The Elephant


By Dauti Kahura

On September 30, 2017, the NASA quartet – Raila Odinga, Kalonzo Musyoka, Musalia Mudavadi and Moses Wetangula – held a press conference to alert Kenyans on a pressing issue they considered to be a hot-button election matter. The media briefing was about an IT company called OT-Morpho that had become something of a technological ogre to many Kenyans.

Looming large but shrouded in mystery, Kenyans only came to learn about the company after the Supreme Court of Kenya overturned the victory of Uhuru Kenyatta and his Jubilee Party in the August 8, 2017 elections. The thrust of the Supreme Court’s majority judgement rested in part on finding fault with the technological malpractices that clouded or interfered with the transmission of votes by the Independent Electoral and Boundaries Commission (IEBC)’s server. OT-Morpho was the French company that had been outsourced by IEBC to man the server and to ensure the correct transmission of tallied votes.

The statement read by Musalia Mudavadi, NASA’s national campaign chairman, said in part: “We are aware the KSh2.4 billion awarded sum is way above the KSh800 million that IEBC’s technical committee recommended. Kenyans should be excused if they were to conclude that the offensive amounts are being paid as a bribe to OT-Morpho for a shady job of using technology to tilt elections in favour of Jubilee in the same way it did last month.”

The thrust of the Supreme Court’s majority judgement rested on finding fault with the technological malpractices that clouded or interfered with the transmission of votes by the Independent Electoral and Boundaries Commission (IEBC)’s server. OT-Morpho was the French company that had been outsourced by IEBC to man the server and to ensure the correct transmission of tallied votes.

The key words Mudavadi used are bribe and shady job. The statement also claimed that “the two (OT-Morpho and Jubilee) have pulled another expensive fraud on Kenyan taxpayers even before the IEBC and OT-Morpho can address numerous questions regarding irregularities and illegalities in the August 8 elections.” The third key word is fraud. OT-Morpho has recently allegedly been involved in less than honest dealings in other parts of the world.

The NASA statement also accused OT-Morpho of being “firmly part and parcel of a criminal enterprise that has hijacked the Kenya electoral system with the sole aim of profiteering and frustrating the democratic ambitions of the people of Kenya.” Criminal enterprise are not charitable words to describe a global company that prides itself as a leader in the world of technological expertise and products. But has the company been charitable in its provision of its supposedly world class services?

On September 28, IEBC’s Chief Executive Officer Ezra Chiloba re-negotiated another deal with OT-Morpho to oversee the electronic transmission of the presidential results in the fresh election. (This new deal was the core theme of NASA’s press conference two days later). In its judgement, the Supreme Court said that a fresh election should be held within the constitutionally mandated 60 days from the date of the judgement.

Chiloba’s point of departure on once again contracting the French firm was that there was limited time between then and October 26, 2017 (the new date slated for the fresh elections. The initial date was October 17, 2017) to look for another IT firm to replace OT-Morpho. “The Commission held a series of meeting with OT-Morpho on the level of support we required for the fresh presidential election. This culminated into an addendum to the contract that was signed on Thursday (September 28, 2017) evening after negotiations were concluded as per the procurement law”, said Chiloba on September 30, 2017 to the media.

This new contract immediately was criticized by the opposition NASA coalition. The contract amounting to KSh2.4 billion “for an election involving only one position and two candidates is not only outrageous, but an act of fraud and deliberate theft of public funds and bribery,” said the NASA statement.

Two weeks earlier, Raila Odinga had asked the French government to investigate the Paris-based company and its alleged connection with IEBC officials who he claimed “acted in complicity and connived to undermine the will of the people of Kenya.”

Two weeks earlier, on September 8, 2017, in a protest letter to the French Embassy in Nairobi, NASA Presidential candidate Raila Odinga had asked the French government to investigate the Paris-based company and its alleged connection with IEBC officials who he claimed “acted in complicity and connived to undermine the will of the people of Kenya.”

He also requested the government to expose two alleged OT-Morpho employees, Laurent Lambert and Axel Gaucher, who allegedly helped some IEBC officials to gain unauthorised access to the electoral commission’s servers. In the letter, both were referred to with their respective titles: Lambert is said to work as head of Project Kenya, while Gaucher works as head of analytics at the same organisation.

OT-Morpho was tasked with providing two electronic systems that were to identify the Kenyan voter and consequently transmit election results from the 40,000-plus polling stations to a central tallying centre. Evidently, that did not happen. Raila, the NASA presidential candidate and the leading opposition figure in the August 8 general election, was quick to accuse the IT company of, “failing to comply with the prescribed format of results management data.”

Stung by criticism by the leader of the opposition and castigated by the Supreme Court for its electronic transmission system, OT-Morpho’s Chief Operating Officer, Frederic Beylier, in a terse statement on September 15, 2017 said: “We have conducted two in-depth audits of our system with the support of external and reputable companies. We refute any allegations of piracy or fraudulent intrusion into our system.” Beylier added that the internal audit done on their equipment did not find any foul play.

On election day itself, OT-Morpho supplied 45,000 Kenya Integrated Election Monitors (KIEMs) tablets that are used to identify voters biometrically and the Results Transmission System (RTS) software. Hence, while OT-Morpho was tasked with the provision of tablets, the transmission of encrypted data from KIEMs kits to the IEBC server was the work of three local mobile network companies, namely, Safaricom, Telkom Kenya and Airtel.

It is alleged that IEBC sub-contracted the French company to create a parallel system that gained access to the mobile network operators’ data, re-routed the data to Paris, then purportedly re-sent the figures to the IEBC server. According to people in the know, the reason why IEBC defied the Supreme Court’s order of opening its server to the judges’ scrutiny is that the server could be empty or with data that is not palatable to the public, hence lending credence to the allegation that the August 8 general election’s results were predetermined and preset.

So how is it that OT-Morpho was involved in electronic transmission? Bob Collymore, Safaricom’s Chief Executive Officer, in responding to Raila’s September 26, 2017 criticism of the company’s alleged culpability in abetting the electronic transmission malpractices, defended his company by stating: “In accordance with the contract with IEBC, all mobile companies connected their Virtual Private Networks (VPNs) and transmitted the data to the IEBC cloud servers. It was the IEBC’s responsibility to transmit results from its servers to the tallying centres (emphasis added).

This apparent “clarification” about IEBC being solely responsible for transmitting results to the tallying centres came about as a result of NASA pointing out that: “KIEMs kits were using two SIM cards. From contract provided by IEBC during scrutiny, the total SIM cards procured from the three mobile network operators combined “totalled 58,000 or thereabouts”. That is how the Safaricom position statement read by Bob Collymore, the Chief Executive Officer (CEO) put it on September 27, 2017.

This included the satellite phones. If two SIM cards were fitted in each KIEMs kit, you would have to divide the total by two. So basically only 29,000 KIEMs were fitted with SIM cards in this case. That means that only 29,000 KIEMs transmitted results.” It is noteworthy that Safaricom does not dispute that only 29,000 KIEMs were fitted with the dual SIM cards, which possibly explains why 11,000 Form 34As were not filled by IEBC’s returning officers.

It is at this point that OT-Morpho comes in. It is alleged that IEBC sub-contracted the French company to create a parallel system that gained access to the mobile network operators’ data, re-routed the data to Paris, then purportedly re-sent the figures to the IEBC server. According to people in the know, the reason why IEBC defied the Supreme Court’s order of opening its server to the judges’ scrutiny is that the server could be empty or with data that is not palatable to the public, hence lending credence to the allegation that the August 8 general election’s results were predetermined and preset. (The Elephant is on record on having written to the OT-Morpho public relations consultant Julien Tahmissian, to comment on the allegations levelled against the French company, but our email request went unanswered.)

Acting and talking tough, Beylier responded by saying that his company was going to sue unidentified people in France and Kenya for damaging “our reputation and honour.” Guns blazing, he warned: “We do not intend to become the scapegoat of the political situation in Kenya. We do not accept the reputation of OT-Morpho and its employees is tainted in any way by these allegations. This has to come to an end.”

In an interesting twist of events, Beylier had earlier pointed out on September 19 that the French firm had not signed a new contract with IEBC. Speaking to Alastair Leithead of the BBC’s Focus on Africa, he said: “We don’t have contract with them (IEBC) for the next election yet.” (He was then referring to the new election date of October 17, 2017, before it was moved to October 26, 2017.) “If we had the contract by now – and assuming that the Supreme Court does not recommend any technical change in its ruling – we would need up to the end of October to reconfigure our systems for the repeat election,” he added.

Beylier said the company was willing to open its system for scrutiny by an independent body under the authority of IEBC. But less than a fortnight later, when the chairman of the electoral commission, Wafula Chebukati, asked the company to open the servers before the upcoming fresh presidential election, OT-Morpho’s Vice President for Middle East and Africa, Olivier Charlane, promptly wrote to the commission, vehemently opposing the suggestion.

Posturing and seemingly on the offensive, Beylier said the company was willing to open its system for scrutiny by an independent body under the authority of IEBC. But less than a fortnight later, when the chairman of the electoral commission, Wafula Chebukati, asked the company to open the servers before the upcoming fresh presidential election, OT-Morpho’s Vice President for Middle East and Africa, Olivier Charlane, promptly wrote to the commission, vehemently opposing the suggestion.

“OT-Morpho would respectfully warn IEBC that opening access to servers, databases and logs prior to the election might open security weaknesses. We would rather recommend that access to server and databases be provided after the Election Day. Anyhow, logs will be shared on a daily basis with IEBC. Agents should be allowed to review them at IEBC premises only,” wrote Charlane.

Like Chiloba, OT-Morpho now ducked the issue of opening itself to an external audit, arguing that there was limited time for that kind of exercise. In the letter to Chebukati, Charlane pointed out that considering the short time left to the date of the fresh polls, it was impossible to conduct a dry-run of results transmission. “Even though OT-Morpho was and remains willing to support such a dry-run, IEBC has to realise that conducting such an operation is hogging the RTS (Results Transmission System) system for four days, so as to prepare test, run and clean the system.”

In reply to Chebukati’s terse memo to OT-Morpho on the issue of clearly displaying all the form 34B from the constituencies, Charlane said the firm would find it technologically impossible to do this given the bulky nature of the forms.

“In the current planning and considering the recent delays in receiving the SIM cards to start the KIEMS (Kenya Integrated Elections Management System) kits production as well as the latest IEBC requirement, we fear we have no room any more for such operations,” opined Charlane. In a roundabout way, what Charlane was saying in not so many words is that nothing should be done to compromise or interfere with OT-Morpho’s supposed data security.

Why would a company with such a huge reputation in digital technology and identification systems offer such flippant excuses for not accepting a reasonable request from a client? OT-Morpho’s website describes the company as, “the acknowledged expert in identification systems.” OT-Morpho used to be known as Safran Identities and Security (Morpho) until May 2017, when it sold its digital security unit and morphed into Advent International, owner of Colombes, France-based Oberthur Technologies SA and renamed the company OT-Morpho.

Deepak Kamani, was the one engaged in the passport deal, which NARC’s new corruption boys had expanded to include visa and border controls. Who was the supplier? Francois Charles Oberthur of Paris, France, then the world’s leading supplier of Visa and Mastercards.

Before Safran merged with Oberthur Technologies (OT), it dealt with supplies of systems and equipment in aerospace, defence and security. The company also sold aeroplane engines, helicopters, launch vehicles and missiles, landing and braking systems, nacelles on board electrical systems, optronics, avionics, identity documents, biometric equipment, smart cards explosives detection and trace analysis.

While Oberthur Technologies SA mainly dealt with security services, the company provided payment technology, smartcards, identity protection, authentication mechanisms conditional access management solutions. OT similarly had clients in the finance, telecom, digital and transport sectors globally. With the morphing of the two companies, they naturally combined and expanded their client base.

Dogged with scandals, in September 2012 Safran Morpho was fined the equivalent of KSh52 million (about US$520,000) for bribery by a Paris court. The company had bribed Nigerian public officials to win a contract for the provision of 70 million identity cards between 2000 and 2003. The deal was worth 170 million euros. After being slapped with the fine, Safran said that it was “deeply attached to strict respect of anti-corruption rules.”

Yet, even with this knowledge, an IEBC official was quoted at that time saying: “The deal with Safran is almost complete. It is only a matter of time.” Meaning, it is already too late to pull back. Someone must have smelt big money. Was this why the IEBC was ready to enter into negotiations with a company that had been implicated and fined in a corruption deal?

Not too long ago, IEBC had itself been caught up in a similar scandal, which was cheekily baptised “Chickengate”. The Chickengate scandal was about a UK-based security printing company that had bribed IEBC and Kenya National Examination Council (KNEC) officials to win their respective ballot paper and certificate tenders. Smith and Ouzman, based in Eastborne, Sussex, became the first company to be convicted under the Prevention of Corruption Act of 1906. Investigations found that Smith and Ouzman had paid bribes amounting to £433,062 to Kenyan officials. The key suspects were investigated by the Serious Fraud Office in the UK, yet their counterparts in Kenya have yet to face the law, or even be investigated.

When sentencing Christopher Smith, 72, and his son Nicholas, 42, in December 2014, Judge David Higgins said: “The pair were guilty of a premeditated, preplanned, sophisticated and very serious crime.” The offence, which took four years to unravel and which occurred between 2006 and 2010, was dubbed Chickengate because they had codenamed the bribe “chicken” for IEBC and KNEC officials.

Back to Safran Morpho. Safran was arraigned before a federal court of law in San Jose, California on August 14, 2016, for allegedly supplying software deemed to have originated from Russia. The case was filed in San Jose because Safran’s local subsidiary is located there.

Safran used to supply fingerprint identification systems to the Federal Bureau of Investigation (FBI), the US Defence Department and drivers’ agencies in most US states. All that time it described its technology as originating from France. However, two former company executives confessed that the technology was actually developed in Russia. The two former Safran employees – Philipe Desbois, the former Chief Executive Officer of Morpho’s Russian affiliate, and Vincent Hascoet, a deputy director of an affiliate company, Powerjet, in Moscow from July 2012 to May 2014 – told the court that the technology was actually used by Russia’s security agency and could easily be sabotaged in the event of a crisis.

Desbois, who had also served as Safran’s financial representative in Russia, and Hascoet were referred to as “whistleblowers” and “very credible” plaintiffs. In fact, Hascoet was sacked after he raised the alarm over corruption tendencies in the company. Both lived in Russia then.

Through their defence attorney, the duo said that it was “conceivable” that the software contained a “back door” that could enable the Russian government to “override” fingerprint identification devices in such strategic organisations such as the Pentagon, the CIA, the NSA (National Security Agency) and other security areas to gain unauthorised entry.

At the federal court, Morpho and its parent company Safran Group were accused of making “surreptitious sales” of more than US$1billion in Russian technology to federal, state and local governments in the US between 2009 and 2015. The suit said that Morpho and Safran defrauded the US government and the state of California by falsely claiming that their technology was from France, not Russia. In essence, they violated antitrust laws and presented false claims for payment.

The court was told that there existed a confidential 25-year agreement between the French and Russian companies signed in 2008 that included a declaration by the Russian firm Papillon ZAO that stated that its software did not contain “any undisclosed ‘back door’ or other disabling mechanisms.”

In the law suit filed by Daniel Bartley, he noted that the declaration had not been independently verified by either the French firm or any government agency. The point is, although the verification may not have mattered when checking out fingerprint identification technology, like in the issuance of driver’s licences, it would have mattered when it came to matters such as high level security.

“The national security implications are significant,” said Bartley. In agencies that require only cleared people to gain access to secure areas, “such protection could be bypassed if the technology is hacked.”

At the federal court, Morpho and its parent company Safran Group were accused of making “surreptitious sales” of more than US$1billion in Russian technology to federal, state and local governments in the US between 2009 and 2015. The suit said that Morpho and Safran defrauded the US government and the state of California by falsely claiming that their technology was from France, not Russia. In essence, they violated antitrust laws and presented false claims for payment.

In its defence, Safran Group’s US affiliate counterargued that the government agencies exercised “due diligence” in deciding not to intervene in the case. The suit “contains inflammatory and baseless allegations and lacks merit,” said the group. “As leaders of biometric industry for 42 years, we take defence of our reputation and security matters about products solutions very seriously. We are confident that we will successfully defend our case.”

Bartley, in responding to Safran, argued that their statement was “evasive” because it did not address the central claim that the technology in Safran and Morpho products was from Russia.

According to a leaked NSA report of June 5, 2017, Russian hackers gained access to the US voting system. The document talks of how Russian military intelligence, “executed cyber espionage operations against a named US company in August 2016 evidently to obtain information on election-related software and hardware solutions, according to information that become available in April 2017.”

The company in question is suspected to have been Safran. President Vladimir Putin opined that “patriotically minded” Russian hackers may have been behind the cyberattacks during the 2016 US elections.

On September 30, 2017, OT-Morpho rebranded itself to IDEMIA, possibly in an effort to look and sound different as it polishes its image and re-positions itself as a global leader in digital technologies. (The Supreme Court of Kenya had dealt the company a “credibility blow” when it questioned the electronic transmission of the August 8 results.)

It is suspected that this sudden rebranding by the company is not a mere coincidence; it coincides with its signing of a new contract with IEBC. Together with its alleged past scandals, and with the world closely watching its behaviour and performance in Kenya, the company must have been concerned that its global reputation had been tainted. What better way to remain in a competitive and highly lucrative business than to rebrand?

By Dauti Kahura
Mr Kahura is a freelance journalist based in Nairobi, Kenya


Published by the good folks at The Elephant.

The Elephant is a platform for engaging citizens to reflect, re-member and re-envision their society by interrogating the past, the present, to fashion a future.

Follow us on Twitter.