Government Moves to Have IEBC’s Servers Hosted Locally
The Independent Electoral and Boundaries Commission (IEBC) is among the government agencies that will be required to have its servers hosted locally if proposed regulations come into force.
The Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024 provide for the localization of the country’s critical information. The IEBC conducts critical operations that include voter registration and voting.
“An owner of critical information infrastructure shall ensure that the information is located in Kenya,” the proposed regulations state.
However, an owner of a critical information infrastructure who intends to have it located outside Kenya “shall apply to the National Computer and Cybercrime Coordination Committee” headed by a Director-General.
The committee shall then review the application and verify if it meets the security standards provided for in the Act, and shall issue its decision within 30 days of receipt of the application.
The regulations currently under public consultation are critical to the implementation of the Computer Misuse and Cybercrimes Act.
In considering a request for critical information to be located outside Kenya, the committee may scrutinize whether the security measures and safeguards applied to it meet the standards set out in the Act.
If approved in their current form, the regulations will address fears and allegations that the IEBC has previously allowed unauthorized access to its election servers to manipulate stored data, namely election results.
However, the regulations are designed to ensure that only authorized individuals have immediate access to critical information infrastructure in the event of a cybersecurity incident or during a compliance audit.
The regulations will serve to supplement the Data Protection (General) Regulations, which have been in draft form for more than two years, to protect against unauthorized access in the implementation of the Data Protection Act.
“A data controller or data processor who processes personal data to achieve a public good shall ensure that such processing is carried out through a server and data center located in Kenya,” the proposed regulation states.
Under the Data Protection Act, which came into force on November 8, 2019, IEBC is both a data controller and a data processor. It is a data controller because it is the custodian of the voters’ roll, and a data processor because it uses the voters’ roll in conducting elections in the country. The law further categorizes a voter register as personal data.
The management of electoral data, the voter register, and the transmission of election results has always been a contentious issue in the country’s electoral history.
For example, during the hearing of the 2017 presidential election petition at the Supreme Court, the IEBC refused to open its servers despite court orders.
At one point, Mr Paul Muite, acting for IEBC in the petition, confirmed to the court that IEBC’s servers in the 2017 polls were hosted in France and that it would take some time to open them.
At the time, OT Morpho, a French company that supplied the IEBC with the Kenya Integrated Election Management System (Kiems) used in the 2013 and 2017 elections, was hosting IEBC’s servers in France.
The IEBC’s failure to open the servers was one of the reasons the Supreme Court nullified the results of the August 8, 2017 presidential election. The court ordered that a fresh, fair, and credible presidential election be held on October 26, 2017.
However, on October 15, 2017, then Nasa presidential candidate Raila Odinga gave the IEBC conditions that he wanted to be met before he could participate in the fresh election.
Mr Odinga’s list of demands included the relocation of the IEBC server from France to Kenya.
However, the IEBC’s failure to meet this demand led to Mr Odinga boycotting the repeat presidential election because he was not guaranteed a fair and credible process.
The boycott negatively affected the image of the IEBC and the credibility of the election results.
Earlier, on September 8, 2017, Mr Odinga had written a protest letter to the French Embassy in Nairobi, requesting the French government to investigate OT Morpho for rigging the system in the August 2017 elections.
Mr Odinga alleged that the Paris-based IT firm was complicit and conspired to subvert the will of Kenyans by allowing its two employees to gain unauthorized access to IEBC servers.
He wanted the French embassy to prevail by preventing the two officers from interfering in Kenya’s elections.
The regulations also list 15 other critical infrastructure sectors. They are defense, education, civil administration, civil protection, public order and safety, environment, space, industry, transportation, financial services, health, food, water, ICT and energy.