Comelec Claims Source Code Security in Historic Escrow Deposit

Richard Sanders

The Commission on Elections (Comelec), often presenting itself as the guardian of clean elections, is facing scrutiny regarding its effectiveness in combating rampant vote-buying in the country. In a recent move, Comelec has placed the source codes—essential voting software for the upcoming May 12 midterm elections—into secure storage at the Bangko Sentral ng Pilipinas (BSP).

This action took place on Monday after Comelec Chairman George Erwin Garcia signed an escrow agreement with Elmore Capule, the BSP Officer-in-Charge. The source codes were certified by Pro V & V Inc., an international certification firm engaged by Comelec, and were also evaluated by local reviewers.

Garcia announced that three sets of source codes were deposited in the BSP vault. The first set pertains to the automated counting machines (ACMs), which will facilitate the consolidation of results and the generation of certificates of canvass and proclamation. The second set is designated for the election transmission system, while the third is intended for the new internet overseas voting system (OVS).

According to Republic Act 9369 of 2007, which allows Comelec to employ an automated election system (AES), the commission is required to escrow the AES source codes at BSP. This law aims to guarantee fair, organized, and credible elections. However, given ongoing concerns about integrity and vote buying, the assurance that the source code is secure remains questionable.

Garcia emphasized that this is the first instance in the history of automated elections where Comelec has deposited three sets of source codes for safekeeping. However, the practice of physically locking source code in a vault may create a false sense of security, as it fails to address the primary threats to source code integrity, which are predominantly online. In today’s digital landscape, effective protection relies on robust cybersecurity measures such as encryption, access controls, and secure coding practices.

Physical vaults do not safeguard against cyber threats like hacking or unauthorized access, rendering this approach largely symbolic. This gesture can mislead the public into thinking that the organization is taking substantial steps to protect its intellectual property. Instead of relying on physical storage, Comelec should prioritize comprehensive online security protocols, conduct regular audits, and invest in employee training on cybersecurity best practices to ensure the true security of its digital assets.