[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Grace Githaiga ggithaiga at kictanet.or.ke
Fri Jun 30 02:05:36 EAT 2017


@Chebukati

I like the idea of a legitimate implementable solution. And I believe
we have many of those here--on this list. So Listers, take up
Chebukati's challenge and suggest what is pragmatic and would probably
help the techies at IEBC move this process forward with fewer
glitches.



Best regards


Githaiga, Grace



On Friday, 30-06-2017 at 01:29 Emmanuel Chebukati via kictanet wrote:


Greetings,

Thinking out loud here: what are the alternatives to an open system?
In my view: Limiting requests per IP address would obviously lock out
many users. Implementing cookies et al to limit to one query per day
would also lock out several legitimate users (e.g. those who share PCs
at cybers). Introducing a username/password combo made out of perhaps
the birth-date would complicate matters for the average voter.


I think the only legitimate options they have to prevent abuse/mass
mining of this information is to implement a service like Cloudflare
on the subdomain. This would at least stop a repetitive CURL request
in its tracks or at least severely slow it down. Nevertheless, a quick
IP ping shows that it appears as though the subdomain
voterstatus.iebc.or.ke [1] is running on Google Cloud servers which
offer similar services as Cloudflare these days. I trust the good
people at IEBC have explored these services.


Let's brainstorm. Perhaps a legitimate, implementable solution may
arise from this discussion that works for the "Kenyan context".




Regards,


EC


On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet wrote:


This is a very serious anomaly that must be addressed soonest
possible. It begs the question, are we safe as data subjects? If a
body like IEBC that is expected to be beyond reproach can have such
open flaws...then we say that we are ready to go for elections huh? It's
a disappointment.

On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" wrote:




Dear Listers,


Today I'm wearing my CISA hat.


IEBC has launched a voter verification tool both through SMS, and web
query at http://voterstatus.iebc.or.ke/voter


If you are privacy conscious, and a little bit paranoid, you will
realize that IEBC is doing badly with how they are exposing raw data
of nearly 20 million Kenyans to the world. Anybody with basic
programming skills can be able to harvest the raw data through an
automated search. If you search any random number with the format of
Kenya ID numbers, say hypothetically 12345678, you will realize you
can pull up a citizen's details, at least ID number, and name, and where
they live.


Basic security tips would require the system to have a captcha to
prevent automated harvest of the information, and also have a
challenge question like date of birth to supplement the ID number,
therefore thwart any mischievous individuals from harvesting the rich
data.



Can IEBC correct the anomaly?


Attached is a sample demo screenshot. Of course there is the other
thing of strange ID numbers finding their way into the voter register.




Voter Details For Id: 12345678

ID / PASSPORT NUMBER:   12345678
PRIMARY NAME:           KIBET
SECONDARY NAME:         KIRUI
BIRTH DATE:             01/01/1994
GENDER:                 M
POLLING STATION CODE:   101
POLLING STATION:        LELACH PRIMARY SCHOOL
COUNTY:                 KERICHO
CONTITUENCY:            BURETI
WARD:                   CHEPLANGET





______________________
Mwendwa Kivuva, Nairobi, Kenya
twitter.com/lordmwesh [2]











_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at
https://lists.kictanet.or.ke/mailman/options/kictanet/ronojinx%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder
platform for people and institutions interested and involved in ICT
policy and regulation. The network aims to act as a catalyst for
reform in the ICT sector in support of the national aim of ICT enabled
growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors
online that you follow in real life: respect people's times and
bandwidth, share knowledge, don't flame or abuse or personalize,
respect privacy, do not spam, do not market your wares or
qualifications.















Co-Convenor
Kenya ICT Action Network (KICTANet)
Twitter:@ggithaiga
Tel: 254722701495
Skype: gracegithaiga
Alternate email: ggithaiga at hotmail.com
Linkedin: https://www.linkedin.com/in/gracegithaiga
www.kictanet.or.ke

"Change only happens when ordinary people get involved, get engaged
and come together to demand it. I am asking you to believe. Not in my
ability to bring about change – but in yours"---Barack Obama.



Links:
------
[1] http://voterstatus.iebc.or.ke
[2] http://twitter.com/lordmwesh
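
An added example, not part of the mailing-list thread and not IEBC code: a Python lookup handler that combines the measures discussed above, namely a birth-date challenge alongside the ID number, a reply that does not reveal whether an ID is registered, and throttling that counts only failed lookups so that many legitimate voters sharing one PC are not locked out. The class name, thresholds, client key and register contents are constructed assumptions.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample register: ID number -> (birth date, polling station).
REGISTER = {
    "12345678": ("01/01/1994", "LELACH PRIMARY SCHOOL"),
    "23456789": ("15/06/1980", "EXAMPLE PRIMARY SCHOOL"),
}

WINDOW_SECONDS = 3600   # sliding window over which failed lookups are counted
MAX_MISSES = 5          # failed ID + birth-date pairs allowed per client per window


class VoterLookup:
    """Hypothetical lookup service; 'client' is whatever key identifies a caller."""

    def __init__(self, register, clock=time.time):
        self.register = register
        self.clock = clock
        self.misses = defaultdict(deque)   # client -> timestamps of failed lookups

    def _recent_misses(self, client):
        q = self.misses[client]
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()                    # forget failures older than the window
        return q

    def lookup(self, client, id_number, birth_date):
        """Return (status, payload); status is 'ok', 'no_match' or 'throttled'."""
        q = self._recent_misses(client)
        if len(q) >= MAX_MISSES:
            return "throttled", None       # the point at which to demand a CAPTCHA
        record = self.register.get(id_number)
        expected = record[0] if record else ""
        # An unknown ID and a wrong birth date get the same answer, so replies
        # cannot be used to test which ID numbers are on the register.
        matches = hmac.compare_digest(expected.encode(), birth_date.encode())
        if not record or not matches:
            q.append(self.clock())
            return "no_match", None
        # Data minimisation: the voter already knows their own name and ID,
        # so only the polling station is returned.
        return "ok", {"polling_station": record[1]}
```

Successful lookups never count against the client, so the limit bites only on guessing; a birth date is still a weak secret, which is why the throttle and the minimal response matter as much as the challenge.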