SOUTH KOREA: National Election Commission must ensure security of data in order to guarantee free and fair elections
The Asian Human Rights Commission (AHRC) is deeply concerned with the introduction of the new online service for national elections by the National Election Commission (NEC). The failure of the previous system in October last year during the Seoul Mayor election has raised serious concerns about allegations of election fraud. The National Assembly decided to set up an independent body that would commence its work in early March. Despite the important evidence such as log files of such failure, the NEC may use this technical restructuring process to justify the disappearance of key evidence.
Due to the vacancy of the Seoul Mayor after his voluntary resignation, a new election was held on October 26, 2011 in Seoul. On the Election Day, a significant number of polling places were changed in which the electorate was not fully aware or informed. In the early morning before going to work, many people accessed the main web page of the NEC in order to find out the link redirecting to the information on the location of polling place for voting. They however, were unable to be linked to the data base where the location of the polling place could be found. The police started investigation on the basis of the Distributed Denial of Service (DDoS) attack, which took over a month.
Meanwhile, a serious allegation has arisen that the failure to access to the data base containing the polling place from the NEC web page was not because of DDoS attack but the involvement of a person who could be either outsider, meaning a hacker or by an insider meaning, a person who knows the system and is in a position to manipulate or disconnect the link reached to the data base.
The Prosecutor's Office further investigated this matter and released their investigation report on January 6, 2012. According to the report, seven people including the secretary of the then Chairperson of National Assembly and assistants to Members of Parliaments belonging to 'New World Party', former Grand National Party and other Information Technology (IT) workers were accused of their involvement in this attack and indicted accordingly. It also reported that the DDoS attack took place to the main web page of the NEC from 6:16am to 8:32am of the Election Day which impeded the electorate from access to data base. It further asserted that no involvement from a third party was found.
Ironically however, some serious allegations were raised. Firstly, people were able to access to the main web site of the NEC but was unable to be redirected to the data base by clicking from its web site. Secondly, it is also reported that while investigation, the prosecutor's office failed to manifest the disconnection to the data base only through the DDoS attack. Thirdly, contrary to the prosecutor's investigation report, after the attack, the IT company providing service for protection to NEC from DDoS attack published a report, which says, 'the system prevents successfully from the amount of traffic which was approximately 2 gigabyte and due to the transmission, it impacted the web server causing the web site slow but resulted in no damage to the system'. The NEC officially acknowledged as well that there was no damage due to the DDoS attack. However, the investigation report failed to verify the disconnection to the data base.
Nonetheless, the unchanged fact is that through failure to access to the data base, the electorate's right to vote has been denied and law enforcement agencies have so far failed to give good reasoning to the public beyond reasonable doubts.
The doubts provoked the political parties' agreement to pass a bill on February 9, 2012 to set up independent investigating body into this matter. According to the Act, a person will be appointed to form and lead the body and its investigation will start from early March, 2012.
Apart from the question of the technical issues involved and that the current system was successfully able to block such attack according to the IT company, nonetheless, the National Election Commission plans to change its whole system under the name of its improvement. It is reported that the National Election Commission hurriedly shorten the time which normally takes longer than half year to get final approval with due process through a public tender if the amount of a government project is over a million Korean Won. However, the National Election Commission is failing to follow due process and planning to have it done before the general election scheduled on April 11, 2012.
Importantly, there is no regulation or law for the National Election Commission to keep all the old data after a change of system is made. It means that although the independent investigating body starts its investigation, it could not find any of such data to investigate the reason of disconnection of the data base on the Election Day. If this is, the result will be nothing different from the prosecutor's office. Forming such an independent body will be nothing but a facade.
Every citizen has the right to vote and have equal access to public service in his country. The free expression of the will of the electors should reflect on the result of the election through fair and transparent system. However, serious allegations above have arisen and if they fail to provide beyond reasonable doubts to the public, the election commission will lost its confidence from the public.
Under this circumstance as the matter of urgency as well as utmost interest to the public, the Asian Human Rights Commission urges the National Election Commission to secure all the data if a change of whole system is indeed necessary. The Election Commission should allow other independent body totally outside from it to fully participate in the process of securing all data from the beginning. In addition, all data should be kept in an independent and safe place where no attempts of manipulation are made possible.
Despite this warning, if a single datum is either destroyed or damaged with the failure of the government's proper action, there will be no room for the government to exonerate from its responsibility and it would appear that the destruction of such datum is done either under the implied consent with or acquiescence of the government.