What you need to know:
- The report revealed existence of 10 users named 'Embakasi South Clerks'.
- There were four additional but unauthorised Information Technology users.
- It also revealed 11 active generic accounts on the Automated Biometric System (ABIS) application and another two ABIS users with the same login identification.
An audit report has exposed major security loopholes in the 2022 voter register that can be exploited to manipulate next week’s elections.
The report by KPMG unearthed weak password systems and log-in details of ghost electoral officials, pointing to the possibility of hackers accessing the database and proceeding to deny voters their right to cast their ballots by either deleting their details from the roll or transferring them away from their preferred polling stations.
The report has also pointed out that the Independent Electoral and Boundaries Commission’s (IEBC) decision to switch provision of technology from IDEMIA to Smartmatic could lead to loss of voters’ data due to differences in functionality of the two systems.
But in its implementation matrix, the IEBC has assured Kenyans that most of the loopholes have since been sealed to ensure credible elections on Tuesday next week.
Questions may still be raised about the report, which was released by the commission on Wednesday after months of pressure from stakeholders to have it made public.
The report’s ‘Table of content’, for instance, shows the document has 156 pages. The commission, however, made public the contents of 47 pages only.
The late release of the audit report makes it difficult for stakeholders to scrutinise the measures put in place by the electoral agency to safeguard the integrity of the elections, which are only three days away.
“Despite updating of the register of voters being the role of returning officers (ROs), there were 14 non-RO users' accounts that had been granted the voter update privileges in IEBC’s Integrated Database Management System (IDMS),” states the report.
The report revealed existence of 10 users named 'Embakasi South Clerks'. There were four additional but unauthorised IT users.
Additionally, there were 11 active generic accounts on the Automated Biometric System (ABIS) application and another two ABIS users with the same login identification.
Further scrutiny of the register revealed that the RO user accounts in IDMS were not allocated to the named users.
Instead, the accounts had been given constituency names.
The report revealed that there were 513 generic user accounts in IDMS, increasing the risks of sharing credentials, which subsequently reduces accountability on the part of the users. Generic user accounts are accounts that cannot be attributed to an individual.
“There is a risk that users who are not authorised by law may process transfers, change of particulars or deactivate voters in the system. The risk is further elevated because IEBC has not set up an access re-certification and user activity review process,” warns the report.
It adds, “The lists of users with access to the system should be immediately reviewed and approved to ensure that only valid users have access to the voter registration and update systems supporting the ROV – especially in the validation period before certifying the final ROV.”
This disclosure comes against the backdrop of a recent admission by the commission that some voters were irregularly transferred from their preferred polling stations. The commission announced it had taken action against the officials.
The commission said investigations were carried out and the results showed that the voter update activities were performed by duly authorised registration officers.
“The logs of updates and activities carried out on the IDMs are available for independent review. The commission has implemented the approval process to be followed prior to granting access rights. All user access was disabled,” the commission states.
Audit trails indicate some users who had not been gazetted as returning officers had updated voter data.
Further, the report shows some users were granted excessive access rights at database level, which could be abused. Other users were clandestinely handed access, compromising the integrity of the roll.
A recent analysis by Nation.Africa had flagged a record 29 per cent voter transfers in some counties, against an average of five per cent.
The counties that were affected by the high numbers of transfers included Garissa, Mandera, Wajir, Marsabit, Isiolo and Tana River. A total of 50,328 voters were transferred in Mandera County. The figure is higher than the number of voters registered between 2017 and 2022, which IEBC places at 40,210.
Migration of voter data
In Garissa, some 41,513 voters were transferred in the same period the counties recorded 46,241 new ones. The county had 163,350 registered voters in the run-up to the 2017 polls.
The total transfers represent 25 per cent of voters the county had in 2017.
It is the same case in Wajir, which recorded 32,190 transfers after registering 35,964 new voters.
The audit report also raised concerns over glaring gaps in the migration of voter data from IDEMIA systems to Smartmatic system.
IDIEMIA offered technology to IEBC in the 2017 polls but the electoral agency has this time round contracted Smartmatic to provide the services.
“Migrate voter records of all the elector status or avail access of voter history to registration officers to ease the investigation of claims regarding voter registration and updates,” states the report.
The report states that the IDEMIA system held approximately 19.8 million voter records, which were migrated to Smartmatic systems during the implementation.
The KPMG report concluded that the access controls around the application and the database hosting the register of voters were ineffective.
But IEBC said the voter history was initially not migrated due to differences in functionality between the two systems.
“The commission has prioritised preparations for the general election. The recommendation will be concluded once the full BVR system is commissioned after the general elections,” said IEBC in its implementation matrix.
The commission further notes that it worked with Smartmatic to successfully migrate the 19.8 million records from IDEMIA system.
The audit also established that a total of 481,711 individuals were registered as voters with duplicated blank IDs or passport references.
There were another 164,269 voters with invalid reference numbers as recorded in the register of voters when compared to the National Registration Bureau and the department of Immigration Services. Of the numbers, 12,435 had invalid passports while 151, 834 had invalid IDs.
A total of 246,465 were deceased but the records portrayed them as voters. There were 4,757 individuals who had registered more than once, with both an ID number and a passport.
Another 226,143 individuals were registered with reference numbers that matched the existing record but the names used did not match.
All the records were expunged from the audited register.