‘Prone to hacking’: expert witness in Kenya’s Huduma Namba hearings first round
“[The National Integrated Identity Management System] thus is an archaic design compared to modern-day systems architecture and can be rightly thought of as a horse-buggy drawn by a lame horse on a digital highway. That it would fail and fall behind is a foregone conclusion,” expert witness Anand Venkatanarayanan told judges in Kenya’s High Court.
The Huduma Namba project
Kenya’s national ID scheme is back in the dock as civil rights group bring a case against a new draft bill, questioning whether the scheme is constitutional. The ‘single source of truth’ project has been up and running for several months, with millions of Kenyans (at least 37 million) already having had their biometrics captured to get a unique huduma namba or ‘service number’.
A new bill has been drafted to open up a new registration period and circumnavigate the High Court’s previous findings.
Previous court proceedings
Civil society has been outspoken and has already achieved certain interventions upheld by the High Court in advance of registration back in April. These included the stipulation that having a huduma namba is not a mandatory requirement or pre-condition for accessing government services, that data captured cannot be shared between agencies and third parties and that DNA and GPS data could not be collected as part of registration. With the Court’s permission, registration began.
Despite the High Court’s previous intervention, the government has since stated that a huduma namba will be needed for all public services. This has been added to a new draft bill, as have prison terms for failing to register.
The High Court’s three judges are now hearing from expert witnesses brought by groups that oppose aspects of the scheme and its procedures.
Privacy and the constitution
Kenya has no privacy or data protection laws to control how data collected is stored or used or who has access. Opponents argue that the scheme collects new data and links this to service provision, and tramples over rights to privacy.
Kenya Ministry of Information, Communication & Technology State Department of ICT Director of Shared Services Robert Mugo previously told Biometric Update of the great successes of the scheme once registration had begun.
A report by Open Justice summarizes the constitutional element of the legal proceedings: “The cases raise issues including the non-transparent and non-competitive manner in which the NIIMS contract was awarded, the use of a miscellaneous amendments bill to pass substantive amendments, the lack of public participation in the process, concerns over data privacy and protection, the right to information, and the risk the system could further entrench discrimination of marginalized groups in Kenya.
“The case affects the rights of all people in Kenya, while also addressing how NIIMS will disproportionately affect marginalized communities.”
Expert witnesses against
In an extremely technical series of witness cross-examinations, brought again by the Kenyan National Commission on Human Rights, the opposition have put down their case over four days.
Anand Venkatanarayanan, Indian cyber security expert and computer fraud forensic analyst and critic of India’s Aadhaar ID system, gave a damning account of the Kenyan scheme.
“In computer security, nothing is truly secure and there are only costs and benefits of hoarding data. Centralized databases such as India’s Aadhaar and NIIMS, however, hoard so much data that the cost-benefit ratio tilts definitely in favor of attackers,” said Venkatanarayanan, reported by The Star.
“NIIMS is archaic compared to the modern-day system architectures. While other countries strive to decentralize information, Kenya seems to be in a rush to do the opposite,” said Venkatanarayanan.
Beyond the courtroom
Meanwhile, Kenyans are still being urged to take advantage of mobile registration units to have their details taken while fraudsters are already sending messages to people offering to reveal the details held by NIIMs for a fee. Officials are warning not to take the bait.
Following this four-day hearing, government witnesses will come before the Court in the next round on October 2 and 3.
Article Topics
Africa | biometrics | data collection | data protection | digital identity | Huduma Namba | Kenya | National Integrated Identity Management System (NIIMS) | privacy
Comments