[kictanet] [SST whitelist considerations] It will be hard to access Government services without a Huduma Namba, Matiang'i says

Wamathai (HapaKenya) w at hapakenya.com
Thu Apr 11 19:16:14 EAT 2019


At a bare minimum this should be implemented in the presence of a strong
data protection law.

On Thu, Apr 11, 2019, 19:11 Patrick A. M. Maina via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Huduma number is a great idea that can unlock many benefits for Kenyans. I
> would really wish for it to succeed. However I fear that the current state
> of runaway corruption puts the entire project at risk.
>
> A Single Source of Truth (SST) acts as a citizen whitelist which can help
> speed up service delivery and make things more efficient (e.g. by removing
> the need for ID cross-checks). This strength is also a weakness,
> unfortunately. Anyone with an SST ID (and "valid fingerprint") is presumed
> to be a bona fide citizen - but such a conclusion can only be sensibly
> relied on in an environment with negligible/immaterial levels of
> corruption.
>
> National scale SST whitelist systems are heavily reliant on human factors
> (e.g. human integrity, personal values, and patriotism) at their points of
> highest vulnerability. So hackers will likely target the weakest link i.e.
> gov employees (e.g. via huge bribes or blackmail or workforce infiltration
> via recruitment process) in order to get to the system.
>
> Researchers (link below) have shown that fingerprints can be easily stolen
> by tech-savvy criminals to facilitate illegal access e.g. via affordable 3D
> printing technology. Fake fingerprints (and fingers) can also be
> manufactured to create fictitious persons (e.g. ghost workers or organized
> criminals).
>
> Case in point is India's Aadhaar... just prior to the attack that almost
> triggered a war with Pakistan, there had been media reports of terrorists
> being caught in possession of Aadhaar cards. How did they get the cards? Did
> the "whitelist effect" of Aadhaar facilitate their movements or planning?
> The possibility cannot be discounted. Human flaws are the weakest link in
> any technology solution.
>
> What about laws? Surely strict / harsh laws will "protect" the data by
> deterring illegal activity?
>
> 1. Local laws do not deal with or deter international (or state sponsored)
> perpetrators with high budgets, sophisticated hacking technology and
> ability to evade accountability (geopolitical powers).
>
> 2. Attribution challenges (hackers often leave spoofed breadcrumbs (fake
> trails) to mislead investigators... so innocent people or even countries
> can be framed for things they did not do, triggering unjust
> arrests/convictions or costly and potentially destabilising geopolitical
> hostilities).
>
> Sometimes backdoors are disguised as innocent acts of user or supplier
> incompetence (e.g. via deliberate insecure design). Sometimes they are a
> result of genuinely innocent incompetence or accidental oversight. How will
> Government know which is which?
>
> 3. Reactive laws (as opposed to strategic or tactical laws which consider
> the holistic contextualized picture) only increase compliance costs for law
> abiding citizens but do not guarantee deterrence for criminals who don't
> care about laws. Cybercrime laws don't stop or deter sophisticated
> cybercriminals (e.g. due to attribution & jurisdictional challenges).
>
> 4. Unlike property theft, data can be stolen without the owner's
> knowledge. By the time the loss is detected (e.g. via numerous incidents of
> actual unlawful use) it is too late to do anything. It is often impossible
> to establish the extent by which a honeypot system has been compromised,
> how the breach happened, who did it and for how long it has been
> compromised.
>
> 5. Massive resources will have to be expended to perform an impossible
> task of protecting Kenya's most sensitive (and most valuable) data. As
> security experts keep reminding us, it is not a question of whether a
> system, any system, can be hacked, it's a question of when - and what will
> be the consequences.
>
> 6. Once biometric data has been stolen, the loss is permanent and
> irreversible. You cannot issue new fingerprints. So what happens next?
>
> 7. As soon as the credibility of the data is in material doubt, we will
> have to revert to the old system of manual cross checking and all the
> envisaged benefits will disappear (as well as the 6B investment). Whether
> the perpetrators are caught / jailed or not, does not make a difference.
>
> To help put things in context, consider this:  Government has been unable
> to secure IFMIS (which was supposed to help eliminate corruption - but
> became an enabler), TIMS (we still have fake number plates and vehicle duty
> evasion), SIMBA (we still have massive levels of duty evasion at ports),
> the IEBC Election System (we had to do two costly elections - leading to a
> massive waste of funds and an increase of perceived political risks, which
> also hit the economy very hard adding billions in hidden costs).. even
> eCitizen has reportedly not been spared, going by media reports.
>
> These challenges point to a pattern where we fail to deliberately
> contextualize solutions and come up with holistic approaches. We put too
> much trust in silo solutions and reactive laws but we have repeatedly
> ignored the HUMAN ASPECTS leading to repeated failure to realize envisaged
> benefits. Any system implemented within a corrupt culture will, more likely
> than not, end up facilitating (and worsening the cost and scale of)
> corruption. Guaranteed. This is our reality.
>
> Can corruption be solved in Kenya in a sustainable way (without risking
> stability)? Perhaps government can run a global competition for innovative
> ideas on how to solve corruption in Kenya. The public can watch high
> profile debates by local and foreign experts, as part of
> sensitization/education, and then vote on the top five ideas in every major
> economic sector, which would then be piloted at designated institutions or
> counties. Prize for the winning idea in every sector (say USD 1Million) can
> be linked to results, say after 10-15 years, once the idea is fully
> implemented and proven to have significantly met the ToR targets in an
> independently verifiable way (and backed by public perceptions).
>
> Good evening.
>
> Brgds,
> Patrick.
>
> Patrick A. M. Maina
> [Cross-domain Innovator | Independent Public Policy Analyst - Indigenous
> Innovations]
>
>
>
>
> On Thursday, April 11, 2019, 2:25:32 PM GMT+3, Eshuchi Richard via
> kictanet <kictanet at lists.kictanet.or.ke> wrote:
>
>
> Just to put CS's *full* remarks into context and an illustration on why
> accessing services would be harder in comparison, Ministry of Interior
> posted the audio through:
>
> *Facebook*:
> https://www.facebook.com/662150267181777/posts/2305403209523133?sfns=mo
>
> *Twitter*: https://twitter.com/InteriorKE/status/1116221458966044673?s=19
>
>
> On Thu, Apr 11, 2019, 13:10 Wamathai (HapaKenya) via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
> Interior Cabinet Secretary Dr. Fred Matiang’i has said that it will be
> very hard for those who will not have registered for the Huduma Namba to
> access Government services.
>
>
> https://hapakenya.com/2019/04/11/it-will-hard-to-access-government-services-without-a-huduma-namba-matiangi-says/
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/eshuchi.richard%40gmail.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>