MANILA – The Commission on Elections (Comelec) on Monday launched the local source code review (LSCR) of the automated election system (AES) to be used in the May 9, 2022 National and Local Elections (NLE).
Poll body officials headed by chairman Sheriff Abas welcomed the participants, composed of political parties, citizens’ arms and civil society groups, at the kickoff activity held at the Diamond Hotel in Manila.
Commissioner Marlon Casquejo, head of the Steering Committee and commissioner-in-charge of the LSCR, said the procedure is a pre-election activity that is mandated by the law.
“The review of the human-readable instructions that define what the computer system will do — commonly referred to as the source code — is an innovation that was introduced by Republic Act No. 9369,” he said.
Section 12 of Republic Act No. 9369 provides that “once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested party or group which may conduct their own review thereof.”
“In this sense, the activity that we are all going to be engaged in is integral and inseparable to the conduct of elections as any other. As the Chairperson of the 2022 National and Local Elections Steering Committee, allow me then to reiterate the overarching principles that should guide us all: Local Source Code Review is aimed at enhancing public acceptance, promoting transparency, and building public confidence in our Automated Elections System,” Casquejo added.
The objectives of the review are to ensure that the AES functions as it should or as expected and that the code is clean and without any embedded malicious code.
It also aims to identify any critical or major issues or errors that could potentially impact the outcome of the election.
“We intend for this review process to be as transparent and participatory as possible. We intend to preserve the integrity of our automated systems, in the same manner, that we aim to ensure that the upcoming automated elections run as smoothly as possible. And we want you to help us uncover possible issues with our systems inasmuch as we want the general public to know about our readiness and preparedness,” he said.
The stakeholders will review the following: the Election Management System (EMS); the Vote-Counting Machine (VCM); the Consolidated Canvassing System (CCS); and all other related systems programmed and developed by the provider.
“Each and every one of us – the reviewers, the media, the political parties and interest groups, the different branches of the government, and even the casual observers – plays a vital role in ensuring that the general public preserves their trust and confidence in our electoral process. The successful staging and completion of the Local Source Code Review is a positive and welcome step towards the completion of that goal,” Casquejo added.
The participants in the review, as of September 22, are Partido Federal ng Pilipinas (PFP), Partido Para sa Demokratikong Reporma, National Unity Party (NUP), Liberal Party of the Philippines, Unang Sigaw (Partido ng Pagbabago), Aksyon Demokratiko, Partido Demokratiko Pilipino Lakas ng Bayan, and National Peoples Coalition.
Other participants include the Kaya Natin Movement for Good Governance, Joint Congressional Oversight Committee, Parish Pastoral Council for Responsible Voting (PPCRV), Democracy Watch, Kilusang Bagong Lipunan, National Citizens Movement for Free Elections (Namfrel), and Pwersa ng Masang Pilipino.
The LSCR will start on Tuesday and will end on March 31, 2022, at the 2nd floor Ruby Room of the Diamond Hotel from 9 a.m. to 5 p.m., Mondays to Saturdays, except holidays. (PNA)
‘They think they are above the law’: the firms that own America’s voting system.
Maryland congressman Jamie Raskin is a newcomer to the cause of reforming America’s vote-counting machines, welcomed through baptism by fire. In 2015, Maryland’s main election system vendor was bought by a parent company with ties to a Russian oligarch. The state’s election officials did not know about the purchase until July 2018, when the FBI notified them of the potential conflict.
The FBI investigated and did not find any evidence of tampering or sharing of voter data. But the incident was a giant red flag as to the potential vulnerabilities of American democracy – especially as many states have outsourced vote-counting to the private sector. After all, the purchase happened while Russian agents were mounting multiple disinformation and cybersecurity campaigns to interfere with America’s 2016 general election.
“To say that they don’t have any evidence of any wrongdoing is not to say that nothing untoward happened,” Raskin said. “It’s simply to say that we don’t have the evidence of it.”
The fact is that democracy in the United States is now largely a secretive and privately-run affair conducted out of the public eye with little oversight. The corporations that run every aspect of American elections, from voter registration to casting and counting votes by machine, are subject to limited state and federal regulation.
The companies are privately-owned and closely held, making information about ownership and financial stability difficult to obtain. The software source code and hardware design of their systems are kept as trade secrets and therefore difficult to study or investigate.
The market for election vendors is small and the “customer base” mostly limited to North America and centered on the US, meaning that competition is fierce. The result is a small network of companies that have near-monopolies on election services, such as building voting machines. Across the spectrum, private vendors have long histories of errors that affected elections, of obstructing politicians and the public from seeking information, of corruption, suspect foreign influence, false statements of security and business dishonesty.
But these companies are the safekeepers of American democracy.
A corner of the computer security world has been sounding the alarm since voting machines were adopted after the punch-card disaster of the 2000 election recount in Florida. Now lawmakers, election officials and national security experts are joining in on the clamor after Russian agents probed voting systems in all 50 states, and successfully breached the voter registration systems of Arizona and Illinois in 2016.
Both Robert Mueller’s report and a previous indictment of 12 Russian agents confirmed Russians also targeted private vendors that provided election software. The Russians successfully breached at least one company, its name redacted in the reports, “and installed malware on the company network”, according to the Mueller report.
Intelligence agencies expect cyber attacks from Russia, China and other nations against America’s democracy to continue in 2020.
When Raskin learned that there are next to no federal laws that govern or regulate private sector companies involved in US election infrastructure, he hurriedly introduced a bill that would prevent states from contracting with firms owned or influenced by non-US citizens. He plans to reintroduce an updated version of the bill in this legislative session, he told the Guardian. While it has a decent chance of passing the Democratic-controlled House, it would require Republican support in the Senate to become law.
That is not likely. Republican Senate leader Mitch McConnell has been antagonistic to election reform bills, as has the whole Republican party. The party narrative is that Democrats are trying to use the federal government to take over state and local elections; the political angle is that recognizing vulnerabilities or flaws in the election system could raise doubts about the legitimacy of the party’s – and Donald Trump’s – victory in 2016.
Raskin’s bill could affect at least two of the largest election companies. Dominion Voting Systems, which is the second-largest voting machine vendor in the US, is based in both the US and Canada. Scytl, which provides election night reporting and other online election management tools, is based in Spain. ByteGrid, the Maryland elections contractor, is no longer owned by the Russian parent company.
Campaigners say, however, that foreign ownership of an election vendor is not the only potential security problem. No matter who owns them, voting machines are more vulnerable to insider malfeasance than any other sector of the election industry, and no sector has a longer documented history of US-based ownership with clear partisan ties.
In 2003, for example, when voting machines were rapidly spreading across the country with the help of federal funds, the CEO of one of the largest companies and a top fundraiser for then president George W Bush said he was “committed to helping Ohio deliver its electoral votes to the president”.
Due to that statement and a litany of other scandals – such as leaving an internet-facing server unprotected and revealing the source code for its machines or by installing unapproved software patches on its machines just before an election – that company, Diebold, sold off the election-machine portion of its company in 2009.
In the push for more transparency, computer scientists and academics have been buying voting machines and hacking them. The most famous example came out of the 2017 Defcon hacking conference where computer scientists released a report describing how they hacked a suite of voting machines and the poor computer programming they found. As a result, Virginia decertified their voting machines and moved to paper ballots.
Voting machine companies have been actively seeking to avoid this type of scrutiny. They have sent threats of litigation to academics researching their machines. They have also blocked litigation seeking records from the machines when there were errors in vote counts and have lied to journalists and to elected officials about the fact that some machines could be accessed remotely.
Oregon senator Ron Wyden, in a speech at an election security conference in Washington DC, said that the voting machine lobby “literally thinks they are just above the law, they are accountable to nobody, [and] they have been able to hotwire the political system in certain parts of the country like we’ve seen in Georgia”.
Wyden was referring to the fact that Brian Kemp, who is now Georgia’s governor after overseeing his own election while secretary of state, appointed an ES&S lobbyist as his deputy chief of staff. Meanwhile, the state is in the process of purchasing more than $150m in new voting machines.
“My view is that the maintenance of our constitutional rights should not depend on the sketchy ethics of these well-connected corporations that stonewall Congress, lie to public officials and have repeatedly gouged taxpayers,” Wyden said.
Meanwhile, weak state or federal guidance leaves many cybersecurity companies doing whatever they want, according to Joshua M Franklin, president and co-founder of Outstack Technologies, a cybersecurity company that helps protect campaign and election infrastructure.
“There are no technical standards or best practices from the US federal government on the security of voter registration systems,” Franklin said. “One to two pages [of guidelines] don’t cut it. Similarly, we are missing technical security specifications that election night reporting or blank ballot distribution systems must meet.”
Like voting machine vendors, companies providing voter registration and election-night reporting services have their own history with security lapses and false statements. Very little is known about the contracts and relationships between states and vendors such as PCC and Scytl that provide voter registration or other online election services.
When it was discovered three days before the 2018 midterms that poor cybersecurity left Georgia’s voter registration system vulnerable to being altered, it was unclear whether the state or the company was responsible for the failures. Computer security experts tested the systems of two other states also listed as clients by PCC. One of the coding problems also existed in North Carolina and Washington, though the way the states structured their websites muted the potential hazard faced in Georgia.
The North Carolina state board of elections says that it never contracted with PCC. Instead, it contracted with Quest Information Systems, which was bought by PCC’s parent company, GCR, Inc, then folded into PCC seemingly without notifying several clients. Further, those services did not amount to work on the voter registration system, as PCC’s website claimed, and North Carolina is no longer a client in any capacity to either company. The apparent error on North Carolina’s voter information site – which never posed a threat to the state’s voter registrations or elections integrity, mostly because the state does not do online voter registration – has since been fixed.
Information on which states PCC contracts with is hard to come by, with the best data seemingly on PCC’s own website. PCC claims that its technology is responsible for the registration for nearly 25% of US voters.
As is often the case when companies provide their own industry data with little oversight, it is not clear how true their information is. The Guardian found that at least two other listed clients, Indiana and New Jersey, either have never directly contracted with PCC or have not done so in a decade. New Jersey is no longer listed as a client for voter registration services.
Transparency and trust in every stage of election systems is important because it affects how well voters trust that the system is fair, campaigners say.
But the dominant private sector makes that difficult. Not only are the companies largely free from public records requests, they are often asked to investigate or police themselves, according to election law expert Candice Hoke.
“It is unheard of, for instance in a bank, that if they have anomalies or a potential hack that they need to investigate, that they are supposed to call the software licensor or the software company and get them to examine their own software and decide whether their software was hacked or flawed in some way,” Hoke said. “Absolutely preposterous. And yet we allow that in our elections.”
Often, counties simply do not have the expertise or funding to do investigations, and there is currently little state or federal infrastructure in place to solve this problem. Voters, civil rights groups and activists have taken to the courts, but legal rules say plaintiffs need a certain amount of evidence to file a lawsuit, Hoke said. Yet they cannot get that information – held by the private election vendors – without a judge allowing discovery during that lawsuit.
Whether it is through the courts or legislation, Hoke is clear about what is needed.
“We need independent auditing and forensics assessments and other kinds of IT assessments that are not controlled by the vendors,” Hoke said.