the lead 2
Article by Francis Kamuyu, CIO, Multichoice Kenya.
Why, And How, Kenya Must Prepare For Elections 3.0
Kenya’s elections have been edging slowly towards more sophisticated technology to simplify the process. You would be forgiven for thinking that 9 August only complicated this process. Not so. If anything, it might just inspire Elections 3.0 five years down the road.
• Calling the election will henceforth require investment in ML/DNN to read the forms, not just humans.
• Azimio asked for the wrong logs. They should have asked for the logs of the CA, not just portal or database, as all evidence must trace back to the immutability of form 34A.
• Former Chief Justice Maraga’s court made form 34A immutable. Chief Justice Koome’s court would benefit future elections by making it infallible.
• Kenya operates a Zero-Trust election context, and the solution is to have Open Data philosophy before the elections, not after the elections during a petition. This will involve sharing of all log data with all stakeholders as the election progresses, after prior understanding and mapping of all systems to configure these logs for complete transparency.
• Once uploaded onto the portal, the form must not be edited, deleted or changed in any way. Form 34A immutability should be shared with the form 34A IEBC portal.
• The main challenge of fully digitizing electoral technology is simultaneously guaranteeing both confidentiality and transparency.
• Eventually we could perfect elections technologies (perhaps on blockchain) and export to the rest of the world, hence turning our expensive electoral technology to an export asset.
As the results of forms 34A started trickling into the portal in the 2022 General Election in Kenya, the Starehe IT Professionals WhatsApp group, like most IT groups in the country, got immersed in trying to find an Optical Character Recognition (OCR) solution to read the results and update the tallies automatically. Two initiatives were tried out, but the different handwritings were difficult for OCR to read. The next solution to test was based on Machine Learning, but that didn’t work either. In the CIO Council WhatsApp group, someone else also had a similar problem.
It is then that I got one of those Eureka! moments. Most algorithms are lazy, and so they preferred to learn to read the typed sections that were easy, repetitive no-brainers as opposed to the dynamic handwritten sections. As with all problems in life, it’s the difficult-to-read sections that were valuable. They were information intensive. The typed sections had no actual value.
They then isolated the section of the form with the handwritten figures, as the names of the presidential candidates always appeared typed in the same way thanks to a previous Supreme Court of Kenya order. In all cases, the results were a lot more promising. By the next elections, I am certain, there will be ready solutions to read the forms in real time as they are uploaded.
Consistency and uniformity of results is something the Media Society of Kenya could pool resources over, providing a unified solution to supply all media houses with the same results, instead of all media houses struggling with suboptimal solutions.
When the petitions made waves online, the various IT WhatsApp groups once again started interrogating the technical claims. One of us had handed in a technical affidavit in support of the petition. Unfortunately, it was time-barred. I then contributed to the Amici Curiae petition along with a raft of CIOs. My part was specifically to refute the Benson Wesonga affidavit. However, in the spirit of resolution, we all worked together to interrogate any and all technical claims.
The Wesonga affidavit that was time-barred was premised on an interesting hypothesis: that the time stamps when the forms 34A were uploaded were easily available in a report. The times the forms were created on the KIEMS kit were stated to also be easily available. Wesonga’s hypothesis was that forms that took longer than average to transit from the KIEMS kit to the portal must have been modified. By this time, the Independent Electoral and Boundaries Commission (IEBC) had not explained these scenarios.
It didn’t take long to munge the data and analyse it. We didn’t find any visual evidence of any modifications after isolating the forms that took the longest. There were tools that seemed to suggest most of the forms had been modified, but the distribution of the forms, the results and the number just didn’t make sense. Most importantly, we realised the good justices of the Supreme Court would be interested in visual evidence corroborated by actual data and a reconstruction of the original form to show the changes made. If the changes were then tallied and the total was significantly higher than an estimated 70,000 votes, no court would uphold the election. This is because Dr William Ruto escaped a run-off with less than 70,000 votes.
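The isolation step described above, as an added example that is not code from the article or from the analysis its author ran. The record layout, station codes and times are constructed, and the median-plus-MAD cut-off is an assumption substituted for the affidavit's "longer than average" test; the output only ranks forms for visual comparison, since a long transit is not itself evidence of modification.

```python
from datetime import datetime
from statistics import median

# Constructed records: (polling station, created on KIEMS kit, uploaded to portal).
# Station codes and times are hypothetical.
SAMPLE = [
    ("001-001", "2022-08-09T18:00:00", "2022-08-09T18:04:00"),
    ("001-002", "2022-08-09T18:10:00", "2022-08-09T18:15:00"),
    ("001-003", "2022-08-09T18:05:00", "2022-08-09T18:11:00"),
    ("001-004", "2022-08-09T18:20:00", "2022-08-09T18:27:00"),
    ("001-005", "2022-08-09T18:30:00", "2022-08-09T18:33:00"),
    ("001-006", "2022-08-09T18:02:00", "2022-08-10T02:40:00"),  # slow transit
    ("001-007", "2022-08-09T19:00:00", "2022-08-09T18:50:00"),  # upload precedes creation
]

def triage_transit(records, k=10.0):
    """Split forms into long-transit outliers and clock anomalies."""
    transit = {}
    clock_anomalies = []
    for station, created, uploaded in records:
        seconds = (datetime.fromisoformat(uploaded)
                   - datetime.fromisoformat(created)).total_seconds()
        if seconds < 0:
            clock_anomalies.append(station)  # kit or portal clock is wrong
        else:
            transit[station] = seconds
    med = median(transit.values())
    # Median absolute deviation: a few very slow uploads do not move it,
    # unlike the mean and standard deviation.
    mad = median(abs(s - med) for s in transit.values())
    threshold = med + k * max(mad, 60.0)  # one-minute floor avoids mad == 0
    outliers = sorted((s for s in transit if transit[s] > threshold),
                      key=transit.get, reverse=True)
    return {"median_s": med, "threshold_s": threshold,
            "outliers": outliers, "clock_anomalies": clock_anomalies}

if __name__ == "__main__":
    print(triage_transit(SAMPLE))
```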
They say hindsight is 20/20. What might have helped the case now that this hypothesis wasn’t proven?
The Sovereign is Wanjiku, And Form 34A is Her Sceptre
It can’t be overemphasised that any technical evidence will not be enough unless it shows modifications on Form 34A. The results of Form 34A are therefore immutable as per CJ Maraga’s court.
The election takes place at the polling station. That dusty, dilapidated classroom, with drunk-looking wooden desks, dirt earth and holes in the noisy iron sheet roof, is the dais on which the poor peasants exercise their sovereignty in accordance with the 2010 Constitution.
No commission, however pre-eminent the members; no parliament, president, petition, or justice, however powerful, noble or numerous, can overturn the decision of the citizen as captured on that humble form 34A. Every step of the process; every check and balance; every commissioner, clerk, or chairman of the commission is employed to safeguard the sanctity of the correctly filled Form 34A. It is difficult to pontificate on the importance of this one form that is then collated into Forms 34B and 34C, which don’t share its sanctity. It could even be argued that the Polling Officer at that humble polling station is the most important employee of IEBC, and everyone else above that is an overpaid clerk, including the IEBC Chairman. Any technical evidence must therefore be about this one form. The most successful evidence is evidence that shows the defilement of Form 34A’s sanctity, as this is treasonable usurpation of the sovereignty of the citizen.
Now that we have established the primacy of Form 34A, let us figure out the three points where illegalities and irregularities can change the will of the people.
a. Polling Station: The most obvious illegality is that the votes cast are not reflected on Form 34A. This can be due to (as per some petitions) votes meant for one candidate credited to another candidate, total votes cast underreported (makes it easier for the leading candidate to avoid a runoff), voter suppression, lost ballots, ballot stuffing, etc.
• All these illegalities are the reason why parties have agents at polling stations, in addition to use of KIEMS kits for registration, identification and authorisation, among other measures.
b. Portal: The form can indeed be properly filled, but when uploaded, it is replaced with another form. Any agents who signed the original form would have to be compromised not to raise the alarm. They could even sign on another form as instructed but this is not compulsory.
c. Constituency and National Tallying Centers: When collating or verifying the forms at the constituency or national tallying centers, illegalities and irregularities can change the form.
False Sense Of Security
Kenya is a Zero-Trust election context. In the never-ending quest to seal loopholes, we have comforted ourselves with several false assumptions about technology:
1. Agents must sign the modified Form 34A forms afresh
This is not necessary. In fact, in this era of deep fakes, the PDF can be modified using deep neural networks. This is an advanced branch of AI that can be used to write different figures on a form that looks the same as the original, complete with the same handwriting and signatures. All that is needed is collusion with the IEBC staff and the party agents and samples of the handwritings.
2. A Certification Authority is a sure sign that the forms were not modified.
Not necessarily. Smartmatic supplied the Certification Authority (CA), meaning they could configure it to give the same certificate to a modified PDF as to the original PDF.
3. The portal’s transparency directly correlates with election transparency.
Again, this is not a given. In polling stations where a party didn’t have agents, the polling staff could collude with the agents of the represented party. This is a case of garbage in, garbage out.
4. Voter registration using bio data on the KIEMS kits is enough to safeguard the voter register.
It’s not, as the audit just before the last elections revealed. There needs to be an open mechanism to ensure that all dead voters, double registrations, and other anomalies are dealt with at least three months before the elections.
How then can we safeguard the election of the future with technology while avoiding false self-assuring security?
Proposed Future Improvements:
1. Smartmatic uses a local, internal Certification Authority (CA). Best practice is to use an independent CA. As mentioned briefly above, an internal CA could be compromised to reissue the same certificate to a modified PDF, hence defeating the purpose of the digital signature.
• One of the Azimio affidavits focused on log files of the Linux operating system instead of the database server. The consensus is that the database log files would have shown which data was modified. However, the log files that would have shed light on any modifications are the portal’s log files, as the portal doesn’t necessarily have to store the documents in a database. Unfortunately, there was no requirement for the portal to log uploads and changes other than the basic upload time. This is a significant gap that I address later below.
• What no one seems to realise so far is that the most important log files might not be the database or even portal log files, but the CA log files. The CA shows when the Form 34A was issued a digital certificate as it was created at the polling station.
• That’s a critical audit data point that can only be picked from the 46,000 KIEMS kits, a near impossibility in the two days for investigations. Getting the log files from the CA would, however, take just a few minutes, and they can be analysed within an hour. The next critical audit data point is any other certificate issued to the Form 34A from the same polling station, as that could be a red alert signifying a modified Form 34A.
• Of all the missed opportunities of the Azimio petitions, this is probably the most significant technical analysis that should have taken place. It would have proven the most important possible illegality: that Forms 34A were modified after they left the KIEMS kits.
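One way to run the CA-log check described in the bullets above, as an added example that is not from the article or from any IEBC or Smartmatic system. The CSV layout, field names, station codes, digests and serials are all constructed assumptions; the audit flags every polling station whose Form 34A has more than one issuance event and separates repeat issuance over the same document digest from issuance over a different one.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed CA issuance log. Column names, station codes, digests and
# serials are hypothetical; map them to whatever the real CA exports.
SAMPLE_CA_LOG = """\
issued_at,station,form,doc_sha256,cert_serial
2022-08-09T17:42:10,001-001,34A,aa11,5001
2022-08-09T17:55:31,001-002,34A,bb22,5002
2022-08-09T17:56:02,001-002,34A,bb22,5003
2022-08-09T18:03:44,001-003,34A,cc33,5004
2022-08-09T23:15:09,001-003,34A,dd44,5005
2022-08-09T18:20:00,001-004,34A,ee55,5006
2022-08-09T18:21:00,001-004,34B,ff66,5007
2022-08-09T18:30:00,001-005,34A,ab12,5008
2022-08-09T22:05:00,001-005,34A,cd34,5008
"""

def audit_ca_log(text, form="34A"):
    """Flag stations whose form received more than one issuance event."""
    by_station = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["form"] == form:
            when = datetime.fromisoformat(row["issued_at"])
            by_station[row["station"]].append(
                (when, row["doc_sha256"], row["cert_serial"]))
    findings = {}
    for station, events in by_station.items():
        if len(events) < 2:
            continue  # one issuance at the polling station is the expected case
        events.sort()
        digests = {digest for _, digest, _ in events}
        serials = {serial for _, _, serial in events}
        findings[station] = {
            # Same digest twice may be a retry and needs review; a different
            # digest for the same station is the red alert the article names.
            "severity": "red" if len(digests) > 1 else "review",
            "first_issued": events[0][0].isoformat(),
            "gap_seconds": int((events[-1][0] - events[0][0]).total_seconds()),
            # One serial covering two different documents means the
            # certificate no longer distinguishes original from changed form.
            "serial_reused": len(digests) > 1 and len(serials) < len(digests),
        }
    return findings

if __name__ == "__main__":
    for station, finding in sorted(audit_ca_log(SAMPLE_CA_LOG).items()):
        print(station, finding)
```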