Opinions of Tuesday, 13 August 2024

Columnist: Alolga Akata-Pore, former soldier and cybersecurity researcher

The risk to ballot secrecy in the 2024 elections

Alolga Akata-Pore Alolga Akata-Pore

...The unnecessary and costly misapplication of biometric technology and its threats to democracy

Biometric Enrolment and Verification Devices (Biometric Devices) have been deployed in some developing countries including Ghana supposedly to enhance data security and voter confidence in elections. However, in more advanced democracies, biometric technology is predominantly used for criminal investigations and law enforcement, rather than for electoral purposes. While biometric devices have the potential to curb identity fraud, their use in elections presents significant challenges, including technical failures, data breaches, and high implementation costs. Biometric devices also expose the electoral process to additional risks, such as exploitation by hackers or compromised electoral officials seeking to manipulate outcomes in favour of specific candidates or parties.

Moreover, biometric devices raise significant concerns regarding discrimination against certain groups and have the potential to compromise the secret-ballot principle particularly due to the way the Electoral Commission (EC) has integrated these devices into the electoral process. International certification standards for biometric devices, primarily set by the FBI in the USA, underscore their role in criminal justice rather than in electoral systems, which is evident in most mature democracies. This article delves into these issues, highlighting the complexities involved while briefly touching upon potential mitigations to maintain conciseness.

Why Ghana and not the USA, UK, Russia and China? Why not all the EU countries?

Countries recognized as models of democracy, such as the UK, the US, Canada, and Australia, do not use biometric devices in elections. The list of countries which do not use biometrics in their electoral processes also include China, all the twenty-seven (27) EU countries, Russia, New Zealand and Vietnam. These nations rely on traditional and well-established electoral processes that have proven to be effective and secure over time. This raises questions about the necessity and effectiveness of biometric devices in enhancing electoral integrity and casts doubt on the reasons Ghana and other developing countries continue to use biometric devices in their elections.

It is notable that the Supreme Court of Ghana was not petitioned in any of the five elections held between 1992 and 2008, when biometric enrolment and verification devices (Biometric Devices) were not in use. However, since the introduction of biometric devices in 2012, two (2012,2020) out of the three elections have had to be resolved in the supreme court. While it is not suggested that biometric devices are directly responsible for the supreme court interventions, it is important to acknowledge that the introduction of biometric devices did not deliver the anticipated benefits of increased trust, integrity, and confidence in the electoral process, benefits that might have made Supreme Court petitions unnecessary.

Where is the logic?

Consider this: The Electoral Commission (EC) initially uses well-established methods used in mature democracies such as photo IDs (passports and driving licenses) and vouching by relatives to verify the identity of individuals registering for the first time. However, once a voter’s biometric data is enrolled in the electoral register, the EC shifts to relying primarily on biometric verification for subsequent checks. Yet, when biometric devices fail or are unavailable, the EC promptly resorts to the original non-biometric methods of verification. This inconsistency suggests that the traditional non-biometric system used by all mature democracies without exception was valid all along. What a waste of money and effort!

How Can a Voter Verify their Biometric Data?

Moreover when a voter is first enrolled on the biometric electoral register, they are asked to visually verify their personal information, such as the spelling of their name, address, and date of birth. However, they cannot verify the accuracy of their biometric data. No one can recognise their biometric data when presented to them. Only the EC's enrolment officer, using their specialized biometric device, can assess the correctness of this data. Then on polling day, it is solely the EC official and the biometric devices which decide whether a voter has been properly verified. This exclusive authority leaves voters with no means to challenge or contest a wrongful rejection. This lack of oversight and transparency undermines the fairness of the verification process and can erode trust in the electoral system. Expecting voters to confirm data they cannot fully verify specifically their biometric information is unreasonable and effectively amounts to asking them to 'sign on the dotted line' without fully understanding what they are endorsing.

High Costs and Limited Benefits

Deploying biometric devices in elections incurs substantial costs, including significant upfront expenses for the devices, consultancy, infrastructure, and ongoing maintenance. According to IMANI and confirmed by the Ghana Procurement Agency (ppa.gov.gh), the cost of the biometric system comprising Gemalto’s CABIS 7, Integrated Biometrics’ Kojak devices, and Laxton’s portable device kitbags exceeds one million dollars ($1,000,000). IMANI has also questioned the integrity of the procurement of EC assets of which biometric devices are well represented. In my view, the costbenefit ratio does not justify their use, particularly when the perceived advantages can be achieved through other, more cost-effective means of computerization. For example, digitized voter registers and enhanced administrative procedures can effectively prevent double voting and impersonation without the high costs associated with biometric devices.

Benefits Attributed to Biometric Devices are benefits of Computerization

The perceived advantages of biometric devices such as enhanced identification, faster voting processes, and increased voter confidence are largely benefits of computerization rather than biometric technology itself. Computerized systems can streamline voter registration, verification, and results tallying effectively without relying on biometric data. These systems can also mitigate various forms of fraud, including multiple voting and voter impersonation, through robust digital checks and sheer vigilance on the part of EC staff.
Biometric Devices cannot deter corrupt EC officials nor detect foreigners or underage voters
Moreover, the integrity of elections is fundamentally shaped by the behaviour and attitudes of the Electoral Commission (EC) officials overseeing the process, rather than the technology used. The effectiveness of any piece of technology especially computers or their ilk of equipment can be undermined in their deployment.

While the EC appears focused on using biometric devices to prevent fraud by voters, it has not addressed how these devices will counteract fraudulent actions by its own staff. Although biometric devices can, with proper implementation, prevent issues such as multiple voting and impersonation, a critical question remains: How do these devices prevent compromised EC officials from engaging in practices like ballot stuffing, vote suppression, double registration, or allowing impersonation? This situation is comparable to a bank employing armed guards at the front entrance to deter robbers while neglecting to secure the rear entrance and failing to implement internal surveillance to prevent staff from accessing cash vaults.

Additionally, Olugbemiga S. Afolabi, in his 2020 article, "Biometric Technologies, Electoral Fraud, and the Management of Elections in Nigeria and Zimbabwe," observes that, "…the inability to detect foreigners and underage voters also limited the effectiveness of Biometric technology as an anti-electoral fraud measure…". This raises a crucial question: If a voter is verified by a biometric device kit at the polling station, how likely is it that an observer (independent, political agent or EC official) will be able to prevent that voter from casting their ballot even if they suspect that the voter is underage or a foreigner? This issue is exacerbated by the potential for collusion by corrupt EC officials, underscoring that biometric devices are primarily targeted at voters and not the EC staff or the electoral processes.

The Insertion Attack vulnerability

In my view, there is a scenario in which biometric devices can assist compromised EC staff in manipulating our elections.

Various organizations, including the National Identification Authority (NIA), Telecommunications companies (telcos), and some banks, capture the same data elements required by the EC using identical equipment (such as the Kojak FAP60) and adhering to the ISO 19794 (parts 1-13) standards established by the FBI and ISO respectively. Often, these entities capture more data attributes than the EC requires. This presents a risk, as corrupt EC officials could source data from these organizations and exploit a type of cyber-attack known as an insertion attack, where established controls are bypassed, and unauthorized data is inserted into the EC database. Once the core data including biometrics is inserted, Voter Cards can then be printed for the illegally inserted voters. The attack is complete when a voter has both their Ghana Card and Voter card issued to them by corrupt NIA and EC officials. The attack would occur before the voter roll is printed for verification by voters and political agents of the political parties.

Interestingly, political party agents are more interested in who the EC registers, but not who the NIA registers because their agents, if vigilante, can to some extent verify who a Ghanaian is, lives in a particular area and how old they are. They can however not verify the validity of who gets registered by the NIA as the NIA registers allcomers including foreigners. It is therefore possible for registrations to take place in the NIA which are intended for the EC database.

The NIA and EC have a formal agreement allowing the EC to verify its records against those of the NIA. While the specific scope of this agreement is not fully clear, I will be very surprised if it does not include a future plan to refresh the whole of the EC database with extracted NIA data when the NIA confirms it has registered all eligible Ghanaians. For now, a compromised staff member within the NIA could potentially extract records which are not present in the EC’s database such as those of foreigners and feed them into an insertion attack by an EC official. Notably, the EC does not require voter nationality information, as all registered voters must be Ghanaian. This implies that any NIA data extracted for use by the EC would not include nationality details of the subjects.

Readers may note that I have not asserted nor suggested that this scenario is practiced. However, I invite the reader to consider its technical plausibility, in the current digitization refrain touted by both political parties and the willingness of potentially compromised EC and NIA officials to carry it out in the context of our very partisan politics, in a year when cyber-attack-tools aided by AI copilots of various types are at their finest and our section of the planet is fuelled by a high-tensioned and palpable quest for geopolitical influence by external powerful entities.

I worry about nation-state attacks, but Ghana too is a nation-state!
Defences against this scenario include the deployment of continuous monitoring, logging, analysis and reporting tools on both NIA and EC systems. The thorough vetting of staff, employed without protocol lists, but purely on merit is also a must. However, at the top of my list of defence mechanisms is the establishment of an ‘elections risk task force’ to study and act on all suggested avenues of the exploitation of the EC’s processes and database. I suggest the involvement of the Honourable Speaker of Parliament, the NPP, NDC, the CDS, the IGP and CSOs as members.

Weaponizing the advantages of biometric devices

The biometric device kit, which includes a fingerprint scanner, camera, printer, battery, USB sticks, signature pad, and more, is housed in a highly portable and rugged device kitbag. This kitbag, similar in form to a cabin bag for air travel, is lightweight and boasts an industry-standard IP67 rating for ingress protection, indicating a high level of durability. According to the Ghana Procurement Agency's website (ppa.gov.gh), this kitbag is supplied by the reputable UK company, Laxton.

The kit’s portability and ruggedness make it well-suited for the Electoral Commission’s voter enrolment tasks (https://www.laxton.com/biometric-registration-kits/). Its compact design allows it to be transported easily by foot, road, boat, or air. With an optional portable solar panel, the kit can operate for up to eight hours on a single battery charge, accommodating a significant number of voter registrations in one session. It requires minimal setup space and can be assembled on various surfaces, from the bonnet or the open tailgate of a Toyota Hilux pickup truck to any flat surface like a centre table in a living room. Only the fingerprint scanner and camera need to be stable and level during use.

While the portability of this kit offers significant advantages, it also presents opportunities for misuse by corrupt officials. Its ease of setup makes it susceptible to theft or loss, an issue that, for instance, occurred in Ghana in 2024. The kit's mobility allows it to be placed in various locations, such as prisons, hospitals, or border towns, and could even be transported on flights for unauthorized diaspora registrations who can then take advantage of the proxy vote system. Moreover, it may facilitate unofficial continuous voter registration efforts throughout the country. The EC should recognize that, rather than preventing misconduct, these biometric devices could inadvertently enable the very misdeeds they are designed to prevent.

Adjusting False Rejection and False Acceptance Rates

Biometric devices come equipped with configuration options that can adjust the precision of verification processes. This feature allows for fine-tuning the balance between false rejections (where genuine voters are incorrectly denied) and false acceptances (where ineligible voters are incorrectly approved). Corrupt Electoral Commission (EC) officials could exploit this capability to manipulate the enrolment or verification processes. By altering the reference threshold settings, officials can make the system more stringent or lenient, potentially benefiting certain geographic areas while disadvantaging others.

For instance, fingerprints can vary slightly between enrolment and voting day, particularly for individuals in professions that damage their fingerprints. The ability to adjust the sensitivity of biometric devices means that the threshold for matching can be set to either require exact matches or accept a broader range of variations. This flexibility, while necessary to accommodate natural fingerprint variations, can be misused to skew results in favour of specific regions or groups, thereby undermining the fairness of the electoral process.

Vulnerabilities and Security Concerns

Biometric data is inherently sensitive and, once compromised, cannot be changed. You cannot change your biometric data, but you can change any other non-biometric data if needs be. Several high-profile breaches, such as India's Aadhaar database (2018) breach, the US Office of Personnel Management (2015) compromised system, Clearview AI (face recognition 2020), 23AndMe (DNA data 2021), Ghana’s missing or stolen biometric devices (2024) and Biostar2 data breach (2019) have exposed the vulnerabilities associated with storing biometric devices and data. In elections, these breaches could lead to significant privacy violations and loss of voter trust and ultimately result in a subverted election.

My Personal Experience: After registering as a voter during the May 2024 limited registration exercise in Ghana, I received an unsolicited election campaign text message on the phone number I provided to the Electoral Commission (EC). The message, purportedly from Dr. Bawumia, not only urged me to vote for him and the NPP but also accurately mentioned the NPP parliamentary candidate for my constituency. This raises serious concerns about a potential breach of the EC's database.

Interestingly, while I used similar personal information for my Ghana Card and mobile phone registrations, I never received unsolicited messages from any political party. However, the message from the said Dr. Bawumia arrived within six days of my voter registration with the EC. This incident highlights the serious risk of data breaches, especially since compromised biometric data, like fingerprints or facial features, cannot be altered without complex and costly medical procedures.

The fact that Dr. Bawumia now has access to voters' full names, addresses, phone numbers, and biometric data is profoundly unfair to other parties who haven’t obtained this illegal copy of the EC’s data. This is especially concerning for those who have recently turned eighteen and are registering to vote for the first time, as their biometric data could be misused for years or even decades. The potential for criminal gangs including deviant groups to abuse this data, particularly if there are security breaches in Bawumia’s systems, is a serious concern that warrants deep reflection. This urgency prompted me to address these critical issues.

Inadvertent Unfairness and Equity Issues

The use of Biometric Devices can unintentionally disadvantage certain groups, particularly in areas with inadequate infrastructure or among populations that have not been thoroughly tested with these devices. To address such concerns, Brazil, for example has adopted a gradual biometric enrolment process. Despite introducing biometrics in 2008 (four years before Ghana), Brazil's enrolment has only reached approximately 70% as of 2023. This approach allows for a mix of biometric and nonbiometric methods for voter registration and verification, unlike Ghana's system, which mandates biometric enrolment and primarily biometric verification.

In my view, Ghana’s Electoral Commission (EC) does not engage with citizens as their clients in the same way that the EC’s equivalent in Brazil (TSE) does. Instead, Ghanaian citizens are expected to endure significant challenges to register and vote, including navigating difficult terrain and bearing transportation costs, sometimes using okada motorcycles or bicycles to reach EC centres.

The EC has a responsibility to proactively reach out to all citizens and facilitate their participation in the electoral process. Its primary role should be to ensure that every Ghanaian adult can exercise their democratic right to vote without facing undue obstacles. Failure to address these barriers or to make the registration and voting process accessible is effectively discriminatory and undermines democratic participation.

In my view, engaging with the Electoral Commission (EC) can be an unpleasant experience when citizens are subjected to the same invasive treatment reserved for suspected criminals under investigation. When individuals merely wish to register or vote, being treated in this manner is not only distressing but also undermines trust in the process. Such an approach risks creating barriers for voters, potentially deterring them from participating in essential electoral procedures and compromising the integrity of the democratic process.

Unfairness also affects voters in manual labour professions. Individuals engaged in activities such as hairdressing, fishing, construction, farming, and mechanical work may suffer from damaged fingerprints, making it difficult to provide accurate biometric data for enrolment and verification. Similarly, those who work in fish-smoking may have burns or damage to their skin, affecting both fingerprint and facial biometric data.

There are also some of our citizens who are unfortunately limbless and must face indignities in their biometric enrolment. While manufacturers, including those supplying the EC’s equipment, have integrated sophisticated algorithms to address these issues, challenges remain.

Deliberate Discrimination, Supreme Data advantage

When malicious insiders exploit tools like USB keys within the EC’s equipment to share voters' contact details with select parties while withholding them from others, they create a significant and unfair advantage for those receiving the data. This information enables targeted campaigns that can manipulate young voters with tailored messages or enticing offers, such as scholarships or financial incentives. Additionally, it could facilitate the creation and dissemination of deepfake videos or false narratives designed to tarnish the reputation of political opponents, thereby distorting public perception
and influencing election outcomes. My personal experience described elsewhere in this article is a case point.

Moreover, parties can use detailed voter profiles to craft highly personalized attack ads that exploit individual fears or biases, increasing their effectiveness. Malicious actors might use voter contact details to orchestrate phishing scams, tricking individuals into divulging further personal information or even contributing to fraudulent activities. With targeted messaging, parties could persuade voters to support specific policies or candidates, potentially swaying undecided voters or altering their voting preferences through misinformation. If specific voter groups are targeted with disinformation campaigns designed to discourage voting or spread false information about polling places, it could lead to decreased voter turnout and undermine the credibility of the election process.

These examples underscore the serious implications of unauthorized access to voter information, made easier with the use of biometric devices which integrate the use of USB keys, thus highlighting the need for robust security measures to safeguard against such abuses and ensure a fair electoral process.

Furthermore, inequities can also arise when certain areas experience a disproportionate number of faulty devices or power outages on election day or enrolment period. These situations often result in delays as backup devices are deployed or alternative power sources are sought, leading to extended voting hours and potential difficulties. As there is a perennial and public suspicion that areas which are thought to be opposition party strongholds suffer more device failures than areas thought to be government party strongholds, the issue of unfairness with biometric devices is further complicated and accentuated and directly contributes to the disenfranchisement of some voters and hence unfair electoral outcomes. I have also read reports which indicate that in Nigeria (2015) and Ghana (2012) device failures occurred more at polling stations which did not have independent observers. No direct causal relationship was reported, but it is interesting and worth further study and analysis.

It is indeed welcome that, the Electoral Commission (EC) often extends registration periods and voting times to compensate for delays caused by power outages or malfunctioning devices. However, these extended hours often coincide with periods of fatigue among observers, whose tired eyes and strained legs can increase the risk of errors and lapses in vigilance. This diminished oversight can create opportunities for potential impersonation and manipulation of vote counting, undermining the integrity of the electoral process.

Your Ballot is Not that Secret

The use of biometric devices in the voting process poses significant risks to the secrecy of the ballot and could potentially facilitate abuses of power. In Ghana, voters are required to place their thumbprints on the ballot paper to indicate their choice, and the counterfoil of the ballot paper bears the same serial number as the ballot itself. These two factors together can directly link a voter to their choice, thereby compromising ballot secrecy.

With scanners with resolutions with just 500dpi which is the FBI FAP60 standard, it is possible to extract and compare biometric indicators from the thumbprint against those in the voter roll, enabling rapid identification of the voter. This process could be facilitated by a compromised EC official with the necessary permissions or by a hacker with unauthorized access who gains access to both the ballot papers and the EC's systems. In tightly contested elections, this capability could lead to targeted bribery or coercion, particularly if voters are identified as opposing a candidate in a stronghold.

The way the EC uses biometric devices significantly reduces the time needed to link a voter’s choice to their identity, raising serious concerns about the potential breach of ballot secrecy. This situation is alarming as it presents a significant safety hazard to voters.

In contrast, countries like Brazil and India, where biometrics are also used, have implemented systems where voters make their choice by touching a screen displaying their preferred candidate. Similarly, Uganda offers voters the option of either placing a tick or a thumbprint, thus making it clear that the thumbprint is not used for tracking purposes. Given Ghana's slightly higher literacy rate compared to Uganda, the mandatory thumbprint requirement raises questions.

The EC should provide transparency regarding the purpose of this mandatory requirement for a thumpbprint. If it is not intended for tracking purposes, the EC should clarify why such data is collected. The assumption is that if the EC collects thumbprints linked to voter choices, it must have a specific and justifiable use for this data.

Application and System Logs and Debriefing after ‘Advance To Contact’ Logs in computer systems serve as a crucial record of system activities, capturing events such as power-ups, logins, logouts, and details of data access and modifications. These logs include information on what was accessed, from where, using which device, and what actions were performed, including data views and changes. The Thales-Gemalto CABIS7 system is equipped with comprehensive logging capabilities. Provided that logging remains enabled, and logs are not tampered with, it is possible to analyse these records to detect unauthorized access or alterations.

As it is challenging to erase all traces of unauthorized access (hacking), it is generally feasible to uncover such activities through detailed log analysis. Therefore, the Electoral Commission (EC) must ensure that logging is consistently active and that logs are regularly reviewed and reported on. Retention periods of these logs should also be for a minimum of two election cycles so that historical analysis could be undertaken if required. Log analysis should be conducted transparently, and the results shared with key stakeholders like the NPP, NDC, the National Cyber Security Authority, Cyber Crime Unit (Police) and the NCA.

The EC should establish a dedicated cyber unit to continuously monitor and test its systems for malware, including persistent threats. Engaging cybersecurity firms for adversary simulation exercises, similar to military "Advance to Contact" drills, can provide valuable insights into potential vulnerabilities, the tactics and techniques or modus operandi (MO) of adversaries and with post exercise debriefing can improve defensive measures.

Transparency in reporting detected cyber incidents, even if they are unsuccessful attempts, is essential. Such reporting not only invites support from the cybersecurity community for assistance with incident analysis and recovery but also educates the public and raises awareness of the challenges the EC faces in the digital realm. This, in my view is good PR for the EC. Additionally, the Audit Service is responsible for conducting and reporting on all public bodies and this should include the EC.

Conclusion

The deployment of biometric devices in elections, though promoted as a means to bolster security and voter confidence, has proven to be both costly and problematic. In advanced democracies, such technology is primarily used for criminal investigations rather than electoral purposes, suggesting that biometric devices might not be as essential for ensuring electoral integrity as often claimed.

In Ghana, the introduction of biometric devices has brought about several challenges, including technical failures, high costs, and vulnerabilities to data breaches and potential manipulation. Despite their sophisticated features, these devices have not substantially enhanced electoral outcomes or public trust. Concerns about compromising ballot secrecy, potential misuse, and the lack of clear advantages compared to traditional methods cast significant doubt on their necessity.

Countries with well-established democratic systems, including the USA, UK, China,
Russia, and EU member states, manage elections effectively without biometric devices. This raises critical questions about why Ghana continues to rely on such technology despite its associated risks and the absence of clear, tangible benefits. The inconsistency in verification methods and the difficulties in ensuring accurate and fair biometric data further undermine the rationale for their use.

In this article I have raised issues which suggest a need for a thorough reassessment of the role biometric devices play in our elections. Rather than investing in expensive and complex technology that may not address fundamental issues of electoral integrity, it would be more prudent to focus on enhancing traditional methods and strengthening administrative oversight. Prioritizing transparency, improving procedural rigour, and addressing underlying issues of fairness and accessibility should be central to safeguarding the democratic process.

In conclusion, the current use of biometric devices in our elections appears to be both an unnecessary and costly misapplication of technology. It fails to deliver the anticipated benefits and poses significant risks to the fairness and integrity of our electoral system. A thorough re-evaluation of this approach, with a focus on proven and cost-effective methods, is essential to ensure our elections uphold to the highest standards of integrity and public trust.

The Electoral Commission (EC) has a crucial responsibility to ensure fair and trustworthy elections in 2024. It is imperative for the EC to avoid exacerbating tensions and prevent any descent into violence during or after the elections. This starts with achieving the highest levels of transparency in its processes and providing clear justifications for the use of biometric devices. While the EC should continue with efforts to prevent individual voter fraud, it must also scrutinize its own procedures and address the potential risks posed by malicious insiders.

The actions of compromised officials could undermine the electoral process and result in a scenario reminiscent of the turmoil experienced in Liberia, Sierra Leone, Ivory Coast, Kenya, Bangladesh, and Sri Lanka. Violence may take different forms each time it occurs, but the outcomes are consistently dire: chaos, disruption, destruction and the tragic loss of lives. To prevent such risks and protect the democratic process, it is crucial to ensure rigorous oversight and transparency. We must guard against the possible subversion of our democracy with manipulative tactics that exploit dubious 'rules of the game.'

Our two main parties, the NPP and the NDC who have a symbiotic relationship, alongside the Honourable Speaker of Parliament, bear a crucial responsibility to the people of Ghana. For the sake of our nation's integrity and the fragile peace we so value, it is imperative that they collaborate to address potential threats. One pressing concern is the Electoral Commission's questionable and potentially hazardous use of biometric devices in our elections. The parties must unite to scrutinize and rectify these practices, ensuring that our democratic processes remain transparent and secure.