Ignore the arguments about the IEBC portal, IEBC has servers that can be hacked
One of the claims raised in Raila Odinga’s petition is that form 34As were manipulated. This claim is found in the affidavit by John Githongo who goes ahead to describe the process of the claimed manipulation. In the affidavit, John Githongo testifies that a young man explained to him that the presiding officers did not transmit form 34As directly to the IEBC portal, but to Kenya Kwanza’s tallying centre. At the Kenya Kwanza tallying centre, the affidavit claims, there were 56 individuals who were downloading the forms, changing some of them, and then sending those forms to the IEBC portal for everyone else to download and tally.
Loopholes in John Githongo’s affidavit have been pointed out by a number of people including myself, but there are those who state that John Githong’s affidavit cannot be trusted because it talks about at least one IEBC server that was hacked. The argument states that in this year’s presidential election the IEBC did not have servers but a public portal from where anyone could view the transmitted results, download the results in the form of form 34As, and then tally the results for himself. An example of such an argument is shown by the tweet below.
There are two problems with the IEBC portal argument: 1. It assumes that the portal isn’t hosted on any server (which could be true) and 2. It assumes that in 2017 IEBC did not have a portal from where the public could access transmitted forms.
The IEBC portal is not hosted on any server
One thing that the proponents of the portal argument fail to realise is that there are digital documents (form 34As, form 34Bs, and form 34C) that one can access by following the URL https://forms.iebc.or.ke; and that those forms exist somewhere. When they say that there is no server to be opened, I don’t know what they imagine the public gets the forms from. The forms cannot exist in “nowhere”. They must exist in some computerized storage device – whether or not that storage device is purely managed by IEBC or is managed by a third-party data centre. Whatever the case, the storage data centre (whether it is an IEBC’s in-house data centre or rented from people like Google, Microsoft, Amazon or any of the few local cloud providers), is rightly referred to as a server or servers.
The only time the IEBC portal may not be referred to as a server is if IEBC used decentralised blockchain technology for enabling peer-peer file hosting – similar to what torrent websites use for hosting their movies, series, programmes, books, and other digital documents. The torrent websites do not necessarily use blockchain technology, but cryptocurrencies do. Blockchain technology helps in authenticating a “transaction” which would help in sealing hacking loopholes. So when both peer-peer file hosting is done together with blockchain technology, then one would argue that the IEBC portal does not reside on any server. There was an expectation that IEBC would use blockchain technology for results transmission in 2022; but whether or not IEBC used that technology, or whether that technology utilized peer-peer file hosting, is something we are yet to know. What we know is that IEBC had plans to acquire multiple servers and that those servers would reside locally.
In 2017 we had an IEBC portal and a server
The reason the IEBC server is at the centre stage in this year’s presidential petition is that in 2017 the Supreme Court ordered the IEBC to open the server but it declined. If they opened the server, NASA brigade and Kenyans could have known if and how the server was accessed, and if at least one of those who had access was not authorised to access the server. We could also have known whether there were any algorithms injected into the server so as to manipulate the text data that was being received by the server and then later displayed to the public as presidential results statistics.
In 2017 the IEBC transmitted two versions of results from the polling stations – the first version was the digital copies of form 34As, and the second version was the text data indicating the votes garnered by each presidential candidate, total valid votes, total rejected votes, and total votes cast (turnout). The text version of the results allowed the IEBC to auto-aggregate the results and display them on the screen. NASA led by Raila Odinga said that the auto-aggregation of the results wasn’t reflecting the actual votes but had been interfered with by the use of an algorithm. They were able to convince the Supreme Court Judges to nullify the election based on this argument among other arguments.
Given that the server argument in 2017 made the Supreme Court nullify the presidential election, IEBC made some changes to the transmission of results. The first change they made was to localise the IEBC servers, where this year they cannot have the excuse that those attending to the server are asleep due to different time zones. Secondly, they got rid of the text data so that the only data that was transmitted from the polling stations was the image of form 34As. Thirdly, IEBC gave front-end access to the server (also known as the IEBC portal) to the entire public so that anyone capable of aggregating the results could do so, and also gave backend access of the server to political parties and the media houses so that they could do bulk downloads for own tallying.
Was the server hacked in 2022?
The changes that IEBC made specifically the decision to get rid of text data but allow anyone to download the forms and tally for themselves is what made many think that IEBC did not have a server in 2022. But as I have already mentioned, the IEBC portal from where we can all access the forms resides on some server. The question now is, did anyone hack the server? If yes, why would anyone hack the server when the images in the forms cannot be changed?
To the question of whether the images in the forms can be changed, I already demonstrated and explained how someone can download a form 34A, and then use photoshop to change the figures in the forms (see the article Doctored form 34As? The four ways the 2022 Presidential Election could have been rigged). In that article, I also mentioned that if someone targeted to change about 3000 forms (enough forms to give him around 300 thousand votes advantage), he only needed to employ 10 people who are competent with photoshop to work on the phones in a span of four days. Thus, downloading and changing the forms isn’t the problem, the problem is whether it was possible to upload the changed forms into the portal after deleting the originally transmitted forms. Technically that’s possible, but whether that was done is something we will have to wait for the Supreme Court proceedings to tell us.
