IN THE MATTER OF THE GUIDELINES IN THE CONDUCT OF THE SOURCE CODE REVIEW OF THE AUTOMATED ELECTION SYSTEM FOR THE 09 MAY 2016 NATIONAL AND LOCAL ELECTIONS
WHEREAS, Section 12 of Republic Act No. 9369 directs that "once an AES technology is selected for implementation, the Commission shall promptly make the source code available and open to any interested party or group which may conduct their own review thereof";
WHEREAS, the conduct of the sufficient source code review by any interested party as provided in Section 12 of Republic Act No. 9369 will enhance public acceptance of and build public confidence in the Automated Elections System;
WHEREAS, Section 9 of Republic Act No. 9369 directs the creation of an Advisory Council which shall "provide advice and assistance in the review of the systems planning, inception, development, testing, operationalization, and evaluation stages";
WHEREAS, the COMELEC Advisory Council issued Resolution No. 2015-002 recommending guidelines in the conduct of source code review;
NOW, THEREFORE, pursuant to the powers vested in it by the Constitution, the Omnibus Election Code, Republic Act No. 9369, and other election laws, and after taking into consideration the recommendation of the Comelec Advisory Council in its Resolution No. 2015-002, the Commission has RESOLVED, as it hereby RESOLVES, to approve and adopt the following guidelines in the conduct of the source code review by interested parties or groups of the Automated Elections System for the 09 May 2016 National and Local Elections:
I
LOCAL SOURCE CODE REVIEW
SEC. 1. Objectives. The conduct of a local source code review seeks to provide interested parties and groups an opportunity to inspect the source codes in the Automated Elections System.
SEC. 2. Coverage. The review shall cover the source codes of the following systems:
- Vote Counting Machine (VCM);
- Consolidated Canvassing System (CCS); and
- Election Management System (EMS).
SEC. 3. Review Phases. The source code review shall involve two phases. The first phase covers the review of the baseline source codes. The second phase covers the review of the source codes after the systems have been customized and configured according to the preferences and needs of the Commission. The second phase of review shall be undertaken after the Technical Evaluation Committee has certified the Automated Election System. The start and duration of the local source code review for each of the phases shall be set by the Commission.
II
INTERESTED PARTIES/GROUPS
SEC. 4. Participants. Parties or groups interested in conducting a local source code review must belong to any of the following:
- Political parties or coalition of parties duly registered and/or accredited by the Commission;
- Legitimate organizations or groups duly accredited by the Commission which includes duly accredited citizen's arms;
- Two (2) Information Technology (IT) Groups recommended by the Comelec Advisory Council which are known for their expertise, integrity, and independence in the IT community; or
- Host educational institution, if any.
If because of limited space, all interested parties and groups cannot be accommodated in the venue of the source code review, preference shall be given to: 1) major political parties, as determined by the Commission; 2) duly-accredited citizen's arms of the Commission; 3) and to the host educational institution, if any. After preference is given to the above-mentioned parties and groups, the remaining slots shall be filled-up according to the date of submission of the written request of other parties or groups. Other parties or groups which cannot be accommodated shall, with prior authority by the Commission, be entitled to collectively appoint one set of reviewers which shall collectively represent them.
SEC. 5. Disqualifications. Except for an educational institution which will host the venue for the local source code review, interested parties or groups must not belong to any of the following:
- Any religious sect or denomination, organization or association, organized for religious purposes;
- Any foreign party or organization; or
- Any group or organization which is receiving monetary or any form of financial support from any foreign government, or foreign political party, foundation, or organization, whether directly or through any of its officers or members, or indirectly through third parties.
III
LOCAL SOURCE CODE REVIEWER
SEC. 6. Qualifications. The source code reviewer must be duly-authorized by the interested party or group and must possess the following:
- Must at least have a 4-year bachelor's degree, preferably in any IT related field specializing in computer systems security or cryptography.
In addition, he or she must possess the following:
- For the VCM, the reviewer must possess
  - Expertise in C and C++ application development; and
  - Experience in Unix-like systems.
- For the EMS/CCS, the reviewer must possess
  - Expertise in Java application development; and
  - Experience in Unix-like systems.
SEC. 7. Number of Reviewers; Limitations. Each interested party or group may appoint a maximum of three (3) qualified reviewers for the source code review. However, only one (1) qualified reviewer is allowed to review the covered system at a time.
IV
APPLICATION FOR THE LOCAL SOURCE CODE REVIEW
SEC. 8. Procedure. The interested party or groups must file a written request before the Commission's Steering Committee signifying its intent to participate in the local source code review. The written request shall be filed not later than 22 September 2015 during regular office hours at the Office of Commissioner Christian Robert S. Lim, Commission on Elections. It shall be signed by the duly-authorized representative of the interested party or group.
SEC. 9. Written Request, Contents. The written request shall contain the following details:
- Name of the interested party or group;
- Intent to participate in the conduct of the local source code review;
- Name of the local source code reviewer/s and the latter's credentials; and
- Signature of the duly-authorized representative of the interested party or group.
SEC. 10. Attachments. The written request shall attach the proof of credentials of the local source code reviewer. The attached credentials are dependent on the system he or she will review.
The certified true copy of the diploma showing the bachelor's degree of the reviewer shall be attached.
In addition, the following credentials must also be attached:
- For VCM reviewers, a C and C++ Certification; or
- For EMS/CCS reviewers, a Java Certification.
SEC. 11. Approval. All written requests filed within the specified period shall be subject to the approval of the Steering Committee. The approval or denial shall be based on the following:
- Written request and its attachments;
- Date and time of the request submitted, if applicable; and
- Availability of slots/space in the source code review room.
SEC. 12. Date of Receipt. The date of receipt shall be the date stamped by the Office of Commissioner Christian Robert S. Lim, through which the written request to the Steering Committee is filed. For application sent via registered mail or private courier, the controlling date shall be the actual physical receipt of the written request by the Office of Commissioner Christian Robert S. Lim, and not the date of the sending/mailing thereof, as stamped on the envelope by the courier.
V
PRE-REVIEW CONFERENCE
SEC. 13. Pre-review Conference. Before the start of the review proper, parties and groups approved by the Steering Committee and their reviewers shall attend a conference wherein they will be oriented on the following matters:
- Security Protocols;
- Working hours;
- Scope of the review;
- Duration of the Review;
- Review Process;
- Proper Report and Documentation;
- House Rules; and
- Other matters agreed upon by all of the parties present.
SEC. 14. Non-Disclosure Agreement. The parties, groups and their reviewers must sign the non-disclosure agreement before conducting the local source code review.
SEC. 15. Walkthrough for the baseline source codes. After the signing of the non-disclosure agreement, the parties, groups and their reviewers shall attend a brief walkthrough on the baseline source codes conducted by the Commission, through the system provider, wherein they will be oriented on the following:
- Organization of the source codes per system to be reviewed;
- How to use the manuals to be distributed if any; and
- Other matters which may aid the reviewer in conducting the review.
SEC. 16. Walkthrough for the source codes after customization. After the first phase but before the start of the second phase of the review, the parties, groups and their reviewers shall attend a brief walkthrough conducted by the Commission, through the system provider, wherein they will be oriented on the source codes after customization.
VI
VENUE
SEC. 17. Venue. The Commission shall provide a secured and enclosed location or facility for the conduct of the local source code review. All entries and exits in this area shall be properly recorded. Access to this area shall be regulated by the Commission. To strengthen the transparency and integrity of the review, the Commission shall provide video and audio recordings in the facility.
SEC. 18. Virtual extension of the review room. The video -- without audio -- may be fed live, adjacent to the secured location. It shall be open to the media, political parties, electoral reform organizations, other interested entities, and the general public in order for them to view the conduct of the local source code review.
VII
REVIEW PROPER
SEC. 19. Workstations. The Commission shall provide the workstation inside the secured location or facility with a clean computer system.
SEC. 20. Source code. The Commission shall provide and install a read-only copy of the source code on the workstations inside the secured location or facility. To ensure the identity of the source code under review, hash codes may be generated and used.
SEC. 21. Availability of software engineers. The Commission, through the system provider, shall make accessible software engineers who are competent and knowledgeable in the source code under review, through on site consultation at least once a week.
SEC. 22. Duration. The period allotted for the two (2) phases of the source code review shall be determined by the Commission.
VIII
REPORT AND DOCUMENTATION
SEC. 23. Contents. The report must contain the following details:
- Name of the Reviewer;
- Party Represented;
- System being reviewed: VCM, CCS, EMS;
- Description of the findings;
- Location of the Findings;
- Description of Risks/Comments; and
- Recommendations.
SEC. 24. Weekly Report. The reviewer must submit to the Steering Committee a report on his or her findings once a week. Copies of the report shall be furnished to the Technical Evaluation Committee and to the system provider.
SEC. 25. Final Report. After the end of each review phase, the reviewer must submit within five (5) days a final report collating all of his or her findings for the entire duration of the review to the Steering Committee. Copies of the report shall be furnished to the Technical Evaluation Committee and to the system provider.
SEC. 26. Final Report; Dates. The five (5)-day period shall be counted from the last day of each of the review phases.
IX
MISCELLANEOUS PROVISIONS
SEC. 27. Documents; Limitations. No copy of the source code, documentation, any material supplied by the Commission or any part thereof may be taken out from the secured location/facility, whether physically or electronically.
SEC. 28. Electronic Device; Limitations. No electronic device of any kind, including but not limited to laptops, mobile phones, cameras, USB drives and other storage devices shall be permitted inside the secured location/facility unless expressly authorized by the Commission.
RESOLVED FINALLY, that the Commission may modify the above guidelines as it may deem fit and necessary.
Let the Education and Information Department cause the immediate publication of this Resolution in two (2) daily newspapers of general circulation in the Philippines.
SO ORDERED.
- BAUTISTA, J. ANDRES D., Chairman
- LIM, CHRISTIAN ROBERT S., Commissioner
- PARREÑO, AL A., Commissioner
- GUIA, LUIE TITO F., Commissioner
- LIM, ARTHUR D., Commissioner
- GUANZON, MA. ROWENA AMELIA V., Commissioner
- ABAS, SHERIFF M., Commissioner