Why the TEC Certification Report on the AES Source Code Should Concern Us All

IMPLIED PH
As the Philippines prepares for its national and local elections this Monday, confidence in the electoral process is more critical than ever. Yet a review of the TEC Certification Annex B, the document validating the Automated Election System (AES) source code, raises serious questions about transparency, thoroughness, and accountability.

After thoroughly examining the report as a developer, I found several red flags that warrant closer public scrutiny. These concerns do not come from speculation, but from specific technical shortcomings within the report itself.

1. Poor Structure and Presentation
The report is marred by formatting issues, typographical errors, and inconsistent labeling. For a document tied to the integrity of our election system, this level of sloppiness is unacceptable. It sets a troubling tone for what should be a precise and carefully prepared certification report.

2. Contradictory Claims About Compliance
The review claims that the submitted code complies with the 2005 EAC VVSG (Voluntary Voting System Guidelines) Version 1.0, yet also admits that the source code wasn’t actually written to meet those standards. This contradiction is brushed aside, with the justification relying solely on the output of code analysis tools like SonarQube and Parasoft Jtest.

Tool-based scanning can assist in detecting issues, but it is not a substitute for compliance with the standard. Without clear documentation of how the gaps were addressed, such conclusions are unfounded and misleading.

3. Lack of Specific Findings or Evidence
While the report mentions that “a few issues” were found and “submitted to vendors,” it offers no breakdown of what these issues were, how serious they were, or whether they were fully resolved. There are no specific code samples, no severity classifications, and no evidence of patch verification. It reads more like a summary than a technical review.

4. Absence of Critical Metrics
Key audit metrics are missing from the report:
•No mention of how many lines of code were reviewed
•No code coverage statistics
•No classification of vulnerabilities (e.g., buffer overflows, logic flaws)
•No tracking of how many issues were raised and how many were resolved

These are basic components of any serious source code evaluation, and their absence is deeply troubling.

5. Weak Security and Risk Assessment
The report repeatedly states that the code was scanned for backdoors, test flags, hardcoded credentials, and security vulnerabilities. Yet, there is no record of what tools were used in each case, no methodology, and no results summary. In effect, the report says "we checked," but gives us no reason to believe they checked thoroughly.

6. Lack of Reviewer Transparency
Nowhere in the document are the names, qualifications, or affiliations of the actual reviewers mentioned. Independent verification and peer review are standard in any high-stakes technical audit. Without knowing who reviewed the code, or whether they were truly independent, it’s hard to trust the conclusions.


Why This Matters
Elections are the foundation of democracy. Every citizen has the right to be confident that the system counting their vote is secure, transparent, and free from manipulation. The TEC Certification report should serve as a pillar of that confidence, not as another source of uncertainty.

Unfortunately, this report fails to provide the clarity and credibility that the public deserves. It reads like a rushed formality, not a rigorous evaluation.

What Should Be Done
COMELEC and the certification bodies involved must be urged to:
•Release detailed findings and remediation logs
•Provide tool output summaries for independent review
•Disclose who reviewed the code and how independence was ensured
•Explain how compliance was verified despite non-conforming source code

Only through transparency and accountability can we rebuild trust in our digital election systems.

With the elections just days away, it is not too late to ask the right questions and demand clear answers.
