[kictanet] Poor show by IEBC: Data Protection in year 2017 and the case of raw voter registration data

Grace Mutung'u nmutungu at gmail.com
Fri Jun 30 16:12:38 EAT 2017


Hi everyone,

Two concerns we need to factor in:

NTSA motor vehicle transfer service (TIMS) uses serial numbers to verify.
It is so much trouble if for any reason you changed your ID and the serial
number of the ID you have is different from the one they have in the
database.

The second issue is that the purpose of this exercise is for the public to
verify the register. Not only for each person to verify their individual
details but also for the general public to inspect the whole register. The
question then would be, which parts of the information are public and which
ones are not.


Regards,



2017-06-30 15:30 GMT+03:00 Odhiambo Washington via kictanet <
kictanet at lists.kictanet.or.ke>:

> Chebukati,
>
> It was easy for IEBC to say send your IDNumber#IDSerialNumber to 70000,
> match the two in a procedure, strip whichever after the match and return
> results - just for instance. The inclusion of the SerialNumber is a tight
> check!
> Well, we all don't think programmatically, donge?
>
>
> On 30 June 2017 at 01:29, Emmanuel Chebukati via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
>> Greetings,
>>
>> Thinking out loud here: what are the alternatives to an open system? In
>> my view: Limiting requests per IP address would obviously lock out many
>> users. Implementing cookies et al to limit to one query per day would also
>> lock out several legitimate users (e.g. those who share PCs at cybers).
>> Introducing a username/password combo made out of perhaps the birth-date
>> would complicate matters for the average voter.
>>
>> I think the only legitimate options they have to prevent abuse/mass
>> mining of this information is to implement a service like Cloudflare on the
>> subdomain. This would at least stop a repetitive CURL request in its tracks
>> or at least severely slow it down. Nevertheless, a quick IP ping shows that
>> it appears as though the subdomain voterstatus.iebc.or.ke is running on
>> Google Cloud servers which offer similar services as Cloudflare these days.
>> I trust the good people at IEBC have explored these services.
>>
>> Let's brainstorm. Perhaps a legitimate, implementable solution may arise
>> from this discussion that works for the "Kenyan context".
>>
>>
>> Regards,
>>
>> EC
>>
>> On Thu, Jun 29, 2017 at 11:55 PM, Ronald Ojino via kictanet <
>> kictanet at lists.kictanet.or.ke> wrote:
>>
>>> This is a very serious anomaly that must be addressed soonest possible.
>>> It begs the question, are we safe as data subjects? If a body like IEBC
>>> that is expected to be beyond reproach can have such open flaws...then we
>>> say that we are ready to go for elections huh? It's a disappointment.
>>>
>>> On 29-Jun-2017 11:47 PM, "Mwendwa Kivuva via kictanet" <
>>> kictanet at lists.kictanet.or.ke> wrote:
>>>
>>>> Dear Listers,
>>>>
>>>> Today I'm wearing my CISA hat.
>>>>
>>>> IEBC has launched a voter verification tool both through sms, and web
>>>> query at http://voterstatus.iebc.or.ke/voter
>>>>
>>>> If you are privacy conscious, and a little bit paranoid, you will
>>>> realize that IEBC is doing badly with how they are exposing raw data of
>>>> nearly 20 million Kenyans to the world. Anybody with basic programming
>>>> skills can be able to harvest the raw data through an automated search. If
>>>> you search any random number with the format of Kenya ID numbers, say
>>>> hypothetically 12345678, you will realize you can pull up citizen's
>>>> details, at least ID number, and name, and where they live.
>>>>
>>>> Basic security tips would require the system to have a captcha to
>>>> prevent automated harvest of the information, and also have a challenge
>>>> question like date of birth to supplement the ID number, therefore thwart
>>>> any mischievous individuals from harvesting the rich data.
>>>>
>>>> Can IEBC correct the anomaly?
>>>>
>>>> Attached is a sample demo screenshot. Of course there is the other
>>>> thing of strange ID numbers finding their way into the voter register.
>>>>
>>>> Voter Details for Id: 12345678
>>>> Id / Passport Number 12345678
>>>> Primary Name KIBET
>>>> Secondary Name KIRUI
>>>> Birth Date 01/01/1994
>>>> Gender M
>>>> Polling Station Code 101
>>>> Polling Station LELACH PRIMARY SCHOOL
>>>> County KERICHO
>>>> Contituency BURETI
>>>> Ward CHEPLANGET
>>>>
>>>> ______________________
>>>> Mwendwa Kivuva, Nairobi, Kenya
>>>> twitter.com/lordmwesh
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> kictanet mailing list
>>>> kictanet at lists.kictanet.or.ke
>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>> Twitter: http://twitter.com/kictanet
>>>> Facebook: https://www.facebook.com/KICTANet/
>>>>
>>>> Unsubscribe or change your options at
>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/ronojinx%40gmail.com
>>>>
>>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>>>> for people and institutions interested and involved in ICT policy and
>>>> regulation. The network aims to act as a catalyst for reform in the ICT
>>>> sector in support of the national aim of ICT enabled growth and development.
>>>>
>>>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>>>> online that you follow in real life: respect people's times and bandwidth,
>>>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>>>> not spam, do not market your wares or qualifications.
>>>>
>>>>
>>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>


-- 
Grace Mutung'u
Skype: gracebomu
@Bomu
PGP ID : 0x33A3450F
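
The "IDNumber#IDSerialNumber" check discussed in the quoted thread, as an added example that is not IEBC's code or any list member's. It requires both values to match, gives the same reply for an unknown ID and a wrong serial, strips the identifiers from the answer, and counts failures per ID rather than per IP address. The register contents, thresholds and function names are assumptions, and the sample record is constructed.

```python
import hmac
import time

# Constructed sample register; a real service would query its database.
REGISTER = {
    "12345678": {"serial": "987654321", "name": "SAMPLE VOTER",
                 "polling_station": "SAMPLE PRIMARY SCHOOL", "ward": "SAMPLE WARD"},
}
MAX_FAILURES = 3         # assumed threshold
LOCKOUT_SECONDS = 3600   # assumed lockout window
_failures = {}           # id_number -> timestamps of recent failed attempts

# One reply for unknown ID, wrong serial and lockout, so replies cannot be
# used to learn which ID numbers are in the register.
NO_MATCH = {"status": "no_match"}


def _locked(id_number, now):
    """True if this ID has had too many failed attempts inside the window."""
    recent = [t for t in _failures.get(id_number, []) if now - t < LOCKOUT_SECONDS]
    _failures[id_number] = recent
    return len(recent) >= MAX_FAILURES


def handle_query(message, now=None):
    """Handle 'IDNumber#IDSerialNumber'; return polling details only on a match."""
    now = time.time() if now is None else now
    id_number, sep, serial = message.strip().partition("#")
    if not sep or not id_number.isdigit() or not serial.isdigit():
        return {"status": "bad_format"}
    if _locked(id_number, now):
        return NO_MATCH
    record = REGISTER.get(id_number)
    # Unknown IDs are compared against a dummy so both paths do the same work.
    expected = record["serial"] if record else "0" * 9
    ok = hmac.compare_digest(serial.encode(), expected.encode()) and record is not None
    if not ok:
        _failures.setdefault(id_number, []).append(now)
        return NO_MATCH
    # Strip ID number, serial, name and birth date: return only what is needed.
    return {"status": "match", "polling_station": record["polling_station"],
            "ward": record["ward"]}
```

Counting failures per ID avoids locking out people who share one computer or connection, but it lets anyone who knows an ID number temporarily block that voter's lookups, so the threshold and window need tuning against that risk.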