Kenyan Elections and Alleged Hacking: A Look at the available evidence

Introduction

On 9th August, a day after Kenyans voted in the 2017 General Election, opposition presidential candidate Raila Odinga alleged that the Independent Electoral and Boundaries Commission (IEBC) database had been hacked and an algorithm set to ensure an 11% difference in favour of incumbent President, Uhuru Kenyatta at all levels of results transmission. To back up the claims, Mr. Odinga’s political party National Super Alliance (NASA) presented a log file apparently showing the details of the hack. These claims have been repeatedly denied by the electoral commission. On 11th August, the IEBC declared Uhuru Kenyatta as the winner of the election with 54.27% of votes cast with Raila Odinga coming in second with 44.74%.

In an attempt to respond to the hacking claims, this post asks three questions: How is technology used in Kenyan elections? Was the log file presented evidence of an attack that changed the outcome of the election? How could this file have been obtained? This post audits the logs as evidence within the context of Kenyan elections ecosystem.

Hacking Claims

Context setting: Kenyan elections and Technology

Kenya’s current election technology system has its history rooted in the 2007 post-election violence. After the incumbent president, Mwai Kibaki, was hastily sworn-in after a contested election outcome, violence rocked various parts of the country, followed by retaliations that spread out for weeks. By the time an international mediation team brought the opposing sides to the negotiation table, multiple post-election violence reports documented over one thousand deaths, hundreds of thousands displaced, and property worth billions of dollars destroyed.

Following the mediation talks, the Independent Review Commission of Inquiry on the General Elections held in Kenya on 27 December 2007 (IREC) was set up, chaired by South African Judge Johann Kriegler, to examine the December 2007 Kenyan elections from various perspectives. One of the main findings of the commission was that it was impossible to establish with certainty who won the presidential election. To that end, the Kriegler Commission, as it was commonly known, prescribed ‘an effective, transparent and efficient system’ for voting in Kenyan. This guiding principle was soon adopted when, in a referendum in 2010, Kenyan voters approved a new Constitution. The Constitution of Kenya 2010 and election-related laws that followed the new Constitution (such as the Elections Act of 2011) are intended to implement the Kriegler Commission’s prescriptions.

Subsequent legislative amendments to the Elections Act as well as policy decisions by IEBC resulted in the introduction of an election management system incorporating a biometric voter registration and verification, identification, and an electronic results transmission system. Biometric-based digital registers were added to the existing print versions, printed voters’ cards were scrapped, and a digital layer was added to the physical tallying and aggregation of results. These efforts were seen as the panacea to election-related mistrust and mischief by improving the speed of the process and by including redundancies in the tallying process.

During the 2013 elections, biometric technology was used at the voter registration phase (Biometric Voter Registration – BVR) and Electronic Voter Identification (EVID), while text messaging service (SMS) was used for the Electronic Results Transmission System (RTS). On voting day (March 4, 2013), significant percentages (55% of the 952 streams sampled) of the EVID collapsed, with such failures forcing election officials to resort to manual systems. Furthermore the transmission system and the database servers failed halfway into use. The losing party Coalition for Reforms and Democracy (CORD), led by Raila Odinga, claimed that there was rigging of the election and that the technology failure was intentional and meant to allow doctoring of results through loopholes in the manual system. The Supreme Court of Kenya rejected a petition filed by CORD with the vote rigging allegations, ushering in Uhuru Kenyatta’s inauguration as the fourth president of Kenya.

It was against this background that election technology for the 2017 General Elections was cast. Several improvements were made to the system, the most important of them being incorporation of all technology elements into one system, the Kenya Integrated Election Management System (KIEMS). To improve the resilience of the hardware component, backup batteries were provided and web-service servers were used in place of the static servers to handle high traffic from IEBC and interested parties visiting their servers.

On election day, most regions reported smooth operations on voter identification and results transmission, but still some polling stations had technical issues with biometric voter identification that delayed voting. Results were relayed directly from the polling stations to the IEBC servers for broadcast. At around 4AM on 9 August 2017, NASA rejected the incoming results being streamed via the IEBC online portal, which were broadcast by television and radio stations countrywide.

At around 10AM on 9th August, Raila Odinga alleged, in a press statement dubbed ‘We Got Them’, that on election day, unknown hackers had gained access to the IEBC computer system using the credentials of the commission’s ICT manager, Chris Msando. Mr. Msando had been tortured and killed in July, just weeks before the election, although his killer(s) remain unknown. According to the press statement, using Mr. Msando’s credentials, the hackers allegedly “loaded an algorithm” that allowed them to manipulate the results being transmitted from tallying centres around the country. To back up these claims, Mr. Odinga presented to the media a log file apparently showing the details of the hack. In the next section, we look at the logs released by Mr. Odinga line by line to verify the claims of elections hacking.

Database Log Audit Findings

Along with the statement “We Got Them” NASA published 52 photographed pages which they claimed to be a log from “IEBC’s Core Server” that allegedly demonstrated manipulation of the server. They presented no evidence to show where they had retrieved the log or that the log was in fact from an IEBC server.

The log appears to be from the error log of a Microsoft database server named “MSSQL Server 2008” executed in a virtual machine [0.2Check]. To enable us to review the logs in a coherent manner, we converted the images into text using the OCR tool tesseract to produce a noisy recreation of the text file that NASA printed and photographed. Using that file we produced a timeline from a chronological order using the timestamps in the file. All links point to that file.

The resulting file contains around 1300 lines – 148 kilobytes – of time stamped warnings and errors produced from the startup and normal execution of a database server inside of a virtual machine [0.1] from 12:08 am on August 8th to 04:43 [0.2] the morning of the election. There are a few important lines included in the log that fall outside of the period and demonstrate definitely that the logs were altered before they were published [2]. A normal unaltered MSSQL Server error log would not write timestamps out of order like we observed in the original files presented to the media by NASA.

Other than the rearrangement of timestamps and several failed login attempts the log contains nothing unusual or noteworthy from a normal startup of the server. The error logs record the configuration and initialization of 54 databases [3.1], some generic system messages [3], some warnings related to poor configuration of the virtual machine [3.2] and the execution of several stored procedures [4][5].

The majority of the log lines record warnings related to the non default configuration of what is called database pragma. These lines act as a warning for the administrator about non-default, potentially problematic configurations [6] [7CITE].

There were four failed login attempts during the time period. Two appeared to use the username of Wafula Chebukati [8] [9], the IEBC Chairperson, and another Chris Msando [9] — the slain ICT Manager.

These failed logins provide the basis for the first of the NASA’s evidence-backed claims.

5) “At about 12:37 pm on the 8th of August 2017 hackers gained into our election database through the identity of Chris Msando … into the account of the Mr. Chebukati Chairperson.”

The evidence offered does not support this claim for two reasons. First the log line to which this point must reference, ostensibly the login of ‘msando’ (the conjectured account of Chris Msando), shows that the login attempt was rejected.

08/03/2017 09:05:23,Logon,Unknown,Login failed for user ‘msando’. Reason: The password of the account must be changed. [CLIENT: <local machine>]

If the login did succeed, immediately after the following line would have appeared [10 pg 18].

08/03/2017 XX:XX:XX,Logon,Unknown,Login succeeded for user ‘msando’ Connection: [Client: <local machine>]

Secondly, the timestamp of the failed login attempt indicates that it was created on August 3rd, while the timestamps of the failed login attempts for the users CheBukati [8] and chebukati [9] instead occur later after the proposed hack was stated to have occurred.

So, it is clear that these supposed logins did not occur as asserted in the press release, and the further claims that benign log lines demonstrate those errors are also untrue.

6) “They [the hackers] created errors into the IEBC Core Server (as highlighted at Page 2 of the document annexed to this statement) ..

These errors as previously mentioned are simply warnings produced by the database server [14]. The inaccurate and intentionally misleading statements continue throughout section 6, which contains the substance of NASA’s claims.

  1. a) “At 12:38 pm they introduced several progammes (xpstar.dll version 2009) to execute stored procedures in the library and the memory of the IEBC database intended to manipulate data.”

The xp_star.dll is a shared library that has been included in MSSql Server’s since 2000 [14.1] and the program that it runs, the stored procedure xp_instance_regread, finds the path on the file system where the database register is located [14.2] [14.3].

  1. b) “At 12:38 pm they loaded an algorithm which is a formula to create a percentage gap of 11 percent between our numbers in the presidential race”

There are only two other stored procedures that run at 12:38 pm, xp_qv [15.1] and xp_msver [15.2]. So the algorithm that produced this 11% difference must be one of them. According to Microsoft, the procedure xp_msver provides version information about the server [15]. The procedure xp_qv checks that the license is still valid [16] [16.1].

Thus there is nothing in the six log lines from 12:38 PM that indicates a command was executed that systematically manipulated the results stored in the database. If NASA intended to substantiate their claim, providing the volatile database files, the transaction log and database files would perhaps have been enough evidence for forensic investigators to substantiate this claim [16.3 pg 11]. Six error log lines is insufficient.

Points 6.c through 6.h all make very similar claims about database options used by the “hackers” for nefarious purposes. Each one of these claims is misleading and incorrect. Here are the five best ones:

Setting Value Documented meaning Claimed meaning
DATE_CORRELATION_OPTIMIZATION OFF Do not optimize queries that search date ranges. OFF is actually the default value. src They effectively disabled the system from detecting date and time.
AUTO_UPDATE_STATISTICS OFF Turns off a process called indexing which can speed up database performance. src This made sure that records sent from the field would not be reflecting on the system.
DISABLE_BROKER ON Turns off messaging queues for attached applications. src This was to disable the database from tracking the events happening in the database.
RECURSIVE_TRIGGERS OFF Guarantees that searches and updates to a database cannot be nested. src Switching those off ensures that the database would not keep record of anything.
AUTO_CREATE_STATISTICS ON Improves query planning by generating database indexes automatically. src .. enable their programme to traverse the database updating it with their set and desired values to avoid trace.

It is plainly visible that each of the claimed functions of these settings is imagined. The author of the press release goes on to extrapolate that these ‘malicious’ database options are then used to alter the results stored in all the other counties.

7) “Within just 12 hours, this attack on our democracy affected the Presidential Elections in all of the 47 Counties…”

As we have plainly shown, the evidence provided does not demonstrate a 12 hour attack . Further, the log does not even cover a 12 hour period. It either is a range of 3.5 hours [18.3] [18.4] or 153 hours, depending on whether or not we count the extra out of bounds lines [18.1] [18.2].

In summary, the audit suggests that the claims of hacking based on the provided log are untrue. The log and argument presented by NASA as evidence of election hacking is invalid because:

  1. NASA never demonstrated that the provided log is actually from an IEBC machine or that the IEBC uses MSSQL Server to tabulate the voting results.
  2. A normal unaltered MSSQL Server error log would not write timestamps out of order.
  3. The supposed logins did not occur and NASA’s further claims that benign log lines demonstrate those errors are untrue.
  4. The usage of the stored commands (xp_star.dll) on startup is a routine function call, not a malicious program as NASA claims.
  5. There are multiple inconsistencies between stated claims and provided evidence, like the duration of the attack and the misrepresentation of facts in sections 6c through 6h.

This however does not in any way rule out hacking, since there has been no access granted to the IEBC database or election documents for a comprehensive audit. This analysis simply states the logs presented are not proof of any hacking.

How were these logs obtained? A Hypothesis

Others have stated that the leaked documents are fabricated, and as stated above we believe that the logs have (at minimum) been altered. This warrants a theory as to how exactly the logs were obtained.

The database server seems to represent the storage of a component of an application to track the publication of the form 34A’s during the presidential election. Further, in a later statement, NASA’s claimed count of total electoral votes (8.04M for Raila Odinga, 7.7M for Uhuru Kenyatta) was disputed by the IEBC, observing that those totals from NASA neglected to count the Diaspora Vote and those of the incarcerated population.

As noted above the databases purported to be “IEBC’s Master Server” is also notably lacking a database to tabulate the results from voters uncounted from a specific county. This could be evidence that the published error log is in fact an error log from NASA’s own database and it would suggest that at least one person within NASA intentionally fabricated the published log.

Conclusions and Recommendations

Kenyan elections have explicit provision on how technology is to be used in an election, from voter registration, identification and transmission of results. Voting is manual and so is tallying. With hacking claims supposedly targeting the transmission, storage and publication of results, the fall-back to the manual paper trail is necessary.

Our preliminary analysis rules out hacking based on the evidence presented. Indeed we have postulated a hypothesis that the logs may have been fabricated, published and presented to the public. This should not be taken to mean the IEBC may not have been hacked. We are not in a position to make such a conclusion, as it requires access to the election system which we do not have. With the presidential election headed for a decision from the Supreme Court, and with NASA insisting on electronic tampering of results, the authors are of the opinion that a comprehensive audit of the system be done in a transparent manner to ensure the hacking claims are denied or confirmed from an evidence-led conversation.

As technology is increasingly integrated into election systems and processes, it is logical that election actors (in this case the IEBC, political parties, media organizations, and election observers) recruit competent ICT observers to match with the elections timeline (procurement, verification, polling and post-election phases). This will ensure technical components of the elections are adequately considered.

 

 


About the Authors

Moses Karanja is an information controls researcher at Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya.

Nick Skelsey is the Lead Developer at The Hermes Center for Transparency and Digital Human Rights, Italy.

Quick Thoughts on Biometrics, General Elections and Security in Kenya

By Francis Monyango**

In 1927, Liberian opposition presidential candidate Thomas J Faulkner was confident of unseating the incumbent in the general elections. The Faulkner-led People’s Party had marshalled support from all corners of the country and across all classes of people. On Election Day, Faulkner received 9,000 votes in what was supposed to be a landslide win. In the end, Faulkner lost to the incumbent Charles D. B. King who received 243,000 votes in an election with only 15,000 registered voters! Charles D.B. King’s script has been replicated in many African states and in the year 2007, it was replicated in Kenya.

Continue reading

A Review of the Communications Authority Guidelines for Dissemination of Political SMS Text Messages and Social Media Content

By Francis Monyango**

In the run-up to the 2013 elections, Safaricom announced that it would control political messaging distributed via its network. This measure was put in place to avoid unnecessary attacks on individuals, their families and ethnic communities. The giant mobile network operator wanted to ensure that the bulk political SMS sent through its platform would not fall foul of the laws of Kenya. By publishing its own guidelines on bulk SMS of a political nature, Safaricom was working within its legal boundaries of leverage. This move was inspired by the Electoral Code of Conduct, which was part of the 2011 Elections Act that specifically prohibited hate speech in political campaigns. These guidelines were met by furor from the political class but the media peace campaigns drowned their voices.

Continue reading

Recap: Day 2 of JKUAT Conference on Protection of Intellectual Property Rights

Editor’s Note: For a recap of Day 1, please see here.

The final day of the #JKUATLawIP conference was kicked off by Shirley Genga, a law lecturer at Jomo Kenyatta University of Agriculture and Technology (JKUAT), who spoke on protecting intellectual property rights in big data with a focus on Kenya. Genga noted that in the absence of any formal legal regime for big data, the existing laws of contract as well as copyright protection will have to suffice. For a discussion of the question of IP and database rights protection, please see this blogger’s post here. Next up was James Tugee from Hamilton, Harrison & Mathews, Advocates who made a case for legislation of the right to publicity in Kenya.

Continue reading

Treatment of Cyberbullying in Kenya’s new Computer and Cybercrimes Act

By Rosine Mumanya**

Cyberbullying in Kenya is an issue that can no longer be ignored. In the digital age, some argue that not enough attention is given to this issue, until social media users who are victims of cyberbulling end up hurting themselves or even taking their own lives. In the fight against all forms of cybercrime including cyber-bullying, Kenya has been working on the Computer and Cybercrimes Bill of 2016 which was enacted in April 2017. An overview of the Bill was published previously on this blog here.

Continue reading

Recap: Day 1 of JKUAT Conference on Protection of Intellectual Property Rights

Nestled in the leafy suburbs of Karen lies Jomo Kenyatta University of Agriculture and Technology (JKUAT) School of Law on the outskirts of Nairobi. On this chilly Thursday morning of 13th July 2017, JKUAT School of Law was making history: it’s first ever law conference! The theme chosen for this inaugural conference was: “Protecting Intellectual Property Rights: Justifications, Prospects and Challenges” (the official twitter hashtag for the conference is #JKUATLawIP). In the midst of this blogger’s moment of deja-vu over CIPIT’s inaugural conference way back in 2012, the JKUAT Management kicked off the conference with welcoming remarks that immediately began to raise eyebrows.

Continue reading

Big Data and Microfinance in Kenya: Privacy Concerns in Alternative Credit Scoring Models

By Mercy King’ori**

The era of digitisation has ushered in the development of many new technologies that have improved the way in which business is undertaken. One such improvement is in the area of data. Data-driven companies are likely to be the most competitive in this current era. This has attracted efforts from the government and private sector in collecting and sharing data from various sectors. There is a lot of personally identifiable information that is collected and archived in data stores; all of which is taking place in a regulatory environment devoid of a national data protection law.

Continue reading

Renewing the Call for a National Intellectual Property Strategy in Kenya

In a recent article by Dr Isaac Rutenberg and yours truly published in the Journal of Culture, Arts and Performance (JAHAZI) here we look at Kenya’s long journey towards a national intellectual property (IP) policy and strategy. It is argued that such a policy and strategy must be aligned with development priorities and socio-economic realities of Kenya and her people. The journey begins in 2005 when World Intellectual Property Organization (WIPO) commissioned an IP audit in Kenya to assess the prevailing situation of the IP system in Kenya making findings on strengths and weaknesses that would be used to develop a national intellectual property policy and strategy. Although the final audit report was prepared and submitted by WIPO to the Kenya government in 2006, the formulation of a national IP policy and strategy has never been formally completed with the last known attempts dating back five years.

Continue reading

New CIPIT Research: An Assessment of the Evolution of Kenya’s ICT Law and Policy Framework

An article by CIPIT researchers Dr. Isaac Rutenberg, Douglas Gichuki and Arthur Gwagwa titled: “Historical Antecedents and Paradoxes that Shaped Kenya’s Contemporary Information and Communication Technology Policies” has recently been published in the Harvard Africa Policy Journal available here. In the article, the authors retrace Kenya’s 5 decade long journey from independence to its present ‘Silicon Savannah’ status. Through an analysis of legislative and policy reforms in the area of information and communication technology (ICT), the authors argue that although Kenya has come a long way in introducing liberal market reforms that have immensely benefited the technology sector, policy challenges remain. In particular, the authors note as signs of relapse the passing of certain laws and introduced measures that restrict civil liberties, ostensibly as anti-terrorism measures, as well as to diffuse ethnic tensions.

Continue reading

“Making” Knowledge for Innovation and Development: Researching Kenyan Makerspaces

Kenya’s vibrant technology sector is known for its innovations in software. The successes of M-PESA, a widely used mobile money transfer platform, and Ushahidi, a global crowdsourcing mapping app, has drawn international attention to the Kenyan startup scene. Supporting the startup scene are a number of tech hubs, incubators, and accelerators.

Software, however, can only be as innovative as the hardware it runs on. A growing network of makerspaces are training Kenyan innovators in the knowledge and skills to manufacture disruptive hardware solutions. What is the story of makerspaces in Kenya? What supports are available for hardware-based innovators? How effective are these makerspaces at promoting innovation? What methods are innovators using to share and protect their ideas?

Continue reading