Opinions of Friday, 2 December 2011

Columnist: Amponsah, John

A Close Look at Biometric Registration in Ghana

By John Amponsah

This article seeks to address some important issues surrounding biometric registration in Ghana ahead of the 2012 elections. I noticed that most of the recent media articles surrounding this issue have so far not taken the discussion into the technical arena. It is important for us to discuss Ghana's biometric registration drive not only on the political level but also on the technical level since the very issue of biometric registration is technical in nature. It is my hope that this article will make a contribution in this direction.

WHAT IS BIOMETRIC REGISTRATION?

Biometric registration involves collecting biometric data such as finger prints and facial scans of individuals for the purposes of identification. Biometric data for identification can be used in a number of contexts. For the purposes of this paper, we are talking about registering voters prior to the 2012 elections in Ghana. Dr Kwadwo Afari-Gyan of Ghana's EC has indicated that biometric registration is different from biometric/e-voting. The two subjects, although different, are still somewhat related. In both cases, biometric data of voters is used for personal identification. In the case of biometric registration, the voter is only identified on the basis of their biometric data. Identified voters then proceed to cast their paper ballot. With biometric/e-voting, voters are first scanned and identified after which they electronically choose which candidate to vote for. So in essence biometric/e-voting incorporates both identification and voting while biometric registration is only for the purposes of identification.

WHY THE CALL FOR BIOMETRIC VERIFICATION?

In simple terms, biometric verification is meant to provide an extra layer of proof that registered voters are who they say they are. Verification can be done by encoding biometric data onto a voter's card in barcode form, RFID (Radio Frequency Identification) form as is found in many bank cards and electronic passports today or in some other form. On Election Day, after a voter is scanned in, the information on their voter card can then be read to verify that the voter holding the card is the same individual who registered under the name in the database corresponding to the name and information on the voter card. This is how it is meant to work in theory.

On a recent news bulletin on GTV, viewers were told that biometric registration is meant to curtail the registration problems which cropped up in the 2008 elections. Various opposition politicians have commented on the need for biometric verification. The clergy have also done so. Most Reverend Charles Palmer Buckle and Most Reverend Dr Joseph Osei Bonsu added their voices to this call. Individuals such as Andy Awuni of the Centre for Freedom and Accuracy also added their voices.

Much as I agree that biometric verification can (in theory) increase transparency in the forthcoming 2012 elections and much as I agree with Dr Afari-Gyan that biometric verification will not necessarily curtail election violence in instances where these machines were to malfunction, I think we should also concentrate on discussing biometric registration as an issue in and of itself to see what the implications are for decisions the EC has made for all of Ghana.

THERE IS A DEEPER ISSUE TO BE ADDRESSED

In October of this year, the Alliance for Accountable Governance (AFAG) had a press conference in which they seemed to denounce the choice made by Ghana's EC to award the private consortium STL/HSB/Genkey the contract to provide the country with biometric verification equipment because (according to the AFAG), the equipment being provided by this group did not have the US NIST (National Institute for Science and Technology) certification. Also AFAG hinted that the product being offered by STL/HSB/Genkey has not yet been tested in any national elections. While I may agree with the second point AFAG makes, Genkey states on their website that their product has the ANSI/NIST-ITL 1-2007 certification. So unless this is untrue, it appears that Genkey's product has NIST certification.

So what is the deeper issue which I would like to draw attention to? It is this: although on rare occasions cryptographic systems are broken by finding a way around the mathematics, those who often break into cryptographic systems do so by finding a flaw in the implementation of the system and not in the theoretical basis of the algorithms. So it is not just about the kind of cryptography being used by the biometric registration system but more importantly about what the system is doing, from data capture to data encryption to data storage and data retrieval.

The deeper issue is that with proprietary systems, it is impossible (at least legally) to independently check what the system is actually doing at each step of the process. This should be a cause for concern when such a proprietary system is used in an election.

ARE BIOMETRIC REGISTRATION MACHINES SAFE FROM TAMPERING?

One important problem crops up whether we are dealing with biometric/e-voting or with biometric registration. It is that users of such a system are not aware of what the system is actually doing on the software and hardware levels. This is not convenient for elections, where probity and accountability are paramount in order to increase the chances of having a transparent election. When you are not aware of what the software is doing, even with the most sophisticated encryption protocols there is still a chance that data can be falsified. If you have a situation where both hardware and software specifications are proprietary then there is no probity and accountability in the event that the system is hacked by an external party.

Last year, five computer scientists from Germany published a paper entitled "Handwriting Biometric Hash Attack: A Genetic Algorithm for User Interaction for Raw Data Reconstruction" in which they show that some BioHASH algorithms are theoretically vulnerable to raw data reconstruction. What this means is that theoretically it is possible for the data obtained by using some BioHASH algorithms to be falsified. In an election scenario, this could mean that it is possible for a subject/voter to have their biometric raw data collected but falsified somewhere along the process between data capture to data encryption. This will then affect the whole system, regardless of which secure encryption algorithms are being used.

Let us consider for a moment what could happen if a closed source (proprietary) system were to be compromised and subsequently abused. Speaking hypothetically, let us just say that for example some external/foreign government, institution or interest group with the necessary available personnel and technological resources decided for whatever reason(s) to take it upon themselves to influence the fate of one of Ghana's elections, where proprietary software and hardware systems were being used. With or without the knowledge the of vendor(s) of the hardware and software, it may be possible to have voters rejected when they show up on election day. The main point of vulnerability is the software that controls the machines. We know that raw data can be variable enough to be influenced. It is (theoretically) possible to have the original data changed. Even with verification (i.e. holding an identity card of some sort) an individual may still find their biometric data missing on the system if their scan does not register with any data recorded on the system. At that point, should the fate of this citizen/voter be left to the discretion of election officials? What if such a person is not allowed to vote even if he/she has an ID card? What if this happened in particular regions around the country in a significant enough way to influence the election? Will that mean new elections will have to be held? It may be too late by then.

Allow me to be more specific to show how one possible hack can be done to compromise the proprietary system such as the one the EC has chosen for Ghana's 2012 election registration. Let us say a fingerprint is scanned on one of those proprietary machines. The BioHASH algorithms register the biometric data however because of allowances for variability; very slight changes are made to the original data. These changes are very slight but slight enough to cause error in future fingerprint scans since those future scans will not match what is recorded. The original scan is then encrypted and put into RFID or barcode form on a voter card to be used for verification on Election Day while the slightly altered biometric data scan is encrypted and saved into the database as the scan of the individual. Say the software has a way of altering data on the basis of which regions individuals register in and the process is done randomly enough within the region(s) to 'spread out' the 'error'. This will mean that there will be individuals walking around with original biometric data on their bodies and on their voters' cards but slightly altered biometric data on the database. On Election Day, when such an individual shows up to get identified, the voter's card will say one thing while the database says another thing. Some region(s) could have in totalled, say, 50,000 “random” cases of failed verification cases. As we know from the 2008 election, this many votes can make a difference. All of this could be done on the software level. Although I am describing this as a hypothetical situation, it can actually be done. In a proprietary system, this cannot be checked. In an open source system, electoral officers together with independent interest groups can check the code to make sure it does exactly what it says it does BEFORE biometric registration starts.

So compromising system integrity during biometric registration is potentially more serious of a problem than lack of biometric verification. Open source systems greatly reduce the chances of this happening while close source systems greatly increase the chance of this happening. It is in the same spirit that transparent boxes are used at elections instead of opaque ones. Open source systems can be thought of as being 'transparent' while closed source/proprietary systems can be thought of as being 'opaque'. This analogy is in fact very accurate.

GENKEY VERSUS ALTERNATIVES SUCH AS OPENVR

The solution is to choose an open source system over a proprietary one. Open source means that computer code can be accessed by any expert to ascertain exactly what hardware and software are doing. Using an open source system does not mean that there is a 100% chance of securing a system. It does however mean that system audits on software and hardware levels can take place. It also means that independent checking/examination of the biometric verification software can occur prior to the actual verification exercise. This means more probity and accountability and more power to the people. After all, voting is about having the people express their power of choice.

If anyone is in doubt as to whether open source biometric registration can actually work in practice, they should listen to this. Nigeria recently had an election. Before their election the Nigerians also opted to employ biometric registration. However unlike Ghana's EC, Nigerian scientists, knowing the dangers of proprietary systems, decided to build an open source system from scratch. This system is called OpenVR (stands for Open Voters' Registration). The system was tested on 73 million Nigerian voters with voter cards (that is 8 times as many voters in Ghana's 2008 election). The Nigerian scientists who built this system have provided it completely free of charge (in the spirit of open source software) for other African countries to use if they choose to execute biometric registration. What is more, OpenVR also runs on an African version of the Linux/Unix operating system called Ubuntu, which is a very stable operating system and is also completely free of charge. All the major research and development for OpenVR has already been done by Nigerian scientists. Because it is open source, anyone with the expertise can examine the source code to determine its merits. There is also the fact that it has been tested, it works! Any African country which chooses to use OpenVR can have their scientists take this source code and use it as it is or adapt it to the needs of their country. All that has to be purchased is the requisite hardware for data acquisition and even this can be open source as well. So the open source option is very real.

W hat the Nigerians demonstrated is an understanding of the real dangers of choosing expensive, closed source (proprietary) systems and a move to avoid such dangers. There is no way that Ghana's EC is not aware of OpenVR. That the EC chose an expensive, proprietary system with no possibility of accountability and which has apparently not been tested in a national election over an African solution which has been tested, which is stable and above all, which is totally free of charge to me shows a certain mentality. We do not always have to run to Westerners for solutions to African challenges. Had the EC chosen to use an open source system, the source code could be verified by not only the EC but by independent Ghanaian scientists and indeed by anyone in the world who has the expertise. By buying a proprietary system from a private corporate consortium, the EC has given away the power and right of Ghanaians to take that much more control and ownership of our forthcoming elections, one in which electronic registration is being experimented with for the first time. A system like OpenVR has been tested, it works. During Nigeria's election, the system was stable for 21 days. What is more, these African scientists are providing the already developed software complete free of charge for anyone who wants to study or use it. Ghana's EC has instead chosen to go the expensive and “opaque box” way which will be even more expensive now that the EC will have to buy Genkey's Biometric Verification system which most likely comes at a separate exorbitant price. This tells me that either Ghana's EC is not aware of the real dangers proprietary systems pose to probity and accountability in elections or they have chosen to ignore these dangers. I invite the EC of Ghana to respond to this if they deem such a statement inaccurate.

As to why the Nigerians chose to go the open source route, they have this to say, "Essentially, for INEC, this meant complete freedom from proprietary software and vendor lock-ins, [which] is something that has left many institutions and other government bodies with a bitter after-taste in their mouth. It also meant that there were no hidden backdoors, no quick hacks “just make it work mentality” and that they could get independent resources at any point in time to run a peer-review of the entire software – architecture, source code and implementation. Now that's complete control." (Source: http://lagosgtug.blogspot.com/2011/05/openvr-story-behind-story.html)

To me, this is beautiful. Incredible! This is similar to the original spirit that led to the building of Unix-based internet systems and those true computer enthusiasts who believe in a cause (bettering humanity) other than money and profit. The Nigerians should be commended for taking this level of control of their election.

In an attempt to learn more about the OpenVR system built by the Nigerian scientists, I got in touch with Femi Taiwo, the lead software developer of OpenVR. These are some of his words in response to some questions I posed:

“Yes it is an open source project, however the code is NOT yet available on [sourceforge.net] It will be in about two months when we have finished implementing the additional features we decided are important to ensure we have a well-rounded system. The idea was and still is, to be able to support as many devices as we can, regardless of vendor. The self-configuration tool comes with tons of drivers for the different devices and interfaces. The biggest thought process went into logistics - e.g Printing 13million pages is no small feat. Distributing the right amount of materials to the right places at the right time. Collating and verifying results after the elections. And ensuring data integrity and minimizing data loss. [Other] African countries have expressed serious interest because of the success of the process here in Nigeria. While each country has it's own unique environment and processes, a number of things remain standard and that forms the core of OpenVR: Voters should be able to register, using their biometrics, and be able to register only once without unlawful dis-enfranchisement allowed. Equally, all the data must be centrally accessible at the end of the process. The system must be expandable and re-usable for future exercises. That is OpenVR.”

I think the Nigerians got the right spirit in opting to go with an indigenous system. Once again, we do not always have to look to the West for solutions. It may be that Ghana may not have had the resources available to Nigeria for such a project but in this case the system has already been developed, tested and fielded and is being provided totally free of charge with no proprietary entanglements. That is a good deal. The Genkey system to my knowledge has not been tested in a national registration exercise. Because OpenVR is open source, Ghanaian scientists could take the code and adapt it, even possibly improve on it. I am full of admiration for what these Nigerian scientists have done. I think this is definitely one case where Nigerians have shown that they can shine.

CONCLUSION

I have been saying for a while now that when it comes to using any form of electronic means in elections, open source solutions are perhaps the only way to maximize the chances of transparency. Historical precedence has shown us that machines running closed source (proprietary) software have produced strange behaviour in the elections of some countries. Ghana cannot afford to make a mistake with any of our elections, it has to be right each time and especially now that we are venturing into employing electronic means. As citizens, we need to make sure that the EC takes these concerns into consideration for their decisions affect us all.

As it stands now, the fate of the entire election process and indeed the democratic and social well-being of our nation have been placed in the hands of the equipment of a private corporate consortium whose software and hardware is inscrutable. There is no probity and accountability in this situation. In the event of future election trouble resulting from 'malfunctioning' registration equipment, the corporate consortium will be protected by international laws; any sophisticated usurpers will execute their malice and slip away untraced while the people of Ghana will be left to take care of any mess generated from such an ill-fated event (God forbid). This is the possible danger we face. Can we as Ghanaians put our faith, hope and trust in such an arrangement? It will appear that the EC has decided for us all.