InfoSec Advisory with Del Aden
From both sides of the aisle, we’ve heard a consistent drumbeat about the importance of citizen participation in the upcoming Presidential elections. Maximum voter participation is vital to our democracy, yet citizens may unwittingly be putting their own privacy at risk when they register to vote.
The issue at stake: A Google Drive link emerged on Friday, November 20, which displayed details of the over 17,029,981 registered voters in Ghana. The voters’ full names were grouped according to polling centres, constituencies and regions, with corresponding details of age and ID number, among others.
Clearly, sections of Ghanaians are not happy with the publication of their personal details on Google Drive by the Electoral Commission (EC) of Ghana. This is an election year, we are just two weeks from the election, and no statutory body or organization in Ghana is busier than the EC.
At the heart of all this stands the question of how personal data on individual voters is being processed, and whether or not this is done legally and ethically. Familiar data protection questions are now injected into this heated debate about democratic practices and the future of democracy.
There are divided opinions on whether it is right for the EC to publish the Voters Register December 2020 on its website and on Google Drive, where it is now available to the entire world. Another section of the citizenry has also raised privacy concerns with regard to the publication of individuals’ full names and location details (region, district, polling station).
This issue must be looked at from different angles to establish the way forward and the corrective measures, if any, that need to be taken to guide the EC in future operations.
Potential Consequences of Voters List Publication on Google Drive
This issue may be trivialized if we do not assess the full impact and the unintended consequences of the publication made available on the EC’s website and Google Drive.
First off, many people do not give out their age easily because of the social stigmatization that comes with age in our part of the world; however, our birthdays are commonly known because we celebrate them. Combining somebody’s age as provided on the Voters Register with their birthday will reveal the person’s date of birth. This is simple mathematics.
Many people have used their date of birth as a password for online systems, and knowing it can lead to impersonation and breach of the right of access. A lot of systems require a date of birth to reset passwords. People with criminal intent who may have access to people’s usernames or emails can easily use this information to reset passwords.
Secondly, the display of region, district and polling station will lead to the tracking of people to their homes. People register at polling stations within their vicinity, hence asking for a person’s name to locate their home will be very easy to do.
Cybercriminals can capitalize on this to inflict reputational harm on individuals. They have access to people’s full name, their date of birth (by putting together the person’s age and birthday), their location, gender, etc. This is valuable information in the world of cybersecurity and can become a huge resource to cybercriminals.
The personal data made available via this publication can have unimagined and unprecedented cybersecurity consequences. A lot of systems can be breached, and personal reputations damaged, because of this.
Is it wrong for the EC to publish the Voters Register?
Is it wrong for the EC to publish the Voters Register on their website and Google Drive with the following details: Region, District, Constituency, Polling Station Name and Polling Station Code, Full Name, Voter’s ID No, Age, etc?
Well, in my opinion, the EC has acted legally and within its constitutional mandate to publish the certified Voters Register on its website and by extension on Google Drive. There is no doubt that the EC is mandated to publish the Voters Register. CI 126 and CI 91 give powers to the EC to publish the details of Ghanaians on the certified Voters Register. The details to publish are also clearly stated.
But did the EC breach the privacy of Ghanaians?
The main issue of concern to Ghanaians is whether the publication of the Voters Register has breached the privacy of Ghanaians. Although the EC is mandated and has acted rightly, does the publication on its website and on Google Drive raise any privacy concerns that must be addressed in future?
Name, location and age are personal data and are protected by law. The protection of personal data is what warranted the enactment of Act 843 and the subsequent establishment of a Commission to ensure the privacy of Ghanaians is protected, i.e. the Ghana Data Protection Commission (DPC).
Consequently, the role of the DPC is to protect the privacy of the individual and personal data by regulating the processing of personal information. This means that the Data Protection Commission (DPC) has the constitutional power to regulate how the personal data of Ghanaians is collected, processed, and disclosed. Let us also be mindful of the fact that Act 843 exempts some statutory bodies from the application of the Act. Act 843 does not clearly exempt the EC from the application of the Act.
Act 843 Article 77(5) states: Where the Commission finds that the processing by a data controller is contrary to the provisions of this Act, the Commission shall issue an information notice to the data controller specifying the contravention and give the data controller notice to cease processing personal data.
This is where the determination by the Data Protection Commission is very crucial. Has the EC, in carrying out its constitutionally mandated duty, contravened any part of the privacy acts? Ghanaians need answers to this for clarity. If the DPC makes a determination that the publication of the Voters Register has some privacy and cybersecurity implications that could harm the individual or breach their privacy, then, in conjunction with the EC, the DPC may provide some guidelines so that the personal data published in the Voters Register preserves the privacy of all Ghanaians.
Voter lists prepared after the registration process are commonly made available to political parties and may be inspected by the public. This increases public confidence in election integrity and ensures that the process is transparent. However, making personal information public may raise issues concerning privacy rights. Different countries have adopted various solutions to this problem. For example:
· New Zealand has an “unpublished roll.” This is a special list of persons whose safety may be jeopardized by public disclosure of their address.
· In Canada, the Privacy Commissioner has the right to verify how information in the National Register is collected, stored, updated and used. Only registered political parties, members of Parliament and candidates have access to the names and addresses of voters.
· In the United Kingdom, the information about voters contained in the published list is very limited.
Finally, another way to deal with the privacy issue is not to release the voters list at all. This is the approach chosen in Denmark, where the electoral register is not published or accessible to the public or political parties.
In conclusion, voter registration is vital to Ghanaian democracy, and we need more, not fewer, citizens voting. Consequently, the mission of the Electoral Commission is to advance the course of democracy and good governance for enhanced development of Ghana by institutionalizing free, fair and transparent elections to the acceptance of all stakeholders.
It is therefore imperative that the Data Protection Commission (DPC) and the Electoral Commission (EC) of Ghana come together to discuss the implications of such details in the Voters Register publications. Both the EC and Data Protection Commission are mandated to work in the interest of Ghanaians.
About the Author
Del Aden is a UK-based Enterprise Solution Architect and InfoSec Evangelist. Currently, Del Aden focuses on helping customers prevent security breaches, implement Digital Transformation and advising on Business Continuity Strategies and Exercises. In addition, Del also provides security education to businesses and consumers by distilling complex security topics into actionable advice. Contact: WhatsApp: +44 7973 623 624 | Web: www.delta3.co