Hard questions Huduma Namba needs to tackle

Residents are registered for Huduma Namba at Mombasa Huduma Centre on May 15, 2019. PHOTO | FILE | NATION MEDIA GROUP

What you need to know:

  • It would be totally unwise and irresponsible to give the benefit of doubt to a foreign supplier when it comes to handling sensitive national data.
  • Given the sensitivity of data collected in Huduma, all Huduma Namba staff should be required to attend mandatory information security training and obtain security clearance prior to their assignment.

The recent Huduma Namba mass registration continues to ignite debate on the government’s approach and security of the personal data collected.

Initial concerns arose from the apparent rush to launch the registration before a comprehensive legal framework was established.

International best practices recommend that the collection and holding of personal data must be regulated by law, which must also provide an effective remedy for individuals whose privacy may be violated.

Accordingly, the Huduma Bill, introduced in July this year, should have preceded the mass registration.

The bill does not expressly state whether Huduma Namba will supersede or co-exist with the Integrated Population Registration System since the two have similar objectives.

Although the bill proposes seemingly hefty financial penalties for various offences, it does not provide remedies for acts violating the rights to privacy granted by Article 31(c) of the Constitution.

CUSTODIAN

It is unclear why the initial Huduma Namba registration was created under the National Registration Bureau (NRB) instead of the more recent Kenya Citizens and Foreign Nationals Management Service Act (KCFNMSA).

Incidentally, the Huduma Bill also proposes to repeal the KCFNMSA, a statute that was hardly implemented despite being put in place by the 2010 Constitution.

Neither the board envisaged by the said Act nor the Director-General was appointed. It is not clear which agency will be the custodian of the records collected under Huduma Namba.

The KCFNMSA Board was meant to be independent from the Interior ministry, both in terms of decision making and legal personality.

Furthermore, the bill curiously vests all responsibility for its implementation on the Principal Secretary; presumably the author of the bill in the first place.

SECURITY FACTORS

Why would the Interior Principal Secretary be so keen in administering the database of Kenyans’ personal details to the exclusion of everyone else?

Why was KCFNMSA, developed by the Commission on the Implementation of the Constitution, not implemented since its enactment more than eight years ago?

It is standard practice that security factors should be considered in evaluating and selecting technology vendors. This is done to provide assurance that the supplied technology products function as intended.

It is public knowledge that the hardware components for Huduma Namba were single-sourced from IDEMIA Public Security & Identity, a French company with a seemingly enviable flair for clinching lucrative government contracts without breaking a sweat.

Unsurprisingly, national security concerns have recently prompted some Western governments to restrict the deployment of some foreign-supplied technologies in their critical national infrastructure.

CERTIFICATION
In the case of Huduma, the creation of a centralised database of the country’s resident population, with their biometric data, creates a potential goldmine for hackers, including nation-state actors, which necessitates extra due diligence against the foreign supplier.

The use of custom hardware can introduce new security risks that must be extensively investigated and mitigated.

So far, there has been no public disclosure as to whether the custom Huduma devices went through any rigorous independent security testing and certification.

It would be totally unwise and irresponsible to give the benefit of doubt to a foreign supplier when it comes to handling sensitive national data.

At a minimum, the vendor should have provided evidence of certification, issued by a competent third-party authority, for their technology against known security standards, and the government should have publicly disclosed such information in its rejoinders to criticisms of the process.

RIGHT TO INFORMATION

The software, too, ought to have been independently and openly tested.

The public deserves to know what factors were considered in selecting the vendor, as well as whether and how the obligations of the parties regarding identity theft liability, ownership, control of and access to personal data were addressed.

This is especially critical given that biometrics, once compromised, unlike PINs and passwords, cannot be replaced or changed.

Furthermore, the recent move by Parliament to bar the vendor from doing business in Kenya, if ratified, could have serious implications. If new vulnerabilities are discovered in their hardware, who will fix them?

The Huduma Bill proposes to have every government agency to verify individuals’ foundational data against the Huduma database.

This means that different agencies will somehow have to be linked to the database to facilitate retrieval of their customers’ details for the discharge of their functions.

The transmission of information between different agencies increases the threat landscape of the overall system, which must be addressed.

TRAINING
For instance, potential hackers could target weaknesses in the underlying communications protocols, or in their implementation, to expose or corrupt sensitive data.

As global trends show, no system, interface or platform can be completely insulated from cyberattacks, even for systems that are otherwise not directly networked or exposed to the internet.

Given the sensitivity of data collected in Huduma, in addition to hardening the infrastructure, all Huduma Namba staff and those from other agencies handling national personal data should be required to attend mandatory information security training and obtain security clearance prior to their assignment.

The combination of such technical and administrative measures will reduce the attack surface and minimise the risk of accidental or malicious compromise of the system by internal or external agents, including nation-state actors with different motives and capabilities.

RESOLVE BITING ISSUES

There might have been a better approach to implementing Huduma Namba registration in a way that meaningfully engages the public to educate them on the purpose and functionality of the system, and how it protects their data.

But all is not lost. The government could suspend the implementation to resolve some of the emerging concerns, by inviting key stakeholders to openly discuss relevant issues and agreeing on how to work together going forward. This could unlock the present impasse.
The writer is an independent elections and cybersecurity consultant.