Skip to main content
December 17, 2017

Audit report on IEBC servers: login trails, forms 34A, B not provided

Forms 34 A,B and C which were filed at the Supreme court by IEBC on Tuesday,August 22, 2017. /COLLINS KWEYU
Forms 34 A,B and C which were filed at the Supreme court by IEBC on Tuesday,August 22, 2017. /COLLINS KWEYU

Supreme Court judges on Monday ordered the IEBC to grant the National Super Alliance access to its servers.

The coalition, following a petition by its leader Raila Odinga, wanted this for verification of information used to declare results of the August 8 poll.

Raila is challenging the declaration of President Uhuru Kenyatta as the winner of the presidential election. 

Chief Justice David Maraga consented to limited access to avoid compromising the integrity of the commission's ICT system.

The scope of access included login trails of users into servers, access to password policy and matrix.

It was also to include certified copies of key result collation statutory records, popularly known as forms 34A and 34B.

The report on the audit by IT experts appointed by the court was to be tabled before the court on Tuesday, August 29 latest 5pm.

However, technicalities attributed to “layers of security levels in accessing the servers" by IEBC lawyers saw the report being tabled at 9pm.

Here is what the IT experts found in the study as well as what was complied with or not: 

 

Access to firewalls

IEBC complied with the order to provide NASA with information on the number of servers in its possession.

The commission, however, refused to grant access to firewalls saying this would compromise the security of its system.

It only provided schematic diagram and hardware model.

"They were not willing to provide configuration of internal and external firewalls. Said that the configurations for internal and external firewalls were identical, disclosing one would compromise the other," the report noted.

The court and appointed IT experts however disagreed with the stand on internal firewalls saying "respondent to provide internal firewalls as the request is genuine and doesn’t affect the vulnerability of the system".

Operating Systems and passwords

IEBC complied with order to provide identity of the Operating System without revealing the identity of the software.

It also complied and provided a softcopy of password policy, password matrix, systems user types and levels of access.

"Document provided complies with the requirement," the report said.

The electoral body also complied with court order to provide its Election Technology System Redundancy Plan which comprises its business continuity and disaster recovery plan.

Copies of certificates of penetration tests conducted on the Election Technology System before and during the August 8 election were also provided.

The report however said the reports on the tests conducted were not certified by the electoral body pursuant to Regulation 10 of the Elections Technology Regulations.

GPR locations of KIEMS kits used

The report said IEBC provided only the GPS location of polling stations but not for the KIEMS kits.

NASA had wanted the location of the Kenya Integrated Elections Management Kits for the period between August 5 and August 11.

The report said IEBC was to provide the correct report.

It added that a certified list of all the KIEMS kits procured and used on Election Day was provided.

It however said the report on deployment or non-deployment of the kits was not comprehensive.

The report also said it provided technical partnership agreements including the list of technical partners and the kind of access to information they had.

Refused to reveal data sharing interface

The experts however said IEBC refused to provide a list of APIs used form exchange of data with the partners.

API stands for application program interface. It is a set of routines, protocols, and tools for building software applications.

Basically, an API specifies how software components should interact.

Login trail of users and equipments into IEBC servers, KIEMS systems

The report said IEBC failed to comply. It said the commission provided only softcopy logs to NASA who on their part insisted on the logs being accessed as they watched.

The report said IEBC stood its ground saying as long as the softcopies were provided, they served the purpose.

"Live access was provided on August 29 at about 3:50pm without the ability to access the logs or even view them. Therefore, the request was not granted, the IT experts said.

Similar, the report said IEBC refused to comply with an order to provide log in trails into KIEMS Database Management System but provided softcopy logs.

Certified copies of forms 34A, 34B and 34C

On the access of the above documents, the report said: "All parties were in agreement that this order was not to be handled by this team."

This order covered the provision of certified copies of all forms 34A from all the 40,833 polling stations, forms 34B from all the 291 tallying centres and form 34C used to announce the final presidential result.

The report presented by Supreme Court Registrar Esther Nyaiyaki said IEBC refused to provide scanned and transmitted forms 34A and 34B to NASA.

The audit was prepared and signed by Prof Elijah Omwenga, Prof Joseph Sevilla and Judiciary ICT staff Janet Kadenyi - the court appointed IT experts.

Responses

The petitioner and the two respondents, IEBC and Uhuru, were each given 15 minutes to respond to the findings in the report.

NASA’s lead counsel James Orengo said that some of the forms 34A and 34B did not have security features.

He said some forms lacked water marks and serial numbers and some appeared to be carbon copies of the original forms.

Orengo said the revelations were enough grounds for the court to nullify Uhuru's re-election.

"My lords, these documents support our case," he said.

In response, IEBC lawyer Paul Muite said the security features were not a legal requirement but a feature introduced by Al Ghurair, the Dubai-based firm contracted to print the ballot papers.

“There is no requirement in the regulations regarding security features…it is not a requirement of the law,” Muite said when pressed further by Maraga. 

The The court retreated on Tuesday after all parties responded to the report.

 CJ said the seven-judge bench will issue its verdict on the presidential petition on Friday, September 1.

 

 

 

 

 

STAR COMMUNITY POLICY AND PARTICIPATION GUIDLINES
  • Thank you for participating in discussions on The Star, Kenya website. You are welcome to comment and debate issues, however take note that:
  • Comments that are abusive; defamatory; obscene; promote or incite violence, terrorism, illegal acts, hate speech, or hatred on the grounds of race, ethnicity, cultural identity, religious belief, disability, gender, identity or sexual orientation, or are otherwise objectionable in the Star’s  reasonable discretion shall not be tolerated and will be deleted.
  • Comments that contain unwarranted personal abuse will be deleted.
  • Strong personal criticism is acceptable if justified by facts and arguments.
  • Deviation from points of discussion may lead to deletion of comments.
  • Failure to adhere to this policy and guidelines may lead to blocking of offending users. Our moderator’s decision to block offending users is final.
Poll of the day