Open VCM

Grass-Roots Driven End-to-End Verifiable Voting

Jan 17, 2025By Jay Jimenez
Jay Jimenez

Introduction

The foundation of a healthy democracy is a free, fair, and honest election system. It is a state in which the electorate trusts the government that it has the policies and mechanisms in place to ensure that votes are protected, free from fraud, and genuinely reflect the will of the people. Automation is pivotal in guaranteeing integrity as it minimizes human intervention that could tamper with the election result. Since the Philippines started its automated election system in 2010, numerous legal cases questioning its conduct or its outcome in part or its entirety have reached the land's highest court (Judiciary.gov.ph, 2017). While the government is doing its mandate to ensure that security controls are in place to combat both external and internal threats, it should always continue to address reasonable doubts in its approach to protect the integrity of votes as technologies and threat landscape continuously evolve (Cisa.gov, 2025). This means that the entire security chain could demonstrate its capability to preserve integrity from all threats, especially insider threats.


An insider threat to an election system that utilizes optical-scan-based technology is when a malicious insider flips the vote in favor of a chosen candidate (Bernhard et al., 2019). In a country like the Philippines, with almost 100,000 counting machines deployed in every election period, this is hard to detect and poses a significant risk to vote integrity. Previous election systems since 2010 have outlined several policies that intend to resist this kind of attack. One of these is the source code review, in which experts were invited to review the source code designed to be compiled and built for all machines. However, it is challenging to demonstrate to the electorate that every counting machine uses the trusted build. There is a lack of openness, if not a total absence of a mechanism to verify that the trusted build derived from reviewed code is deployed. The second known security control to deter this threat is the random manual audit, which allows the recount of 4% of all clustered precincts. However, how this RMA is conducted from selection to actual execution of audits is still not transparent to the electorate and not convincingly demonstrable. With the security controls previously mentioned, it is insufficient to convince the voters that the election outcome is 100% foolproof.


Verifiable Scheme
 

A verifiable scheme is a paradigm in which the election outcome is verified from casting votes to its final tally. This is a mental model shift from a hard-to-grasp and highly technical source code review mentioned earlier. It only offers how the counting machine works and how technically inclined people understand it. A verifiable scheme is independent of the machine's internal workings as it only concerns that the output is reasonably derived from the set of inputs (i.e., VVPAT).  Since a verifiable scheme offers higher confidence through widescale precinct-level verification within the election day, it is far superior to the random manual audit in detecting fraud and increasing voters' trust.

A verifiable scheme must demonstrate that the votes are recorded as cast and counted as recorded. While the scheme is undoubtedly promising, its effectiveness relies on policies allowing a third-party implemented mechanism for end-to-end verification to fortify the security chain. Figure 1 shows a practical verification of votes by manually counting the receipts by an accredited Citizen Arm.

While manual receipt counting provides end-to-end verifiability, it may require an additional 700 minutes, assuming 700 receipts per clustered precinct. The most favorable approach is a solution that combines verifiability and automation.


The COMELEC’s Implementation of Verifiable Scheme for the 2025
Election

In the middle of 2024, COMELEC demonstrated a new counting machine that features a new Voter Verifiable Paper Audit Trail (VVPAT) receipt with a QR code.  The content of the QR code claims to correspond with the printed text of the VVPAT. After the polling precinct is closed, every receipt shall be scanned by a scanner attached to the same machine where the receipts were printed. QR codes will be transmitted to the election watchdogs, such as NAMFREL and PPCRV, for verification and counting. 

Strengthening COMELEC’s Implementation by 3rd-Party Verification

The COMELEC and its service contractors that provide a critical function for the election are always viewed by the electorate as one. Hence, for the entire verification chain to achieve complete integrity and be trusted by the voters, the printed receipts should be verified by tools and parties independent of COMELEC and the service provider’s people, process, and technology.  In a YouTube (2024) video published by ANC, it was evident that the tool used to scan the QR code for 3rd-party counting will be provided by the same provider that printed the receipt.  Moreover, it was also not demonstrated in the same video who and what will verify the accuracy of the QR codes against the printed text. A proper end-to-end verification scheme should indicate that the process, people, and technology that will conduct the verification are neither COMELEC itself nor its paid 3rd-party contractors. This is the golden rule to ensure the verification process is free from conflict of interest and insider collusion. Fortunately, in the same video, Comelec Chairman George Garcia guaranteed and mentioned, “… We will going to allow NAMFREL, PPCRV, the majority party, and minority party even to capture the QR codes so they can immediately send to their headquarters the results on per precinct basis”. 


As shown in Figure 2, a grassroots-driven, mobile app-enabled complete end-to-end verification requires a four-phase approach involving every member of the electorate and the poll watchers (i.e., a verifiable chain).


Phase 1. The verification of printed receipt as the vote has been cast

This is the first chain verification where a voter must ensure that it has wholly verified the receipt if it accurately printed the voter’s chosen candidates. Voters have been aware of this practice since the previous election. After voter verification, the receipt will be deposited into the assigned secure box.


Phase 2. The verification of the QR code and the printed text

After the polling is closed, a verifier with a mobile app scanner scans the QR code printed on the receipt and compares the app's output against the candidates' names printed on the receipt. This phase ensures that the machine accurately prints the correct QR code.


Phase 3. Counting of the QR codes

Parallel to phase 2, a mobile app will count the receipts, produce a tally of all the receipts, and compare the results against the election return. The app will also transmit the tabulated result to a server so that the public can verify the official election return against the mobile app’s tallied result.  This process will take 35 minutes to complete.


Phase 4. Comparison of printed election return against the published online result

Every counting machine transmits its results to servers managed by election watchdogs to ensure no manipulation between the precinct’s counting machine and the official count. This transparency server previously allowed the election watchdogs to compare the counting machine's results against the official count.


Conclusion
 

Every electorate member should participate to achieve complete integrity in the upcoming 2025 election. After casting votes and feeding the ballot to the counting machine, it is his/her duty to verify the receipt's output to see if it accurately prints his/her chosen candidates and ensure that such a receipt has been deposited in the designated box.  Poll watchers and various Citizen Arm must ensure that after the polling is closed, the verification process begins by comparing the QR code against the printed names on the receipt and ensuring that all receipts have been counted and tallied by the OpenVCM app. The final tally of the OpenVCM app can be compared to the counting machine’s printed Election Return and the officially published result online. The process will only take an hour to complete, with no additional government expenditure, but it will result in 100% confidence in the integrity of the election.  


References Cited

Bernhard, M., Kandula, K., Wink, J. and Halderman, J. (2019). UnclearBallot: Automated Ballot Image Manipulation. Lecture notes in computer science. 11759:14-31


Cisa.gov (2025)  Election Threat Updates [Online] Available at  https://www.cisa.gov/topics/election-security/election-threat-updates (Accessed 14 January 2025)


Judiciary.gov.ph (2017) BAGUMBAYAN-VNP MOVEMENT, INC., AND RICHARD J. GORDON, AS CHAIRMAN OF BAGUMBAYAN-VNP MOVEMENT, INC., PETITIONERS, VS. COMMISSION ON ELECTIONS, RESPONDENT. [Online] Available at https://elibrary.judiciary.gov.ph/thebookshelf/showdocs/1/61738 (Accessed 24 December 2024)


Youtube.com (2024) Comelec demonstrates features of new Miru voting machines | ANC [Online] Available at https://www.youtube.com/watch?v=lfiy_V6UkMU9 (Accessed 14 December 2024)