Kenya Government mandates DNA-linked national ID, without data protection law
https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-...
Last month, the Kenya Parliament passed a seriously concerning amendment to the country’s national ID law, making Kenya home to the most privacy-invasive national ID system in the world. The rebranded, National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents. NIIMS will consolidate information contained in other government agency databases and generate a unique identification number known as Huduma Namba.
It is hard to see how this system comports with the right to privacy articulated in Article 31 of the Kenyan Constitution. It is deeply troubling that these amendments passed without public debate, and were approved even as a data protection bill which would designate DNA and biometrics as sensitive data is pending.
Before these amendments, in order to issue the National ID Card (ID), the government only required name, date and place of birth, place of residence, and postal address. The ID card is a critical document that impacts everyday life, without it, an individual cannot vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights.
Mozilla strongly believes that no digital ID system should be implemented without strong privacy and data protection legislation. The proposed Data Protection Bill of 2018 which Parliament is likely to consider next month, is a strong and thorough framework that contains provisions relating to data minimization as well as collection and purpose limitation. If NIIMS is implemented, it will be in conflict with these provisions, and more importantly in conflict with Article 31 of the Constitution, which specifically protects the right to privacy.
Proponents of NIIMS claim that the system provides a number of benefits, such as accurate delivery of government services. These arguments also seem to conflate legal and digital identity. Legal ID used to certify one’s identity through basic data about one’s personhood (such as your name and the date and place of your birth) is a commendable goal. It is one of the United Nations Sustainable Development Goals 16.9 that aims “to provide legal identity for all, including birth registration by 2030”. However, it is important to remember this objective can be met in several ways. “Digital ID” systems, and especially those that involve sensitive biometrics or DNA, are not a necessary means of verifying identity, and in practice raise significant privacy and security concerns. The choice of whether to opt for a digital ID let alone a biometric ID therefore should be closely scrutinized by governments in light of these risks, rather than uncritically accepted as beneficial.
Security Concerns: The centralized nature of NIIMS creates massive security vulnerabilities. It could become a honeypot for malicious actors and identity thieves who can exploit other identifying information linked to stolen biometric data. The amendment is unclear on how the government will establish and institute strong security measures required for the protection of such a sensitive database. If there’s a breach, it’s not as if your DNA or retina can be reset like a password or token.
Surveillance Concerns: By centralizing a tremendous amount of sensitive data in a government database, NIIMS creates an opportunity for mass surveillance by the State. Not only is the collection of biometrics incredibly invasive, but gathering this data combined with transaction logs of where ID is used could substantially reduce anonymity. This is all the more worrying considering Kenya’s history of extralegal surveillance and intelligence sharing.
Ethnic Discrimination Concerns: The collection of DNA is particularly concerning as this information can be used to identify an individual’s ethnic identity. Given Kenya’s history of politicization of ethnic identity, collecting this data in a centralized database like NIIMS could reproduce and exacerbate patterns of discrimination.
The process was not constitutional
Kenya’s constitution requires public input before any new law can be adopted. No public discussions were conducted for this amendment. It was offered for parliamentary debate under “Miscellaneous” amendments, which exempted it from procedures and scrutiny that would have required introduction as a substantive bill and corresponding public debate. The Kenyan government must not implement this system without sufficient public debate and meaningful engagement to determine how such a system should be implemented if at all.
The proposed law does not provide people with the opportunity to opt in or out of giving their sensitive and precise data. The Constitution requires that all Kenyans be granted identification. However, if an individual were to refuse to turn over their DNA or other sensitive information to the State, as they should have the right to do, they could risk not being issued their identity or citizenship documents. Such a denial would contravene Articles 12, 13, and 14 of the Constitution.
Opting out of this system should not be used to discriminate or exclude any individual from accessing essential public services and exercising their fundamental rights.
Individuals must be in full control of their digital identities with the right to object to processing and use and withdraw consent. These aspects of control and choice are essential to empowering individuals in the deployment of their digital identities. Therefore policy and technical decisions must take into account systems that allow individuals to identify themselves rather than the system identifying them.
Mozilla urges the government of Kenya to suspend the implementation of NIIMS and we hope Kenyan members of parliament will act swiftly to pass the Data Protection Bill of 2018.
Misinformation galore. To each his/her own though.
On Wed, 13 Feb 2019 at 15:11, Alice Munyua via kictanet <kictanet@lists.kictanet.or.ke> wrote:
https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-...
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/eshuchi.richard%40gmai...
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
-- Regards, *Eshuchi Richard*
All-
As part of our efforts to expand engagement with the academic community and to create more awareness of and engagement related to content policy development and enforcement, Facebook has developed the “Content Policy Research Initiative” to support external research. The research topic areas of focus for these meetings and the call for proposals (found here <https://research.fb.com/programs/research-awards/proposals/content-policy-research-on-social-media-platforms-request-for-proposals/>) are focused on:
* Defining and moderating hateful content
* Preventing offline harm from dangerous organizations/groups
Details on the call for proposals:
· Proposals should be between $50-100K (USD) and executed over 12 months
· Proposals should be 2-3 pages and are due by March 15
· It is open to applicants worldwide from academic and/or research institutions that are eligible for research funding (this means many think tanks and some civil society groups may be eligible)
· The call is global and we are striving for a geographic and topical diversity
· Emerging Scholars are encouraged to apply
We are especially keen to receive proposals from across Africa, so I’m eager to help facilitate this. Do let me know if there are any questions.
Dear Listers,
It is my hope that interested African government agencies, researchers and institutions will recognize that content safety management is now an existential issue for this > $10 Billion Revenue company (with ~$164 Billion market cap) due to its own failure to foresee or mitigate the problem during early stages.
I believe that Facebook has certain structural deficiencies (which I will outline below) that African Government agencies, academic institutions and researchers can use as a basis for their own negotiating leverage - and such high-value leverage should not be thrown away (unless we are not serious about ending poverty).
The key point being that no offer/invitation by billion dollar MNCs should be accepted at face value without a proper understanding of the real direct/imputed commercial value of the research being proposed / invited;
The company's top decision-makers should, IMO, be invited to sit at the table with government, institutional and researcher representatives to make a proper and more meaningful offer.
Facebook structural deficiencies:
- The company reportedly has very poor diversity ratios for a globally operating company that is very powerful in Africa (i.e. they have only ~1% black employees worldwide in technical roles, and less than 2% in management - mostly African Americans or naturalized immigrants I believe). Therefore the company has very little understanding of - or tangible commitment to - Africa.
This lack of multicultural diversity is turning out to be a major strategic blunder for them as it potentially has implications on their long-term commercial viability in grossly underrepresented areas e.g. Africa.
What they are now looking for, with respect to Africa, can only be obtained in Africa. This is very important.
RECOMMENDATION for African Researchers / institutions: Do not share your unique local cultural knowledge and insights for PEANUTS, or one-time gains (whereas the requesting company will benefit for many decades or more).
The company should pay both the researchers and the institutions a proper premium that reflects the real long term value of the local and cultural insights being offered - and the probable fact that they probably cannot obtain such insights anywhere else on this planet.
Smart institutions (and/or government agencies) will also request for a perpetual royalties clause (fixed amount or ratio) for whatever findings gets implemented - and a long term ability to claim (>20 years) to help fund ongoing research in other areas (or to incubate small businesses).
- I believe the company only has one office in Africa (Johannesburg) representing all of Africa's 1.2 BILLION people (guessing ~<30 staff mostly low level, but the company can give clearer picture). It also appears like the top roles for Africa operate from their UK Office, effectively denying African governments PAYE taxes and economic gains of locally based employees. Because the decision makers are not based here, it is hard for them to genuinely empathise with local issues.
Contrast with at least 3 offices, estimated > 1,000 high quality jobs in India (+ ~>5,000 Non-resident Indians in the US) and meaningful partnerships with India's Indigenous IT consulting companies which I would estimate to be worth hundreds of millions in US dollars. I believe Facebook can give more precise numbers if requested.
Its plans for Nairobi's "moderation center" does not appear to involve setting up a proper registered presence - in accordance with provisions of the Companies Act (the way Google and Microsoft have done) as it appears to be a wholly outsourced and strictly low level arrangement, to create dirty jobs that could impose a huge long-term health and safety burden for the country.
My guess is that the primary motivator for what appears to be their current potentially illegal business operation in Kenya (i.e. they are selling ads in Kenya on behalf of local businesses but don't seem to be registered locally e.g. contrary to requirements for registration of foreign companies in section 974 of the Companies Act) is aggressive tax avoidance because the company has enough resources to do the right thing.
Meanwhile thousands of our highly skilled Technology graduates are jobless.
RECOMMENDATION for African Researchers / institutions: Silicon Valley companies, like Facebook, should be asked to show meaningful commitment to Africa by establishing at least one locally staffed engineering, support and management office in each of the different economic blocks (SADC / ECOWAS / EAC etc) and to start paying local taxes in the chosen host country. They should offer high quality and regular internships to our computer science students in universities.
- The company reportedly relies on addiction technology to boost engagement, retention and ad revenues.
To mitigate the consequences, the company should commit to funding the establishment and operation of at least one regional mental health research center in each economic block to host researchers from African Universities on a rotating and collaborative basis.
Social media firms should also contribute funds annually to an attention resource diversion compensation kitty in each African country - which can be used to finance tax subsidies to compensate local employers (especially SMEs) whose employees' attention has been stolen / grabbed by addiction algorithms during work hours without consent from the employer.
They also need to fund a diversion of attention from intellectual pursuits compensation kitty to help fund solutions to the long term macro-economic problems created when learner's attention are grabbed by the use of addiction forming algorithms.
Companies that use addiction technology should also be requested to finance the set up and operation of world-class technology addiction rehabilitation centers in each and every African country (for both minors and adults). They should also pay additional sin tax - like tobacco and alcohol companies to fund health sector initiatives.
Image does not put food on the table. We need to start insisting that foreign companies offer tangible, meaningful and genuine win-win commercial and social engagement in Africa (incidentally the world's 8th largest economy by GDP).
I leave you with a proverb: If you want people to buy your cows, do not give them milk for free (or for peanuts)..
Thinking loud. Share widely to stimulate some good debates across the continent. :-)
Brgds,
Patrick A. M. Maina [Independent Public Policy Analyst - Indigenous Innovations]
On Wednesday, February 13, 2019, 7:49:34 PM GMT+3, Ebele Okobi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
All-
As part of our efforts to expand engagement with the academic community and to create more awareness of and engagement related to content policy development and enforcement, Facebook has developed the “Content Policy Research Initiative” to support external research.
Any data driven research especially on Africa is highly welcomed. This is a good move from Facebook. I hope one of the research comes from the continent.
On Wed, Feb 13, 2019, 11:59 PM Patrick A. M. Maina via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Dear Listers,
It is my hope that interested African government agencies, researchers and institutions will recognize that *content safety management is now an existential issue for this > $10 Billion Revenue company (with ~$164 Billion market cap)* due to its own failure to foresee or mitigate the problem during early stages.
I believe that Facebook has certain *structural deficiencies* (which I will outline below) that African Government agencies, academic institutions and researchers can use as a basis for their own *negotiating leverage* - and such *high-value leverage should not be thrown away* (unless we are not serious about ending poverty).
The key point being that *no offer/invitation by billion dollar MNCs should be accepted at face value* without a proper understanding of the *real *direct/imputed *commercial value of the research* being proposed / invited;
The company's top decision-makers should, IMO, be invited to *sit at the table* with government, institutional and researcher representatives to make a *proper *and more * meaningful* offer.
*Facebook structural deficiencies:*
1. The company reportedly has* very poor diversity ratios* for a globally operating company that is very powerful in *Africa *(i.e. they have only* ~1% black* *employees *worldwide in technical roles, and less than 2% in management - mostly *African Americans* or *naturalized immigrants *I believe). Therefore the company has *very little understanding* *of - or tangible commitment to - Africa*.
This lack of multicultural diversity is turning out to be a *major strategic blunder* for them as it potentially has implications on their long-term commercial viability in grossly underrepresented areas e.g. Africa.
What they are now looking for, with respect to Africa, *can only be obtained in Africa*. This is very important.
*RECOMMENDATION for African Researchers / institutions:* Do not share your unique local cultural knowledge and insights *for PEANUTS*, or *one-time gains *(whereas the requesting company will benefit for many decades or more).
The company should pay *both *the *researchers* and *the institutions* a *proper premium* that reflects the *real long term value* of the local and cultural insights being offered - and the probable fact that they probably cannot obtain such insights *anywhere else on this planet*.
Smart institutions (and/or government agencies) will also request for a *perpetual royalties clause* (fixed amount or ratio) for whatever findings gets implemented - and a long term ability to claim (>20 years) to help fund ongoing research in other areas (or to incubate small businesses).
2. I believe the company only has *one office in Africa* (Johannesburg) representing all of Africa's *1.2 BILLION people *(guessing *~<30 staff* mostly low level, but the company can give clearer picture). It also appears like the *top roles for Africa* operate from their UK Office, effectively denying African governments *PAYE taxes *and *economic gains* of locally based employees. Because the decision makers are not based here, it is hard for them to genuinely empathise with local issues.
Contrast with at least *3 offices,* estimated *> 1,000 high quality jobs *in *India* (+ ~>5,000 Non-resident Indians in the US) and meaningful partnerships with *India's Indigenous IT consulting companies *which I would estimate to be worth *hundreds of millions in US dollars*. I believe Facebook can give more precise numbers if requested.
Its plans for Nairobi's "moderation center" does not appear to involve setting up a *proper registered presence* - in accordance with provisions of the *Companies Act* (the way Google and Microsoft have done) as it appears to be a wholly outsourced and strictly low level arrangement, to create *dirty jobs* that could impose a *huge long-term health and safety burden* for the country.
My guess is that the primary motivator for what appears to be their current *potentially illegal business *operation in Kenya (i.e. they are *selling ads* in Kenya on behalf of *local businesses* but don't seem to be registered locally e.g. contrary to requirements for registration of foreign companies in* section 974* of the *Companies Act*) is *aggressive tax avoidance* because the company has enough resources to do the right thing.
*Meanwhile thousands of our highly skilled Technology graduates are jobless.*
*RECOMMENDATION for African Researchers / institutions:* Silicon Valley companies, like Facebook, should be asked to show *meaningful commitment to Africa* by establishing *at least one* locally staffed* engineering, support *and *management office* in *each *of the different* economic blocks* (SADC / ECOWAS / EAC etc) and to *start paying local taxes *in the chosen host country*. *They should offer high quality and regular internships to our computer science students in universities.
3. The company reportedly relies on *addiction technology* to boost engagement, retention and ad revenues.
To mitigate the consequences, the company should commit to *funding *the establishment and operation of at least one *regional mental health research center* in each economic block to host researchers from African Universities on a rotating and collaborative basis.
Social media firms should also *contribute funds annually* to an *attention resource diversion compensation kitty *in each African country - which can be used to finance tax subsidies to *compensate local employers* (especially SMEs) whose *employees' attention* has been stolen / grabbed by *addiction* *algorithms* during work hours without consent from the employer.
They also need to fund a *diversion of attention from intellectual pursuits compensation kitty* to help fund solutions to the *long term macro-economic problems *created when learner's attention are grabbed by the use of addiction forming algorithms.
Companies that use addiction technology should also be requested to finance the set up and operation of *world-class* *technology addiction rehabilitation centers *in each and every African country (for both minors and adults). They should also pay a*dditional sin tax* - like tobacco and alcohol companies to fund health sector initiatives.
Image does not put food on the table. We need to start insisting that foreign companies offer *tangible*, *meaningful *and *genuine win-win *commercial and social engagement in Africa (incidentally the world's 8th largest economy by GDP).
I leave you with a proverb: *If you want people to buy your cows, do not give them milk for free (or for peanuts).. *
Thinking loud. Share widely to stimulate some good debates across the continent. :-)
Brgds,
Patrick A. M. Maina [Independent Public Policy Analyst - Indigenous Innovations]
On Wednesday, February 13, 2019, 7:49:34 PM GMT+3, Ebele Okobi via kictanet <kictanet@lists.kictanet.or.ke> wrote:
All-
As part of our efforts to expand engagement with the academic community and to create more awareness of and engagement related to content policy development and enforcement, Facebook has developed the “Content Policy Research Initiative” to support external research. The research topic areas of focus for these meetings and the call for proposals (found here <https://research.fb.com/programs/research-awards/proposals/content-policy-research-on-social-media-platforms-request-for-proposals/>) are focused on:
- Defining and moderating hateful content - Preventing offline harm from dangerous organizations/groups
Details on the call for proposals:
· Proposals should be between $50-100K (USD) and executed over 12 months
· Proposals should be 2-3 pages are due by March 15
· It is open to applicants worldwide from academic and/or research institutions that are eligible for research funding (this means it means many think tanks and some civil society groups may be eligible)
· The call is global and we are striving for a geographic and topical diversity
· Emerging Scholars are encouraged to apply
We are especially keen to receive proposals from across Africa, so I’m eager to help facilitate this. Do let me know if there are any questions.
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/pmaina2000%40yahoo.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
Listers,
Came across this presentation on NIIMS. It seems that the implementation does not envisage privacy. It is all from a traditional security and technology as a solution perspective.
Of course there are many other questions such as how this will be integrated with existing and recently collected biometric data such as the voter register, passport and immigration data.
Security should also include protection of our society's long term goals. We should have started with the data protection law. And even then, collection of DNA is a really big deal. Should we not discuss how it shall be done, by whom, for what purpose etc before?
Regards
On Wed 13 Feb 2019 at 19:11, Eshuchi Richard via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Misinformation galore.
To each his/her own though.
On Wed, 13 Feb 2019 at 15:11, Alice Munyua via kictanet < kictanet@lists.kictanet.or.ke> wrote:
https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-...
Last month, the Kenya Parliament passed a seriously concerning amendment to the country’s national ID law, making Kenya home to the most privacy-invasive national ID system in the world. The rebranded, National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents. NIIMS will consolidate information contained in other government agency databases and generate a unique identification number known as Huduma Namba.
It is hard to see how this system comports with the right to privacy articulated in Article 31 of the Kenyan Constitution. It is deeply troubling that these amendments passed without public debate, and were approved even as a data protection bill which would designate DNA and biometrics as sensitive data is pending.
Before these amendments, in order to issue the National ID Card (ID), the government only required name, date and place of birth, place of residence, and postal address. The ID card is a critical document that impacts everyday life; without it, an individual cannot vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights.
Mozilla strongly believes that no digital ID system should be implemented without strong privacy and data protection legislation. The proposed Data Protection Bill of 2018, which Parliament is likely to consider next month, is a strong and thorough framework that contains provisions relating to data minimization as well as collection and purpose limitation. If NIIMS is implemented, it will be in conflict with these provisions, and more importantly in conflict with Article 31 of the Constitution, which specifically protects the right to privacy.
Proponents of NIIMS claim that the system provides a number of benefits, such as accurate delivery of government services. These arguments also seem to conflate legal and digital identity. Legal ID used to certify one’s identity through basic data about one’s personhood (such as your name and the date and place of your birth) is a commendable goal. It is one of the United Nations Sustainable Development Goals 16.9 that aims “to provide legal identity for all, including birth registration by 2030”. However, it is important to remember this objective can be met in several ways. “Digital ID” systems, and especially those that involve sensitive biometrics or DNA, are not a necessary means of verifying identity, and in practice raise significant privacy and security concerns. The choice of whether to opt for a digital ID let alone a biometric ID therefore should be closely scrutinized by governments in light of these risks, rather than uncritically accepted as beneficial.
Security Concerns: The centralized nature of NIIMS creates massive security vulnerabilities. It could become a honeypot for malicious actors and identity thieves who can exploit other identifying information linked to stolen biometric data. The amendment is unclear on how the government will establish and institute strong security measures required for the protection of such a sensitive database. If there’s a breach, it’s not as if your DNA or retina can be reset like a password or token.
Surveillance Concerns: By centralizing a tremendous amount of sensitive data in a government database, NIIMS creates an opportunity for mass surveillance by the State. Not only is the collection of biometrics incredibly invasive, but gathering this data combined with transaction logs of where ID is used could substantially reduce anonymity. This is all the more worrying considering Kenya’s history of extralegal surveillance and intelligence sharing.
Ethnic Discrimination Concerns: The collection of DNA is particularly concerning as this information can be used to identify an individual’s ethnic identity. Given Kenya’s history of politicization of ethnic identity, collecting this data in a centralized database like NIIMS could reproduce and exacerbate patterns of discrimination.
The process was not constitutional
Kenya’s constitution requires public input before any new law can be adopted. No public discussions were conducted for this amendment. It was offered for parliamentary debate under “Miscellaneous” amendments, which exempted it from procedures and scrutiny that would have required introduction as a substantive bill and corresponding public debate. The Kenyan government must not implement this system without sufficient public debate and meaningful engagement to determine how such a system should be implemented if at all.
The proposed law does not provide people with the opportunity to opt in or out of giving their sensitive and precise data. The Constitution requires that all Kenyans be granted identification. However, if an individual were to refuse to turn over their DNA or other sensitive information to the State, as they should have the right to do, they could risk not being issued their identity or citizenship documents. Such a denial would contravene Articles 12, 13, and 14 of the Constitution.
Opting out of this system should not be used to discriminate or exclude any individual from accessing essential public services and exercising their fundamental rights.
Individuals must be in full control of their digital identities with the right to object to processing and use and withdraw consent. These aspects of control and choice are essential to empowering individuals in the deployment of their digital identities. Therefore policy and technical decisions must take into account systems that allow individuals to identify themselves rather than the system identifying them.
Mozilla urges the government of Kenya to suspend the implementation of NIIMS and we hope Kenyan members of parliament will act swiftly to pass the Data Protection Bill of 2018.
-- Regards, *Eshuchi Richard*
-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
Hi Grace,
Many thanks for the NIIMS presentation. I agree there is need for more engagement on this issue, otherwise, as things stand and with all due respect to the government's best interests, NIIMS will be Omtata'd.
Regards
Listers, On NIIMS, I believe the intentions are noble but the solution chosen hints at limited cybersecurity awareness in our national security / defense sector - which is a bit worrying. I don't know if the teams involved considered the risks of concentrating that kind of *internationally valuable* data... In our current world, NIIMS will (guaranteed) attract and literally *invite* a deluge of the most sophisticated cyber-attacks from all sorts of places (including: untraceable state sponsored actors, international criminal networks, local corruption networks teaming up with international criminals etc)... The reasoning behind this is the fact that the amount of resources expended towards cyber-crime are directly proportional to the perceived value of the anticipated payoff. Hmm.. Just how valuable is an entire country's biometric ID and GPS linked database? What are the implications for the country if that kind of data falls into the wrong hands (or if the systems are infiltrated by some kind of ransom-ware with the help of insider collusion)? Can NIIMS be protected? No chance. State sponsored intrusion uses low-level attack vectors (e.g. chip-level trojans / backdoors or DBEngine / OS / Driver level backdoors etc introduced at OEM level (sometimes without the OEM company itself being aware); such risks cannot be defended against unless you make - i.e. design and build, not just assemble - your own critical ICT components and have full control of your supply chain. At his time, Kenya does not have, but can develop if it wishes - the indigenous technical capacity, to protect and defend such a super-high-value database. Can the protection be outsourced (e.g. to friendly countries)? Yes, but at what cost? By doing so, Kenya (and any African country that adopts such tech without first developing indigenous capabilities) will technically be relinquishing whatever *national sovereignty* it currently has. 
This is because the government will have to place 100% reliance and faith on the *benevolent intentions* and *altruistic protection* of a technologically advanced supplier partner state (typically the hardware and OS manufacturer's originating country)... and that is not a problem that can be solved by component diversification (because then its a free for all), we will have little choice but to choose a coloniser to help us "protect" our national data (I think there are only three credible options: US, China or Russia). Looks like a tricky and unwise position for a non-aligned country/region to place itself in. Do we really want to checkmate ourselves geo-politically? I urge our government to consider setting up Holistic Analysis Units in each Ministry (and even at county levels) to examine policies / proposals / ideas across multiple subject domains and identify non-obvious factors such as the risks of unintended consequences (to facilitate more robust decisions and outcomes). Good intentions do not always yield the intended positive outcomes; they can make the problem worse. Will criminals and terrorists sign up to NIIMS? Can the government prevent insider corruption networks from selling or corrupting the data for a fee? Instead of solving identity problems NIIMS could lead to the creation of very complex and sophisticated identity crimes. In fact the original problems might never get solved (yet we will have introduced new problems and costly challenges). Perhaps, at some point in future, an idea like NIIMS could make sense. Right now, I don't think it does. Good day,Patrick. On Thursday, February 14, 2019, 8:46:39 AM GMT+3, Grace Bomu via kictanet <kictanet@lists.kictanet.or.ke> wrote: Listers, Came across this presentation on NIIMS. It seems that the implementation does not envisage privacy. It is all from a traditional security and technology as a solution perspective. 
Of course there are many other questions such as how this will be integrated with existing and recently collected biometric data such as the voter register, passport and immigration data. Security should also include protection of our society's long term goals. We should have started with the data protection law. And even then, collection of DNA is a really big deal. Should we not discuss how it shall be done, by whom, for what purpose etc before ? Regards Il giorno mer 13 feb 2019 alle ore 19:11 Eshuchi Richard via kictanet <kictanet@lists.kictanet.or.ke> ha scritto: Misinformation galore. To each his/her own though. On Wed, 13 Feb 2019 at 15:11, Alice Munyua via kictanet <kictanet@lists.kictanet.or.ke> wrote: https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-... Last month, the Kenya Parliament passed a seriously concerning amendment to the country’s national ID law, making Kenya home to the most privacy-invasive national ID system in the world. The rebranded, National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents. NIIMS will consolidate information contained in other government agency databases and generate a unique identification number known as Huduma Namba. It is hard to see how this system comports with the right to privacy articulated in Article 31 of the Kenyan Constitution. It is deeply troubling that these amendments passed without public debate, and were approved even as a data protection bill which would designate DNA and biometrics as sensitive data is pending. Before these amendments, in order to issue the National ID Card (ID), the government only required name, date and place of birth, place of residence, and postal address. 
The ID card is a critical document that impacts everyday life, without it, an individual cannot vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights. Mozilla strongly believes that that no digital ID system should be implemented without strong privacy and data protection legislation. The proposed Data Protection Bill of 2018 which Parliament is likely to consider next month, is a strong and thorough framework that contains provisions relating to data minimization as well as collection and purpose limitation. If NIIMS is implemented, it will be in conflict with these provisions, and more importantly in conflict with Article 31 of the Constitution, which specifically protects the right to privacy. Proponents of NIIMS claim that the system provides a number of benefits, such as accurate delivery of government services. These arguments also seem to conflate legal and digital identity. Legal ID used to certify one’s identity through basic data about one’s personhood (such as your name and the date and place of your birth) is a commendable goal. It is one of the United Nations Sustainable Development Goals 16.9 that aims “to provide legal identity for all, including birth registration by 2030”. However, it is important to remember this objective can be met in several ways. “Digital ID” systems, and especially those that involve sensitive biometrics or DNA, are not a necessary means of verifying identity, and in practice raise significant privacy and security concerns. The choice of whether to opt for a digital ID let alone a biometric ID therefore should be closely scrutinized by governments in light of these risks, rather than uncritically accepted as beneficial. Security Concerns: The centralized nature of NIIMS creates massive security vulnerabilities. 
It could become a honeypot for malicious actors and identity thieves who can exploit other identifying information linked to stolen biometric data. The amendment is unclear on how the government will establish and institute strong security measures required for the protection of such a sensitive database. If there’s a breach, it’s not as if your DNA or retina can be reset like a password or token. Surveillance Concerns: By centralizing a tremendous amount of sensitive data in a government database, NIIMS creates an opportunity for mass surveillance by the State. Not only is the collection of biometrics incredibly invasive, but gathering this data combined with transaction logs of where ID is used could substantially reduce anonymity. This is all the more worrying considering Kenya’s history of extralegal surveillance and intelligence sharing. Ethnic Discrimination Concerns: The collection of DNA is particularly concerning as this information can be used to identify an individual’s ethnic identity. Given Kenya’s history of politicization of ethnic identity, collecting this data in a centralized database like NIIMS could reproduce and exacerbate patterns of discrimination. The process was not constitutional Kenya’s constitution requires public input before any new law can be adopted. No public discussions were conducted for this amendment. It was offered for parliamentary debate under “Miscellaneous” amendments, which exempted it from procedures and scrutiny that would have required introduction as a substantive bill and corresponding public debate. The Kenyan government must not implement this system without sufficient public debate and meaningful engagement to determine how such a system should be implemented if at all. The proposed law does not provide people with the opportunity to opt in or out of giving their sensitive and precise data. The Constitution requires that all Kenyans be granted identification. 
However, if an individual were to refuse to turn over their DNA or other sensitive information to the State, as they should have the right to do, they could risk not being issued their identity or citizenship documents. Such a denial would contravene Articles 12, 13, and 14 of the Constitution. Opting out of this system should not be used to discriminate or exclude any individual from accessing essential public services and exercising their fundamental rights. Individuals must be in full control of their digital identities with the right to object to processing and use and withdraw consent. These aspects of control and choice are essential to empowering individuals in the deployment of their digital identities. Therefore policy and technical decisions must take into account systems that allow individuals to identify themselves rather than the system identifying them. Mozilla urges the government of Kenya to suspend the implementation of NIIMS and we hope Kenyan members of parliament will act swiftly to pass the Data Protection Bill of 2018. _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/eshuchi.richard%40gmai... The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. 
-- Regards, Eshuchi Richard
-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
Well, the restricted Tender has already been awarded to OT Morpho. With a weak policy and legal framework for Cybersecurity and privacy, it's unfortunate that the project is proceeding at full steam ahead. In other news, it's not surprising that the cost has shot up from the initial 3 billion to 6 billion. God save Kenya.
https://www.businessdailyafrica.com/economy/IEBC-contractor-gets-Sh6bn-deal-...
https://www.google.com/amp/s/www.businessdailyafrica.com/economy/Biometric-I...
On Thu, 14 Feb 2019, 17:46 Patrick A. M. Maina via kictanet, <kictanet@lists.kictanet.or.ke> wrote:
Listers,
On NIIMS, I believe the intentions are noble but the solution chosen hints at limited *cybersecurity awareness* in our national security / defense sector - which is a bit worrying.
I don't know if the teams involved considered the risks of concentrating that kind of *internationally valuable* data... In our current world, NIIMS will (guaranteed) *attract* and literally **invite** a deluge of *the most sophisticated cyber-attacks* from all sorts of places (including: untraceable state sponsored actors, international criminal networks, local corruption networks teaming up with international criminals etc)...
The reasoning behind this is the fact that the amount of *resources* expended towards cyber-crime is *directly proportional* to the perceived *value of the anticipated payoff*.
Hmm.. Just how valuable is an entire country's biometric ID and GPS linked database? What are the implications for the country if that kind of data falls into the wrong hands (or if the systems are infiltrated by some kind of ransom-ware with the help of insider collusion)?
*Can NIIMS be protected?*
No chance. *State sponsored intrusion* uses low-level attack vectors (e.g. *chip-level trojans* / *backdoors* or *DBEngine* / *OS / Driver level* backdoors etc. introduced at *OEM level*, sometimes without the OEM company itself being aware); such risks cannot be defended against unless you make - i.e. design and build, not just assemble - your own critical ICT components and have full control of your supply chain.
At this time, Kenya does not have - but can develop if it wishes - the *indigenous technical capacity* to protect and defend such a *super-high-value database*.
*Can the protection be outsourced (e.g. to friendly countries)?*
Yes, but *at what cost?* By doing so, Kenya (and any African country that adopts such tech without first developing indigenous capabilities) will technically be relinquishing whatever **national sovereignty** it currently has. This is because the government will have to place *100% reliance* and *faith* on the *benevolent intentions* and *altruistic protection* of a technologically advanced *supplier partner state* (typically the hardware and OS manufacturer's originating country)... and that is not a problem that can be solved by component diversification (because then it's a free-for-all), we will have little choice but to *choose a coloniser* to help us "protect" our national data (I think there are only three credible options: US, China or Russia). Looks like a tricky and unwise position for a non-aligned country/region to place itself in. Do we really want to checkmate ourselves geo-politically?
I urge our government to consider setting up *Holistic Analysis Units* in each Ministry (and even at county levels) to examine policies / proposals / ideas across *multiple subject domains* and identify *non-obvious factors* such as the risks of *unintended consequences* (to facilitate more robust decisions and outcomes). Good intentions do not always yield the intended positive outcomes; they can make the problem worse.
Will criminals and terrorists sign up to NIIMS? Can the government prevent insider corruption networks from selling or corrupting the data for a fee? Instead of solving identity problems NIIMS could lead to the creation of very complex and sophisticated identity crimes. In fact the original problems might never get solved (yet we will have introduced new problems and costly challenges).
Perhaps, at some point in future, an idea like NIIMS could make sense. Right now, I don't think it does.
Good day, Patrick.
On Thursday, February 14, 2019, 8:46:39 AM GMT+3, Grace Bomu via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Listers, Came across this presentation on NIIMS. It seems that the implementation does not envisage privacy. It is all from a traditional security and technology as a solution perspective.
Of course there are many other questions such as how this will be integrated with existing and recently collected biometric data such as the voter register, passport and immigration data.
Security should also include protection of our society's long term goals. We should have started with the data protection law. And even then, collection of DNA is a really big deal. Should we not discuss how it shall be done, by whom, for what purpose etc. before?
Regards
On Wed, 13 Feb 2019 at 19:11, Eshuchi Richard via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Misinformation galore.
To each his/her own though.
On Wed, 13 Feb 2019 at 15:11, Alice Munyua via kictanet < kictanet@lists.kictanet.or.ke> wrote:
https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-...
Last month, the Kenya Parliament passed a seriously concerning amendment to the country’s national ID law, making Kenya home to the most privacy-invasive national ID system in the world. The rebranded, National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents. NIIMS will consolidate information contained in other government agency databases and generate a unique identification number known as Huduma Namba.
It is hard to see how this system comports with the right to privacy articulated in Article 31 of the Kenyan Constitution. It is deeply troubling that these amendments passed without public debate, and were approved even as a data protection bill which would designate DNA and biometrics as sensitive data is pending.
Before these amendments, in order to issue the National ID Card (ID), the government only required name, date and place of birth, place of residence, and postal address. The ID card is a critical document that impacts everyday life, without it, an individual cannot vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights.
Mozilla strongly believes that no digital ID system should be implemented without strong privacy and data protection legislation. The proposed Data Protection Bill of 2018 which Parliament is likely to consider next month, is a strong and thorough framework that contains provisions relating to data minimization as well as collection and purpose limitation. If NIIMS is implemented, it will be in conflict with these provisions, and more importantly in conflict with Article 31 of the Constitution, which specifically protects the right to privacy.
Proponents of NIIMS claim that the system provides a number of benefits, such as accurate delivery of government services. These arguments also seem to conflate legal and digital identity. Legal ID used to certify one’s identity through basic data about one’s personhood (such as your name and the date and place of your birth) is a commendable goal. It is one of the United Nations Sustainable Development Goals 16.9 that aims “to provide legal identity for all, including birth registration by 2030”. However, it is important to remember this objective can be met in several ways. “Digital ID” systems, and especially those that involve sensitive biometrics or DNA, are not a necessary means of verifying identity, and in practice raise significant privacy and security concerns. The choice of whether to opt for a digital ID let alone a biometric ID therefore should be closely scrutinized by governments in light of these risks, rather than uncritically accepted as beneficial.
Security Concerns: The centralized nature of NIIMS creates massive security vulnerabilities. It could become a honeypot for malicious actors and identity thieves who can exploit other identifying information linked to stolen biometric data. The amendment is unclear on how the government will establish and institute strong security measures required for the protection of such a sensitive database. If there’s a breach, it’s not as if your DNA or retina can be reset like a password or token.
Surveillance Concerns: By centralizing a tremendous amount of sensitive data in a government database, NIIMS creates an opportunity for mass surveillance by the State. Not only is the collection of biometrics incredibly invasive, but gathering this data combined with transaction logs of where ID is used could substantially reduce anonymity. This is all the more worrying considering Kenya’s history of extralegal surveillance and intelligence sharing.
Ethnic Discrimination Concerns: The collection of DNA is particularly concerning as this information can be used to identify an individual’s ethnic identity. Given Kenya’s history of politicization of ethnic identity, collecting this data in a centralized database like NIIMS could reproduce and exacerbate patterns of discrimination.
The process was not constitutional
Kenya’s constitution requires public input before any new law can be adopted. No public discussions were conducted for this amendment. It was offered for parliamentary debate under “Miscellaneous” amendments, which exempted it from procedures and scrutiny that would have required introduction as a substantive bill and corresponding public debate. The Kenyan government must not implement this system without sufficient public debate and meaningful engagement to determine how such a system should be implemented if at all.
The proposed law does not provide people with the opportunity to opt in or out of giving their sensitive and precise data. The Constitution requires that all Kenyans be granted identification. However, if an individual were to refuse to turn over their DNA or other sensitive information to the State, as they should have the right to do, they could risk not being issued their identity or citizenship documents. Such a denial would contravene Articles 12, 13, and 14 of the Constitution.
Opting out of this system should not be used to discriminate or exclude any individual from accessing essential public services and exercising their fundamental rights.
Individuals must be in full control of their digital identities with the right to object to processing and use and withdraw consent. These aspects of control and choice are essential to empowering individuals in the deployment of their digital identities. Therefore policy and technical decisions must take into account systems that allow individuals to identify themselves rather than the system identifying them.
Mozilla urges the government of Kenya to suspend the implementation of NIIMS and we hope Kenyan members of parliament will act swiftly to pass the Data Protection Bill of 2018.
-- Regards, *Eshuchi Richard*
-- Grace Mutung'u Skype: gracebomu @Bomu PGP ID : 0x33A3450F
participants (8)
- Alice Munyua
- Barrack Otieno
- Ebele Okobi
- Eshuchi Richard
- Grace Bomu
- Mwendwa Kivuva
- Patrick A. M. Maina
- Victor Kapiyo