The relevance of data in today’s world cannot be understated.
Let us imagine that personal data attributes of ourselves are Christmas goodies (maybe an analogy too low), three of these attributes belonging to about 17 million Ghanaian data subjects were published by the Electoral Commission of Ghana, that is about 51 million records available in no less way than on a portable data format (pdf) files with geo-location aggregated folders sitting on a Google drive with opened publicly downloadable access provided you have the link.
That was quite alarming, indeed it was!
This was the event that characterized the weekend of 19th to 22nd November 2020 when the data controller in the name of the Electoral Commission of Ghana (EC) decided that under the Public Elections (Registration of Voters) Regulations, 2016 CI 91, a Constitutional Instrument that required them to published voters’ register by providing in the said law that where after the register has been certified it shall be published in the manner determined by the Commission and shall replace any existing voters register.
It further went on to state that the Commission shall make available a certified copy of the register to the registered political parties and any other person that the Commission considers necessary not later than twenty-one days after the register has been certified. This the EC did under the description 2020 final voters register name list in a Google Drive with opened publicly downloadable access.
The public outcry that greeted this very act of the exercise of the EC’s discretion to publish the name list of Ghanaian voters in such a manner was overwhelming and rightly so, from WhatsApp groups to Facebook, Twitter and LinkedIn thread post and later to radio and TV shows with different panelist, the narrative was that the EC had breached the privacy laws of the country.
Others said it (EC) had no such right to engage in the publication in such a manner as it has exhibited.
There was also a school of thought which suggested that the EC was lawful in its authorized mandate (without consequences) and also, the writer whose position was that the EC’s act was technically flawed and leads to direct and indirect risk of the data subject.
Albeit, this was exercised under a law mandating the publication and finding solace under the exemptions provided by the Data Protection Act 2012 (Act 843).
The EC in a quick response pulled the data down and later remove the access link as well.
According to Joy 99.7FM a reputable radio station in Ghana, on their Super Morning Show on 23rd and 24th November respectively stated that the EC has indicated it had pulled down the records because it intends to do some modification before uploading it again.
Indeed the writer confirms that the data has been removed from the Google Drive. Where does this lead us? Lawful or unlawful? Are there any inherent risk to the 17million data subjects involved?
The writer is motivated to produce this piece on hindsight, having paid particular attention to the said exemption provision and this changes my position on the legality of the publication by the EC.
The law under which the publication was purportedly made, seeks to foster transparency in the electoral process of Ghana, a matter of grave public interest and concern.
The law itself was not oblivious of the impact the electoral process may have on the political and economic stability of the country, hence, it made provision for the EC to certify the voter’s register after determination of the claims and objections (regulation 27(1) of C.I 91) and then gave a detailed procedure for the verification process under sub-regulation (2) and proceeded to sub-regulations (3) and (4) granting express powers to the EC in the following manner;
“(3) After the register has been certified it shall be published in the manner determined by the Commission and shall replace any existing voters register.
(4) The Commission shall make available a certified copy of the register to the registered political parties and any other person that the Commission considers necessary not later than twenty-one days after the register has been certified.”
It is imperative to acknowledge that the EC under the said sub-regulation (3) could publish the certified register in a “manner determined by the Commission.”
This obviously is an exercise left to the discretion of the EC for reasons which may include but obviously without limitation to the exercise of the discretion in accordance to the 1992 Constitution of Ghana, the existence of any requirements under other laws that the said act may be subject to, administrative capabilities, technical proficiency and appropriateness of the publication as required.
In addition to the manner so determined it has also been argued that the EC can leverage on the exemption clauses under Act 843, specifically section 63(2) which provided that;
(2) The processing of personal data is exempt from the subject information provisions of this Act if it is for the discharge of a function conferred by or under an enactment on
(b) a local government authority,
(c) the administration of public health or public financing of health care, prevention, control of disease and the monitoring and eradication of disease.
A careful reading of the provision above clarifies that the exemption is limited to what the law called “subject information provisions” and this is defined under section 96 Act 843 as follows;
“subject information provisions” means the provisions under this Act which deal with the right of a data subject to access information from a data controller.
According to Ian J. Lloyd in his book, Information Technology Law, the Professor discussed that; a broad range of statutory agencies engaged in regulatory task are provided with exemptions from the subject information provision to the extent that compliance with these would prejudice the attainment of their purpose.
He went on to say at page 126 that, in addition to the named agencies under the Data Protection Act 1998 of the United Kingdom, exemptions is also offered to those performing relevant functions which are designed to protect against specific risk.
The term “relevant functions” is defined to encompass functions conferred by statute, performed by the Crown, ministers, government departments or ‘any other function’ which is of public nature and is exercised in the public interest.
In perusing Data Protection Act 2012 of Ghana which has similar provisions as the Data Protection Act 1998 of the United Kingdom, most of the exemption provisions exempt the data controller from complying with one or two sets of provisions set out in the Act (sections 60 – 74).
The two sets of provisions are the ‘subject information provisions’ and the ‘non-disclosure provisions’.
The subject information provisions basically includes the fair processing requirement of the first principle in the case of Ghana, Accountability and the right of subject access which is exercised through data subject participation.
If the exemption exempts the data controller from the subject information provisions, then the data controller does not have to provide fair processing information or respond to subject access requests.
Other than the exemptions in Act 843, there are no other exemptions which can apply to the subject information provisions, i.e. no other law can supersede these rights and again it is imperative to highlight the importance for any data controller leveraging on the this exemptions to still ensure that all other principles of the Data Protection Act are complied with, including data security safeguards.
It is, therefore, without any doubt that the exemption granted the EC by virtue of its regulatory position is limited to the principles of accountability and data subject participation which invariably means all the other six (6) principles are clearly still in force in all data processing activities which (includes publication) of the EC and, therefore, the exercise of its discretion under C.I 91 cannot be at variance with the Data Protection Act that seeks to protect the 17million data subjects in this specific case, save for the specific exemption provided.
It’s time to pull the plug and the legal discussions and give the much relevant technical considerations to the manner in which the information was published, a manner the writer views as technically flawed and which leads to both direct and indirect risk to the estimated 17 million data subjects concerned.
The publication for the records was about 22gb in size and could take roughly about 00:31:29 on 100 Mbit/s over a Local Area Network and 07:17:27 over a 7,2 Mbit/s Turbo 3G.
The dataset consisted of full names, polling station code, age and Voter ID number which is a unique identifier on the card, the data was aggregated under polling stations and further collated under folders names with the Constituencies of the data subjects.
It is a rich database for the geo-location referencing. Such information is relevant for anchoring (reference point) to stage various attacks which may include Identity theft, social engineering and data selling.
The data published will allow for age demography analysis which can be used to analyzed age groups with varied interest like access to technology (i.e. phone with internet connection at the least), frequent use of social media and heavy digital foot prints that can facilitate profiling based on pictures taken with geo-tagging, birthdays shared online, alumni, mutual friends, hangouts, post and comments among others and all these profiling and web scrapped data can be used to enrich the published data for attacks mentioned in the previous paragraph.
The age-demographic profiling can also help to determine vulnerable persons within the old-age brackets, pensioners and potential pensioners.
For the purposes of ID theft, the data is the direct content of the Voter’s ID card which makes duplication highly feasible and being both a foundational and functional ID in many ways as the case may require, it leaves attacks in the form of ID impersonation to the mercy of the verification mechanisms employed at the service point; in this case where a photo verification is required an attack may be thwarted but where the verification is basic as to just confirm that the ID is from the issuer then the card details exposed will suffice, this risk is multiplied to 17million data subjects.
Another attack indicated earlier could be social engineering which is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
It may happen through various mediums; phishing (emails), smishing (SMS), vishing (voice mails or messages) and baiting. Attackers can leverage on the current data published as an anchor and begin profiling targets out of it, with careful scrutiny additional data points can be built to include phone numbers, email addresses, social media accounts for messaging and delivering attack baits or malware; the writer admits this form of attack will be an indirect consequence of the publication.
Finally the potential of data selling is also high, let’s face it; we have an estimated 17 million data subjects with relevant data attributes that matches to their Voter ID, delivered on a silver platter by no less an institution than the ID issuer and data controller; it is too relevant to ignore if you are into the dark-side of data selling, scrapping the data into an interactive database with Application Programming Interfaces (APIs) to grant access for a fee less what the controller may have charged will definitely be brisk business for the interested persons. This is the risk reality of the EC’s actions.
The verdict of the writer from the discussions so far is that the Electoral Commission did not only flout the law by going beyond the express provisions of the exemption rules under the Data Protection Act for which their enabling C.I 91 was to operate within by virtue of the personal data involved, it has also as demonstrated earlier in this article exposed the data subjects to immediate and potential future risk when it disregarded the appropriate security safeguards it could have employed in its publication.
In the future the Electoral Commission may want to consider a searchable database with an intuitive easy to access front-end for data subjects to access their information, employing the minimality and data security safeguard principles among others including the sharing of their data protection policy that governs the said publication.
The Data Protection Commission of Ghana, must seize this opportunity to start work on providing the much needed directives and guidelines required for data subjects, practitioners and industry to exercise their rights and obligations in accordance with best practice; it is a call at the right time as the ecosystem is gradually maturing from fin-tech, software development, human resource management right up to regulatory bodies exercising their mandates under law.
For data subjects that may be wondering what the safeguards should be from here, it will call for vigilance especially where voter ID verification is involved by anonymous 3rd parties, it also important to apply the privacy and security settings on especially social media and other online platforms to limit that ability of an attacker to do deep-trace profiling of data subjects.
Hopefully we may not have such an avalanche of data rain again. Well I can’t bet on that.
Desmond is the Founder & Lead Consultant at Information Security Architects Ltd (Rapid7 Gold Partners) in Ghana with over a decade and a half of industry expertise in cyber & information security and data protection. He has led major enterprise projects for cybersecurity maturity assessments, privacy program development, and impact assessments for Tier-1 banks and enterprise-level organizations in Ghana, Liberia & Nigeria.