Day 6 of hearings in the #HudumaNamba #NIIMS case - proceedings yet to begin
Today will start with cross-examination of PS ICT Jerome Ochieng
Remembering back to a few weeks ago...
#HudumaNamba
The judges have entered the court room and proceedings are beginning for today #HudumaNamba
PS ICT Jerome Ochieng has been sworn in and is being introduced by counsel for respondents
He signed five affidavits in the case
#HudumaNamba
Cross-examination will now begin, led by counsel for the 1st petitioners @waikwawanyoike
The witness will be also be cross-examined by counsel for the 2nd petitioners
#HudumaNamba
@waikwawanyoike Counsel @waikwawanyoike starts by asking the PS ICT about his educational background
The PS has a Masters in Information Engineering and other training and work experience related to ICT
#HudumaNamba
@waikwawanyoike Counsel clarifies PS now stands for Principal Secretary under the law
The witness also clarifies the Ministry has two PS roles - PS for ICT and PS for Broadcasting
#HudumaNamba
@waikwawanyoike Counsel is asking if the PS ICT understands #NIIMS fairly well
The PS agrees
The PS ICT is part of the Inter-ministerial Committee for #HudumaNamba
@waikwawanyoike Counsel asks if the PS ICT is in charge of the intellectual work of #HudumaNamba and the PS agrees
Counsel asks when the work to build the system began
PS says this year in January or February, but preparations started earlier
@waikwawanyoike Counsel refers to a letter dated May 2018 in which the PS invited people to a meeting on #NIIMS
Counsel: Would you agree with me that the start of development of NIIMS goes back to May 2018?
PS ICT: I would not agree, I commit to my answer
#HudumaNamba
@waikwawanyoike Counsel: Would you agree considerations of NIIMS went back to May 2018?
PS ICT: Before that - Jan or Feb 2018
Counsel: Where is the data?
PS ICT: It is in Kenya
#HudumaNamba
@waikwawanyoike Counsel: Is it in individual files or the master database?
PS ICT: It's in a database
Counsel: Yesterday PS Interior Kibicho said you have not started analyzing the data - is that correct?
PS ICT: Correct
#HudumaNamba
@waikwawanyoike Counsel: But you are in a position to do it, if the court allows?
PS ICT: Yes
Counsel: You have developed the algorithm for de-duplication?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: Was the software developed in Kenya, by Kenyans?
PS ICT: Yes
Counsel asks if industry standard is to do modeling or to develop a prototype for such a system
PS ICT doesn't agree
#HudumaNamba
@waikwawanyoike Counsel: Have you done any tests?
PS ICT: Yes
Counsel: In the tests, it would include for example a penetration test to check the security of the system?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: Would you also check if the system can de-duplicate? Some analysis early on to see if the system has integrity?
PS ICT: Yes
Counsel: Reports of this analysis would be generated to be shared with you and Eng. Kibicho?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: Part of the petitioners' complaint is that you may have developed a system that may compromise the right to citizenship, especially for the Nubians? Do you know there is a complaint on nationality?
PS ICT: I have heard of it
#HudumaNamba
@waikwawanyoike Counsel: Do you know part of the fear about exclusion is related to the system you might be using?
PS ICT: Yes
Counsel: Do you know part of the fear of the petitioners is that the system may not be able to protect right to privacy?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: I assume you did tests that the algorithm can scale?
PS ICT: Yes
Counsel: Have you provided to this court any results from any of the tests you might have performed?
PS ICT: No
#HudumaNamba
@waikwawanyoike Counsel: Have you provided any evidence that when you tested the system that it passed?
PS ICT: No
Counsel: You know of Idemia?
PS ICT: Yes
Counsel: You procured 31500 kits from Idemia?
PS ICT: OT-Morpho
Counsel: Yes, and they have become Idemia, correct?
PS ICT: Yes
@waikwawanyoike Counsel: When did you engage OT Morpho?
PS ICT: Can't remember date exactly
Counsel: Rough estimate?
PS ICT: Early 2018
#HudumaNamba
@waikwawanyoike Counsel: You engaged OT Morpho in early 2018, of course the registration didn't start until 2019, correct?
PS ICT: Yes, April 2019
Counsel: When was contract for the kits?
PS ICT: Procuring entity was Ministry of Interior, though in partnership, but want to refer to docs
@waikwawanyoike Counsel: I understand from your affidavit you cleaned the kits for any back-end applications?
PS ICT: Yes
Counsel: Do you remember when that happened?
#HudumaNamba
@waikwawanyoike PS ICT: Around March or April 2019 before the exercise for enumeration started
Counsel: So just before enumeration?
PS ICT: Yes
Counsel: Working backwards, any estimate on when you got into agreement w/OT Morpho?
PS ICT: That would take me to around end of 2018
#HudumaNamba
@waikwawanyoike Counsel: How many companies did you consider for the kits supply?
PS ICT: 3
Counsel: Was it a public, competitive bid?
PS ICT: It was restricted
Counsel: Have you provided court with evidence related to the bidding process?
#HudumaNamba
@waikwawanyoike PS ICT: Not in my affidavit, but I would assume Ministry of Interior, the procuring entity, did
Counsel: But you're not aware if they did?
PS ICT: No
Counsel: Apart from supply of the kits, what have you engaged OT Morpho to do?
PS ICT: Nothing
#HudumaNamba
@waikwawanyoike Counsel asks if "single source" means because it's one place you can go for reliable data - PS ICT confirms
Counsel: Would you agree that the more data you have, the more reliable the single source idea would be?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: Would you agree the govt has analogized the need for this data to oil?
PS ICT: Yes
Counsel: Reads from affidavit "Personal data is a critical resource that drives economic growth in this century as oil did in the past"
PS ICT: Correct
#HudumaNamba
@waikwawanyoike Counsel: You are aware there is a #HudumaBill2019?
PS ICT: Yes
Counsel: At a public forum on the bill, you made a statement that "data is the new oil"?
PS ICT: I did
#HudumaNamba
@waikwawanyoike Counsel: That day you weren't speaking as Mr. Ochieng but as govt - is that the position of the Government of Kenya?
PS ICT: It is an international position
Counsel: And Kenya has adopted that position?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: Do you think we can analogize personal data with oil?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: I understand the Ministry conducted a SWOT analysis, and you have included it in your documents?
PS ICT: Yes
Counsel: You did this with UNICEF?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: I understand the initial motivation was to investigate the best way to have universal birth registration with a unique identifier from birth?
PS ICT: Yes
Counsel refers to Estonia example
#HudumaNamba
@waikwawanyoike Counsel: If Kenya was to achieve a universal civil registration where we allocate each child a unique identifier, we would be quite ahead in terms of identification of citizens?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike Counsel: Would you agree this analysis goes slightly beyond that concept and starts to talk about #NIIMS?
PS ICT: Yes
Counsel: Did they overstep?
PS ICT: No
#HudumaNamba
@waikwawanyoike Counsel: Was part of the concept of #NIIMS inspired by the SWOT?
PS ICT: Part of it, yes
Counsel: Has govt done any cost-benefit analysis comparing universal birth reg vs. #NIIMS as it's designed now?
PS ICT: Not that I'm aware
#HudumaNamba
@waikwawanyoike Counsel: Has govt done any cost-benefit analysis on #NIIMS?
PS ICT: Not that I'm aware
#HudumaNamba
@waikwawanyoike Counsel refers to a table within the SWOT analysis where it lists a number of countries used in benchmarking
Counsel: Would you agree that the only groups that were involved in developing the SWOT were govt officers and UNICEF officials?
PS ICT: No
#HudumaNamba
@waikwawanyoike Counsel: On pg85, do you see the name of an individual not associated w/the Ministry or UNICEF?
PS ICT: Yes
Counsel: That would be the consultant related to doing the SWOT?
PS affirms
Counsel: Beyond consultant, anyone not associated with the Ministry or UNICEF?
PS ICT; No
@waikwawanyoike The counsel refers to another section of the report and asks if there it indicates any involvement of people not associated with the Ministry or UNICEF - the PS confirms there are none.
Counsel: You are familiar with mandate of @HakiKNCHR to monitor rights?
PS ICT: Yes
@waikwawanyoike @HakiKNCHR Counsel: Do you see anywhere in this methodology where an officer from @HakiKNCHR was involved?
PS ICT: No
Counsel: Any independent office that you can recognize?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel asks if there is any indication of any non-governmental body being involved in the analysis other than UNICEF. The PS ICT responds there was and it's implied.
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel moves questioning to the Data Protection Policy, which the PS confirms falls under his Ministry
Counsel confirms that the reason the PS included the policy in his documents is that the concerns of petitioners might be addressed by the policy
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Have you provided the court any evidence who was involved in the development of the Data Protection Policy?
PS ICT: No
#dataprotectionke #HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to statements from PS Interior yesterday that policy precedes law, such as a Data Protection Policy coming before a Data Protection Law
PS ICT affirms
Counsel: Is there a #NIIMS policy?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel asks PS ICT to read from PS Interior's affidavit re: lack of linkages between databases has led to inefficiency
PS ICT is asked if he agrees with PS Kibicho's statement and if it was a primary motivation for #NIIMS - he agrees
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to the list of benefits of #NIIMS in the PS Interior's affidavit and asks if the PS ICT has the same understanding of the benefits
The PS ICT does agree
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to the "institutions and benefits that stand to benefit greatly" from implementation of #NIIMS, as listed by PS Interior
Counsel: Do you take any issue with the institutions listed here, including the judiciary and county governments?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Do you agree county governments would benefit in delivery of services?
PS ICT: Yes
Counsel: The services they are delegated under the constitution?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Do you agree they would benefit through being able to interact with #NIIMS?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel now refers to the affidavit of the PS ICT where he addresses harmonization of databases
Counsel: Would you agree this is a watershed moment for Kenya? Kenya will achieve quite a big thing through #HudumaNamba?
PS ICT: Yes, I would agree
@waikwawanyoike @HakiKNCHR Counsel: So this is not a minor thing?
PS ICT: No it's not
Counsel: Is there an identification crisis in Kenya today?
PS ICT: There is
Counsel: Is govt able to function, given the identification crisis?
PS ICT: Yes, w/challenges
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: This crisis goes back quite a bit, doesn't it? According to you, at least back to 1989?
PS ICT: Yes
Counsel: Given how long we have had this crisis, would you agree it's important to ensure any system created is credible?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Would a credible system take the rights of Kenyan citizens and non-citizens seriously?
PS ICT: Yes
Counsel: Would you agree that if it look a little longer to create a system that would protect rights, it would be worth it?
PS ICT: No
#HudumaNamba #NIIMS
@waikwawanyoike @HakiKNCHR Counsel: You are saying we are in such a rush to have #HudumaNamba... would we collapse in the next month or two?
PS ICT: Anytime
@waikwawanyoike @HakiKNCHR Counsel: So we don’t have time to consider alternatives?
PS ICT: Yes
Counsel: So our fate is #HudumaNamba?
PS ICT: Yes
@waikwawanyoike @HakiKNCHR Counsel: IS there a law that establishes #NIIMS?
PS ICT: We do not have a NIIMS law, but NIIMS is based on a “couple of other acts”
Counsel: But you are aware the one Act that specifically talks about NIIMS is the Reg of Persons Act, as amended?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel asks and the PS ICT confirms there is no other law that talks about #NIIMS beyond the Registration of Persons Act, only an Executive Order
#HudumaNamba
@waikwawanyoike @HakiKNCHR The counsel is now asking about the understanding of the PS ICT on rule of law - including that source of power of govt comes from law, any action of govt must be regulated by law - the PS ICT agrees
#HudumaNamba #RuleOfLaw
@waikwawanyoike @HakiKNCHR Counsel: Is there a law establishing #HudumaNamba?
PS ICT: The law that establishes #NIIMS
Counsel: That's not my question - is there a law that establishes Huduma Namba?
PS ICT: Reg of Persons Act, section 9A
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: What does 9A establish?
PS ICT: National Integrated Identity Management System
Counsel: Does it mention #HudumaNamba?
PS ICT: No
Counsel: Is there any law that mentions Huduma Namba?
PS ICT: No
@waikwawanyoike @HakiKNCHR Counsel walks PS ICT through the Swahili words for National - Integrated - Identity - Management - System
PS ICT agrees with the translation
Counsel: So how did you go from #NIIMS to #HudumaNamba?
PS ICT: A communication concept - we were aware of education level of Kenyans
@waikwawanyoike @HakiKNCHR Counsel: It's the communication concept that advised to use the name #HudumaNamba?
PS ICT: Yes
Counsel: Would you say many Kenyans would not understand taifa or kitaifa is national?
PS ICT: Maybe 50%
@waikwawanyoike @HakiKNCHR Counsel: Kitambulisho?
PS ICT: That would be maybe less than 30%
Counsel: Who would know..
PS ICT: Who would *not* understand
Counsel: And how many would understand mfumo?
PS ICT: Maybe 90%
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to the data capture form where at the bottom is says "Huduma Namba registration is mandatory according to section 9A of the Reg of Persons Act"
PS ICT affirms it says that
Counsel: This form is for #HudumaNamba?
PS ICT: Yes
@waikwawanyoike @HakiKNCHR Counsel: It's not for #NIIMS?
PS ICT: Yes
Counsel: So the exercise you have been carrying out is not a section 9A exercise?
PS ICT: It is not
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Is there anywhere in this form where there is any mention of #NIIMS?
PS ICT: No
Counsel: You said #HudumaNamba is a communications concept?
PS ICT: Yes
Counsel: Did you choose #HudumaNamba to engage in a campaign of deception?
PS ICT: I would not agree
@waikwawanyoike @HakiKNCHR Counsel: Would you agree you called it #HudumaNamba so that Kenyans would believe they would get benefits? Part of the reason you labeled the process a Huduma process was so Kenyans would understand they would get benefits?
PS ICT: Yes
@waikwawanyoike @HakiKNCHR Counsel: Do you think your govt cares about law?
PS ICT: It does
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to where the PS ICT discusses DNA in his affadavit and asks if he has seen Malombe's affidavit about the implication of DNA - the PS has not
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel understands from the affidavit that the govt is not collecting information about DNA or GPS - and confirms with the PS ICT that this was a decision made by the committee
Counsel asks about separation of powers - parliament makes the law, executive implements - PS affirms
@waikwawanyoike @HakiKNCHR Counsel confirms the PS's understanding that the executive cannot choose which part of the law to implement
Counsel: Do you understand that if you wanted to collect DNA, you would not need to go back to Parliament to do that?
PS affirms this is true
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel points to the PS ICT's affidavit where he addresses the advantage of DNA for identification purposes - PS ICT agrees with the statement
Counsel: It would be legal for the Kenyan government to require DNA or GPS from its people?
PS ICT: Yes
#HudumaNamba #NIIMS
@waikwawanyoike @HakiKNCHR Counsel now referring to where the PS ICT has discussed data protection, including the Data Protection Bill, in his affidavit - and confirms the PS refers to the Bill because it might respond to some concerns of the petitioners
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel asks if the position of the PS ICT is there are already adequate laws on data protection, surveillance, etc. - the PS does believe there are
Counsel confirms one of those is the Access to Information Act
#HudumaNamba #RTI #AccessToInformation
@waikwawanyoike @HakiKNCHR Counsel gives the PS ICT a copy of the Access to Information Act and asks him to read the long title of the Act
"An Act of Parliament ot give effect to Article 35 of the Constitution"... giving CAJ oversight...
@waikwawanyoike @HakiKNCHR Counsel confirms the PS refers to the Kenya Information and Communications Act and again asks him to read the long title
PS ICT reads - counsel asks if he agrees the law is about purposes related to the institutions listed in the long title and the PS ICT agrees
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel also gives PS ICT a copy of the Cyber Crimes Act
PS ICT reads: "to provide for offenses related to computer systems" including timely detection, response, and investigation of computer & cyber crimes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: In your opinion, that Act is fully in force?
PS ICT: Yes
Counsel: Are you aware a significant # of provisions of that Act have been suspended by the court?
PS ICT: I'm aware
Counsel: Are you aware the AG tried to have suspension lifted and on Oct 1 the court refused?
@waikwawanyoike @HakiKNCHR Counsel: Are you aware part of the reason the AG wanted the suspension lifted is that because it makes it hard to implement some provisions of KICA that you point to?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel @waikwawanyoike now refers to where the PS ICT addressed the Data Protection Bill in his affidavit & confirms the PS knows the petitioners are concerned about Article 31 of the Constitution - specifically Article 31(c) & 31(d)
#HudumaNamba
@waikwawanyoike @HakiKNCHR PS ICT is asked to read the long title and ask if it's fair that this bill is to give effect to Articles 31(c) and (d) of the Constitution
PS affirms
PS is asked if he knows of any law specifically designed to give effect to Article 31(c) & d
PS responds "As a layman, no"
@waikwawanyoike @HakiKNCHR Counsel: As a govt officer?
PS ICT: No
Counsel: Do you know of any law that creates the Data Protection Commissioner you seek to create under this bill?
PS ICT: No
Counsel: Any law that specifically regulates work of a data controller & processor?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel continues to question whether there are any laws in force that do what the Ministry of ICT intends to achieve through section 5 & 6 of the Data Protection Bill
#HudumaNamba
@waikwawanyoike @HakiKNCHR PS ICT points to the Access to Information Act for one of the provisions
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to testimony of PS Interior on documents required for registration
Counsel: In your view is it possible to register for #HudumaNamba w/out an ID as an adult or birth cert as a child?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers again to the data capture form, and PS ICT affirms part of the information required for citizenship is an ID number
PS ICT clarifies "it is mandatory to have an ID number for registration"
Counsel: So if you don't have an ID, you can't register?
PS ICT: Correct
@waikwawanyoike @HakiKNCHR Counsel confirms PS ICT understands part of the petitioner's complaint is that people without IDs would not be able to register for #HudumaNamba
PS ICT is aware that is part of the complaint and confirms someone without an ID would not be able to register
#NIIMS
@waikwawanyoike @HakiKNCHR Counsel: Are you familiar with the concept of "exclusion by design" -that you can design a system that excludes certain categories of people? Is that a possibility?
Counsel rephrases: When you design a system, can the system filter & disaggregate different categories of people?
@waikwawanyoike @HakiKNCHR PS: Yes
Counsel: #HudumaNamba has that ability, right?
PS: Yes
@waikwawanyoike @HakiKNCHR Counsel asks if people could register without an ID whether the system would label that person as a non-citizen
PS ICT says it would
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel goes to PS Interior Kibicho's affidavit, which contains a training manual on #NIIMS
PS ICT reads "indicate the ID number of the person you are registering if the person is over 18 and has a national ID; if the person is over 18 & does not have mark "xx""
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Would you still not agree the system could mark a Kenyan as a non-citizen?
PS ICT: I would still not agree
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: One thing the system will help with, maybe especially for security officers, is to see where a person has interacted with a system from?
PS ICT: Yes
Counsel: So if you interacted w/system at NHIF HQ, they could tell from the system?
PS ICT: No, not this system
@waikwawanyoike @HakiKNCHR Counsel: Does the system require someone to do verification before getting a service?
PS ICT: No
Counsel: Was my understanding wrong from PS Kibicho that a traffic officer can check your details?
PS ICT: That is possible
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: You are aware of metadata & logs?
PS ICT: Yes
Counsel: When verification happens, is some metadata left?
PS ICT: Yes
Counsel: A log showing interaction between Waikwa & police
PS ICT: Officer xyz interacted with ID number # and got this return
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: And the log would show where that interaction happened?
PS ICT: Yes
#HudumaNamba #NIIMS
@waikwawanyoike @HakiKNCHR Counsel: Is there a specific rule, regulation, or law that speaks to how metadata from #NIIMS should be handled?
PS ICT: Yes
Counsel: Specific to NIIMS?
PS ICT: Specific to data - metadata is data - that would be Access to Info Act
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Does Access to Info Act specify how long govt should keep metadata?
PS ICT: Yes
Counsel: Are you aware of the section?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Any law that specifies how often govt should purge metadata generated via #NIIMS?
PS ICT: Yes - Access to Info Act
Counsel: Do you know the section?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: where are the servers for de-duplication for #NIIMS?
PS ICT: They are in Kenya
Counsel: Kibicho said it was built locally, largely under your Ministry & guidance
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to testimony of witness Brian Omwenga - that he said the system could be changed or tweaked.
Counsel: Would you agree with him?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel refers to testimony of PS Interior that the only reason the govt hasn't been use the data is b/c of court orders
PS ICT affirms
PS ICT confirms NIIMS is a "hybrid" - centralized & decentralized, but with interlinkages between functional & master database
#HudumaNamba
@waikwawanyoike @HakiKNCHR PS ICT says link between two functional databases not possible
Counsel refers to PS Interior's statement that total cost may amount to 9B - main cost for enumerators & kits - PS ICT confirms
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Are you aware the petitioners are not opposed to digitization per se?
PS ICT: I am not aware
Counsel: I'm informing you that they are not opposed
PS ICT: That's good news
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Petitioners concerned that the system as designed in a way that could exclude people (we talked about nationality) & may also cause a breach of right to privacy. Are you aware of that?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: Witness Anand said one way to deal with that would be a decentralized system that has silos. Is that a way to deal with breaches?
PS ICT: I disagree
Counsel: He also mentioned to protect privacy, it is good to put minimal data in the master database?
PS ICT disagrees
@waikwawanyoike @HakiKNCHR Counsel: So your opinion is to put as much information as possible in the master database?
PS ICT: And secure it
#HudumaNamba #NIIMS
@waikwawanyoike @HakiKNCHR Counsel refers to Estonia - that the data there is in the chip and needs a password for it to be released, as opposed to in Kenya where the data will be in the central database, accessed via biometrics
PS ICT affirms
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: If the court ordered #NIIMS to be decentralized with minimal data in the master database, would you comply?
PS ICT: If it was an order of the court
Counsel: And it would be a software issue, which would be done by Kenyans?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel: If the court ordered you to store only the minimal information needed for identification in the master database, would you comply?
PS ICT: Yes
Counsel: It's technically possible to do that?
PS ICT: Possible it is
#HudumaNamba
@waikwawanyoike @HakiKNCHR Counsel @waikwawanyoike for the 1st petitioners @NubianRights has no further questions
Cross-examination now goes to @Awelejack representing the 2nd petitioners @thekhrc - he indicates he will need about one hour
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel Awele refers to PS ICT's replying affidavit to the petition of @thekhrc
Awele asks PS ICT if he knows Kenya has had in the past registration systems for persons in Kenya
PS ICT confirms he knows
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel Awele asks PS ICT to briefly state what's different about #NIIMS
PS ICT refers to passports, NRB, CRS & that all these databases sit in isolation; main objective of NIIMS is a single database that can collate existing identification databases and a Kenyan would have 1 #
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT continues that the number would cross-reference existing identification systems
New born children would have the number from cradle to grave
But we're going a step further and including digital biometric data
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT is asked to confirm which biometrics - he says fingerprints and facial recognition via photograph
He refers to the definition of biometrics in the law, which includes many other attributes - "digital human aspects" of an individual
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel Awele asks if the objective of #NIIMS to reduce aspects of a person to digital form and automate it
PS confirms
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks if the information is sensitive and the PS ICT agrees
Counsel asks if PS understands once that information leaves you, it can be manipulated for other purposes
PS ICT: Yes, it *can*
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT is asked if the reason for updating the Reg of Persons Act to collect biometrics is because of the uniqueness, and the PS agrees that's the reason
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Was your Ministry the lead Ministry in the conceptualization and development of #NIIMS?
PS ICT confirms
Counsel: Do you understand the main concerns of the petitions?
PS ICT: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Can you summarize the main concerns?
PS ICT: My understanding is their concerns are on issues relating to privacy of their data and security of their data
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks when the system was ready for deployment and the PS ICT says it was ready this year, under development last year
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel refers to the #NIIMS training manual in Kibicho's affidavit and asks what year the manual was developed
PS ICT: 2018
Counsel: If NIIMS was developed & operationalized this year, on what basis was this manual created?
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT: The process of development of NIIMS was not an event, you asked me when it was implemented
Counsel: I asked when it was operationalized and when it was developed
PS ICT: Development was a process, started 2018
Counsel: You said it was completed in 2019
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT: Manual on the basis of whatever was being developed
Counsel: Do you understand #NIIMS was established pursuant to an Act of Parliament?
PS ICT: Yes
Counsel: When did ti come into effect?
PS ICT unsure
Counsel: President assented to law on Dec 31, 2018
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: So NIIMS was developed prior to the law?
PS ICT: The beginning of the development
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: What were the guiding principles for the development of the system? Was there a law, a policy, principles?
PS ICT: Registration was it - Registration Persons, Registration something
Counsel: The one assented to in Dec 2018?
PS ICT: Yes, Reg. of Persons
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc The PS ICT explains that #NIIMS has a three-tiered system
First layer: data
Second layer: applications
Third layer: user access, and there are three levels of users
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Where did you get this information from?
PS: Technical knowledge
Counsel: Is there anywhere else we can access this info?
PS: Go to Google, search for client server systems architecture
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: So you are saying the architecture of NIIMS is provided for in your website?
PS: No, it’s based on a technical design
Counsel: So you designed the system?
PS: Yes
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Do you have publicly available information on the design?
PS: No
Counsel: Why?
PS: For security
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks why - given what PS Interior Kibicho said about penetration tests and the Ministry has its own hackers - the govt can't share more about the design
PS ICT says because you don't want to give external hackers knowledge of the architecture to start with
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks the PS whose data is in NIIMS - he confirms it's the citizens' data
Counsel asks whether the public should believe their data is secure without having more information
PS ICT says the Ministry has been entrusted with the data
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel refers to information in a government affidavit - PS ICT confirms it's the Estonia system architecture
Counsel: How did your team get that information?
PS ICT: Two possibilities - either via a visit or it's online
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks if Estonia would have provided the architecture to them if it was prejudicial to the system - why is #NIIMS so special that you can't give us the same information without suffering prejudice?
PS ICT: I responded about the source code - wasn't that the question
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel clarifies that he had asked, given the data is encryption, why can't the architecture be sahred
PS ICT: As PS ICT I would still insist we cannot share that architecture
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Are you aware of report from Brian Omwenga?
PS ICT: Yes
Counsel: Did you adopt that report formally?
PS ICT: Report not adopted, just guidelines
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Have you sought to implement any of those guidelines?
PS ICT: For purposes of development, it's research information
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: One of the things Mr. Omwenga recommended is open standards -do you agree?
PS ICT: Yes
Counsel: he also recommends pre-defined security policies, do you agree?
PS ICT: Policies developed & published
Counsel: Published - so good for the public to know?
PS ICT: Yes
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: To what extend does #NIIMS comply with these recommendations?
PS ICT: We have not published our security policies
Counsel confirms that while PS ICT thinks the recommendations are good, the govt has not implemented them
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT says the govt needs to shield itself - once the documentation is online, you don't know to what extent it goes
#HudumaNamba #NIIMS #dataprotection
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: If industry standard is to expose system to improve it, why don't you?
PS: For hackers, this is their daily bread & butter, they would know where to look - it's good, because they are my people - "ethical hackers"
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: So these people earn their monthly paychecks from you?
PS: Yes
Counsel: Do you think that makes them objective, compared to someone external?
PS: Yes - most objective, because if breach I would go back to them
Counsel: Worst that would happen?
PS: Would be fired
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel refers to McKinsey report, which PS ICT has not read in full though he produced it for court
PS ICT reads from report on need for law to guard against challenges of #digitalidentity #digitalID - user adoption will accelerate if provides value, trust, & protects privacy
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT reads from another report - "the govt recognizes that this protection is an essential element in maintaining public trust in entities managing personal data"
#HudumaNamba #NIIMS
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Your expert Mr. Omwenga, the McKinsey report, & data protection policy all recommend public information on how data is safeguarded - please explain how #NIIMS has complied
PS ICT: Awareness before data capture process, there was a lot of publicity on what NIIMS is about
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc ....Awareness also on what data capture form intended to do and the benefits
Counsel: On the system - any publicly information on how the data is held?
PS ICT: When we read McKinsey's information he's talking about building public trust - we inform public why we collect data
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc "How the data will help you as a citizen, that bit we did" says PS
Counsel: Did you explain to them risks from collection of the information and how risks would be mitigated?
PS ICT: Didn't go to that extent - if I give mzee explanation about hacking, what sense it would make
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: So you didn't share this information based on literacy levels?
PS ICT: In terms of communcations, citizens want to know what govt will do for them - the benefits
Counsel: That is the only info you should provide to citizens?
PS ICT: That is priority #1
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Do you think you need to provide info on when personal data might be at risk?
PS ICT: That would have been addressed
Counsel: Was it?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel has PS ICT read a report in support of his submissions - the report says an advanced system must have high standards for safe data storage
Counsel: Would you say NIIMS meets standards?
PS ICT: Yes
Counsel: With publicly available information we can use to benchmark?
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT says it's not public because of security
Counsel ask if the data should be given voluntarily
PS ICT confirms that no one was forced
Counsel asks if he knows the law makes it an offence not to provide information required?
PS ICT is aware
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks if PS ICT is aware based on the law that establishes NIIMS police can arrest someone without a warrant for refusing to give information
PS ICT says he is aware, but refers to the court orders that prevented mandatory registration
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Without a law, you cannot enforce what's in the Data Protection Policy?
PS ICT: Data Protection Policy goes beyond NIIMS
Counsel: But it includes NIIMS
PS agrees
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Without inter-operability regulations, would it be hard to enforce policy?
PS ICT: It wouldn't hard
Counsel: What would guide sharing of data between agencies?
PS ICT: Controlled at the systems level - you may not even require a law, we can control who sees what data
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Are these regulations within your Ministry?
PS ICT: Yes
Counsel: Are they publicly available?
PS ICT: No
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Do you think if you made these regulations public, it would be easier to allay the fears of the petitioners?
PS ICT: It depends
Counsel: On what?
PS ICT: I have no guarantee that if I give you regulations you will be satisfied
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Do you need a guarantee? So according to you, you feel sharing those regulations would be of no use to members of the public?
PS ICT: I don't think so
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel refers to data capture form and the PS confirms it was created by the Inter-ministerial Taskforce under Registration of Persons Act
Counsel: Does it allow you to collect biometrics other than fingerprints and a photo?
PS ICT: Form only talks about fingerprints & photo
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT confirms he doesn't know if the form is anchored on regulations
Counsel asks if the Inter-ministerial committee could sit and develop a different form - PS ICT confirms
PS ICT also confirms the committee could ask for other biometrics under law & it doesn't worry him
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks if govt has independent means of assessing system against best standards
PS ICT says could engage an external auditor
Counsel asks on what basis - PS ICT says if someone asked them to
Counsel asks on what basis they might ask - PS ICT doesn't know
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks if PS ICT knows the specific government agency or office with custody of the kits
PS ICT says it's the Ministry of Interior
Counsel asks which officers
PS ICT says officers in the Ministry of Interior
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks for the titles of the officers
PS ICT says "the kits are stored in a store at the Ministry of Interior"
#HudumaNamba #NIIMS
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel asks if data is misused, are there means by which the NIIMS administrator would be held to account
PS ICT: The law
Counsel: Architecture, regulations not public - how would members of the public know if info wrongly used?
PS ICT: Right now your ID data sits somewhere
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc PS ICT: How would you know?
Counsel: You explained you have these registers, but you want NIIMS so it's consolidated with biometric capabilities - nature of information collected in the past is not as sensitive as now, which is biometrics - you as a person
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: How would I know?
PS ICT: You wouldn't
Counsel: Any independent means of assessing administrator?
PS ICT: Independent audit
Counsel: On what basis
PS ICT: If someone asks
Counsel: No law?
PS ICT: Access to Info Act
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel: Any specific provision - any provision specific to NIIMS?
PS ICT: No
Counsel: Do you agree if we had an independent office with oversight of administrator, it would be better than 30 million Kenyans requesting for audits now and then?
PS ICT: I agree
#HudumaNamba
@waikwawanyoike @HakiKNCHR @Awelejack @thekhrc Counsel confirms the PS ICT said the data belongs to the person who provided the data, but the data impact assessment is internal and not made public - he asks: do you find it absurd?
PS ICT: I don't
#HudumaNamba
Counsel refers to GPS data
PS says GPS is like an address
Counsel asks: what assurance public has that govt not using tech that can locate them?
PS: By providing them the information
#HudumaNamba
Counsel asks if the govt says it doesn't need all the other biometric info, would it be fair to have all other biometrics expunged from the law?
PS ICT wouldn't recommend that
Counsel asks if govt would like it to be there for their purposes in the future
#HudumaNamba
PS ICT says tech changes and may need other biometrics in the future, better to leave it in law rather than go through Parliamentary process again to amend the law
#HudumaNamba
Cross-examination of PS ICT has concluded
Re-examination will begin at 3:15pm after a break
#HudumaNamba
Court had resumed
The judges are starting with a mention for petition 163 of 2019 - led by @OkiyaOmtatah on the Statute Law Misc. Amendments Act of 2018
The hearing in that case is scheduled for October 15th
Proceedings are now back to the #HudumaNamba case - starting with re-examination of PS ICT Ochieng
Dr. Nyaudi ready to cross examine
PS: Jerome Ochieng
Dr. Nyaudi how does niims work?
PS : the idea of having single source of truth comes from 1989 to make sure all the information is brought together
We are suppose to come up with a system that has a single source of truth
Which is reffered to as #HudumaNumber
We have five steps:
System analysis
Planning and designing of the system
Coding the system and development
Systems resisting where you expose the Systme to all sorts of threats
Deployment and employment of the system.
Maintenance of the system
@MarthaKarua interjects that the witness is beginning to describe the architecture while on the re-examining he was unable to explain
PS: our system has encryption as a basis of security
The idea behind encryption is about security of the system
Mr waikwa asked whether you developed a prototype before the #NIIMS did you undertake the tests ?
There are records that some of the tests were taken
Including 15 counties which include 40 sub counties
During the test a lot of vulnerability were undiscovered and they were taken back through programming and cording
Is the #NIIMS system centralized?
PS: The data base is centralized but the users are decentralized.
Example is the users eg kra can Only access data regarding KRA while NHIF can only access information about NHIF
KRA cannot look at other agencies data
You said the procurers was restricted why?
PS: for security reasons we were not allowed to share with the public
OTmorpho was awarded the tender of supplying of the equipments only while the systems were designed by Kenyans within the country.
Jerome is asked about Data protection policy 2019. Did the data protection policy proceed the development of #NIIMS ?
Based on cabinet memo all the stakeholders were involved
We have to go through internal processes before the memo is passed. The preparation started way earlier
Counsel: what is one of the functions of #HudumaNamba
PS: To ensure the reservation and protection of data and security
Affidavit of eng. Kibicho in one sentence he says the benefits of #niims project. Do you confirm the benefits ? PS: yes I do
How would the institutions on para 44 benefit from the system PS it would be based on access rights on the data that they are responsible for
Would these functions being used by the institutions cause any data risk ? PS: No
Which countries have you used for bench marking ?
Estonia would be the best though there are some countries we did bench mark back in 2015
The use of the word #HudumaNamba was it meant to make Kenyans to register ? That Wright #HudumaNamba you won’t get services ?
PS: No that was not the intention
Can one register without an ID card ?
PS: yes one can be able to register for #HudumaNamba and will be marked as XX
Would this be exclusion by design ?
PS : no
Counsel: Mr. waikwa made a statement that the petitioners are not opposed to the system.
With your knowledge of #niims can you tell us that the #niims system guarantees the privacy and protection of all citizens?
PS: Yes I can assure all Kenyans that data and privacy is secure
But all systems are always in cognizant of attack. But our ministry is always there to safeguard these threats
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.