Fresh details have emerged on
how Independent Electoral and Boundaries Commission chairman Wafula Chebukati could have compromised the security of the technology and by extension last year's general elections.
Correspondence between IEBC chairman Chebukati and Safran Morpho, the suppliers of the Kenya Integrated Election Management System (KIEMS) reveals how the kit was handed to a third party for review less than two weeks to the hotly contested elections.
Chebukati, who had disagreed with half of the commissioners at the time, disregarded official advice from the commission’s IT experts, and took the kit together with the passwords to "a personal consultant" to test their efficacy.
After the personal consultant — believed to be his son — had completed his audit, he wrote a report which raised a number of questions ten days to the elections.
Chebukati pointed out several “potential ways the kits may fail or be engineered to fail” including rebooting the EVID kit “into recovery mode without any special permissions or notifications on the monitoring platform”.
“In recovery mode, an individual with physical access to the device can —among other things — factory reset the EVID o the default Android system it came within less than one minute,” he said.
Even more significant, the chairman also raised the possibility that “one EVID kit can scan multiple results transmission QR codes and recognize them.”
“This implies that one kit can transmit results on behalf of another polling station,” he observed.
Without the knowledge of his fellow commissioners and the commission secretary Ezra Chiloba, he wrote to Safran Morpho, giving the company 24 hours to respond to the queries with “concrete suggestions on how to alleviate and/or eliminate the concerns”.
He wrote: “The findings came about through preliminary testing of the kit by an independent body in less than a day further testing is still going on. The findings can be replicated without any special permission and may cause the kits to fail on election day.”
“I hereby insist you respond to these queries with concrete suggestions on how to alleviate and/or eliminate the concerns raised. We can then convene to discuss the proposals," said Chebukati in an email dated July 24.
He reminded Safran that the commission was relying on the EVID kits for the elections and “any shortcomings must be addressed as soon as possible.”
Safran declined Chebukati’s request pending his disclosure of the the name of the independent body that conducted the tests and and the process followed.
Specifically, Safran posed: Where did the kits come from? What was the environment for testing? What was the procedure for testing? Who was supervising the tests?
The Chairman did not respond to the above questions. Instead, he explained that he had every right to know because, “as chairman of IEBC, the responsibility of managing Kenya’s elections is on my shoulders.”
Moreover, he added; “I am head of Commission which comprises six commissioners and the CEO is the commission secretary. Am also the National Returning Officer of the Presidential Elections. In that regard I must know everything in matters elections. This is a duty I must do within the framework of the Constitution and the laws of Kenya.”
“I shall not at the moment give details of the procedure adopted and issues of the supervision of the testing or even details of the environment thereof. Incase I do not hear from you; I shall then place the matter before the commissioners for open discussion," said Chebukati in an email to Safran Morpho on 25 July.
The chairman insisted that the tests were carried out by his personal consultant in his presence and threatened to share the findings with the commission if Safran did not respond within 24 hours.
The chairman did not disclose the name of the consultant — whom he referred to as his relative — to the commission. He had, however, earlier wanted his son, who was then studying in the US, to be attached to the ICT department but the son turned down the idea.
“The KIEMS kit was more or less a national security asset. When the Chairman of the IEBC took this kit to his personal consultant for testing, with whom did he consult? With whom did he share the purported findings?" asked a former IEBC Commissioner yesterday.
Chebukati did not answer calls and messages from the Star but instead the commission’s communications manager Andrew Limo responded with a defensive text message.
“The Chairman has the liberty to consult anyone on any issue. Secondly, the Commission sitting at Bomas in a joint meeting with Morpho discussed the issues raised and a way forward was agreed,” said Limo.
Experts in the ICT industry have standard procedures for testing complex technology before release to the market. In the case of the 2017 elections, the law required that all applicable technology be tested months before being deployed.
Some of the tech companies involved in the KIEMS project reportedly expressed shock at the time at the conduct of some of IEBC officials they were working with.
It is said that there was too much time spent in trying to build consensus even on obvious issues. Due to delays in decision-making, there was pressure on suppliers, especially to ensure that all relevant security measures were in place so that the KIEMS was not compromised.
“The appropriate thing for the chairman to have done was to make a formal request for assurance of the security of the KIEMS from his officers. A proper briefing would then be arranged. If the chairman indeed took the kit away without full disclosure, then there must be something wrong somewhere,” said a senior IEBC official yesterday on condition of anonymity.
The Star learnt that once the information about the KIEMS leaked, the National Intelligence Service moved in to monitor all the developments. Commissioners were informed that all matters relating to KIEMS were a national security concern and had to be handled with a lot care.
NIS also raised the question of abuse of office and breach of trust by the chairman and advised that the commission restricts the handling of sensitive information to trusted IEBC staff only.
Then Vice-chairman Consolata Nkatha is reported to have confronted the chairman regarding his secret dealings with Safran Morpho. “She got the information through a third party. Her concern at the time was whether the fact of non-disclosure by the chairman would compromise the election," an IEBC official told the Star.