The Philippine Online Chronicles

Sunday
Mar 14

The 2010 automated election machine source code wars

A long time ago, the daughter of Lord Byron, better known as the Countess Ada King of Lovelace, encoded a set of rules to be followed that was to be processed by a device called the Analytical Engine. Thus, Countess Lovelace penned the first source code, which in turn became the first computer program. Today, the source flows around us, penetrates our daily lives, wraps itself around our democratic processes and binds our world together. Every computer system, every computer network, every smart phone and every automated election machine in the world is just a glorified paper weight without the Source.

It is easy to romanticize Source Code. It has been done often enough: will you take the bluepill or will you take the redpill and plunge into the rabbit hole?

I assume you took the redpill because you're still here.

Another way to look at Source Code is to see it as a recipe: source code is to the computer program as a recipe is to a cake. The cook is the programmer, and he assembles ingredients into a recipe. The cook, using the recipe, turns that code into a finished product like cake.

For Masters of the High Temple of Computing, the Source is the way to interact with the machine. It is the human-readable text that, when transformed, instructs a computer system to do something. Is it to eject a disk on your Mac's Finder? There's source code for that. Is it to press your start button on Windows? There is code for that.

If you have followed the guide on how to vote in an automated election, you already know that you will take your ballot and feed it into the 2010 Automated Election Machine, which is a computer that runs several programs meant to do simple things. The machine counts votes for us and generates a canvass report. For election automation, the source code is the human-readable version of the computer program that scans your ballot, counts votes, tallies them and generates reports based on that data.

So you have an idea of what Source Code is now?

In a manual process of counting, everyone can see how the votes are counted and tallied. Someone reads the names, and someone marks the vote on a blackboard. In an automated process, since the computer is doing the counting, we don't know how it counts. We can't see it personally, right? That's why source code review is important. Reading the code tells us how the Precinct Count Optical Scan (PCOS) machine arrives at, say, 10 by adding numbers. For example, the machine could be counting 1 + 1… until it reaches 10. It could be adding 5 + 1… until it reaches 10. It could be 9 + 1 = 10.

Reading the source code gives us an idea of what the machine is actually doing. This is important for seeing how the machine transmits the data it has collected and where it sends that data. An understanding of the source leads us to an understanding of how this machine does what it does, and not just whether it conforms to what we expect.

So that's good, right? It is so good that our law actually requires this to happen.

Yet, there is this fervent controversy surrounding the Source Code for the 2010 Automated Election Machine. So controversial that it has been brought before the Supreme Court. So what are the things you need to know?

Republic Act 9369 is the Election Automation Law and is in fact an amendment of a previous law. That said, section 11 says that the source code must be held for safe keeping at the Bangko Sentral ng Pilipinas:

"SEC. 11. Functions of the Technical Evaluation Committee. - The Committee shall certify, through an established international certification entity to be chosen by the Commission from the recommendations of the Advisory Council, not later than three months before the date of the electoral exercises, categorically stating that the AES, including its hardware and software components, is operating properly, securely, and accurately, in accordance with the provisions of this Act based, among others, on the following documented results:

1. The successful conduct of a field testing process followed by a mock election event in one or more cities/municipalities;

2. The successful completion of audit on the accuracy, functionally and security controls of the AES software;

3. The successful completion of a source code review;

4. A certification that the source code is kept in escrow with the Bangko Sentral ng Pilipinas;

5. A certification that the source code reviewed is one and the same as that used by the equipment; and

So clearly the job of the Technical Evaluation Committee included keeping the source code safely locked away. Here the waters become murky.

On October 03, 2009, the Center for People Empowerment in Governance (CenPEG) wrote to the Commission on Elections regarding the release of the source code for study, and CenPEG also filed a petition for Mandamus before the Supreme Court. CenPEG wants the source code out in the open so it can be reviewed, but there's a problem: Smartmatic's license for using the program for the automated election machine does not include a license for the source code. It is the difference between receiving the cake only, and receiving both the finished cake and the ingredients and instructions on how to make the cake.

Does CenPEG have justification for this?

"To see the full ramifications of this consider the following somewhat philosophical but highly technical question: When one is conducting a SOURCE CODE REVIEW of a large complex system like the contemplated 2010 automated election system for the Philippines, say of the PCOS machines or the accompanying central election management and monitoring software, how does one know that one has ALL of the SOURCE CODE?" Philippine Commentary stated in a post entitled "The War Over Source Code." The post goes on to this:

"In my personal experience and considered opinion this can only be accomplished completely by requiring of the system supplier to provide not only the source codes of each program module, but also the capability to literally BUILD the executable code from scratch; to store and cryptographically secure the same, ("escrow at the Central Bank" as RA 9436 specifies); securely transfer that operating software to each PCOS machine before Election Day."
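The check that Section 11 item 5 and the post quoted above both call for, that the reviewed source is complete and is what the machines run, can be sketched as follows. This is an added example, not code from the article or from any party to the dispute; `toy_build` is a hypothetical stand-in for a reproducible build, and the file names and contents are constructed.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tree_digest(files: dict) -> str:
    """SHA-256 over a source tree given as {relative_path: bytes}, independent of file order."""
    h = hashlib.sha256()
    for path in sorted(files):
        for part in (path.encode(), files[path]):
            # Length prefix keeps "ab"+"c" distinct from "a"+"bc".
            h.update(len(part).to_bytes(8, "big"))
            h.update(part)
    return h.hexdigest()

def toy_build(files: dict) -> bytes:
    """Hypothetical stand-in for a reproducible build: same inputs always give the same bytes."""
    return b"".join(files[p] for p in sorted(files))

def escrow_record(files: dict) -> dict:
    """What the escrow agent would store: digests of the source tree and of the built image."""
    return {"source": tree_digest(files), "firmware": sha256_hex(toy_build(files))}

def verify(record: dict, reviewed: dict, machine_image: bytes) -> list:
    """Return the list of mismatches; an empty list means all three checks pass."""
    problems = []
    if not hmac.compare_digest(tree_digest(reviewed), record["source"]):
        problems.append("reviewed source is not the escrowed source")
    if not hmac.compare_digest(sha256_hex(toy_build(reviewed)), record["firmware"]):
        problems.append("rebuild does not reproduce the escrowed firmware")
    if not hmac.compare_digest(sha256_hex(machine_image), record["firmware"]):
        problems.append("machine image is not the escrowed firmware")
    return problems

# Constructed sample tree; names and contents are made up for illustration.
FULL_TREE = {"scan.c": b"read ballot\n", "tally.c": b"count marks\n", "report.c": b"print canvass\n"}
RECORD = escrow_record(FULL_TREE)

if __name__ == "__main__":
    partial = {k: v for k, v in FULL_TREE.items() if k != "report.c"}  # reviewer missing a file
    print(verify(RECORD, FULL_TREE, toy_build(FULL_TREE)))
    print(verify(RECORD, partial, toy_build(FULL_TREE)))
    print(verify(RECORD, FULL_TREE, toy_build(FULL_TREE) + b"\x00"))
```

A reviewer who was handed an incomplete tree fails the first two checks even when the machine image itself is untouched, which is why the ability to rebuild from scratch matters as much as reading the code.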

The matter of source code review had been a hot topic over at the Philippine Linux Users' Group mailing list. In depth, these masters of the source code fired argument after counter argument at the relevance of doing a source code review.

Oscar Plameras wrote in an argument against source code review. In that email, he made a comment saying:

I think it's silly to spend so much money and time to test the Election System by reviewing Source code.

From my experience, end users implement acceptance testing of the system by developing a series of tests other than source code review. The main idea is to simulate scenarios of operations with input test data and pre-defining the expected results. Several scenarios are covered with the input data that's prepared.

He then goes on to write:

Hardly any commercial developer will allow third parties to have source code access to their proprietary software. And in general, commercial confidence protects the privacy of these codes under the trade secrets act of countries. I think the Philippines is a signatory to that.

Mr. Plameras' stance is actually the minority point of view on PLUG.

In a counterargument, Paolo Falcone wrote (on the same mailing list), "The system is indeed not designed to detect corruption, and neither does a source code review indicate that with all degrees of certainty the presence of a backdoor indicates corruption."

Mr. Falcone went on to say:

Then again, only a source code review satisfies the requirement that there will be no backdoors in the inspected application, be it put by a corrupt programmer or a programmer in a hurry to get out of the office. A blackbox testing with the specifications can only get you so far - that the system is compliant as per specification. Whether it exceeds or subverts the specification outside the test conditions is something that you can only get with a code review.

To recap: source code review is important because it seeks to tell us how the machine operates on the data and whether or not it has "backdoors" or has been compromised in any way.

At this point is it a question of technology (the ability to do source code review) or is it a question of law?

Our laws are quite clear that Source Code needs to be reviewed and needs to be seen by competent authority. This is being done now by Systest Labs, which was awarded the contract by COMELEC to provide all code review, functional, performance and hardware testing of the election machine.

So what's the problem? Comelec has asked a third party to do the review. So we're all good right? Not quite.

On Filipino Voices, Pablo Manalastas asked another interesting question when he wrote "Election 2010: Public Counting & Code Review," and it goes:

"Is Smartmatic liable under Philippine laws for its misrepresentations of facts? Is COMELEC, under advice from the CAC, fooling the People?"

Professor Manalastas goes on to write, "A reading of the License Agreement presented by Smartmatic to COMELEC, which is a public document whose contents the people has the right to know, shows the following. The PCOS computer hardware and software/firmware are owned by Dominion Voting Systems of Canada. On April 4, 2009, Smartmatic licensed this technology from Dominion for a period of five years, “with the right to sublicense the right to use such software to the COMELEC”, but that “Dominion will retain sole liability to amend, change or develop all software or firmware or EMS.”" He then added this argument:

It is clear from this document that Smartmatic’s license is a binary license, and Smartmatic has never been authorized to get the source code from the very beginning, nor is it authorized to modify the source code in any way. When Smartmatic joined the COMELEC bidding to supply computer equipment, management, and training for Election 2010, it had full knowledge that it could not meet the provision of RA-9369 Section 14, which states “Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof”. Since COMELEC is a sublicensee of Smartmatic, which in turn is a licensee of Dominion, with only a binary license, COMELEC could not fulfill this sacred duty of source code review in an environment in which “political parties may conduct their own review,” because there is no source code to review.

There are two important parts here. For Manalastas, it is philosophical as much as it is a matter of law.

Just to be clear again, section 12 paragraph 5 of RA 9369 states (note: AES means Automated Election System):

"Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof." (emphasis mine)

Let us first look at the philosophical. It is philosophical in that Professor Manalastas is from the Open Source school of software development. This is the school of thought that believes all Source Code should be available for peer review. Meaning, you, me or anyone who would want to read the code can do so without prejudice. That school is the polar opposite of where Bill Gates comes from, which is the school that says source code is secret and an internal corporate matter. In the Microsoft-centric universe, source code is proprietary and contains trade secrets.

The spirit of RA 9369 and the letter of the law clearly say that the source must be made available. It is a matter of law, because our law follows the philosophy of open source: that the code may be available to political parties and other groups and they may conduct their own review. The Liberal Party and the Nacionalista Party, for example, may request a copy of said code and have it reviewed.

Manalastas believes that the license obtained by Smartmatic does not include the source code, only the program itself (i.e. the cake and not the instructions on how to bake the cake). He argues that both Comelec and Smartmatic are in violation of the law. The Comelec is in violation because it did not verify whether Smartmatic's license included the source code, and the latter is in violation of the law because it submitted a bid and won it, knowing full well it did not meet all the qualifications.

Can the owner of the licensed source code be compelled to release the source code to all parties and anyone interested? With the appointment of Systest, Comelec didn't really open it. It simply allowed a third party to view the code under the safeguard that it will not spread it. But what of the portion of the law that states that political parties and others have a right to do their own audit?

Least understood, does the implication of this law go beyond election automation? Is that a foolish notion? Does this case go into the heart of the philosophy of software development?

The source code in this particular case isn't open. It is closed. The law demands that, for example, political parties be allowed to review the code; ergo, open sourced. But what happens when the source code license in this case doesn't allow third parties to view the source? Did Comelec and Smartmatic violate the law? Could it be forced open? Could the code, because of this law, be forced to become freely available for anyone to peer review? Is this more viral than GPL version 3? And is it not an imperative that political parties and other groups jump at this opportunity to validate the law, to settle it one way or the other?

Perhaps it is the reflection of our time. It is as if darkness blankets our society, and law and our very democratic processes are perverted to yield the opposite. The source code must be open from the very beginning and yet it is not. Perhaps it is because there is such a gulf of understanding in asking lawyers, lawmakers, people, high masters of computing and the Court to grasp the philosophical nature of this dispute. In these dark times, philosophy and belief in something as abstract as the Source Code find themselves at the bottom of the to-do list. Yet in the end, we can whisper this prayer and hope to be heard, "May the Source be with you."


Image created by author. Some Rights Reserved.


