Zimbabwe’s pro-democracy groups have alleged significant information security breaches of voters’ personal data ahead of the Monday 30 July elections. Although no significant network disruptions have been reported so far, these breaches, some of which the electoral commission has admitted, pose a significant threat to privacy, expression and political participation. While two of the cases involve alleged interference with data stored and at rest on the election commission’s servers, the other case concerns the ‘black boxing’ of the ballot paper’s security features. This lack of transparency erodes trust and confidence in biometric technology, and it also frustrates the verifiability and audit of the technical functionality, especially its potential capabilities to obfuscate data. All the above developments challenge the Internet Freedom Community to reconsider the ambit of information controls, particularly during key political events such as Zimbabwe’s current elections. As a number of African countries embrace biometric technology-driven elections, the community needs to adopt a broader approach to information controls that addresses all information security breaches since big data and decentralized technologies. This is regardless of the fact that some of these technologies do not exclusively rely on internet transmission control protocols to transmit and store data. This article argues that such a broader approach accords with The Citizen Lab’s conceptualisation of information controls: a broad term used to define all actions that governments, the private sector, and other actors take through the Internet and other information communications technologies, for example, to secure (e.g., encryption) information for political ends. An acceptance of this view will lead to a more evidence-based and broader elections threat modeling.
Such modeling, based on revised indicators, would take into account a wide range of adversaries that potentially exploit vulnerabilities in decentralized technologies and also in data, regardless of medium or whether such data is in transit, in the cloud, in storage or at rest.
Zimbabwe’s alleged information security compromises
In the run-up to Zimbabwe’s 2018 elections, the main opposition party, the Movement for Democratic Alliance, supported by some local NGOs, raised the following information security concerns in connection with the integrity, availability and confidentiality of voters’ personal data:
Selective access to voters’ personal data
The first complaint relates to the election commission’s refusal to give the opposition access to the voters’ roll stored on its servers, on the ground that this may compromise the security of sensitive data. Subsequent to this refusal, some voters received targeted campaign text messages from the ruling ZANU PF party, leading to further allegations that the commission had selectively made the voters’ database available to the ruling party, contrary to the provisions of the law which it had cited to deny the opposition the same right. The commission responded to the accusation by stating that its database was hacked. This admission contradicts its earlier claim that its database was tamper-proof. The commission’s head, Judge Chigumba, had previously issued a press statement that the 2018 elections could not be rigged as the country’s voting system is “tamper-proof” for the simple reason that the data that they collected are housed in a ‘consolidation server’. She continued, “The consolidation server contains the master server that contains all the information and we then have other servers which we are using to connect that data. Those servers have very strict protection files. They have very strict un-hackable access level passwords that are tamper-free.” For more on this issue, please read our previous analysis: Verifiability and Trust: Two Key Ingredients to a Credible Election in Zimbabwe. The current alleged data breach draws parallels to Kenya’s elections, where there were reports that individuals received texts via short messaging service (SMS) from candidates vying for various political seats during the campaign period of the elections. These SMS texts were allegedly accurate as to where the individuals were voting and, to some extent, their political inclinations.
The issue of data mining for political campaigns has been topical since the revelations that Cambridge Analytica used enormous datasets of personal information from Facebook to advertise to micro-targeted voters in the U.K. and the U.S. The information had initially been obtained from Facebook through a researcher, and then reportedly sold to Cambridge Analytica. When this happened, Facebook said this practice was a violation of their terms of service, but the incident raised important questions about data protection in the age of data harvesting.
Integrity of voters’ biometric data
Both the opposition and NGOs raised the second allegation: gross errors and omissions, the inclusion of ‘ghost voters’, and a demographic distribution in the 2018 voters’ roll which is not consistent with the prevailing demographic models for Zimbabwe, along with precedent models from the 1982 up to the 2012 censuses. This pointed to the possible manipulation of the entries on the voters’ roll.
Data obfuscation and black boxing
Lastly, they alleged a lack of transparency in the printing of the ballot paper and a failure to fully disclose the ballot paper’s hidden technological capabilities and security features.
Some of the above issues had been raised before in Zimbabwe’s previous elections and elsewhere. During the 2013 elections, the Zimbabwean opposition had to petition the court after failing to access an electronic copy of the voters’ roll. Also, in neighbouring Zambia, during the 2015 elections which I observed, the opposition complained about the printing of the ballot paper and a lack of transparency over its features.
Information security implications
While some of the concerns were of a cyber-security nature, others went beyond it to encompass the broader information security field, for example, voters’ data in storage, at rest and partly on static websites, but also information that is ‘encrypted’ on ballot papers. While the internet freedom community in Africa has by and large focussed on internet shutdowns during elections, information controls are evolving, and governments are now applying them in highly dynamic ways, often responding to events on the ground and displaying wide-ranging motives. Also, governments choose the technology that suits their goals, and this depends on whether the data at stake is in storage, at rest, in transit or in the cloud. However, in the case of Zimbabwe, a pattern is emerging: the country is gradually acquiring biometric-based technologies, sometimes outsourcing, to control when such information can be accessed and under which conditions. It may encrypt or use similar technologies to hide information that gives it an advantage. All in all, it uses information security doctrine and rule by law to cement its position.
Need for a revised threat model?
The above should inform a more accurate risk assessment and threat modelling. For instance, in Zimbabwe’s case, the risk assessment should take into account the fact that the adversaries could be “thousands of miles away or in the very next cubicle at work, or both!” Attention should not be paid only to unknown hackers from the outside: insiders are a much greater threat and can do far greater damage, which is likely to be the case in Zimbabwe’s current data privacy breach. Insiders already have some level of access, means, and opportunity to hack. In Kenya’s election data breach case, the hackers who compromised the voters’ data were insiders, and while their actions were partly motivated by profit, their conduct also gave certain political parties an advantage.
Obfuscation: Security through obscurity and the information security doctrine
In the past, the reliance on information security as a form of data breach in Zimbabwe was based on overt militarisation and securitisation of the Internet, for example, the involvement of the Israeli firm Nikuv collaborating with the army. However, the current allegations in Zimbabwe appear to suggest a more covert embedding of political intentions in technologies. First, the management of the election is mostly civilian-led and under the auspices of a respected former judge who knows the importance of adhering to the rule of law. In this case, the rule of law becomes a double-edged sword, since the constitution gives the election commission the mandate over election management, including the technology aspects. For example, the commission has the full mandate to oversee the printing of the ballot paper. This in turn denies the opposition an avenue to technically test the ballot paper’s ‘encrypted’ technological capabilities and security features. This has rendered the opposition powerless and is leading it to slide into the dangerous terrain of propaganda and fake news.
Zimbabwe’s case is not novel in this regard. In 2016, the Tunisian government planned to equip all ID cards with an electronic chip that stored information, a part of which would be encrypted and unknown. It had no procedural or substantive safeguards to protect the data from abuse. The New York-based Access Now raised concerns that, “A “black box” ID card could be used to trample on the rights of Tunisians, granting officials access to rich data profiles that could be turned against citizens. But even if that doesn’t happen, creating a large database of this type of information would likely attract criminals and hackers seeking to exploit it. That’s not safe.”
General concerns with biometric technology deployment in Africa
According to CIPIT, the use of biometric technology in political processes, i.e. the use of people’s physical and behavioural characteristics to authenticate claimed identity, has swept across the African region, with over 75% of African countries adopting one form or other of biometric technology in their electoral processes. This has been driven in part by the low trust that the majority of citizens have had in electoral management bodies and the assumption that adopting such technologies will increase confidence and efficiency in the elections. This comes at a high cost to countries already struggling with expensive elections. Despite such costs, the adoption of biometrics has not restored the public’s trust in the electoral process, as illustrated by post-election violence and legal challenges to the results of the 2017 Kenyan elections. An unexplored implication of this techno-optimism about biometric technology in elections is the privacy aspect.
Although Kenya’s elections were fully electronic, Zimbabwe could still draw key lessons from Kenya, as both countries’ legal landscapes lack the protections needed to safeguard the privacy of their citizens and protect their data. “Transparency, trust, and security are key when deploying biometrics technologies. When such technologies are adopted in the absence of a strong legal framework and strict safeguards, they pose significant threats to privacy and personal security, as their application can be broadened to facilitate discrimination, social sorting and mass surveillance. In Zimbabwe, some politically connected parties have already threatened reprisals against people who vote a certain way since they have access to biometric data and voters’ serial numbers to monitor voting patterns. Also, the varying accuracy of the technology can lead to misidentification, fraud and civic exclusion. As such, it is crucial that [African countries] review their election and referenda processes, the use of biometric technologies be understood from a privacy and security perspective” (CIPIT, 2017).
Are decentralised technologies such as blockchain the future for election security?
Blockchain has already been piloted in Sierra Leone, where the national electoral commission (NEC) accredited Agora, a Swiss foundation focused on digital solutions, as an independent observer during its March 2017 election, to test its permissioned blockchain technology during elections. Blockchain was not used to tally the entire election but just to demonstrate blockchain capabilities. Agora manually entered on its blockchain ledger the results announced by local polling station agents from 280 polling centres in Sierra Leone’s Western District, and these results could be accessed publicly. It published the results of its blockchain count on its website. These results could be checked against those tallied by the NEC.
While it was not officially adopted by the electoral commission, there is some potential for use of decentralized technology in elections across the continent. As with cryptocurrencies such as Bitcoin and Ethereum, recording votes on publicly accessible ledgers in real time could bring more transparency to electoral processes and possibly prevent the electoral disputes which often follow elections on the continent. For instance, the Brazilian legislature is testing the use of the Ethereum blockchain to verify signatures collected for popular petitions. In a related development, a supporter of a Chinese student’s protest was able to circumvent speech restrictions on a topic by embedding a letter into the tamper-proof Ethereum blockchain.
While nothing is fully hack-proof, blockchain is significantly more secure, as transactions on blockchain are irreversible, so the information cannot be altered. Furthermore, as it is an open-source, public, distributed computing technology, transactions can generate distributed copies of themselves within the network. However, as we point out in our previous blogs, in addition to verifiability, the management of election processes goes beyond technology to trust and adherence to the rule of law. The InfoSec community should engage to encourage secure and transparent decentralised technologies, as was the case in Sierra Leone. However, this is a long shot in Africa, as no government is likely to use technology that leads to its defeat.
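The property the last three paragraphs rely on (a public record of polling-station results that cannot be quietly altered and can be checked against the official tally) can be shown with a plain hash chain. This is an added example, not Agora's or any electoral body's code; it is a single-writer chain with no consensus layer, and the station IDs, candidate labels and counts are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def entry_hash(prev, station, votes):
    """Hash one result together with the hash of the entry before it."""
    payload = json.dumps({"prev": prev, "station": station, "votes": votes},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_result(ledger, station, votes):
    """Append a polling-station result chained to the current head hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"station": station, "votes": dict(votes), "prev": prev,
                   "hash": entry_hash(prev, station, votes)})
    return ledger[-1]["hash"]


def verify_chain(ledger, published_head):
    """Return None if intact, else the index where verification fails.

    len(ledger) means the chain is self-consistent but does not end at the
    head hash that observers recorded, i.e. it was rewritten or truncated.
    """
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["station"], e["votes"]):
            return i
        prev = e["hash"]
    return None if prev == published_head else len(ledger)


def reconcile(ledger, official):
    """Stations whose ledger result differs from the official tally."""
    recorded = {e["station"]: e["votes"] for e in ledger}
    return sorted(s for s in recorded.keys() | official.keys()
                  if recorded.get(s) != official.get(s))


# Constructed sample data: station IDs, candidates and counts are invented.
SAMPLE = [("PS-001", {"A": 120, "B": 95}), ("PS-002", {"A": 80, "B": 140}),
          ("PS-003", {"A": 60, "B": 61})]


def build_sample_ledger():
    ledger = []
    for station, votes in SAMPLE:
        head = append_result(ledger, station, votes)
    return ledger, head
```

An operator who rewrites every entry can still produce an internally consistent chain, so the check only holds if the head hash has been published to parties the operator does not control.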
Source: Arthur Gwagwa
Arthur Gwagwa specialises in technology and law, particularly during elections.