IMANI Alert: The “Fake Transparency” of the Electoral Commission

By Justice Dzido On Nov 23, 2020

Beware the Transparency Bin

In the last few weeks, the propaganda and PR machinery of the Electoral Commission have been in overdrive. The central theme being pushed is “transparency”. Having hired sleek PR agencies and sidelined the career public servants in its communications department, the new management of the Electoral Commission (EC) has been churning out non-stop messaging meant to convince us all that it is the most transparent organisation on Earth since Adam and Eve found fig-leaves to cover their nakedness.

The latest episode of this PR-driven “transparency binge” is the decision to dump the national voters register into the public domain without preamble or clear policy. In the new flash and bling of EC communications, this is supposed to be the crowning evidence of their trustworthiness.

Far from being reassuring, such conduct reveals the EC to be impulsive, focused on bling over substance, and given to distraction and diversionary tactics even as the real issues of accountability continue to be ignored by this highly non-transparent organisation.

Reckless Data Dump

Firstly, the EC has no business dumping citizen data into the public without safeguards. The fact that the law allows them to publish the voter register does not mean that they should exercise that discretion without due regard for best practice in citizen data management. If it is true that the copies of the voter register shared with the political parties have not traditionally come with explicit agreements barring the parties from abuse of that data and further publishing without approval and safeguards, then such measures are long overdue.

But if this was a law-abiding country, the EC would simply have ensured that the parties register as data processors with the Data Protection Commission and abide by the law in their use of the disclosures.

Be that as it may, to proceed to unleash a data dump in this environment of poor compliance is to worsen the situation considerably.

In any serious jurisdiction, the “open register” – the version of the voters roll accessible to everyone – includes opt-out arrangements and other safeguards to prevent abuse (see the UK’s model here: https://www.gov.uk/electoral-register/opt-out-of-the-open-register).

In the US, awareness of the problems of voter data abuse (see: https://uscert.cisa.gov/ncas/tips/ST16-001) has led to many states implementing safeguards that reduce the risks of micro-targeting and identity fraud, whilst assuring individual voters of their right to opt-out of open registers.

As usual, following a now established pattern, members of the ruling party for the most part enthusiastically support this safeguard-less and policy-less data dump, whilst opposition party members almost universally condemn it.

But we should be guided first and foremost by what is sound and sensible, not what partisan-motivated commentators choose to highlight.

No Need to Facilitate Automated Micro-targeting

The Electoral Commission’s decision to make it easy for people to build a database of voter ID cards linked to polling stations adds little value to the process of ensuring transparency. If someone has a need to know the voter ID number of another person, there should be a process to establish that need and a means to restrict the knowledge to that need only in the classic “need to know” fashion.

The Voter ID card linked to the age, name and polling station of an individual is much too similar to the KYC profile of most people held at the banks, telcos and utility companies in this country for it to receive anything other than standard data security protection.

There is no reason to make it easy for people to scoop the data and automate its use for microtargeting, a situation more likely to facilitate abusive political telemarketing than to empower citizens.

Poor Choice of Technology Standard As if this wanton display of carelessness is not enough, the EC then decided to use Google Drive to manage the online publication process to the shock of many IT governance experts.

It is widely known that personal identifiable data is not adequately protected in Google Drive
(see sample thinking: https://help.uis.cam.ac.uk/service/collaboration/g-suite/google-datasecurity). Much worse when that identifiable data is also supposed to be government managed data. To use a standard GSuite license without the necessary certifications not only to store, but also to distribute, and enable redistribution, of Government of Ghana data in a Google Drive folder is the height of irresponsibility.

It is trite knowledge that basic GSuite services are not part of Google’s better-defended and more compliant Government Cloud service (a related conversation is the susceptibility of this entry-level service to data corruption due to unsophisticated access configurations for administrators – see a different but nonetheless illuminating discussion:

https://info.summit7systems.com/blog/compliance-decisions-platforms-part-1-doesgoogle-g-suite-meet-dfars-nist-and-itar-security-requirements).

The EC seriously needs to watch it. This incessant need to PR its way out of its credibility issues is bound to have serious repercussions in this country.

2. The Real Transparency Issues

The more worrying thing is the diversionary and distractive nature of these types of poorly thought through efforts to hoodwink the public about the EC’s actual conduct.

Instead of reckless data dumping masquerading as “transparency in governance”, we would like to draw the EC’s attention to its many unaddressed procurement and spending problems, where much accountability, and dare we add, transparency, shall be much better appreciated.

Tens of Millions of Dollars Worth of Hardware

In the leadup to the registration exercise in late June, the EC refused to address multiple requests to account for the millions of dollars spent on literally brand new equipment, some bought and delivered as recently as 2018 and 2019.

When the EC was caught out blatantly lying about not having refreshed or replaced its equipment since 2011, it simply retreated into its shell and refused to engage with the very solid and irrebuttable facts about the monies it had spent in very large quantities to buy equipment that it was refusing to acknowledge that it had.

Now that it has succeeded in bulldozing its way through to spend roughly $150 million on new equipment and the logistics of a brand new registration exercise, can it tell the people of Ghana where the previously delivered equipment bought with over $60 million of Ghana’s money can be found? Are they going to be auctioned? When? On what terms? When is the EC going to subject itself to a proper asset audit?

Heavily Overpriced Biometric Software

The EC decided to buy its biometric validation software (including its “ABIS” platform) from a Lithuanian company called Neurotechnology.

The Neurotechnology MegaMatcher Accelerator version of the software that the EC acquired has been used in places like Venezuela for similar registration exercises. In Venezuela, the total number of registered persons is 18 million.

The rated capacity of the software however is as high as 1.2 billion individual fingerprints or faces/irises, which it can process at a rate of 100 million per second modally. In simple terms, the technology has more than enough
capacity for Ghana’s needs.

Based on extensive MegaMatcher Accelerator documentation we have studied, including interactions with former Neurotechnology integrators, we have reconstructed an ideal architecture for processing 20 million biometric units on a 6-node cluster, with parallels and spares.

The node setup was architected according to the MegaMatcher Accelerator recommended unit configuration:
• 2 x Intel Xeon processor E5-2680 v4 (14 cores, 35M cache, 2.4 GHz);
• 4 x NVIDIA TITAN X GPU units;
• 1024 GB RAM (16 x HPE 64GB 4Rx4 PC4-2400T-L) – for three biometric engines;
• 2x HPE 400GB SATA 6G Write Intensive (2.5”) SC SSD;
• 4 x HP ML350 Gen9 Graphic Card Support Kit;
• HPE iLO Advanced lic.
• 4x HPE 800W Flex Slot Platinum Hot Plug Power Supply Kit.

We selected the Extreme license editions for 10 fingerprints and matching face scenario and ramped up expected performance way above what would be needed in the Ghanaian case. We also threw in all the hardware components, though the EC billed Ghana separately for a datacenter. Finally, we benchmarked everything against the results from the vendor’s own dynamic project cost estimator here: https://www.neurotechnology.com/productadvisor.html

The result was a price for a multi-license contract that came to $400,000. Bear in mind that we had tripled requirements in some cases.

But let us not quibble about that. The key point here is this: how much did the EC bill this country for the Neurotechnology software? A whopping GHS 18,619,374.17. That is to say $3.2 million.

Under no circumstances should anyone pay $3.2 million for an ABIS solution designed for even a 100 million people within the use context of biometric de-duplication and verification for elections.

If the EC really wants to play the transparency game, we dare its officials to release all the information on the UAB – Neurotechnology contract and publish the license information and configurations that yielded $3.2 million. We insist that the ABIS solution should not have cost Ghana more than $400,000 in an honest procurement exercise.

The lies about cutting ties With STL

Throughout the debate about the propriety of buying new equipment and compiling a new register, the EC sought to dump all the blame on why it cannot use the existing equipment
on alleged sharp practices and poor conduct on the part of STL. The impression was created
that large amounts of money had been saved by terminating the STL contract in late 2018
(refresher: https://imaniafrica.org/wpcontent/uploads/2020/03/IMANI_Q__A_EC_Propaganda_Vaccination_March_13_2020-
FINAL.pdf).

As late as May 2020, STL was still billing the EC for services and deliveries. On the 19th of that month, ahead of the fraught registration exercise, an amount of GHS499,611 were invoiced for services by the same company that has been demonised for months as being responsible for a dastardly state of affairs at the electoral management body.

This mirrors a bill for more than GHS445,000 delivered by STL to the EC in October 2019 just ahead of the District Level Elections.

In simple terms, when IMANI accused the EC of still using equipment that it claimed was outmoded, we had far stronger grounding than just the audiovisual evidence.

The EC should exhibit its newfound transparency by explaining to the whole country why it has continued to pay STL millions of Ghana Cedis despite having publicly announced that it has terminated its services and is no longer using any of the equipment it supplied in the past.

We are not done with the EC Campaign

We have more damning information about the dangerous and depraved ways the current EC management is spending Ghana’s money. As we have stated repeatedly, our campaign for true transparency and accountability, especially in financial dealings, at the EC is a long-term one.

IMANI is dogged, relentless and committed in this struggle to see the EC account to the good people of Ghana and, by doing so, to restore the trust that it has dissipated by its naked lies and procurement abuses.

It is very much in the interest of the EC’s enablers and advisors to counsel it to embrace true transparency and accountability. Because everyday that they substitute sham theatrics for the real thing, they deplete valuable trust that would be so essential in maintaining the peace and steadiness of our democratic experiment should another highly competitive election bring us close to the tensions we saw in 2008.