GUIDELINES ON THE CONDUCT OF THE LOCAL SOURCE CODE REVIEW OF THE AUTOMATED ELECTION SYSTEMS FOR THE 13 MAY 2019 NATIONAL AND LOCAL ELECTIONS BY INTERESTED PARTIES AND GROUPS
WHEREAS, Section 12 of Republic Act No. 9369 provides that "once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested party or group which may conduct their own review thereof";
WHEREAS, the conduct of the local source code review by any interested party as provided under Section 12 of Republic Act No. 9369 will enhance public acceptance of and build public confidence in the Automated Elections System;
WHEREAS, based on the recommendations and comments of the previous code review participants the Commission fine-tuned its existing guidelines;
NOW, THEREFORE, pursuant to the powers vested in it by the Constitution, the Omnibus Election Code, Republic Act No. 9369, and other election laws, and after taking into consideration the recommendation of the local source code reviewers in the last 2016 National and Local Elections, the Commission has RESOLVED, as it hereby RESOLVES, to approve and adopt the following guidelines in the conduct of the source code review by interested parties or groups of the Automated Elections System for the 13 May 2019 National and Local Elections:
I
LOCAL SOURCE CODE REVIEW
SECTION 1. Objectives. The local source code review seeks to provide interested parties and groups with opportunity to inspect and examine the source codes of the Automated Elections System (AES). By doing so, it seeks to build public trust and confidence on the AES.
SEC. 2. Coverage. The review shall cover the source codes of the following systems:
- Election Management System (EMS);
- Vote-Counting Machine (VCM);
- Consolidated Canvassing System (CCS);
- Other related systems as may be deemed necessary;
SEC. 3. Review Phases. The source code review shall involve two phases. The first phase shall cover a preliminary review of the source codes of the AES implemented in the 2016 National and Local Elections with initial enhancements for the 2019 National and Local Elections as required by the Commission. The second phase shall cover the review of the final release or version of AES software on Election Day.
II
INTERESTED PARTIES AND GROUPS
SEC. 4. Participants. Parties or groups interested in conducting a local source code review must belong to any of the following:
- Political parties or coalition of parties duly registered and/or accredited by the Commission. This includes parties and organizations registered under the Omnibus Election Code and the Party List System of Representation;
- Legitimate organizations or groups accredited by the Commission which includes previously accredited citizen's arms in the last 2016 National and Local Elections;
- Information Technology (IT) Groups known and recognized as existing in the IT community, preferably recommended by the COMELEC Advisory Council (CAC) and/or the Department of Information and Communications Technology Office (DICT);
- Civil Society Organizations known for their involvement in election reform activities as may be determined by the Commission;
- Host academic institution if any;
If because of limited space, all interested parties and groups cannot be accommodated in the venue of the source code review, preference shall be given to: 1) major political parties, as determined by the Commission; 2) duly-accredited citizen's arms of the Commission; and 3) to the host academic institution, if any. After preference is given to the above-mentioned parties and groups, the remaining slots shall be filled-up according to the date of submission of the written request of other parties or groups. Other parties or groups which cannot be accommodated shall, with prior authority by the Commission, be entitled to collectively appoint one set of reviewers which shall collectively represent them.
III
LOCAL SOURCE CODE REVIEWER
SEC. 5. Qualifications. The source code reviewer must be duly-authorized by the interested party or group and must be knowledgeable in computer programming languages and must be able to understand computer language preferably on the following programming languages and systems: C/C++, Java application development, Bash, Object Oriented Programming Language, Unix-like systems, and Linux operating system.
The prescribed qualification is to ensure that the code reviewer can understand and appreciate the source codes of the AES to be reviewed. The interested parties and groups are expected to choose their reviewers based on this consideration.
SEC. 6. Number of Reviewers; Limitations. Each interested party or group may appoint primary and secondary code reviewers for each system. However, depending on the availability of space at any given time, each party or group may be limited to field only one (1) qualified reviewer at a given time.
IV
APPLICATION FOR THE LOCAL SOURCE CODE REVIEW
SEC. 7. Procedure. The interested party or group must submit a written request addressed to the Local Source Code Review Ad-hoc Committee signifying its intent to participate including its attachments. The written request must be signed by the duly-authorized representative of the party or group.
In lieu of personal filing, said request including its attachments must be scanned and sent to localsourcecodereview@comelec.gov.ph not later than 28 September 2018. Successful receipt of the request will be acknowledged.
SEC. 8. Written Request; Contents. The written request shall contain the following details:
- Name of the interested party or group;
- Intent to participate in the conduct of the local source code review;
- Name of the local source code reviewer/s and the latter's credentials;
- Signature of the duly-authorized representative of the interested party or group.
For this purpose, interested parties and groups shall completely fill-out Annex "A" of this resolution.
SEC. 9. Annexes to the written request. The written request shall attach the resume of the local source code reviewer specifically mentioning his or her experience in computer programming or related field. Said resume shall be under oath.
For IT Groups, a favorable recommendation from the CAC and/or the DICT shall also be attached.
For Civil Society Organizations, a brief summary of the electoral reforms initiated or supported shall also be attached.
In the event that the interested parties or groups cannot submit the complete requirements, a reasonable explanation must also be attached.
SEC. 10. Approval. All requests filed within the specified period shall be subject to the approval of the Local Source Code Review Ad-hoc Committee. The approval or denial shall be based on the following:
- Request and its attachments;
- Presence of Qualifications;
- Date and time of the request received, if applicable; and
- Availability of slots/space in the source code review room.
The approval or denial of the request shall be sent to the e-mail address of the interested party or group used in the application.
The approval of the request shall also be posted in the official website of the Commission on Elections.
SEC. 11. Date of Receipt. The date of receipt shall be determined by the system generated date and time of receipt on the above-mentioned e-mail address.
V
PRE-REVIEW CONFERENCE
SEC. 12. Pre-review Conference. Before the start of the review proper, approved parties and groups and their reviewers shall attend a conference wherein they will be given an overview of the local source code review process and the design of the AES. They will also be oriented on the following matters:
- Security Protocols;
- Working Hours;
- Scope of the Review;
- Review Process;
- Proper Report and Documentation;
- House Rules; and
- Other matters agreed upon by all of the parties present.
The external stakeholders, media, and the general public shall also be invited to the pre-review conference.
SEC. 13. Non-Disclosure Agreement. The parties, groups and their reviewers must sign the non-disclosure agreement before participating in the local source code review.
SEC. 14. Walkthrough of the systems to be reviewed. After signing the non-disclosure agreement, the parties, groups, and their reviewers shall attend a brief walkthrough of the system to be reviewed, conducted by the Commission through the system provider, wherein they will be oriented on the following:
- Organization of the source codes per system to be reviewed;
- How to use the manuals to be distributed if any; and
- Other matters which may aid the reviewer in conducting the review.
VI
VENUE
SEC. 15. Venue. The Commission shall provide a secured and enclosed location or facility for the conduct of the local source code review. All entries and exits in this area shall be properly recorded. Access to this area shall be regulated by the Commission. To strengthen the transparency and integrity of the review, the Commission may provide video and audio recordings in the facility.
SEC. 16. Virtual extension of the review room. The video - without audio recording - may be fed live, adjacent to the secured location as may be practicable. It shall be open to the media, political parties, electoral reform organizations, other interested parties, and the general public in order for them to view the conduct of the local source code review. Depending on availability and prior request for visit, the Commission may designate a person to answer any queries from the visiting public.
VII
REVIEW PROPER
SEC. 17. Workstations. The Commission shall provide the workstation inside the secured location or facility with a clean computer system.
SEC. 18. Source code. The Commission shall provide and install a read-only copy of the source code on the workstations inside the secured location or facility. To ensure the identity of the source code under review, hash codes may be generated and used.
SEC. 19. Availability of software engineers. The Commission, through the system provider, shall make accessible software engineers who are competent and knowledgeable in the source code under review, through on site consultation at least once a week.
SEC. 20. Compilation and demonstration of the AES systems reviewed. Subject to the agreement of the participants of the local source code review, the Commission, through the system provider, may schedule the compilation and demonstration of the systems reviewed for testing purposes only.
SEC. 21. Notices of scheduled activities. The schedule of the local source code review activities shall be posted in the official website of the Commission on Elections.
SEC. 22. Duration. The period of the source code review shall be determined by the Local Source Code Review Ad-hoc Committee.
VIII
REPORT AND DOCUMENTATION
SEC. 23. Contents. The report must contain the following details:
- Name of the reviewer;
- Party or Group Represented;
- System being reviewed: VCM, CCS, EMS, etc.;
- Description of the findings;
- Location of the findings;
- Description of risks/comments; and
- Recommendations.
SEC. 24. Daily report. The reviewer must submit a daily report on his or her findings. Copies of the report shall be furnished to the Ad-hoc Committee.
SEC. 25. Final Report. After the end of the review, the reviewer may submit within five (5) days a final report collating all of his or her findings for the entire duration of the review to the Commission. The five (5) day period shall be counted from the last day of each of the review phases. This may be in the form of a collation of the reports submitted, which must be signed by the code reviewer.
SEC. 26. Certification. In the absence of major or critical findings observed in the source codes of AES reviewed, which could affect the proper, secure, and accurate operation of the AES, the code reviewer shall sign a certification stating that no major or critical findings were observed and found in the code at the end of the code review.
IX
MISCELLANEOUS PROVISIONS
SEC. 27. Documents; Limitations. No copy of the source code, documentation, any material supplied by the Commission or any part thereof may be taken out from the secured location/facility, whether physically or electronically unless expressly authorized by the Commission.
SEC. 28. Electronic Device; Limitations. No electronic device of any kind, including but not limited to laptops, mobile phones, cameras, USB drives and other storage devices shall be permitted inside the secured location/facility unless expressly authorized by the Commission.
SEC. 29. Authority of the Local Source Code Ad-hoc Committee. The committee is authorized to issue implementing procedures on the conduct of the local source code review.
RESOLVED FINALLY, that the Commission may modify the above guidelines as it may deem fit and necessary.
Let the Education and Information Department cause the immediate publication of this Resolution in two (2) daily newspapers of general circulation in the Philippines.
SO ORDERED.
SIGNED:
- ABAS, SHERIFF M., Chairman
- PARREÑO, AL A., Commissioner
- GUIA, LUIE TITO F., Commissioner
- GUANZON, MA. ROWENA AMELIA V., Commissioner
- INTING, SOCORRO B., Commissioner
- KHO, ANTONIO JR. T., Commissioner