Comelec holds 2nd 'trusted build' on two Halalan 2022 components

Ina Reformina, ABS-CBN News

Posted at Jan 13 2022 07:32 PM

People participate in COMELEC’s mock elections at the Padre Zamora Elementary School in Pasay City on December 29, 2021. George Calvelo, ABS-CBN News
People participate in COMELEC’s mock elections at the Padre Zamora Elementary School in Pasay City on December 29, 2021. George Calvelo, ABS-CBN News

MANILA — The Commission on Elections (Comelec) on Thursday conducted a second “trusted build" on the vote-counting machines (VCM) and consolidation and canvassing system (CCS) software that will be used in the May elections.

This, after after the poll body noted “vulnerabilities” in the source codes during field tests, according to election steering committee head commissioner Marlon Casquejo.

“We have found some improvements that need to be corrected when we conducted our field test, as well as our mock elections conducted last December. So as we have said earlier, before, when we conduct our trusted build in Huntsville, Alabama, if there is a need to do another trusted build because of some issues which involve source code, then we need to do another trusted build,” Casquejo said during a virtual livestream of the activity.

He said "no issues" were found in the election management system (EMS), thus there is no need to do a second trusted build for this component.

Trusted build is the process of converting the human readable codes into a machine readable or machine executable code.

The final trusted build was done at a hotel in Manila by Comelec’s international certification entity, Pro V&V, led by its president, Jack Cobb, and witnessed by the multi-agency technical working committee (TEC). 

Dr. Franz De Leon, director of the Advanced Science and Technology Institute of the Department of Science and Technology (DOST), who sits on the TEC, explained some security enhancements had to be done on the souce codes, thus the need for a second trusted build.

The first trusted build in Alabama was completed in December, he said, after Pro V&V found “no critical and major issues” in the codes. 

Cobb said “there was a vulnerability found for log 4 J” of the transmission router component, thus the need to “[update] the libraries to a newer version that does not have the vulnerability in it.”

It remained unclear whether the second trusted build stemmed, in part, from a discrepancy noted between the total number of assigned voters and actual voters who cast their vote at the P. Zamora Elem. School in Pasay City during the nationwide mock elections last Dec. 29. 

A total of 390 voters turned up to cast their vote out of 786 registered voters, but the CCS flashed the same figure for the columns under “expected number of voters” and “received number of voters,” both at 786. 

The VCM and CCS trusted build took almost five hours, after which the USBs and final trusted build were deposited inside a vault at the Comelec main office in Intramuros, Manila.

The Comelec has yet to announce when the source codes and trusted build shall be transferred to the Bangko Sentral ng Pilipinas, as mandated by the Automation Law. 

 THE BUILD

During a trusted build, an environment is built on a “clean” computer not connected to any network.

The source codes are then placed in the build environment. 

File signatures for the codes are checked to verify that these are unchanged.

These then pass through the trusted build process.

Upon completion of the build, file signatures or hashes will be produced for the created executable codes, and shall be made available to the public.