IEBC Official
Image Courtesy
Shares

Even as the dust is yet to settle on Facebook’s scandal with Cambridge Analytica in relation to the use of personal data to influence elections, another scandal is brewing in Kenya following a report that has been released by Strathmore University’s Center for Intellectual Property and Information Technology Law (CIPIT) that reveals the possibility that some IEBC (Independent Electoral and Boundaries Commission) staff selling voter’s data to politicians, who in turn used the data to influence voters with targeted messages.

Unlike Cambridge Analytica who used algorithms to profile people based on their Facebook data and then target them with political messages, it is believed that Kenyan politicians simply got access to the voter register and used this data to identify their potential supporters and thus target them.

Targeted Messages

CIPIT’s report indicates that from their survey, they got a total of 228 respondents who had received unsolicited political messages during the 2017 general elections in Kenya. Out of the 228, 96% had not even given their phone numbers to any politician.

The report points out that the political messages contained the receiver’s name and voting location, down to their polling station, with a 70 percent accuracy. The extent of the accuracy raises the question of where the data was obtained from. IEBC’s voter register contains alphanumeric data; including name, age, county, constituency and polling station. Note that the voter register is a public document and thus anyone can apply to get access to it through a letter to the IEBC CEO. With proper reason, access is granted, however, the data provided will be limited to name, electoral area (polling station, county
and ward) and truncated ID number, without other biometric information.

To achieve such high accuracy that was witnessed with the political messages, the senders would need to not only have one’s ID number but also their phone number. In Kenya, there are quite a number of ways that this can be achieved;

  • We leave our phone numbers and ID numbers at security desks when we check into buildings
  • Mobile money agents have access to our ID numbers
  • Merchants when we pay via Mobile Money
  • Telcos when we register as subscribers

Any of these would have served as sources of data to politicians and we have even heard rumours that Mobile Money agents and Security guards were selling the data they had, but there has been no solid evidence to support these claims. However, as CIPIT’s report points out, none of these sources has the kind of data that was present in the political messages, i.e. voting location.

The report notes that there is a possibility that the politicians used civic data to first profile voters by their voting location and then subscription data was used to get the voter’s phone number. It is only the IEBC that has voter registration data, therefore, this information would have only been available to politicians only if IEBC availed it to them.

“A voter’s detail with their phone number… was being sold at 3 shillings” – Unnamed Politician

It is prudent to know that when one registers as a voter, the IEBC receives comprehensive data about you, including your phone number. Based on the communication between the electoral body and CIPIT, the former emphasises that this comprehensive data is purely for internal use and would need the voter’s consent before releasing their phone number. However, there is no mention of what “internal use” entails.

Rogue IEBC Officials

“It is possible that political aspirants were able to obtain this data from the rogue officials at the
Commission,” reads the report. As of who has access to the voter register, IEBC lists the following:

  • Clerks – they capture biometric data during voter registration. They have limited access, only allowed to input data but not alter it.
  • Constituency registration officers – they can amend alphanumeric data to correct mistakes or deactivate a deceased voter’s account. This is limited to their specific constituency register.
  • County ICT officers –  they have a maintenance account.
  • The manager in charge of data at the IEBC headquarters – can view actions carried out to all data across the IEBC voter registers. They cannot, however, alter data and must refer any alteration request to the relevant constituency registration officer.
  • The Director of ICT – has slightly more access to the data but cannot amend or alter the data.
  • The biometric software vendor – grants the rights to view and access the data. The software vendor cannot alter the data.

Following up on CIPIT’s report, The Star Newspaper spoke to a couple of unnamed politicians who confirmed to them that voter data was up for sale in the run-up to the elections. “As long as you had money you could buy anything. A voter’s detail with their phone number, ID number, photo, age and polling station was being sold at Sh3,” The Star quotes one of the politicians.

At the time of publishing, the IEBC had not responded to our questions regarding the matter, however, The Star reports that the IEBC maintains that their systems are secure, “Our data is sufficiently secured. We have not received complaints that the data in our custody has been breached or compromised to warrant investigation and retribution,” IEBC communications manager Andrew Limo is quoted.

For now, we have more questions than answers in regard to how the data that IEBC has is used and stored. CIPIT cites that a significant number of people have access to the voter register, making it difficult to pinpoint the people that were involved in selling data from the IEBC, if at all that is what happened.

TL;DR

Facebook: “We are having a lot of negative press following this Cambridge Analytica scandal”
IEBC: “Hold my beer”
Shares