Zimbabwe’s main ISP ‘TelOne’ takes down a key and critical Election website.

Zimbabwe’s ‘new dispensation’ narrative unraveled just 48 hours after the election, when violence erupted following the opposition’s disquiet with the results announced so far. In the process, the country’s leading ISP blocked the country’s most investigative election website, zimelection.com. This followed the ICT Minister’s threats to take down the website. In response, alleged hackers brought down the website of the Zimbabwe Election Commission. In the midst of the violence, I have been in the capital city Harare, where I was investigating censorship events both through interviews and by running OONI probes under the Sub-Saharan Africa Cyber Threat Modeling Project. My findings build on my previous country analyses, which can be accessed here, here and here.

Key Findings

  • Through local contacts in Zimbabwe, we learned that the website of the election commission body, the Zimbabwe Electoral Commission (ZEC), was inaccessible. Further tests showed that the site, hosted on a .zw domain, has been showing a “404 Not Found” error since 1 August 2018.
  • The local contacts informed us that the site of the Zimbabwe Electoral Commission (ZEC) had been blocked. Zimelection.com is a UK-based website run by a citizen-led organization. The website has been instrumental in encouraging citizens of Zimbabwe to vote by disseminating election-related information and news, as well as voter education. Last month, the Minister for Information Communications Technology and Cybersecurity, Mr Supa Mandiwanzira, issued a statement that, in part, threatened the website for making the Zimbabwean voters’ roll available online. You can read my report that covers that issue here.
  • Network measurement data collected from OONI Probe tests suggests that TelOne (AS37204) blocked access to zimelection.com by means of TCP/IP blocking. However, zimelection.com was accessible on other Zimbabwean networks such as Econet Wireless, which suggests the government did not order independent ISPs to block the website. This finding also suggests the limited extent to which Zimbabwe is downloading the responsibility to censor websites onto ISPs.
  • When Zimbabwe held elections in 2013, we did not test the accessibility of websites; it is therefore inconclusive whether the government blocked websites before 2015, when we ran the first OONI tests. However, in the weeks leading up to and following Zimbabwe’s disputed 2013 election, Zimbabweans were hit by significant Internet-based attacks. Because the incident was not widely reported, it did not gain traction at all in the Internet Freedom Community. Please see our full report on the issue here.
  • Also, in the lead up to the current elections, pro-democracy groups have alleged significant information security breaches of voters’ personal data ahead of the Monday 30 July elections. Please see our previous reports here.
  • We would encourage you to closely follow OONI data on Zimbabwe and also to run OONI Probes, software designed to measure the blocking of websites.
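The network comparison behind the TelOne finding can be reproduced from exported measurements. The following is an added example, not OONI's code or part of the original analysis: it groups records shaped like OONI `web_connectivity` measurements by network and reports a verdict only when enough measurements agree. The sample records are constructed, and AS64500/AS64501 are documentation-range placeholders standing in for other networks.

```python
import json
from collections import Counter, defaultdict

# Constructed sample, one JSON object per line, using field names from OONI's
# web_connectivity format. AS64500/AS64501 are documentation-range placeholders
# for other networks; timestamps and counts are invented for illustration.
SAMPLE_JSONL = """\
{"probe_asn": "AS37204", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 09:10:00", "test_keys": {"blocking": "tcp_ip", "accessible": false}}
{"probe_asn": "AS37204", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 09:40:00", "test_keys": {"blocking": "tcp_ip", "accessible": false}}
{"probe_asn": "AS37204", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 10:05:00", "test_keys": {"blocking": null, "accessible": null}}
{"probe_asn": "AS37204", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 11:20:00", "test_keys": {"blocking": "tcp_ip", "accessible": false}}
{"probe_asn": "AS64500", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 09:15:00", "test_keys": {"blocking": false, "accessible": true}}
{"probe_asn": "AS64500", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 10:30:00", "test_keys": {"blocking": false, "accessible": true}}
{"probe_asn": "AS64500", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 12:00:00", "test_keys": {"blocking": false, "accessible": true}}
{"probe_asn": "AS64501", "input": "http://zimelection.com/", "measurement_start_time": "2018-08-01 09:55:00", "test_keys": {"blocking": "dns", "accessible": false}}
"""


def load(jsonl):
    """Parse newline-delimited JSON measurements, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def summarise(measurements, min_samples=3):
    """Return {(asn, url): verdict} for each network/URL pair.

    Verdicts: "accessible", a blocking method such as "tcp_ip" or "dns",
    "mixed" when measurements disagree, or "insufficient_data" when fewer
    than min_samples usable measurements exist (one anomaly alone may be a
    transient failure rather than blocking).
    """
    buckets = defaultdict(Counter)
    for m in measurements:
        blocking = (m.get("test_keys") or {}).get("blocking")
        if blocking is None:
            continue  # the test could not reach a conclusion; do not count it
        label = "accessible" if blocking is False else blocking
        buckets[(m["probe_asn"], m["input"])][label] += 1

    verdicts = {}
    for key, counts in buckets.items():
        total = sum(counts.values())
        label, hits = counts.most_common(1)[0]
        if total < min_samples:
            verdicts[key] = "insufficient_data"
        elif hits == total:
            verdicts[key] = label
        else:
            verdicts[key] = "mixed"
    return verdicts


def networks_by_verdict(verdicts, url):
    """Group networks by verdict for one URL, to show whether blocking is
    network-specific or country-wide."""
    grouped = defaultdict(list)
    for (asn, measured_url), verdict in verdicts.items():
        if measured_url == url:
            grouped[verdict].append(asn)
    return {verdict: sorted(asns) for verdict, asns in grouped.items()}


if __name__ == "__main__":
    result = summarise(load(SAMPLE_JSONL))
    for verdict, asns in networks_by_verdict(result, "http://zimelection.com/").items():
        print(f"{verdict}: {', '.join(asns)}")
```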

Dynamic Data Obfuscation Ahead of Zimbabwe’s Elections

Zimbabwe’s pro-democracy groups have alleged significant information security breaches of voters’ personal data ahead of the Monday 30 July elections. While there haven’t been any reported significant network disruptions so far, these breaches, some of which the electoral commission has admitted, pose a significant threat to privacy, expression and political participation. While two of the cases involve an alleged interference with data stored and at rest in the election commission’s servers, the other case concerns the ‘black boxing’ of the ballot paper’s security features. This lack of transparency erodes trust and confidence in biometric technology, but it also frustrates the verifiability and audit of the technical functionality, especially its potential capabilities to obfuscate data. All the above developments challenge the Internet Freedom Community to reconsider the ambit of information controls, particularly during key political events such as Zimbabwe’s current elections. As a number of African countries embrace biometric technology-driven elections, the community needs to adopt a broader approach to information controls that addresses all information security breaches. This is regardless of the fact that some of these technologies do not exclusively rely on internet transmission control protocols to transmit and store data. This article argues that such a broader approach accords with The Citizen Lab’s conceptualisation of information controls: ‘a broad term used to define all actions that governments, the private sector, and other actors take through the Internet and other information communications technologies, for example, to secure (e.g., encryption) information for political ends.’ An acceptance of this view will lead to a more evidence-based and broader elections threat modeling.
Such modeling, based on revised indicators, would take into account a wide range of adversaries that potentially exploit vulnerabilities in decentralized technologies and also in data, regardless of medium or whether such data is in transit, cloud, storage or at rest.

Zimbabwe’s alleged information security compromises

In the run-up to Zimbabwe’s 2018 elections, the main opposition party, the Movement for Democratic Alliance, supported by some local NGOs, raised the following information security concerns in connection with the integrity, availability, and confidentiality of voters’ personal data:

  1. Selective access to voters’ personal data

The first complaint relates to the election commission’s refusal to give the opposition access to the voters’ roll stored in its servers on the ground that this may compromise the security of sensitive data. Subsequent to this refusal, some voters received targeted campaign text messages from the ruling ZANU PF party, leading to further allegations that the commission had selectively availed the voters’ database to the ruling party, contrary to the provisions of the law which it had cited to deny the opposition the same right. The commission responded to the accusation by stating that its database was hacked. This admission contradicts its earlier claim that its database was tamper-proof. The commission’s head, Judge Chigumba, had previously issued a press statement that the 2018 elections could not be rigged as the country’s voting system is “tamper-proof” for the simple reason that the data that they collected are housed in a ‘consolidation server’. She continued, “The consolidation server contains the master server that contains all the information and we then have other servers which we are using to connect that data. Those servers have very strict protection files. They have very strict un-hackable access level passwords that are tamper-free.” For more on this issue, please read our previous analysis: Verifiability and Trust: Two Key Ingredients to a Credible Election in Zimbabwe. The currently alleged data breach draws parallels to Kenya’s elections, where there were reports that individuals received texts via short messaging service (SMS) from candidates vying for various political seats during the campaign period of the elections. These SMS texts were allegedly accurate as to where the individuals were voting and, to some extent, their political inclinations.

The issue of data mining for political campaigns has been topical since the revelations that Cambridge Analytica used enormous datasets of personal information from Facebook to advertise to micro-targeted voters in the U.K. and the U.S. The information had initially been obtained from Facebook through a researcher, and then reportedly sold to Cambridge Analytica. When this happened, Facebook said this practice was a violation of their terms of service, but the incident raised important questions about data protection in the age of data harvesting.

  2. The integrity of voters’ biometric data

Both the opposition and NGOs raised the second allegation: gross errors and omissions, the inclusion of ‘ghost voters’, and a demographic distribution in the 2018 voters’ roll which is not consistent with the prevailing demographic models for Zimbabwe, along with precedent models from 1982 up to the 2012 censuses. This pointed to the possible manipulation of the entries on the voters’ roll.

  3. Data obfuscation and black boxing

Lastly, they alleged a lack of transparency in the printing of the ballot paper and a failure to fully disclose the ballot paper’s hidden technological capabilities and security features.

Some of the above issues had been raised before in Zimbabwe’s previous elections and elsewhere. During the 2013 elections, the Zimbabwean opposition had to petition the court after failing to access an electronic copy of the voters’ roll. Also, in neighbouring Zambia, during the 2015 elections which I observed, the opposition complained about the printing of the ballot paper and a lack of transparency over its features.

Information security Implications

While some of the concerns were of a cyber-security nature, some went beyond that to encompass the broader information security field, for example, voters’ data in storage, at rest and partly on static websites, but also information that is ‘encrypted’ on ballot papers. While the internet freedom community in Africa has by and large focused on internet shutdowns during elections, information controls are evolving and governments are now applying them in highly dynamic ways, often responding to events on the ground and displaying wide-ranging motives. Also, governments choose the technology that suits their goals, and this depends on whether the data at stake is in storage, at rest, in transit or in the cloud. However, in the case of Zimbabwe, a pattern is emerging: the country is gradually acquiring biometric-based technologies, sometimes outsourcing, to control when such information can be accessed and under which conditions. It may encrypt or use similar technologies to hide information that gives it an advantage. All in all, it uses information security doctrine and rule by law to cement its position.

Need for a revised threat model?

The above should inform a more accurate risk assessment and threat modeling. For instance, in Zimbabwe’s case, the risk assessment should take into account the fact that the adversaries could be “thousands of miles away or in the very next cubicle at work, or both!” Attention should be paid not only to unknown hackers from the outside: insiders are a much greater threat and can do far greater damage, which is likely to be the case in Zimbabwe’s current data privacy breach. Insiders already have some level of access, means, and opportunity to hack. In Kenya’s election data breach case, the hackers who compromised the voters’ data were insiders and, while the consequences of their action were partly based on making a profit, their conduct also gave certain political parties an advantage.

Obfuscation: security through obscurity and the information security doctrine

In the past, the reliance on information security as a form of a data breach in Zimbabwe was based on overt militarisation and securitization of the Internet, for example, the involvement of the Israeli Nikuv collaborating with the army. However, the current allegations in Zimbabwe appear to suggest a more covert embedding of political intentions in technologies. First, the management of the election is mostly civilian-led and under the auspices of a respected former judge who knows the importance of adhering to the rule of law. In this case, the rule of law becomes a double-edged sword, since the constitution gives the election commission the mandate over election management, including the technical aspects. For example, the commission has the full mandate to oversee the printing of the ballot paper. This, in turn, denies the opposition an avenue to technically test the ballot paper’s ‘encrypted’ technological capabilities and security features. This has rendered the opposition powerless and is leading it to slide into the dangerous terrain of propaganda and fake news.

Zimbabwe’s case is not novel in this regard. In 2016, Tunisia planned to equip all ID cards with an electronic chip that stored information — a part of which would be encrypted and unknown. It had no procedural or substantive safeguards to protect the data from abuse. The New York-based Access Now raised concerns that “A ‘black box’ ID card could be used to trample on the rights of Tunisians, granting officials access to rich data profiles that could be turned against citizens. But even if that doesn’t happen, creating a large database of this type of information would likely attract criminals and hackers seeking to exploit it. That’s not safe.”

General concerns with biometric technology deployment in Africa

According to CIPIT, the use of biometric technology in political processes, i.e. the use of people’s physical and behavioral characteristics to authenticate claimed identity, has swept across the African region, with over 75% of African countries adopting one form or other of biometric technology in their electoral processes. This has been necessitated in part by the low trust the majority of citizens have had in electoral management bodies and the assumption that adopting such technologies will increase confidence and efficiency in the elections. This comes at a high cost to countries already struggling with expensive elections. Despite such costs, the adoption of biometrics has not restored the public’s trust in the electoral process, as illustrated by post-election violence and legal challenges to the results of the 2017 Kenyan elections. An unexplored implication of this techno-optimism of biometric technology in elections is the privacy aspect.

Although Kenya’s elections were fully electronic, Zimbabwe could still draw key lessons from Kenya, as both countries’ legal landscapes lack the protections needed to safeguard the privacy of their citizens and protect their data. “Transparency, trust, and security are key when deploying biometrics technologies. When such technologies are adopted in the absence of a strong legal framework and strict safeguards, they pose significant threats to privacy and personal security, as their application can be broadened to facilitate discrimination, social sorting, and mass surveillance. In Zimbabwe, some politically connected parties have already threatened reprisals against people who vote a certain way since they have access to biometric data and voters’ serial numbers to monitor voting patterns. Also, the varying accuracy of the technology can lead to misidentification, fraud and civic exclusion. As such, it is crucial that [African countries] review their election and referenda processes, the use of biometric technologies be understood from a privacy and security perspective” (CIPIT, 2017).

Are decentralized technologies such as blockchain the future for election security?

Blockchain has already been piloted in Sierra Leone, where the national electoral commission (NEC) accredited Agora, a Swiss foundation focused on digital solutions, as an independent observer during its March 2017 election, to test its permissioned blockchain technology during elections. Blockchain was not used to tally the entire election but just to demonstrate blockchain capabilities. Agora manually entered the results announced by local polling station agents from 280 polling centers in Sierra Leone’s Western District on its blockchain ledger, where they could be accessed publicly. It published the results of its blockchain count on its website. These results could be checked against those tallied by the NEC.

While it was not officially adopted by the electoral commission, there is some potential for use of decentralized technology in elections across the continent. As with cryptocurrencies such as bitcoin and ethereum, recording votes on publicly accessible ledgers in real-time could bring more transparency to electoral processes and possibly prevent electoral disputes which often follow elections on the continent. For instance, the Brazilian legislature is testing the use of the ethereum blockchain to verify signatures collected for popular petitions. In a related development, a supporter of a Chinese student’s protest was able to circumvent speech restrictions on a topic by embedding a letter into the tamper-proof Ethereum blockchain.

While nothing is fully hack-proof, blockchain is significantly more secure as transactions on blockchain are irreversible, so the information cannot be altered. Furthermore, as an open-source, public, distributed computing technology, its transactions can generate distributed copies of themselves within the network. However, as we point out in our previous blogs, in addition to verifiability, the management of election processes goes beyond technology to trust and adherence to the rule of law. The InfoSec community should engage to encourage secure and transparent decentralized technologies, as was the case in Sierra Leone. However, this is a long shot in Africa, as no government is likely to use technology that leads to its defeat.
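The tamper-evidence property and the cross-check against official tallies described in this section can be shown with a minimal hash-chained ledger. This is an added example, not Agora's system or code from the original post: the centre names, candidates and vote counts are constructed, and a single-writer SHA-256 chain stands in for a distributed blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the first entry


def entry_hash(prev_hash, record):
    """Hash a record together with the hash of the entry before it."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(ledger, record):
    """Append a polling-centre result, linking it to the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def first_broken_link(ledger):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for index, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return index
        prev = entry["hash"]
    return None


def discrepancies(ledger, official):
    """Compare observer-recorded results with an official tally.

    Returns {centre: {"ledger": ..., "official": ...}} for every centre whose
    figures differ or that appears on only one side.
    """
    observed = {e["record"]["centre"]: e["record"]["votes"] for e in ledger}
    diffs = {}
    for centre in sorted(set(observed) | set(official)):
        if observed.get(centre) != official.get(centre):
            diffs[centre] = {"ledger": observed.get(centre),
                             "official": official.get(centre)}
    return diffs


def build_sample():
    """Constructed results for three hypothetical polling centres."""
    ledger = []
    append(ledger, {"centre": "WD-001", "votes": {"A": 120, "B": 95}})
    append(ledger, {"centre": "WD-002", "votes": {"A": 80, "B": 140}})
    append(ledger, {"centre": "WD-003", "votes": {"A": 60, "B": 61}})
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    published_head = ledger[-1]["hash"]  # value observers would publish widely

    official = {"WD-001": {"A": 120, "B": 95},
                "WD-002": {"A": 80, "B": 150},   # constructed mismatch
                "WD-003": {"A": 60, "B": 61}}
    print("differs from official tally:", list(discrepancies(ledger, official)))

    # Editing a stored result in place is detected at that entry.
    ledger[1]["record"]["votes"]["B"] = 150
    print("first broken link after edit:", first_broken_link(ledger))

    # Recomputing that entry's own hash only moves the break to the next entry.
    # Rewriting every later entry would pass the link check, which is why the
    # head hash must also match the copy held by independent parties.
    ledger[1]["hash"] = entry_hash(ledger[1]["prev"], ledger[1]["record"])
    print("first broken link after re-hash:", first_broken_link(ledger))
    print("head still matches published copy:", ledger[-1]["hash"] == published_head)
```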

How Undermining Encryption threatens Online User Security in Africa

Encryption, an integral component of anonymity and circumvention, has come under threat in an already embattled right to privacy and free expression landscape in Africa. This is evidenced by recent events in Uganda, where the government ordered telecommunication service providers to block Virtual Private Network (VPN) applications to address social media ‘tax evasion’. The national regulator, the Uganda Communications Commission, also unduly influenced Ugandans not to use VPNs, arguing that the cost of such services would exceed the proposed tax. Despite the current attempts to reverse its decision, the attempt places Uganda on the list of countries that have previously taken measures to undermine encryption in Africa and elsewhere. This article examines examples of efforts to limit public access and use of encryption tools, international efforts to leverage open source and commercial encryption, and international norms and standards governing encryption, and recommends measures that support the use of encryption technologies.

Introduction

Uganda’s proposal raises new challenges for activists and human rights defenders in the country and potentially across Africa, as their means of communication becomes a means for repression. Apart from helping activists, circumvention technologies have helped internet users in countries such as the Gambia to access social media for communication with friends and families during partial internet shutdowns, and have also helped girls, women and sexual minorities in East Africa to preserve their online privacy. The current regional challenge could not have come at a worse time, especially given the recent decision by Google and Amazon to block “domain fronting,” which has been used by the encrypted communications app Signal. The Ugandan proposal increases the potential that the Ugandan repressive state will spy on its citizens and further clamp down on free speech beyond using it as a tool to enforce tax compliance.

Further, the attempts add Uganda to a list of African countries that have displayed an inimical attitude towards encryption and anonymity online. For instance, Tanzania has online regulations that require internet cafes to have static IP addresses, and in Zimbabwe there were attempts to strip the anonymity of a popular blogger. Also in Zimbabwe, the regulator banned BlackBerry Messenger because its encryption services undermined provisions for lawful interception under the Interceptions of Communications Act, 2007. There is also criminalisation of the use of digital and encryption tools in Ethiopia, and attempts to ban anonymous social media posts in Lesotho. In our view, the current attempts to build local mobile applications in Ethiopia and Zimbabwe are yet other attempts to roll out un-encrypted apps, including those with state-approved algorithms.

Examples of efforts to limit public access and use of encryption tools

In their recent report, Citizen Lab and The Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic provide a comprehensive list of efforts to limit public access and use of encryption tools, including:

· Criminalisation and encryption bans

· Censorship of encryption tools

· Limits on key strength, choice of algorithms, or use of end to end encryption

· Export controls

· Covert efforts to undermine encryption; and

· Measures that target intermediaries, for example, backdoor access.

Criminalisation and banning of encryption may be direct, as in the case of Ethiopia, or indirect, as in Zimbabwe, where the regulator banned BlackBerry Messenger because of its encryption capabilities. Also, under the Interceptions of Communications Act, telecommunications services should have the ability to be intercepted. The same law also opens the door to requiring telecommunications providers to retain data about their customers and their communications, so that officials can access it.

Regarding censorship of circumvention tools, countries like Egypt, just like Venezuela, routinely censor circumvention technologies. A recent OONI report says that in Egypt, ISPs seem to apply “defence in depth” tactics for network filtering by creating multiple layers of censorship that make circumvention harder. Not only were numerous circumvention tool sites (including torproject.org and psiphon.ca) blocked, but access to the Tor network appears to be blocked as well, according to the report.

Under the covert efforts, intelligence agencies can covertly weaken encryption standards and tools of general application as well as disseminate those compromised tools internationally. The agencies may be directly involved in the standard setting process for the purpose of injecting weaknesses into the very foundation of certain cryptographic tools. Governments and their agencies can then use that knowledge of the weaknesses introduced, to exploit those systems more easily. On the measures that target intermediaries, governments may not ban encryption but require intermediaries to give them access in ‘exceptional cases’. However, ‘exceptional access’ may be exploited and used for human rights violations.

International efforts to leverage Open Source and Commercial Encryption

In light of the importance of encryption in protecting individual liberties, commercial interests and national security, the Ugandan and other African governments should take technical measures to increase security and user confidence online. Encryption, either for civilian or for commercial purposes, is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible. For the entire system to work, encryption software itself must be trustworthy. Users of encryption must be confident, and justifiably confident, that only those people they designate can decrypt their data.

The U.S., through the Internet Freedom Fund, has invested in programs that promote the development and use of encryption technology although such noble efforts came under scrutiny in the aftermath of the Snowden revelations. Nevertheless, U.S. government organisations such as the Open Technology Fund have done sterling work, independent from the U.S. Government, by funding the development of projects and tools such as Signal, Lantern, and Tor based on open source encryption to enable human rights activists and bloggers to exercise their human rights freely and safely online. For example, Psiphon has helped around 10 000 Iranians to access a restricted Internet. It is also popular in Ethiopia.

Similarly, the use of reliable encryption software to safeguard data is critical to many sectors and organizations, including financial services, medicine and healthcare, research and development, and other critical infrastructures around the world. Encryption-related software, including pervasive examples such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI), is essential to online commerce and user authentication. It is part of the underpinning of current communications networks.

International norms and standards

Article 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights guarantee individuals’ right to access information “regardless of frontiers.”

Echoing these provisions, in his first report to the Human Rights Council, the Special Rapporteur on freedom of opinion and expression, David Kaye, noted that encryption and anonymity in digital communications deserve strong protection to safeguard individuals’ right to exercise their freedom of opinion and expression.

While Africa is facing a number of threats like ransomware and cryptolocker, as pointed out in the Symantec Report, but also terrorism and child exploitation, laws, practices and policies that ban, restrict, or otherwise undermine encryption and anonymity, all in the name of public order or counter-terrorism, significantly and disproportionately damage the rights enshrined in Article 19.

When States legitimately need access to encrypted or anonymous information, they should only seek it through a judicial process. Kaye also recommends against compelling private companies to install encryption vulnerabilities for Government access, because this would make companies’ digital networks vulnerable to criminal activity or hostile State action. The Rapporteur further recommends that States protect and promote the use of encryption as a matter of digital security.

Recommendations

The proposed move in Uganda and related practices elsewhere in Africa go against best practice towards the protection of anonymity in digital communications in light of David Kaye’s recommendations. In the digital era of mass surveillance, encryption is not a side-bar or footnote in the free expression discourse but can make the difference between life and death for journalists, bloggers and human rights defenders operating in repressive environments, as was the case in Ethiopia and the Gambia before the current reforms. This also includes democracies like Kenya where, according to a Privacy International report, surveillance is a matter of life and death. In Zimbabwe, a prolific blogger used anonymity to expose government corruption.

Given its importance in free expression and preserving online confidentiality, any ban, including the proposed ban on encryption and anonymity, should meet the test of legality, necessity and proportionality under international law and must, in addition, comply with industry best practice in its application. Practices that seek to lift the cover of anonymity from bloggers who expose government corruption, including through humorous cartoons, do not meet the three-pronged test.

Also, given Africa’s financial markets’ vulnerability to cyber-attacks, weakening encryption protocols may further expose financial institutions and other critical infrastructure to cyber-attacks.

To secure liberty in the digital world, African governments and tech giants should adopt the normative recommendations outlined above and evolving evidence-based good practice, to:

· Fully support and not undermine efforts to create encryption standards;

· Not in any way subvert, undermine, weaken, or make vulnerable generally available commercial and open source software; and

· Increase the use of encryption and urge companies and civil society to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

Main cited works.

Lex Gill, Tamir Israel, and Christopher Parsons (May 2018), “Shining a Light on the Encryption Debate: A Canadian Field Guide,” Citizen Lab and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic <https://bit.ly/2lVGDK0>

Liberty and security in a changing world <https://bit.ly/2tHjUDo>

Human rights, encryption and anonymity in a digital age <https://bit.ly/2KNOJiw>