It is undeniable that the Azimio presidential petition has raised weighty IT issues. What is also self-evident is the judicial panel will need more than a little steering in matters technology. To that end, John Walubengo, CISA, CDPSE, (OGW), ICT Lecturer, Multimedia University of Kenya, Consulting Data Protection Officer (DPO) Ajua and Trustee at KICTAnet, former Industrial Engineer Dr Joseph Sevilla, the Director, @iLabAfrica and @iBizAfrica, and Martin Mirero, the CTO at up and rising start-up Ajua, have stepped up as proposed Amici Curiae (Friends of the Court).
Filed on 28 August and broken into segments with technical opinions, the petition brings into focus the need for the legal and tech communities to play well, fast, and together beyond digitisation and into partnership territory. A most curious state of affairs for professions each governed by its own peculiar language and code. But, with barely a fortnight to reach a verdict, the timelines, as the petition notes, are incredibly strict.
Inclusive of the trios CVs and accomplishments, it also presents their expert opinions. Beginning with the identification of the technological aspects of IEBC’s electoral system, (the Biometric Voter Registration – (BVR), the Electronic Voter Identifier (EVID), the Results Transmission System (RTS), and The Logs, they illustrate the workflow as stated by the Independent Electoral and Boundaries Commission (IEBC) across platforms, while making general observations on publicly available IEBC technical documentation.
They make a note that while IEBC shared the finer details as to how the election system works with political parties, they now needed to break down said aspects of the Kenya Integrated Election Management System (KIEMS) to the public and to ICT professionals. In the process, they would have to air what is possible versus what is not possible with regard to hacking.
While identifying possible attack areas, the petition supposes that by presenting server logs as digital evidence, “the Chain of Custody” – a legal phrase that refers to the order in which items presented as evidence have been handled during the investigation of a case – “… is a critical component in digital forensic science.” Said Chain of Custody is what underscores the admissibility of digital evidence in court by raising critical questions such as how and where said evidence was sourced from, who carried out the extraction, and how it was all secured.
Evidence must be in its original, tamper-free state. Proof that an item has been properly handled through an unbroken chain of custody is required for it to be legally accepted as evidence in court. The three recommend that the court appoint a special IT audit team to “ascertain and report back on some of the contested areas regarding the technical aspects of the KIEMS.”
A technical review of John Githongo’s affidavit, allowed in court, is broken down as are those from Commissioner Justus Nyang’anya, Cybersecurity Consultant Raymond Bett, Entrepreneur Eric Kitetu, and Election Coordinator Moses Sunkuli. Acknowledging that “no system is 100 per cent secure,” they say “… any system, including IEBC servers, can potentially be compromised.” What counts are the systems IEBC put in place “to record the events around the compromise in what is known as “server logs.”
Conclusively, the petition states “no tangible technical evidence has been presented to indicate proof of hacking.” Citing hacking as something that is always a possibility, it could be that the digital logs presented to Azimio may have been faulty, irrelevant, or lacked an accompanying Chain of Custody log report.
The triptych’s recommendations for the Supreme Court are as follows:
- To order a sample of polling station KIEMS Kit logs for review of Form34A as transmitted against the time said form was logged into the server
- Appoint a special ICT expert team that will revert to the Supreme Court on certain contested technical areas in relation to KIEMS
- Allow the expert team to look into any number of issues surrounding, but not limited to, the authentication of privileged user accounts, privileged users, the integrity of the databases, active directory, domain controllers, and all security devices controlling access to the server environment, administration, and transmission formats for Form34A (jpeg vs pdf).
The proceedings seem to be attracting quite a number of interested parties intent on becoming Friends of the Court for a cross-section of reasons. The Law Society of Kenya (LSK), Farmers Party, and former presidential candidate Waihiga Mwaure all tossed their hats into that ring. Meanwhile, the case chugs along.