Early in July 2021, cyber attacks originating from Russia prompted US President Joe Biden to call for action from Moscow. This, Biden said, was conveyed to Russian President Vladimir Putin during an hour-long phone call. While the Kremlin denies the US even contacted Moscow about the attacks, recent events have promoted debate around the responsibility of state actors, including Russia, in cyberspace.
That country’s attempts to promote or resist norms around traditional global governance areas are well documented. It is known to offer a more conservative approach towards issues of human rights and military intervention, for example. And now it is under scrutiny in newer areas of contestation, including cyber governance and cyber security.
Over the past five years, Russia has become an active promoter of cyber governance norms. As it continues to push its cyber proposals on the international stage, where does Africa stand? Do growing relations between Africa and Russia mean they always share the same stance?
‘Splinternet’ or global infrastructure?
Moscow’s cyber norm promotion is closely linked to its national interests. Russia seeks to reclaim its stature as a global power (including in the technology landscape), but is also interested in how cyberspace can be harnessed for domestic purposes.
In deciding whether the internet should remain a global infrastructure or become a “splinternet” (controlled nationally), Russia and China are proponents of cyber sovereignty. They argue that countries should manage their own cyberspace and that the internet should be bordered and thus restricted.
This has led to a range of concerns around internet freedoms, from the censorship of political content online to large-scale internet shutdowns (a practice that has gained traction in some parts of Africa, Asia and the Middle East, especially around elections or public protests). While traditionally opposed by the US and other democracies, the ability to confront cyber threats, conduct surveillance and enforce regulations on harmful content such as child pornography and terrorist propaganda, means the idea of cyber sovereignty is gaining ground in the Western world too.
In promoting this cyber norm, Russia seeks to pull as many countries as possible into its orbit to enhance its soft power capabilities. At the UN in 2018, a Russian-proposed working group, open to all UN member states, garnered the support of 109 countries. Many of these countries were African, demonstrating international interest in discussing cyber norms in terms favourable to Russia.
Of the working group’s initiatives, capacity-building efforts to enhance countries’ abilities to protect their ICT environment may particularly appeal to African states who perceive themselves as lagging. Indeed, the rise in cybercrime — with critical national services often affected — has seen cyber security become an issue of international concern.
African support for Russian cybercrime resolutions
Russia is a major supporter (and sponsor) of several international cybercrime resolutions at the UN. In December 2018, a Russia-backed resolution that required the UN Secretary-General to collect countries’ views about cybercrime was adopted by a majority vote. Of the 88 countries that voted in favour, 32 were African. Only four African countries — Botswana, Ghana, Morocco and South Africa — submitted their views, but all four listed lack of state capacity and lack of international consensus as major challenges in combating cybercrime. These and other views were summarised into a report for consideration by the General Assembly.
Moving the ball forward once more, in December 2019, Russia succeeded in pushing through a UN General Assembly resolution that aimed to create a negotiating platform, under UN auspices, for the consideration of a new cybercrime treaty. This move was strongly opposed by the US which expressed concerns that this resolution would stifle existing global anti-cybercrime efforts. But with 79 votes in favour, including 30 from Africa, the resolution was adopted. Officers were elected to the ad hoc committee in May 2021 and it has been agreed that six negotiating sessions will take place before the possible adoption of a treaty.
One of the major concerns with Russia’s resolution is its vagueness around the definition of cybercrime. Not only could this lead to legal uncertainty among countries, but could perhaps provide Russia with the regulatory room it needs to stifle political opposition or citizen dissent. A month before Russia’s UN resolution was passed, amendments to domestic legislation allowing the government to block internet traffic from outside Russia came into force. Human Rights Watch said the laws undermined freedom of expression and privacy.
How do Africa’s own cybercrime initiatives compare with Russia’s international efforts?
“A global governance system will be important,” Tomiwa Ilori, researcher at the University of Pretoria’s Expression, Information and Digital Rights Unit, told SAIIA. But African countries need to be wary of external influence, he said. “When deciding on a framework, a human rights-based approach should be used.”
An African Union Convention on Cyber Security and Personal Data Protection was adopted in 2014, but has yet to meet the minimum number of ratifications required for it to come into force. The convention references the need for regulatory frameworks to respect the rights of citizens, but it does not establish a framework for all member states. Instead, it encourages signatories to draft their own legal, policy and regulatory measures to manage cybercrime.
Almost 40 African countries have introduced legislation that deals with cybercrime. Some of the laws, like Russia’s UN resolution, are vaguely worded while others are similar to the European Union’s General Data Protection Regulation — an earlier attempt to establish uniform cyberspace policies across countries.
This tells us that as a continent of 54 states, African views on cyber governance are not homogenous. And while many share a preference for cyber sovereignty, particularly as a means to quash political dissent, African countries do have some level of agency when it comes to adopting a model. With cyberspace fast becoming the new battleground for competing norms and influence, there is also a role for civil society in Africa to continue advocating for cyber freedoms.
This article was first published by the South African Institute of International Affairs (SAIIA).
Support The Elephant.
The Elephant is helping to build a truly public platform, while producing consistent, quality investigations, opinions and analysis. The Elephant cannot survive and grow without your participation. Now, more than ever, it is vital for The Elephant to reach as many people as possible.
Your support helps protect The Elephant's independence and it means we can continue keeping the democratic space free, open and robust. Every contribution, however big or small, is so valuable for our collective future.
Elections 2022: Mt Kenya Foundation Remains Mum
Mt Kenya Foundation — a league of top business and political leaders has refrained from publicly declaring its support for presidential hopeful Raila Odinga. An influential institution formed in 2007, the foundation’s approach is a tactical public retreat but its support for Azimio remains strong and unwavering.
As the presidential campaign gets into high gear and with only 48 days to the general election, a key plank of Raila Odinga’s support group has been very quiet and less and less visible from the public.
For the better part of 2021, the Mt Kenya Foundation (MKF) was very much in the limelight, meeting with the Azimio alliance presidential candidate in carefully choreographed business bashes, cocktail parties, prayer meetings and even in public rallies. Come 2022 and the meetings have gradually petered out.
Or, let’s put this way: their soirées are no longer being reported by the mainstream media, including their “in-house” media house, the Royal Media Services (RMS) owned by media mogul S.K. Macharia, one of the foundation’s members.
Two weeks ago, I had a lengthy discussion with one of their members, who told me that nothing has changed. “Our position and support hasn’t changed; Raila is still our preferred choice. We only decided to continue lending our support away from the public glare.”
The foundation still funds some of his presidential campaigns, albeit discreetly. “Our people [Gikuyu, Meru, Embu Association GEMA] were not, and are not, enthused by our [open] support for Raila. We were getting a lot of flak from them and we reckoned it wasn’t helping his and our cause. Nothing will sway GEMA from not voting for Raila. That’s the brutal fact.”
It’s not only MKF that has stopped declaring their support for Raila publicly. The Council of Elders, which in October 2020 made a hyped trip to Bondo, the ancestral home of the Odinga family in Siaya County, have equally gone mute. “After that trip, the [Kikuyu] people shunned our activities and seemingly avoided us,” one of the elders told me recently. “They didn’t take well to our partisan and public support of Raila.”
The MKF, which was formed in 2007, comprises among others, captains of industry, very senior and influential civil servants, and powerful politicians. The year 2007 was a critical juncture in the politics of Kenya: President Mwai Kibaki, who died in April 2022, was going to face Raila in the coming December presidential elections.
Although Raila had helped Kibaki clinch the presidential seat in the crucial 2002 general elections, against the greenhorn duo of Uhuru Kenyatta and William Ruto, by the end of his first term Kibaki had become Raila’s nemesis. Under the Orange Democratic Party (ODM) banner, Raila had already sent shivers down Kibaki’s party ranks that in 2007 elections ODM was ready to wrestle power from him.
It is against this backdrop that some of the richest among the GEMA fraternity coalesced around the MKF. Basically, it was a platform for raising campaign money for Kibaki’s second term. Not ready to witness another change of the rear guard just when they had begun consolidating their riches, after a 24-year hiatus during President Daniel arap Moi’s reign, this ethnic group was not about to take any chances.
Raila mounted a formidable if disorganised campaign. But just as he was on the cusp of wresting power from Kibaki, who was now running under the Party of National Unity (PNU), a new party that had been quickly cobbled together, the Electoral Commission of Kenya (ECK) —precursor to the Independent Electoral and Boundaries Commission (IEBC)—started relaying startling results.
What the end result of this “startling results” heralded for Kenya is now in the history books: post-election violence (PEV), over 600,000 internally displaced people (IDPs), unmitigated deaths officially put at 1,000 by the state, but recorded figure by non-governmental organisation (NGOs) placed the numbers at three time as much.
The MKF is not an entirely new invention—in 1996, some of the richest Kikuyus from Central Kenya came together to form the Central Province Development Support Group (CPDSG) in anticipation of the GEMA–KAMATUSA (Kalenjin, Maasai, Turkana, Samburu) peace talks. The supposedly “peace group” was formed presumably to stem (ethnic and post-election) tensions that first occurred after the first multiparty elections in 1992.
The talks were also supposed to culminate in the re-settling of the victims of the so-called tribal violence that had erupted in the expansive Rift Valley Province and which mostly affected the Kikuyu people. The reality is that this elite cabal that was again composed of influential civil servants, rich business people and powerful politicians was an informal lobby group that sought to campaign for the hated ruling party KANU and for President Moi in Central Province.
Then, as now, one of the constant figures in these formations has been S.K. Macharia; he belonged to the CPDSG just as he now belongs to the MKF. As with the CPDSG then, the MKF is a lobby group primarily concerned with the survival of its business interests.
William Kabogo, the first governor of Kiambu County who is seeking to reclaim his seat in 2022, wrote on his twitter handle: “If you care to know Mt Kenya Foundation specializes on fundraising but the big question is do the funds go to the intended purpose? Your guess is as god as mine. Caveat emptor.”
Among the MKF membership is Mutuma Nkanata, the foundation’s coordinator who is also the CEO of the NGO Coordination Board—the regulatory board for NGOs in Kenya. He is also the Chairman of Kirimara Sports; a Meru-based sports development organisation.
Another member is the former Kenya Revenue Authority (KRA) boss Michael Waweru. Waweru was appointed commissioner-general of KRA in 2003 by Kibaki. His contract ended in 2012. An accountant by profession, he was the managing partner at Ernst & Young (EY) – East Africa until 2002.
Also in MKF is Peter Munga, founding chairman of Equity Bank group and one of its largest shareholders. Munga is also a shareholder at Britam, the financial services conglomerate, and a founder of the Pioneer Group of Schools.
MKF member Titus Ibui is the chairman of Lamu Port South Sudan, Ethiopia, Transport Corridor Development Authority (LAPSSET), a regional infrastructure partnership between Ethiopia, Kenya and South Sudan. Ibui is also the vice chairman of Kenya Leather Council and founder and executive director of Bell Industries Ltd., an agri-business and health solutions company.
Zamara Group chairman, politician and former MP Dennis Waweru is also an MKF member, as is businessman Wilfred Murungi, owner of Mastermind Tobacco Kenya (MTK).
During one of the Raila meetings organised by MKF on 28 September 2021, communications director Joe Murimi said, “The Tuesday (September) meeting between MKF and Mr Odinga is also with a view to coordinating resource allocation and setting priorities for the region’s economic turn-around ahead of 2022. We’re listening to all presidential contenders and our interests as a region are way bigger than only the position of a deputy president.” The foundation had previously met with Raila in June 2022.
Some of the personalities in the June meeting included President Uhuru’ influential maternal uncle, former Catholic priest George Muhoho, Media mogul Macharia and former Kenya Chamber of Commerce vice chairman, James Mureu.
At the meeting, Macharia claimed that it was President Uhuru Kenyatta who made overtures to Raila Odinga. “I’m saying that handshake, we ask him (Uhuru) to leave it in good hands so that it can continue. We believe President Uhuru will leave this country in good hands, the hands he went looking for.”
At that meeting Nyandarua County governor Francis Kimemia confessed that the Kikuyu political class had peddled falsehoods against Raila. “Our work was to tarnish Raila’s name, but now we must change that narrative and tell our people that that was politics then. He asked the class to help undo the lies.”
Two months ago, in April 2022, campaigning in his own Nyandarua County, Kimemia changed his tune, insinuating that President Uhuru had not kept his promise on developments projects in Nyandarua. I called my friend Njenga from Rurii location, to find out was going on with governor Kimemia. “Kimemia was told by the people in no uncertain terms that campaigning for Azimio would take him nowhere, so he got the drift, changed tune and started bashing President Uhuru.”
As MKF makes a tactical retreat in its support for Azimio, it is not only Kimemia who has changed his tune; many of the politicians from the Azimio camp seeking elective posts in Mt Kenya are careful not to mention Azimio or even Raila’s name in their campaign rallies.
IEBC Up to Its Usual Mischief
With less than two months to go before Kenya’s general election, the credibility of the Independent Electoral and Boundaries Commission (IEBC) is on the line.
The Independent Electoral and Boundaries Commission (IEBC) was playing by the rulebook when it received the presidential nomination papers of Walter Mongare alias Nyambane. But no sooner did candidate Jimi Wanjigi of the Safina Party show up than Mongare’s papers were quickly rescinded.
The commission, which is mandated to oversee the forthcoming general election, has been in the spotlight and under intense scrutiny from Kenyans and the world since bungling the 2017 presidential election.
The electoral commission’s credibility and trustworthiness have remained wanting, to say the least; the body does not inspire confidence and, indeed, few Kenyans trust it. Even less believe it will midwife the forthcoming presidential election successfully, a bad place for the IEBC to be.
The results of the two 2017 presidential elections are still shrouded in controversy and mystery largely because of the commission’s ineptitude, but the less said about the 2017 general election, which is still fresh in the minds of some, the better.
Fast forward to 2022 and the commission is again in the spotlight; with only 55 days remaining, the IEBC’s credibility and modus operandi are under scrutiny. How it delivers the general election will tell whether any lessons have been learned, especially concerning the presidential election, which, if not handled with the utmost transparency, may result in ugly scenes.
That the IEBC would still be in the grip of shadowy mandarins seeking to influence, in particular, the outcome of the results of the presidential election would be nothing new; the history of electoral bodies in this country, whether pre- or post- the 2010 constitution, is replete with cases of external interference. The Jimi Wanjigi-IEBC saga is a clear indication that the IEBC has yet to rid itself of its penchant for bad behaviour. This is a bad omen.
On receiving the papers of the Safina Party’s candidate, the IEBC chairman and presidential election returning officer Wafula Chebukati prevaricated, seeming to interpret the law when on 6 June 2013 he told Wanjigi, who appeared before him, that he did not possess a university degree.
That the IEBC would still be in the grip of shadowy mandarins seeking to influence, in particular, the outcome of the results of the presidential election would be nothing new.
The matter of what is a degree and what constitutes a university education had already been interpreted by the High Court as law, as illustrated below, a law that the IEBC has been using for the last nine years. In 2013, Justices Isaac Lenaola and E.K.O. Ogola ably demonstrated the application of the said legal statutes and gave an interpretation of the 2010 constitution and the election act, insofar as possession of a university degree is concerned.
In the case of Janet Ndago Mbete vs IEBC and Hassan Joho Petition No. 116 of 2013, the commission cleared the 3rd respondent (Hassan Joho) based on the completion letter from the university and defended the position in court as proof that the 3rd respondent had indeed received a university education. It therefore boggles the mind when Chebukati purports to say that both Jimi Wanjigi and Walter Mongare (an afterthought) do not possess university degrees.
In fact, in recognising and applying the law properly, the commission had indeed accepted and cleared Mongare’s presidential candidacy based on university letters that showed that he had completed his studies. This it did by communicating and confirming that he had met all the statutory requirements. So, why did Chebukati annul his earlier decision, which clearly came as an afterthought?
The revocation of Mongare’s clearance by Chebukati followed in the wake of Wanjigi’s complaint to the IEBC that he was being discriminated against. Is it not the case that once a candidate has been cleared by the returning officer Chebukati has no powers to quash the nomination unless through a judicial process?
Ten days after the March 4 general election, on 15 March 2013, High Court judge Isaac Lenaola in his substantive ruling quoted from the Blacks Law Dictionary, 8th Edition, which defines a degree as; “a title conferred on a graduate of a school, college, or university either after the completion of required studies or in honour of special achievements.” The judge also quoted from the Concise Oxford Dictionary, 10th Edition, which defines a degree as; “an academic rank conferred by a college or university after examination and or after completion of a course, or conferred as an honour.”
Summing up his argument, Judge Lenaola said, “I am therefore in agreement with the 3rd respondent that a degree is not a physical connotation, but a process whose pinnacle is the graduation. Indeed, the Concise Oxford Dictionary, 10th Edition defines a graduate as one who has ‘successfully completed a degree’ and a graduand as ‘person who is about to receive an academic degree’. It is therefore clear to me that, the graduation ceremony cannot be used as measure to determine whether one had a degree or not. In my view what matters is that a person has attended school, undertaken the studies envisaged and has passed all the requisite exams for the conferment of the degree. Having found as above, I am satisfied that the 3rd respondent holds the qualifications envisaged by Section 22 (2) of the Elections Act.”
The revocation of Mongare’s clearance by Chebukati followed in the wake of Wanjigi’s complaint to the IEBC that he was being discriminated against.
In a related ruling delivered before the 4 March 2013 elections, on 13 February 2013, Judge E.K.O Ogola made very much the same argument as Judge Lenaola in the case of Mable Muruli vs the Independent Electoral and Boundaries Commission.
“The issue for this court is then to determine whether or not after a person has successfully gone through the process leading to acquisition of a degree, he is qualified under section 22 (2) of the Act even when no physical certificate has been conferred. In my judgement, the respondent that is the (IEBC) has made very superficial interpretation of section 22 (2) of the Election Act. In my view, a certificate is merely a confirmation of what is already in existence. The petitioner (Mabel Muruli) has successfully completed the course programme. That programme has been acknowledged by the Commission of Higher Education (. . .) and the respondent has no option but to admit the petitioner to the relevant candidacy.”
Judge Ogola in his wisdom also said that, “there are many circumstances where people have been admitted to employment or to further study course on the basis of what they have proved to have achieved even when the graduation and certification is yet to take place. For the respondent to flagrantly disregard this peculiar position is to arrogantly violate the rights of the petitioner and it is the duty of this court to restore the same.”
As far as the Election Act goes this law has never been appealed, hence it is binding to both the respondents and the IEBC. Chebukati, therefore, cannot purport to change the law on a whim, otherwise he will be operating outside of the law.
Jimi Wanjigi’s case, like many other complainants’ cases, went before the IEBC’s Dispute Tribunal Committee at Milimani Courts. However, on 17 June 2022 the Tribunal upheld the earlier decision and did not clear him to run for the country’s top seat.
Road to 9/8: Risks Posed by Digitisation of Electoral Processes
This is the third of a series of articles that discuss some of the major issues at stake, and the roles played by various institutions in safeguarding the integrity of the August 2022 general election.
In our previous article, we highlighted the key challenges facing Kenya’s electoral integrity that are posed by the increased digitisation of election systems and the electioneering process. From cybersecurity risks to harms occasioned by human conduct on social networking platforms, there are various factors that could undermine the credibility of elections in the digital age. In this article, we review some of the measures adopted to mitigate the potential for such harms in the context of the upcoming elections.
Since the 2017 general election, there have been numerous changes to the legal framework applicable to the use of technology in different contexts. Some notable changes within the context of elections are the enactment of the Computer Misuse and Cybercrimes Act, 2018 (CMCA) as well as the Data Protection Act, 2019 (DPA), and the operationalisation of the Data Commissioner’s office. The effect of these changes is already being felt—the Data Commissioner was recently called into action following numerous complaints by citizens that they were registered as members of political parties without their knowledge or consent. In response, the Data Commissioner consulted with the Office of the Registrar of Political Parties and directed it to establish an opt-out mechanism that has since been implemented. However, a recent report authored for the Mozilla Foundation chronicled the practice of disinformation for hire; the use of social media influencers by political actors to spread false or misleading content on their opponents is common despite the provisions of the CMCA criminalising such conduct. This suggests that the existing measures taken may be insufficient.
Recalling some of the major challenges Kenya faced in the 2017 general election, we outline the key developments that have since taken place and highlight their potential impact on the integrity of the election administration system and the practice of electioneering online.
Integrity of the election administration system
The Elections Act mandates the Independent Electoral and Boundaries Commission (IEBC) to establish and maintain an electronic system for voter registration and identification and the transmission of results. Further, the Elections (Technology) Regulations outline how the IEBC is required to administer this system and the safeguards that they are required to put in place. They set out the principles that ought to guide the IEBC in data handling and storage. In 2017, the IEBC’s administration of the election system came under the microscope due to a series of unfortunate events, pointing, at best, to ineptitude.
During the 2017 election cycle, the IEBC debuted the Kenya Integrated Management System (KIEMS), billing it as a solution to the credibility issues that had previously plagued electoral processes. KIEMS uses electronic voter identification and transmission of tabulated results through mobile devices stationed at each polling centre. The server support and underlying IT for KIEMS was provided by French-based firm, OT-Morpho (later, IDEMIA). According to the then opposition, IDEMIA was contracted under dubious conditions and, from the start, was part of a fraudulent scheme to subvert the election process. Despite assurances from the IEBC on the credibility of its system, several occurrences cast significant doubts over the elections. For one, a week prior to the elections, the IEBC’s ICT manager in charge of the KIEMS—Chris Msando—was found murdered shortly after appearing on a news segment assuring Kenyans of the integrity of KIEMS and his centrality to the security of the system. To date, the circumstances of his death are not clear, and no one has been charged.
Secondly, during the elections, the transmission of results was hampered by poor connectivity, with approximately 11,155 polling stations out of the total 40,883 lacking sufficient network coverage. At some point, the tallying of results was briefly interrupted. All these factors were relied on by the petitioners in the 2017 presidential election petition, and this led to the Supreme Court calling into question the integrity of the servers used to facilitate the transmission and storage of the election results. Perhaps the most notable occurrence in the discussions on OT-Morpho’s involvement in the election was the IEBC indicating that it was unable to provide access to the election servers due to the time difference between Kenya and France. In its eventual judgment, the Supreme Court found that there were several irregularities plaguing the electronic transmission system and this contributed to its decision to annul the election. After the nullification of the elections, one of the IEBC’s commissioners fled the country, the CEO was terminated and, citing a lack of faith in the chairman, three other commissioners resigned. These positions, including that of the late Chris Msando, have since been filled. It is notable that the chairperson remains in office, despite the debacles of 2017.
Reeling from the events of the 2017 election, the IEBC conducted a post-election evaluation exercise in 2019 to inform its strategic approach to the 2022 elections. This process not only informed the legislative amendments that the IEBC has recently supported in parliament such as the Election (Amendment) Bill, 2021, but also the preparation of the IEBC’s ICT capacity. Based on the evaluation, the IEBC has acquired a primary and secondary data centre in Kenya and has put in place a Joint Technical Committee with the Communications Authority to map out the network coverage challenges.
However, there are significant challenges facing the IEBC. While the IEBC has moved away from IDEMIA, its procurement of Smartmatic International Holding B.V. is currently being challenged by one of the other contenders for the contract, Risk Africa Innovatis. This is not the first time Risk Africa Innovatis has challenged the IEBC’s procurement of a biometric service provider. In 2017, it challenged the procurement of IDEMIA on similar bases as its current challenge of Smartmatic’s award. Among these challenges, is that Smartmatic International Holding B.V. has been adversely mentioned in the Philippines, Venezuela, Uganda, Nigeria, and the USA over its credibility. While Risk Africa Innovatis is a Kenyan-owned company, Smartmatic is a multinational initially incorporated in the US by several Venezuelan nationals. In several elections it administered in Venezuela, the Philippines, and the United States, Smartmatic faced controversy over the integrity of its systems as well as its links to the Venezuelan government (in particular, alleged pay-outs to high-ranking government officials). For example, in Venezuela, independent election monitors concluded that it was likely that electronic election fraud had been committed in the 2004 presidential recall referendum administered by Smartmatic. Following adverse media coverage, Smartmatic undertook an internal restructuring that obfuscated its true ownership using what the US State Department described as a “web of holding companies in the Netherlands and Barbados”. Interestingly, Smartmatic supplied the biometric voting machines for Uganda’s recent 2021 elections, not exactly a ringing endorsement.
Smartmatic International Holding B.V. has been adversely mentioned in the Philippines, Venezuela, Uganda, Nigeria, and the USA over its credibility.
Beyond this, the IEBC’s procurement process seems to be off to a rocky start. For one, the delay in procuring Smartmatic’s services means that Kenyans may not get an opportunity to scrutinise the register of voters despite being legally entitled to do so. Further, the IEBC is also facing a legal challenge in respect of its procurement of Inform P Lykos Holdings for the printing of ballot papers. The Public Procurement Review Board nullified both awards to Inform P Lykos and Smartmatic but its decision has since been challenged at the High Court. The IEBC proceeded to sign contracts with both, citing the urgency of the election and the absence of an injunction from the High Court preventing it from contracting the two entities during the pendency of the appeal. When one considers that there are five years between election cycles, it is staggering that the IEBC would find itself in this position.
Certain of the broader issues facing the elections administration system have since been addressed by several legislative developments, principally the enactment of the DPA and the operationalisation of the Data Commissioner’s office. Supplementing the Elections (Technology) Regulations, the DPA and its accompanying regulations layer onto the IEBC’s obligations with respect to data collection, handling, and storage. These obligations have further been clarified by the Data Commissioner in a recently issued Guidance Note for Electoral Purposes. For example, the IEBC’s collection of voter registration information must be based on consent, and it must implement data protection mechanisms within the design of its systems. To ensure this is done, the Data Commissioner advises that a Data Protection Impact Assessment (DPIA) should be conducted by the IEBC and other election stakeholders such as the Registrar of Political Parties, who handle voter data, ahead of the elections.
For clarity a DPIA is required where personal data processing operations are likely to pose a risk to the rights of data subjects (in this case, voters). It guides risk mitigation efforts which should be undertaken by the person collecting and processing personal data, or whether such collection and processing should happen in the first place. A failure to conduct a DPIA resulted in the High Court’s recent revocation of the roll out of the Huduma Cards under the National Integrated Identity Management System. If the IEBC fails to conduct a DPIA, it is likely that this failure will feature either in the resulting election petitions or in court action prior to the elections. With respect to the storage of personal data, the general regulations issued under the DPA specify that the IEBC’s processing of personal data should be through a server located in Kenya, or the IEBC should at least maintain a copy of the server locally. This seems to be a nod to 2017 Supreme Court Judgement annulling the presidential election, which took issue with the unavailability of the IEBC’s servers.
In 2018, the CMCA was also enacted to provide for computer system-related offences such as unauthorised access or hacking. The CMCA established a National Computer and Cybercrimes Coordination Committee (referred to as NC4) which is tasked with coordinating the state’s response to cybercrime. Recently, the Cabinet Secretary for Interior and Coordination of National Government, who sits on the NC4, designated various parts of the country’s telecommunications infrastructure (including data centres and systems used to manage elections) as critical infrastructure under the CMCA. With this designation, the telecommunications infrastructure will benefit from enhanced security and scrutiny from the NC4, and any attempts to infiltrate or damage such infrastructure would attract criminal penalties under the CMCA. While this designation was linked to recent attacks on telecommunication masts and power grid, its link to the upcoming election is clear—the IEBC relies on telecommunication service providers to transmit results to its cloud servers. If compromised, the outcome of the election may be adversely impacted.
Electioneering on social media
The same measures that were adopted to bolster the integrity of the election administration system also serve to safeguard against the harms occasioned by the conduct of political actors on social media. In 2017, several media outlets reported that the now infamous Cambridge Analytica—a self-proclaimed political consultancy firm—was active in Kenya, offering services to various parties. According to Cambridge Analytica, its service offering included profiling online audiences based on regular demographics (for example age and gender) as well as personality. For the purposes of this profiling, personality is discerned from the audiences’ conduct on social media—the content which they consume, the individuals they interact with and other data points. Once audiences were profiled, political actors would be able to differentiate the messaging used based on the type of audience being targeted (in other words, to conduct microtargeting). Often, this messaging would include false or misleading information. To facilitate microtargeting, Cambridge Analytica would require large amounts of personal data. In the aftermath of the 2016 US elections, it was revealed that Cambridge Analytica harvested the personal data of millions of people through Facebook. Based on reports of its involvement in Kenya’s election, it is not clear whether Cambridge Analytica facilitated microtargeting or simply designed campaign communications strategy. However, what is clear is that it harvested Kenyans’ personal data through surveys.
This seems to be a nod to 2017 Supreme Court Judgement annulling the presidential election, which took issue with the unavailability of the IEBC’s servers.
Since the Cambridge Analytica scandal, Kenya has enacted the DPA and CMCA that are ostensibly expected to reduce the likelihood of microtargeting and other forms of harmful social media activity in the context of the elections. The access to and use of personal data is central to political campaigning in the digital age. Prior to the enactment of the DPA, this practice was largely unregulated. Political actors were able to obtain voters’ personal data from the publicly available voters’ register and the party member list that is available to parties through the ORPP. Their activities in processing this data for purposes of generating targeted messaging were also largely unsupervised. Save for the guidelines jointly issued by the National Cohesion and Integration Commission and the Communications Authority on bulk messaging and social media communications (NCIC-CA Guidelines), political actors were basically free to determine how to craft their messaging and target audiences. While the NCIC-CA Guidelines brought in a measure of transparency by requiring the source of political messaging to be disclosed within the body of the message, this is limited to communications disseminated through licenced telecommunications service providers.
The provisions of the DPA would serve to limit potential for microtargeting campaigns by raising the barriers to accessing personal data and increasing the scrutiny over political actors’ handling of personal data. For example, under the regulations issued under the DPA, entities involved in electioneering are required to register with the Data Commissioner, whether or not they qualify for an exemption. Further, the electorate whose data is being collected would be able to exercise rights against political actors and these entities such as requiring them to delete their personal data or refrain from processing it in the first place. Without the ability to freely collect and process personal data, and with the threat of legal action against them, it is arguable that political actors would be less likely to engage in these practices in the coming elections. However, this would largely depend on the role played by the Data Commissioner. For example, one would expect the Data Commissioner to spring into action in light of a recent acknowledgment by the IEBC that illegal transfers of voters were undertaken on its electronic voter register.
Aside from being reliant on the proactivity of the Data Commissioner, the efficacy of the data protection law framework in relation to microtargeting campaigns is limited by provisions of election laws. While the collection of personal data by the IEBC or ORPP is initially based on consent, once collected, these entities’ subsequent processing operations are provided for in statute and as such are not subject to further consent or the exercise of certain rights by the electorate. For example, the publication of the voter register cannot be stopped by a data subject due to its provision in law. One may only be able to request minimisation of unnecessary data such as contact information. Once published, this voter register would be accessible to political actors who may use the information gathered to engage in microtargeting.
In relation to the nature of campaign messaging shared through social media, the CMCA criminalises the spread of misleading or false content. This is in addition to the criminalisation of hate speech already contained in the National Cohesion and Integration Act. To date, the provisions of the CMCA relating to the spread of misleading or false content have only been invoked in politically charged contexts and in a seemingly selective manner. For example, while a blogger was charged with this offence under the CMCA for spreading alarming information regarding COVID-19, a Member of Parliament was not charged for what was effectively the same offence. Despite this law being in place for nearly three years, it has not been implemented in instances where researchers have identified specific social media accounts that are engaged in disinformation-for-hire campaigns.
Once published, this voter register would be accessible to political actors who may use the information gathered to engage in microtargeting.
Aside from this, there are other shortcomings with this approach. For one, the use of criminal sanctions to limit the types of speech people engage in is generally discouraged due to the risk posed to the freedom of expression that is crucial in healthy democracies. Further, the nature of online speech is often incompatible with traditional law enforcement mechanisms and, therefore, detecting and prosecuting such offences is bound to be difficult. The state may find itself responding disproportionately to situations where harmful content is being spread online, such as by shutting down internet access. Instead of criminalising certain speech, a few democracies have recently turned to codes of conduct that govern the conduct of political actors online. The most notable of these is the Election Pledge developed by the Transatlantic Commission on Election Integrity. Recognising that healthy political engagement online is primarily driven by political actors, the Election Pledge attempts to have these actors publicly and voluntarily commit to above board conduct such as avoiding the spread of mis-and disinformation, avoiding the spread of hate speech, and using personal data appropriately.
The nature of online speech is often incompatible with traditional law enforcement mechanisms and, therefore, detecting and prosecuting such offences is bound to be difficult.
All in all, a number of steps have been taken that in principle should improve the legal framework applicable to elections as they are conducted in the digital age. However, fundamental concerns remain with regard to the procurement of the IEBC’s ICT procurement and its internal capability. At its core, the conduct of the IEBC and political actors involved in the electoral process will determine the credibility of the process. The IEBC has not yet discharged its mandate of establishing in the public mind how it will avoid the debacles of 2017. Aside from this, the steps taken to safeguard the electorate from practices such as microtargeting seem limited by the provisions of election laws and the proactivity of sector regulators such as the Data Commissioner and the Communications Authority will play a significant role in setting the tone for political actors. In our next article, we will shine a spotlight on the IEBC and consider its readiness to conduct this election in a transparent, credible and lawful manner.
This article was authored in collaboration with the Kofi Annan Foundation whose electoral integrity programme is supported by the United Nations Democracy Fund.
Culture2 weeks ago
The Changing Face of Kisii as Smallholder Agriculture Wanes
Long Reads2 weeks ago
No More Camp: Confident Despite Contradictions
Long Reads2 weeks ago
Growing Up With Jaramogi: Some Radical Memories
Long Reads6 days ago
Genocide: The Weapon Used to Keep Ethiopia Intact
Politics2 weeks ago
The Post-colonial Kenyan State: The Thorn in Our Flesh
Op-Eds2 weeks ago
IEBC Up to Its Usual Mischief
Long Reads2 weeks ago
Dust to Ashes: Cremating Christians in Kenya
Long Reads2 weeks ago
Democratization, Welfarism and African Underdevelopment