<html><head></head><body><div class="ydp2ac525cdyahoo-style-wrap" style="font-family: times new roman, new york, times, serif; font-size: 16px;"><div id="ydp2ac525cdyiv9545243635"><div><div class="ydp2ac525cdyiv9545243635ydp5af6b7beyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div><div><span>Listers, <br></span></div><div><span><br></span></div><div><span>On NIIMS, I believe the intentions are noble but the solution chosen hints at limited <b>cybersecurity awareness</b> in our national security / defense sector - which is a bit worrying. <br></span></div><div><span><br></span></div><div><span></span><span>I don't know if the teams involved considered the risks of concentrating that kind of *internationally valuable* data... In our current world, NIIMS will (guaranteed) <b>attract </b>and literally *<b>invite</b>* a deluge of <b>the most sophisticated cyber-attacks</b> from all sorts of places (including: untraceable state sponsored actors, international criminal networks, local corruption networks teaming up with international criminals etc)... <br></span></div><div><span><br></span></div><div><span></span><span>The reasoning behind this is the fact that the amount of <b>resources </b>expended towards cyber-crime are <b>directly proportional</b> to the perceived <b>value of the anticipated payoff</b>. </span></div><div><span></span><br></div><span></span><div><span>Hmm.. Just how valuable is an entire country's biometric ID and GPS linked database? What are the implications for the country if that kind of data falls into the wrong hands (or if the systems are infiltrated by some kind of ransom-ware with the help of insider collusion)? <br></span></div><div><span><br></span></div><div><span><br></span></div><div><div><span><u><b>Can NIIMS be protected? </b></u><br></span></div><div><span><br></span></div><div><span>No chance.</span><span> <b>State sponsored intrusion</b> uses <span><span>low-level attack</span></span> vectors (e.g. <b>chip-level trojans</b> / <b>backdoors </b>or <b>DBEngine </b>/ <b>OS / Driver level</b> backdoors etc introduced at<b> OEM level</b> (sometimes without the OEM company itself being aware); such risks cannot be defended against unless you make - i.e. design and build, not just assemble - your own critical ICT components and have full control of your supply chain.</span></div><div><span><br></span></div><div><span><span><span>At his time, Kenya does not have,<span><span><span><span> but can develop
if it wishes - </span></span></span></span>the <b>indigenous technical capacity,</b> to protect and defend such a <b>super-high-value database.</b></span></span><br></span></div><div><span><br></span></div><span></span></div><span><br></span><div><span><u><b>Can the protection be outsourced (e.g. to friendly countries)? </b></u><br></span></div><div><span><br></span></div><div><span>Yes, but <b>at what cost</b><b>?</b> By doing so, Kenya (and any African country that adopts such tech without first developing indigenous capabilities) will technically be relinquishing whatever *<b>national sovereignty</b>* it currently has. This is because the government will have to place <b>100% reliance</b> and <b>faith </b>on the *benevolent intentions* and *altruistic protection* of a technologically advanced <b>supplier partner state</b> (typically the hardware and OS manufacturer's originating country)... and that is not a problem that can be solved by component diversification (because then its a free for all), we will have little choice but to <b>choose a coloniser</b> to help us "protect" our national data (I think there are only three credible options: US, China or Russia). Looks like a tricky and unwise position for a non-aligned country/region to place itself in. Do we really want to checkmate ourselves geo-politically?</span></div><span><br></span><div><span>I urge our government to consider setting up <b>Holistic Analysis Units</b> in each Ministry (and even at county levels) to<b> </b>examine policies / proposals / ideas across <b>multiple subject domains</b> and identify <b>non-obvious factors </b>such as the risks of <b>unintended consequences</b> (to facilitate more robust decisions and outcomes). </span>G<span>ood intentions do not always yield the intended positive outcomes; they can make the problem worse.</span></div><div><span><br></span></div><div><span><span><span>Will criminals and terrorists sign up to NIIMS? Can the government prevent insider corruption networks
from selling or corrupting the data for a fee? Instead of solving identity
problems NIIMS could lead to the creation of very complex and
sophisticated identity crimes. In fact the original problems might never
get solved (yet we will have introduced new problems and costly challenges)</span></span>.<br></span></div><div><span><br></span></div><div><span></span><span><span>Perhaps, at some point in future, an idea like NIIMS could make sense. Right now, I don't think it does. </span></span></div><div><br></div><div>Good day,</div><div>Patrick.<br></div><div><br></div><br><div><br clear="none"></div><div><br clear="none"></div>
<div class="ydp2ac525cdyiv9545243635ydp5af6b7beyahoo_quoted" id="ydp2ac525cdyiv9545243635ydp5af6b7beyahoo_quoted_0624155395">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
</div>
</div></div></div></div></div><div class="ydp11d43807yiv9545243635yqt7898535323" id="ydp11d43807yiv9545243635yqt44123"><div>
On Thursday, February 14, 2019, 8:46:39 AM GMT+3, Grace Bomu via kictanet <kictanet@lists.kictanet.or.ke> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div id="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020"><div><div dir="ltr"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;">Listers, <br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;">Came across this presentation on NIIMS. It seems that the implementation does not envisage privacy. It is all from a traditional security and technology as a solution perspective. <br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;"><br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;">Of course there are many other questions such as how this will be integrated with existing and recently collected biometric data such as the voter register, passport and immigration data. <br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;"><br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;">Security should also include protection of our society's long term goals. We should have started with the data protection law. And even then, collection of DNA is a really big deal. Should we not discuss how it shall be done, by whom, for what purpose etc before ?</div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;"><br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;"><br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;">Regards<br clear="none"></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_default" style="font-family:verdana, sans-serif;"><br clear="none"></div></div><br clear="none"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_quote"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_attr" dir="ltr">Il giorno mer 13 feb 2019 alle ore 19:11 Eshuchi Richard via kictanet <<a shape="rect" href="mailto:kictanet@lists.kictanet.or.ke" rel="nofollow" target="_blank">kictanet@lists.kictanet.or.ke</a>> ha scritto:<br clear="none"></div><blockquote class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;"><div dir="ltr">Misinformation galore.<div><br clear="none"></div><div>To each his/her own though.</div></div><br clear="none"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_quote"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_attr" dir="ltr">On Wed, 13 Feb 2019 at 15:11, Alice Munyua via kictanet <<a shape="rect" href="mailto:kictanet@lists.kictanet.or.ke" rel="nofollow" target="_blank">kictanet@lists.kictanet.or.ke</a>> wrote:<br clear="none"></div><blockquote class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;"><br clear="none">
<br clear="none">
<a shape="rect" href="https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-linked-national-id-without-data-protection-law/" rel="nofollow" target="_blank">https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-linked-national-id-without-data-protection-law/</a><br clear="none">
<br clear="none">
<br clear="none">
Last month, the Kenya Parliament passed a seriously concerning amendment<br clear="none">
to the country’s national ID law, making Kenya home to the most<br clear="none">
privacy-invasive national ID system in the world. The rebranded, National<br clear="none">
Integrated Identity Management System (NIIMS) now requires all Kenyans,<br clear="none">
immigrants, and refugees to turn over their DNA, GPS coordinates of their<br clear="none">
residential address, retina scans, iris pattern, voice waves, and earlobe<br clear="none">
geometry before being issued critical identification documents. NIIMS will<br clear="none">
consolidate information contained in other government agency databases and<br clear="none">
generate a unique identification number known as Huduma Namba.<br clear="none">
<br clear="none">
It is hard to see how this system comports with the right to privacy<br clear="none">
articulated in Article 31 of the Kenyan Constitution. It is deeply<br clear="none">
troubling that these amendments passed without public debate, and were<br clear="none">
approved even as a data protection bill which would designate DNA and<br clear="none">
biometrics as sensitive data is pending.<br clear="none">
<br clear="none">
Before these amendments, in order to issue the National ID Card (ID), the<br clear="none">
government only required name, date and place of birth, place of<br clear="none">
residence, and postal address. The ID card is a critical document that<br clear="none">
impacts everyday life, without it, an individual cannot vote, purchase<br clear="none">
property, access higher education, obtain employment, access credit, or<br clear="none">
public health, among other fundamental rights.<br clear="none">
<br clear="none">
Mozilla strongly believes that that no digital ID system should be<br clear="none">
implemented without strong privacy and data protection legislation. The<br clear="none">
proposed Data Protection Bill of 2018 which Parliament is likely to<br clear="none">
consider next month, is a strong and thorough framework that contains<br clear="none">
provisions relating to data minimization as well as collection and purpose<br clear="none">
limitation. If NIIMS is implemented, it will be in conflict with these<br clear="none">
provisions, and more importantly in conflict with Article 31 of the<br clear="none">
Constitution, which specifically protects the right to privacy.<br clear="none">
<br clear="none">
Proponents of NIIMS claim that the system provides a number of benefits,<br clear="none">
such as accurate delivery of government services. These arguments also<br clear="none">
seem to conflate legal and digital identity. Legal ID used to certify<br clear="none">
one’s identity through basic data about one’s personhood (such as your<br clear="none">
name and the date and place of your birth) is a commendable goal. It is<br clear="none">
one of the United Nations Sustainable Development Goals 16.9 that aims “to<br clear="none">
provide legal identity for all, including birth registration by 2030”. <br clear="none">
However, it is important to remember this objective can be met in several<br clear="none">
ways. “Digital ID” systems, and especially those that involve sensitive<br clear="none">
biometrics or DNA, are not a necessary means of verifying identity, and in<br clear="none">
practice raise significant privacy and security concerns. The choice of<br clear="none">
whether to opt for a digital ID let alone a biometric ID therefore should<br clear="none">
be closely scrutinized by governments in light of these risks, rather than<br clear="none">
uncritically accepted as beneficial.<br clear="none">
<br clear="none">
Security Concerns: The centralized nature of NIIMS creates massive<br clear="none">
security vulnerabilities. It could become a honeypot for malicious<br clear="none">
actors and identity thieves who can exploit other identifying<br clear="none">
information linked to stolen biometric data. The amendment is unclear<br clear="none">
on how the government will establish and institute strong security<br clear="none">
measures required for the protection of such a sensitive database. If<br clear="none">
there’s a breach, it’s not as if your DNA or retina can be reset like<br clear="none">
a password or token.<br clear="none">
Surveillance Concerns: By centralizing a tremendous amount of<br clear="none">
sensitive data in a government database, NIIMS creates an opportunity<br clear="none">
for mass surveillance by the State. Not only is the collection of<br clear="none">
biometrics incredibly invasive, but gathering this data combined with<br clear="none">
transaction logs of where ID is used could substantially reduce<br clear="none">
anonymity. This is all the more worrying considering Kenya’s history<br clear="none">
of extralegal surveillance and intelligence sharing.<br clear="none">
Ethnic Discrimination Concerns: The collection of DNA is particularly<br clear="none">
concerning as this information can be used to identify an individual’s<br clear="none">
ethnic identity. Given Kenya’s history of politicization of ethnic<br clear="none">
identity, collecting this data in a centralized database like NIIMS<br clear="none">
could reproduce and exacerbate patterns of discrimination.<br clear="none">
<br clear="none">
The process was not constitutional<br clear="none">
<br clear="none">
Kenya’s constitution requires public input before any new law can be<br clear="none">
adopted. No public discussions were conducted for this amendment. It was<br clear="none">
offered for parliamentary debate under “Miscellaneous” amendments, which<br clear="none">
exempted it from procedures and scrutiny that would have required<br clear="none">
introduction as a substantive bill and corresponding public debate. The<br clear="none">
Kenyan government must not implement this system without sufficient public<br clear="none">
debate and meaningful engagement to determine how such a system should be<br clear="none">
implemented if at all.<br clear="none">
<br clear="none">
The proposed law does not provide people with the opportunity to opt in or<br clear="none">
out of giving their sensitive and precise data. The Constitution requires<br clear="none">
that all Kenyans be granted identification. However, if an individual were<br clear="none">
to refuse to turn over their DNA or other sensitive information to the<br clear="none">
State, as they should have the right to do, they could risk not being<br clear="none">
issued their identity or citizenship documents. Such a denial would<br clear="none">
contravene Articles 12, 13, and 14 of the Constitution.<br clear="none">
<br clear="none">
Opting out of this system should not be used to discriminate or exclude<br clear="none">
any individual from accessing essential public services and exercising<br clear="none">
their fundamental rights.<br clear="none">
<br clear="none">
Individuals must be in full control of their digital identities with the<br clear="none">
right to object to processing and use and withdraw consent. These aspects<br clear="none">
of control and choice are essential to empowering individuals in the<br clear="none">
deployment of their digital identities. Therefore policy and technical<br clear="none">
decisions must take into account systems that allow individuals to<br clear="none">
identify themselves rather than the system identifying them.<br clear="none">
<br clear="none">
Mozilla urges the government of Kenya to suspend the implementation of<br clear="none">
NIIMS and we hope Kenyan members of parliament will act swiftly to pass<br clear="none">
the Data Protection Bill of 2018.<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
kictanet mailing list<br clear="none">
<a shape="rect" href="mailto:kictanet@lists.kictanet.or.ke" rel="nofollow" target="_blank">kictanet@lists.kictanet.or.ke</a><br clear="none">
<a shape="rect" href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" rel="nofollow" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br clear="none">
Twitter: <a shape="rect" href="http://twitter.com/kictanet" rel="nofollow" target="_blank">http://twitter.com/kictanet</a><br clear="none">
Facebook: <a shape="rect" href="https://www.facebook.com/KICTANet/" rel="nofollow" target="_blank">https://www.facebook.com/KICTANet/</a><br clear="none">
<br clear="none">
Unsubscribe or change your options at <a shape="rect" href="https://lists.kictanet.or.ke/mailman/options/kictanet/eshuchi.richard%40gmail.com" rel="nofollow" target="_blank">https://lists.kictanet.or.ke/mailman/options/kictanet/eshuchi.richard%40gmail.com</a><br clear="none">
<br clear="none">
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.<br clear="none">
<br clear="none">
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.<br clear="none">
</blockquote></div><br clear="all"><div><br clear="none"></div>-- <br clear="none"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail-m_-857713360192596383gmail_signature" dir="ltr"><div dir="ltr"><font face="verdana, sans-serif">Regards,</font><div><div><b><font face="verdana, sans-serif">Eshuchi Richard</font></b></div></div></div></div>
_______________________________________________<br clear="none">
kictanet mailing list<br clear="none">
<a shape="rect" href="mailto:kictanet@lists.kictanet.or.ke" rel="nofollow" target="_blank">kictanet@lists.kictanet.or.ke</a><br clear="none">
<a shape="rect" href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" rel="nofollow" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br clear="none">
Twitter: <a shape="rect" href="http://twitter.com/kictanet" rel="nofollow" target="_blank">http://twitter.com/kictanet</a><br clear="none">
Facebook: <a shape="rect" href="https://www.facebook.com/KICTANet/" rel="nofollow" target="_blank">https://www.facebook.com/KICTANet/</a><br clear="none">
<br clear="none">
Unsubscribe or change your options at <a shape="rect" href="https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com" rel="nofollow" target="_blank">https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com</a><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020yqt1756333992" id="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020yqtfd50705"><br clear="none">
<br clear="none">
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.<br clear="none">
<br clear="none">
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.</div><br clear="none">
</blockquote></div><br clear="all"><br clear="none">-- <br clear="none"><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020gmail_signature" dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Grace Mutung'u <br clear="none">Skype: gracebomu<br clear="none">@Bomu<br clear="none"><span style="font-size:12.8px;">PGP ID : 0x33A3450F</span><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020yqt1756333992" id="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020yqtfd17222"><br clear="none"></div></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020yqt1756333992" id="ydp11d43807yiv9545243635ydp5af6b7beyiv1308299020yqtfd59143"><div><br clear="none"></div></div></div></div></div></div></div></div></div></div><div class="ydp11d43807yiv9545243635ydp5af6b7beyqt1756333992" id="ydp11d43807yiv9545243635ydp5af6b7beyqtfd83356">_______________________________________________<br clear="none">kictanet mailing list<br clear="none"><a shape="rect" href="mailto:kictanet@lists.kictanet.or.ke" rel="nofollow" target="_blank">kictanet@lists.kictanet.or.ke</a><br clear="none"><a shape="rect" href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" rel="nofollow" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br clear="none">Twitter: <a shape="rect" href="http://twitter.com/kictanet" rel="nofollow" target="_blank">http://twitter.com/kictanet</a><br clear="none">Facebook: <a shape="rect" href="https://www.facebook.com/KICTANet/" rel="nofollow" target="_blank">https://www.facebook.com/KICTANet/</a><br clear="none"><br clear="none">Unsubscribe or change your options at <a shape="rect" href="https://lists.kictanet.or.ke/mailman/options/kictanet/pmaina2000%40yahoo.com" rel="nofollow" target="_blank">https://lists.kictanet.or.ke/mailman/options/kictanet/pmaina2000%40yahoo.com</a><br clear="none"><br clear="none">The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.<br clear="none"><br clear="none">KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.<br clear="none"></div></div></div></body></html>