[kictanet] [SST whitelist considerations] It will be hard to access Government services without a Huduma Namba, Matiang'i says
Patrick A. M. Maina
pmaina2000 at yahoo.com
Thu Apr 11 19:10:44 EAT 2019
Huduma number is a great idea that can unlock many benefits for Kenyans. I would really wish for it to succeed. However I fear that the current state of runaway corruption puts the entire project at risk.
A Single Source of Truth (SST) acts as a citizen whitelist which can help speed up service delivery and make things more efficient (e.g. by removing the need for ID cross-checks). This strength is also a weakness, unfortunately. Anyone with an SST ID (and "valid fingerprint") is presumed to be a bona fide citizen - but such a conclusion can only be sensibly relied on in an environment with negligible/immaterial levels of corruption.
National scale SST whitelist systems are heavily reliant on human factors (e.g. human integrity, personal values, and patriotism) at their points of highest vulnerability. So hackers will likely target the weakest link i.e. gov employees (e.g. via huge bribes or blackmail or workforce infiltration via recruitment process) in order to get to the system.
Researchers (link below) have shown that fingerprints can be easily stolen by tech-savvy criminals to facilitate illegal access e.g. via affordable 3D printing technology. Fake fingerprints (and fingers) can also be manufactured to create fictitious persons (e.g. ghost workers or organized criminals).
Case in point is India's Aadhaar... just prior to the attack that almost triggered a war with Pakistan, there had been media reports of terrorists being caught in posession of Aadhaar cards. How did they get the cards? Did the "whitelist effect" of Aaadhaar facilitate their movements or planning? The possibility cannot be discounted. Human flaws are the weakest link in any technology solution.
What about laws? Surely strict / harsh laws will "protect" the data by deterring illegal activity?
1. Local laws do not deal with or deter international (or state sponsored) perpetrators with high budgets, sophisticated hacking technology and ability to evade acountability (geopolitical powers).
2. Attribution challenges (hackers often leave spoofed breadcrumbs (fake trails) to mislead investigators... so innocent people or even countries can be framed for things they did not do, triggering unjust arrests/convictions or costly and potentially destabilising geopolitical hostilities).
Sometimes backdoors are disguised as innocent acts of user or supplier incompetence (e.g. via deliberate insecure design). Sometimes they are a result of genuinely innocent incompetence or accidental oversight. How will Government know which is which?
3. Reactive laws (as opposed to strategic or tactical laws which consider the holistic contextualized picture) only increase compliance costs for law abiding citizens but do not guarantee deterrence for criminals who don't care about laws. Cybercrime laws don't stop or deter sophisticated cybercriminals (e.g. due to atrribution & jurisdictional challenges).
4. Unlike property theft, data can be stolen without the owner's knowledge. By the time the loss is detected (e.g. via numerous incidents of actual unlawful use) it is too late to do anything. It is often impossible to establish the extent by which a honeypot system has been compromised, how the breach happened, who did it and for how long it has been compromised.
5. Massive resources will have to be expended to perform an impossible task of protecting Kenya's most sensitive (and most valuable) data. As security experts keep reminding us, it is not a question of whether a system, any system, can be hacked, it's a question of when - and what will be the consequences.
6. Once biometric data has been stolen, the loss is permanent and irreversible. You cannot issue new fingerprints. So what happens next?
7. As soon as the credibility of the data is in material doubt, we will have to revert to the old system of manual cross checking and all the envisaged benefits will dissapear (as well as the 6B investment). Whether the perpetrators are caught / jailed or not, does not make a difference.
To help put things in context, consider this: Government has been unable to secure IFMIS (which was supposed to help eliminate corruption - but became an enabler), TIMS (we still have fake number plates and vehicle duty evasion), SIMBA (we still have massive levels of duty evasion at ports), the IEBC Election System (we had to do two costly elections - leading to a massive waste of funds and an increase of perceived political risks, which also hit the economy very hard adding billions in hidden costs).. even eCitizen has reportedly not been spared, going by media reports.
These challenges point to a pattern where we fail to deliberately contextualize solutions and come up with holistic approaches. We put too much trust in silo solutions and reactive laws but we have repeatedly ignored the HUMAN ASPECTS leading to repeated failure to realize envisaged benefits. Any system implemented within a corrupt culture will, more likely than not, end up facilitating (and worsening the cost and scale of) corruption. Guaranteed. This is our reality.
Can corruption be solved in Kenya in a sustainable way (without risking stability)? Perhaps government can run a global competition for innovative ideas on how to solve corruption in Kenya. The public can watch high profile debates by local and foreign experts, as part of sensitization/education, and then vote on the top five ideas in every major economic sector, which would then be piloted at designated institutions or counties. Prize for the winning idea in every sector (say USD 1Million) can be linked to results, say after 10-15 years, once the idea is fully implemented and proven to have significantly met the ToR targets in an independently verifiable way (and backed by public perceptions).
Good evening.
Brgds, Patrick.
Patrick A. M. Maina[Cross-domain Innovator | Independent Public Policy Analyst - Indigenous Innovations]
On Thursday, April 11, 2019, 2:25:32 PM GMT+3, Eshuchi Richard via kictanet <kictanet at lists.kictanet.or.ke> wrote:
Just to put CS's full remarks into context and an illustration on why accessing services would be harder in comparison, Ministry of Interior posted the audio through:
Facebook: https://www.facebook.com/662150267181777/posts/2305403209523133?sfns=mo
Twitter: https://twitter.com/InteriorKE/status/1116221458966044673?s=19
On Thu, Apr 11, 2019, 13:10 Wamathai (HapaKenya) via kictanet <kictanet at lists.kictanet.or.ke> wrote:
Interior Cabinet Secretary Dr. Fred Matiang’i has said that it will be very hard for those who will not have registered for the Huduma Namba to access Government services.
https://hapakenya.com/2019/04/11/it-will-hard-to-access-government-services-without-a-huduma-namba-matiangi-says/
_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/eshuchi.richard%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Twitter: http://twitter.com/kictanet
Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/pmaina2000%40yahoo.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20190411/d37c95c3/attachment.htm>
More information about the KICTANet
mailing list