How rogue IEBC staff minted cash from sale of voters’ data

The presidential tallying centre at Bomas of Kenya on August 2 last year /HEZRON NJOROGE
The presidential tallying centre at Bomas of Kenya on August 2 last year /HEZRON NJOROGE

The IEBC has found itself in the eye of another storm after it emerged that staff within its ICT department illegally sold private voter data to politicians in the 2017 General Election.

Strathmore University's Centre for Intellectual Property and Information Technology has revealed in a report that some IEBC employees shared private voter data with politicians, who then used it to send campaign messages to several citizens.

Two individuals that vied for Member of County Assembly positions yesterday confirmed to the Star that voter data was up for sale in the run up to the elections.

“As long as you had money you could buy anything. A voter's detail with their phone number, ID number, photo, age and polling station was being sold at Sh3,” one of the aspirants said in an interview.

Read:

The staff minted millions by trading in private data they were supposed to protect.

Some of the campaign messages CIPIT collected were from aspirants for MCA, senator, women representative and MP positions.

Nairobi for instance has 2,250,853 registered voters. If an IEBC employee sold data for just a quarter of those voters to a senator or women representative aspirant, he or she would have earned Sh1.6 million from each buyer.

With hundreds of contestants in the polls, the crooks could have earned millions from the election.

The Centre for Intellectual Property and Information Technology (CIPIT) on Monday released a report citing privacy violations with the sharing of voter data.

The research centre holds that Kenya's lack of stringent data protection laws have hindered protection of sensitive data, such as personal details of voters.

That, the report indicates, provided a loophole for the private data business during the campaign period.

A copy of the voter register can be availed to any citizen at the IEBC offices upon request and with justification for the document, but the polls body is required to redact private information such as phone numbers, ID numbers and polling stations.

CIPIT adds that interviews with content service providers (firms that send bulk messages at a cost) revealed that politicians would obtain voter data from the IEBC then pay them to direct targeted campaign messages to potential voters.

“Only the IEBC has voter registration data, which was included in the messages that we collected in the survey. It is possible that political aspirants were able to obtain this data from the rogue officials at the Commission.

“Moreover, the CSP suggests that voters’ information, including their personal data, can be obtained from the IEBC,” the report further reads.

But the IEBC insists that its systems are secure, and that it did not receive any complaints in regard to sharing of private voter details.

The polls body says it can only act once a complaint has been made.

“The voter register is a public document. What we do not avail is the personally identifiable information (PII) such as date of birth or ID numbers and phone numbers. We remove such personal details or truncate them when shared with political parties and the public.”

“Our data is sufficiently secured. We have not received complaints that the data in our custody has been breached or compromised to warrant investigation and retribution,” IEBC communications manager Andrew Limo told the Star.

Efforts to reach IEBC chairman Wafula Chebukati hit a dead end as he did not pick our calls or respond to text messages.

CIPIT says that of the 228 people it interviewed, only four per cent had shared their phone numbers with politicians or their associates. Only three per cent of the people interviewed reported unsolicited campaign text messages to relevant authorities such as the Communications Authority of Kenya (CA).

CA director Francis did not respond to our calls or texts. But a CA insider who is not authorised to speak to the press without the director's permission told the Star that the regulator did not receive any complaints on privacy violations.

CIPIT adds that its research found that the CA lacks a centralised complaints system and an anonymous reporting avenue.

“A significant number of surveyed respondents said that they were opposed to receiving targeted political text messages but they do not seem to have adequate channels to report infringements of their privacy.