[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Denis G. Wahome dwahome at gmail.com
Fri Jun 30 10:36:31 EAT 2017


Dear All,


A simple 2 Factor Authentication mechanism via SMS would suffice to start
with.

Regards,

Denis
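The thread above proposes several mitigations for the open lookup: a challenge field such as date of birth alongside the ID number (Mwendwa), locking a specific ID number after a number of failed tries (Chebukati), and limiting repetitive requests. The following is an added illustration in Python of how those fit together in one lookup endpoint; it is not code from any poster or from IEBC, and the register entries, thresholds, client identifier and in-memory stores are constructed assumptions.

```python
"""Hardened voter-status lookup (added example; not IEBC's code).

Mitigations shown: ID number + date of birth as a challenge, lockout of an
ID number after repeated failures, per-client request limiting, and a
response that carries only what a voter needs. All records, thresholds and
stores below are constructed assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed, fictitious register entries (not real voter data).
REGISTER = {
    "12345678": {"dob": date(1994, 1, 1), "station": "LELACH PRIMARY SCHOOL",
                 "county": "KERICHO"},
    "87654321": {"dob": date(1980, 5, 20), "station": "EXAMPLE PRIMARY SCHOOL",
                 "county": "NAIROBI"},
}

MAX_FAILURES = 3       # failed tries before an ID number is locked (assumed policy)
LOCKOUT_SECONDS = 900  # lock duration in seconds (assumed)
RATE_LIMIT = 5         # requests per client per window (assumed)
WINDOW_SECONDS = 60    # sliding window for the per-client limit (assumed)


def generic_failure() -> dict:
    """Same reply for 'no such ID', 'wrong date of birth' and 'locked', so the
    endpoint never confirms which ID numbers exist in the register."""
    return {"error": "unavailable"}


@dataclass
class LookupService:
    register: dict
    failures: dict = field(default_factory=dict)  # id -> (count, locked_until)
    requests: dict = field(default_factory=dict)  # client -> recent timestamps

    def _rate_limited(self, client: str, now: float) -> bool:
        """Sliding-window count of this client's requests; refuse beyond RATE_LIMIT."""
        recent = [t for t in self.requests.get(client, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.requests[client] = recent
        return len(recent) > RATE_LIMIT

    def lookup(self, client: str, id_number: str, dob_text: str, now: float) -> dict:
        """Return polling-station details for a matching ID number + date of birth.

        `client` identifies the caller (an API key or session, assumed); `now` is
        the current Unix time, passed in so the behaviour is deterministic to test;
        `dob_text` is the form input in ISO format (YYYY-MM-DD).
        """
        if self._rate_limited(client, now):
            return {"error": "too many requests"}

        count, locked_until = self.failures.get(id_number, (0, 0.0))
        if now < locked_until:
            return generic_failure()          # still locked
        if locked_until and now >= locked_until:
            count, locked_until = 0, 0.0      # previous lock expired; count afresh

        try:
            dob = date.fromisoformat(dob_text)
        except ValueError:
            dob = None                        # malformed input counts as a failure

        record = self.register.get(id_number)
        if record is None or dob is None or record["dob"] != dob:
            count += 1
            if count >= MAX_FAILURES:
                locked_until = now + LOCKOUT_SECONDS
            self.failures[id_number] = (count, locked_until)
            return generic_failure()

        self.failures.pop(id_number, None)    # success resets the failure counter
        # Minimal disclosure: no name, ID number or date of birth is echoed back.
        return {"station": record["station"], "county": record["county"]}


if __name__ == "__main__":
    svc = LookupService(REGISTER)
    print(svc.lookup("demo-client", "12345678", "1994-01-01", now=0.0))
    print(svc.lookup("demo-client", "12345678", "1990-01-01", now=1.0))
```

Two points a practitioner would weigh before deploying something like this: locking by ID number means anyone who knows a voter's ID can temporarily lock that voter out, so the per-client limit and the generic failure reply have to work together, and a CAPTCHA or the SMS one-time code suggested above can gate the same path; and the in-memory dictionaries grow without bound, so a real service would keep the counters in a store with expiry (the lock duration and the rate window are natural TTLs).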

On Fri, Jun 30, 2017 at 9:34 AM, Victor Kapiyo via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> I don't think information sharing affects the independence of the
> institution. IEBC itself benefits from the register of persons &
> immigration, managed under Ministry of Interior. Besides, these
> institutions are public institutions and as such it would benefit the
> taxpayer if they could provide their services under the same platform, just
> as they do at Huduma Centre, such that ecitizen is the online huduma.
> Further, and just as they manage their desks at the Huduma centre, they can
> maintain control over the general management of their database while
> allowing citizens to access their information from the online system. I
> think NTSA started doing that on ecitizen for the Driving Licenses, but
> then moved MV registration & other services to their TIMS platform.
>
> But then again, who wants a verifiable register?
>
> *Victor Kapiyo*
> Partner | *Lawmark Partners LLP*
> Advocate of the High Court of Kenya & Commissioner for Oaths
> *Suite No. 8, Centro House, Westlands, Nairobi | Web: www.lawmark.co.ke*
> ====================================================
>
> *“Your attitude, not your aptitude, will determine your altitude” Zig
> Ziglar*
>
> On 30 June 2017 at 07:59, Emmanuel Chebukati <echebukati at gmail.com> wrote:
>
>> Good morning,
>>
>> ECitizen integration sounds like a great idea! IEBC could make use of the
>> login credentials - via an API perhaps - and authenticate the user before
>> allowing them to check their status.
>>
>> The challenge I foresee with this is the perception of lack of
>> independence stemming from an Independent institution "sharing" I.T
>> services with a government entity. In essence, while you and I know that
>> the two databases can sit on separate servers: will the average Kenyan be
>> convinced of this? *"Kenyan context".*
>>
>> Using the serial number - which is printed on both the passport and the
>> National ID - as the "password" sounds like a better idea. It is unique,
>> user friendly and addresses the concerns raised by Mwendwa on this thread.
>> While possible to brute force - as it only contains numbers - any competent
>> system should be able to ban that specific user after a number of tries.
>> Question is: Does IEBC have access to this data in their database?
>>
>>
>> Regards,
>>
>> EC
>>
>>
>> On Fri, Jun 30, 2017 at 7:07 AM, Victor Kapiyo via kictanet <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> I dunno how practical it is now, but I think this is one of the things
>>> that would benefit from integration on the ecitizen platform.
>>>
>>> Plus, the implementation shows that in the absence of guidelines on how
>>> citizens' data is managed, anything is possible. Besides, it wouldn't
>>> be so hard to mine this data from IEBC servers for whatever purpose.
>>>
>>> Victor
>>>
>>> On 30 Jun 2017 6:55 a.m., "Ali Hussein via kictanet" <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>>> Do we have someone from IEBC on this list?
>>>>
>>>> This is a serious breach. In the dark web there are vendors of stolen
>>>> identities. What IEBC has done is to basically leave the bank vaults open
>>>> and invite every identity theft vendor in the world into this treasure
>>>> trove.
>>>>
>>>> This whole verification exercise needs to be suspended until this
>>>> rookie mistake is rectified.
>>>>
>>>> *Ali Hussein*
>>>> *Principal*
>>>> *Hussein & Associates*
>>>> +254 0713 601113
>>>>
>>>> Twitter: @AliHKassim
>>>>
>>>> Skype: abu-jomo
>>>>
>>>> LinkedIn: http://ke.linkedin.com/in/alihkassim
>>>>
>>>> "We are what we repeatedly do. Excellence, therefore, is not an act but
>>>> a habit."  ~ Aristotle
>>>>
>>>>
>>>> Sent from my iPad
>>>>
>>>> On 30 Jun 2017, at 1:05 AM, Grace Githaiga via kictanet <
>>>> kictanet at lists.kictanet.or.ke> wrote:
>>>>
>>>> @Chebukati
>>>>
>>>> I like the idea of a legitimate implementable solution. And I believe
>>>> we have many of those here--on this list. So Listers, take up Chebukati's
>>>> challenge and suggest what is pragmatic and would probably help the techies
>>>> at IEBC move this process forward with fewer glitches.
>>>>
>>>>
>>>>
>>>> Best regards
>>>>
>>>>
>>>> Githaiga, Grace
>>>>
>>>>
>>>>
>>>> On Friday, 30-06-2017 at 01:29 Emmanuel Chebukati via kictanet wrote:
>>>>
>>>> Greetings,
>>>>
>>>> Thinking out loud here: what are the alternatives to an open system? In
>>>> my view: Limiting requests per IP address would obviously lock out many
>>>> users. Implementing cookies et al to limit to one query per day would also
>>>> lock out several legitimate users (e.g. those who share PCs at cybers).
>>>> Introducing a username/password combo made out of perhaps the birth-date
>>>> would complicate matters for the average voter.
>>>>
>>>> I think the only legitimate option they have to prevent abuse/mass
>>>> mining of this information is to implement a service like Cloudflare on the
>>>> subdomain. This would at least stop a repetitive curl request in its tracks
>>>> or at least severely slow it down. Nevertheless, a quick IP ping shows that
>>>> it appears as though the subdomain voterstatus.iebc.or.ke is running
>>>> on Google Cloud servers, which offer similar services to Cloudflare these
>>>> days. I trust the good people at IEBC have explored these services.
>>>>
>>>> Let's brainstorm. Perhaps a legitimate, implementable solution may
>>>> arise from this discussion that works for the "Kenyan context".
>>>>
>>>>
>>>> Regards,
>>>>
>>>> EC
>>>>
>>>> On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet <
>>>> kictanet at lists.kictanet.or.ke> wrote:
>>>>
>>>>> This is a very serious anomaly that must be addressed as soon as
>>>>> possible. It begs the question: are we safe as data subjects? If a body
>>>>> like IEBC that is expected to be beyond reproach can have such open
>>>>> flaws...then we say that we are ready to go for elections, huh? It's a
>>>>> disappointment.
>>>>>
>>>>> On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" <
>>>>> kictanet at lists.kictanet.or.ke> wrote:
>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> Today I'm wearing my CISA hat.
>>>>>>
>>>>>> IEBC has launched a voter verification tool both through sms, and web
>>>>>> query at http://voterstatus.iebc.or.ke/voter
>>>>>>
>>>>>> If you are privacy conscious, and a little bit paranoid, you will
>>>>>> realize that IEBC is doing badly with how they are exposing raw data of
>>>>>> nearly 20 million Kenyans to the world. Anybody with basic programming
>>>>>> skills can harvest the raw data through an automated search. If
>>>>>> you search any random number with the format of Kenya ID numbers, say
>>>>>> hypothetically 12345678, you will realize you can pull up a citizen's
>>>>>> details, at least ID number, and name, and where they live.
>>>>>>
>>>>>> Basic security tips would require the system to have a captcha to
>>>>>> prevent automated harvest of the information, and also have challenge
>>>>>> questions like date of birth to supplement the ID number, and therefore
>>>>>> thwart any mischievous individuals from harvesting the rich data.
>>>>>>
>>>>>> Can IEBC correct the anomaly?
>>>>>>
>>>>>> Attached is a sample demo screenshot. Of course there is the other
>>>>>> thing of strange ID numbers finding their way into the voter register.
>>>>>>
>>>>>> Voter Details for Id: 12345678
>>>>>> Id / Passport Number 12345678
>>>>>> Primary Name KIBET
>>>>>> Secondary Name KIRUI
>>>>>> Birth Date 01/01/1994
>>>>>> Gender M
>>>>>> Polling Station Code 101
>>>>>> Polling Station LELACH PRIMARY SCHOOL
>>>>>> County KERICHO
>>>>>> Contituency BURETI
>>>>>> Ward CHEPLANGET
>>>>>>
>>>>>> ______________________
>>>>>> Mwendwa Kivuva, Nairobi, Kenya
>>>>>> twitter.com/lordmwesh
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> kictanet mailing list
>>>>>> kictanet at lists.kictanet.or.ke
>>>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>>>> Twitter: http://twitter.com/kictanet
>>>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>>>
>>>>>> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ronojinx%40gmail.com
>>>>>>
>>>>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder
>>>>>> platform for people and institutions interested and involved in ICT policy
>>>>>> and regulation. The network aims to act as a catalyst for reform in the ICT
>>>>>> sector in support of the national aim of ICT enabled growth and development.
>>>>>>
>>>>>> KICTANetiquette : Adhere to the same standards of acceptable
>>>>>> behaviors online that you follow in real life: respect people's times and
>>>>>> bandwidth, share knowledge, don't flame or abuse or personalize, respect
>>>>>> privacy, do not spam, do not market your wares or qualifications.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>> Co-Convenor
>>>> Kenya ICT Action Network (KICTANet)
>>>> Twitter:@ggithaiga
>>>> Tel: 254722701495
>>>> Skype: gracegithaiga
>>>> Alternate email: ggithaiga at hotmail.com
>>>> Linkedin: https://www.linkedin.com/in/gracegithaiga
>>>> www.kictanet.or.ke
>>>>
>>>> "Change only happens when ordinary people get involved, get engaged and
>>>> come together to demand it. I am asking you to believe. Not in my ability
>>>> to bring about change – but in yours"---Barrack Obama.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>