Time to change the automated election law
Nelson Celis
The Manila Times, Feb. 27, 2019
Posted by CenPEG March 14, 2019
Part 6
IN the proposed 2018 draft amendments to the Automated Election System (AES) Law, or RA 9369, the Technical Evaluation and Certification Committee (TECC) shall closely coordinate with a credible Project Management Office (PMO).
Let’s analyze further why the PMO is a critical success factor to a genuine AES law compliance.
To begin with, let’s define basic terminologies. A project, like implementing the AES every three years, has a precise start and end in time with corresponding defined scope and resources. In the Philippine context, an AES project becomes a routine operation whose project team includes people from the Commission on Elections (Comelec) primarily, different government agencies (i.e., DICT, DoST, DepEd, joint congressional oversight committee, or JCOC, etc.), private and nongovernment organizations (i.e., AES vendor like Smartmatic, telecommunications companies, Comelec-accredited citizens’ arms like Namfrel and PPCRV, watchdogs like AES Watch, etc.), and political parties and candidates. The latter shall be involved in project activities such as access, review and testing of AES-related equipment and source codes and in the activation of continuity and contingency measures. On the other hand, the project management of AES is the application of knowledge in AES law and IT governance, combined with practice of IT skills, tools and techniques to fully operationalize an AES on the exact date of the national and local elections.
We can summarize the AES project management processes into five stages: 1) initiating – Comelec shall create a Comelec Advisory Council (CAC) which shall be convened not later than 18 months prior to the next electoral exercise. The CAC then recommends the most appropriate, secure, applicable and cost-effective technology to be applied in the AES. Referring also to its previous recommendation to Congress, the JCOC approves what CAC recommended; 2) planning – Comelec and CAC come up with an AES implementation plan. Based on the plan, the former procures the necessary resources; 3) AES implementation – AES vendor delivers AES components, Comelec conducts source code reviews, field testing, mock elections, test certifications of AES components and activation of continuity plan and contingency measures; 4) executing, monitoring and controlling – Comelec conducts the elections: counting, electronic transmission of digitally signed election results, canvassing, random manual audits, system audits and proclamation of winning candidates; 5) closing – CAC submits a written report about its analysis of the AES implementation to the JCOC within six months from the date of election. The JCOC then conducts a comprehensive assessment and evaluation of the performance of the different AES technologies implemented and shall make appropriate recommendations to Congress. The JCOC shall be deactivated six months after completion of canvassing.
Come to think of it, AES project management is quite a complex routine job for the Comelec. It is handled by an internal PMO whose members are Comelec organic employees and supported by external consultants. As regards our experiences in the last three elections as observed by AES Watch, there had been disconnections in the AES project management processes, and this could be attributed to the lack of implementing rules and regulations (IRR) that Comelec has failed to promulgate since 1997. Compared with the recent signed laws by President Duterte like the Universal Health Care Act, or RA 11223, concerned government agencies are in a hurry to come up with corresponding IRR, not to wait forever like the IRR of the AES law.
The existence of IRR, articulating the policies, rules, guidelines and procedures, is a critical success factor in having a clear understanding about managing the AES project. The AES law stipulates the general provisions but does not explain, say, how to generate the voter-verified paper audit trail or voter’s receipt or how to digitally sign the election returns. Ironically, Comelec misinterpreted the voter’s receipt as the ballot paper itself, though the Supreme Court ruled before the 2016 elections that such receipt is generated by the voting machine. In last week’s article, the source code review findings were explained in detail. One of which was the Comelec’s option to proceed without the digital signing facility of the DICT and that the i-button will continue to be used for generating the machine signature.
Under the AES law, it is very clear that the manner of determining the authenticity and due execution of the certificates shall conform with the appropriate authentication and certification procedures for electronic signatures as provided in RA 8792, or the e-Commerce Act of 2000, as well as the rules promulgated by the Supreme Court (i.e., Rules on Electronic Evidence). The misinterpretations of the intentions of the AES law is in itself a disconnection and could affect the integrity of the AES project management.
Further, the source code review has been overdue since February 13. The review is extended until next month, March 2019. As mandated by law, three months before the elections, May 13, 2019, the Technical Evaluation Committee (TEC), through an independent international certifying entity (i.e., Pro V&V Inc.) should have already certified that the AES is operating properly, securely and accurately. The noncompletion of the source code review and its certification on time is a manifestation of poor project management. There was disconnect between the Comelec’s PMO and the TEC in terms of the certification timeline. For sure, had there been early PMO planning with the TEC, the Pro V&V Inc. could have already done its part.
What about the inventory completion of the telecommunication hubs and electrical power nationwide? Continuity plan and contingency measures? Has there been any certifications in any of these? Have the political parties and candidates participated in the tests? What is the PMO doing in this regard?
Another major disconnect is the CAC and the JCOC. The CAC had religiously submitted its recommendations but JCOC never had a chance to deliberate on it. For example, the CAC had recommended in 2010 not to use the PCOS machines of Smartmatic in 2013 onwards, and it endorsed in 2017 the use of mixed technologies for the 2019 elections, but JCOC didn’t bother to consider these. The disconnect in the CAC-JCOC is caused by the absence of regular JCOC hearings. Eventually, the CAC-JCOC disconnect created a domino effect, causing more disconnects between JCOC and Comelec, leaving the latter to decide on its own to acquire AES technologies through option-to-purchase twice — first in 2012 and again in 2017. Notwithstanding the disconnect between the JCOC and Congress as there was no appropriate recommendations submitted by the former to the latter in session. Had there been a credible PMO, it would have sounded off the Comelec en banc to remind the JCOC to call a hearing. But there was none!
With the mismanagement of the AES project by Comelec’s PMO since 2010, the result was the repeated noncompliance of Comelec with the AES law. There were so many disconnections among the project team players.
To stop history repeating itself, the draft amendments to RA 9396 propose a credible and independent PMO which will complement the Comelec and the proposed AES Board.
What are the functions of the proposed PMO and who are its members?
(To be continued)
https://www.manilatimes.net/time-to-change-the-automated-election-law-4/517886/