Too soon to call 2010 elections successful

It is too soon to declare the 2010 elections a success.

People want a successful election so badly, that it is easy to get carried away by flood of incoming election returns. Many want to believe that a clean and honest election has finally happened, at last.

But the vice-presidential election is yet to be settled. The contest between the 12^th and 13^th places in the senatorial race still has to be settled too. Hundreds, perhaps thousands, of local races also await to be settled.

Already news is coming in about delayed Election Returns (ERs), malfunctioning, missing or otherwise questionable memory cards, and other indicators of potential or emerging problems.

As in the manual system, the precinct level count is always the fastest. Even when election inspectors, watchers and the public counted votes by hand, most of the election results had always been available past midnight or early morning. Even under the manual method, the biggest challenge has always been at the municipal level and higher, where wholesale cheating operations occurred.

In fact, the automated election system failed spectacularly its first truly public test a week before election day, when many candidates got zero – a “bawas” — and some got more than the votes actually cast for them – a “dagdag”. The results were worse than most manual counts. Fortunately, the failures in the machine count were so obvious that the election inspectors and watchers noticed them immediately. An embarrassed Comelec quickly called off the public test, and traced the problem to misaligned ovals on the ballot. Because of a last-minute change from single-spacing to double-spacing in the ballot layout for local candidates, their oval locations did not anymore match the coordinates stored in a configuration file in a memory card within the PCOS machine.

Reconfiguring the memory cards was somewhat easier than reprinting ballots, so that is what the Comelec and Smartmatic tried to do.

Smartmatic only had 18,000 spare memory cards and there was little time to recall the rest, so in addition to the spares, Smartmatic recalled the cards that could still be recalled; imported the rest from Hongkong and Taiwan; edited each of the 1,631 ballot layout configuration files (unique for every town); programmed these configuration files into 76,340 memory cards (one for each machine); delivered the 76,340 newly reconfigured memory cards to the waiting machines all over the archipelago; found the right machines for the right memory cards; replaced the misconfigured memory card; and conducted a second round of public testing and sealing of the PCOS machines. All within a span of five days – 120 hours. Aside from some 400 machines that malfunctioned, the rest of the 76,340 machines worked fine and gave the country its first successful automated elections. So they say.

Can we now trust the machine results?

These machines had grievously failed to count a few days earlier. This was followed by a mad rush of recalls, importations, file reconfigurations, card reprogramming, deliveries, reinstallation, and a second round of testing and sealing. In the mad rush, were security procedures and chain of custody considerations still observed? Did anyone see an election inspector with an ultraviolet lamp to check for authentic ballots, for instance? (We have not found anyone who did.) Suppose there were also more subtle problems that a ten-ballot test set was insufficient to detect – ovals that were misaligned by only one or two millimeters, for example, just as the security marks were, or oval coordinates that were purposely changed slightly to shave votes from targetted candidates. Were tests done at all for these potential problems?

Suppose an ATM had earlier given you only half the money than it deducted from your account, and the bank tells you the machine is now ok. Wouldn’t you count your money at least once in subsequent withdrawals? Suppose most ATMs of a bank network shortchanged its clients, wouldn’t they demand that every ATM of that network be carefully tested and recertified for its counting accuracy?

For exactly the same reason, every candidate who lost – and won – in the machine-counted 2010 elections should demand thorough post-election testing and audit for accuracy of every counting machine and its results.

Losing candidates should demand it, because they might have actually won.

Winning candidates – especially those who lead by a huge margin – should demand it, because the gross machine errors a few days earlier and subsequent doubts about machine accuracy have devalued their victory.

Apparent president-elect Noynoy Aquino should demand it, if only for the sake of his running-mate Mar Roxas, who sacrificed his own presidential ambitions to give way to Noynoy.

There was no time for proper testing in the mad rush to the May 10 elections because few wanted the elections postponed. But we have fifty days before June 30, when the new set of elected officials are scheduled to take over. We still have enough time check, double-check, and be sure about the results of the 2010 elections.

In the meantime, the Comelec and local election authorities should not be in a hurry to proclaim winners and declare the elections a success.

2010 election surprise: Binay leading Roxas

ROBERTO VERZOLA, Halalang Marangal (HALAL)

http://www.gmanews.tv/story/190631/2010-election-surprise-binay-leading-roxas

The most recent Comelec report (May 10, 2010, 11:30 p.m., 57% of all election returns canvassed) as of this writing suggests that the 2010 presidential election is an Aquino landslide.

Benigno “Noynoy” Aquino III seems to be getting roughly three votes for every two votes for Joseph “Erap” Estrada and one vote for Manuel “Manny” Villar Jr., confirming late pre-election surveys that showed a widening lead by Aquino over his closest rivals, and a precipitate drop in Villar’s share of the votes.

The tight vice-presidential race is the surprise of the 2010 elections, with Jejomar “Jojo” Binay roughly getting 8-10% more votes than early survey front-runner Manuel “Mar” Roxas III. It also confirms late pre-election surveys of a come-from-behind surge by Binay and a collapse in Loren Legarda’s share.

The top ten in the senatorial race, based on the same Comelec partial report, are Ramon “Bong” Revilla Jr., Jose “Jinggoy” Estrada, Miriam Defensor-Santiago, Franklin Drilon, Juan Ponce Enrile, Pilar Juliana “Pia” Cayetano, Ferdinand “Bongbong” Marcos Jr., Ralph Recto, Vicente Sotto III, and Sergio Osmeña III.

Occupying the eleventh to the fourteenth slots – traditionally a very tight contest – are Manuel “Lito” Lapid, Teofisto “TG” Guingona III, Risa Hontiveros-Baraquel, and Rozzano “Ruffy” Biazon.

Without a breakdown of the election returns received per region or province, it is hard to put the above reports into context. Whether the rankings can still change significantly depends on those regions which are most incomplete in terms of submitted election returns.

Where cheating happens

It is in the low-completion regions where the cheating usually happened in the past. Some municipalities or even provinces would purposely delay reporting their returns, to allow candidates to estimate how many votes they needed to win. They would then bargain with local officials who control the uncanvassed ERs to swing the results in their favor.

The incoming flow of electronic ERs will slow down when all precinct clusters whose voting machines worked, were able to produce a vote count and transmit their results to central servers have completed their transmissions.

Then the results will start coming in more slowly, from voting machines whose memory cards are being physically transported to municipal canvassing centers. These memory cards will be inserted into card readers of the municipal canvassing servers, and their contents “imported,” to be merged with the ERs that had been electronically transmitted.

Cheats and new technology

This is another danger area. Depending on how quickly cheats have mastered the new technology, some may have already acquired enough sophistication to configure false memory cards and attempt an operation to substitute memory cards, analogous to the old practice of ballot-box substitution.

Also, a still-to-be-determined percentage of precincts will still conduct a manual count, if no machine reached them in time, or the machine broke down and its replacement could not get there in time, or if the ballots or the replacement memory card did not get to the precinct in time.

Then manual methods of cheating can still occur. It is in fact much easier now to shade ovals than write names. Thousands can be marked without giving away the secret like handwriting would. Several million votes may still be at stake here.

In the past, the conclusion of precinct counting would just be the start of various cheating operations that occur at the municipal, provincial and national levels. It never mattered to cheats that their operations would create discrepancies between precinct-level data and higher-level data. As long as their candidate was proclaimed, the challenges, costs and delays that faced any post-proclamation protest was enough to deter all but the most determined victims of cheating. After all, they got away with it in 2004 and 2007.

Thus, cheats may still launch attempts at the municipal level and provincial levels, if they had already found ways to do so. One should not underestimate the creativity of cheats.

However, Aquino’s seeming landslide win will probably deter any attempt to cheat him in favor of the runner-up. Estrada’s huge lead in the 1998 presidential elections, and Obama’s huge lead in the U.S. elections in 2008, had made it extremely difficult for a cheating operation to succeed. Thus, the cheats did not even dare, even if the machinery to do so was already in place. Had they led by a much smaller margin, the outcomes might have been different.

If his landslide win insulates Aquino from any outcome-changing attempt at fraud, the same cannot be said in other contests.

The close vice-presidential contest may tempt one or both of the protagonists to tap operators to either strengthen one’s lead or overcome the opponent’s. Too many votes remain uncounted for either side to relax their guard. The drama of the 2010 elections remains to be played out over the vice-presidential contest.

The senatorial contest too has traditionally been marked by a very close contest between the 12th and the 13th placers. In 2007, Zubiri’s margin over Pimentel was only .07% of Pimentel’s votes and this was obtained through statistically impossible results from six municipalities in Maguindanao.

In such close contests, we will need the .005% or lower error rate from PCOS machines specified by the Comelec. Unfortunately, the accuracy rates of these machines remain a big question mark, especially after the fiasco just a few days before the elections.

Again, some of the protagonists in the senatorial contest may be tempted to mount an operation to ensure a 12th or higher position. Whether anyone actually will, remains to be seen.

Finally, given the recent fiasco of gross errors from the voting machines, will losers – especially local candidates – accept at face value the numbers reported by these machines, or will they question the results and demand a recount to double-check their accuracy?

Until these questions are settled, it is too early to declare the 2010 automated elections a complete success. – HS, GMANews.TV

Expect a flood of demands for recount from losing candidates

The PCOS fiasco a few days before the May 10 elections has shattered the credibility not only of election automation, but of the entire electoral process itself. The entire process hinges on an accurate count by the PCOS machine. In fact, COMELEC specifications require at least 99.995% accuracy, or at most one error for every 20,000 marks or around 600 ballots. Today, we have very little idea how accurately the PCOS will count our votes.

One minor mistake – changing from a single-spaced to a double-spaced layout – has created a crisis of credibility for the entire elections. Who will accept at face value the PCOS machine counts now? Even a candidate who wins with a narrow margin may suspect that the machine might have trimmed his margin. Certainly, losing candidates can now be expected to demand a manual recount, so they can see for themselves how they actually fared. No assurance from Smartmatic or the Comelec will now suffice, because everyone has seen how the PCOS machine made gross errors during the final testing and sealing.

Many may not realize it yet, but we are in a different ballgame now. May 10 election victories — whoever wins, in whatever position – have just suffered a major devaluation.

The PCOS fiasco has robbed the winners of the May 10 elections of a clear victory. It has created not only a cloud of doubt about the machine results, but also last-minute disruptions in the crucial final days before the elections that will surely create confusion and chaos in many areas.

Deliveries had to be suspended, because the PCOS machines had to stay put in the hubs or sub-hubs, so they can await the CF memory card replacements. The final testing and sealing had to be called off, to avoid further embarassment and damage to the credibility of the automation project. When the replacement memory cards eventually arrive for installation in the machines, only then can these machines leave the distribution hubs and sub-hubs for final deployment.

Designing machines and ballot sets that will only work with each other, but delivering them separately had earlier created a “logistical nightmare”. The nightmare just became worse, because machines, ballot sets, and memory cards are now being delivered separately, and under even greater time pressure.

If the PCOS machine, its associated set of ballots, and its associated memory card, do manage to find themselves reunited in their destination precinct cluster, on time for the May 10 elections, they still need to be tested again. It was obvious from the fiasco that the accuracy of the machines were not checked before they were deployed, so the final testing is our only chance to determine the accuracy of the PCOS. This final testing cannot be dispensed with.

If the final testing with a ten-ballot test set shows even a single error, then we cannot guarantee with 95% confidence that the machine’s error rate is lower than 1%. There’s a good chance it is higher than 1%. Then, the board of election inspectors must either ask for a replacement, or go ahead and use an inaccurate machine.

Where machines don’t arrive, stop working, reject too many valid ballots, or otherwise fail, the board of election inspectors must resort to a manual count. The Comelec says it has prepared the paraphernalia for up to 30% of the precincts. But the precinct election inspectors have ask for the paraphernalia to be delivered first. More delays. Given the confusion, more than 30% of precincts may need to resort to a manual count.

If the paraphernalia for a manual count don’t arrive, the ballot boxes will have to be sealed and watched over, to be counted later.

So, expect confusion and chaos in many areas on election day. Yet, even where everything works smoothly, the machine counts will remain under a cloud of doubt, and losing candidates will surely demand a recount, citing as reason the errors made by the PCOS machines earlier. Who can blame them?

All because of an innocuous-looking suggestion to change from a single-spaced to a double-spaced ballot layout.

The origin of this suggestion must be traced. Who first raised it? Why did Comelec approve it? Why didn’t Smartmatic or Comelec test the accuracy of the PCOS machine with the new layout?

If anyone had intentionally wanted to disrupt the elections and discredit its results, he – or she – couldn’t have done it any better.

Three things the COMELEC can do to assuage our concerns

This is the latest letter of HALAL to the COMELEC. The HALAL suggestions are important and urgent. Let us all add our voices to these suggestions.

Halalang Marangal

April 20, 2010

The En Banc

COMMISSION ON ELECTIONS

Palacio del Gobernador

Intramuros, Manila

Hon. Chairman JOSE A. R. MELO

Hon. Commissioner RENE V. SARMIENTO

Hon. Commissioner NICODEMO T. FERRER

Hon. Commissioner LUCENITO T. TAGLE

Hon. Commissioner ARMANDO C. VELASCO

Hon. Commissioner ELIAS R. YUSOPH

Hon. Commissioner GREGORIO Y. LARRAZABAL

Gentlemen:

We are deeply concerned that the risk of failure of the Automated Election System (AES) remains unacceptably high. But it is very late in the day to return to the old manual system, which may not save us either. It will simply mean business-as-usual for the cheats, who have mastered the manual system so well that they can manipulate its results in their sleep.

Halalang Marangal (HALAL) proposes three simple things for the COMELEC to do that can help lead us out of this dilemma.

THREE THINGS WE ASK FROM THE COMELEC TO ASSUAGE PEOPLE’S CONCERNS ABOUT THE AES

ONE. We ask the COMELEC to assign every scanning machine and its associated precinct cluster a simple unique identifier and widely disseminate this information to the public.¹

Why? Because this will make the Precinct Count Optical Scanner (PCOS) machines more accountable, just as vehicles with license plates, or policemen with visible name plates, are more accountable. It empowers the voting public better when they know exactly the individual machine they are dealing with, making it easy to identify errant machines, send reports, complaints, etc. The unique identifiers of all machines in a polling center must be conspicuously displayed outside the center, in big characters. The ID of each PCOS must also be conspicuously displayed in the room where the machine is located. A unique identifier, known by all, is a fundamental requirement in any automation project.

These unique PCOS IDs must be quickly added to the COMELEC Project of Precincts (POP), which is the master list of all polling precincts. The updated POP must be made available to the media and the public on a compact disc (CD), for quick copying and dissemination.

TWO. We ask the Comelec to authorize election inspectors to print before transmission 29 of the 30 Election Returns (ERs).

Why? To make as many copies of the precinct results as possible, before the connection with a central server and its associated possibility that the authentic PCOS data may be overwritten with false data from the server during transmission. Also, to remove any cause for PPCRV and NAMFREL, Nacionalistas and Liberals, or national and local candidates of the same party, to dispute who should get ER originals. There may not be enough with eight copies, there will be enough with 29 copies. With so many copies of the original ER circulating, suppressing the truth will be much harder.

The printed ER should contain the machine’s unique ID. The ER originals can now go to more political parties, election watchdogs, media organizations, and other accredited civic groups.

The 30^th copy of the ER, printed after transmission, should be immediately read aloud by the BEI so that everyone who had received an earlier copy may make sure that their copy is identical with the 30^th copy. If not, then the transmission has compromised the election results in the PCOS memory as well as the 30^th copy. These, and the electronic ER copy just transmitted to the central servers, must now be presumed to contain false data and must be questioned. This must be noted in the minutes. But the 29 original ERs still contain the authentic data.

THREE. We ask the COMELEC to authorize a 100% manual audit of the votes for president.

Why? As a final check on the accuracy of the PCOS count, for the same reason that a bank teller still manually counts bills after they have been counted by a machine. The COMELEC reverted to a 100% manual audit of ballot authenticity after it was discovered that the high-speed printing caused 1-2 mm misalignment which resulted in the inaccurate scanning of the UV security mark. For exactly the same reason, we need a 100% manual audit of the votes, to find out if a similar misaligment of ovals due to high-speed printing also resulted in the inaccurate scanning of marks. Without the PCOS feature that allows each voter to verify if his choices were correctly registered by the machine, a 100% manual audit is our only remaining option to check the scanning and counting accuracy of the PCOS. Earlier proposals that have been raised for a 100% manual audit covering three positions only were in the right direction. Our counsel to limit further the coverage of the audit to the president is meant to streamline the process even more, by making possible a very simple manual method as follows:

The BEI will first count the ballots, and then sort them into separate stacks, one stack per presidential candidate. The stacks should be double-checked by individual watchers and elections watchdogs.² The BEI will then count in public, aloud, the ballots in each stack. If the counts are correct, then the total of the counts will equal the number of ballots. If no discrepancy is found, we estimate that this method will take no more than one hour. If a discrepancy is found, it may take another half hour to confirm the accuracy of the manual count.

We emphasize that extra care must be taken to make this manual audit 100% accurate, because it will serve as the standard against which the accuracy of the PCOS machine will be measured. The stacks and the final vote counts must be checked several times to detect and correct any errors. The results of this manual count of votes for president, including the total votes and any discrepancy in the totals, must be appended to the printed ERs and countersigned by the BEI. The results of the manual count will also be entered in the minutes. They should be taken into account before any winner is proclaimed. After all, the term of outgoing elected officials will end only in June 30. There no need to rush any proclamation.

Airplanes and ships are required by law to carry life vests and life boats, even if these are superfluous most of the time because air and sea accidents are rare. They are there not only to assuage passenger concerns, but also because of the lives they will save in those rare events when they are needed.

Similarly, we ask the COMELEC for the following safety mechanisms: unique PCOS identifiers made public, 29 ERs printed before any transmission, and a 100% manual audit of the votes for president before proclaiming any winner.

We hope the COMELEC will consider these HALAL recommendations for the 2010 elections, which we are now formally submitting to the COMELEC in the spirit of supporting the Commission’s efforts to protect the integrity of the ballot and the sanctity of the people’s voice.

Very truly yours,

Halalang Marangal Convenors/Board of Directors

WIGBERTO TAÑADA Chairman, HALAL Former Senator Senate of the Philippines	MEHOL K. SADAIN Former Commissioner Commission on Elections	FRANCISCO GUDANI President, HALAL Retired General Armed Forces of the Philippines
ISAGANI SERRANO President Philippine Rural Reconstruction Movement	Sr. MARY JOHN MANANZAN Association of Major Religious Superiors	MA. PAZ LUNA TOYM Awardee
	ROBERTO VERZOLA Secretary-General, HALAL

1If a unique ID per PCOS already exists, then the COMELEC need only publicize them widely. Smartmatic is apparently using a Stock-Keeping Unit (SKU) system that uses seven digits for internal control. This is enough. The important thing is that the identifiers are unique per machine, that they are consistently used in all official lists and ERs, and that they are publicly known and, on election day, conspicuously displayed outside polling centers and in the precincts.

2This is how some countries do their manual count. After voting closes, all ballots for one electoral jurisdiction are transported to a big hall or covered court, authenticaled, and then dumped on the floor. “Scrutineers” then sort the ballots into stacks, one candidate, one stack. Double-checked, of course. If the contest is not very close, the heights of the stacks will show before the counting starts – even before the sorting is over – who won as member of parliament in that jurisdiction. On the same night, winners in most juristictions would be known, as well as the majority party if any, and then of course the prime minister – a clean and honest count, without automation.

The high-speed printing that misaligned UV marks can misalign the ballot ovals too

The ultraviolet (UV) scanner of the PCOS was disabled because the high-speed printing resulted in the UV mark on the ballot being “misaligned by one to two millimeters”, according to COMELEC Commissioner Larrazabal. As a result, the machine’s UV scanner often missed the mark and many valid ballots being being rejected.

Here’s the big question: If the misalignment of the UV mark was serious enough to make COMELEC turn off the UV scanner, then can’t the ovals be misaligned too? A misaligned oval means a misaligned a vote-mark. Which means the PCOS main scanner may have problems interpreting the voters’ choices.

The Comelec requires from the PCOS an error rate of less than .005%. That means less than five errors for every 100,000 marks. To determine if this Comelec specification is met, each PCOS should have been tested properly. But no test statistics have been released by the Comelec. And if these tests were done at all, they were probably done with perfectly aligned, not misaligned, ovals.

With misalignment, the two types of errors the scanner can make will both get worse: the false positives that register a vote/mark which is not there, and the false negatives that miss a vote/mark which is there. This means some candidates will gain votes (“dagdag”), while other candidates will lose votes (“bawas”). Does that sound familiar?

This problem is made worse by the Comelec decision to, in effect, blindfold voters while the machine is registering their choice. Originally, the PCOS was programmed to display the voter’s choices on its screen, so he can check if his choices were correctly registered by the PCOS and abort the process if the PCOS didn’t. This voter-verification is in fact required by the Automated Election Law (Section 7n): “Provide the voter a system of verification to find out whether or not the machine has registered his choice.” The Comelec ordered Smartmatic to disable this feature. Thus, the PCOS may falsely register voters’ choices, without voters knowing it. This is far worse than a PCOS that stops working or rejects valid ballots, problems which are apparent at once. An inaccurate PCOS will keep scanning and counting happily, with no indication or warning that it is miscounting votes.

According to a former Comelec official, similar problems had also occurred when the Comelec piloted automation in ARMM in 1998. He showed me a Comelec report entitled “Partial Automation of 1998 National and Local Elections”, which is also on the Comelec website. In 1998, said the report, Sulu ballots had to be manually recounted “due to an error in NPO’s printing procedure”. A similar recount was done with Lanao del Sur ballots, “also due to errors in printing of the ballots.”

The Comelec blamed “high-speed printing” for the misalignment. But misalignment is a common printing problem, and good operators know how to correct it. Why would it happen in such an important job as the printing of ballots?

It seems that the ballot printing is being done in such a hurry, that operators are not getting the time needed to stop the high-speed machines and correct any misalignments that may be happening. That the Comelec had insisted on printing ballots even on Maundy Thursday and Good Friday shows how disastrous even a slight delay might be. If they stopped the machines too often to correct for misalignments, they might miss their deadlines. Thus, the UV misalignment problem has gone on uncorrected.

As of April 16, according to Smartmatic, the NPO has printed 43.7 million ballots. If the high-speed printing has misaligned the UV marks, then how many of these ballots have misaligned ovals too? And in these misaligned ovals, how many false “dagdag-bawas” interpretations by the PCOS will occur?

The misalignment of UV marks and possibly the ovals too are the consequences of the Comelec violating the law and using a machine that has neither been piloted nor used widely. The SAES 1800 has never been piloted in the Philippines, as Section 6 of the Automated Election Law requires: “… the AES shall be used in at least two urbanized cities and two provinces each in Luzon, Visayas and Mindanao.” Nor has the PCOS been used widely in any other country, as Section 10 of the law also requires: “… the system procured must have demonstrated capability and been successfully used in a prior electoral exercise here or abroad.” The Supreme Court’s support for the Comelec’s stubborn insistence in using unpiloted Smartmatic machines must have reinforced the Comelec’s sense of impunity in violating provisions of the law.

Because of the lack of pilot, we lost the chance to detect early problems like these. As a result, they have put the entire national elections at risk.

Solution: both the PCOS and their associated ballots must be thoroughly checked for misalignment and accuracy in scanning. The tests must be done not by Smartmatic, but by independent third parties, say, the DOST, and witnessed by all stakeholders.

What if careful testing shows that the PCOS cannot reliably read properly shaded ovals? Then we may have no choice but to manually count the votes again, ballot by ballot.

[Note: This piece is based on the Halalang Marangal April 17 Statement on the problem of potentially-misaligned ovals, which I also drafted. It was published by the Philippine Star, p.18, on April 21, 2010.]

Roberto Verzola has a background in engineering and economics and a passion for social issues. He is recognized by the IT industry as an Internet pioneer in the Philippines and is often tapped by NGOs for technical advice. He currently lectures at the Institute of Mathematics of the University of the Philippines and is a convenor and secretary-general of the election watchdog Halalang Marangal (HALAL).

Front side of the official ballot for the May 10 elections in the Philippines

Here’s a copy of the front side of the official ballot that will be used for the May 10, 2010 national elections in the Philippines, for everyone’s scrutiny.

By the way, the Comelec is being accused of bias in the ballot design. Disqualified candidate Vetellano Acosta (#1 on the list of presidential candidates) is still listed in the ballot. The Comelec had approved Acosta’s candidacy earlier, then subsequently disqualified him. As a result of Acosta’s inclusion, LP candidate Noynoy Aquino, who would have been first on the list, is now a less conspicuous #2, and NP candidate Manny Villar is now all alone in the fourth column.

You decide for yourself, whether this is bias or not on the part of the Comelec.

It’s a long ballot. Be careful when filling it up. You cannot ask for an extra copy.

Dateline: “A Briefer on Poll Automation – Why it is Expected to Fail”

The title above is actually the title of an excellent paper on the risk of failure of the Philippine May 10 automated elections prepared by the “Citizens’ Alliance Against Electoral Fraud and Failure of Elections” and posted on the website of Dateline Philippines. The full text is on this Dateline site. [I’ve been told that the updated link is here. I will keep the old site, just in case…]

The paper is a very well-researched piece. It adds flesh to our own analysis at Halalang Marangal that the automated election process has a dismal 25% chance of success.

For several days, the Dateline site was offline, which was puzzling because few people seem to have accessed the site (the site counter said 88, when I last looked at it). The site is online again.

HALAL analysis of the May 10 elections: text version

HALAL analysis: automated election has 25% chance of success

[As of March 31, we have updated our assessment and now put the chance of success at 28%. See this post on the ballot-printing sub-project for details.]

by Halalang Marangal

Last March 8, Smartmatic-TIM full-page ads came out in some national dailies, claiming “a vote of confidence for the 2010 automated elections”, and listing the accomplishments of the five subsystems under the Automated Election System (AES). The five AES subsystems are: 1. Hardware, supplies, consumables; 2. Software, certification, voter education; 3. Logistics, support, preparations; 4. Telecommunications and Transmission; and 5. Ballot printing infrastructure.

Halalang Marangal (HALAL) carefully evaluated these Smartmatic-TIM claims. We have concluded that, in fact, serious problems beset each of the five subsystems, reducing the AES chances of success and creating opportunities for cheats to manipulate the election results, as they had routinely done in the past.

Remember that most election fraud are inside jobs. HALAL is less worried about hackers and other external threats. We are more worried about cheats who have inside access to the various AES subsystems to do what they have always done with impunity under the manual system.

Note also that by “success”, we mean the absence of significant cheating and similar problems that have chronically attended our elections and a canvassing period that is significantly shorter than the manual method. Otherwise, we would still consider the AES a failure. This “failure of authomation” is different from the legalistic term “failure of election”, by which election officials mean that no voting actually occurred. By their definition, if voters were able to cast ballots, then there was no failure of election.

Due to space limitations, we will cover only the most serious of the problems we identified.

Subsystem 1: Hardware, supplies and consumables

Claim: “82,200 PCOS machines [and batteries] manufactured and delivered”. Note the glaring omission – no mention of the number of machines tested and accepted by the Comelec. Due diligence requires that Comelec personnel – not Smartmatic-TIM – thoroughly test each of these machines for compliance with contract specifications. The Comelec should not accept, deploy or pay for machines which do not meet contract specs. Instead, it should ask Smartmatic-TIM to replace these machines.

Can the Comelec finish the testing on time? HALAL convenor and former Comelec Commissioner Mehol Sadain recalls that in 2004, they needed three months to thoroughly test 1,990 counting machines. Given this experience and the Smartmatic delivery delays, thorough testing of 82,200 machines is an imposing challenge indeed. If the tests are rushed – Smartmatic says they are testing 2,000 machines a day — then we risk deploying for May 10 hurriedly tested machines which can fail, reject valid ballots, or scan inaccurately.

Among the tests results, HALAL considers most important the following: failure rates (the machine mean time between failure or MTBF); the rate of rejection of valid ballots; and the scan error rate (less than 5 in 100,000 marks, according to contract specs). The failure and errors rates in the transmission equipment are also extremely important. We have tried asking the Comelec, political parties, as well as election watchdogs if they have obtained any test statistics. Aside from the field tests and mock elections, when media reported inordinately high ballot rejection rates and transmission problems, there seems to be a complete blackout regarding the test results. This is a bad sign.

Consider the implications of secret testing by Smartmatic-TIM: “good” machines can be selectively assigned to some regions and “bad” machines to other regions. This can easily bias voter turnout in favor of some candidates. Not to mention the Comelec (actually the Filipino taxpayer) paying for substandard machines. “Good” and “bad” modems can likewise be deployed selectively, causing more transmission problems in targetted areas.

Claim: “180.640 compact flash memory cards purchased”. Let us do the arithmetic. Some 82,200 PCOS machines will use two memory cards each. So only 164,400 are needed. Since these cards are solid-state devices, their failures rates are extremely low, compared to the PCOS, which include mechanical parts. Smartmatic-TIM bought 20% more memory cards than necessary. These extra cards, loaded with false results, may be surreptiously used to replace the authetic cards.

Given these and other concerns, HALAL assesses the probability of success of Subsystem 1 at 80%. That is actually a generous figure.

Subsystem 2: Software, certification, voter education

Claim: “Source code customization to meet the requirements of the Philippine elections finished”. The source code was actually customized in a way that violates the requirement of election law for voter verification. The PCOS has a built-in feature that displays on screen the names of candidates the voter has marked. Voters can then verify if their voting intentions were accurately interpreted by the machine. If not, they can abort, and feed their ballot again. If it did, voters can then confirm and press the CAST button. This feature is absolutely necessary to assure voters that the machine scanned their ballots accurately.

Smartmatic disabled this feature, taking away the only opportunity for voters to check the scanning accuracy of the machine on election day. Given the blackout in the results of pre-election testing, and the Comelec plan to conduct the post-election audit of machine results after the proclamation of candidates, we have lost all the three opportunities to determine the scanning accuracy of the machines. This is not reassuring.

Claim: “System audit … finished”; “source code public review process opened”. The law required both a system audit – which covers all the five subsystems of the AES – and a source code review – which is specific to the software programs that control the PCOS and the canvassing servers. The Comelec contracted for this purpose the U.S. firm Systest Labs. Last Feb. 9, the Comelec claimed that the system audit and source code review were done, meeting the Feb. 10 deadline set by the law.

Here’s the rub: neither Systest, Smartmatic-TIM nor the Comelec have released to the public any proper certification document. Such a document should state unequivocally that the AES and its five subsystems, as well as the source code, indeed meet the Comelec requirements of quality, reliability and security as specified in detail in the contract with Smartmatic-TIM. Where are these certification documents? Neither has the full report of Systest Labs been released to the public. Without them, we are justified in asking: are the Systest system audit and source code review actually done, or not yet? Comelec insiders have informed us of a “series of written exchanges” between Systest and the Comelec Technical Evaluation Committee on certain concerns regarding the Systest audit and review. What were these concerns? The only way we can be convinced that Systest has actually certified the AES and its source code is for the Comelec to release to the public the certification documents and full reports of Systest.

The Comelec did open the source code review process to the public. But the conditions it imposed are so unrealistically restrictive, that they make it extremely difficult to conduct a proper local review. Surely, the Comelec did not impose the same restrictive terms and conditions on Systest, when the latter conducted their review.

It is important to appreciate why the source code must be open to public review. The source code is Smartmatic’s general instructions to its machines, in the same way that the Comelec issues general instructions to election inspectors and canvassers. Just as it is totally unacceptable for the Comelec to keep its general instructions secret, it is also totally unacceptable for Smartmatic to keep its general instructions to its machines secret. This is a fundamental issue in a democracy. Our election law fortunately recognized this, and required the prompt release of the source code for public review as soon as the technology is selected. As of today, however, due to the restrictions imposed by the Comelec, no local group has yet conducted any review of the source code. Only two foreign companies – Smartmatic and Systest – have so far seen the general instructions to the machines that will determine our political future. Systest took more than four months to conduct its review. Less than two months before the elections, no local stakeholder including political parties or election watchdogs, have reviewed the source code yet. Even if the Comelec should relax its restrictions tomorrow, a proper review is hardly possible anymore. Smartmatic knew about the open source requirement of the law when they submitted their bid and signed the contract with the Comelec, they cannot invoke commercial confidentiality after winning the contract.

Claim: “Successful field tests and mock elections”. We have read the media reports on high ballot rejection rates and well as transmission problems right in Metro Manila. If Smartmatic can misrepresent results this way, what else are they misrepresenting?

Given these concerns, HALAL assesses the probability of success of Subsystem 2 at 70%.

Subsystem 3: Logistics, support and preparations

Claim: “Over 36,000 voting centers surveyed … [for] network signals, power.” etc. Since we have some 48,000 voting centers, that’s 75% of voting centers covered as of March 8.

Claim: “904 testing … employees working two shifts”. Even three shifts is not enough, knowing that 1,990 machines took the Comelec three months to complete their tests. Furthermore, vendor testing is the vendor’s problem. They should have tested these machines in China, before shipping them here. What we want is testing by the Comelec – due diligence. After all, it is our elections, and it is our money that will be paying for the machines.

Claim: “Contracts with logistics providers and forwarders signed.” According to reports by the newspapers Malaya and Daily Tribune, the three forwarders hired by Smartmatic are: Argo Intl Forwarders (P3.7M 2008 retained earnings, 0.42% of 2008 domestic cargo traffic, 11th place)‏; Germalin Enterprises (P2.3M 2006 net income, 0.35% of 2008 domestic cargo traffic, 12th place)‏; and ACF Logistics Worldwide (P1.1M 2008 cash balance; not in the top 30)‏. Given the herculean task they are entrusted with, the financial capabilities of these companies do not inspire much confidence. Smartmatic should release the list of their field offices, so that stakeholders can double-check their capacity for delivering goods on time.

Claim: “Recruitment and training of over 48,000 field support technicians started.” Since the ad came out 60 days before election day, we can only gape in disbelief: “Started”?

Claim: “438 Comelec training personnel certified”. And at least 230,000 elections officials more to train in the next 60 days.

The Comelec needs to make public the results of the Smartmatic survey for signal and power, as well as the distribution of the forwarders field offices. We must be wary of “problems” in delivery, power availability, and signal transmission, lest these be used to selectively affect voter turnout in some regions or provinces, in a way that can bias the outcome of the election.

HALAL – quite generously – assesses the probability of success of Subsystem 3 at 80%.

Subsystem 4: Telecommunications and transmission

Claim: “48,000 modems for transmission manufactured and delivered”. Again, the missing word here is “tested”. If these made-in-China modems can cause transmission problems right in Metro Manila, something could be wrong with their quality. If Smartmatic delivers a mix of good and bad modems, these can be selectively assigned by region or province to cause transmission and other problems in areas where election cheats want to operate.

Claim: “46,000 SIM cards secured”. Only 46,000 SIM cards for 48,000 modems? “5,500 BGAN transmitters purchased” and “680 VSAT transmitters leased”. With the 48,000 modems, these add up to 54,180 tranmitting equipment, enough for 71.8% of the machines. An extremely serious problem actually hangs over the security of the transmission process: instead of an independept body, Smartmatic, controls the entire system of passwords and digital signatures, from generation to certification. In a business setting, this is equivalent to merging in a single person the duties of vendor, operator, accountant, cashier and auditor – an open invitation to fraud.

Claim: “Contract with major telcos … secured.” But Smartmatic’s own survey says the telcos can cover at most 70% of the precincts. If transmission problems can occur even in Metro Manila, as we all realized during the mock elections, what about smaller cities and municipalities?

HALAL estimates the probability of success of Subsystem 4 at 70%.

Subsystem 5: Ballot printing infrastructure

Claim: “Over 10 million ballots with invisible ultraviolet mark and unique barcode printed.” The printing of ballots started on Feb. 8. A confidential internal Comelec memo was recently leaked to the media which said: as of March 1 (20 days after Feb. 8), 7.9 million ballots had been printed. Let us do the arithmetic: 7.9 million ballots for 20 days is 394,000 ballots per day. At this rate, in 60 more days – March 2 to April 30 – some 21.3 million more ballots can still be printed, for a total of 39.2 million, not quite the 50 million needed for a 1:1 ballot-to-voter ratio.

Remember that this is not a single print job, but some 1,600 jobs, because each city/ municipality has its own list of candidates. The Comelec expects to do 20 different print jobs a day over 80 days; practically one print job every hour. Even the scheduling of the print jobs – if done in a biased way – can matter, because the ballots from print jobs scheduled later are in greater risk of late deliveries.

Aside from printing delays, another problem lurks. An important quality issue in any print run is “registration” — the ovals must be printed exactly where the PCOS expects them to be. Any misalignment in the ballot can cause the machine to scan some positions inaccurately, creating a slight bias in favor of one oval versus another. Such misalignments can occur to any candidate (tough luck!), but election cheats can also exploit this to favor some candidates over others.

HALAL has reason to believe that the poor quality of ultraviolet printing is a cause of the inordinate number of rejections of valid ballots by the PCOS. This is probably why the machine’s ultraviolet scanning feature, which helps distinguish authentic from fake ballots, has been disabled, as former Chief Justice Arturo Panganiban revealed in a column. That’s one less security measure election cheats have to worry about.

HALAL estimates the probability of success of Subsystem 5 at 80%.

Let us now summarize our assessment of Smartmatic-TIM’s five AES subsystems:

Subsystem Probability of Success

• Hardware, supplies and consumables — 80%
• Software, certification, voter education — 70%
• Logistics, support and preparations — 80%
• Telecommunications and transmission — 70%
• Ballot printing infrastructure — 80%

We now turn to a fundamental principle in project management: to get the overall probability of success of a project, which relies on a series of sub-projects, each of which is essential to the project, the sub-projects’ probabilities of success must be multiplied together. Essentially the same principle is followed in product design and reliability engineering.

Thus a system with five subsystems, each with a 99% probability of success, will have an overall probability of success of .99 x .99 x .99 x .99 x .99 or .95 (i.e., 95%). If each of the five subsystems had a 95% probability of success, the probability of success of the overall system is 77%. (Try it on your calculator!) Five subsystems with a success probability of 90% each will give the overall system a success probability of only 59%. Given the problems we pointed out above, we are not ready to assign such optimistic probabilities to the AES project. If some are willing to give Smartmatic the benefit of the doubt, and assign 80% probabilities of success to each of their subprojects, that is still a 33% probability of success overall, a two-to-one odds in favor of AES failure.

HALAL’s assessment of the subprojects’ chances of success leads to .8 x .7 x .8 x .7 x .8 or a 25% overall probability of success for the AES. Feel free to make your own estimates. The conclusion seems inescapable: the risk of a May 10 AES failure is unacceptably high, especially for an election at this important juncture of our political history when failure should not be an option.

Unfortunately the Comelec appears to remain in denial about these problems. It continues to put up a confident face, pretending that nothing is wrong and everything is going on as scheduled. Yet, the automated elections have so many points of vulnerability that Murphy’s Law will almost surely kick in. Thus, the Comelec needs to prepare every precinct for a back up manual system in case some machines fail or are delivered late, or their replacements don’t come on time, or valid ballots are rejected by the machines, and finally for the legally mandated post-election manual audit. But if the preparations for the automated elections are delayed, those for the manual back up are even more so.

Thus, the Comelec has painted the whole country into a corner. If we are lucky enough, the Comelec may still meet its deadlines. After all, a random throw of two coins does come up with two heads 25% of the time. But the same toss will not have two heads 75% of the time, the same risk of failure facing the automated elections. To prepare for this more probable eventuality, we must now wrack our heads and find a way out of this black hole that automation is threatening us with.

March 28, 2010

The Halalang Marangal (HALAL) convenors are: former Senator Wigberto Tañada, retired General Francisco Gudani, former Comelec Commissioner Mehol Sadain, PRRM president Isagani Serrano, former St. Scholastica’s College president Sr. Mary John Mananzan, TOYM awardee Atty. Ma. Paz Luna, and IT expert Roberto Verzola.

Updated HALAL analysis: automated election has 25% chance of success

I have updated our presentation regarding the chances of success of the May 10 automated elections. I have added details regarding the ballot printing problem, and added to the list of things the Comelec must do to improve the chances of success.

The updated presentation may be downloaded here:

halal-analysis-of-aes-risk-of-failure-as-of-March 23.

Back to school

I haven’t updated this blog since April for several reasons. I thought I could do some blogging while doing my research on automated elections and electronic voting machines last April and May at the University of Oxford Internet Institute (OII). But I only managed one short piece. I needed all the time I could spare for the research. (My final output: four working papers – check here — and two early drafts). When there was time to spare, the spare time wasn’t enough either for the OII library, Oxford’s Social Science Library, the museums of Oxford and London and other attractions. So blogging had to wait.

Deaths in the family. When I arrived on June 4, I went straight to the Lung Center, where my 91-year-old mother Anastasia was in the Intensive Care Unit, due to pneumonia. Unfortunately, she probably picked up drug-resistant varieties of the disease from the hospital itself. After a month in the hospital (we took her out of ICU so her children and grandchildren could spend more time with her), she succumbed from the disease. We buried her on July 1 beside my father, Pio, who died 10 years ago when he was 84. On their tombstones we put two epitaphs: “A principled man who led a simple life”, and “A devoted woman who lived to help others”. Both had enjoyed a full life. A few days before my mother passed away, a dear cousin, Bienvenido Verzola Jr., “Manong Tron” to us, and whom I considered an elder brother, also died from cancer. He was the incumbent mayor of his hometown, Luna, Apayao, and was well-loved by his constituents. He was buried July 2 in Luna.

I have also gone back to school. I enrolled in my old alma mater, the University of the Philippines, for an MA Economics course. Many have asked me, “why economics?”

Why, indeed? I had been studying the social impact of new information and communications technologies (ICTs) for decades. I had even written a book about this topic, Towards a Political Economy of Information (full text available here). In the mid-1990s I started work on environmental issues and, starting 2000, basically went on semi-retirement from ICT work to volunteer for farmers’ groups, I worked for years with the sustainable agriculture network Pabinhi and also became coordinator of SRI-Pilipinas, which promotes the System of Rice Intensification. I think I have found a conceptual thread that ties all of my work together. This is the phenomenon of abundance. I decided to go back to school to learn everything I can about abundance, and to distill my own insights about this phenomenon. More about abundance in future blogs.

At 55, I struggle with my courses: Statistics, Math and Microeconomics. My mind doesn’t absorb as fast or retain as much. But I take the courses very seriously, because they are immediately useful to me. The Stats course is important for our election audit work at Halalang Marangal. We have a standing proposal for the Comelec to use double-entry accounting in election tallies, and to conduct a post-election statistical audit to double-check the automated election results. The Math and Micro courses, I need for studying the political economy of abundance, a personal project I have began to embark on. The pace of the Math course (Econ 206) is blazingly fast. I try to study in advance, but each lecture leaves me feeling way behind. The textbook is not very useful for those who want to learn from the book. But I am gradually acquiring some tools for my study on abundance, so I am not complaining. When the semester is over, I will let you know how things turned out.

By the way, one of my election pieces (Automated elections: voting machines have made mistakes too) made it to the top ten downloads at the Social Science Research Network. Nice reward for the hard, hard work that went into that paper. My Oxford pieces were also cited in Dan Mariano’s July 23 Manila Times column entitled “From ‘Hello, Garci’ to ‘Hello, IT'”.

Finally, a pleasant surprise for me: former President Fidel V. Ramos cited my work on intellectual property rights (IPR) in his July 15 speech at the 17^th Annual International Conference of the Asian Media Information and Communication Center. I like the part that he quoted: “Advanced countries think nothing of pirating our best scientists, engineers, technicians and other professionals. They also pirate our genetic resources.” He missed the best part though, where I said that advanced countries complain when we pirate their software, though we never take the original copy away, but they themselves pirate our best professionals, taking the original away and leaving nothing behind. You’ll find the full article here.

In the meantime, I think I can now spare an occasional hour, to keep this blog updated. Thank you all for your patience.