[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Mon Jul 3 08:28:19 EAT 2017

Happy Monday!
Is this a breach or it is what has become the usual with the adage that the *Internet/internet makes information public and accessible? So who defines where a line is drawn.
Is it legit for the whole world to have access to National Examination results for all candidates? Is there a right to know or not that the candidate can decide - NO . Actually as an education analyst, you would have access to the whole database.
This being the case already in Kenya, what makes the current IEBC system a breach? As apolitical analyst, the whole database is yours to use - as long as you can navigate.
Very soon, even medical information will be how private, if not already public as people make use of the Internet for storage and access.
A breach to what? Privacy? When is privacy, privacy really? Or it depends on whose privacy it is?
Be blessed.
Regards/Wangari---
Pray God Bless. 2013Wangari circa - "Being of the Light, We are Restored Through Faith in Mind, Body and Spirit; We Manifest The Kingdom of God on Earth".

    On Saturday, 1 July 2017, 4:40, Rad! via kictanet <kictanet at lists.kictanet.or.ke> wrote:

 I think a good, simple, and immediately implementable solution would be a combination of multiple, easy to implement strategies.
First, require two  pieces of information - ID number and date of birth rather than just one. Only if the two match would results be returned. This is much simpler than serial number as more people know their date or birth than their ID serial number
You could further implement a sliding throttle based where the API implements an increasing delay based on the frequency of requests from a given single IP address. In other words each subsequent request from the same IP greater than a certain threshold has an increasing delay. You can chain this with additionally further increasing the delay if the ID number and date of birth do not match. 
This should balance the risk of automated attacks vs legitimate use of multiple requests from a single IP address. 
Finally, there is no need to return the level of detail in the response. The station and name are enough. And even the name can be suitably masked as follows. Assuming a chap named John James Kibet runs a request multiple times his name can be returned slightly differently each time
- J J Kibet- Kibet, J J- John J Kibet- John James K- J J K
The rational here is there is no need to a great level of detail because the response has enough detail for the voter to verify the information. 
A  combination of such measures, each pretty simple to implement by a competent developer should provide pretty good mitigation against automated data harvesting. 
If anyone from IEBC technical is on this forum I would be happy to freely provide any assistance to implement this
On Fri, 30 Jun 2017 at 21:02 Emmanuel Chebukati via kictanet <kictanet at lists.kictanet.or.ke> wrote:

Thank you Grace,
The discussion is now back in focus. Indeed, there are lessons to be learnt from KRA. What separates their system from what IEBC currently has is two things:   
   - KRA Pin numbers are not consecutive meaning they can't easily be guessed.   

   - They use a mathematical equation as a Captcha.   

As regards #1, let's assume IEBC does have several non-consecutive numbers in their DB such as the Elector's number (found on the acknowledgment slip), ID/Passport Serial Numbers, etc. Can they use these details for verification purposes and still maintain the simplicity of the process to the grassroots level? We will have to run assessment of the voter's knowledge on two of the three authentication factors - namely the knowledge factor and the possession factor - to find out.
On #2, if you refer to my first email on this thread, I suggested a service such as Cloudflare which provides this service in a much more secure and user friendly way. I also noted that the IEBC subdomain in question is running on Google cloud servers. Google offers some of the best captcha services in the world in their Google reCaptcha product.
As regards to what is made public; we can only weigh in opinions as there is a lack of laws to guide us. I do, however, repeat that in such instances: "we are at the liberty of the service provider whom we trust is doing the right thing". Where we can advise is on keeping this data safe from harvesting in whatever format it is presented - and this is what this discussion serves to achieve.

Regards,
EC 
On Fri, Jun 30, 2017 at 7:58 PM, Grace Mutung'u via kictanet <kictanet at lists.kictanet.or.ke> wrote:

Thank you Emmanuel, 

Just bringing in the provision for inspection of the register from the Elections Act: 

6. Inspection of register of voters
(1) The Commission shall cause the Register of Voters to be opened for
inspection by members of the public at all times for the purpose of rectifying the
particulars therein, except for such period of time as the Commission may consider
appropriate.

The idea here is not only for voters to verify their details but also for the public to inspect the register. Inspection serves an important role in assuring the integrity of the vote by weeding out errors, dead voters etc. The register is also available in physical form at constituency offices for public inspection. 

It should therefore be possible for members of the public to view other people's voter registration details. The question should only be what details are made public and also how to prevent harvesting of the data. I do not see a justification for serial numbers or SMS verification. 

I wonder whether there are lessons we can pick from KRA's PIN verification system https://itax.kra.go.ke/KRA-Portal/pinChecker.htm?actionCode=loadPage&viewType=static

2017-06-30 19:44 GMT+03:00 Ngigi Waithaka via kictanet <kictanet at lists.kictanet.or.ke>:

Chebukati,

Phone gets lost either:
1. Use an alternate number (Google does this all the time)
2. Log in with your Username/Password (ID / Serial No) combo, list a different number

Regards

On Fri, Jun 30, 2017 at 7:37 PM, Emmanuel Chebukati via kictanet <kictanet at lists.kictanet.or.ke> wrote:

Good evening,
Victor: Unfortunately, perception is reality in all matters electoral in Kenya. 
Denis & Ngigi: SMS 2FA is not exactly full proof as a solution to the problem of voter verification. What if phone numbers change, get lost or expire? How does that voter then confirm their polling station & details?
Washington: Glad we agree. Donge!
Grace:1) In an ideal world, NRB should update their database and sambaza changes to all connected parties in case of a serial number or any other change.2) As we await stricter privacy laws, we are at the liberty of the service provider whom we trust to do the right thing.

Regards,
EC
On Fri, Jun 30, 2017 at 7:13 PM, Ngigi Waithaka via kictanet <kictanet at lists.kictanet.or.ke> wrote:

Mark,

On a security vs affordability basis, how exactly would SMS 2FA not be an effective solution?

Unless you are going to hack the Telco SMS Gateway where the SMS is in clear txt, in which case I would think even our M-Pesa Pins would be vulnerable, where else is do you have a credible attack surface?

Rgds

On Fri, Jun 30, 2017 at 3:25 PM, Mark Kipyegon via kictanet <kictanet at lists.kictanet.or.ke> wrote:

SMS as a form of 2FA is unsuitable considering the sensitivity of such information. On the other hand a government backed smart card would offer the appropriate level of authentication without locking out access to a section of users.

On 30 Jun 2017, at 12:30, "Denis G. Wahome" <dwahome at gmail.com> wrote:

Mark,
While I do concur completely with your observation. I was considering the user group for the service. Other more advanced mechanisms would reduce the usability/accessibility by a large portion of the Country.
A better way would be a registration process to access your records where one can select a Channel for 2FA
Denis
On Fri, Jun 30, 2017 at 10:54 AM, Mark Kipyegon via kictanet<kictanet at lists.kictanet.or.ke> wrote:

SMS is not a secure implementation of two factor authentication.

On 30 Jun 2017, at 10:40, "kictanet-request at lists.kictanet.or.ke" <kictanet-request at lists.kictanet.or.ke> wrote:

>
> A simple 2 Factor Authentication mechanism via SMS would suffice to start
> with.

_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ngigi%40at.co.ke

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.