Comelec’s Decision To Delay Review Of Source Code Questioned

by Marya Salamat

MANILA – The last-minute, unverified disclosure of the source code by the Dominion Voting Systems (DVS) to the Philippine Comelec failed to reassure election watchdog AES Watch that the votes this coming May 13 would be properly counted. On the contrary, IT experts from the election watchdog grew more alarmed.

Bobby M. Tuazon, co-convener of AES Watch, said the supposed disclosure of the source code by Dominion only bolsters their contention that both Comelec and Smartmatic are liable for automating the elections of 2013 without a source code. “The last-minute disclosure of the source code even if true will not extricate Comelec and Smartmatic from legal liability,” Tuazon said.

The supposed release of the source code less than a week before the elections constitutes a violation of RA 9369, the law on automated elections. Section 12 of RA 9369 says: “Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof.”

When Comelec decided last year to re-use the Smartmatic-marketed technology – against opposition of the broad-based AES Watch and Kontra-Daya, which found Smartmatic unreliable in the 2010 elections – the source code should also have been revealed immediately. That way, Tuazon said, political parties and other interested groups, as a matter of right, could have conducted an independent review of the software.

Now, barely a week before elections, the said source code was allegedly released to the Comelec. Worse, its illegal tardiness is further aggravated by Comelec chairman Sixto Brillantes’ “arbitrary decision that the review will have to wait till after the May 13 elections,” Tuazon said.

Which source code is it? Under what kind of license?

Dr. Pablo R. Manalastas, IT fellow of the Center for People Empowerment in Governance (CenPEG) and AES Watch co-convener, asked which source code was released to Comelec? If, for example, it happens to be a version of Dominion’s PCOS computer program used in the 2010 Philippine elections, there were bug fixes requested by Comelec from Smartmatic as a condition for purchasing the PCOS under the OTP provision of the 2009 contract.

“There were more than 40 bug fixes (or enhancements, using the words of Smartmatic) requested by Comelec, but these bug fixes were never acted upon because of the court battle between Smartmatic and Dominion in the Court of Delaware,” Manalastas said.

Until now, this legal battle between technology owner Dominion and its Philippine licensee and system integrator Smartmatic is reportedly still ongoing. Manalastas warned that in all likelihood then, “the PCOS binary program that will be used in the May 13, 2013 elections retains all the bugs of the 2010 binary program, plus all the bugs added by the 2011 ARMM binary program, which has never been tested and used.”

Manalastas also warned that until we see the licensing agreement under which the Dominion source code is being made ‘open’, we do not know what Brilliantes was referring to (when he said the source code was ‘released’ to them).

“Is Dominion giving Comelec a license to read and modify Dominion’s PCOS source code? Is Dominion giving Comelec a license to read the source code and propose modifications to be carried out by Dominion? Is Dominion giving the political parties and interested groups a license to read and modify Dominion’s PCOS source code? Is Dominion giving the political parties and interested groups a license to read the source code and propose modifications to be carried out by Dominion? Is Dominion licensing the PCOS program as an open source program? If so, why is it not making the source code available for public download?” Manalastas asked.

As an IT expert, Manalastas said the release of the source code will not improve the credibility of the 2013 elections, and neither does it constitute Comelec’s obedience to the prescriptions of Section 12 of RA-9369. In fact, said Manalastas, the Comelec has tried to disregard the provisions of Section 12, from the very beginning in 2009, to the present. “It has stonewalled the proponents of source code review by imposing source code review qualifications and source code review conditions that are impossible, even for Comelec’s own IT people, to meet.”

Post-election source code review a farce

On Brillantes’ assurance that a review of the source code would be done after May 13, Manalastas said it will not help solve the bugs of the May 13 binary programs.

Another co-convener of AES Watch, IT security expert Lito Averia, said there is nothing to rejoice in the news that at last, the source code of the PCOS machines will be made available for review. “Even as Smartmatic-TIM has released the source code of the election management system (EMS) and the canvassing and consolidation system (CCS), the source code of the PCOS machines has long been withheld,” Averia said.

Those delays mean many avenues for automated cheating and disenfranchisement may have come with the program tasked to count the peoples’ votes. “Even after handing down the supposed source code, how will candidates, political parties and voters know that the errors found in the PCOS program running the machines have all been corrected?” Averia asked.

A source code review done only after the mid-term elections will only be a farce, said Tuazon. “All malicious bugs and errors that will be found then could no longer be corrected let alone the manifest deficiencies that would make the election results questionable,” he added.

Still, AES Watch dared Brillantes to show immediately if the source code he mentioned is the same one loaded into some 78,000 PCOS machines now deployed all over the country – with several being used for the FTS – and verified via hash code matching.

Comelec wasted 3 years

Given the many questions hounding the functioning of PCOS machines and the source code running it, Tuazon said the Smartmatic PCOS machines could not be trusted to count properly and do its job accurately and securely. He accused the Comelec under Chairman Jose Melo and now under Brillantes as “in complicity with its foreign technology provider” and that they “bungled the implementation of the Poll Automation law (RA 9369) in the country.”

“Comelec wasted three years to prepare the source code and the PCOS machines for the 2013 polls,” Tuazon said.

Last May 3, AES Watch individual conveners and members filed a complaint with the international community, the UN and elevated their case to violations of civil and political rights of Filipino voters and watchdogs. They said the Comelec has lied about the source code many times in the past and labeled critics as ‘election saboteurs.’

The group believes it is only Comelec’s fear of an international backlash due to its continued violations of the country’s own poll automation law that prompted it to announce now, so late into preparation for elections, the release of the long elusive source code. The Comelec announced the release in the company of its foreign partners, and, contrary to the provision of RA 9369, it said the review would be done only after the elections, the AES Watch said.

The election watchdog also reminded Brillantes that he is under obligation to disclose the terms and conditions reached with Dominion on the alleged disclosure of the source code, “especially because this company was not – and has never been – a party to the 2009 contract awarding the provision of election technology to Smartmatic.”

Tuazon asked the Comelec how much money the Filipino taxpayers paid just for the disclosure of the questioned source code.

Without credible and timely source code review and bug fixing, and considering all the reported PCOS failings plus the questionably undisclosed nature of licenses entered into by the Comelec, the AES Watch dares Comelec to do a 100-percent Parallel Manual count as a contingency measure. Brillantes had earlier promised to do a partial manual count to check the validity of the automated counting.

AES Watch said only a 100-percent parallel count may “ensure the PCOS software will count right and the machines will operate according to law.” (


Leave a Comment