Kenya does not have a data protection law. But there is a data protection bill [1] pending somewhere in the corridors of power.


This is an election year in Kenya. As part of the requirements to vote, the Independent Electoral and Boundaries Commission (IEBC), the electoral body mandated to conduct elections, registered voters who will participate in the 2017 plebiscite. Just like most countries, to qualify to vote in Kenya[2], the voter has to be over 18 years, a citizen of Kenya, and hold an identification document which is either a National ID card, or a Kenyan passport.

This year, 19.6 million [3] people registered as voters. That is just about half of all Kenyan citizens of 48 million [4]. The beauty of the new revamped IEBC is that they released publicly all the datasets of registered voters [5]. Voter registration is only by physically going to a registration center. There is nothing like online registration. Registration entails capturing the biometric data of the voter. The biometrics are fingerprints of both hands and facial features. They also capture all the details available at the registrar of persons (full name, ID/passport number, and date of birth). Finally they capture your phone number, address, and voting location. To prove you are a registered voter, you are given a laminated card, which serves no purpose apart from bragging rights in the village pub. This whole process is called Biometric Voter Registration.

The author undergoes Biometric Voter Registration. Photo credit Mariana Mulinge.

Verification of voters
For some strange reason, Kenyans feel a need to confirm their voter registration details. In this part of the world, elections are a high-stakes game, and the level of mistrust of the system is at its highest. According to the Constitution, the electoral body has to provide a mechanism for the electorate to verify their voter data. Section 6 of the Election Laws 2011 was updated by The Election Laws (Amendment) Act, 2017 where “The Commission shall cause the Register of Voters to be opened for inspection by members of the public at all times for the purpose of rectifying the particulars therein, except for such period of time as the Commission may consider appropriate” [6].

According to IEBC, there are two ways of identifying voters: through a fingerprint scan, or through the ID document by either searching the ID number or scanning the machine-readable part of the ID. This process and its tools are called Biometric Voter Identification (BVID).

In their wisdom, the IEBC provided a two-week window for voters to verify and correct any registration anomaly by physically going to a verification center. After the correction, the voter register is supposed to be accessible to the general public for auditing. IEBC has a provision to give the entire voter register to any entity for Ksh20,000 [7] (US$200). The law requires IEBC to provide the register for free or at a reasonable cost.

Not every Kenyan would require the entire register. Individual voters want to confirm their details on an ongoing basis. IEBC has an SMS system where the voter sends an ID number to the phone number 70000 [8], and the system returns the registration details of that number if it’s registered. The cost of that SMS is Ksh7 (US¢7). These are the parameters that the SMS returns: name, county, name, constituency, polling station code, polling station, ward. It does not matter who queries the database; the information returned is the same. One phone number can query as many registered voters as the amount of Ksh7 they are ready to spend. The system will return the full list of all those parameters. You don’t even need to send a challenge code like a date of birth to get that information.

IEBC SMS verification output. Image source twitter @OwenKims [9]

To make the system more intuitive, IEBC developed a Web portal where voters can query the same voter information at http://voterstatus.iebc.or.ke/voter. Here, at no cost, the voter uses their ID number to query and get their registration status. The query returns all these parameters: ID number, name, date of birth, gender, polling station, county, constituency, and ward. It does not matter which ID number you query; you will be able to get the voter data. Here too, more data than required for verification is displayed, and there is no challenge code asked by the system. Any automated bot can harvest the entire database. And that is the problem.


The problem

For the privacy conscious, IEBC is doing poorly with how they are exposing raw data of nearly 20 million Kenyans to the world. Anybody with basic programming skills would be able to harvest the raw data through an automated search. If you search any random number with the format of Kenyan ID numbers, say hypothetically 12345678, you will realize you can pull up a citizen’s details: at least the ID number, the name, and the locality they live in. Basic security practice would require the system to have a captcha to prevent automated harvesting of the information, and to output just the information required for verification, and nothing more. A captcha is defined as a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites.

Screenshot IEBC website returning more information than necessary, and without requiring a captcha

 

To test this problem, I Googled the ID number of Raila Odinga, one of the top Presidential candidates, which was readily available online [10]. I then went ahead to retrieve his registration details as shown in the screenshot below.

Screenshot of Raila Odinga’s Voter details. Image source @lordmwesh [11]

The technical solution

This data breach was discussed at length on the KICTANET mailing list [12], where the community provided several solutions:

  • Have a captcha to prevent automated harvesting of the information, and have a challenge question like date of birth to supplement the ID number, so that only the data owner has access to their information (suggestion by yours truly)
  • Limit requests per IP address (suggestion by Emmanuel Chebukati)
  • Implement a two factor authentication (suggestion by Denis G. Wahome)
  • A government backed smart card which would offer appropriate level of authentication without locking out access to a section of users (suggestion by Mark Kipyegon)
  • Use ID Serial Number as a check to match the ID number (suggestion by Ngigi Waithaka), which he thought could be central to Kenya’s citizen data authentication, where Citizens are made to keep their ID Serial number as their ‘private key’ for all authentication in government platforms. This suggestion was backed by Odhiambo Washington.
  • Integrate the IEBC system with the ecitizen platform [13] (suggestion by Victor Kapiyo)

The policy, legal, and procedural solution

Still on the mailing list, Grace Githaiga supported the idea, mooted by Emmanuel Chebukati, of a legitimate, implementable solution which could be sent to IEBC. Ali Hussein suggested the whole verification exercise be suspended until the rookie mistake by IEBC is rectified. He continued, “This is a serious breach. In the dark web there are vendors of stolen identities. What IEBC has done is to basically leave the bank vaults open and invite every identity theft vendor in the world into this treasure trove.” Victor Kapiyo added that the implementation by IEBC showed that in the absence of guidelines on how citizens’ data is managed, anything is possible, and it wouldn’t be so hard to mine this data from IEBC servers for whatever purpose.

Grace Mutung’u provided a legal interpretation, quoting the provision of the Elections Act on the inspection of the register by the public. She said the idea of the Elections Act was not only for voters to verify their details but also for the public to inspect the register. Inspection serves an important role in assuring the integrity of the vote by weeding out errors and non-existent voters. The register is also available in physical form at constituency offices for public inspection. It should therefore be possible for members of the public to view other people’s voter registration details. The question should only be what details are made public and also how to prevent harvesting of the data. She objected to the justification for serial numbers or SMS [two factor] verification.

From the problem statement, only two of these implementations seem feasible while still complying with the elections law of allowing a public audit of the register. The solution is to have a captcha, and to output just enough information to verify a voter, and nothing more.

Changes by IEBC

On being notified of the glaring data breaches, IEBC switched off the online system for 2 weeks while they implemented the security mechanisms. The SMS platform remained firmly online.

Computer screenshot of IEBC verification page temporarily down

 

Now, the new, robust system according to IEBC is live. With only one change: a captcha.

A mobile screenshot of the IEBC website voter identification form with the captcha

 

From the query, the system is still spewing out more information than required. From a data protection perspective, a clean implementation should maybe just show the initials of the voter (in the case of Raila Odinga, RO) and his polling station. The query should certainly not show his date of birth and gender.

A mobile screenshot query from the IEBC system still with more private information relayed to the public than necessary.
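
The sketch below is an added example, not IEBC's code or anything posted on the mailing list: it combines three of the measures discussed above (a date-of-birth challenge, a per-IP request limit, and a response reduced to initials and polling station). The register record, field names and limits are constructed assumptions; a captcha check would sit in front of `lookup` and is not shown.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample register; every value here is invented for the example.
REGISTER = {
    "00000001": {"name": "Jane Wanjiru Doe", "dob": "1980-01-31", "gender": "F",
                 "polling_station": "Sample Primary School", "ward": "Sample Ward"},
}

MAX_REQUESTS, WINDOW_SECONDS = 5, 60   # assumed per-IP budget
_hits = defaultdict(deque)             # ip -> timestamps of recent requests


def allow(ip, now):
    """Sliding-window limit: at most MAX_REQUESTS per WINDOW_SECONDS per IP."""
    q = _hits[ip]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_REQUESTS:
        return False
    q.append(now)
    return True


def initials(full_name):
    return "".join(part[0].upper() for part in full_name.split())


def lookup(ip, id_number, dob, now=None):
    """Return initials and polling station only, and only if ID and date of birth match."""
    now = time.time() if now is None else now
    if not allow(ip, now):
        return {"status": "rate_limited"}
    record = REGISTER.get(id_number)
    # Unknown IDs are compared against a dummy value so both failure paths do the same work.
    expected = record["dob"] if record else "0000-00-00"
    matches = hmac.compare_digest(expected.encode(), dob.encode())
    if record is None or not matches:
        # Same answer for "unknown ID" and "wrong date of birth", so the
        # response never confirms which ID numbers are in the register.
        return {"status": "not_verified"}
    return {"status": "verified", "initials": initials(record["name"]),
            "polling_station": record["polling_station"]}
```

Where the register must stay open to public inspection, the date-of-birth check can be dropped while the reduced response and the request limit remain.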

 

This sort of rookie mistake makes you feel there are no competent programmers, cyber security analysts, legal professionals, and policy experts remaining in Kenya. But we are here :-). This serves as an indictment of the community who develop applications without proper system analysis.

Kenya does not have any data protection law. But there is a draft data protection bill. This should be a priority for us in lobbying the next Parliament. Data protection is envisioned in the constitution [14]. Article 31(c) of the Constitution outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”. The bill would also regulate the collection, retrieval, processing, storing, use and disclosure of personal data.

The Access to Information Act 31 of 2016 confers on the Commission on Administrative Justice the oversight and enforcement functions to ensure citizens’ privacy is maintained. In section 21 of the Act, the Commission on Administrative Justice has the functions [15]: (b) request for and receive reports from public entities with respect to the implementation of this Act and of the Act relating to data protection and to assess and act on those reports with a view to assessing and evaluating the use and disclosure of information and the protection of personal data; (d) work with public entities to promote the right to access to information and work with other regulatory bodies on promotion and compliance with data protection measures in terms of legislation; (h) perform such other functions as the Commission may consider necessary for the promotion of access to information and promotion of data protection.

Why is all this important?

The Business Daily newspaper has a case in point of a citizen data breach. In 2011, a convicted criminal serving time at the Kamiti Maximum Prison forged an ID card belonging to the retired Chief of the Kenya Defense Forces (KDF), General Jeremiah Kianga. The fraudster conned Kenyans out of thousands of shillings via mobile money with the promise of enrolling them in the army. Last March, police in Eldoret arrested a man suspected of stealing over Sh180,000 from mobile money agents in Nandi using dozens of stolen SIM cards and ID cards, which were used to register M-Pesa lines [16].

Who else is mishandling citizen data in Kenya? Reach out to me if you have such case studies at @lordmwesh

The next debate on information confidentiality is usually centered around the question, “Why should I care if I have nothing to hide?” The next article will try to answer that question. Do you have anything to hide?

Sources

  1. Data protection bill 2013 http://icta.go.ke/data-protection-bill-2012/
  2. Elections Act No. 24 of 2011 http://www.kenyalaw.org/lex//actview.xql?actid=No.%2024%20of%202011
  3. Registered Voters Per Constituency For 2017 General Elections https://www.iebc.or.ke/docs/Registered%20Voters%20Per%20Contituency%20For%202017%20General%20Elections.pdf
  4. Kenya Population http://www.worldometers.info/world-population/kenya-population/
  5. Statistics of 2017 voters https://www.iebc.or.ke/registration/?stats
  6. Election Laws Amendment Act 2017 http://kenyalaw.org/kl/fileadmin/pdfdownloads/AmendmentActs/2016/ElectionLaws_Amendment_Act_No1of2017.pdf
  7. IEBC register Sh20,000 price tag questioned www.businessdailyafrica.com/news/IEBC-register-Sh20-000-price-tag-questioned/539546-4002054-fdm6p9/index.html
  8. Check registration status by texting ID or passport number to 70000 – IEBC www.the-star.co.ke/news/2017/06/29/check-registration-status-by-texting-id-or-passport-number-to-70000_c1588008
  9. SMS verification output https://twitter.com/OwenKims/status/880376549920448512
  10. Raila shares ID number with another voter https://citizentv.co.ke/news/raila-shares-id-number-with-another-voter-155443/
  11. Screenshot without captcha https://twitter.com/LORDMWESH/status/880554515832782855
  12. [kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data https://lists.kictanet.or.ke/pipermail/kictanet/2017-June/052096.html
  13. Kenya E-citizen portal https://www.ecitizen.go.ke/ecitizen-services.html
  14. Constitution of Kenya http://www.kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=Const2010
  15. Access to Information Act No. 31 of 2016 http://www.kenyalaw.org/lex//actview.xql?actid=No.%2031%20of%202016
  16. Safaricom goes for photo IDs to block M-Pesa fraud http://www.businessdailyafrica.com/corporate/companies/Safaricom-photo-ID-agents-M-Pesa-fraud/4003102-4008158-1sep6kz/index.html retrieved 10 July 2017