Heads must roll: Comelec should be held accountable for data breach

April 21, 2016

By Migrante International

“Let us focus on the main issues: massive automated electoral fraud and exposure to identity theft, especially for overseas absentee voters (OAVs).”

This was the statement of Migrante Partylist following reports that authorities have already arrested a member of Anonymous Philippines who was allegedly responsible for the hacking of the Comelec website last March 27.

“If all personal information would be used to rig the automated elections, the Comelec should not just dismiss its possible repercussions and carry on as ‘business as usual’. Heads must roll. We hold the Comelec mainly accountable for this security breach. The hackers have only proven how vulnerable the AES is,” said Garry Martinez, Migrante Partylist 1st Nominee.

He said that overseas absentee voters (OAVs) are especially concerned because the overseas absentee voting already commenced last April 9.

OAVs up in arms

Today, another website, www.wehaveyourdata.com, not only further confirmed the magnitude of the data leak but also exposed possible information in the Comelec database that are susceptible to electoral fraud.

In the website, a search engine can be found to provide information from the raw dump hackers were able to get from the Comelec website. The website explained its objective: “It’s one thing to hear news about a huge data leak and another to is see your data in a public website. Maybe, at least now, government will start thinking about security of citizens’ personal data.”

“OAVs are up in arms to discover that all their information can now be accessed publicly. We tried the search engine and so far all data are chillingly accurate, to include birth dates, passport details, previous and present addresses here and abroad, even information of their official representatives in the Philippines. Daig pa namin ngayon ang nahubaran,” Martinez said.

“Every registered OAV is now vulnerable to electoral fraud and identity theft. The 1.3 million OAVs are most vulnerable because their passport details have been exposed. Matched with their names, photos, birth dates and signatures, they are more open to different types of fraud because their personal information is 99% accurate. This means that their information can be used not only for electoral fraud but identity theft, as well,” Martinez said.

Comelec non-compliance blamed

He said that had the Comelec complied with requirements stated in the Automated Election System (AES) Law, or Republic Act (RA) 9369, and the e-Commerce Law or RA 8792, repercussions of a breach in database could have been preempted. Among these requirements are the public release of the new source code, a mechanism to verify whether the vote counting machines (VCMs) can accurately read, record and transmit votes and the activation of other security features of the VCMs.

“Because of these, we have no way to determine if the correct program is installed in the VCMs. We also have no way to verify if the votes cast are the ones being read, recorded and transmitted to the Comelec’s central server. Kung ginawa ng Comelec ang mga security measures, hindi mangyayari ito. Paano na ngayong compromised ang central database ng Comelec? Bulag na talaga tayo,” Martinez said.

Missing names, double entries

Martinez said that they have also been receiving reports of “missing names” in the official list of registered OAVs abroad, specifically in Hong Kong, Italy, US and Japan. In Italy, for instance, Migrante pollwatchers have reported that an average of 10 OAVs per day are not able to vote because their names are not on the official list.

“If we find that their names and information can be accessed in the data leak, what are the implications on the results of the elections? We also found that some OAVs have double entries in the data leak. Is this a mechanism for ‘flying voters’? Nalantad na ba kung paano ginawa ang Hocus PCOS noong 2013?

When asked in an interview, Comelec Comm. Bautista appeared clueless on the system design of Comelec’s database and website. “How can the Comelec now assure us of a clean and honest elections? The same system that would handle the election results is the same system that was compromised,” Martinez said.

Martinez also slammed Malacanang for its continued silence on the issue.

He said that Migrante Partylist is mulling filing legal charges against the Comelec for the data leak. “Sanctions must be implemented, and those whose information were leaked should be sufficiently compensated.”

He called on all Filipinos around the world to practice vigilance. “Bantayan po nating mabuti ang eleksyon. Immediately and urgently report all anomalies. Let every vote count.” ###

Reference: Garry Martinez, 1st Nominee, 0939-3914418