. The BEIs will be anonymous (will not be known by name) so that any teacher can sign in any BEI position. This can only mean that Smartmatic itself will generate the key pairs, and so Smartmatic will have all the private keys.

Safeguards

Comelec should ensure that the secret key of the teacher is known only by the teacher.

The ER and digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.

System Administration

He Who Controls Technology, Controls the Votes

System Administration

The root user / system administrator or super user: a human who can issue any command available on the computer, normally to do system maintenance or to recover from failure.

The root user can edit the precinct ERs if he has access to the secret keys, and change the election results.

Safeguards

Comelec should have enough precautions so that a root user is not needed to manually interfere with the election programs.

In case of a breakdown, the root user's activities are all properly logged in publicly-displayed audit and log files in real time to be scrutinized by poll watchers.

The root user must not be allowed to log in from a remote / different location.

What will happen if issues are not addressed?

Unless these issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to computerized cheating or failure of elections.


    HOW YOU CAN HELP

Area: Tasks

Source Code Review: System Administration, Keys and Cryptography, Data Communications and Processing, Event Handling

IT Research: Related Literature and Technology

Geographical Information System: Research, Encode

Website Development: Content management

Media and Publicity: Multimedia content production and design

Administrative: Transcription

Contact Information

Project Office: AES Policy Research Office, 3rd Flr. (UP Law Library), UP College of Law (Malcolm Hall)

Contact No: 029299526 / 09064924266

Email: [email protected]

AES Website: http://www.aes2010.net

CenPEG: http://www.cenpeg.org

