It’s one thing to hear news about a huge data leak and another to see your data in a public website.”
By MARYA SALAMAT
MANILA – Filipino registered voters are now easy game for identity theft and their votes much easier to steal and replace. These, among many threats to the integrity of elections, were brought up in a picket in front of the national headquarters of the Commission on Elections on Friday, April 22. Youth groups and cause-oriented organizations led by Kabataan Partylist denounced the poll body’s “lackadaisical” response to the massive voter data leak.
Makabayan senatorial bet Rep. Neri Colmenares lambasted the Commission for its “criminal neglect and incompetence”.
“The Comelec has utterly failed in its obligation to protect the fundamental human right of privacy of the Filipino people. The situation endangers the security, life and property of each one of us,” said Colmenares.
The problem first surfaced on March 27, when a group calling itself “Anonymous Philippines” defaced the Commission on Elections (COMELEC) website to tell the poll body to implement security features in vote-counting machines that it will use in the May 9, 2016 polls.
Another group, LulzSec Pilipinas, then uploaded what it claimed to be COMELEC’s whole database consisting of 340 gigabytes of data.
This week, those data trove became searchable. “The website www.wehaveyourdata.com not only further confirmed the magnitude of the data leak, but also exposed information in the Comelec database that are susceptible to electoral fraud,” Kabataan Partylist said.
Netizens confirmed that the data about voters available in the search engine are “chillingly accurate.”
In the said website, a search engine yields information from the raw dump the hackers were able to get from the Comelec website. The website explained its objective: “It’s one thing to hear news about a huge data leak and another to see your data in a public website. Maybe, at least now, government will start thinking about security of citizens’ personal data.”
“Overseas absentee voters (OAVs) are up in arms to discover that all their information can now be accessed publicly,” said a statement from Migrante Partylist.
They tried the search engine and found it accurately include their birth dates, passport details, previous and present addresses here and abroad, even information of their official representatives in the Philippines.
“Daig pa namin ngayon ang nahubaran,” (It’s worse than being undressed) said Garry Martinez, Migrante partylist nominee.
Kabataan Partylist warned that with those data available to anyone with resources, as the administration candidates have, nobody can stop them from hacking the elections. Using the identities of the voters, their fingerprints and other required data, hackers could input their “votes” for the candidates it wanted to win.
“Anyone with the technical capability can write a program that can use the data dump to inflate votes automatically,” said Kabataan Partylist Representative Terry Ridon in a statement.
The youth groups said the administration’s Liberal Party candidates are in the best position to benefit from the leaked Comelec data. They could commit massive electoral fraud, given its current unparalleled command of government funds and resources, Ridon said.
Going viral among netizens recently is a screenshot that showed Malacañang had in fact seeded the data dump from torrent — it had been downloading the Comelec data on registered voters.
Electronic flying voters
“If all personal information would be used to rig the automated elections, the Comelec should not just dismiss its possible repercussions and carry on as if it is ‘business as usual’. Heads must roll,” said Martinez.
Martinez said the security breach has only proven how vulnerable the automated elections system (AES) is. Unfortunately, the migrants group can point to many disturbing signs in their experience of overseas absentee voting that the integrity of the votes may be tampered with.
Martinez said they have been receiving reports of “missing names” in the official list of registered OAVs abroad, specifically in Hong Kong, Italy, US and Japan. In Italy, for instance, Migrante pollwatchers have reported that an average of 10 OAVs per day are not able to vote because their names are not on the official list.
“If we find that their names and information can be accessed in the data leak, what are the implications on the results of the elections? We also found that some OAVs have double entries in the data leak. Is this a mechanism for ‘flying voters’? Nalantad na ba kung paano ginawa ang Hocus PCOS noong 2013?” Martinez asked.
The migrant leader said Comelec Chief Andres Bautista had appeared clueless in interviews regarding the system design of Comelec’s database and website.
“How can the Comelec now assure us of a clean and honest election? The same system that would handle the election results is the same system that was compromised,” Martinez said.
Comelec shortcuts also blamed
The threat posed to the integrity of the elections by a breach in the database could have been preempted if the Comelec complied with requirements stated in the Automated Election System (AES) Law, or Republic Act (RA) 9369, and the e-Commerce Law or RA 8792, Martinez said.
Among these requirements are the public release of the new source code to verify whether the vote counting machines (VCMs) can accurately read, record and transmit votes and the activation of other security features of the VCMs.
Because the Comelec neglected to do that, Martinez said “we have no way to determine if the correct program is installed in the VCMs.”
Also, he added, “We also have no way to verify if the votes cast are the ones being read, recorded and transmitted to the Comelec’s central server.”
Martinez blamed the neglect of Comelec in instituting these safety measures for the huge question mark now hanging over the potential use of its central database. He called on all Filipinos around the world to be more vigilant, to watch the elections carefully and immediately report all anomalies.
Martinez also slammed Malacañang for its continued silence on the issue.
Migrante Partylist is thinking of filing charges against the Comelec for the data leak. “Sanctions must be implemented, and those whose information was leaked should be sufficiently compensated.”
Colmenares said that under the Data Privacy Act or RA 10173, it is the responsibility of the head of the agency to ensure that sensitive and personal information it maintains remain secure, using the most appropriate ICT standards.
He added that under the same law, negligence of the agency resulting in a large-scale breach is punishable by imprisonment of up to six years, fine and disqualification to hold public office. He said Comelec must also be held accountable for concealment of this security breach, which is also punishable by imprisonment, fine and disqualification.
“The extent of the data breach is in the hundreds of thousands at the least so the maximum penalty may be meted to those responsible. I would not be surprised if the Comelec would face a lot of lawsuits after this,” said Colmenares.