In our previous article, we highlighted the key challenges facing Kenya’s electoral integrity that are posed by the increased digitisation of election systems and the electioneering process. From cybersecurity risks to harms occasioned by human conduct on social networking platforms, there are various factors that could undermine the credibility of elections in the digital age. In this article, we review some of the measures adopted to mitigate the potential for such harms in the context of the upcoming elections.
Since the 2017 general election, there have been numerous changes to the legal framework applicable to the use of technology in different contexts. Some notable changes within the context of elections are the enactment of the Computer Misuse and Cybercrimes Act, 2018 (CMCA) as well as the Data Protection Act, 2019 (DPA), and the operationalisation of the Data Commissioner’s office. The effect of these changes is already being felt—the Data Commissioner was recently called into action following numerous complaints by citizens that they were registered as members of political parties without their knowledge or consent. In response, the Data Commissioner consulted with the Office of the Registrar of Political Parties and directed it to establish an opt-out mechanism that has since been implemented. However, a recent report authored for the Mozilla Foundation chronicled the practice of disinformation for hire; the use of social media influencers by political actors to spread false or misleading content on their opponents is common despite the provisions of the CMCA criminalising such conduct. This suggests that the existing measures taken may be insufficient.
Recalling some of the major challenges Kenya faced in the 2017 general election, we outline the key developments that have since taken place and highlight their potential impact on the integrity of the election administration system and the practice of electioneering online.
Integrity of the election administration system
The Elections Act mandates the Independent Electoral and Boundaries Commission (IEBC) to establish and maintain an electronic system for voter registration and identification and the transmission of results. Further, the Elections (Technology) Regulations outline how the IEBC is required to administer this system and the safeguards that they are required to put in place. They set out the principles that ought to guide the IEBC in data handling and storage. In 2017, the IEBC’s administration of the election system came under the microscope due to a series of unfortunate events, pointing, at best, to ineptitude.
During the 2017 election cycle, the IEBC debuted the Kenya Integrated Management System (KIEMS), billing it as a solution to the credibility issues that had previously plagued electoral processes. KIEMS uses electronic voter identification and transmission of tabulated results through mobile devices stationed at each polling centre. The server support and underlying IT for KIEMS was provided by French-based firm, OT-Morpho (later, IDEMIA). According to the then opposition, IDEMIA was contracted under dubious conditions and, from the start, was part of a fraudulent scheme to subvert the election process. Despite assurances from the IEBC on the credibility of its system, several occurrences cast significant doubts over the elections. For one, a week prior to the elections, the IEBC’s ICT manager in charge of the KIEMS—Chris Msando—was found murdered shortly after appearing on a news segment assuring Kenyans of the integrity of KIEMS and his centrality to the security of the system. To date, the circumstances of his death are not clear, and no one has been charged.
Secondly, during the elections, the transmission of results was hampered by poor connectivity, with approximately 11,155 polling stations out of the total 40,883 lacking sufficient network coverage. At some point, the tallying of results was briefly interrupted. All these factors were relied on by the petitioners in the 2017 presidential election petition, and this led to the Supreme Court calling into question the integrity of the servers used to facilitate the transmission and storage of the election results. Perhaps the most notable occurrence in the discussions on OT-Morpho’s involvement in the election was the IEBC indicating that it was unable to provide access to the election servers due to the time difference between Kenya and France. In its eventual judgment, the Supreme Court found that there were several irregularities plaguing the electronic transmission system and this contributed to its decision to annul the election. After the nullification of the elections, one of the IEBC’s commissioners fled the country, the CEO was terminated and, citing a lack of faith in the chairman, three other commissioners resigned. These positions, including that of the late Chris Msando, have since been filled. It is notable that the chairperson remains in office, despite the debacles of 2017.
Reeling from the events of the 2017 election, the IEBC conducted a post-election evaluation exercise in 2019 to inform its strategic approach to the 2022 elections. This process not only informed the legislative amendments that the IEBC has recently supported in parliament such as the Election (Amendment) Bill, 2021, but also the preparation of the IEBC’s ICT capacity. Based on the evaluation, the IEBC has acquired a primary and secondary data centre in Kenya and has put in place a Joint Technical Committee with the Communications Authority to map out the network coverage challenges.
However, there are significant challenges facing the IEBC. While the IEBC has moved away from IDEMIA, its procurement of Smartmatic International Holding B.V. is currently being challenged by one of the other contenders for the contract, Risk Africa Innovatis. This is not the first time Risk Africa Innovatis has challenged the IEBC’s procurement of a biometric service provider. In 2017, it challenged the procurement of IDEMIA on similar bases as its current challenge of Smartmatic’s award. Among these challenges, is that Smartmatic International Holding B.V. has been adversely mentioned in the Philippines, Venezuela, Uganda, Nigeria, and the USA over its credibility. While Risk Africa Innovatis is a Kenyan-owned company, Smartmatic is a multinational initially incorporated in the US by several Venezuelan nationals. In several elections it administered in Venezuela, the Philippines, and the United States, Smartmatic faced controversy over the integrity of its systems as well as its links to the Venezuelan government (in particular, alleged pay-outs to high-ranking government officials). For example, in Venezuela, independent election monitors concluded that it was likely that electronic election fraud had been committed in the 2004 presidential recall referendum administered by Smartmatic. Following adverse media coverage, Smartmatic undertook an internal restructuring that obfuscated its true ownership using what the US State Department described as a “web of holding companies in the Netherlands and Barbados”. Interestingly, Smartmatic supplied the biometric voting machines for Uganda’s recent 2021 elections, not exactly a ringing endorsement.
Smartmatic International Holding B.V. has been adversely mentioned in the Philippines, Venezuela, Uganda, Nigeria, and the USA over its credibility.
Beyond this, the IEBC’s procurement process seems to be off to a rocky start. For one, the delay in procuring Smartmatic’s services means that Kenyans may not get an opportunity to scrutinise the register of voters despite being legally entitled to do so. Further, the IEBC is also facing a legal challenge in respect of its procurement of Inform P Lykos Holdings for the printing of ballot papers. The Public Procurement Review Board nullified both awards to Inform P Lykos and Smartmatic but its decision has since been challenged at the High Court. The IEBC proceeded to sign contracts with both, citing the urgency of the election and the absence of an injunction from the High Court preventing it from contracting the two entities during the pendency of the appeal. When one considers that there are five years between election cycles, it is staggering that the IEBC would find itself in this position.
Certain of the broader issues facing the elections administration system have since been addressed by several legislative developments, principally the enactment of the DPA and the operationalisation of the Data Commissioner’s office. Supplementing the Elections (Technology) Regulations, the DPA and its accompanying regulations layer onto the IEBC’s obligations with respect to data collection, handling, and storage. These obligations have further been clarified by the Data Commissioner in a recently issued Guidance Note for Electoral Purposes. For example, the IEBC’s collection of voter registration information must be based on consent, and it must implement data protection mechanisms within the design of its systems. To ensure this is done, the Data Commissioner advises that a Data Protection Impact Assessment (DPIA) should be conducted by the IEBC and other election stakeholders such as the Registrar of Political Parties, who handle voter data, ahead of the elections.
For clarity a DPIA is required where personal data processing operations are likely to pose a risk to the rights of data subjects (in this case, voters). It guides risk mitigation efforts which should be undertaken by the person collecting and processing personal data, or whether such collection and processing should happen in the first place. A failure to conduct a DPIA resulted in the High Court’s recent revocation of the roll out of the Huduma Cards under the National Integrated Identity Management System. If the IEBC fails to conduct a DPIA, it is likely that this failure will feature either in the resulting election petitions or in court action prior to the elections. With respect to the storage of personal data, the general regulations issued under the DPA specify that the IEBC’s processing of personal data should be through a server located in Kenya, or the IEBC should at least maintain a copy of the server locally. This seems to be a nod to 2017 Supreme Court Judgement annulling the presidential election, which took issue with the unavailability of the IEBC’s servers.
In 2018, the CMCA was also enacted to provide for computer system-related offences such as unauthorised access or hacking. The CMCA established a National Computer and Cybercrimes Coordination Committee (referred to as NC4) which is tasked with coordinating the state’s response to cybercrime. Recently, the Cabinet Secretary for Interior and Coordination of National Government, who sits on the NC4, designated various parts of the country’s telecommunications infrastructure (including data centres and systems used to manage elections) as critical infrastructure under the CMCA. With this designation, the telecommunications infrastructure will benefit from enhanced security and scrutiny from the NC4, and any attempts to infiltrate or damage such infrastructure would attract criminal penalties under the CMCA. While this designation was linked to recent attacks on telecommunication masts and power grid, its link to the upcoming election is clear—the IEBC relies on telecommunication service providers to transmit results to its cloud servers. If compromised, the outcome of the election may be adversely impacted.
Electioneering on social media
The same measures that were adopted to bolster the integrity of the election administration system also serve to safeguard against the harms occasioned by the conduct of political actors on social media. In 2017, several media outlets reported that the now infamous Cambridge Analytica—a self-proclaimed political consultancy firm—was active in Kenya, offering services to various parties. According to Cambridge Analytica, its service offering included profiling online audiences based on regular demographics (for example age and gender) as well as personality. For the purposes of this profiling, personality is discerned from the audiences’ conduct on social media—the content which they consume, the individuals they interact with and other data points. Once audiences were profiled, political actors would be able to differentiate the messaging used based on the type of audience being targeted (in other words, to conduct microtargeting). Often, this messaging would include false or misleading information. To facilitate microtargeting, Cambridge Analytica would require large amounts of personal data. In the aftermath of the 2016 US elections, it was revealed that Cambridge Analytica harvested the personal data of millions of people through Facebook. Based on reports of its involvement in Kenya’s election, it is not clear whether Cambridge Analytica facilitated microtargeting or simply designed campaign communications strategy. However, what is clear is that it harvested Kenyans’ personal data through surveys.
This seems to be a nod to 2017 Supreme Court Judgement annulling the presidential election, which took issue with the unavailability of the IEBC’s servers.
Since the Cambridge Analytica scandal, Kenya has enacted the DPA and CMCA that are ostensibly expected to reduce the likelihood of microtargeting and other forms of harmful social media activity in the context of the elections. The access to and use of personal data is central to political campaigning in the digital age. Prior to the enactment of the DPA, this practice was largely unregulated. Political actors were able to obtain voters’ personal data from the publicly available voters’ register and the party member list that is available to parties through the ORPP. Their activities in processing this data for purposes of generating targeted messaging were also largely unsupervised. Save for the guidelines jointly issued by the National Cohesion and Integration Commission and the Communications Authority on bulk messaging and social media communications (NCIC-CA Guidelines), political actors were basically free to determine how to craft their messaging and target audiences. While the NCIC-CA Guidelines brought in a measure of transparency by requiring the source of political messaging to be disclosed within the body of the message, this is limited to communications disseminated through licenced telecommunications service providers.
The provisions of the DPA would serve to limit potential for microtargeting campaigns by raising the barriers to accessing personal data and increasing the scrutiny over political actors’ handling of personal data. For example, under the regulations issued under the DPA, entities involved in electioneering are required to register with the Data Commissioner, whether or not they qualify for an exemption. Further, the electorate whose data is being collected would be able to exercise rights against political actors and these entities such as requiring them to delete their personal data or refrain from processing it in the first place. Without the ability to freely collect and process personal data, and with the threat of legal action against them, it is arguable that political actors would be less likely to engage in these practices in the coming elections. However, this would largely depend on the role played by the Data Commissioner. For example, one would expect the Data Commissioner to spring into action in light of a recent acknowledgment by the IEBC that illegal transfers of voters were undertaken on its electronic voter register.
Aside from being reliant on the proactivity of the Data Commissioner, the efficacy of the data protection law framework in relation to microtargeting campaigns is limited by provisions of election laws. While the collection of personal data by the IEBC or ORPP is initially based on consent, once collected, these entities’ subsequent processing operations are provided for in statute and as such are not subject to further consent or the exercise of certain rights by the electorate. For example, the publication of the voter register cannot be stopped by a data subject due to its provision in law. One may only be able to request minimisation of unnecessary data such as contact information. Once published, this voter register would be accessible to political actors who may use the information gathered to engage in microtargeting.
In relation to the nature of campaign messaging shared through social media, the CMCA criminalises the spread of misleading or false content. This is in addition to the criminalisation of hate speech already contained in the National Cohesion and Integration Act. To date, the provisions of the CMCA relating to the spread of misleading or false content have only been invoked in politically charged contexts and in a seemingly selective manner. For example, while a blogger was charged with this offence under the CMCA for spreading alarming information regarding COVID-19, a Member of Parliament was not charged for what was effectively the same offence. Despite this law being in place for nearly three years, it has not been implemented in instances where researchers have identified specific social media accounts that are engaged in disinformation-for-hire campaigns.
Once published, this voter register would be accessible to political actors who may use the information gathered to engage in microtargeting.
Aside from this, there are other shortcomings with this approach. For one, the use of criminal sanctions to limit the types of speech people engage in is generally discouraged due to the risk posed to the freedom of expression that is crucial in healthy democracies. Further, the nature of online speech is often incompatible with traditional law enforcement mechanisms and, therefore, detecting and prosecuting such offences is bound to be difficult. The state may find itself responding disproportionately to situations where harmful content is being spread online, such as by shutting down internet access. Instead of criminalising certain speech, a few democracies have recently turned to codes of conduct that govern the conduct of political actors online. The most notable of these is the Election Pledge developed by the Transatlantic Commission on Election Integrity. Recognising that healthy political engagement online is primarily driven by political actors, the Election Pledge attempts to have these actors publicly and voluntarily commit to above board conduct such as avoiding the spread of mis-and disinformation, avoiding the spread of hate speech, and using personal data appropriately.
The nature of online speech is often incompatible with traditional law enforcement mechanisms and, therefore, detecting and prosecuting such offences is bound to be difficult.
All in all, a number of steps have been taken that in principle should improve the legal framework applicable to elections as they are conducted in the digital age. However, fundamental concerns remain with regard to the procurement of the IEBC’s ICT procurement and its internal capability. At its core, the conduct of the IEBC and political actors involved in the electoral process will determine the credibility of the process. The IEBC has not yet discharged its mandate of establishing in the public mind how it will avoid the debacles of 2017. Aside from this, the steps taken to safeguard the electorate from practices such as microtargeting seem limited by the provisions of election laws and the proactivity of sector regulators such as the Data Commissioner and the Communications Authority will play a significant role in setting the tone for political actors. In our next article, we will shine a spotlight on the IEBC and consider its readiness to conduct this election in a transparent, credible and lawful manner.
–
This article was authored in collaboration with the Kofi Annan Foundation whose electoral integrity programme is supported by the United Nations Democracy Fund.
