<div dir="ltr"><div>Thank you Grace,</div><div><br></div><div>The discussion is now back in focus. Indeed, there are lessons to be learnt from KRA. What separates their system from what IEBC currently has is two things:</div><div><ol><li>KRA PIN numbers are not consecutive, meaning they can't easily be guessed.<br></li><li>They use a mathematical equation as a Captcha.<br></li></ol></div><div>As regards #1, let's assume IEBC does have several non-consecutive numbers in their DB such as the <i>Elector's number</i> (found on the acknowledgment slip), <i>ID/Passport Serial Numbers</i>, etc. Can they use these details for verification purposes and still maintain the simplicity of the process to the grassroots level? We will have to run an assessment of the voter's knowledge on two of the three authentication factors - namely the knowledge factor and the possession factor - to find out.</div><div><br></div><div>On #2, if you refer to my first email on this thread, I suggested a service such as <a href="http://www.cloudflare.com">Cloudflare</a> which provides this service in a much more secure and user-friendly way. I also noted that the IEBC subdomain in question is running on Google cloud servers. Google offers some of the best captcha services in the world in their <a href="https://www.google.com/recaptcha/intro/">Google reCaptcha</a> product.</div><div><br></div><div>As regards what is made public, we can only weigh in opinions as there is a lack of laws to guide us. I do, however, repeat that in such instances: "we are at the liberty of the service provider whom we trust is doing the right thing". 
Where we can advise is on keeping this data safe from harvesting in whatever format it is presented - and this is what this discussion serves to achieve.</div><div><br></div><div><br></div><div>Regards,</div><div><br></div><div>EC </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 30, 2017 at 7:58 PM, Grace Mutung'u via kictanet <span dir="ltr"><<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Thank you Emmanuel, <br><br>Just bringing in the provision for inspection of the register from the Elections Act: <br><br>6. Inspection of register of voters<br>(1) The Commission shall cause the Register of Voters to be opened for<br>inspection <b>by members of the public</b> at all times for the purpose of rectifying the<br>particulars therein, except for such period of time as the Commission may consider<br>appropriate.<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">The idea here is not only for voters to verify their details but also for the public to inspect the register. Inspection serves an important role in assuring the integrity of the vote by weeding out errors, dead voters etc. The register is also available in physical form at constituency offices for public inspection. <br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">It should therefore be possible for members of the public to view other people's voter registration details. The question should only be what details are made public and also how to prevent harvesting of the data. I do not see a justification for serial numbers or SMS verification. 
<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">I wonder whether there are lessons we can pick from KRA's PIN verification system <a href="https://itax.kra.go.ke/KRA-Portal/pinChecker.htm?actionCode=loadPage&viewType=static" target="_blank">https://itax.kra.go.ke/KRA-<wbr>Portal/pinChecker.htm?<wbr>actionCode=loadPage&viewType=<wbr>static</a><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">2017-06-30 19:44 GMT+03:00 Ngigi Waithaka via kictanet <span dir="ltr"><<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><wbr>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><div><div><div>Chebukati,<br><br></div>Phone gets lost either:<br></div>1. Use an alternate number (Google does this all the time)<br></div>2. Log in with your Username/Password (ID / Serial No) combo, list a different number<br><br></div>Regards<br></div><div class="m_5777257711475880043HOEnZb"><div class="m_5777257711475880043h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 30, 2017 at 7:37 PM, Emmanuel Chebukati via kictanet <span dir="ltr"><<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><wbr>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Good evening,<div><br></div><div>Victor: Unfortunately, perception is reality in all matters electoral in Kenya. </div><div><br></div><div>Denis & Ngigi: SMS 2FA is not exactly foolproof as a solution to the problem of voter verification. What if phone numbers change, get lost or expire? How does that voter then confirm their polling station & details?</div><div><br></div><div>Washington: Glad we agree. 
Donge!</div><div><br></div><div>Grace:</div><div>1) In an ideal world, NRB should update their database and sambaza changes to all connected parties in case of a serial number or any other change.</div><div>2) As we await stricter privacy laws, we are at the liberty of the service provider whom we trust to do the right thing.</div><div><br></div><div><br></div><div>Regards,</div><div><br></div><div>EC</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_5777257711475880043m_4298102433583339857h5">On Fri, Jun 30, 2017 at 7:13 PM, Ngigi Waithaka via kictanet <span dir="ltr"><<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><wbr>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_5777257711475880043m_4298102433583339857h5"><div dir="ltr"><div><div><div>Mark,<br><br></div>On a security vs affordability basis, how exactly would SMS 2FA not be an effective solution?<br><br></div>Unless you are going to hack the Telco SMS Gateway where the SMS is in clear text, in which case I would think even our M-Pesa PINs would be vulnerable, where else do you have a credible attack surface?<br><br></div>Rgds<br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_5777257711475880043m_4298102433583339857m_7934179117276832966h5">On Fri, Jun 30, 2017 at 3:25 PM, Mark Kipyegon via kictanet <span dir="ltr"><<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><wbr>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_5777257711475880043m_4298102433583339857m_7934179117276832966h5">
<div bgcolor="#FFFFFF">
<div>
<div><span class="m_5777257711475880043m_4298102433583339857m_7934179117276832966m_330496142421220469m_6617591784149783904Apple-style-span">SMS as a form of 2FA is unsuitable
considering the sensitivity of such information. On the other hand a government backed smart card would offer the appropriate level of authentication without locking out access to a section of users.</span><br>
</div><span>
<div><br>
On 30 Jun 2017, at 12:30, "Denis G. Wahome" <<a href="mailto:dwahome@gmail.com" target="_blank">dwahome@gmail.com</a>> wrote:<br>
<br>
</div>
<div></div>
<blockquote type="cite">
<div>
<div dir="ltr">Mark,
<div><br>
</div>
<div>While I do concur completely with your observation, I was considering the user group for the service. Other more advanced mechanisms would reduce the usability/accessibility for a large portion of the Country.</div>
<div><br>
</div>
<div>A better way would be a registration process to access your records where one can select a Channel for 2FA</div>
<div><br>
</div>
<div>Denis</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jun 30, 2017 at 10:54 AM, Mark Kipyegon via kictanet
<span dir="ltr"><<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><wbr>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
SMS is not a secure implementation of two factor authentication.<br>
<span class="m_5777257711475880043m_4298102433583339857m_7934179117276832966m_330496142421220469m_6617591784149783904im m_5777257711475880043m_4298102433583339857m_7934179117276832966m_330496142421220469m_6617591784149783904HOEnZb"><br>
On 30 Jun 2017, at 10:40, "<a href="mailto:kictanet-request@lists.kictanet.or.ke" target="_blank">kictanet-request@lists.kictan<wbr>et.or.ke</a>" <<a href="mailto:kictanet-request@lists.kictanet.or.ke" target="_blank">kictanet-request@lists.kictan<wbr>et.or.ke</a>> wrote:<br>
<br>
<br>
><br>
> A simple 2 Factor Authentication mechanism via SMS would suffice to start<br>
> with.<br>
<br>
</span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</span></div>
<div></div>
</div>
<br></div></div><span>______________________________<wbr>_________________<br>
kictanet mailing list<br>
<a href="mailto:kictanet@lists.kictanet.or.ke" target="_blank">kictanet@lists.kictanet.or.ke</a><br>
<a href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" rel="noreferrer" target="_blank">https://lists.kictanet.or.ke/m<wbr>ailman/listinfo/kictanet</a><br>
Twitter: <a href="http://twitter.com/kictanet" rel="noreferrer" target="_blank">http://twitter.com/kictanet</a><br>
Facebook: <a href="https://www.facebook.com/KICTANet/" rel="noreferrer" target="_blank">https://www.facebook.com/KICTA<wbr>Net/</a><br>
<br></span>
Unsubscribe or change your options at <a href="https://lists.kictanet.or.ke/mailman/options/kictanet/ngigi%40at.co.ke" rel="noreferrer" target="_blank">https://lists.kictanet.or.ke/m<wbr>ailman/options/kictanet/ngigi%<wbr>40at.co.ke</a><span><br>
<br>
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.<br>
<br>
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.<br>
<br></span></blockquote></div><br><br clear="all"><span><br>-- <br><div class="m_5777257711475880043m_4298102433583339857m_7934179117276832966m_330496142421220469gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div style="border-collapse:collapse;color:rgb(136,136,136);font-family:'Droid Sans',arial,sans-serif;font-size:13px"><div><font face="Calibri"><font size="2"><b>Regards,</b></font></font></div><div><br></div><div><font face="Calibri"><font size="2"><b>Wait</b></font></font><b style="font-size:small;font-family:Calibri">haka Ngigi</b></div></div><div><div><font face="Calibri"><font size="2"><font color="#888888" face="'Droid Sans', arial, sans-serif"><span style="border-collapse:collapse">Chief </span></font><font color="#888888"><span style="border-collapse:collapse">Executive</span></font><font color="#888888" face="'Droid Sans', arial, sans-serif"><span style="border-collapse:collapse"> Officer | </span></font><font style="border-collapse:collapse;font-family:'Droid Sans',arial,sans-serif;font-size:13px" color="#FF6600">Alliance Technologies</font><font color="#888888" face="'Droid Sans', arial, sans-serif"><span style="border-collapse:collapse"> | MCK Nairobi Synod Building</span></font></font></font></div></div><div style="border-collapse:collapse;color:rgb(136,136,136);font-family:'Droid Sans',arial,sans-serif;font-size:13px"><div><font face="Calibri"><font size="2"><span style="font-family:arial"><font face="Calibri"><font size="2">T +254 20 525 0750</font></font></span></font></font><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px"> </span><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px">|Office Mobile: <a href="tel:+254%20716%20201061" value="+254716201061" target="_blank">+254 716 201061</a> </span><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px"></span><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px">| </span><span 
style="font-family:Calibri">M +254 737 811 000<a style="color:rgb(103,117,58)"><br></a></span></div></div><div style="border-collapse:collapse;color:rgb(136,136,136);font-family:'Droid Sans',arial,sans-serif;font-size:13px"><div><span style="font-family:Calibri"><a href="http://www.at.co.ke" target="_blank">www.at.co.ke</a></span></div><div></div></div></div></div></div>
</span></div>
<br></div></div>
<span>
<br></span></blockquote></div><br></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="m_5777257711475880043m_4298102433583339857gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div style="border-collapse:collapse;color:rgb(136,136,136);font-family:'Droid Sans',arial,sans-serif;font-size:13px"><div><font face="Calibri"><font size="2"><b>Regards,</b></font></font></div><div><br></div><div><font face="Calibri"><font size="2"><b>Wait</b></font></font><b style="font-size:small;font-family:Calibri">haka Ngigi</b></div></div><div><div><font face="Calibri"><font size="2"><font color="#888888" face="'Droid Sans', arial, sans-serif"><span style="border-collapse:collapse">Chief </span></font><font color="#888888"><span style="border-collapse:collapse">Executive</span></font><font color="#888888" face="'Droid Sans', arial, sans-serif"><span style="border-collapse:collapse"> Officer | </span></font><font style="border-collapse:collapse;font-family:'Droid Sans',arial,sans-serif;font-size:13px" color="#FF6600">Alliance Technologies</font><font color="#888888" face="'Droid Sans', arial, sans-serif"><span style="border-collapse:collapse"> | MCK Nairobi Synod Building</span></font></font></font></div></div><div style="border-collapse:collapse;color:rgb(136,136,136);font-family:'Droid Sans',arial,sans-serif;font-size:13px"><div><font face="Calibri"><font size="2"><span style="font-family:arial"><font face="Calibri"><font size="2">T +254 20 525 0750</font></font></span></font></font><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px"> </span><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px">|Office Mobile: <a href="tel:+254%20716%20201061" value="+254716201061" target="_blank">+254 716 201061</a> </span><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px"></span><span style="font-family:Calibri,sans-serif;font-size:13px;line-height:14px">| </span><span style="font-family:Calibri">M +254 737 811 000<a 
style="color:rgb(103,117,58)"><br></a></span></div></div><div style="border-collapse:collapse;color:rgb(136,136,136);font-family:'Droid Sans',arial,sans-serif;font-size:13px"><div><span style="font-family:Calibri"><a href="http://www.at.co.ke" target="_blank">www.at.co.ke</a></span></div><div></div></div></div></div></div>
</div>
</div></div>
<br></div></div>
<span class="">
<br></span></blockquote></div><br><br clear="all"><br>-- <br><span class=""><div class="m_5777257711475880043gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Grace Mutung'u <br>Skype: gracebomu<br>@Bomu<br><span style="font-size:12.8px">PGP ID : 0x33A3450F</span><br></div><div><br></div></div></div></div></div></div></div>
</span></div>
<br></blockquote></div><br></div>
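The design the thread converges on (a public register lookup that still resists harvesting: a guessable ID paired with a non-sequential elector's number as the knowledge factor, a uniform failure response, and per-client throttling), written out as an added illustration in Python. This is not IEBC, KRA or any list member's code; the register entries, elector's number format and rate limits are constructed assumptions.

```python
"""Enumeration-resistant voter lookup: an added illustration (not IEBC, KRA or
any list member's code). Assumptions: each register entry pairs a sequential
national ID with a random, non-sequential elector's number (the property the
thread credits KRA PINs with); the portal answers only when both match, returns
the same 'no_match' whether the ID is absent or the elector's number is wrong,
and throttles lookups per client so walking consecutive IDs is cut off early."""
import secrets
import time
from collections import defaultdict

# Constructed sample register (hypothetical values, not real voters).
REGISTER = {
    "10000001": {"elector": "E7K2Q9", "name": "Voter A", "station": "Station 1"},
    "10000002": {"elector": "M3Z8P1", "name": "Voter B", "station": "Station 2"},
    "10000003": {"elector": "R5T6W4", "name": "Voter C", "station": "Station 1"},
}

MAX_LOOKUPS = 5        # lookups allowed per client per window (assumed policy)
WINDOW_SECONDS = 600


def generate_elector_number(length=6):
    """Random, non-sequential identifier; unlike a serial ID it cannot be
    walked by incrementing, which is what makes it usable as a lookup key."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I confusion
    return "".join(secrets.choice(alphabet) for _ in range(length))


class LookupService:
    def __init__(self, register=REGISTER, now=time.time):
        self.register = register
        self.now = now                       # injectable clock for testing
        self.attempts = defaultdict(list)    # client -> recent lookup timestamps

    def _throttled(self, client):
        """Sliding-window limit: more than MAX_LOOKUPS in WINDOW_SECONDS from
        one client is refused, which bounds how much of the register a
        scripted harvester can pull before being stopped."""
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.attempts[client] if t > cutoff]
        self.attempts[client] = recent
        if len(recent) >= MAX_LOOKUPS:
            return True
        recent.append(self.now())
        return False

    def lookup(self, client, id_number, elector_number):
        """Return (status, data). The ID alone never confirms a record exists:
        an absent ID and a wrong elector's number produce identical output."""
        if self._throttled(client):
            return ("throttled", None)
        record = self.register.get(id_number)
        # Compare against a dummy when the ID is unknown so the comparison runs
        # on every path and response timing does not reveal registered IDs.
        expected = record["elector"] if record else "XXXXXX"
        match = secrets.compare_digest(expected.encode(), elector_number.encode())
        if record is None or not match:
            return ("no_match", None)
        return ("ok", {"name": record["name"], "station": record["station"]})
```

The voter still only needs two values they already hold (ID and the number on the acknowledgment slip), which keeps the process simple at the grassroots level, while a script walking consecutive IDs learns nothing from the responses and is throttled within a handful of requests.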