Tuesday, September 22, 2009

The Death of Election 2010 Source Code Review (Sep 23 09)

If you saw the ANC special on Election 2010 at 8:00 o'clock PM on Monday night, where I asked Comelec when the source code of the Election 2010 computer programs will be released for review by interested political parties and groups, Director Rafanan said that CenPEG will not do a source code review, but a international certification agency will do the review as a prerequisite to TEC certification. After customization in November 2009, and after code review by that international certification agency in February 2010, the source code will be "shown" to interested political parties, but not reviewed by them. The PPCRV representative and Ramon Casiple and Renato Garcia even added that the source code will be presented in much the same manner that a company shows its financial statements to the public.

My daughter Karen keeps telling me that I should not cite the law, RA-9369 Section 12, which reads:

"Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof."

She says that I should not cite the law to the lawyers of COMELEC, since they are better at the law, and they can can twist the meaning of the law to whatever they want the law to look like. But I argue with her that this provision is not just a question of law, but a question of computer technology as well, at which I am slightly better than the lawyers of COMELEC. No matter how I twist and turn and squeeze and pull and push these words of Section 12, I see no way out but for COMELEC to release the source code to the political parties and groups who are interested, and showing them the advertizing page of a company giving a healthy financial statement of the company is not a substitute for source code review. Ask any computer programmer, ask Supreme Court Justice Antonio Carpio, ask the members of the Philippine Linux Users' Group and they will NEVER agree that showing the public a certification by an international certification agency that states that the Dominion Voting Systems "Democracy Suite Ballot Marking System plus the Democracy Suite Image Cast" has been certified and is suitable for use in the Primaries in New York, is not an acceptable certification that the "Democracy Suite Image Cast" alone (which Smartmatic has renamed to SAES-1800 PCOS computer) is suitable for use in the Philippines.

What I do not understand is why "computer security experts" like Mr. Mata and others from the CyberSecurity groups do not want the political parties to do a source code review. Why should reviewing the source code make the election programs more susceptible to external attacks? Have they not seen the experience of Linux and OpenOffice and GIMP and so many other programs that are freely available on the Net? Their source codes are available for ANYONE to download and review and modify to their hearts' content, and never have I seen a report stating that the security of Linux or OpenOffice or GIMP has been compromised as a result of these reviews. On the other hand, the source code of Microsoft Windows XP and Vista, are not available for download anywhere, and yet there are gazillions of viruses and vulnerabilities of Windows. This is because opening up the source code for review allows more people to study and to help correct the vulnerabilities. These corrections for improvement can be accepted by COMELEC, if it wants and rejected otherwise. It is still COMELEC's call. It is COMELEC's acceptance or rejection of suggestions for improvements that will determine the future quality of the election programs, not the source code review itself.

But Director Rafanan has already made his final word on the issue, and I believe Director Rafanan's word is god's word. May God bless COMELEC, and may I ask, like Jesus asked, to "Father forgive them, for they know not what they do".

No comments: