Lessons for India: High-tech Kenyan voting system hacked, Supreme Court annuls elections

1385
Jubilation in Nairobi after election results were declared. These results were annulled by the Supreme Court.

Above: Jubilation in Nairobi after election results were declared. These results were annulled by the Supreme Court.

~By Sujit Bhar

A recent news item about the cancellation of Kenyan elections by the country’s Supreme Court may not have raised too many eyebrows in India. Despite the presence of a large number of Indian expats in the country and a huge Indian investment atmosphere, the faraway African nation generally will not command front page coverage or prime time television.

However, a deeper look into the why the court annulled the elections results reveals an extraordinary piece of information. The election of President Uhuru Kenyatta on August 8 was annulled because the election process, held through electronic voting machines (EVM), was presumably hacked, favouring Kenyatta.

If that rings a bell, one has to put a caveat that Kenyan EVMs are different from Indian ones. While in India all machines are standalone systems, not connected to any internet or any other network, the Kenyan machines—the Independent Electoral and Boundaries Commission (IEBC) of Kenya selected the French firm Safran Identity & Security to supply the machines and the software—are online and polling can be monitored in real time as each input information is immediately relayed through the internet to the server and to the monitoring system.

The system was supposed to be one of the most advanced in the world and comprises biometric data input and analysis in the electoral process, a part of which was similarly achieved by India’s Aadhaar card, an initiative of the Unique Identification Authority of India (UIDAI).

The French firm, formally known as Morpho, is not new to Kenya. They were one of the vendors that supplied the kits for the 2013 general elections as well, and were the sole supplier of the kits in the January 16-February 19 mass voter registration, as per a report in Ureport.

Anybody who has made an Aadhaar card will be familiar with the process instituted in Kenya regarding voter registration. In Kenya, the voter registration itself was made in a similar fashion, with thumb impression biometrics being registered across the nation. There was no iris recording. On election day, voters would go into the polling booth and simply place their thumbs on the iPads or such device and his or her vote would immediately be logged. The biometric data stored in the system would automatically audit polling, check for duplicates and delete them.

This was done to get rid of the ‘ghost voter’ problem, an issue that India has suffered from for ages.

The claim was that this system would also eliminate the threat of vote manipulation.

Even if EVMs in India are standalone machines, it has been proved unofficially that these machines are hackable
Even if EVMs in India are standalone machines, it has been proved unofficially that these machines are hackable

Immediately after the August 8 elections, however, there were accusations by major political parties that the server, belong to the IEBC had been hacked. This allegation was put forth by the National Super Alliance (NASA). It claimed that thereafter results were manipulated.

The case went to the Supreme Court in Nairobi, and on September 1, the court declared that the elections were null and void. The court said that the IEBC had committed “irregularities and illegalities” during the elections, harming the integrity of the election and that another presidential election should to be held in 60 days.

Judge David Maraga’s pronouncement is critical— the decision was okayed by four out of a bench of six judges—because no presidential election in Kenya has ever been nullified before.

There remains a technical ambiguity, though. Judge Maraga said the IEBC had “failed, neglected or refused to conduct the presidential election in a manner consistent with the dictates of the constitution.” The details remain within wraps, but one would have expected a technical investigation before the court judgment. One is not sure what data or information the court judgment has been based upon. A mere comment on unconstitutionality is rather vague to disregard a president-elect who has come to power with 54 percent of the votes.

The IEBC had admitted to a hacking attempt but said that it had failed. The process seemed transparent to international election observers.

This is where India’s story could start. Indians have put their faith in Aadhaar and disseminated huge amounts of biometric data. Even if EVMs in India are standalone machines, it has been proved unofficially—no official testing was allowed with a free hand by the Election Commission of India—that these machines are hackable. Even VVPATs have been spewing wrong symbols.

If India wishes to opt for the Kenyan system, which is said to be fail-proof, it can easily use the huge Aadhaar data bank. But as Rajeev Mehrishi, ex-Union home secretary has pointed out in a parliamentary standing committee hearing, even smartphones can be hacked. What keeps the voting system safe? Russia had managed to hack into the US voting system’s email block and managed to influence the elections there.

The very idea of the government collating complete data banks on its systems lives within the risky zone. There could be hacking, or even deletion of all data, in which case a person can become identity-less in a second or less. The security network in the country could work against its own citizens.

We run the risk, all the time.