The Commission on Elections (Comelec) and the National Bureau of Investigation (NBI) announced the arrest of one of the hackers who defaced the Comelec website. A report published by gmanews.tv April 21 revealed that the NBI is still looking for two other hackers and that the probe is focused on the data taken from Comelec and leaked online.
Case solved? Could we now be rest assured that everything is all right? Far from it.
First of all, the data that was taken from the Comelec last March 27 are no less than the personal information of 55 million registered voters, which included our contact information, address, passport or any other government-issued ID number, fingerprints, among others. These are the information that we usually keep in locked vaults. And no thanks to the Comelec, these data could now be used for committing electoral fraud or identity theft.
Second, this raises questions regarding the integrity and vulnerability of the program being used by the Comelec for the automated election system. The Comelec has been too smug about its system that it didn’t even bother to have it checked by independent IT experts, which is a requirement of the poll automation law.
In October 2015, Comelec Chairman Andres Bautista declared that it has already scheduled a source code review to cover the Vote Counting Machine, the Consolidated Canvassing System and the Election Management System. The source code review will supposedly be participated in by, not only the Comelec-contracted company, but also all “interested political parties and legitimate organizations accredited by the poll body, including duly accredited citizens’ arms, information technology experts, and educational institutions.”
This never happened. Worse, the Comelec has been disregarding the other security features provided by the poll automation law, except the issuance of voter receipts, which the Comelec grudgingly agreed to provide only after the Supreme Court ordered it to do so.
Actually, the hackers are not the problem. They did us a service by waking up the Comelec from its complacency and false sense of security, and demonstrating to the people that the automated election system is indeed very vulnerable.
The problem is the Comelec. Instead of frantically trying to patch up the vulnerabilities of the programs it has been using, it has been downplaying the impact of the hacking. It is acting as if it was a petty hacking intrusion and that everything is business as usual.
Instead of complying with the requirements of the poll automation law, it merely repeats the worn-out reason it has been saying since 2010: that it lacks time for preparations, when it had nine years to do so since Republic Act 9369 was enacted in 2007.
It is hard to find a logical reason for the Comelec’s actions and inactions, especially after the hacking. There are only 18 days to go before the May 9, 2016 elections and still, the Comelec appears unperturbed. It’s as if they don’t care, or perhaps the elections is done thing?