Why Kindiki wants IEBC servers located in Kenya

Loading Article...

For the best experience, please enable JavaScript in your browser settings.

This is to ensure the ease of access to critical data, and the monitoring and control of data in the national critical information infrastructure.

IEBC which conducts operations such as voter registration and voting is therefore key among the institutions targeted by the regulations. Others are World Coin; an iris biometric cryptocurrency project whose operations in the country were frozen over data privacy concerns.

"An owner of a critical information infrastructure shall ensure the infrastructure on which critical information is domiciled is located in Kenya," read the regulations.

In 2021, Parliament also approved the Data Protection (General) Regulations, 2021 proposed by then ICT Cabinet Secretary Joe Mucheru.

The regulations, which took effect in 2022, sought to have election servers hosted in Kenya, in a bid to give the government more control over the management of all election data.

The proposed regulations were also to help in the implementation of the Data Protection Act, which secures data from unauthorized access. The regulations specified the conduct of elections among data processing that should be done in the country.

"A data controller or data processor who processes personal data to actualize a public good shall be required to ensure that such processing is effected through a server and data centre located in Kenya," the regulations stated.

It was these regulations that jolted IEBC to deploy multiple servers for the transmission of results to the tallying centres in the 2022 elections. The main server was however still domiciled abroad.

Under the Computer Misuse and Cybercrimes Act 2018, critical infrastructure is defined as the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Kenyans and the effective functioning of government.

The regulations currently before Parliament also list defence, education, civil administration, civil protection, public order and safety, environment, space, industry, transportation, financial services, health, food, water, ICT and energy as critical infrastructure sectors.

Institutions that however seek to have their critical information and infrastructure stored outside Kenya will be required to get approval from the National Security Council (NSC) and "shall apply to the National Computer and Cybercrime Coordination Committee headed by a Director General."

The committee will then, within 30 days, review the application to verify whether it meets the security standards provided for in the Act before proceeding to render its decision.

During its consideration of an application by the operator to have critical information located outside Kenya, the committee will also take into account whether the security measures and safeguards being applied to the information and infrastructure on which the information is contained meet the standards set out in the Act and the Regulations and "whether the information must be stored outside the geographical jurisdiction of the Republic."

Matters of national security, public interest and the nature of data stored on the infrastructure will also be taken into account.

The introduction of the regulations by the Ministry of Interior is seen as a move aimed at ensuring unquestionable credibility in the management of electoral data, the country's voter register and the transmission of election results by IEBC - which has always been a political hot potato.

Shortly after the 2022 elections, opposition leader Raila Odinga claimed Smartmatic International Holding B.V- the supplier of voting technology to IEBC - had declined to give his Azimio la Umoja coalition access to the national tallying centre (NTC) servers.

Smartmatic International Holdings B.V had entered into a legal contract with IEBC for the supply, delivery, installation, testing, commissioning, support and maintenance of the Kenya Integrated Election Management System (KIEMS).

Raila who had lodged a petition at the Supreme Court had sought a nullification of the presidential election results declared by IEBC chairman Wafula Chebukati, on the basis that they were manipulated in favour of President-Elect William Ruto.

Lawyer Phillip Murgor, representing Raila, complained that IEBC had refused to comply with the court orders by denying their agents access to all eight servers. The apex court however put the matter to rest after noting that it was satisfied with a progress report issued by IEBC to judges on compliance of their orders.

The controversial issue of access to the servers also featured prominently in 2017 during the hearing of a similar presidential election petition at the Supreme Court. Raila, through his lawyers, submitted that the IEBC refused to open its servers despite court orders.

Lawyer Paul Muite, for IEBC, revealed that IEBC's servers in the 2017 polls were hosted in France. His submissions confirmed that OT Morpho, a French company that supplied the IEBC with the KIEMS used in the 2013 and 2017 elections, was hosting IEBC's servers in France.

Raila, in his petition, argued the IT firm had aided the rigging of elections by allowing two of its employees unauthorized access to IEBC servers.

IEBC's failure to open the servers would consequently lead to the annulment of the August 8, 2017, presidential election by the apex court which also ordered a repeat election. Raila would, however, boycott the repeat elections after he claimed IEBC had failed to address issues he had presented to the electoral agency before the polls.