State bought bogus system for Huduma number listing

Anand Venkatanatayanan, an expert in cyber security, testifying at the High Court yesterday. [Standard]

The Government spent Sh6 billion on an archaic system to capture and store data collected from millions of Kenyans. 

In a case filed to challenge the project dubbed Huduma number, an expert witness, Anand Venkatanatayanan, told the High Court that Kenyans have no guarantee that their information, including personal emails, is secure under the National Integrated Identity System (NIIMS).

Anand cited changes in human beings, the system giving two different results for the same person, the failure of a similar project, Aadhaar, in India, and the hoarding of information in one place as among the reasons Kenyans would not benefit from the expensive project.

Instead, the project will be a honeypot for hackers who want to milk millions from the Government, the witness told Justices Pauline Nyamweya, Weldon Korir and Mumbi Ngugi.

"It is axiomatic in computer security that nothing is truly secure and there are only costs and benefits of hoarding data. Centralised databases such as Aadhaar and NIIMS, however, hoard so much data that the cost benefit ratio tilts definitely in favour of attackers," he claimed.  

Anand, an expert in cyber security and computer fraud forensic analysis, has worked for 21 years.

He was testifying on behalf of the Nubian community, which has challenged the viability of the Huduma number project.

According to the witness, the infrastructure behind the Huduma number system is bound to fail to protect data and will be prone to leaks.

While other countries are decentralising information as a way of securing it, he said, Kenya is in a rush to do the opposite by centralising it.

The witness claimed that Kenya's system is similar to India's Aadhaar, which has had numerous leaks.

"NIIMS thus is an archaic design compared to modern day system architectures and can be thought of as a horse-buggy drawn by a lame horse on the digital highway. That it would fail and would fall behind is the foregone conclusion," testified Anand.

The court heard that no law adopted after data collection can cure anomalies in the system and possible hacks.

President Uhuru Kenyatta launched the programme in Machakos in April this year. It was meant to capture, among other things, biometrics, identification documents – passport number, Kenya Revenue Authority (KRA) PIN number, national ID, NHIF and NSSF – and personal emails.

The judges were told that collecting personal data was unnecessary and would not help, among other things, in taming falsified registration and duplication or in easing Government services.

Anand disputed that NIIMS would capture unique features of each person, saying that there is nothing in the algorithm that would help eliminate resemblance between one person and another, or stop a person forging documents.

The witness argued that humans tend to change over time, hence the uniqueness of a person changes as they age.

"A foundation assumption underlying the logic of NIIMS system is that by using biometrics, we can be assured that no duplicate ID will be issued. Biometrics are fallible and cannot be relied on as unique identifiers for the purpose of deduplication," he argued. 

Anand said that both Kenya's and India's systems were offered by OT Morpho, a company contracted to carry out Kenya's 2017 election.

He said that test results of India's system reveal that claims of the system eliminating duplication were exaggerated. 

According to the witness, there were cases of people who were given duplicate IDs after some time despite being in India's Aadhaar.

"It would hence result in the same outcome – and the endeavour would pose a massive risk to personal security and privacy of Kenyans without demonstrable benefits. Further, it would create national security risks to Kenya which would be impossible to mitigate," he said.

The court heard that Aadhaar data has leaked countless times. 

He claimed that biometric authentication can only succeed if the features taken cannot change because of, among other things, work and exposure, sickness and ageing.

"For this to succeed all the time, an important pre-condition exists – the condition of immortality or in other words, individual's chosen biometric parameters do not change across their entire lifetime. This is of course not true for both the iris and fingerprints," he testified.

The court heard that digital data can be easily used to profile persons.

Anand told the judges that, over time, other people or the State can profile children and can use the hoarded information to manipulate their behaviour in one way or another.

Another witness told the court that Kenyans have a reason to fear NIIMS as the centralised information could be used for 'modern day colonisation'.

According to Grace Mutung'u, the technology used is sourced from other countries, hence there is no guarantee that the information given would not be used to assert power.

"Everybody is being transformed into data and we do not have control over it. We depend on countries that are able and there is importation of technology and philosophy. That could also lead to centralisation of power as a person who has that data has power over the others," testified Mutung'u, adding that "data is the new oil."

The Government has disputed the claims, saying that the system is encrypted such that everything is secure.

It claimed that NIIMS is a digital register that centralises information held by its different agencies.

Mutung'u testified that there was no opportunity to correct inaccuracies captured by the machines and there was no guarantee that the collected data would be used only when it is required.

"We don't know how long the data will be stored," Mutung'u, who is an IT expert and a lawyer, testified.

The case continues today.