The court is now in session - follow us for live tweets as @yussufugas continues his cross examination of the government expert witness #NIIMS #HudumaNamba
@yussufugas Respondent confirms that the remaining three #GOK witnesses will be available on 2nd and 3rd. Mr Kibicho hopes to testify on the 2nd.
@yussufugas The court states that they expect to finish with the two #GOK expert witnesses today, even if the court will have to sit late
@yussufugas @yussufugas continues his cross examination of Government witness Mr Omwenga

He establishes that Mr Omwenga has registered for a #HudumaNamba with his national ID card
@yussufugas Mr Omwenga affirms that a system that would not allow some Kenyans to enroll for #HudumaNamba because they lack a national ID would be unfair
@yussufugas Yussuf asks about the witness's familiarity with cost/benefit analyses - Mr Omwenga confirms that costs must be weighed on one hand and benefits weighed on the other hand to come to an informed decision on the value of a system
@yussufugas "You would agree that you have not adduced any evidence in your affidavit or otherwise, showing the numbers comparing the cost and benefits of the #NIIMS system" - Mr Omwenga confirms that he has not
@yussufugas Mr Omwenga agrees that the Kenyan tax payer is a major stakeholder in the #NIIMS system and should have information about the cost and benefits of the system
@yussufugas Regarding the #NIIMS system architecture, Mr Omwenga has stated that information is an asset and that "a well-informed citizenry is necessary to a #democracy"
@yussufugas "Would you agree that a system that seeks more and more data on you, should clarify to you as a citizen something about its design and architecture? Would this be useful to enhance trust?" - Mr Omwenga says that this would depend on the context #NIIMS #HudumaNamba
@yussufugas "As a government expert, have you tendered any evidence about the design and architecture of #NIIMS?" - "No"
@yussufugas Mr Omwenga affirms that DNA could be used as one of the metrics used to increase certainty for #NIIMS authentication. Yussuf highlights the concerns around that kind of data collection
@yussufugas Yussuf has concluded his cross examination of the witness. Mr Awele, representing 2nd petitioner @thekhrc begins his cross-examination of Mr Omwenga
@yussufugas @thekhrc Mr Awele will ask questions regarding #dataprotection
@yussufugas @thekhrc Mr Omwenga is questioned regarding his background in data protection and security of personal information and affirms that he understands why protecting this kind of data is important
@yussufugas @thekhrc As a consultant for the Ministry of Health, Mr Omwenga has worked on system architecture relating to the privacy of health records
@yussufugas @thekhrc Summarizing his understanding of the issues in the petitions before the Court, Mr Omwenga states "there were quite a number in relation to the possible accuracy of the system; centralization; security; open-source & closed system. Basically a number of things I have tried to respond to"
@yussufugas @thekhrc Mr Omwenga says that, "because data can be misused", he agrees with the petitioners' concerns that a unique #HudumaNamba will increase risks of compromise unless certain concerns raised in the petition are addressed
@yussufugas @thekhrc "I would say #NIIMS is a composite of identification data that had already been collected before" - Mr Awele highlights that the witness's affidavit states that existing systems are partial and disjointed and that therefore new info is collected for #HudumaNamba
@yussufugas @thekhrc The witness states now that no fresh data is collected for #NIIMS and that they are collecting data that already exists out there
@yussufugas @thekhrc "Do we have an existing database or register of biometrics?" - "I think we have many" - "fingerprints and face"

Mr Awele establishes that the definition of biometrics as applied here includes information that has not been previously gathered by #GOK for any system
@yussufugas @thekhrc "Would you agree that the framework of #NIIMS is collecting, processing and storing of collected data" and that it is then used for certain purposes - Mr Omwenga agrees
@yussufugas @thekhrc "Is #NIIMS as conceptualized in existing law appropriate or sufficient to perform the functions for which it has been created?" - Mr Omwenga states that he does not have the relevant knowledge of the legal framework as a non-lawyer
@yussufugas @thekhrc Regarding the #NIIMS system architecture, the witness states "if that advice that I gave [was applied], I would have confidence but as to how it was implemented, I can not answer"
@yussufugas @thekhrc Asked about the Government Enterprise Architecture report, Mr Omwenga states that it is a management tool that helps the institution in question to chart its path towards digitization - he confirms that in creating such he gave recommendations on best practices and standards
@yussufugas @thekhrc "The architecture that you propose recommends that all the technical ICT services for the execution of government business processes are defined through legislation, policy and a strategy" - "Yes"
@yussufugas @thekhrc Mr Omwenga says that a legal framework is important for a system such as #NIIMS because in ICT systems "context is key"
@yussufugas @thekhrc The #GOK witness confirms that it is "important to align [#NIIMS] with existing law and policy"
@yussufugas @thekhrc Mr Omwenga confirms that he recommended the creation of a unique identifier and that this is why his advice on #NIIMS was sought
@yussufugas @thekhrc "It is your recommendation that systems must be secure, correct?" - "In this particular case, the government has to secure its systems"
@yussufugas @thekhrc The witness confirms that security controls should be "compliant with pre-defined security policies" and that "levels of security should be relative to the risk and harm that would result from loss or modification"
@yussufugas @thekhrc "Why should the systems be pre-defined in security policies?" - "I would say that it is a question of access to data and who has a right to have access to that data and for what reason"
@yussufugas @thekhrc "Do you agree that [the information collected in #NIIMS] is sensitive personal information" - "not entirely" - "do you agree that some of it is?" - "Yes"
@yussufugas @thekhrc "Do you agree that it would be advisable to have different levels of security depending on the nature of the data you hold?" - "Yes"
@yussufugas @thekhrc "And do you agree that to ensure the data controller is adhering to the standards it would be important to know what steps are taken to provide those levels of security" - "Not really; your implementation plans can be kept secure"
@yussufugas @thekhrc Asked whether pre-defining the security policies on #NIIMS would resolve the petitioners' concerns, the witness states that it probably would and that he has not seen any such policies
@yussufugas @thekhrc The witness had stated that concerns about data security were not brought up before because there was confidence about how the data was stored but on further questioning agrees that this assumption is unfounded #NIIMS #HudumaNamba
@yussufugas @thekhrc Regarding the possibility of loss of personal data in #NIIMS, @thekhrc counsel asks the witness whether he thinks that the only risk is commercial exploitation - Mr Omwenga affirms that there are also other risks
@yussufugas @thekhrc Mr Awele asks the witness to read provisions from the #GDPR regarding the protection of sensitive data, especially as it relates to children's data and certain biographical information
@yussufugas @thekhrc Mr Omwenga agrees that the #GDPR is the rationale for his recommendations regarding data protection and privacy on #NIIMS
@yussufugas @thekhrc "Do you know of the security measures that the administrator of #NIIMS has put in place to ensure the personal data provided is secure and cannot be used for unauthorized purposes?" - "I cannot answer that question. I give advice. It's the client's decision whether to take it"
@yussufugas @thekhrc Asked whether #NIIMS database is encrypted, Mr Omwenga states that he would assume that as common practice it is.

He agrees that there are different types of encryption that mean different levels of security.
@yussufugas @thekhrc "Do you know the current recommended encryption standards in the industry for the kind of info collected in #NIIMS?" - "That's a question of context"
@yussufugas @thekhrc Asked what encryption he would recommend for information collected such as DNA, the witness states that the correct answer is not a blanket answer as an oversecured system would affect performance
@yussufugas @thekhrc Asked whether #GOK should disregard the cost and aim for the most secure encryption system to secure the personal information in #NIIMS, Mr Omwenga says not necessarily
@yussufugas @thekhrc Having asked the witness to re-visit some of his submissions, Mr Awele asks whether a "reasonable encryption standard" would be in everyone's best interest. Mr Omwenga agrees
@yussufugas @thekhrc "Do you know the encryption standard the #GOK has employed for data collected under #NIIMS?" - "No"
@yussufugas @thekhrc "You have recommended that collected data should be confidential and that privacy cannot be guaranteed by technical standards only, correct?" - "Yes, in general when you're looking at security, you are better off looking from a 360 perspective"
@yussufugas @thekhrc "Are you aware of any regulation or policy that sets out the standards in relation to confidentiality in #NIIMS?" - "I have heard about secrecy acts....and it's general practice"

Mr Awele emphasizes that a legal provision alone does not prevent unauthorized disclosure
@yussufugas @thekhrc Mr Omwenga agrees that since "the fact of a law doesn't necessarily stop crime", certain technical standards need to be put in place #NIIMS #HudumaNamba
@yussufugas @thekhrc Mr Awele is questioning the government witness on procurement and vendor neutrality
@yussufugas @thekhrc Mr Omwenga explains that #GOK "has disparate and disjointed data on your identity" and that the "government which should have been operating as a unit" is therefore trying to create an interoperable system with #NIIMS
@yussufugas @thekhrc "Do you agree that the Ministry of Interior is accountable to the people of Kenya?" - Mr Omwenga agrees that it is
@yussufugas @thekhrc Mr Omwenga is asked about transparency frameworks and states that he is not an expert on this. Mr Awele says this can be dealt with in submissions
@yussufugas @thekhrc "To whom do you believe the standards for measurement and audit of the security of ICT should be acceptable; the controller or the owner of the data?" - "I think to both: to all the stakeholders involved"
@yussufugas @thekhrc Mr Omwenga agrees that there is a level of opaqueness as to what these standards really are in #NIIMS
@yussufugas @thekhrc "You should be able to track the activities of the people inside the system. So it is fairly important for you to figure out where the breach has started if there has been a breach"
@yussufugas @thekhrc "Are you aware of any publicly available information on the audit standards for the #NIIMS?" - "I would say no" - "but you recommended this" - "Yes"
@yussufugas @thekhrc Mr Omwenga states that laying out the entire security blueprint is not good practice for a system that you want to be secure
@yussufugas @thekhrc "Are you saying that if you create standards against which a system such as #NIIMS should at all times be measured, that would compromise the system?" - "If you are not disclosing details that would be acceptable"
@yussufugas @thekhrc Mr Awele points Mr Omwenga to his statement in which he claimed the government should have "unfettered discretion" to frame their population register
@yussufugas @thekhrc Mr Awele establishes that the #NIIMS data capture form is the source of the information in the population register
@yussufugas @thekhrc Mr Awele establishes that there is no biometric data sought in the #NIIMS data capture form other than fingerprints
@yussufugas @thekhrc "Would you agree therefore, based on your affidavit, [in which you say that it is impossible to prove identity without sufficient biometric information] that fingerprints are sufficient for the purposes of #NIIMS?" - "well I did not design this"
@yussufugas @thekhrc Mr Awele follows up and Mr Omwenga affirms that based on the data capture form for now the government is only collecting fingerprints but that for a more deterministic system, you would need more data to achieve a "single source of truth" with #NIIMS
@yussufugas @thekhrc Mr Omwenga confirms that #GOK can in future collect further information and data including DNA for #NIIMS should they think it necessary
@yussufugas @thekhrc "Do you know whether you have a right to request the government to erase your information once obtained [for #NIIMS] and to be forgotten?" - "I am not aware"
@yussufugas @thekhrc Mr Awele is now questioning the government expert on the centralized but federated nature of #NIIMS which he calls "neither entirely centralized or decentralized"
@yussufugas @thekhrc "Assuming #NIIMS is centralized, would you agree that it is not entirely safe from breaches" - "yes, no system is perfect"
@yussufugas @thekhrc Mr Omwenga says that there are systems that can keep the centralized and functional databases apart. He states "I have recommended it and I don't know if the client follows that" confirming that he does not know what #NIIMS design actually looks like
@yussufugas @thekhrc "You would agree that based on your technical expertise it is easier for you to understand what #NIIMS is" - "Yes" - "So you would agree that not everyone here enjoys the same privileges as you" - "Yes"
@yussufugas @thekhrc "Do you know who developed #NIIMS?" - "No"
@yussufugas @thekhrc Mr Awele establishes that #NIIMS was developed with input from various #GOK agencies, including the Ministry of Interior - Mr Omwenga affirms that this is good practice and that Mr Kibicho, the principal secretary of the Ministry of the Interior, is the administrator
@yussufugas @thekhrc "In your opinion, would you agree that it would be necessary for purposes of transparency and accountability to ensure that #NIIMS performs the functions for which it was created?" Mr Awele asks and adds that it would be best practice to have an independent oversight body
@yussufugas @thekhrc "Is [an independent oversight body] good practice?" - "Yes I would say checks and balances are good"
@yussufugas @thekhrc "If today the personal info you have provided for a #HudumaNamba was to be processed by an unauthorized person and shared with a foreign state or commercial entity, do you know if #NIIMS would notify you of a breach?" - "I wouldn't know whether it does that"
@yussufugas @thekhrc "How would the layman know of an unauthorized access or use of data in #NIIMS?" - Mr Omwenga evades the question and speaks to lawful government use and data access
@yussufugas @thekhrc "Would you want to be notified [of unauthorized use by a third party]" - "I would want to" - "Do you know if #NIIMS has capabilities of letting you know?" - "I don't know"
@yussufugas @thekhrc Mr Awele asks whether the Ministry of Interior, as the administrator of the #NIIMS, is likely to inform a user of their granting unlawful access to a third party

The respondent objects to counsel asking the witness to speculate

Mr A says he is asking for the expert opinion
@yussufugas @thekhrc The respondent states that the expertise of the witness does not extend to the reading of minds. Mr Awele says he will drop the question
@yussufugas @thekhrc Mr Awele has concluded his questioning of Mr Omwenga. The respondent will take about an hour for re-examination.

The Court is adjourning for an hour and will sit again at 2:30