May 10 election automation: can data-substitution happen during transmission?

There are several entry points for election cheats under the election automation project of the Comelec. We will focus here on the transmission phase.

Every precinct counting machine (PCOS) is supposed to transmit its electronic Election Return (e-ER) to the three upstream servers: the municipal canvassing server, the KBP-PPCRV-political parties server, and the Comelec central server, in that order.

The risk of reverse data flow (RDF)

Why does the municipal server come first, and the Comelec central server last? Here is the risk if the Comelec central server were to come first: suppose that during transmission a reverse flow of data occurs, that is, instead of receiving data, the central server sends data to the PCOS, overwriting the latter’s authentic election results with fraudulent data from the central server. We will call this the Reverse Data Flow (RDF) risk. It can only happen if both the PCOS and the central server had earlier been programmed to do so, upon receipt of a certain command (for instance, if the PCOS receives a certain string of characters from the central server). We know that Smartmatic machines have such a capability and can be commanded to accept incoming data, because it happened during the 2008 pilot in the ARMM. (Those in the industry call this the Wao incident. Wao is a town in Lanao del Sur Province.)

If this RDF risk materializes, then, when the PCOS subsequently connects to the municipal and the KBP-PPCRV servers, it will now be uploading not authentic data but the fraudulent data it received from the central server. To be effective, RDF needs to occur on the first connection to the outside (presumably with the central server). Why? Suppose the authentic data from the PCOS manages to get out on the first connection to the municipal or KBP-PPCRV server. If the central server subsequently manages to load the PCOS with fraudulent data through RDF, then discrepancies will show up between the municipal and central data files that will be harder to cover up.

RDF can also occur between a PCOS and a municipal server, but this means the cheats would have to take control of many municipal servers, instead of a single central server, to achieve a similar impact. Thus, RDF through the central server is simpler and easier to cover up, if cheats were to attempt it. This is why it is extremely important for the PCOS to connect to the municipal server first, and the Comelec central server last.

How to make the PCOS connect to the central server first

There is a flaw in the prescribed transmission sequence that cheats can exploit. In its Resolution No. 8739, the Comelec instructs the Board of Election Inspectors (BEI) that if the PCOS is unable to connect with the municipal server after three tries, the BEI should try sending to the KBP-PPCRV server instead. If that does not work either, they should try the Comelec central server next, and then go back to the municipal server, in round-robin fashion. The revised general instructions (Comelec Resolution No. 8786) keep this round-robin approach.

Hence, if there’s a way to intentionally block municipal servers and the KBP-PPCRV server from receiving a PCOS transmission for a while, then the PCOS will end up connecting with the Comelec server first, setting up the conditions for the RDF problem.

Remember the 5,000 cellphone jammers reportedly imported into the country? They suit this purpose perfectly. The 5,000 are more than enough to cover the 1,631 city/municipal servers throughout the country, plus the KBP-PPCRV server. If this method of cheating were attempted, the cheats would probably not operate in every city and municipality but only in selected ones where they can achieve maximum impact with a minimum of disruption. Areas where there is no credible opposition would be good candidates for such an operation.

Another possibility is to swamp the target server with a Denial of Service (DoS) attack through the Internet, long enough for the PCOS to fall through to the central server. After the RDF operation, which would take no longer than a normal transmission (a few minutes, except that the data flows in the opposite direction), things can go back to normal at the municipal and KBP-PPCRV servers.

How can this method of cheating be prevented?

Several measures are necessary to prevent or detect this method of cheating:

1. The source code of the PCOS as well as the servers must be opened for scrutiny and review. RDF can only happen if there are programs in the PCOS and the server instructing them to make it happen. A thorough code review may be able to determine if such rogue programs exist, as long as they are not camouflaged or hidden very well.

2. The Comelec central server must be accessible for close observation at all times, to all stakeholders, especially political parties and non-partisan election monitors such as media and citizens’ groups. This will make it more difficult to set up the Comelec server for an RDF operation or to install new software at the last minute for doing so.

3. The BEI must be under strict instructions not to attempt connection to the Comelec central server until the data has been transmitted to their upstream municipal server and the KBP-PPCRV server.

4. Print more than 8 ERs before any transmission is attempted, to give more minority parties access to one of the pre-transmission ERs. Under current Comelec instructions, only 8 ER copies will be printed before transmission and the remaining 22 after transmission, so only the dominant majority and minority parties (the dominant minority designation is still being contested between the NP and the LP) get a copy each of the pre-transmission ER. Another copy goes to PPCRV, which however has announced no concrete plan so far to do a parallel count, and still another gets posted on a conspicuous place at the precinct level. These first 8 copies are extremely important for detecting RDF.

5. Specifically instruct the BEIs and official watchers to ensure that the ERs printed before and after transmission are identical and to record this fact as well as any discrepancy in the BEI minutes.
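As an added illustration (this is not code from the original post, nor from Comelec or Smartmatic), the following Python simulation models the round-robin fallback described above for Resolution No. 8739 alongside the strict ordering of measure 3, and runs the pre- and post-transmission ER comparison of measure 5 over both. The server names, timings, vote counts and the behaviour of the "rogue" central server are all constructed assumptions that model the RDF hypothesis of this post, nothing more: the rogue server, when contacted, pushes its own data down instead of receiving, and the simulated PCOS accepts it.

```python
"""Simulation of the PCOS transmission order discussed above.

Constructed for illustration only: server names, timings, vote counts and the
'rogue' central server are assumptions that model the post's RDF hypothesis.
This is not Smartmatic, PCOS or Comelec code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MUNICIPAL, KBP_PPCRV, CENTRAL = "municipal", "kbp_ppcrv", "central"
ER = Dict[str, int]  # candidate -> votes: the electronic election return


@dataclass
class Server:
    name: str
    jammed_until: int = 0               # attempts at t <= jammed_until fail (jammer / DoS)
    rogue_payload: Optional[ER] = None  # if set, the server pushes this down (RDF model)
    received: List[ER] = field(default_factory=list)

    def connect(self, t: int, er: ER) -> Tuple[bool, Optional[ER]]:
        """Return (ok, pushed_back); pushed_back is data sent down to the PCOS."""
        if t <= self.jammed_until:
            return False, None
        if self.rogue_payload is not None:
            # RDF model: instead of receiving, the server pushes its own data and records that.
            self.received.append(dict(self.rogue_payload))
            return True, dict(self.rogue_payload)
        self.received.append(dict(er))
        return True, None


@dataclass
class PCOS:
    er: ER
    t: int = 0                          # each connection attempt advances the clock by one
    log: List[str] = field(default_factory=list)

    def print_er(self) -> ER:
        """Snapshot of the ER as it would be printed on paper."""
        return dict(self.er)

    def attempt(self, server: Server) -> bool:
        self.t += 1
        ok, pushed = server.connect(self.t, self.er)
        self.log.append(f"t={self.t} {server.name}: {'ok' if ok else 'failed'}")
        if ok and pushed is not None:
            # The RDF hypothesis: the PCOS accepts incoming data and overwrites its own results.
            self.log.append(f"t={self.t} {server.name}: incoming data accepted (RDF)")
            self.er = pushed
        return ok


def _deliver(pcos: PCOS, servers: Dict[str, Server], pending: List[str],
             tries: int, rounds: int) -> List[str]:
    """Try each pending server up to `tries` times per round; return those still pending."""
    for _ in range(rounds):
        for name in list(pending):
            if any(pcos.attempt(servers[name]) for _ in range(tries)):
                pending.remove(name)
        if not pending:
            break
    return pending


def transmit_round_robin(pcos: PCOS, servers: Dict[str, Server], tries=3, rounds=5) -> bool:
    """Failover as described for Resolution No. 8739: municipal, then KBP-PPCRV, then
    Comelec central, then back to the start. Central is reached after six failures."""
    return not _deliver(pcos, servers, [MUNICIPAL, KBP_PPCRV, CENTRAL], tries, rounds)


def transmit_strict_order(pcos: PCOS, servers: Dict[str, Server], tries=3, rounds=5) -> bool:
    """Measure 3: never contact the central server until municipal and KBP-PPCRV
    have both acknowledged; if they cannot be reached, stop and escalate."""
    if _deliver(pcos, servers, [MUNICIPAL, KBP_PPCRV], tries, rounds):
        pcos.log.append("central server NOT contacted: upstream servers unreachable, escalate")
        return False
    return any(pcos.attempt(servers[CENTRAL]) for _ in range(tries))


def run_scenario(policy, jam_until: int = 7) -> dict:
    """Jam the municipal and KBP-PPCRV links until time `jam_until`; the central
    server is reachable throughout and behaves as the post's rogue server."""
    authentic = {"A": 120, "B": 95}       # constructed sample counts
    fraudulent = {"A": 95, "B": 120}
    servers = {
        MUNICIPAL: Server(MUNICIPAL, jammed_until=jam_until),
        KBP_PPCRV: Server(KBP_PPCRV, jammed_until=jam_until),
        CENTRAL: Server(CENTRAL, rogue_payload=fraudulent),
    }
    pcos = PCOS(er=dict(authentic))
    printed_before = pcos.print_er()      # measure 4: ER copies printed before transmission
    completed = policy(pcos, servers)
    printed_after = pcos.print_er()       # measure 5: ER copies printed after transmission

    def first(name: str) -> List[ER]:
        return servers[name].received[:1]

    return {
        "completed": completed,
        "rdf_occurred": any("RDF" in line for line in pcos.log),
        "pre_post_match": printed_before == printed_after,   # the BEI/watcher check
        "municipal_authentic": first(MUNICIPAL) == [authentic],
        "servers_agree": first(MUNICIPAL) == first(KBP_PPCRV) == first(CENTRAL),
        "central_contacted": bool(first(CENTRAL)),
        "log": pcos.log,
    }


if __name__ == "__main__":
    for policy in (transmit_round_robin, transmit_strict_order):
        result = run_scenario(policy)
        print(policy.__name__, {k: v for k, v in result.items() if k != "log"})
```

With the links jammed for seven attempts, the round-robin policy reaches the rogue central server at t=7, is overwritten, and then uploads the substituted figures to the municipal and KBP-PPCRV servers, so all three servers agree and only the paper ERs printed before transmission differ from those printed after. The strict policy delivers the authentic ER to the municipal and KBP-PPCRV servers first; the overwrite still happens on the later central connection, but now the central copy disagrees with the other two and with the pre-transmission printout, which is exactly the discrepancy measures 4 and 5 are meant to surface. If jamming lasts longer than the retry budget, the strict policy stops without ever contacting the central server.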

2 Comments

  1. Posted April 30, 2010 at 11:09 am | Permalink

    This site is so bogus. Like this statement:

    Remember the 5,000 cellphone jammers reportedly imported into the country? They suit this purpose perfectly. The 5,000 are more than enough to cover the 1,631 city/municipal servers throughout the country, plus the KBP-PPCRV server.

    Most of the cities will be sending via wired connection. That is so impossible to jam unless through post wires.

  2. Roberto Verzola
    Posted April 30, 2010 at 8:03 pm | Permalink

    The municipal servers were designed to connect to the mobile phone network through wireless modems. So they can be jammed. The PPCRV-KBP server too.
