In the same way that the first round of the presidential elections, next May 31, is approaching, tensions are growing between President Gustavo Petro and the National Civil Registry, the entity in charge of organizing the electoral day. Faced with the insistence of the president in asserting that there are risks of fraud, the registrar, Hernan Penagos, made known a robust General Audit Plan to guarantee transparency.
The plan presented by Penagos this Thursday has four strategic components to ensure a comprehensive analysis and a systematic evaluation of the different electoral software systems involved in the process by political organizations, oversight bodies, and electoral observation missions. It includes a specialized international audit led by the Center for Electoral Advisory and Promotion (IIDH / CAPEL).
This audit is aimed at strengthening transparency and confidence in the presidential elections with three modules: specialized international external audit, systems audit, and international technical assistance. “For the first time in the electoral history of the country, there is an international audit of the presidential elections. This audit is in charge of a technical body with broad experience in the matter, which provides independent rigor, international standards, and a comparative perspective,” said Penagos.
Related: Colombia: Internal Corruption Allegations Undermine Petro Administration Credibility.
Source code will not be delivered, it will be exposed
But perhaps the boldest measure that the Registry is going to take in the interest of transparency is to allow the audit of the source code of the software for the selection of polling jurors, pre-count, scrutiny, and consolidation and dissemination of results by the auditors of the accredited political parties.
At first, the registrar announced that the source code of the four software systems involved in the elections will not be delivered, but will be exposed, something that is planned for two weeks, from May 11 to 24, enough time for party auditors to verify it. In addition, he assured that access to 100% of the code is guaranteed. The process will have the accompaniment of oversight bodies and electoral observation missions.
He then explained why the source code would not be delivered, as requested by President Petro. “Delivering the source code has serious difficulties for processing, for integrity, and for the viability of elections in Colombia,” said Penagos. “The first difficulty generated by that delivery is the possibility of software impersonation, that is, that malicious or ill-intentioned actors want to impersonate it, deriving obviously in the knowledge of the essence and in the possibility of misinforming and establishing fraudulent codes.”
“The delivery of the source code also generates risks because it allows ill-intentioned actors to design attacks on the logic of that source code, causing alterations to it,” continued the registrar. “That also produces evasion of the security controls that are implemented by the IT management, and also allows those actors to look for vulnerabilities to later be able to modify it.”
New clash between Gustavo Petro and the registrar
“The delivery of the source code is not carried out in any democratic nation. In Latin America, no one thinks of delivering or requesting that source code. The risks in terms of vulnerability and attacks on that source code are extremely high,” he concluded.
The response of President Petro was immediate and confrontational: “What registrar Penagos says is a lie. In the world, most countries do not have software with private source codes, but are property of the State. This was ordered by the plenary chamber of the Council of State in 2018, and since that date, all registrars until today have ignored justice,” he wrote on the social network X. “They keep the source code secret in the registry and in the hands of a private company whose owners were prosecuted in the U.S. for bank fraud, and not even the registry can audit it, since it has not learned the lesson when it is its duty.”
In any case, registrar Penagos announced that the process of freezing the pre-count, scrutiny, and digitization software of form E-14, as well as the software for consolidation and national dissemination of results, is planned for May 28. He also reported that as part of the preparatory activities for the presidential elections, multiple simulations will be carried out to evaluate the functionality, security, reliability and productivity of the IT and logistics solutions arranged for these elections.
Among the most decisive simulations are the national and international pre-count simulation, on May 16, the national and consulate scrutiny simulation on May 19 and 20, and the digitization of form E-14 on May 21.
The General Audit Plan also includes carrying out load and stress tests to measure the capacity of the different technological solutions involved in the process: pre-count, scrutiny, consolidation and dissemination, forms E-14 and E-11 (installation record and general voter registry), as well as platforms for jurors, Infovoters, control of polling stations, significant groups of citizens, among others.
The National Civil Registry emphasizes that cybersecurity is an essential component of electoral transparency. Therefore, access to the systems is carried out under controlled schemes, with technical audits, accompaniment of specialized organizations and strict security protocols, which guarantee both the integrity of the process and protection against threats.