
Kenya Government mandates DNA-linked national ID, without data protection law - svl
https://blog.mozilla.org/netpolicy/2019/02/08/kenya-government-mandates-dna-linked-national-id-without-data-protection-law/
======
cltsang
Kenya is part of China's belt and road initiative. I wonder if this is aided
by China to lay the groundwork to push the country to be authoritarian. Just
like how ZTE helps Venezuela tighten the control of her citizens.
[https://www.reuters.com/investigates/special-report/venezuela-zte/](https://www.reuters.com/investigates/special-report/venezuela-zte/)

~~~
thefounder
Or like US is helping authoritarian governments (i.e. Saudi Arabia) or like US
companies (i.e. Cisco?) are helping China gov to censor its people. It's
all about the money. US is no different. Spreading freedom and democracy is
secondary for the US just like spreading communism is for China.

~~~
cltsang
I don't doubt that money is one of the major driving motives of almost
everything we do.

My point is I fail to see how your comment, regardless of its truthfulness,
adds value to the discussion.

If there already exist murderers, is it okay for you to become a murderer?

What the article suggests is without proper checks and balances in place, the
new system could easily be used against Kenyan people. And I totally agree. But
to stop it, we need to find out the root cause of the problem.

~~~
drankula3
The post adds value because it puts the China post into perspective. There's a
trend right now to make China the political Boogeyman, when the geopolitical
reality is more nuanced.

------
pjc50
> National Integrated Identity Management System (NIIMS) now requires all
> Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of
> their residential address, retina scans, iris pattern, voice waves, and
> earlobe geometry before being issued critical identification documents.

Ouch. The full identity theft package. Probably worth comparing this with the
controversy over Aadhaar, the Indian scheme.

~~~
tgb
Is any of this currently used in ID theft (other than residential location)?
Earlobe shape isn't exactly a security question. Might screw them over in the
future but hard to call this the full identity theft package.

~~~
iguy
Is "identity theft" a thing in Kenya? I mean the US meaning is tied up with
easy credit, someone else borrows money in your name, and the lender asks few
questions until too late for them. I had the impression that in places like Kenya
there was very little such consumer credit available.

Edit: I guess the other meaning is things like getting a duplicate SIM card to
defeat 2FA. I'd imagine that's a problem. Can anyone comment whether such
information would make this easier?

~~~
coob
> Is "identity theft" a thing in Kenya?

Yes:

[https://www.standardmedia.co.ke/article/2001287820/phone-users-losing-millions-through-identity-theft](https://www.standardmedia.co.ke/article/2001287820/phone-users-losing-millions-through-identity-theft)

~~~
iguy
OK, so breaking 2FA & emptying your account, rather than taking a loan.

Would the world with this system (and its inevitable leaks) be worse? What I
mean is that replacing a system where e.g. knowing someone's mother's maiden
name is enough to get you a SIM card, to one where you have to show up and
have the same earlobes... even if, err, the earlobes leak, might be better?

Or does getting a SIM card involve an inside man, in which case maybe nothing
changes?

------
johnchristopher
> The ID card is a critical document that impacts everyday life, without it,
> an individual cannot vote, purchase property, access higher education,
> obtain employment, access credit, or public health, among other fundamental
> rights.

It's the same in Belgium, France and I'd bet it's the same in any other
European Union countries.

~~~
x38iq84n
And then there are civilised countries that do not have national ID, yet their
citizens can vote, purchase property, access higher education, obtain
employment, access credit, or public health, among other fundamental rights.
Hence, national ID is clearly not necessary.

~~~
dazc
In the UK we don't have national ID but try and do anything without a passport
or driving licence.

~~~
krautsourced
Instead a weird mix of council tax bills or your last water bill's address or
such is used as identification, which is hardly any better.

~~~
DanBC
People can get an idea of what's used to prove ID and address from this list.
[https://www.gov.uk/government/publications/proof-of-identity-checklist/proof-of-identity-checklist](https://www.gov.uk/government/publications/proof-of-identity-checklist/proof-of-identity-checklist)

------
bayesian_horse
The importance of DNA data to privacy is often overstated. It's not clear from
the article, but for very serious cost reasons, this "DNA data" will include a
small panel of genetic markers which are suited for identification.

It is virtually impossible to derive any health information from that data. It
may be possible to estimate a person's ethnic background (which sometimes may
be a danger in Africa) within reason. The one certain danger to privacy would
be around family relationships, which some people may want to keep hidden.

So they really need to make sure they evaluate and communicate the benefits of
this kind of data collection. To me it sounds a bit like some private vendors
sold them the kitchen sink...

------
tyingq
Great. A database that might be able to tag your ethnicity in a region with
recurring ethnic violence.

~~~
bayesian_horse
In the hands of a trustworthy government that data would actually be useful to
curb ethnic violence because you know where to deploy forces in the event
something happens.

Then again, "trustworthiness" is not exactly a strength of an average African
government so far.

~~~
brokenmachine
> _"In the hands of a trustworthy government"._

Is there such a thing as a trustworthy government?

~~~
bayesian_horse
Trustworthiness is not an absolute thing. I trust my German government pretty
far though, because I know I and my people can eventually hold them
responsible for most things. The U.S. government, in most things, I also
-mostly- trust, maybe not that far, but a lot farther than Russia or China.

And yes, I'd much rather have the NSA spy on me, than Russia and China. And
that often is the choice when choosing technologies.

------
microcolonel
> _Ethnic Discrimination Concerns: The collection of DNA is particularly
> concerning as this information can be used to identify an individual’s
> ethnic identity. Given Kenya’s history of politicization of ethnic identity,
> collecting this data in a centralized database like NIIMS could reproduce
> and exacerbate patterns of discrimination._

Imagine promoting a system so prone to abuse that you're really only one
election away from an inescapable genocide whose detractors can be silenced
perfectly.

~~~
bayesian_horse
You really don't need DNA information for a genocide. It may not even make a
genocide or racial violence worse.

After all, racism is rarely fact-based.

~~~
microcolonel
> _After all, racism is rarely fact-based._

But the impression that they know people's race, whether the DNA gathered are
used in that determination or not (I vote not, since it's more expensive than
a machete), is likely to help the case of whatever regime thinks it up.

Also, my emphasis was more on the _detractors can be silenced perfectly_ bit.
You can see the accompanying legislation coming, requiring social media and
other communications infrastructure to be authenticated with the state id.

~~~
bayesian_horse
In my opinion it is much more viable to stop a government from abusing data
than to stop the government having access to the data. Some biometric
modalities like fingerprints, DNA and face images are quite literally
"broadcast" by everyone.

In many cases, government access to certain data is not a problem if you can
trust the government. If you can't trust the government, you have a bigger
problem.

In the case of knowing who is which ethnicity and lives where in the African
context, you can easily construct a scenario where they could round up a
particular ethnicity. Or they just ask the locals.

In another scenario, if Group A is directing violence towards Group B, the
government instantly knows where to send forces to stop it.

------
KorematsuFred
Indian government is working for a framework called India Stack which they are
pitching to African countries. It is biometric linked identity that helps
government track their citizens easily while also owning the data (protection
from American companies).

------
NicoJuicy
Ouch, China will know everything of all Kenyans soon.

~~~
bayesian_horse
Not really. They could have all that biometric "data" but it yields very
little information of value. In the majority nothing blackmailable (except
maybe their children out of wedlock), and for the foreseeable future not a lot
of potential for ad targeting or ecommerce...

The problems start when you have to use that Id for things like Internet
Access etc. and the government starts censoring and actual surveillance.

~~~
acct1771
DNA is very valuable for bioweapons...

~~~
bayesian_horse
The DNA data used for biometric identification is totally worthless for
bioweapons.

Targeted bioweapons are a total oxymoron for the foreseeable future, and I
doubt you'd use microsatellite markers or even SNPs.

------
mrhappyunhappy
I feel dreadful reading these types of things. The world seems to be running
full speed into a dystopian future. Slow down, I say. Think about what you are
doing and the consequences of your actions. NSA, POTUS lowering the bar for
acceptable behavior, China monitoring, god knows what else, now this in Kenya.

~~~
beerlord
Kenya is a crime hotspot with GDP per capita of $1,500. Average IQ is 80.

I don't think people there care about privacy when they are struggling to
avoid being robbed and to put a roof over their heads. If these measures can
make Government and policing more efficient, then so be it.

------
wtmt
Since my comment is quite long, I'm putting the most important point right at
the beginning. If anyone from Kenya or with interests in Kenya is reading this
comment, please immediately take this law to court (since the article says
this law is unconstitutional). Start mass campaigns and get people to
understand and talk about it. It may probably take time to be heard, and it
may probably seem impossible to win. But learn from the grotesque blunders
that India has done with Aadhaar, and use that to fuel your fight. It would be
terrible to give up so much for hardly any gain (only the companies that take
your money to implement the system would gain, and some people in power).
India is the shameful poster child here, and there's lots to learn. Also
follow the money and see who's pushing for this (likely to be large
multinational companies that are in cahoots with those in power).

This is just a bit worse than Aadhaar, the biometric based "unique ID" that's
been bulldozed on to people in India. The Aadhaar program ran as an executive
mandate (with no legislative backing) for several years, then a poorly drafted
law was brought in and passed through subterfuge by the current ruling party
(BJP). Aadhaar is based on fingerprints and iris scan, but there are
provisions in the backing law to include DNA or other information as and when
the authority pleases.

Like this Kenyan ID, India's Aadhaar has no opt-out (the Supreme Court gave a
vague ruling last year that children should be able to opt out, but that
hasn't been implemented).

It seems like this Kenyan ID uses biometrics directly, which is how Aadhaar
also works. If your biometrics are leaked or compromised (I'm highly amused to
even write these words), then you cannot revoke the ID or get a new ID. The
concept of cancelable biometrics was not considered (Nandan Nilekani, one of
the founders of the famous/infamous Indian company Infosys, headed this ID
program, and suffice it to say that it's been a disaster in so many ways).

Like Kenya, India still does not have a data privacy law (the one drafted by a
government commission has many issues, but will become the law in the future),
but the government coerced many people to get Aadhaar through lies, deceitful
marketing and causing general panic.

Hundreds of thousands (or even millions, by now) have lost money because of
the way Aadhaar was linked to almost everything (bank accounts, phone numbers
and many more), and the government's constant coercion and panic creation for
people to get it and link it was the opportunity of a lifetime for people to
phish, scam and defraud people. The majority of the affected were/are not
digitally literate (even many educated people aren't generally digitally
literate) and are poorer and/or elderly.

Since Aadhaar was, and is continuing to be, used for government subsidies, the
failure of the poorly designed, centralized system in a country with poor
network infrastructure and a lot of inherent corruption resulted in many
deaths, including starvation deaths of small children, and disabled and/or
elderly people.

India is a place where the executive branch of the government can get away
with saying that these didn't happen (denial) or that it's collateral damage
("nothing in this world is flawless, so why bother?" is the mindset). The
courts won't intervene on their own even for such grave matters.

Over the years, people have pointed out several security flaws in the system,
but the authority in charge of Aadhaar, UIDAI, has always been in denial mode
(and still is). The reaction of UIDAI has always been to file criminal
complaints against those who show the weaknesses, instead of encouraging
responsible disclosure or acknowledging the efforts of such people.

Since the Indian judicial system is also very slow (it took more than three
years to even start hearing the cases filed by many people against this ID),
the government had it quite easy. That's why I keep using the term
"bulldozed".

Those who wanted to show the security flaws many a time refrained from doing
it themselves because of the repercussions. And that's why the biggest
opponent examining and talking about the security issues in the Aadhaar system
is a French national who goes by the name Elliot Anderson on Twitter. [1]

Even Troy Hunt pointed out many basic flaws [2], but UIDAI's response was, as
usual, denial.

Mozilla, EFF and many others have written about, and against, the Aadhaar
program.

I can go on and on, but this would then become a book (see my profile for a
little more).

[1]: [https://twitter.com/fs0c131y](https://twitter.com/fs0c131y)

[2]: [https://www.troyhunt.com/is-indias-aadhaar-system-really-hack-proof-assessing-a-publicly-observable-security-posture/](https://www.troyhunt.com/is-indias-aadhaar-system-really-hack-proof-assessing-a-publicly-observable-security-posture/)

------
jimmykaya
In a country that has experienced tribal clashes, is one of the most corrupt
in the world (law enforcement got to be the most corrupt in the world) and on
the brink of debt slavery to China it marks the end of democracy, freedom and
human rights. If they carry on, I foresee an increase in extrajudicial killings,
over taxation and eventually a Rwanda style genocide one day.

