Elections Systems and Citizen Data Protection.

Governments and government agencies globally are some of the largest custodians of citizen data, collected over time for various intents and purposes as prescribed by different laws. The Kenyan government is no different. This is an essential part of the government’s planning and especially in resource allocation.

The Independent Electoral and Boundaries Commission is an independent body that is responsible for the collection, storing and use of voter details to carry out voting exercises around the country. The Kenyan elections happened 8th August 2017 through a process that was both nationally and internationally acclaimed and criticized in equal measure. The recent Supreme Court Running overturned the outcomes of the elections and ordered for a new election scheduled for October 2017.
 
To qualify as a voter in a Kenyan election, one must be a Kenyan Citizen, be above the age of 18, hold a national ID or Passport and register as a voter. After the voter registration process, all voters are encouraged to verify their registration details through online or mobile systems set up by the IEBC as stipulated in the elections laws. The details that are collected about the voter include the Voter’s ID/Passport number, name, their age, gender, and birthdate. These are also the same details that are verified by the voter using the online/mobile systems.

According to the Access to Information laws 2016 on personal information that should be protected, a few key parameters stand out; information relating to gender, age, birth of an individual, any identifying number (ID/Passport). These are exactly the details that were collected by the elections body for 19,687,563 citizens of Kenya. 40% of the population.

System Privacy Vulnerabilities:
In the advent of data protection regulations and interventions, these regulations aim to regulate the collection, retrieval, processing, storage, use and disclosure of personal data. The IEBC is required by law to make the voter register available for individual verification of registration status online.

With the rising cases of identity theft in Kenya, the expectation is that the security of a system that carries 40% of personal data of Kenyan Citizens would be secure enough to prevent any cases of data breach or theft; instead, the system that was deployed had some weaknesses that exposed all of the data that should be protected freely and openly accessible to anyone that could type any variation of numbers that match a national ID number.

Some of the system weaknesses include:

  1. No captcha

The initial voter verification system had no captcha (a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites), meaning that a well versed computer programmer could write a piece of code that could harvest all the data from the voter register.

Even with the introduction of a captcha after a public uproar on the vulnerabilities of the system, the system still only required the entry of an ID number, any ID number, to get multiple layers of citizen personal data.

2. Selling the entire database for $200

Systems in most developing countries are usually porous enough to allow for mashing up of different datasets to recreate an identity or detail of an individual. The IEBC selling an entire voters’ register to whoever could afford to pay $200 meant that this information could potentially be used to reconstructed to create the identities of individuals, a result of which could be used for targeted reach of un-consenting voters.

The above is a text message I received from an aspirant that not only identified me, but also had the exact details of my polling station.

3. Not limiting access to the voter register.

Anyone with a mobile phone or an internet connection had access to pretty much the entire voter register depending on their determination to access it. There was no security feature installed to ensure that for one to have access to the voter details, they had to have a level of knowledge of the voter.

All the details contained in the above image are great parameters for identity theft.

Recommendations

Citizen data being very critical for national and subnational planning, there needs to be more that is done to ensure this particular set of data is not only secure but that it is also kept clean, accurate and correct. The easiest way to ensure that this happens is by streamlining the processes that are involved in data collection, storage, access and dissemination.

Custodians of any datasets that contain personal data of any individuals need to be properly trained on how to handle that data and especially to prevent cases of introducing impurities into the data, such that the data becomes too unreliable and undependable especially for decision making.

Access to datasets that contain personal data needs to be limited to only those with the right clearance of the owners of that data themselves. Article 31(c) of the Kenyan constitution under the right to privacy provides that citizens have a right to not have information about their private affairs unnecessarily required or revealed.

For mass access of data, the normal standard is to anonymize the data as much as possible so that it cannot be used to map back to any one or group of individuals. These lessons can be taken in to inform the process that is going in to inform the formulation and improvement to the current data protection bill. To do it right before it becomes law.