The design of the transparency server which is under COMELEC control as an interface that provides media outlets and election watchdogs copies of election returns (ERs) transmitted from the VCMs poses an architectural pseudo-security flaw. When I say pseudo-security flaw, I do not mean that it introduces an actual security flaw that can be exploited to alter the results of the election. I am talking about the potential security flaws as perceived by observers because the Transparency Server was not transparent enough. Regardless, this cast doubt among the people on the trustworthiness of the election results.
Unlike the Transmission Router which supposed to store and forward encrypted ERs in their unaltered form to local CCSs and the Transparency Server, the Transparency Server (which if I may add had been subjected to a code review) transforms ( read as decrypted and combined with other pieces of information such precinct codes, etc.) the encrypted ERs before forwarding them to media outlets and watchdog organizations [1]. This design breaks the verifiability of information flow from the VCM to the media outlets that publish unofficial results.
A better design is to remove this indirection and allow media outlets to get their copies of ERs directly from the VCMs via the Transmission Router and have them verify the integrity of the transmitted ERs themselves. This design will require more technical investment on the part of media outlets. However, this will undoubtedly make the intended purpose of the Transparency Server true to its name. If done this way, the transparency server is no longer a "single" server controlled by COMELEC but is the collection of servers controlled by independent 3rd parties. This approach will also unburden COMELEC a little bit because now, the responsibility of showing the transparency of the entire election process is shared with the media outlets and other organizations accredited by COMELEC.
The COMELEC can go even a step further and let anyone who is interested verify election results. This can be done by adding to the AES a tamper-proof verifiable public bulletin board containing verifiable election data that are needed to verify election results. How to build this? Blockchain could be part of the solution. But the most important bit here is that the bulletin board is public. Is the Transparency Server in the current AES a verifiable bulletin board? It could be. But is it a verifiable public bulletin board, as it stands, IT IS NOT.
I recently learned that the digital ERs outputted by VCM's do not contain all the necessary information (i.e., not self-contained) to be interpreted completely. With respect to the Transparency Server, the TS needs to first decrypt the ER and link the information it contains to an Oracle database (Original post by Doc Pablo Manalastas [2] ).
Doing so minimized the size of the ERs and improved overall performance, but it sacrificed their verifiability. As mentioned previously, this design adds additional layers of transformations which could lead to more vulnerabilities if left unchecked/audited.
Doing so minimized the size of the ERs and improved overall performance, but it sacrificed their verifiability. As mentioned previously, this design adds additional layers of transformations which could lead to more vulnerabilities if left unchecked/audited.
This issue could have been easily avoided by packing all the information needed to "interpret an ER as intended" in the transmission package itself, making it self-contained. However, obviously doing increases the size of the transmission package and could impair performance. But one can't also ignore the benefit that a self-contained transmission package provides. In the current implementation, there's a possibility of gaps in the verification chain. I feel it's safe to say that the code the processes a self-contained transmission package would be less complex and easier to review.
A self-contained transmission package would also mean that ERs in their "pristine" form can be easily shared to 3rd party observers e.g., media outlets, election watch organizations, etc. for the purpose of allowing independent verification of results increasing the level of transparency of the entire election process. Accredited 3rd party election observers will be able to verify the integrity of the ERs themselves, independently from the COMELEC. Perhaps this is what NAMFREL was after when demanded access to more election data from the COMELEC. The use of a proprietary data format would result in some legal implications in terms of copyrights, etc. Hopefully, in future elections, COMELEC opts for an AES solution that generates election data using open data format to allow free exchange and independent verification of election results by 3rd parties, if it is not yet done this way in the current system.
It would be great if the COMELEC opens the design of the AES and its components to review, just like what they did with code review. Most of the issues that have been discussed in posts about the AES stemmed from architectural decisions that went into the implementation of the AES components. Unfortunately, some of these decisions preferred to prioritize system performance while sacrificing the simplicity, verifiability, and transparency of election data.
Some people claimed that the use of Blockchain is the solution to the problem. However, they failed to identify the problem that Blockchain is supposed to solve. It’s possible that Blockchain gets used in future versions of our country’s Automated Election System, but not for the right reasons. The COMELEC should discern what is lacking in the current system. Because in the end, all engineering solutions will not matter until the AES is designed in a way that empowers ordinary citizens with reasonable technical know-how to verify election results.
No comments:
Post a Comment