[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Odhiambo Washington odhiambo at gmail.com
Fri Jun 30 15:30:08 EAT 2017


Chebukati,

It was easy for IEBC to say send your IDNumber#IDSerialNumber to 70000,
match the two in a procedure, strip whichever after the match and return
results - just for instance. The inclusion of the SerialNumber is a tight
check!
Well, we all don't think programmatically, donge?


On 30 June 2017 at 01:29, Emmanuel Chebukati via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Greetings,
>
> Thinking out loud here: what are the alternatives to an open system? In my
> view: Limiting requests per IP address would obviously lock out many users.
> Implementing cookies et al to limit to one query per day would also lock
> out several legitimate users (e.g. those who share PCs at cybers).
> Introducing a username/password combo made out of perhaps the birth-date
> would complicate matters for the average voter.
>
> I think the only legitimate options they have to prevent abuse/mass mining
> of this information is to implement a service like Cloudflare on the
> subdomain. This would at least stop a repetitive CURL request in its tracks
> or at least severely slow it down. Nevertheless, a quick IP ping shows that
> it appears as though the subdomain voterstatus.iebc.or.ke is running on
> Google Cloud servers which offer similar services as Cloudflare these days.
> I trust the good people at IEBC have explored these services.
>
> Let's brainstorm. Perhaps a legitimate, implementable solution may arise
> from this discussion that works for the "Kenyan context".
>
>
> Regards,
>
> EC
>
> On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> This is a very serious anomaly that must be addressed soonest possible.
>> It begs the question, are we safe as data subjects? If a body like IEBC
>> that is expected to be beyond reproach can have such open flaws...then we
>> say that we are ready to go for elections huh? It's a disappointment.
>>
>> On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> Dear Listers,
>>>
>>> Today I'm wearing my CISA hat.
>>>
>>> IEBC has launched a voter verification tool both through SMS, and web
>>> query at http://voterstatus.iebc.or.ke/voter
>>>
>>> If you are privacy conscious, and a little bit paranoid, you will
>>> realize that IEBC is doing badly with how they are exposing raw data of
>>> nearly 20 million Kenyans to the world. Anybody with basic programming
>>> skills can be able to harvest the raw data through an automated search. If
>>> you search any random number with the format of Kenya ID numbers, say
>>> hypothetically 12345678, you will realize you can pull up citizen's
>>> details, at least ID number, and name, and where they live.
>>>
>>> Basic security tips would require the system to have a captcha to
>>> prevent automated harvest of the information, and also have challenge
>>> questions like date of birth to supplement the ID number, therefore thwart
>>> any mischievous individuals from harvesting the rich data.
>>>
>>> Can IEBC correct the anomaly?
>>>
>>> Attached is a sample demo screenshot. Of course there is the other thing
>>> of strange ID numbers finding their way into the voter register.
>>>
>>> Voter Details for Id: 12345678
>>> Id / Passport Number 12345678
>>> Primary Name KIBET
>>> Secondary Name KIRUI
>>> Birth Date 01/01/1994
>>> Gender M
>>> Polling Station Code 101
>>> Polling Station LELACH PRIMARY SCHOOL
>>> County KERICHO
>>> Contituency BURETI
>>> Ward CHEPLANGET
>>>
>>> ______________________
>>> Mwendwa Kivuva, Nairobi, Kenya
>>> twitter.com/lordmwesh
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> kictanet mailing list
>>> kictanet at lists.kictanet.or.ke
>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>> Twitter: http://twitter.com/kictanet
>>> Facebook: https://www.facebook.com/KICTANet/
>>>
>>> Unsubscribe or change your options at
>>> https://lists.kictanet.or.ke/mailman/options/kictanet/ronojinx%40gmail.com
>>>
>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>>> for people and institutions interested and involved in ICT policy and
>>> regulation. The network aims to act as a catalyst for reform in the ICT
>>> sector in support of the national aim of ICT enabled growth and development.
>>>
>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>> online that you follow in real life: respect people's times and bandwidth,
>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>> not spam, do not market your wares or qualifications.
>>>
>>>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
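
Added example, not part of the original thread and not IEBC's code: a sketch of the IDNumber#IDSerialNumber check proposed in the reply above, which answers only when both values match, gives the same reply for an unknown ID and a wrong serial, and throttles failed attempts per ID number rather than per IP address. The register contents, field names, and the limits of 3 failures per hour are assumptions.

```python
import hmac
import time

# Constructed sample register: ID number -> (ID serial number, record). Not real data.
REGISTER = {
    "00000001": ("900000001", {"polling_station": "SAMPLE PRIMARY SCHOOL",
                               "ward": "SAMPLE WARD"}),
}
MAX_FAILURES = 3        # assumed policy: failed attempts allowed per ID number
WINDOW_SECONDS = 3600   # assumed policy: window over which failures are counted
_failures = {}          # ID number -> timestamps of recent failed attempts

def parse_query(text):
    """Split 'IDNumber#IDSerialNumber'; return None unless both parts are digits."""
    parts = text.strip().split("#")
    ok = len(parts) == 2 and all(
        p.isascii() and p.isdigit() and len(p) <= 12 for p in parts)
    return (parts[0], parts[1]) if ok else None

def lookup(text, now=None):
    """Return polling details only when the ID number and serial number match."""
    now = time.time() if now is None else now
    parsed = parse_query(text)
    if parsed is None:
        return {"status": "bad_format"}
    id_number, serial = parsed
    recent = [t for t in _failures.get(id_number, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_FAILURES:
        _failures[id_number] = recent
        return {"status": "try_later"}
    expected_serial, record = REGISTER.get(id_number, ("", None))
    # Constant-time compare; an unknown ID and a wrong serial get the same
    # answer, so the service cannot be used to test which ID numbers exist.
    matched = hmac.compare_digest(serial.encode(), expected_serial.encode())
    if record is None or not matched:
        _failures[id_number] = recent + [now]
        return {"status": "no_match"}
    _failures.pop(id_number, None)
    # The serial is dropped after the match; the reply repeats neither
    # identifier nor the name, only where the voter is registered.
    return {"status": "ok", **record}
```
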