Metro Manila (CNN Philippines) — The Commission on Elections (Comelec) on Tuesday (January 26) came up with the trusted build of the software that will be used to run the election management system (EMS) of the May 9 national and local polls.
The supplier of the software, Smartmatic-Total Information Management (TIM), and the international certifier, SLI Global Solutions, put the trusted build together based on the customized source code reviewed by SLI in Denver, Colorado, USA.
They were supervised by members of the Comelec and representatives from the Technical Evaluation Committee of the Department of Science and Technology (DOST).
On its website, the Comelec defines the trusted build as “the process whereby the source code is converted to machine-readable binary instructions (executable code) for the computer. It is performed with adequate security measures implemented to give confidence that the executable code is a verifiable and faithful representation of the source code.”
Comelec Senior Commissioner Christian Robert Lim said the trusted build is what will be loaded onto the main server of the EMS and determines essential elements of the polls, like ballot faces and voter distribution among precincts.
The source code, on the other hand, is the human-readable version of the software. It underwent parallel review processes, one by SLI and the other, by local political parties and advocacy groups.
Comelec Spokesperson James Jimenez described the process of constructing the trusted build as “putting back together the elements of the source code, which the reviewers took apart for scrutiny.”
The trusted build also contains improvements and customizations to the source code as a result of the review process.
After an eleven-hour session, representatives from SLI and Smartmatic loaded the trusted build into a thumb drive which will be kept secure overnight in the Comelec main office at the Palacio Del Gobernador in Intramuros, Manila. The drive will be handed over to the Bangko Sentral ng Pilipinas (BSP) on Wednesday (January 27) for escrow.
At the start of the session, representatives from poll advocacy groups raised questions on the timing and credibility of the software.
Lito Averia, a volunteer with the National People’s Movement for Free Elections (NAMFREL), pointed out that the local reviewers have yet to scrutinize the customized source code. They have only so far reviewed the base source code.
“In this case, the trusted build process is going ahead without the benefit of the local group having reviewed the customized code. And there’s no hash code to compare it with. So, to me, it does not build an assurance that they’re working on the same source code,” Averia said.
Hash codes are derivatives of software—like fingerprints. They are unique and may be compared to determine whether two pieces of software are identical.
The goal of any source code review is to rule out the existence of malicious lines that may direct the automation system to perform tasks other than what it is intended for, i.e., to scan the ballots and count the votes properly and accurately. It is meant to rule out suspicion that the system may be manipulated to railroad the elections.
The output, the trusted build, is supposed to be completely trustworthy, as its name suggests.
Averia said it would not hurt to wait until the local reviewers are finished with the customized source code, which they will begin to scrutinize on Monday (February 1).
Lim, who leads the steering committee for the May 9 polls, said the poll body cannot afford to wait longer for the trusted build because it is necessary to begin laying out and printing the ballots.
The Comelec initially set the printing for January 26 but postponed it to February 1 and yet again to February 8 to wait for the Supreme Court to decide on whether Sen. Grace Poe should be allowed to run for president. The decision will determine whether Poe’s name will appear on the ballot
“Yung base code yun eh. Yun yung pinaka-basic pa na code. Syempre marami kaming mga requirements na for Philippine elections. We call it ‘customization requirements’ and it will change the source code. So syempre, hindi mo pwedeng i-match yung base code at saka yung code na yon. Kasi yung code na yon, marami na kaming binago. Marami na yung customized for Philippine elections at saka yung errors na nakikita ng SLI, kino-correct na nila,” Lim said.
[Translation: That was the base code. That was the most basic code. Of course, we had many requirements specific to Philippine elections. We call it ‘customization requirements’ and it will change the source code. So, of course, you won’t be able to match the base code (with the customized code) because the (customized) code contains many changes from us. It has many features custom-built for Philippine elections. Also, whatever errors were there have now been corrected by SLI.]
SLI reviewed the source code for several months. Lim said the Comelec is paying the company $44,000 for the certification and the requisite tests. The law requires that the source code for the automated election system be reviewed and certified by an independent third party.
