How bad is the COMELEC data breach?

Back in March 27, 2016 hackers under the banner, Anonymous Philippines hacked into the website of the Commission on Elections defaced it to demonstrate how weak the poll body’s online security measures are. A few days later, another group of hackers LulzSec Pilipinas made available online the entire database of COMELEC – 338GB in size containing information of more than 55 million voters.

COMELEC Chair Andres Bautista said that no confidential information was leaked. COMELEC has downplayed the scale of the data breach to allay fears that it could compromise the results of the 2016 elections. While a valid concern and the election results were untainted, it brushed aside the other equally great risk for the millions of registered voters whose personal identifiable information has been compromised.

The newly established National Privacy Commission has just finished its investigation of the data breach and had made public the types of personal data that has been made available to anyone online including criminals:

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”

“The voter database in the Precinct Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’ name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system.” the decision further reads, depicting how much personal data are now most likely in the hands of criminal elements as a result of the COMELEC data breach.

Here’s a rundown of the personal identifiable information that has been leaked:

  • voter’s verified name
  • date of birth
  • gender
  • civil status
  • post of registration
  • precinct number
  • birthplace
  • disability
  • voter identification number
  • voter registration record number
  • reason for deletion/deactivation
  • registration date and update time
  • passport information with number and expiry date
  • taxpayer identification number
  • e-mail address
  • mailing address
  • spouse’ name
  • complete names of the voter’s mother and father
  • voter’s addresses in the Philippines and abroad
  • post or country of registration
  • old registration information
  • Philippine representative’s complete name
  • citizenship
  • registration assistor
  • profession
  • sector
  • height and weight
  • identifying marks
  • biometrics description
  • voting history
  • mode of voting
  • other textual reference information for the voter registration system

To criminals who is into identity theft, use of forged documents and IDs, impersonation, blackmail and harassment, the COMELEC data leak is a gold mine.
If you’re a registered voter, you are vulnerable to hacking of your social media and other online accounts, identity theft which would compromise your bank accounts, utilities, academic or professional records, etc it could even be used to manipulate the next elections.

The NPC is just right in recommending the filing of criminal charges against COMELEC Chair Andres Bautista as he is liable for this catastrophic violation of Republic Act No 10173 or the Data Privacy Act of 2012.

I don’t know how else to say it, but this has really got me scared.

Would manual parallel count be good for the May 10 elections?

The worries over the reliability of the automated election system which will be used for the first time during the May 2010 national and local elections has galvanized the sentiments of some sectors of the public to conduct a parallel manual count.

While the intention is good and deserves merit, I’d leave its legality to the experts and instead dwell on the possible pro’s and con’s.

The popular logic is that the automated election system has yet to win over the public’s complete trust because of the experienced problems with the PCOS machines, the glitches in printing of the ballots themselves, fears of power failures, hack attacks on the system and how the COMELEC has been conducting the preparation and implementation of the country’s first ever automated elections, a parallel manual count would ensure that the results are credible and accurate.

This logic rests on the fear that those problems would indeed manifest themselves on Election Day and at worst, put the results of the elections in doubt.

However, if we reverse the logic, say trust that the automated election system would perform satisfactorily on election day with the results being made available, because of the sheer speed of the automated election system in tabulating and consolidating the election results, within a
week at the most of closing of the polls and leaving the progress of the parallel manual count in the dust.

And once the results from the parallel manual count is out but is not consistent with the results of the automated election system, which one is then to be taken as credible and reflective of how the electorate really voted?

Say for example, that in the automated election results, Manny Villar wins the Presidency while Mar Roxas wins as Vice President but the results of the parallel manual count shows that Noynoy Aquino won as President while Loren Legarda bags the Vice Presidency. The difference between the two results is around 20%, what will happen next? Your guess is as good as mine.

So while writing this post, I asked a friend this question: “After Election day, which of the results would you believe as the real one, the results of the automated election system or the one from the parallel manual count?

His answer was straightforward, “the manual count”.

If you were to be asked the same question, what would your answer be?

Bloggers’ first hands-on of poll automation

As a blogger or Filipino are you concerned about our democracy and the future of our country especially now that 2010 Presidential elections are just around the corner?

If so, Bloggers’ Kapihan is inviting you to an event that will be a step in the positive direction:

What: Bloggers’ briefing on poll automation

When: July 19, Saturday, 1:00pm – 3:30pm

Where: COMELEC Automated Electoral System Information Office, ground floor, Palacio del Gobernador Bldg. Intramuros, Manila (near Manila Cathedral)

The Commission on Elections will give a special briefing on poll automation to 20+ bloggers on July 19.

COMELEC and its technology suppliers will conduct actual trainings on the usage of electronic voting machines and automated counting machines. Video presentations and tutorials will also be shown. The voting machines will be used in the ARMM elections next month.

The briefing will also be an opportunity to hear the feedback of voters and bloggers about the poll automation program of Comelec.

Program

1:00 Opening remarks – Mr. James Jimenez, Comelec Spokesperson

1:05 Comelec presentation

2:40 Reaction from Bloggers’ Kapihan

2:45 Open Forum

Due to limited seat, we urge the interested participants to send an email to mongpalatino[at]gmail[dot]com.