HOSTING RESULTS ON NBA PORTAL OPENS SYSTEM TO MANIPULATION
NUMBER OF UNDELIVERED NOTICES IS STAGGERING BY ANY PARAMETER
I DON’T BELIEVE PORTAL CAN SEND 5 NOTICES TO A VOTER
IT’S LAUGHABLE TO BLAME DND FOR UNDELIVERED NOTICES
Dr. Dominic Ehiwe is a Consultant in digital forensics & open source intelligence as well as an investigator for software, technology and intellectual rights violations. He works in the domain of information security, project management and quality control and assurance. He is Managing Partner of EON-Peace Consult Limited, a digital forensic investigation, information security consulting and IP rights violation investigation and litigation support services provider. He is also Executive Partner with ENSOPAR Forensic & Partners, a tax, audit and forensic accounting practice.
He is a certified Software Analysis & Forensic Engineering (SAFE, USA) software & tech intellectual property violation investigator, litigation support consultant and expert witness. Ehiwe has an Advanced Diploma in Forensic Accounting & Criminal Intelligence (FACI) from the University of Lagos, Nigeria. A member of Computer Forensic Institute of Nigeria, Ehiwe facilitates part-time a fully hands-on digital forensics investigation training course with the Institute of Advanced Forensics (IAF) in collaboration with the University of Lagos (UNILAG). He also serves as a resource person with the Nigeria Institute of Advanced Legal Studies (NIALS) and presents at conferences.
Ehiwe received a doctorate degree in Computer Science, Management Information Systems specialization (Ph.D MIS) from Babcock University and a Master’s degree in Computing from Birmingham City University, England in 2014. Earlier in 2006, he received a Bachelor’s degree in Economics (Statistics Major) from the University of Abuja. He has participated in many professional trainings and received several certifications in Information technology, project and risk management.
In this interview with EMEKA NWADIOKE, he speaks on the recent NBA Elections and the controversies that have trailed the elections.
Please tell us briefly about yourself.
I am Dr. Dominic Ehiwe. I practice as a Consultant in digital forensics & open source intelligence as well as an investigator for software & technology and intellectual rights violation.
Before the NBA Elections, you had an interactive session with a group of lawyers under the aegis of LEGAL TORCHBEARERS where you set out the key requirements to ensure that the 2020 NBA Election was free, fair, credible and transparent. Can you give us a brief recap of those requirements?
The session was a discussion about online voting and ways to ensure security and guarantee the integrity of the votes cast. We had discussed some key requirements. These measures include:
• Have a unique means of identifying every vote cast.
• Have a stakeholder agreed list of requirements that meets your need as a body and by which you measure the outcome.
• Ensure people do not vote more than once from a single device (This is possible to achieve)
• The system and process should cater for multiple levels of authorization to avoid a single individual hijacking the results.
• There should be mock trial of the election platform so you know what to expect during the real exercise.
• Have a process in place by which the results are auditable.
How would you rate ELECTIONBUDDY an election software provider?
To be candid, I know nothing about the service provider besides what you and I read about them online. Besides, I only knew who the provider was when one of your colleagues told me the election had held and the results published. I learnt it is a company based in the US. Hearing it’s a US based company, I checked to know more about the provider and see what information is available about their services. I did note though there is no form of contact information on their site detailing location information and other basic info one would expect of a service provider located in the US. To me, such businesses can be located anywhere and claim a different geographical location.
At the close of ballot, out of the 29,636 eligible voters, 18,256 or 62% ballots were submitted while 15,234 notices were declared as “undeliverable.” What is your view on this statistics?
I was sent the link to the results via WhatsApp and the first thing I noticed was the figure indicated as undeliverable notices. I recall showing my spouse the details on my phone and her first question was were these phone numbers or email addresses not verified before the votes were cast? That number is staggering by whatever parameter you choose to look at or rate it. Moreover, at that point I didn’t have much information about how verification for the exercise was done but I knew that figure would raise questions about the process.
Given that there were 29,636 eligible voters, will you consider that 28,525 emails and 17,887 SMS are adequate?
My thought is why this disparity between the Email and SMS figures sent to eligible voters? I do not expect members of your community with valid emails not to have valid mobile numbers as well. I do not know if some of you submitted emails only and others phone numbers which may likely account for this disparity. Also, the question is, did those to vote not know the exercise was to hold and have their mobile lines switched on to receive notifications about the exercise? Perhaps, the organizers can provide better answers to these if there is any justification for the differences. In addition, supposing I receive both email and SMS notification as someone eligible to vote, what gets counted for me if I go ahead to vote using both medium? But as I said the service provider or organizers can better explain this.
The results of the election were migrated to NBA server (https://go.nigerianbar.org.ng/Results) at some point in the election. What is your opinion on this?
This is interesting to note. I would expect any form of migration be done after and not during the exercise. Besides, one would need to review the NBA server logs to be able to confirm at what point data was migrated or shared between your systems and that of the service provider. However, from a security perspective, I would expect such migration to be after the exercise. I say this from a data security and assurance perspective. If any foul play was to take place, it could have been achieved when the records are in the systems of the party with ulterior motives. That being said, I would like to leave it at simply saying I perhaps would expect to see more relevant information to make better judgement.
Is the fact that evidence of voting was not received by the voter either via email or SMS of any consequence?
This I believe is part of the requirements that should have been verified before the exercise. In my session with your colleagues on the forum, I had mentioned the need to have a stakeholder agreed list of requirements. I feel strongly this should have been part of the checks and balance criteria to judge the transparency of an exercise like this.
The candidates allege lack of information regarding the Service Provider and the Election portal. Is this a valid charge?
This is a red flag that should have been addressed. Perhaps a mock trial of the election system could have been conducted. I believe the organizing body could have arranged for an exercise like this involving select representatives of all stakeholders. A body like the NBA could work something out, I like to hope. While there are no perfect elections or systems anywhere, more visibility about the service provider and their platform would have helped.
The election management body (ECNBA) did not reveal the election software provider to the candidates. The candidates did not also witness a test run of the election portal. What is your view on this?
To me, this is unacceptable? It paints the picture of something to hide. I leave it at that.
A presidential candidate in the elections alleged that the service provider was unable to deliver 14,000 notices to prospective voters 13 hours after the commencement of the Election. If true, is this sufficient to invalidate the election?
This raises questions about the integrity of the process. It raises concerns about how voters were verified for the exercise and those whose votes are returned as valid? From an observer point of view, I like to know what notices were given to members about the process to carry everyone along. However, about invalidating the election, I had advised your colleagues about having the rules by which invalidating the process is to be done or pursued. My opinion aligns with what your body agreed on this.
There are questions around the authenticity of the voters’ register. However, the Electoral Committee states that the use of a ‘unique identifier’ such as each voter’s Supreme Court Number made manipulation or over voting impossible. How true is this, moreso as the Supreme Court Number is largely in the public domain?
Having a unique identifier is insufficient. What is the essence of a unique identifier if I can vote multiple times? One needs to know in detail the security measures put in place to prevent people from voting more than once or using invalid or non-existing SCN to vote. Are you able to tell that the service provider’s platform validates the SCN of your members? These are questions that should have been asked and answered.
The final voters’ register used for the Election was released by the Electoral Committee about five (5) hours to the election. Is this sufficient to invalidate the register or the election?
This is laughable. If that is the case, I am confident to answer in the affirmative. Five hours? To verify accuracy of the records in 5 hours? For a body like yours?
A case of data diddling has been alleged, as especially the presidential candidates were said to have maintained the same percentage of votes relative to each other and the total votes cast throughout the election. It is alleged that the system was programmed to distribute votes at either +1 or –1, and that statistically, the voting result showed no randomness. What is your view on this?
I believe an independent auditing of the configurations agreed and set on the systems can show the real picture about this. I still like to stress that more visibility of the whole process would have helped. I also recall advising your forum colleagues on the need to have security professionals review the platform of the service provider. Perhaps, the election committee can tell you more about what checks were carried out.
About 38% of eligible voters could not cast their ballots as they did not receive voting links. How significant is this figure in an electronic voting system?
Very significant. This is close to half the number of eligible voters. This is significant enough to skew the results in a particular direction given the circumstances at play or engineered by anyone willing to achieve pre-defined objectives.
The NBA states that the 15,234 “undelivered notices” represent aggregate of undeliverable notices that were sent to each Verified Voter through the two notification channels – SMS and emails. It also represents the aggregate number of blasts of such notices to each of the affected Verified Voter. It states that there was a minimum of 5 blasts of notices to each voter or an aggregate 10 undeliverable notices, made up of 5 SMS and 5 e-mails – but did not represent the number of persons whose notices were not delivered. What is your view on this?
I do not believe the service provider runs an application system capable or configured to do this. I know the standard number of retry notifications application servers or services send is at most 2 to 3 notifications. One would need to see the service level agreement agreed with the provider to confirm this. Also, there are server logs that should show the number of notices sent. But to say five notices for that number of recipients begs for justification.
Do you agree with NBA’s assertion that the inability to deliver notices to voters was not attributable to the Election Platform, but to NBA’s poor database and the activation of DND in some voters’ mobile phones?
It is laughable to mention DND on mobile phones of members of a body looking forward to vote in an election. Did these people stop receiving messages before the election or had DND set for notices from the NBA prior to the exercise? Like I said, what was communicated to members prior to the election? How much sensitization was done about the whole process and what, as stakeholders, everyone had to do to achieve a fair exercise?
Do you agree with NBA’s view that the election was free, fair and credible because the link to each voter was unique and non-transferable, and it was also not possible to vote more than once using a single link?
Besides unique link and non-transferability of the link to vote, can we attest to a case of non-eligible or non-existing members not having participated in the election? The vote records are available somewhere. When in doubt, I believe further review should be possible to clarify the doubts where necessary.
Given what you know about the election, will you consider it as free, fair, credible and transparent, and why?
Based on what I know and have read from your members about the verification process and how the exercise was conducted, it leaves much to be desired in terms of credibility. I believe the organizers know this as well.
What are your suggestions for future NBA elections?
Be better organized and transparent. Involve relevant stakeholders in the process. Thank you.
Copyright 2020 CITY LAWYER. Please send emails to email@example.com. Join us on Facebook at https://web.facebook.com/City-Lawyer-Magazine-434937936684320 and on TWITTER at https://twitter.com/CityLawyerMag All materials available on this Website are protected by copyright, trade mark and other proprietary and intellectual property laws. You may not use any of our intellectual property rights without our express written consent or attribution to www.citylawyermag.com. However, you are permitted to print or save to your individual PC, tablet or storage extracts from this Website for your own personal non-commercial use.