Tesla Model 3 now on roads

Tesla unveiled the Model 3 in 2016, with Elon Musk promising a cheaper electric car than the Tesla Roadster and Model S.

In July 28 2017, Tesla hosted its delivery event for the first batch of 30 Model 3s pre-ordered in 2016. During this event, they released a bunch of information regarding the price, options, features, and specs of the Model 3.

David Imai, Senior Manager, Exterior and Interior Design at Tesla described the Tesla  as designed in a way where  “form can follow function without sacrificing comfort, performance, or styling”, because the cars have been build from the ground up.

The Model 3 starts at $35,000, but with options the price can get as high as $59,500. This dies not include taxes for your final destination, or country.

Standard Model 3

  • Unit price: $35,000,
  • 220 miles range (354 Kilometers range),
  • 5.6 sec 0-60mph (96kph),
  • 130 mph top speed (209kph top speed)
  • Full self-driving hardware
  • Wi-Fi and LTE connectivity
  • Free over-the-air software updates
  • Full LED lighting
  • Eight year, 100,000-mile battery warranty

Long range model 3

  • Unit Price: $44,000,
  • 310 miles range (499 Kilometers range),
  • 5.1 sec 0-60 mph (96kph),
  • 140 mph top speed (225kph top speed)
  • Rear wheel drive (the beginning configuration)
  • Premium upgrades
  • Three customization options: wheel size, exterior color, autopilot features

Options for Model 3

  • Long range battery – $9,000
  • Paint: Black, midnight silver metallic, deep blue metallic, silver metallic, pearl white multi-coat, red multi-coat (all colors but black cost $1,000 extra)
  • Wheels: 18″ aero or 19″ sport for an additional $1,500
  • Upgrade interior for $5,500 – Heated seating, two rear USBs, wood decor, 12-way power adjustable seats, premium audio system, tinted glass roof, auto dimming and heated side mirrors, LED fog lamps, center console with storage for docking two smartphones
  • Enhanced autopilot – $5,000 – Match traffic conditions, keep in lane, automatically change lanes, transition from one freeway to another, exit freeway and self park
  • Full self driving capability – $3,000 plus Enhanced Autopilot – This isn’t available now

For a while now, there have been rumors of Bitcoin war. The two camps have been sparing for over a year, and the fight is scheduled on 31st July 2017 Midnight. The winner will be announced on August 2017. That whole month will be used to evaluate the winner.

The War

This fight has been necessitated by a number of proposals for technical changes to Bitcoin – that is User Activated Hard Fork (UAHF) vs User Activated Soft Fork (UASF)

The User Activated Hard Fork (UAHF) is a proposal to increase the Bitcoin block size scheduled to activate on August 1. The UAHF is incompatible with the current Bitcoin ruleset and will create a separate blockchain. Should UAHF activate on August 1, there will be a new blockchain spewing out new coin associated with that Fork.

The User Activated Soft Fork (UASF) is a proposal to adopt Segregated Witness on the Bitcoin blockchain and could result in network instability. It is scheduled to activate at the same time as the UAHF on August 1.

If you have your bitcoins in any BTC wallet, be sure to find out which side your wallet is cheering, because that will decide the value of what you will be holding after the war is over.

Why have 2 different forks?

SegWit

The problem that the Bitcoin platform is facing is that as more and more transactions are being conducted, more blocks have to be added to the chain. Blocks are generated every 10 minutes and are constrained to a maximum size of 1 megabyte (MB). Due to this constraint, only a certain number of transactions can be added to a block. The weight of the transactions, represented by the blocks, is weighing down the network and causing delays in processing and verifying transactions, in some cases, taking hours to confirm a transaction as valid. Imagine all Bitcoin transactions that have been carried out since the inception of Bitcoin in 2009 sitting on the blockchain and still piling up. Long term, the system would not be sustainable if a radical change is not made.

SegWit is the process by which the block size limit on a blockchain is increased by removing signature data from Bitcoin transactions. When certain parts of a transaction are removed, this frees up space or capacity to add more transactions to the chain.

Segregate means to separate, and Witnesses are the transaction signatures. Hence, Segregated Witness in short, means to separate transaction signatures.

Read more: SegWit (Segregated Witness) Definition | Investopedia http://www.investopedia.com/terms/s/segwit-segregated-witness.asp#ixzz4nTOn151q
Follow us: Investopedia on Facebook

SegWit is an update for Bitcoin Core. It is assumed that this update will solve the problems. But some users, mining firms, i.e. Bitmain, and companies, i.e. Bitcoin Unlimited, do not support this idea. So, the realization of SegWit can split the whole system of Bitcoin. Some users and miners will accept new standards, but others can use the older version of Bitcoin code. So, different variants are considered to avoid this and save the one Blockchain of transactions.


Kenya does not have a data protection law. But there is a data protection bill [1] pending somewhere in the corridors of power.

Police in Eldoret arrested a man suspected of stealing over Sh180,000 from mobile money agents in Nandi using dozens of stolen SIM cards and ID cards, which were used to register M-Pesa lines

This is an election year in Kenya. As part of the requirements to vote, the Independent Electoral and Boundaries Commission (IEBC), the electoral body mandated to conduct elections, registered voters who will participate in the 2017 plebiscite. Just like most countries, to qualify to vote in Kenya[2], the voter has to be over 18 years, a citizen of Kenya, and hold an identification document which is either a National ID card, or a Kenyan passport.

This year, 19.6 million [3] people registered as voters. That is just about half of all Kenyan citizens of 48 million [4]. The beauty of the new revamped IEBC is that they released publickly all the datasets of registered voters [5]. Voter registration is only by physically going to a registration center. There is nothing like online registration. Registration entails capturing the biometric data of the vote. The biometrics are finger prints of both hands and facial features. They also capture all the details available at the registrar of person (full name, ID/passport number, and date of birth). Finally they capture your phone number, address, and voting location. To prove you are a registered voter, you are given a laminated card, which serves no purpose apart from bragging rights in the village pub. This whole process is called Biometric Voter Registration.

The author undergoes Biometric Voter Registration. Photo credit Mariana Mulinge.

Verification of voters
For some strange reasons, Kenyans feel a need to confirm their voter registration details. In this part of the world, elections are a high stake game, and the level of mistrust with the system is at it’s highest. According to the Constitution, the Electoral body has to provide a mechanism for the electorate to verify their voter data. Section 6 of the Election Laws 2011 was updated by The Election Laws (Amendment) Act, 2017 where “The Commission shall cause the Register of Voters to be opened for inspection by members of the public at all times for the purpose of rectifying the particulars therein, except for such period of time as the Commission may consider appropriate [6].

According to IEBC, there are two ways of identifying voters; through finger print scan, or though the ID document by either searching the ID number or scanning the machine-readable part of the ID. This process and tools are called Biometric Voter Identification (BVID).

In their wisdom, the IEBC provided a two week windows for voters to verify and correct any registration anomaly by physically going to a verification center. After the correction, the voter register is supposed to be accessible to the general public for auditing. IEBC has a provision to give the entire voter register to any entity for Ksh20,000 [7] (US$200). The law requires IEBC to provide the register for free or at a reasonable cost.

Not every Kenyan would require the entire register. Individual voters want to confirm their details on ongoing basis. IEBC has an SMS system where the voter sends an ID number to the phone number 70000 [8], and the system returns the registration details of that number if it’s registered. The cost of that SMS is Ksh7 (Us¢7). These are the parameters that the SMS returns; name, county, name, constituency, polling station code, polling station, ward. It does not matter who queries the database, the information returned is the same. One phone number can query as many registered voters as the amount of Ksh7 they are ready to spend. The system will return the full list of all those parameters. You don’t even need to send a challenge code like a date of birth to get that information.

IEBC SMS verification output. Image source twitter @OwenKims [9]

To make the system more intuitive, IEBC development a Web portal where voters can query the same voter information at http://voterstatus.iebc.or.ke/voter. Here at no cost, the voter uses their ID number to query and get their registration status. The query returns all these parameters; ID number, name, date of birth, gender, poling station, county, constituency, and ward. It does not matter which ID number you query, you will be able to get the voter data. Here too, more data than required for verification is displayed, and there is no challenge code asked by the system. Any automated bot can harvest the entire database. And that is the problem.

more data than required for verification is displayed, and there is no challenge code asked by the system. Any automated bot can harvest the entire database. And that is the problem.

The problem

For the privacy conscious, IEBC is doing poorly with how they are exposing raw data of nearly 20 million Kenyans to the world. Anybody with basic programing skills would be able to harvest the raw data through an automated search. If you search any random number with the format of Kenya ID numbers, say hypothetically 12345678, you will realize you can pull up citizen’s details, at least ID number, and name, and locality they live. Basic security tips would require the system to have a captcha to prevent automated harvest of the information, and also output just the required information for verification, and nothing more. A captcha is defined as program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites.

Screenshot IEBC website returning more information than necessary, and without requiring a captcha

 

To test this problem, I Googled one of the top Presidential candidate Raila Odinga’s ID number, which was readily available online [10]. I then went ahead to retrieve his registration details as shown in the screenshot below.

Screenshot of Raila Odinga’s Voter details. Image source @lordmwesh [11]

The technical solution

This data breech was discussed at length at the KICTANET mailing list [12], where the community provided several solution;

  • Have a captcha to prevent automated harvest of the information, and have a challenge questions like date of birth to supplement the ID number, therefore only have the data owner have access their information (suggestion by yours truly)
  • Limit requests per IP address (suggestion by Emmanuel Chebukati)
  • Implement a two factor authentication (suggestion by Denis G. Wahome)
  • A government backed smart card which would offer appropriate level of authentication without locking out access to a section of users (suggestion by Mark Kipyegon)
  • Use ID Serial Number as a check to match the ID number (suggestion by Ngigi Waithaka), which he thought could be central to Kenya’s citizen data authentication, where Citizens are made to keep their ID Serial number as their ‘private key’ for all authentication in government platforms. This suggestion was backed by Odhiambo Washington.
  • Integrate the IEBC system with the ecitizen platform [13].  (Suggestion by Victor Kapiyo)

The policy, legal, and procedural solution

Still on the mailing list, Grace Githaiga supported an idea of legitimate implementable solution, which could be sent to IEBC, mooted by Emmanuel Chebukati. Ali Hussein suggested the whole verification exercise be suspended until the rookie mistake by IEBC is rectified. He continued,  “This is a serious breach. In the dark web there are vendors of stolen identities. What IEBC has done is to basically leave the bank vaults open and invite every identity theft vendor in the world into this treasure trove.” Victor Kapiyo added that the implementation by IEBC showed that in the absence of guidelines on how citizens data is managed, then anything is possible, and it wouldn’t be so hard to mine this data from IEBC servers for whatever purpose.

Grace Mutung’u provided a legal interpretation quoting the provision of the elections act on the inspection of the register by the public. She said the idea of the elections act was not only for voters to verify their details but also for the public to inspect the register. Inspection serves an important role in assuring the integrity of the vote by weeding out errors, and non existent voters. The register is also available in physical form at constituency offices for public inspection. It should therefore be possible for members of the public to view other people’s voter registration details. The question should only be what details are made public and also how to prevent harvesting of the data. She objected the justification for serial numbers or SMS [two factor] verification.

From the problem statement, only two of these implementations seem feasible, and still comply with the elections law of allowing a public audit of the register. The solution is have a captcha, and output just enough information to verify a voter, and nothing more.

From the problem statement, only two of these implementations seem feasible, and still comply with the elections law of allowing a public audit of the register. The solution is have a captcha, and output just enough information to verify a voter, and nothing more.

Changes by IEBC

On being notified of the glaring data breaches, IEBC put of the online system for 2 weeks as they were implementing the security mechanisms. The SMS platform remained firmly online.

Computer screenshot of IEBC verification page temporarily down

 

Now, the new, robust system according to IEBC is live. With only one change, captcha.

A mobile screenshot of IEBC website voter identification form screenshot with the captcha

 

From the query, the system is still spewing out more information than required. From a data protection perspective, a clean implementation should maybe just show the initials of the voter, in the case for Raila Odinda, show RO, and his polling station. The query should certainly not show his date of birth, and gender.

A mobile screenshot query from the IEBC system still with more private information relayed to the public than necessary.

 

This sort of rookie mistakes makes you feel there are no competent programmers, cyber security analysts , legal professions, and policy experts remaining in Kenya. But we are here :-). This serves as an indictment to the community who develop applications without proper system analysis.

Kenya does not have any data protection law. But there is a draft data protection bill. This should be a priority for us in lobbying the next Parliament. Data protection is envisioned in the constitution [14]. Article 31(c) of the Constitution outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”. It would also regulate the collection, retrieval, processing, storing, use and disclosure of personal data.

The Access to Information Act 31 of 2016 confers the Commission on Administrative Justice the oversight and enforcement functions to ensure citizen’s privacy is maintained. in section 21 of the Act, the Commission on Administrative Justice has the Functions [15]; (b) request for and receive reports from public entities with respect to the implementation of this Act and of the Act relating to data protection and to assess and act on those reports with a view to assessing and evaluating the use and disclosure of information and the protection of personal data; (d) work with public entities to promote the right to access to information and work with other regulatory bodies on promotion and compliance with data protection measures in terms of legislation; (h) perform such other functions as the Commission may consider necessary for the promotion of access to information and promotion of data protection.

Why is all this important?

The Business Daily newspaper has case in point of citizen data breach. In 2011, a convicted criminal serving time at the Kamiti Maximum Prison, forged an ID card belonging to retired Chief of the Kenya Defense Forces (KDF), General Jeremiah Kianga. The fraudster conned Kenyans off thousands of shillings via mobile money with the promise of enrolling them in the army. Last March, police in Eldoret arrested a man suspected of stealing over Sh180,000 from mobile money agents in Nandi using dozens of stolen SIM cards and ID cards, which were used to register M-Pesa lines [16].

Who else is mishandling citizen data in Kenya? Reach out to me if you have such case studies at @lordmwesh

The next debate on information confidentiality is usually centered around the question, “Why should I care if I have nothing to hide?” The next article will try to answer that question. Do you have anything to hide?

Sources

  1. Data protection bill 2013 http://icta.go.ke/data-protection-bill-2012/
  2. Elections Act No: No. 24 of 2011 http://www.kenyalaw.org/lex//actview.xql?actid=No.%2024%20of%202011
  3. Registered Voters Per Constituency For 2017 General Elections https://www.iebc.or.ke/docs/Registered%20Voters%20Per%20Contituency%20For%202017%20General%20Elections.pdf
  4. Kenya Population http://www.worldometers.info/world-population/kenya-population/
  5. Statistics of 2017 voters https://www.iebc.or.ke/registration/?stats
  6. Election Laws Amendment Act 2017 http://kenyalaw.org/kl/fileadmin/pdfdownloads/AmendmentActs/2016/ElectionLaws_Amendment_Act_No1of2017.pdf
  7. IEBC register Sh20,000 price tag questioned www.businessdailyafrica.com/news/IEBC-register-Sh20-000-price-tag-questioned/539546-4002054-fdm6p9/index.html
  8. Check registration status by texting ID or passport number to 70000 – IEBC www.the-star.co.ke/news/2017/06/29/check-registration-status-by-texting-id-or-passport-number-to-70000_c1588008
  9. SMS verification output https://twitter.com/OwenKims/status/880376549920448512
  10. Raila shares ID number with another voter https://citizentv.co.ke/news/raila-shares-id-number-with-another-voter-155443/
  11. Screenshot without captcha https://twitter.com/LORDMWESH/status/880554515832782855
  12. [kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration datahttps://lists.kictanet.or.ke/pipermail/kictanet/2017-June/052096.html
  13. Kenya E-citizen portal https://www.ecitizen.go.ke/ecitizen-services.html
  14. Constitution of Kenya http://www.kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=Const2010
  15. Access to Information Act No. 31 of 2016 http://www.kenyalaw.org/lex//actview.xql?actid=No.%2031%20of%202016
  16. Safaricom goes for photo IDs to block M-Pesa fraud http://www.businessdailyafrica.com/corporate/companies/Safaricom-photo-ID-agents-M-Pesa-fraud/4003102-4008158-1sep6kz/index.html retrieved 10 July 2017