Earlier this year, there was a report that sensitive voter information may have been compromised after a group of hackers allegedly were able to breach the servers of the Commission on Elections. The group was reportedly able to download more than 60 gigabytes of data.
The data was said to include, among others, usernames, PINs of vote-counting machines, network diagrams, IP addresses, list of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, QR code captures of the board of canvassers with login and password, list of overseas absentee voters, configuration list of the database, and user accounts of Comelec personnel.
The news report was based on screenshots and a 44-page PDF file, among others, presumably provided by the hackers. According to the publication, the information came from white hat hackers who just wanted to expose the vulnerabilities of the Comelec servers.
Of course the news was alarming. We are talking about data that could affect the upcoming May 2022 national and local elections. And our personal data.
Rappler meanwhile earlier reported that two months before the 2016 elections, Comelec also had to grapple with a major hacking incident, with hackers leaking a voter records database online. It was dubbed “Comeleak” and considered the biggest leak of personal data in Philippine history and among the biggest breaches of a government-held database in the world, Rappler said.
But as it turns out, things might have been blown out of proportion.
According to the Comelec, key information about the list of voters is offline and since these are not available online, there is no way these can be hacked or illegally accessed online.
As to the PINs and passwords of the VCMs, the poll body emphasized that these could not have been stolen since these are not yet in the system.
Much has been made about the alleged breach of sensitive data from the Comelec’s servers. As it eventually turned out, it was much ado about nothing.
The facts of the case are these: The only evidence presented was a screenshot from supposed well-intentioned hackers who want to expose the supposed vulnerabilities of the Comelec’s servers.
The Comelec’s database of voter information that is supposedly part of the breached data is not available online; PINs and passwords of vote counting machines (VCM) that are also supposedly part of the breach had not yet been uploaded to the system at the time of the alleged hacking.
The National Bureau of Investigation (NBI), after testing the poll body’s system, found that there is no evidence of hacking as the system cannot even generate the data that were supposedly breached, reinforcing the Comelec’s claim that the information is not available online.
The National Privacy Commission said that its initial findings show no hacking of Comelec servers and that the latest incident happened probably with a third party engaged by the poll body. The hacking incident, it said, involves personal information dated 2015 and 2016 but that the NPC is still verifying the authenticity and origin of the documents.
It has also been reported that according to Comelec, their technology vendor’s role is limited to providing the automated elections system, and that the vendor has zero access to information that could affect the elections in any way. Expert analysis revealed that the data at the epicenter of the controversy are non-sensitive.
Alex Ramos, an IT expert who is representing Partido Federal in the Local Source Code Review (LSCR), said that the allegedly compromised data is “completely irrelevant” to the elections.
In 1997, a law was passed authorizing Comelec to use an automated election system in the May 22, 1998 national or local elections and in subsequent electoral exercises.
However, lack of preparation, time and funding led to the use of the automated process only in Lanao del Sur, Maguindanao, Sulu and Tawi-Tawi in 1998.
By 2003, Comelec started to build a centralized computer database of all registered voters, including digital photos, fingerprints and signatures.
An automated electoral process on a nationwide scale was first employed in the 2010 elections which brought former President Noynoy Aquino to power. Multinational company Smartmatic was chosen to supply the hardware and software for the electronic voting.
The second nationwide automated elections took place in 2013. The third time was in 2016, when Davao City Mayor Rodrigo Duterte rose to the highest government post in the country.
Shifting from manual to automated elections was of course not without problems. It also did not prevent the usual problems like vote-buying, intimidation of voters, harassment of candidates and the presence of armed men, according to an international group of observers of the 2010 elections.
But electronic voting speeds up counting of ballots and does away with the practice, especially in far-flung places, of boxes containing the used ballots being taken away or being lost while being transported for manual counting.
Indeed, allegations of hacking and breach of data months before the conduct of a hotly contested presidential election should be looked into and given serious consideration.
Unfortunately, there are parties which are now using the recent alleged hacking as an excuse to plant seeds of doubt in the minds of the public as to the credibility of the results of the 2022 elections.
Even before the pandemic started, there were already proposals to return to manual elections, even adopting a hybrid system.
There is still time to address issues such as sharing of information by Comelec with third parties. But all indications point to the fact that Comelec servers have not been compromised. The alleged information that has been hacked has not been verified.
This recent incident should not justify going back to the Stone Age.
For comments, e-mail at mareyes@philstarmedia.com