Friday, May 17, 2019

Achieving end-to-end auditability and verifiability in Philippine automated elections

The design of the Transparency Server, which is under COMELEC control, as an interface that provides media outlets and election watchdogs with copies of election returns (ERs) transmitted from the VCMs poses an architectural pseudo-security flaw. When I say pseudo-security flaw, I do not mean that it introduces an actual security flaw that can be exploited to alter the results of the election. I am talking about the potential security flaws as perceived by observers because the Transparency Server was not transparent enough. Regardless, this cast doubt among the people on the trustworthiness of the election results.
Unlike the Transmission Router, which is supposed to store and forward encrypted ERs in their unaltered form to local CCSs and the Transparency Server, the Transparency Server (which, if I may add, had been subjected to a code review) transforms (read as: decrypts and combines with other pieces of information such as precinct codes, etc.) the encrypted ERs before forwarding them to media outlets and watchdog organizations [1]. This design breaks the verifiability of information flow from the VCM to the media outlets that publish unofficial results.
A better design is to remove this indirection and allow media outlets to get their copies of ERs directly from the VCMs via the Transmission Router and have them verify the integrity of the transmitted ERs themselves. This design will require more technical investment on the part of media outlets. However, this will undoubtedly make the intended purpose of the Transparency Server true to its name. If done this way, the transparency server is no longer a "single" server controlled by COMELEC but is the collection of servers controlled by independent 3rd parties. This approach will also unburden COMELEC a little bit because now, the responsibility of showing the transparency of the entire election process is shared with the media outlets and other organizations accredited by COMELEC.
The COMELEC can go even a step further and let anyone who is interested verify election results. This can be done by adding to the AES a tamper-proof verifiable public bulletin board containing the verifiable election data that are needed to verify election results. How to build this? Blockchain could be part of the solution. But the most important bit here is that the bulletin board is public. Is the Transparency Server in the current AES a verifiable bulletin board? It could be. But is it a verifiable public bulletin board? As it stands, IT IS NOT.
I recently learned that the digital ERs output by VCMs do not contain all the necessary information (i.e., they are not self-contained) to be interpreted completely. With respect to the Transparency Server, the TS needs to first decrypt the ER and link the information it contains to an Oracle database (original post by Doc Pablo Manalastas [2]).
Doing so minimized the size of the ERs and improved overall performance, but it sacrificed their verifiability. As mentioned previously, this design adds additional layers of transformations which could lead to more vulnerabilities if left unchecked/audited.
This issue could have been easily avoided by packing all the information needed to "interpret an ER as intended" in the transmission package itself, making it self-contained. However, doing so obviously increases the size of the transmission package and could impair performance. But one also can't ignore the benefit that a self-contained transmission package provides. In the current implementation, there's a possibility of gaps in the verification chain. I feel it's safe to say that the code that processes a self-contained transmission package would be less complex and easier to review.
A self-contained transmission package would also mean that ERs in their "pristine" form can be easily shared with 3rd party observers, e.g., media outlets, election watch organizations, etc., for the purpose of allowing independent verification of results, increasing the level of transparency of the entire election process. Accredited 3rd party election observers will be able to verify the integrity of the ERs themselves, independently from the COMELEC. Perhaps this is what NAMFREL was after when it demanded access to more election data from the COMELEC. The use of a proprietary data format would result in some legal implications in terms of copyrights, etc. Hopefully, in future elections, COMELEC opts for an AES solution that generates election data using an open data format to allow free exchange and independent verification of election results by 3rd parties, if it is not yet done this way in the current system.
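The two ideas above, a public tamper-evident bulletin board and self-contained ERs, can be sketched together as follows. This is an added example, not code from the AES or from COMELEC: the record layout, the hash-chain design and all sample values are assumptions, and checking each VCM's digital signature on an ER is left out.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # head value before any ER has been posted


def canonical(er):
    """Serialize deterministically so every verifier hashes identical bytes."""
    return json.dumps(er, sort_keys=True, separators=(",", ":")).encode()


def link(prev_head, er):
    """Digest that commits to one ER and, through prev_head, to all earlier ones."""
    return hashlib.sha256(prev_head.encode() + canonical(er)).hexdigest()


def append_er(board, er):
    """Post an ER to the board and return the new head digest."""
    prev = board[-1]["head"] if board else GENESIS
    board.append({"er": er, "prev": prev, "head": link(prev, er)})
    return board[-1]["head"]


def audit(board, published_head):
    """Recompute every link. Returns (indexes of altered entries, head matches)."""
    altered, prev = [], GENESIS
    for i, entry in enumerate(board):
        if entry["prev"] != prev or entry["head"] != link(prev, entry["er"]):
            altered.append(i)
        prev = entry["head"]
    return altered, prev == published_head


def tally(board):
    """Aggregate from the ERs alone: names travel with the counts, so no
    external lookup table is needed to interpret them."""
    totals = {}
    for entry in board:
        for name, votes in entry["er"]["votes"].items():
            totals[name] = totals.get(name, 0) + votes
    return totals


def build_sample_board():
    """Constructed sample data: precinct codes, names and counts are made up."""
    board, head = [], GENESIS
    for code, a, b in [("PRECINCT-0001", 120, 95), ("PRECINCT-0002", 80, 101),
                       ("PRECINCT-0003", 64, 64)]:
        head = append_er(board, {"precinct": code, "contest": "Mayor",
                                 "votes": {"Candidate A": a, "Candidate B": b}})
    return board, head


if __name__ == "__main__":
    board, head = build_sample_board()
    print(audit(board, head), tally(board))
    forged = copy.deepcopy(board)
    forged[1]["er"]["votes"]["Candidate B"] = 10   # alter one posted ER
    print(audit(forged, head))                      # entry 1 no longer links
```

An observer who keeps only the published head digest can detect both a single altered ER and a fully rewritten chain, which is what makes the board verifiable without trusting whoever hosts it.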
It would be great if the COMELEC opens the design of the AES and its components to review, just like what they did with code review. Most of the issues that have been discussed in posts about the AES stemmed from architectural decisions that went into the implementation of the AES components. Unfortunately, some of these decisions preferred to prioritize system performance while sacrificing the simplicity, verifiability, and transparency of election data.
Some people claimed that the use of Blockchain is the solution to the problem. However, they failed to identify the problem that Blockchain is supposed to solve. It’s possible that Blockchain gets used in future versions of our country’s Automated Election System, but not for the right reasons. The COMELEC should discern what is lacking in the current system. Because in the end, all engineering solutions will not matter until the AES is designed in a way that empowers ordinary citizens with reasonable technical know-how to verify election results.

Sunday, May 26, 2013

Thoughts about Vote Buying in the Philippines

Vote-buying in the Philippines can be understood as an instance of the classical prisoner's dilemma problem. On the assumption that a certain class of voters vote for the candidate who gives them money, then: Let's say you have two candidates, A and B. The strategy of candidate A, while taking into consideration the assumption about voter behavior, would follow this train of thought:

1. If Candidate B does not give out money to voters, then it will be better for me to give money to voters because this would increase my chances of winning their votes.

2. If Candidate B does give out money to voters, then it will be better for me to give out money too, in that way, candidate B won't have a definite edge over me. ( Note that this is a simplistic assumption because one could argue that the amount of money given by a candidate also matters in swaying a voter's decision. )

3. Regardless of whether candidate B gives out money or not, it is in A's best interest to give out money, because either way, this strategy would increase his chances of winning a voter's vote.

And candidate B would actually go through the same analysis.

My observation with vote buying in certain towns in Samar showed that this kind of strategy actually works. Perhaps the assumption about voter behaviour used in this analysis is true. For the 2nd case, the one who wins is the one who gives out more money. So for this case, an 'auction' model becomes the appropriate model to describe vote-buying in most towns.


This analysis provides two classes of solutions (voter-centric or candidate-centric) that can be used in addressing this issue. The first one is a class of strategies that aims to change voter behaviour so that receiving money from the candidates won't affect their decisions on whom to vote. The second set of options follows a strategy whose theme is to make candidates be more honest in their methods.

Logistics-wise, I'd personally select the second option because you only have to deal with relatively fewer people (towns in provinces), i.e. 100s of candidates as compared to the thousands of voters that you will have to re-educate and whatnot. This is a more viable solution compared to the voter's education program currently used by COMELEC. If COMELEC really wants to curb vote buying, they should focus their resources on solving it on the side of the candidates. Possible approaches are:

1) maybe through the use of marked money.

2) place the candidates and their staff under surveillance, especially a day before the election.
3) through candidate education; maybe their conscience will bother them and they will stop giving out money.

Does this make any sense?

Thoughts On Election Verifiability and the use of E-voting Systems in Philippine Election

I believe that precinct level manual counting provides very nice security properties that are important in ensuring election results integrity. At each polling precinct, counting is performed publicly and observed by representatives from different political parties and concerned organizations. At the end of the canvassing, election returns (ERs) are validated and then signed by different officials. This means that a malicious party needs to corrupt all of the election officials plus official observers who need to sign an ER in order to commit fraud. This possibility is assumed to have a very insignificant chance of happening considering the fact that official election observers are working for different political parties and have different interests to protect.

This process is inherently secure, except for polling precincts over which the COMELEC does not have any kind of control, e.g. isolated barangays and the like.

In my opinion, the step that has the highest risk of being compromised is the "transmission" of these ERs from the polling precincts to the municipalities, provinces and the national board of canvassers. This is where all the magic of ballot box/ER switching occurs.

We don't need to implement a fully automated counting of ballots in our election because I believe that the current manual counting process still and already provides an adequate level of security.

However, it is in the transmission of ERs from polling precincts to the different aggregation sites where an e-voting technology could be put to good use. We could design and implement a system for transmission of ERs in electronic form, similar to the Consolidation/Canvassing System (CCS).

With respect to our country's election, at the very least, aggregated election results should be verifiable up to the polling precinct level. This level of granularity might not give the same level of verifiability as in individual verifiability but I believe this is good enough given the inherent limitations in the way our national election is conducted.

Imagine that we could verify election results up to the precinct level. If the results are verified by individuals, i.e. voters, located at different precincts all over the country, that could give us a higher level of confidence that votes from different precincts were counted and carried over correctly to higher levels up to the national level canvassing. For example, one could create a Facebook application which is populated with the electronic election returns publicly available in the COMELEC's election results server. An observer can verify that the recorded tally of votes posted in the COMELEC servers is the same as the results shown in the official ERs posted in polling precincts. Boards of Election Inspectors (BEIs) are required by law to post the ERs for their respective precincts within the vicinity of the precinct. So an observer could flag the results transmitted to the COMELEC server as either correct or incorrect.
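The observer cross-check described above could look like the following. This is an added example, not part of any COMELEC system: the data layout, flag names and sample figures are assumptions, and it also handles the cases the paragraph leaves open (no observer report, observers who disagree, a precinct absent from the server).

```python
def diff(server, posted):
    """Per-candidate (server, posted) pairs for every count that differs."""
    names = sorted(set(server) | set(posted))
    return {n: (server.get(n), posted.get(n))
            for n in names if server.get(n) != posted.get(n)}


def flag_precincts(server_ers, observer_reports):
    """
    server_ers:       {precinct: {candidate: votes}} as published by the server
    observer_reports: {precinct: [{candidate: votes}, ...]} transcribed by
                      observers from the ER posted at the precinct
    Returns {precinct: (flag, detail)}.
    """
    flags = {}
    for precinct in sorted(set(server_ers) | set(observer_reports)):
        reports = observer_reports.get(precinct, [])
        if precinct not in server_ers:
            flags[precinct] = ("missing-on-server", None)
        elif not reports:
            flags[precinct] = ("unverified", None)
        elif any(r != reports[0] for r in reports):
            # Transcriptions conflict: re-check the posted ER before judging.
            flags[precinct] = ("observers-disagree", None)
        elif reports[0] == server_ers[precinct]:
            flags[precinct] = ("correct", None)
        else:
            flags[precinct] = ("incorrect", diff(server_ers[precinct], reports[0]))
    return flags


def coverage(flags):
    """Share of precincts with a definite verdict (correct or incorrect)."""
    decided = sum(1 for flag, _ in flags.values() if flag in ("correct", "incorrect"))
    return decided / len(flags) if flags else 0.0


# Constructed sample data; precinct codes and counts are made up.
SERVER = {
    "PRECINCT-0001": {"A": 120, "B": 95},
    "PRECINCT-0002": {"A": 80, "B": 101},
    "PRECINCT-0003": {"A": 64, "B": 64},
    "PRECINCT-0004": {"A": 10, "B": 20},
}
REPORTS = {
    "PRECINCT-0001": [{"A": 120, "B": 95}, {"A": 120, "B": 95}],
    "PRECINCT-0002": [{"A": 80, "B": 110}],
    "PRECINCT-0004": [{"A": 10, "B": 20}, {"A": 10, "B": 25}],
    "PRECINCT-0005": [{"A": 7, "B": 9}],
}

if __name__ == "__main__":
    result = flag_precincts(SERVER, REPORTS)
    for precinct, verdict in result.items():
        print(precinct, verdict)
    print("coverage:", coverage(result))
```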

Tuesday, July 19, 2011

on IP: IPv4 and IPv6

IP is the main protocol at the network layer of the Internet. Essentially, all data sent by any higher-level layer, i.e. the transport and application layers, gets sent as IP datagrams over the Internet. The IP datagram is the building block for internetwork communications provided by IP. IP is meant to be a best-effort protocol for sending data over a network, hence it is inherently unreliable. An advantage of this particular design decision is that the implementation of IP in network interfaces and routers is relatively simple. Moreover, IP is also connectionless, meaning that IP does not maintain any state information about the datagrams coming its way. Each datagram is handled independently of the others. Datagrams of the same message may be delivered to their destination over many different paths and may arrive out of order [1]. Hence, a protocol like TCP is needed on top of IP to provide the reliable service needed by most Internet applications.

An IP address uniquely identifies each device, i.e. hosts and routers, connected to or in the Internet. IP uses a rather simple and intuitive mechanism in routing datagrams from a source to its destination. Routing is done on a hop-by-hop basis. Hosts and routers maintain a routing table, which they use in forwarding a datagram to the next-hop router or network interface indicated in the routing table entry associated with the datagram’s destination IP address. Using ICMP, a router can build its routing table through advertisement and solicitation messages from other routers [1].

The current widely deployed version of IP, IPv4, uses 32-bit IP addresses amounting to approximately 4.3 billion addresses. With the rapid growth in the deployment of applications, services, hosts, etc. on the Internet, exhaustion of available addresses in IPv4 seems inevitable. As an answer to this likely possibility, the Internet Engineering Task Force developed IPv6, which offers a much larger address space, to succeed IPv4 [3]. IPv6 uses a 128-bit addressing scheme allowing about 2^128 unique IP addresses. Aside from having a much larger address space and changes in the IP datagram format, other changes were incorporated into IPv6, which include among others: ICMPv6 for automatic host configuration upon connection to an IPv6 network and network level security through mandatory IPSec implementation [2]. Initial deployment of the service has been performed in countries like the USA, CANADA, JAPAN, and CHINA, with JAPAN enjoying full government support while CHINA showcased it in the 2008 Beijing Summer Olympics.

References:

[1] Stevens, W. R. (1993). Internet Protocol. In B. Kernighan (Ed.). TCP/IP Illustrated Volume 1 (). Addison Wesley.

[2] Das, K. IPv6 – The Next Generation Internet. IPv6.com [@http://ipv6.com/articles/general/ipv6-the-next-generation-internet.htm]

[3] IPv6. Wikipedia. [@http://en.wikipedia.org/wiki/IPv6]

Tuesday, July 5, 2011

on "Congestion Avoidance and Control [2]"

The paper describes a congestion avoidance/control algorithm which has the following features:

1. a connection re/starts slow: the packet transmission rate starts low and then gradually increases until the connection reaches its state of 'equilibrium'. This prevents the connection from sending big bursts of packets, which would make it prone to failure because of constant packet retransmissions.

2. has a 'better' round-trip time variance estimation, which allows it to estimate a more realistic retransmit timeout interval, rto, for succeeding packets. This lets the RTT variance used in the rto computation vary with the medium of communication, e.g. satellite links, which leads to an increase in performance.

3. when congestion really happens, it employs an exponential retransmit timer backoff, which allows the system to really come into its normal state, no matter what.

4. for congestion avoidance, it uses an increase/decrease algorithm with additive increase and multiplicative decrease components. Unlike [1], which uses a binary feedback mechanism (incorporated as a bit of information in the packet header) in determining the state of the system, their algorithm depends on some assumptions about the inherent properties of "lost packets". That is, lost packets are lost essentially because the network is congested. So if a connection experiences lost packets, this means that the network is experiencing congestion and it should decrease its load. On the other hand, if the connection continuously receives ACKs, then that means it can try increasing its load. To achieve fairness, the gateway would just have to drop packets coming from misbehaving (abusive) hosts, which in turn would 'trick' the host into believing that the network is experiencing congestion, and thus that it has to decrease its load. Just curious, did this solution work? I still prefer [1], in terms of the feedback mechanism.
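The four features listed above, sketched for a single connection. This is an added example, not code from the paper: the gains 1/8 and 1/4 and the deviation multiplier 4 are assumed (they are the values later used in RFC 6298), times are in milliseconds, and the window is updated once per round trip rather than per ACK.

```python
class RtoEstimator:
    """Mean plus mean-deviation RTT estimator with exponential timer backoff."""
    ALPHA, BETA, K = 1 / 8, 1 / 4, 4   # assumed gains and deviation multiplier

    def __init__(self, max_rto=64000.0):
        self.srtt = self.rttvar = None
        self.rto = 1000.0               # ms, used until the first sample arrives
        self.max_rto = max_rto

    def on_sample(self, rtt):
        if self.srtt is None:           # first measurement seeds both estimates
            self.srtt, self.rttvar = rtt, rtt / 2
        else:                           # deviation first, using the old mean
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - rtt)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * rtt
        self.rto = self.srtt + self.K * self.rttvar
        return self.rto

    def on_timeout(self):
        self.rto = min(self.rto * 2, self.max_rto)   # exponential backoff
        return self.rto


class Window:
    """Congestion window in packets, updated once per round trip (simplified)."""

    def __init__(self, ssthresh=16):
        self.cwnd, self.ssthresh = 1, ssthresh

    def on_round_acked(self):
        if self.cwnd < self.ssthresh:
            self.cwnd = min(self.cwnd * 2, self.ssthresh)   # slow start
        else:
            self.cwnd += 1                                  # additive increase
        return self.cwnd

    def on_loss(self):
        self.ssthresh = max(self.cwnd // 2, 2)   # multiplicative decrease
        self.cwnd = 1                            # restart slowly
        return self.cwnd


def rto_trace(samples):
    """RTO after each RTT sample, starting from a fresh estimator."""
    est = RtoEstimator()
    return [est.on_sample(s) for s in samples]


def window_trace(events, ssthresh=16):
    """events: 'A' = a full window was acknowledged, 'L' = a loss was detected."""
    w = Window(ssthresh)
    return [w.on_round_acked() if e == "A" else w.on_loss() for e in events]


if __name__ == "__main__":
    print(rto_trace([100, 100, 100, 300]))   # one late sample widens the timer
    print(window_trace("AAAAAALAAAAA"))
```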

Ref:

[1] D.-M. Chiu and R. Jain, "Analysis of the Increase and Decrease Algorithms for Congestion Avoidance in Computer Networks", Computer Networks and ISDN Systems, Vol. 17, 1989, pp. 1-14.

[2] V. Jacobson, "Congestion Avoidance and Control", SIGCOMM '88, Sept. 1988, pp. 314-329.

on the "Analysis of the Increase and Decrease Algorithms for Congestion Avoidance in Computer Networks[1]"

The paper presented a mathematical analysis of increase/decrease algorithms for congestion avoidance in computer networks. Congestion avoidance algorithms allow a network to operate at an optimal level of low delay and high throughput. The authors evaluated the set of increase/decrease algorithms based on the following criteria:

1. the algorithm should allow the communication system to operate at a level of optimal resource utilization (high efficiency).
2. the algorithm should not only ensure efficient utilization of shared network resources, but also see to it that there is fairness in the allocation of such resources among the users of the system.
3. the algorithm should be distributed to make the tasks of the system and the users as simple as possible.
4. the algorithm, starting from an arbitrary initial state, should achieve goals 1 and 2 as fast as possible.


They focused their analysis on a set of increase/decrease algorithms which use linear controls as control functions. A control function is used by a user of the system in increasing or decreasing its load utilization.

Their analysis used a graphical vector representation of the different control combinations to identify the configurations of feasible linear controls that would allow the system to reach the goal of optimal resource utilization and fair resource allocation as fast as possible. Using this approach, they found that a simple linear control with additive increase and multiplicative decrease components is enough for the system to achieve high efficiency and fairness.
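The result can be seen numerically with two users sharing one resource under binary feedback. This is an added example, not code from the paper: the starting loads, goal and control coefficients are assumed values, and the fairness index (sum x)^2 / (n * sum x^2) is not stated on this page.

```python
def step(loads, goal, a_i, b_i, a_d, b_d):
    """One round of the linear control x' = a + b*x, chosen by binary feedback."""
    overloaded = sum(loads) > goal          # the single feedback bit
    a, b = (a_d, b_d) if overloaded else (a_i, b_i)
    return [max(0.0, a + b * x) for x in loads]


def run(loads, goal, rounds, control):
    """Apply the same control at every user for a number of rounds."""
    for _ in range(rounds):
        loads = step(loads, goal, *control)
    return loads


def fairness(loads):
    """Fairness index: 1.0 means equal shares, 1/n means one user has it all."""
    total = sum(loads)
    return total * total / (len(loads) * sum(x * x for x in loads))


# Controls as (a_increase, b_increase, a_decrease, b_decrease); assumed values.
AIMD = (1.0, 1.0, 0.0, 0.5)    # additive increase, multiplicative decrease
AIAD = (1.0, 1.0, -1.0, 1.0)   # additive increase, additive decrease


def compare(start=(10.0, 60.0), goal=100.0, rounds=200):
    """Final loads and fairness for both controls from the same unfair start."""
    out = {}
    for name, control in (("AIMD", AIMD), ("AIAD", AIAD)):
        final = run(list(start), goal, rounds, control)
        out[name] = {"loads": final,
                     "gap": abs(final[0] - final[1]),
                     "fairness": fairness(final)}
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Each multiplicative decrease halves the gap between the two users while additive steps leave it unchanged, so AIMD converges towards equal shares; with an additive decrease the initial gap of 50 never shrinks.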


Ref:

[1] D.-M. Chiu and R. Jain, "Analysis of the Increase and Decrease Algorithms for Congestion Avoidance in Computer Networks", Computer Networks and ISDN Systems, Vol. 17, 1989, pp. 1-14.

Tuesday, June 28, 2011

on the 'Rethinking the design of the Internet: 2 The end to end arguments vs. the brave new world'

The author of the paper reiterates the design principles that have been guiding the development of the Internet up to the present, called the end-to-end arguments. End-to-end arguments, in the context of the Internet, follow the notion of making the functions of the lower layers of the Internet infrastructure as simple as possible. Any application-specific features should be pulled out of the core infrastructure and implemented at the end systems instead. The paper proceeds by arguing that these design principles have been the key driving factor of the advances and innovations that the Internet has been experiencing since its early days. This position paper was written in the face of increasing interest from third parties, i.e. private entities and governments, demanding the inclusion of new features which would allow “better” mechanisms for providing security, privacy, accountability, etc. The paper cited a situation wherein implementing an “eavesdropping” mechanism at the lower level of the infrastructure would still prove useless, given the fact that the end points of the communication are free to apply any available mechanism, i.e. encryption, etc., to the messages being exchanged. Instead of providing the benefits one expected from it, it would only add complexity to the core network, which in turn would increase the cost of deploying new applications to the Internet.