[kictanet] Manual Backup and Elections 2017: Is the CS ICT Honest

[Collins Areba]

Listers,
Allow me to share these wise words from a friend, Ben Ngumi Chege, who has
had extensive on the field doing exactly this kind of work in more places
than I can remember. Will paste the long text after the link in case its
not visible to everyone.

https://web.facebook.com/notes/ben-chege/manual-vs-electronic-elections/10154910551733923?__mref=message_bubble

“Manual” vs “Electronic” Elections
> BEN CHEGE <https://web.facebook.com/masukuma>·FRIDAY, 30 DECEMBER 2016
> <https://web.facebook.com/notes/ben-chege/manual-vs-electronic-elections/10154910551733923>
> Every 5 years Kenyans queue to vote, this is an exercise that we have
> engaged in passionately for as long as I can remember and when each round
> of elections is done and dusted we as a nation learn a couple of lessons
> which we then reuse in succeeding election cycles in an attempt to make
> them better. However, looking at the current debate on the use of
> technology and witnessing what is happening, I suspect that there might
> have been an important lesson to be learnt in the 2007-08 when compared to
> the 2013 election cycle that has been missed and this lesson is that Having
> consensus among all players beforehand regarding the electoral process
> generally leads to widespread acceptance of the results of the process.
> Electoral process should be seen as contests, where groups of people with
> various interests engage willingly in order to not only determine political
> representation but also wield the power of the state, and just like any
> reputable contest it has its rules. These rules are well known and
> understood by all players and are accepted from the onset. These rules are
> deterministic in that they are predictable and must be seen by all parties
> to be fair. For a country to have a credible election - we need everyone to
> feel like they have a chance in this contest since from the onset the rules
> of the game do not favour their opponent(s).
> In 2007 ODM did not agree to the way the commissioners were picked after
> the terms of some expired as they felt it contravened the IPPG agreement
> and after the contest was done they did not accept the results announced by
> the commission. When the same commission asked them they refused! We all
> remember the situation the country found itself after the opposition
> refused to engage in a process they felt was flawed and disadvantageous to
> them. The 2017 election process is slowly mirroring the 2007 pre-election
> period especially when it comes to the role of technology on voting day. We
> are witnessing an emotive debate regarding the use of technology and the
> disregard of the voices of political players who hold contrary opinions. If
> lessons from the past hold true, this threatens the expectation of a
> peaceful electoral process and at the very least a credible one.
> On voting day there are 4 core activities that happen within a polling
> station, these are:
> 1) Voter identification/Verification – this answers the question – “Are
> you registered to vote in this polling station?”
> 2) Voting by secret ballot – you are given a ballot paper and then you
> mark it in secret and the cast the said ballot into a transparent ballot
> box.
> 3) Counting of results and declaration – counting of all votes cast in the
> polling station for each race and the declaration of the votes cast in
> favour of each candidate.
> 4) Results transmission – forwarding these results to the next level
> namely the constituency tally center for “tallying” and dispute resolution
> just in case there were any.
> The “Manual” vs “Electronic” debate is really touching on activities 1)
> and 4) and therefore at the core of this debate are 2 questions namely:
> 1) Can we solely verify/identify voters electronically using biometrics
> that they submitted?
> 2) Can we solely transmit results to the next level using electronic means?
> Fortunately, these two are not really new initiatives as the IEBC has been
> using technology in these two areas over the last 4 years. No one doubts
> the credibility boost that well executed technology has on elections. An
> example of this is the by-election in Kibwezi West where the winner won the
> race by the narrowest of margins - a paltry 175 votes and the loser did not
> file a petition challenging the results. This was unheard of in previous
> elections.
> Why then do we have a debate around it? Previously, the use of technology
> was not explicitly dictated by the Elections Act but rather the stipulation
> to use one form of it was found in regulations. Until now the official
> Electoral process has been manual where technology had been added for
> efficiency and confidence building. The latest Election Amendment Act 2016
> has raised the profile of the said technologies from just being tools to be
> used in boosting confidence to be the exclusive means of conducting voter
> identification and results transmission.
> They say once stung – twice shy and thus it’s understandable that the IEBC
> is jittery in embracing technology full throttle without a fallback
> especially because it had technology failures in the said areas during the
> 2013 General elections. Technology is playing an increasing role in our
> lives and for us to move forward on the electoral field - I feel that this
> discussion needs to be informed by a mindset from big technology companies
> have when it comes to failure. Companies like Google, Yahoo and Facebook
> plan for failure more than they plan for success. They have a culture that
> says “failure is OK”, a culture where people are encouraged to ask:
> 1) What do we do if our technology fails?
> 2) How do we continue fulfilling our core business that is serving our
> customers and users when the systems around us fail?
> So as Kenyans we need to ask ourselves the same set of questions and ask
> how it affects the core business of elections. But for that to happen we
> need to synthesize what our core business on election day is. It’s said
> that “Election Day is still the one day when we strive to give equal
> voice to every eligible voter; the day when the woman working in the market
> stall has as much of a say as any wealthy banker, and the illiterate menial
> laborer has a voice that speaks as eloquently as any university professor.
> It is our shared responsibility to strive for processes and systems that
> ensure that every voter is given the opportunity to make their will known,
> and that every vote is counted.” If we agree that this is the core
> business of elections and everything on election day must support this, we
> should ask ourselves a couple of questions, namely:
> 1) What happens WHEN we place a piece of technology as a prerequisite to
> the recording of this voice and the said technology fails and thus affects
> the “core business”? What are the fallbacks available to us?
> 2) Since this is a contest, which out of the array of fallbacks available
> is most acceptable to all players?
> The issues around the failure of technology have been well documented. The
> IEBC conducted an internal audit of the March 2013 election and rather
> candidly highlighted these failures. I will try and address them and
> possibly give recommendations in question form that should advise our
> choice of an acceptable fallback or perhaps a list of fallbacks to be
> executed in when certain scenarios playout. When it came to the
> identification of voters electronically, the issues fell broadly into 3
> categories namely:
> 1) Technology problems – some voters could not be found on some EVIDs but
> were present on the manual register. Some devices run out of power, some
> even exploded during charging
> 2) Procurement problems – getting the wrong device because procurement
> requirements were not met.
> 3) Rollout problems – some devices were not charged, insufficient training
> due to late delivery and lack of manuals e.t.c.
> With proper planning and time to go through the procurement procedures
> most of these can be sorted out. The new Elections amendment act stipulates
> that the IEBC should have procured and set in place technology 8 months to
> an election and then have it tested 60 days to an election. Even with this
> in place some of the problems categorized as “Technology problems” may not
> disappear or may only manifest themselves on polling day. In order to
> address them we need to ask ourselves what are the real risk factors
> related to technology? If the approach to voter verification is similar to
> what was employed in 2013 – then the disruption of telecommunication is not
> a potential failure point – why? The devices were self-contained – the
> register was loaded on the device and thus the device really had no need to
> communicate with external systems after rollout. If this is the model
> envisaged in the new KIEMs Rollout – we should not concern ourselves with
> telecommunication availability in the matters of voter verification. What
> should concern us is the issue of availability of power as the devices will
> be constantly in use throughout the day. The devices used for verification
> conduct a one-to-one match of voters against their biometrics –
> computationally – it can be a costly affair especially if a potential voter
> has to submit multiple fingers to get identified if one fails and so we
> need to have devices that can work for 18 hours or have capability to
> accept external power in the form of portable power cells. Can the software
> be written in such a way that it alerts the users well beforehand that it
> has X number of hours of charge left and that the clerks at the polling
> station need to make arrangement to keep the electronic means working?
> Ghana deployed a solution that utilized dry cells and they put in place an
> operational plan to replace them within 4 hours.
> The issue of some voters not being found on the EVIDs yet being found on
> the manual roll was puzzling, this may be aggravated in 2017 this is
> because the bulk of the current set of fingerprints were collected in 2013
> and it will not be farfetched to expect that the quality of fingerprints
> submitted for verification in this election cycle by an eligible voter who
> work with their hands to be lower and thus this may require multiple
> passes. The current setup is one which a subset of the fingerprints
> collected is used to verify voters electronically. If we are to go full
> throttle – we will need to ensure that all fingerprints are available for
> matching on polling day to increase the chances of matching. An exercise to
> get fingerprints resubmitted for persons who fall in this category and also
> for all those that had their biometrics lost during the mass registration
> drive when BVR machines crashed and did not have backed up properly.
> Another reason that could explain why some voters were not found on the
> EVIDs and were found on the printed register is data corruption during
> copying polling station data into the SD cards that the devices used. How
> can we ensure that databases are not corrupted during saving into the
> machines? I propose that each device should have a way of hashing a file
> and checking the hash against a verified hash of a working copy and where
> it differs transferring data to this device should be repeated. Backups of
> these registers on verified SD cards should also accompany each EVID to the
> field. We should explore how to keep the logs of the persons who have voted
> safe when devices get technology issues. There is also an inconvenient
> reality that in any given population there will always be some persons
> whose fingerprints are difficult or impossible to capture or verify. This
> raises a fundamental ideological question of whether a person should be
> disenfranchised because of limitations of a technology.
> The issues around the provisional transmission of results were also well
> documented, these also fell into 3 broad categories namely:
> 1) Technology problems – the server’s well documented issue with system
> logs and it running out of space due to server misconfiguration; The
> failover issues that followed this. Network coverage issues; Erroneous
> display of tallied votes due to late integration and limited retesting.
> 2) Procurement/Acquisition problems – there was no time to really develop
> the transmission application.
> 3) Rollout problems – late delivery of phones and specially configured
> simcards; issues with user credentials; versioning issues between server
> and phone; Lack of proper training.
> As with electronic voter identification, most of these can be sorted out
> with proper planning and following procedures, why do I say so? the IEBC
> has transmitted 100% of the results from all the by-elections that it has
> conducted since 2013. While in terms of scale these by-elections pale when
> compared to the general election, it’s my considered opinion that there
> have been numerous lessons learnt – these can be documented and used to
> inform the training and rollout process.
> What should happen in the event that result transmission fails for
> whatever reason? The IEBC still needs to have a fallback for electronic
> results transmission. Can some other technology offer a fallback? e.g. If
> results transmission from a primary device fails, should we have an
> electronic fallback using a different technology? Can the current election
> transmission system be used as a backup of whatever fancy results
> transmission system the IEBC procures? The IEBC has used satellite phones
> with success to transmit results for the Kalolol and Mosiro by-elections,
> why can this be used as a fallback on the telecommunication side. I think
> we can have all these fallbacks in place and these would be totally
> acceptable to all stakeholders.
> These questions are by no means comprehensive but should act as a starting
> point in deciding what the fallback(s) should be and when to fallback. It
> has always been my opinion that leaving the determination of important
> electoral matters at the polling station level to the discretion of people
> there without a trail of documentation that guides their decision making
> and a trail of accountability to why they took the action they did exposes
> the election operation to credibility questions. In 2012 Ghana went into
> their election with the NVNV (No [biometric] Verification, No Voting)
> mantra and they had to extend the voting period and also had many people
> disenfranchised because of the inadequacies of the technology they rolled
> out. In 2015 they rolled back and then introduced a manual verification
> fallback. The manual verification process required the presiding officer
> fill a manual verification form for each voter who is manually verified.
> The only way we can come up with this list of scenarios is if we carried
> out a proper and candid risk assessment and management process. This
> process should inform the IEBC on what to do to ensure that the “core
> business” on election day remains unaffected. From my perspective, human
> beings should always play the role of final "exception handlers" to ensure
> that during electronic voter identification no voter is ever
> disenfranchised by technology malfunction or it’s limitation. Indeed, if
> the electoral process must err, then it must err on the side of inclusion.
> However, these errors must be accounted for and thus the most appropriate
> role of technology is to ensure a level of transparency and accountability
> that allows for review of any of those human decisions on how to handle
> exceptions. As noted earlier on this paper, the process used for
> verification involves a one-to-one match of voters against their
> biometrics. The voter gets his ID No. captured by the verification device
> in a bid to ‘identify’ them and once their records are loaded on the screen
> of the device an additional fingerprint scan is required to ‘verify’ this
> person. i.e. answering the question – are you really the person who you
> claim to be? So, for example, if the validation device is unable to verify
> the fingerprint of a voter who the presiding officer knows or strongly
> believes to be a legitimate voter, and his/her particulars are on the voter
> register, the presiding officer should have the authority to override the
> device and allow the person to vote. In order to trigger the manual
> verification process, the presiding officer should collect as much
> information about the person being excluded from being electronically
> verified as possible. This information should include a photo of this
> person and the Serial Number not ID No. found on their National Identity
> card. Manual verification should not be misconstrued to mean manual
> verification using the physically printed out register or green books. This
> process should be endorsed by all party agents present at the polling
> station. It is important to have this information both in physical and
> electronic form. At the end of the day, any final reconciliation should
> include the number of decisions the presiding officer made contrary to the
> technology. This allows for review of the decisions of the presiding
> officer, and provides a deterrent since that officer knows that there will
> be an accounting of how many decisions he made of this nature. It also
> allows for reporting on anomalies where a polling station or ward has an
> inordinately high number of human exceptions. This information can be
> transmitted periodically so that during the course of the day to all
> stakeholders and thus all players are able to identify polling stations
> that have inordinately high numbers of human exceptions and vigilance can
> be increased to ensure only legitimate cases are excluded from electronic
> verification.
> Once this discussion has been held and we have a product that this has the
> blessing of all players contesting in the election. When accepted by all
> stakeholders the post-election process of massaging bruised egos and
> selling peace i.e. the 'accept and move on' message will be much easier.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20161231/1a48c4c5/attachment.htm>