Lack of AES Law implementing rules and regulations
THERE are gaps between what the Automated Election System (AES) Law, Republic Act 8436, as amended by RA 9369, and how it was implemented in the last five national and local elections (NLEs).
When an information technology professional thinks of automating, he thinks of workflow processes, rules, data, network topology, security, type of technology to use and organizational operational support, among others. He also thinks of logistics and how to implement the automated system.
In manual elections, the workflow processes are prescribed in the Omnibus Election Code (OEC), including the manner of voting, counting, production of the election returns, conveyance of the election turns to the respective board of canvassers (BOC), the canvassing and consolidation of votes in the city or municipality, then to the provincial level, and finally to the national level. It also prescribes the operational procedures followed by the members of the boards of election inspectors (BEIs) and the BOCs.
Data about jurisdictions, precincts and centers, elective positions, candidates, etc., is also considered by the poll body.
Then, the Commission on Elections (Comelec) thinks of ballot printing, ballot box production, printing of various election forms, and paraphernalia that will be used.
Implementation of an AES covers the same concerns and much more.
The processes prescribed in the OEC are considered in automating the manner of voting, vote counting, generation of election returns, transmission of election returns to the respective city or municipal boards of canvassers, and the ladderized manner of canvassing and consolidation from the city or municipality level, to the provincial level, and finally, to the national level. Of course, there are changes in some rules, like from writing down the names of the candidates on the ballot to shading ovals to the left of the name of candidates, as in the case of the voting system used in the last five NLEs.
RA 8436, as amended, specifically identifies two voting technologies: 1) a paper-based election system and 2) a direct recording electronic election system. The paper-based election system has been used and implemented since the 2010 NLE. For the 2025 NLE, which includes the BARMM parliamentary elections, the Comelec specified in its invitation to bid a dual technology voting system, combining the two voting technologies identified in RA 8436 as amended, into one voting device.
The law also provides for minimum capabilities as enumerated in Section 7 of RA 9369, which amended Section 7 of RA 8436, as well as other features, functionalities and requirements.
Beyond the processes, a decision has to be made on how the minimum system capabilities and other features, functions and requirements provided by law, such as the use of secure communication channels in securely transmitting the election results, will be implemented and what devices will be used.
The election automation project also covers the preparatory stage that includes data needed to be entered into the system for it to operate properly. These include, among others, data on electoral contests or elective positions, the jurisdictions and the legislative districts, the project of precincts, and the number of voters, among others. These data sets are used to configure the SD cards and in ballot design.
Then, there is the matter of operational support to be considered. These include setting up and operating the National Technical Support Center, the regional and provincial support hubs, and various data centers, including the transparency and Comelec central servers.
All these should have been covered by the implementing rules and regulations (IRR) that could have been promulgated by the Comelec for the effective implementation of RA 8436 as amended. To be fair, the poll body had issued thematic IRRs by way of resolutions covering operational guidelines, for example, for the BEIs and the BOCs, guidelines on the conduct of the local source code review, the operations at the data center that hosted the transparency server, the manner of conducting the random manual audit, and others. But there are gaps in the implementation of the AES that were not addressed in Comelec resolutions.
When three groups of stakeholders jointly petitioned the Supreme Court in GR 259354 to order the Comelec to allow access to and inspection of the configuration of SD cards, preparation of the VCMs, and information about the support hubs, servers and data centers, and details of the transmission facility and transmission of election results, the Comelec defended itself by saying that it is not enjoined by law to do so.
This is one gap between RA 8436
as amended and its implementation.
The lack of information on how the AES Law has been implemented has led to issues being raised every election time. Issues like the implementation of digital signatures and the use of the meet-meroom, also referred to as a secret server or intermediary server, have been raised time and again. And in the 2022 NLE, the use of private IP addresses has been questioned.
The issues raised since the NLE was automated have led some stakeholders to question the integrity of the automated and the credibility of the election results.
All these could have been addressed if the IRR had been crafted by the Comelec in consultation with stakeholders, particularly information technology practitioners and professionals who can address the different aspects of automating the elections.
Perhaps the Comelec should do so prior to implementing the AES that will be used in the 2025 NLE, especially as it is considering a dual-technology voting system.