Senatorial candidate Jose de Venecia III claims the automated election system can be easily hacked by a lean team of about 30 hackers. The self-proclaimed IT expert whose claim to fame was an expose on a broadband deal that he himself used to be a party to says these hackers can easily get into Comelec's servers.

Ows?

Comelec has repeatedly assured that the system is secure. It should be clear to everyone though that all systems can be hacked, but not all systems are that easy to crack.

Here are some of the security features of the automated system. Check it out and see for yourself if De Venecia's claim holds water.

Security Features

Bar Code. The ballot contains a bar code that guarantees the ballot’s authenticity. If the
bar code is compromised in any way, the ballot will no longer be read by the PCOS. This
will prevent the proliferation of fake ballots that could be used to pad results.

Maximum Number of Ballots. Each PCOS can only count a maximum number of
ballots equal to the number of registered voters plus the BEIs. This will prevent ballot
stuffing as the PCOS will not be able to count ballots beyond the maximum number.

Precinct Based. Since the PCOS is precinct-based, there will be no transportation of
ballots. All the ballots for a given precinct will be counted by the PCOS within the
precinct and the results transmitted directly to the central server and boards of canvassers.
This will prevent ballot snatching and ballot switching.

Paper Based. The PCOS utilizes a paper ballot, so results can be audited by opening the
ballot box and manually counting the ballots. This will be done during the random
manual audit to be conducted by the COMELEC immediately after the elections and
during electoral protests.

Optical Scan. In addition to counting the marks on the ballots, the PCOS also scans each
ballot and stores the image in memory. This provides another layer of auditability in
addition to the paper ballots. This will also ensure the ballots are not tampered with after
they have been cast.

Encryption. Transmissions of results will be encrypted using 128-bit encryption. This
means a total of 2128 possible combinations for the encryption key. A device that could
check a billion-billion keys (1018) per second would still require about 1013 years, which
is longer than the age of the universe.

Access Codes. Each PCOS operator will be given a unique access code that will allow
him/her to operate the PCOS machine. This will prevent unauthorized individuals from
operating the PCOS machines and even prevent authorized individuals from operating
other PCOS machines.

Audit Log. The PCOS machine and the consolidation and canvassing system both
maintain an immutable audit log that tracks all users and actions performed on the
system. This will enable the COMELEC to identify any perpetrators who attempt to
manipulate the system or results.

Transparency. Results will be made available immediately after they are transmitted
from the precinct to the central server. This will allow the public to track the unofficial
results in real-time. While the proclamation might take a few days due to the required
verification of the boards of canvassers, the unofficial results should be complete within a
few hours, which practically eliminates the window for manipulation.

COMELEC Advisory Council
24 July 2009