‘Not enough proof’ yet in server logs to show 2016 poll fraud
AT A GLANCE:
- The supposed activities in the server logs, as cited in Senator Vicente Sotto III's privilege speeches are "inconclusive" and do not point yet to vote manipulation, according to 3 information technology specialists.
- The IT sources raise concerns, however, over the security aspect of the automated election system (AES).
- Specialists push for more transparency and explanations from the Commission on Elections and Smartmatic to address cheating allegations in the automated elections.
MANILA, Philippines – More than a year before the 4th national and local polls in 2019, the country's automated election system (AES) is taking another hit.
In two privilege speeches, Senator Vicente Sotto III made allegations of election fraud reflected in snippets of "logs" from two election-related servers during the 2016 elections.
In his first speech on March 6, Sotto said these logs supposedly showed there were "early transmission" of votes a day before and the morning of the polls, and there was "foreign access" in domain name service (DNS) servers.
He followed it up on March 14 with a second speech, where he spoke of the existence of 4 "queueing servers," and questioned the handling of election returns that were not transmitted to the Comelec Transparency Server.
These information came from a "concerned and impeccably reliable source," said Sotto. Most of these claims have also appeared in a presentation at a cybersecurity conference organized by Global Chamber Manila last January 31.
During that conference, a person wearing a mask said in a video that he and his group "were able to access computers and servers" of the AES, which were managed by the Commission on Elections (Comelec) and Venezuela-based firm Smartmatic.
In a news report following his first speech, Sotto quoted his source as saying that 6 national candidates "benefitted" from these alleged irregularities. He has yet to reveal who these candidates were.
Are these claims enough to prove poll fraud? No – at least for now. There is not enough information yet to show that the vote counts of certain candidates were affected.
"So far, nothing in the evidence conclusively points to anything wrong," said William Yu, IT director of election watchdog Parish Pastoral Council for Responsible Voting (PPCRV). "It could, but it's not automatic. It's not a conclusion you can jump to."
"The infrastructure and software may have been used to commit fraud, but where is the fruit of the fraudulent act?" asked Lito Averia, an IT consultant and an advocate of transparent elections.
The DNS queries "indicate only traffic in so far as establishing connections between devices," said Averia. "It still does not show what data are involved."
DNS servers map IP addresses of devices in a network to a readable address, like associating a phone number to a person in a directory. In the AES, it gives to vote-counting machines the IP address of the server where they should transmit election results.
Yu said that in the logs, "there's a line that says this client queried the DNS for this server. It is easy to say that it's a 'transmission,' but I'm saying that's a mistake." (READ: 'Irregularities' in 2016 election server logs? Not necessarily, says I.T. expert)
Yu also said networks can "generally have more than one DNS resolver configured. Any can be used. This is best practice."
As to the "early transmission" issue, Averia did not agree with Comelec spokesperson James Jimenez's explanation that these were final testing and sealing (FTS) activities. Comelec's own rules state that the FTS in polling precincts can only be done from May 2 to 6, 2016. This was also mentioned in Sotto's second speech.
But Averia raised the possibility of lapses, like delays in the delivery of VCMs. If ever there were testing activities outside the allowed period, these should have been written down in the minutes of the Board of Election Inspectors (BEI) manning the precincts, he added. (READ the explanation of former Comelec chief of staff Emil Marañon III in "Debunking Sotto's election fraud claims.")
Meanwhile, the supposed "foreign access" in the DNS server by an Amazon web server (AWS) could be "as harmless as doing analytics," said Joben Ilagan, CEO of Seer Technologies, a software consultancy company.
"Access by the foreign entity seems to only have been limited to the DNS server and only DNS stats are being retrieved," he added.
How about the "4 queueing servers" claim?
While Averia noted that these servers were belatedly disclosed to poll watchdogs, these might be needed to assist in transmitting huge volumes of election returns. "It will absorb heavy transmissions of data, hold it for a while, then forward it to the proper consolidation and canvassing system (CCS)."
"The CCS recipients can only receive so much. If there were no 'queueing server(s),' then election returns would have been lost," he explained.
Yu reminded the public to be careful in reading into these allegations, because the data in the logs are "very limited."
As to the 7 regional hubs, Yu said these may correspond to warehouses of logistics providers that deliver VCMs to the polling precincts.
Rona Caritos of the Legal Network for Truthful Elections (Lente) also told Rappler that the VCMs, including spare units, had been deployed to these hubs at least a week before election day.
However, Eric Alvia, secretary general of the National Citizens' Movement for Free Elections (Namfrel), told Rappler that Comelec had informed them about these hubs only "a day before election day" and with scant details.
If ever a VCM malfunctioned, Yu said technicians would have to attempt to fix it at the affected precinct, not at the hubs. Spare units from these hubs would be delivered if the fix was unsuccessful, said Caritos. This is reflected in Comelec Resolution Number 10101, specifying contingency procedures in the conduct of the polls.
What should we be worried about? The IT experts raised concerns on the security aspect of the AES, as well as the level of transparency by both Comelec and Smartmatic.
For Ilagan, the root access privilege of user "e360sync" was worrisome.
Users with root privilege "has all the necessary powers to look into and maybe change something inside the servers," Averia explained separately.
Ilagan asked: "Was the AWS server and user authorized for remote access? And since the user has root privileges, how deep down can its access go? Can it also access election servers?"
"While this is not sufficient proof to say that there were early transmissions, some doors were open and you cannot assume that nothing happened, unless you take stock and do an inventory or audit of what is there," Ilagan said. "[We] cannot brush this aside, unfortunately."
Ilagan added that Smartmatic or Comelec should come clean on the use of Amazon web server and the supposed queueing servers. "The burden of proof is on Smartmatic to show why it isn’t possible [to cheat]" with these servers, he said.
For Averia, while poll fraud wasn't demonstrated yet in these logs, he asked where the AWS server is located and whether its use was disclosed or authorized.
If the allegations about it were true, he wondered why government data related to elections were "sent to a cloud service whose servers are not in the Philippines."
Ultimately, the IT experts pushed for increased transparency in the entire automated election process.
A full disclosure of the entire AES setup – both software and hardware – and the participation of more 3rd-party observers are needed. These could be included in more expansive source code reviews, they said.
Comelec and Smartmatic's transparency problems are why issues like the untransmitted votes to the Transparency Server and the use of an Amazon web server raise doubts on the automated polls, said Averia.
Ilagan described the current election setup as "highly-centralized" and voters "are just made to trust the system." With allegations like those in Sotto's privilege speech, Comelec and Smartmatic must "continuously reassure the public" on the integrity of the AES, he added.
"Should it turn out that this is not the only log involved, then expect all sorts of other allegations that may come up in the future."
Yu added that since Senator Sotto had raised these allegations, Comelec and Smartmatic should be the ones providing the explanations. But he said the line should be drawn on "how far they would go to disprove" various claims, especially if some of the supposed evidence are "weak."
"It is very hard to prove the absence of a conspiracy," he argued.
What would it take to prove poll fraud? The IT specialists said: show in the data that the vote counts have been changed, and show how it was done. Exhibit that the vote counts sent by the VCMs are different from the ones received by the election servers.
To prove poll fraud, Averia said these questions need to be answered:
- Where did the cheating or manipulation happen?
- How was the fraud perpetrated?
- Who did it?
The allegations in Sotto's speech have yet to cover these questions, he argued. "One needs to get to the data and the software to find proof of fraud."
"If ever votes were manipulated, at what stage did it happen? Was the manipulation done at the VCM level, or at the consolidation and canvassing level?"
Averia said that in order to expose poll fraud in the AES, "the machines and memory cards must be forensically examined."
Activity logs from vote-receiving election servers and the VCMs itself, as well as transmission logs from network providers, would help to determine credible proof of fraud, he added.
Yu added that Comelec and Smartmatic should have a list of IP addresses of all the devices in the AES network. This would help in checking the IP addresses listed on the server logs.
One possible way to cheat, Averia and Ilagan explained, is by having a "man in the middle" or a device which could intercept transmissions to switch or change election returns (containing vote counts) sent by VCMs. This server could also "spoof" IP addresses, or pretend to be another IP address to pass off as a valid recipient or sender of vote results in the AES.
But Averia argued, "We have not seen proof of that happening."
What questions remain unanswered? More than a week after Sotto's speech, neither Comelec nor Smartmatic has fully answered the allegations.
However, Comelec said it is investigating the matter and coordinating with Senator Sotto's office to get copies of these logs and other documents.
This leaves some more questions:
- Who retrieved these logs from the DNS servers and when? Were the DNS servers hacked? If an "insider" from Comelec did this, was he or she given authority to do so?
- Was Comelec alerted that someone was downloading the logs from the two DNS servers?
- What is the actual topology or network layout of the AES used during the 2016 elections?
- Were the main vote-receiving election servers up and running days prior to election day? What were the activities in it during that time?
- If the "queueing servers" were really necessary, what were the actual activities in it?
- Were the servers that consolidate and receive votes "re-zeroed" or reset to zero votes before polls open, like what is done to VCMs? If yes, is there a document reflecting this?
- If the supposed activities were indeed transmission tests by vote-counting machines, were these officially recorded by BEIs or election officers in polling precincts?
How about the issue of "zero votes"? During the interpellation following his speech, Sotto mentioned the number of precincts where some of his colleagues got "zero votes" in the 2016 elections.
Sotto was right to clarify that any candidate can get "zero votes" in some areas. Rappler has shown this in the 2016 vice presidential elections, where winner Maria Leonor "Leni" Robredo and her closest opponent Ferdinand "Bongbong" Marcos Jr did not get votes in certain precincts. (READ: Which VP candidate benefited the most from zero votes?)
Data from the Comelec Transparency Server also show that none of the 12 winning senators in 2016 received zero votes in any of the precincts in Angono, Rizal, and Libon, Albay, the two locations mentioned in Sotto's first speech.
However, there is no solid connection yet between the supposed activities in the server logs to the actual vote counts in the 2016 elections. – Rappler.com