Hacker News new | past | comments | ask | show | jobs | submit login
Kenya Government mandates DNA-linked national ID, without data protection law (blog.mozilla.org)
109 points by svl 38 days ago | hide | past | web | favorite | 46 comments

Kenya is part of China's belt and road initiative. I wonder if this is aided by China to lay the groundwork to push the country to be authoritarian. Just like how ZTE helps Venezuela tighten the control of her citizens. https://www.reuters.com/investigates/special-report/venezuel...

Or like US is helping authoritarian governments(i.e Saudi Arabia) or like US companies (i.e Cisco?) are helping China gov to censorship its people. It's all about the money. US is no different. Spreading freedom and democracy is secondary for the US just like spreading communism is for China.

I don't doubt that money is one of the major driving motives of almost everything we do.

My point is I fail to see how your comment, regardless of its truthfullness, adds value to the discussion.

If there already exist murderers, is it okay for you to become a murderer?

What the article suggests is without proper checks and balances in-place, the new system could easily be used against Kenya people. And I totally agree. But to stop it, we need to find out the root cause of the problem.

The post adds value because it puts the China post into perspective. There's a trend right now to make China the political Boogeyman, when the geopolitical reality is more nuanced.

It's worth pointing out that in the Snowden documents the NSA refers to surveillance of biometrics in African elections as something it was targetting. It was one of the parts I was surprised that didn't get more attention.

The big exception is that trade with China has vastly benefited these countries and continues to benefit. US political aspirations on other hand have destroyed south american countries and middle east.

Authoritarian governments are a strictly better alternative to the current conditions in many societies. Some form of government is better than completely feudal civil war. Who can today say that Saddam Hussein was worse for Iraq than the current US led mess the country has been into ? More people have died, more children dead, more women raped and more wealth destroyed for US attempts to throw away dictator and put democracy in order.

All the changes come with a price. U.S had its own civil war. Compare South Korea with North Korea.

I believe the Iraq story went so bad because the invasion was based on a lie so once Saddam was killed there was nothing left to do(based on the initial plan). Even so in the long run it might prove to be a good thing for Iraq.

As far as I'm concerned all dictators must die. People have the right to be free. We should just make sure the price is not too high and take more responsability to handle things once the top dog is put down.

Iraq and most of the middle east was already is a big mess. Look at the rate of illiteracy in Afganistan. These people live in tribes. They execut/ed people in public markets. You can't expect them to organize themselves as soon as the ruler is out. They need leadership and infrastructure(i.e education, jobs) that the U.S never planned to provide.

Yes, everything bad that happens is just like something bad the US did. Not only are they the same, but two wrongs also make a right.

> National Integrated Identity Management System (NIIMS) now requires all Kenyans, immigrants, and refugees to turn over their DNA, GPS coordinates of their residential address, retina scans, iris pattern, voice waves, and earlobe geometry before being issued critical identification documents.

Ouch. The full identity theft package. Probably worth comparing this with the controversy over Aadhar, the Indian scheme.

Is any of this currently used in ID theft (other than residential location)? Earlobe shape isn't exactly a security question. Might screw them over in the future but hard to call this the full identity theft package.

Is "identity theft" a thing in Kenya? I mean the US meaning is tied up with easy credit, someone else borrows money in your name, and the lender asks few questions until too late for them. I had the impression that places like Kenya there was very little such consumer credit available.

Edit: I guess the other meaning is things like getting a duplicate SIM card to defeat 2FA. I'd imagine that's a problem. Can anyone comment whether such information would make this easier?

> Is "identity theft" a thing in Kenya?



OK, so breaking 2FA & emptying your account, rather than taking a loan.

Would the world with this system (and its inevitable leaks) be worse? What I mean is that replacing a system where e.g. knowing someone's mother's maiden name is enough to get you a SIM card, to one where you have to show up and have the same earlobes... even if, err, the earlobes leak, might be better?

Or does getting a SIM card involve an inside man, in which case maybe nothing changes?

Yes. An example is telco market leader Safaricom.co.ke that rolled out 'voice as password'. Keep in mind most Kenyan transactions these days are in mobile money.

Well, this system would decrease the risk of identity theft because you can't get an ID issued without getting scanned/examined.

It would be a bit stupid to base an identification system, like that of a bank or credit card or whatever, on earlobe shape or Iris alone. But in combination with other factors it might be quite secure.

I think Earlobe shape can be used for identification in video footage. Iris scans only if you have a really good camera and a lot of luck. Otherwise it's really hard.

I assume the idea is that you need to produce a number of these for a new card. I hope IDs would be cryptography signed by gov officer (so fake ID generators are caught over time), and revokable if lost or stolen (one valid id at a time).

Oddly, no mention of fingerprints.

> The ID card is a critical document that impacts everyday life, without it, an individual cannot vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights.

It's the same in Belgium, France and I'd bet it's the same in any other European Union countries.

Is your DNA embedded into your ID?

No. But neither is the ADN of Kenyan citizens so far.

The quote is from a longer paragraph about the use of ID card. We use ID card for that too in the EU as a proxy for identification verification. The author seems to imply is bad per se. Hence my remark.

We also have laws and activists to fight governments willing to associate those IDs with DNA, iris record, health, etc.

But those data have nothing to do with your legal existence and your ability to prove it.

FTR: I hope Kenyans will find a way to resist their government's move to associate such data with their ID.

And then there are civilised countries that do not have national ID, yet their citizens can vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights. Hence, national ID is clearly not necessary.

The absence of national ID just means that a substitute, tat was not designed for this purpose (such as a driver's license), is used instead. This introduces its own set of problems as illustrated by this video on voter registration in the US : https://www.youtube.com/watch?v=Hd5Qs0fc_I0

The UK now has half of this: you have to prove your right of residence in order to rent property, and you have to prove your right to work in order to work, but there isn't a national ID system to enable that.

(The decision that people can't "vote, purchase property, access higher education, obtain employment, access credit, or public health, among other fundamental rights" without ID is a political one, it's not necessarily intrinsically required)

In the UK we don't have national ID but try and do anything without a passport or driving licence.

Instead a weird mix of council tax bills or your last water bill's address or such is used as identification, which is hardly any better.

People can get an idea of what's used to prove ID and address from this list. https://www.gov.uk/government/publications/proof-of-identity...

What ? What makes you think such a flawed reasoning would convince anyone ?

You can not 'officially' buy a sim card in a lot of european countries; the impact this has on criminality/terroism is probably negligable though?

The importance of DNA data to privacy is often overstated. It's not clear from the article, but for very serious cost reasons, this "DNA data" will include a small panel of genetic markers which are suited for identification.

It is virtually impossible to derive any health information from that data. It may be possible to estimate a person's ethnic background (which sometimes may be a danger in Africa) within reason. The one certain danger to privacy would be around family relationships, which some people may want to keep hidden.

So they really need to make sure they evaluate and communicate the benefits of this kind of data collection. To me it sounds a bit like some private vendors sold them the kitchen sink...

Great. A database that might be able to tag your ethnicity in a region with recurring ethnic violence.

In the hands of a trustworthy government that data would actually be useful to curb ethnic violence because you know where to deploy forces in the event something happens.

Then again, "trustworthiness" is not exactly a strength of an average African government so far.

>"In the hands of a trustworthy government".

Is there such a thing as a trustworthy government?

Trustworthiness is not an absolute thing. I trust my German government pretty far though, because I know I and my people can eventually hold them responsible for most things. The U.S. government, in most things, I also -mostly- trust, maybe not that far, but a lot farther than Russia or China.

And yes, I'd much rather have the NSA spy on me, than Russia and China. And that often is the choice when choosing technologies.

> Ethnic Discrimination Concerns: The collection of DNA is particularly concerning as this information can be used to identify an individual’s ethnic identity. Given Kenya’s history of politicization of ethnic identity, collecting this data in a centralized database like NIIMS could reproduce and exacerbate patterns of discrimination.

Imagine promoting a system so prone to abuse that you're really only one election away from an inescapable genocide whose detractors can be silenced perfectly.

You really don't need DNA information for a genocide. It may not even make a genocide or racial violence worse.

After all, racism is rarely fact-based.

> After all, racism is rarely fact-based.

But the impression that they know people's race, whether the DNA gathered are used in that determination or not (I vote not, since it's more expensive than a machete), is likely to help the case of whatever regime thinks it up.

Also, my emphasis was more on the detractors can be silenced perfectly bit. You can see the accompanying legislation coming, requiring social media and other communications infrastructure to be authenticated with the state id.

In my opinion it is much more viable to stop a government from abusing data than to stop the government having access to the data. Some biometric modalities like fingerprints, DNA and face images are quite literally "broadcast" by everyone.

In many cases, government access to certain data is not a problem if you can trust the government. If you can't trust the government, you have a bigger problem.

In the case of knowing who is which ethnicity and lives where in the African context, you can easily construct a scenario where they could round up a particular ethnicity. Or they just ask the locals.

In another scenario, if Group A is directing violence towards Group B, the government instantly knows where to send forces to stop it.

Indian government is working for a framework called India Stack which they are pitching to African countries. It is biometric linked identity that helps government track their citizens easily while also owning the data (protection from American companies).

Ouch, China will know everything of all Kenyans soon.

Not really. They could have all that biometric "data" but it yields very little information of value. In the majority nothing blackmailable (except maybe their children out of wedlock), and for the foreseeable future not a lot of potential for ad targeting or ecommerce...

The problems start when you have to use that Id for things like Internet Access etc. and the government starts censoring and actual surveillance.

DNA is very valuable for bioweapons...

The DNA data used for biometric identification is totally worthless for bioweapons.

Targeted bioweapons are a total oxymoron for the foreseeable future, and I doubt you'd use microsattelite markers or even SNPs.

I feel dreadful reading these types of things. The world seems to be running full speed into a dystopian future. Slow down, I say. Think about what you are doing and the consequences of your actions. NSA, POTUS lowering the bar for acceptable behavior, China monitoring, god knows what else, now this in Kenya.

Kenya is a crime hotspot with GDP per capita of $1,500. Average IQ is 80.

I don't think people there care about privacy when they are struggling to avoid being robbed and to put a roof over their heads. If these measures can make Government and policing more efficient, than so be it.

Since my comment is quite long, I'm putting the most important point right at the beginning. If anyone from Kenya or with interests in Kenya is reading this comment, please immediately take this law to court (since the article says this law is unconstitutional). Start mass campaigns and get people to understand and talk about it. It may probably take time to be heard, and it may probably seem impossible to win. But learn from the grotesque blunders that India has done with Aadhaar, and use that to fuel your fight. It would be terrible to give up so much for hardly any gain (only the companies that take your money to implement the system would gain, and some people in power). India is the shameful poster child here, and there's lots to learn. Also follow the money and see who's pushing for this (likely to be large multinational companies that are in cahoots with those in power).

This is just a bit worse than Aadhaar, the biometric based "unique ID" that's been bulldozed on to people in India. The Aadhaar program ran as an executive mandate (with no legislative backing) for several years, then a poorly drafted law was brought in and passed through subterfuge by the current ruling party (BJP). Aadhaar is based on fingerprints and iris scan, but there are provisions in the backing law to include DNA or other information as and when the authority pleases.

Like this Kenyan ID, India's Aadhaar has no opt-out (the Supreme Court gave a vague ruling last year that children should be able to opt out, but that hasn't been implemented).

It seems like this Kenyan ID uses biometrics directly, which is how Aadhaar also works. If your biometrics are leaked or compromised (I'm highly amused to even write these words), then you cannot revoke the ID or get a new ID. The concept of cancelable biometrics was not considered (Nandan Nilekani, one of the founders of the famous/infamous Indian company Infosys, headed this ID program, and suffice it to say that it's been a disaster in so many ways).

Like Kenya, India still does not have a data privacy law (the one drafted by a government commission has many issues, but will become the law in the future), but the government coerced many people to get Aadhaar through lies, deceitful marketing and causing general panic.

Hundreds of thousands (or even millions, by now) have lost money because of the way Aadhaar was linked to almost everything (bank accounts, phone numbers and many more), and the government's constant coercion and panic creation for people to get it and link it was the opportunity of a lifetime for people to phish, scam and defraud people. The majority of the affected were/are not digitally literate (even many educated people aren't generally digitally literate) and are poorer and/or elderly.

Since Aadhaar was, and is continuing to be, used for government subsidies, the failure of the poorly designed, centralized system in a country with poor network infrastructure and a lot of inherent corruption resulted in many deaths, including starvation deaths of small children, and disabled and/or elderly people.

India is a place where the executive branch of the government can get away with saying that these didn't happen (denial) or that it's collateral damage ("nothing in this world is flawless, so why bother?" is the mindset). The courts won't intervene on their own even for such grave matters.

Over the years, people have pointed out several security flaws in the system, but the authority in charge of Aadhaar, UIDAI, has always been in denial mode (and still is). The reaction of UIDAI has always been to file criminal complaints against those who show the weaknesses, instead of encouraging responsible disclosure or acknowledging the efforts of such people.

Since the Indian judicial system is also very slow (it took more than three years to even start hearing the cases filed by many people against this ID), the government had it quite easy. That's why I keep using the term "bulldozed".

Those who wanted to show the security flaws many a times refrained from doing it themselves because of the repercussions. And that's why the biggest opponent examining and talking about the security issues in the Aadhaar system is a French national who goes by the name Elliot Anderson on Twitter. [1]

Even Troy Hunt pointed out many basic flaws [2], but UIDAI's response was, as usual, denial.

Mozilla, EFF and many others have written about, and against, the Aadhaar program.

I can go on and on, but this would then become a book (see my profile for a little more).

[1]: https://twitter.com/fs0c131y

[2]: https://www.troyhunt.com/is-indias-aadhaar-system-really-hac...

In a country that has experienced tribal clashes, is one of the most corrupt in the world (law enforcement got to be the most corrupt in the world) and on the brink of debt slavery to China it marks the end of democracy, freedom and human rights. If they carry on, I foresee increase in extrajudicial killings, over taxation and eventually a Rwanda style genocide one day.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact