Impact of Military-Led Information Controls on Democracy: Anatomy of Zimbabwe Coup

by Arthur Gwagwa**

The Zimbabwean military’s re-framing of its recent coup as a constitutionally-mandated power transfer, rather than an illegal seizure of power, is a clear example of the impact that authority-led information manipulation has on the public during popular uprisings. In the case of Zimbabwe, rather than cutting access to information and communication, the military allowed information to flow freely online, but carefully controlled the discourse and opinions expressed in the public space. Crucially, it used soft power to project an image of harmonious civilian-military relations, which was key to ensuring local and global acceptance of the coup.

Continue reading

Internet Service Providers to be Enlisted in Fight Against Piracy in Kenya

By Mercy Mutemi**

The world over, copyright owners have resigned to the reality that is it is now harder to protect their copyright over the internet in the age of the BitTorrent network, indexing sites and streaming sites. Indeed legislation is in place recognizing and protecting the economic and moral rights of authors, yet enforcing such protection remains elusive. It is no wonder then that countries are looking to ISPs to uphold copyright protection given the key role they play in availability of content.  Kenya has not been left behind- the recently published Copyright (Amendment) Bill, 2017 is set to co-opt ISPs in the fight against piracy.

The Bill is available online here.

Continue reading

Internet Speed Throttling Surrounding Repeat Election?

On the eve of the fresh presidential elections in Kenya, Internet users reported slow Internet speeds while accessing social media and streaming platforms.1 Network performance fluctuates, especially when more subscribers come online, for example during major events. That ISPs have the capability to discretely throttle their users’ bandwidth is no secret, justified as de-congesting the network or for pressing clients towards more expensive plans, a major contention of the net neutrality principle. Throttling has also been used to control information during political processes. There are documented instances of throttling being used to limit the exchange of multimedia over social media during protests across the world.2 In Kenya, if the claims made on the eve of elections were to be confirmed, they would amount to limitations of freedom of speech online, a right entrenched in Article 33 of the Constitution.  

Continue reading

A Review of the Computer and Cybercrimes Bill, 2017: Offenses

By Francis Monyango

The question of how prepared Kenya is to deal with cybercrimes can no longer be wished away. Cybercrimes not only cause damage; they leave their victims embarrassed and for corporates, their reputations tarnished . Hence, not so many incidences are reported by the victims. To address this issue, the National Assembly Majority Leader Hon. Aden Duale sponsored the Computer and Cybercrimes Bill in June, 2017. It is a major improvement from the two cybercrime bills that were published by Senate and the National Assembly last year.

Continue reading

Is Kenya Ready for Unique Identifiers? Part I

By Francis Monyango

It is reported that some 1.6 million students have registered to sit for the Kenya Certificate of Primary Education (KCPE) and Kenya Certificate of Secondary Education (KCSE) examinations in October 2017. As always, preparations for these examinations involves stringent security measures to curb cheating. Beyond cheating, forgery of academic degree certificates and other official documents is also on the rise. To fight this vice, the government has put various measures in place, the latest being introducing a six- character Unique Personal Identifier (UPI). This UPI will be linked to an electronic database with the educational records of all individuals from primary school up to university level. Other than blocking exam cheats and fake certificate fraudsters, the UPI will also be used to curb the theft of public funds by eliminating ‘ghost’ teachers and inflated student enrollment figures.

Continue reading

Kenyan Elections and Alleged Hacking: A Look at the available evidence


On 9th August, a day after Kenyans voted in the 2017 General Election, opposition presidential candidate Raila Odinga alleged that the Independent Electoral and Boundaries Commission (IEBC) database had been hacked and an algorithm set to ensure an 11% difference in favour of incumbent President, Uhuru Kenyatta at all levels of results transmission. To back up the claims, Mr. Odinga’s political party National Super Alliance (NASA) presented a log file apparently showing the details of the hack. These claims have been repeatedly denied by the electoral commission. On 11th August, the IEBC declared Uhuru Kenyatta as the winner of the election with 54.27% of votes cast with Raila Odinga coming in second with 44.74%.

In an attempt to respond to the hacking claims, this post asks three questions: How is technology used in Kenyan elections? Was the log file presented evidence of an attack that changed the outcome of the election? How could this file have been obtained? This post audits the logs as evidence within the context of Kenyan elections ecosystem.

Hacking Claims

Context setting: Kenyan elections and Technology

Kenya’s current election technology system has its history rooted in the 2007 post-election violence. After the incumbent president, Mwai Kibaki, was hastily sworn-in after a contested election outcome, violence rocked various parts of the country, followed by retaliations that spread out for weeks. By the time an international mediation team brought the opposing sides to the negotiation table, multiple post-election violence reports documented over one thousand deaths, hundreds of thousands displaced, and property worth billions of dollars destroyed.

Following the mediation talks, the Independent Review Commission of Inquiry on the General Elections held in Kenya on 27 December 2007 (IREC) was set up, chaired by South African Judge Johann Kriegler, to examine the December 2007 Kenyan elections from various perspectives. One of the main findings of the commission was that it was impossible to establish with certainty who won the presidential election. To that end, the Kriegler Commission, as it was commonly known, prescribed ‘an effective, transparent and efficient system’ for voting in Kenyan. This guiding principle was soon adopted when, in a referendum in 2010, Kenyan voters approved a new Constitution. The Constitution of Kenya 2010 and election-related laws that followed the new Constitution (such as the Elections Act of 2011) are intended to implement the Kriegler Commission’s prescriptions.

Subsequent legislative amendments to the Elections Act as well as policy decisions by IEBC resulted in the introduction of an election management system incorporating a biometric voter registration and verification, identification, and an electronic results transmission system. Biometric-based digital registers were added to the existing print versions, printed voters’ cards were scrapped, and a digital layer was added to the physical tallying and aggregation of results. These efforts were seen as the panacea to election-related mistrust and mischief by improving the speed of the process and by including redundancies in the tallying process.

During the 2013 elections, biometric technology was used at the voter registration phase (Biometric Voter Registration – BVR) and Electronic Voter Identification (EVID), while text messaging service (SMS) was used for the Electronic Results Transmission System (RTS). On voting day (March 4, 2013), significant percentages (55% of the 952 streams sampled) of the EVID collapsed, with such failures forcing election officials to resort to manual systems. Furthermore the transmission system and the database servers failed halfway into use. The losing party Coalition for Reforms and Democracy (CORD), led by Raila Odinga, claimed that there was rigging of the election and that the technology failure was intentional and meant to allow doctoring of results through loopholes in the manual system. The Supreme Court of Kenya rejected a petition filed by CORD with the vote rigging allegations, ushering in Uhuru Kenyatta’s inauguration as the fourth president of Kenya.

It was against this background that election technology for the 2017 General Elections was cast. Several improvements were made to the system, the most important of them being incorporation of all technology elements into one system, the Kenya Integrated Election Management System (KIEMS). To improve the resilience of the hardware component, backup batteries were provided and web-service servers were used in place of the static servers to handle high traffic from IEBC and interested parties visiting their servers.

On election day, most regions reported smooth operations on voter identification and results transmission, but still some polling stations had technical issues with biometric voter identification that delayed voting. Results were relayed directly from the polling stations to the IEBC servers for broadcast. At around 4AM on 9 August 2017, NASA rejected the incoming results being streamed via the IEBC online portal, which were broadcast by television and radio stations countrywide.

At around 10AM on 9th August, Raila Odinga alleged, in a press statement dubbed ‘We Got Them’, that on election day, unknown hackers had gained access to the IEBC computer system using the credentials of the commission’s ICT manager, Chris Msando. Mr. Msando had been tortured and killed in July, just weeks before the election, although his killer(s) remain unknown. According to the press statement, using Mr. Msando’s credentials, the hackers allegedly “loaded an algorithm” that allowed them to manipulate the results being transmitted from tallying centres around the country. To back up these claims, Mr. Odinga presented to the media a log file apparently showing the details of the hack. In the next section, we look at the logs released by Mr. Odinga line by line to verify the claims of elections hacking.

Database Log Audit Findings

Along with the statement “We Got Them” NASA published 52 photographed pages which they claimed to be a log from “IEBC’s Core Server” that allegedly demonstrated manipulation of the server. They presented no evidence to show where they had retrieved the log or that the log was in fact from an IEBC server.

The log appears to be from the error log of a Microsoft database server named “MSSQL Server 2008” executed in a virtual machine [0.2Check]. To enable us to review the logs in a coherent manner, we converted the images into text using the OCR tool tesseract to produce a noisy recreation of the text file that NASA printed and photographed. Using that file we produced a timeline from a chronological order using the timestamps in the file. All links point to that file.

The resulting file contains around 1300 lines – 148 kilobytes – of time stamped warnings and errors produced from the startup and normal execution of a database server inside of a virtual machine [0.1] from 12:08 am on August 8th to 04:43 [0.2] the morning of the election. There are a few important lines included in the log that fall outside of the period and demonstrate definitely that the logs were altered before they were published [2]. A normal unaltered MSSQL Server error log would not write timestamps out of order like we observed in the original files presented to the media by NASA.

Other than the rearrangement of timestamps and several failed login attempts the log contains nothing unusual or noteworthy from a normal startup of the server. The error logs record the configuration and initialization of 54 databases [3.1], some generic system messages [3], some warnings related to poor configuration of the virtual machine [3.2] and the execution of several stored procedures [4][5].

The majority of the log lines record warnings related to the non default configuration of what is called database pragma. These lines act as a warning for the administrator about non-default, potentially problematic configurations [6] [7CITE].

There were four failed login attempts during the time period. Two appeared to use the username of Wafula Chebukati [8] [9], the IEBC Chairperson, and another Chris Msando [9] — the slain ICT Manager.

These failed logins provide the basis for the first of the NASA’s evidence-backed claims.

5) “At about 12:37 pm on the 8th of August 2017 hackers gained into our election database through the identity of Chris Msando … into the account of the Mr. Chebukati Chairperson.”

The evidence offered does not support this claim for two reasons. First the log line to which this point must reference, ostensibly the login of ‘msando’ (the conjectured account of Chris Msando), shows that the login attempt was rejected.

08/03/2017 09:05:23,Logon,Unknown,Login failed for user ‘msando’. Reason: The password of the account must be changed. [CLIENT: <local machine>]

If the login did succeed, immediately after the following line would have appeared [10 pg 18].

08/03/2017 XX:XX:XX,Logon,Unknown,Login succeeded for user ‘msando’ Connection: [Client: <local machine>]

Secondly, the timestamp of the failed login attempt indicates that it was created on August 3rd, while the timestamps of the failed login attempts for the users CheBukati [8] and chebukati [9] instead occur later after the proposed hack was stated to have occurred.

So, it is clear that these supposed logins did not occur as asserted in the press release, and the further claims that benign log lines demonstrate those errors are also untrue.

6) “They [the hackers] created errors into the IEBC Core Server (as highlighted at Page 2 of the document annexed to this statement) ..

These errors as previously mentioned are simply warnings produced by the database server [14]. The inaccurate and intentionally misleading statements continue throughout section 6, which contains the substance of NASA’s claims.

  1. a) “At 12:38 pm they introduced several progammes (xpstar.dll version 2009) to execute stored procedures in the library and the memory of the IEBC database intended to manipulate data.”

The xp_star.dll is a shared library that has been included in MSSql Server’s since 2000 [14.1] and the program that it runs, the stored procedure xp_instance_regread, finds the path on the file system where the database register is located [14.2] [14.3].

  1. b) “At 12:38 pm they loaded an algorithm which is a formula to create a percentage gap of 11 percent between our numbers in the presidential race”

There are only two other stored procedures that run at 12:38 pm, xp_qv [15.1] and xp_msver [15.2]. So the algorithm that produced this 11% difference must be one of them. According to Microsoft, the procedure xp_msver provides version information about the server [15]. The procedure xp_qv checks that the license is still valid [16] [16.1].

Thus there is nothing in the six log lines from 12:38 PM that indicates a command was executed that systematically manipulated the results stored in the database. If NASA intended to substantiate their claim, providing the volatile database files, the transaction log and database files would perhaps have been enough evidence for forensic investigators to substantiate this claim [16.3 pg 11]. Six error log lines is insufficient.

Points 6.c through 6.h all make very similar claims about database options used by the “hackers” for nefarious purposes. Each one of these claims is misleading and incorrect. Here are the five best ones:

Setting Value Documented meaning Claimed meaning
DATE_CORRELATION_OPTIMIZATION OFF Do not optimize queries that search date ranges. OFF is actually the default value. src They effectively disabled the system from detecting date and time.
AUTO_UPDATE_STATISTICS OFF Turns off a process called indexing which can speed up database performance. src This made sure that records sent from the field would not be reflecting on the system.
DISABLE_BROKER ON Turns off messaging queues for attached applications. src This was to disable the database from tracking the events happening in the database.
RECURSIVE_TRIGGERS OFF Guarantees that searches and updates to a database cannot be nested. src Switching those off ensures that the database would not keep record of anything.
AUTO_CREATE_STATISTICS ON Improves query planning by generating database indexes automatically. src .. enable their programme to traverse the database updating it with their set and desired values to avoid trace.

It is plainly visible that each of the claimed functions of these settings is imagined. The author of the press release goes on to extrapolate that these ‘malicious’ database options are then used to alter the results stored in all the other counties.

7) “Within just 12 hours, this attack on our democracy affected the Presidential Elections in all of the 47 Counties…”

As we have plainly shown, the evidence provided does not demonstrate a 12 hour attack . Further, the log does not even cover a 12 hour period. It either is a range of 3.5 hours [18.3] [18.4] or 153 hours, depending on whether or not we count the extra out of bounds lines [18.1] [18.2].

In summary, the audit suggests that the claims of hacking based on the provided log are untrue. The log and argument presented by NASA as evidence of election hacking is invalid because:

  1. NASA never demonstrated that the provided log is actually from an IEBC machine or that the IEBC uses MSSQL Server to tabulate the voting results.
  2. A normal unaltered MSSQL Server error log would not write timestamps out of order.
  3. The supposed logins did not occur and NASA’s further claims that benign log lines demonstrate those errors are untrue.
  4. The usage of the stored commands (xp_star.dll) on startup is a routine function call, not a malicious program as NASA claims.
  5. There are multiple inconsistencies between stated claims and provided evidence, like the duration of the attack and the misrepresentation of facts in sections 6c through 6h.

This however does not in any way rule out hacking, since there has been no access granted to the IEBC database or election documents for a comprehensive audit. This analysis simply states the logs presented are not proof of any hacking.

How were these logs obtained? A Hypothesis

Others have stated that the leaked documents are fabricated, and as stated above we believe that the logs have (at minimum) been altered. This warrants a theory as to how exactly the logs were obtained.

The database server seems to represent the storage of a component of an application to track the publication of the form 34A’s during the presidential election. Further, in a later statement, NASA’s claimed count of total electoral votes (8.04M for Raila Odinga, 7.7M for Uhuru Kenyatta) was disputed by the IEBC, observing that those totals from NASA neglected to count the Diaspora Vote and those of the incarcerated population.

As noted above the databases purported to be “IEBC’s Master Server” is also notably lacking a database to tabulate the results from voters uncounted from a specific county. This could be evidence that the published error log is in fact an error log from NASA’s own database and it would suggest that at least one person within NASA intentionally fabricated the published log.

Conclusions and Recommendations

Kenyan elections have explicit provision on how technology is to be used in an election, from voter registration, identification and transmission of results. Voting is manual and so is tallying. With hacking claims supposedly targeting the transmission, storage and publication of results, the fall-back to the manual paper trail is necessary.

Our preliminary analysis rules out hacking based on the evidence presented. Indeed we have postulated a hypothesis that the logs may have been fabricated, published and presented to the public. This should not be taken to mean the IEBC may not have been hacked. We are not in a position to make such a conclusion, as it requires access to the election system which we do not have. With the presidential election headed for a decision from the Supreme Court, and with NASA insisting on electronic tampering of results, the authors are of the opinion that a comprehensive audit of the system be done in a transparent manner to ensure the hacking claims are denied or confirmed from an evidence-led conversation.

As technology is increasingly integrated into election systems and processes, it is logical that election actors (in this case the IEBC, political parties, media organizations, and election observers) recruit competent ICT observers to match with the elections timeline (procurement, verification, polling and post-election phases). This will ensure technical components of the elections are adequately considered.



About the Authors

Moses Karanja is an information controls researcher at Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya.

Nick Skelsey is the Lead Developer at The Hermes Center for Transparency and Digital Human Rights, Italy.

Quick Thoughts on Biometrics, General Elections and Security in Kenya

By Francis Monyango**

In 1927, Liberian opposition presidential candidate Thomas J Faulkner was confident of unseating the incumbent in the general elections. The Faulkner-led People’s Party had marshalled support from all corners of the country and across all classes of people. On Election Day, Faulkner received 9,000 votes in what was supposed to be a landslide win. In the end, Faulkner lost to the incumbent Charles D. B. King who received 243,000 votes in an election with only 15,000 registered voters! Charles D.B. King’s script has been replicated in many African states and in the year 2007, it was replicated in Kenya.

Continue reading

A Review of the Communications Authority Guidelines for Dissemination of Political SMS Text Messages and Social Media Content

By Francis Monyango**

In the run-up to the 2013 elections, Safaricom announced that it would control political messaging distributed via its network. This measure was put in place to avoid unnecessary attacks on individuals, their families and ethnic communities. The giant mobile network operator wanted to ensure that the bulk political SMS sent through its platform would not fall foul of the laws of Kenya. By publishing its own guidelines on bulk SMS of a political nature, Safaricom was working within its legal boundaries of leverage. This move was inspired by the Electoral Code of Conduct, which was part of the 2011 Elections Act that specifically prohibited hate speech in political campaigns. These guidelines were met by furor from the political class but the media peace campaigns drowned their voices.

Continue reading

Recap: Day 2 of JKUAT Conference on Protection of Intellectual Property Rights

Editor’s Note: For a recap of Day 1, please see here.

The final day of the #JKUATLawIP conference was kicked off by Shirley Genga, a law lecturer at Jomo Kenyatta University of Agriculture and Technology (JKUAT), who spoke on protecting intellectual property rights in big data with a focus on Kenya. Genga noted that in the absence of any formal legal regime for big data, the existing laws of contract as well as copyright protection will have to suffice. For a discussion of the question of IP and database rights protection, please see this blogger’s post here. Next up was James Tugee from Hamilton, Harrison & Mathews, Advocates who made a case for legislation of the right to publicity in Kenya.

Continue reading

Treatment of Cyberbullying in Kenya’s new Computer and Cybercrimes Act

By Rosine Mumanya**

Cyberbullying in Kenya is an issue that can no longer be ignored. In the digital age, some argue that not enough attention is given to this issue, until social media users who are victims of cyberbulling end up hurting themselves or even taking their own lives. In the fight against all forms of cybercrime including cyber-bullying, Kenya has been working on the Computer and Cybercrimes Bill of 2016 which was enacted in April 2017. An overview of the Bill was published previously on this blog here.

Continue reading