[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Emmanuel Chebukati echebukati at gmail.com
Fri Jun 30 07:59:38 EAT 2017


Good morning,

ECitizen integration sounds like a great idea! IEBC could make use of the
login credentials - via an API perhaps - and authenticate the user before
allowing them to check their status.

The challenge I foresee with this is the perception of a lack of independence
stemming from an independent institution "sharing" IT services with a
government entity. In essence, while you and I know that the two databases
can sit on separate servers, will the average Kenyan be convinced of
this? *"Kenyan context".*

Using the serial number - which is printed on both the passport and the
National ID - as the "password" sounds like a better idea. It is unique,
user friendly and addresses the concerns raised by Mwendwa on this thread.
While possible to brute force - as it only contains numbers - any competent
system should be able to ban that specific user after a number of tries.
The question is: does IEBC have access to this data in its database?


Regards,

EC

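The design sketched in this message (second factor on top of the ID number, lock the record after a number of wrong tries) and the captcha/challenge-question suggestion in Mwendwa's quoted message further down both amount to the same thing: stop the endpoint answering bare ID numbers. The following is an added example written for this thread, not IEBC's code; the limits, the field names and the voter records are assumptions and the register is constructed sample data. It requires a second factor only the voter holds (the ID-card/passport serial number, or a challenge such as date of birth), compares it in constant time, locks an ID after repeated wrong answers, rate-limits each client address, and returns one uniform failure so a caller cannot tell an unknown ID from a wrong second factor.

```python
"""Added example, written for this thread; it is not IEBC's code and the
names, limits and voter records below are assumptions / constructed data.

A voter-status lookup that resists harvesting by ID-number enumeration:
  * requires a second factor the voter holds (serial number or a challenge
    such as date of birth), checked in constant time;
  * locks an ID after MAX_FAILED_TRIES wrong answers;
  * sliding-window rate limit per client address;
  * one uniform "denied" for unknown ID and wrong second factor alike;
  * minimal disclosure on success (no full record echoed back).
"""
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_TRIES = 5           # assumed policy: 5 wrong answers lock the ID
LOCKOUT_SECONDS = 15 * 60      # assumed policy: 15-minute lockout
IP_WINDOW_SECONDS = 60         # assumed policy: 10 lookups per IP per minute
IP_MAX_REQUESTS = 10

# Constructed sample register (fictional IDs, second factors and names).
REGISTER = {
    "00000001": {"second_factor": "A000001", "name": "JANE DOE",
                 "station": "SAMPLE PRIMARY SCHOOL"},
    "00000002": {"second_factor": "B000002", "name": "JOHN DOE",
                 "station": "SAMPLE SECONDARY SCHOOL"},
}


@dataclass
class LookupResult:
    ok: bool
    reason: str                      # found | denied | locked | rate_limited
    status: Optional[Dict[str, str]] = None


class VoterLookupService:
    def __init__(self, register: Dict[str, dict],
                 clock: Callable[[], float] = time.monotonic):
        self._register = register
        self._clock = clock                   # injectable for tests
        self._failed = defaultdict(int)       # id_number -> consecutive failures
        self._locked_until: Dict[str, float] = {}
        self._ip_hits = defaultdict(deque)    # client_ip -> request timestamps
        # In production keep these counters in a bounded store with a TTL;
        # an enumeration run would otherwise grow them without limit.

    def _ip_allowed(self, client_ip: str) -> bool:
        """Sliding-window request limit per client address."""
        now = self._clock()
        hits = self._ip_hits[client_ip]
        while hits and now - hits[0] > IP_WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= IP_MAX_REQUESTS:
            return False
        hits.append(now)
        return True

    def lookup(self, id_number: str, second_factor: str,
               client_ip: str) -> LookupResult:
        if not self._ip_allowed(client_ip):
            return LookupResult(False, "rate_limited")
        now = self._clock()
        if self._locked_until.get(id_number, 0.0) > now:
            return LookupResult(False, "locked")

        record = self._register.get(id_number)
        # Compare against a dummy of the same length when the ID is unknown, so
        # "no such voter" and "wrong second factor" take the same path.
        expected = record["second_factor"] if record else "\x00" * len(second_factor)
        matched = hmac.compare_digest(expected.encode(), second_factor.encode())
        if record is None or not matched:
            self._failed[id_number] += 1
            if self._failed[id_number] >= MAX_FAILED_TRIES:
                self._locked_until[id_number] = now + LOCKOUT_SECONDS
                self._failed[id_number] = 0
                return LookupResult(False, "locked")
            return LookupResult(False, "denied")

        self._failed.pop(id_number, None)
        # Minimal disclosure: the voter only needs to confirm they are on the
        # register and where they vote, not see their whole record.
        return LookupResult(True, "found",
                            {"name": record["name"], "station": record["station"]})


if __name__ == "__main__":
    svc = VoterLookupService(REGISTER)
    print(svc.lookup("00000001", "A000001", "203.0.113.5"))   # found
    print(svc.lookup("00000001", "WRONG", "203.0.113.5"))     # denied
    print(svc.lookup("99999999", "A000001", "203.0.113.5"))   # denied, not "unknown"
```

Two caveats a practitioner would raise. A per-ID lockout is itself a denial-of-service lever: anyone who knows a voter's ID number can lock them out with five bad guesses, so keep the lockout short and log it rather than making it permanent. And the SMS channel mentioned in the thread needs the same second factor and the same counters, otherwise the harvesting simply moves there.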

On Fri, Jun 30, 2017 at 7:07 AM, Victor Kapiyo via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> I don't know how practical it is now, but I think this is one of the things
> that would benefit from integration on the eCitizen platform.
>
> Plus, the implementation shows that in the absence of guidelines on how
> citizens' data is managed, anything is possible. Besides, it wouldn't
> be so hard to mine this data from IEBC servers for whatever purpose.
>
> Victor
>
> On 30 Jun 2017 6:55 a.m., "Ali Hussein via kictanet" <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Do we have someone from IEBC on this list?
>>
>> This is a serious breach. On the dark web there are vendors of stolen
>> identities. What IEBC has done is basically to leave the bank vaults open
>> and invite every identity theft vendor in the world into this treasure
>> trove.
>>
>> This whole verification exercise needs to be suspended until this rookie
>> mistake is rectified.
>>
>> *Ali Hussein*
>> *Principal*
>> *Hussein & Associates*
>> +254 0713 601113
>>
>> Twitter: @AliHKassim
>>
>> Skype: abu-jomo
>>
>> LinkedIn: http://ke.linkedin.com/in/alihkassim
>>
>> "We are what we repeatedly do. Excellence, therefore, is not an act but a
>> habit."  ~ Aristotle
>>
>>
>> Sent from my iPad
>>
>> On 30 Jun 2017, at 1:05 AM, Grace Githaiga via kictanet <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>> @Chebukati
>>
>> I like the idea of a legitimate, implementable solution. And I believe we
>> have many of those here on this list. So Listers, take up Chebukati's
>> challenge and suggest what is pragmatic and would probably help the techies
>> at IEBC move this process forward with fewer glitches.
>>
>>
>>
>> Best regards
>>
>>
>> Githaiga, Grace
>>
>>
>>
>> On Friday, 30-06-2017 at 01:29 Emmanuel Chebukati via kictanet wrote:
>>
>> Greetings,
>>
>> Thinking out loud here: what are the alternatives to an open system? In
>> my view: Limiting requests per IP address would obviously lock out many
>> users. Implementing cookies et al to limit to one query per day would also
>> lock out several legitimate users (e.g. those who share PCs at cybers).
>> Introducing a username/password combo made out of perhaps the birth-date
>> would complicate matters for the average voter.
>>
>> I think the only legitimate option they have to prevent abuse/mass
>> mining of this information is to implement a service like Cloudflare on the
>> subdomain. This would at least stop a repetitive curl request in its tracks,
>> or at least severely slow it down. Nevertheless, a quick IP ping shows that
>> it appears as though the subdomain voterstatus.iebc.or.ke is running on
>> Google Cloud servers, which offer similar services to Cloudflare these days.
>> I trust the good people at IEBC have explored these services.
>>
>> Let's brainstorm. Perhaps a legitimate, implementable solution may arise
>> from this discussion that works for the "Kenyan context".
>>
>>
>> Regards,
>>
>> EC
>>
>> On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> This is a very serious anomaly that must be addressed as soon as possible.
>>> It begs the question: are we safe as data subjects? If a body like IEBC
>>> that is expected to be beyond reproach can have such open flaws... then we
>>> say that we are ready to go for elections, huh? It's a disappointment.
>>>
>>> On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>>> Dear Listers,
>>>>
>>>> Today I'm wearing my CISA hat.
>>>>
>>>> IEBC has launched a voter verification tool both through SMS and web
>>>> query at http://voterstatus.iebc.or.ke/voter
>>>>
>>>> If you are privacy conscious, and a little bit paranoid, you will
>>>> realize that IEBC is doing badly with how they are exposing raw data of
>>>> nearly 20 million Kenyans to the world. Anybody with basic programming
>>>> skills is able to harvest the raw data through an automated search. If
>>>> you search any random number with the format of Kenyan ID numbers, say
>>>> hypothetically 12345678, you will realize you can pull up citizens'
>>>> details, at least ID number, name, and where they live.
>>>>
>>>> Basic security tips would require the system to have a captcha to
>>>> prevent automated harvest of the information, and also have a challenge
>>>> question like date of birth to supplement the ID number, thereby thwarting
>>>> any mischievous individuals from harvesting the rich data.
>>>>
>>>> Can IEBC correct the anomaly?
>>>>
>>>> Attached is a sample demo screenshot. Of course there is the other
>>>> thing of strange ID numbers finding their way into the voter register.
>>>>
>>>> Voter Details for Id: 12345678
>>>> Id / Passport Number 12345678
>>>> Primary Name KIBET
>>>> Secondary Name KIRUI
>>>> Birth Date 01/01/1994
>>>> Gender M
>>>> Polling Station Code 101
>>>> Polling Station LELACH PRIMARY SCHOOL
>>>> County KERICHO
>>>> Contituency BURETI
>>>> Ward CHEPLANGET
>>>>
>>>> ______________________
>>>> Mwendwa Kivuva, Nairobi, Kenya
>>>> twitter.com/lordmwesh
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> kictanet mailing list
>>>> kictanet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>
>>>> Unsubscribe or change your options at https://lists.kictanet.or.ke/m
>>>> ailman/options/kictanet/ronojinx%40gmail.com
>>>>
>>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>>>> for people and institutions interested and involved in ICT policy and
>>>> regulation. The network aims to act as a catalyst for reform in the ICT
>>>> sector in support of the national aim of ICT enabled growth and development.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
>>>>
>>>
>>
>> Co-Convenor
>> Kenya ICT Action Network (KICTANet)
>> Twitter:@ggithaiga
>> Tel: 254722701495
>> Skype: gracegithaiga
>> Alternate email: ggithaiga at hotmail.com
>> Linkedin: https://www.linkedin.com/in/gracegithaiga
>> www.kictanet.or.ke
>>
>> "Change only happens when ordinary people get involved, get engaged and
>> come together to demand it. I am asking you to believe. Not in my ability
>> to bring about change – but in yours"---Barrack Obama.
>>
>