The Controversial Decision to Outsource Liberia’s Biometric Voting Data to China: A Big Cybersecurity Risk
By Marcus T. Blamoh
With the national elections fast approaching (October 2023), Liberia’s National Election Commission (NEC) announced that it is awarding the biometric voter registration system contract to a Chinese company, EKEMP. The announcement was criticized by many, including the Liberian Senate. Many believed that a local company subject to Liberia’s bylaws deserved the contract. Awarding the contract to a foreign company instead of a local one raises serious cybersecurity concerns regarding democracy, data privacy, data protection, and national security.
It is important to underscore that biometrics involves the use of physical or behavioral characteristics to identify an individual. It is done through fingerprinting, iris scanning, or voice recognition. Biometric data is acquired through special devices designed to capture this information. The data is then stored in a database for identification purposes. Furthermore, a core policy one should be cognizant of is the General Data Privacy Regulation (GDPR). It is a set of regulations that member states of the European Union must implement to protect the privacy of digital data. The regulation applies to any company that processes or intends to process individuals’ data within the E.U. For example, if a Liberian company, ABC, decides to conduct business in Europe, company ABC is subject to GDPR. The law is designed to protect data subject rights: the GDPR sets out strict rules about how companies must handle this very important data. Many countries, including the United States, have adopted and rebranded this Data Privacy Regulation into various laws, including the U.S. Privacy Act, HIPAA, GLBA, COPPA, CCPA, and MDPA.
The Case of Liberia NEC vs. EKEMP
Firstly, it is commendable that the Government of Liberia has initiated the process of biometrics in its national elections. It will help to ensure that the process is more secure, faster, and more effective. However, there are some actions to dive deeper into before proceeding with this decision. NEC should implement some controls, guardrails, and cybersecurity best practices to process and maintain this highly sensitive data securely. Information security should be the number one priority. Several questions need to be asked. Will data collection, processing, and protection be done in Liberia or China? Is one-way coding implemented to protect the biometric templates from being reverse-engineered and reconstructed? Which database is going to store the data? Where is the location of the storage, Liberia or China? Are background checks performed on the personnel handling the data? What happens if there is a data breach? Is China answerable to the Laws of Liberia? These are essential questions that require objective and vivid answers.
For starters, it is essential to note that a country’s voting database is a critical piece of infrastructure. By outsourcing it to a foreign company, Liberians are simply handing over control of their democracy to another country. This is a huge security risk, as there is no guarantee that the Chinese company will safeguard Liberia’s data appropriately. In fact, given the current tensions between China and the U.S., it is not unreasonable to believe that they could use this data to their advantage. China is notorious for its cyber espionage activities. In the past, they have been caught exfiltrating and stealing sensitive information from other countries. There is no reason to believe they would not try to do the same in Liberia. Given the importance of the election, NEC must find a more trustworthy provider for the biometric voter registration system. A Liberian-owned and trusted technology company that is subject to the laws of Liberia is highly recommended. Anything less could jeopardize the entire process, resulting in a rigged election and the exfiltration of data.
Furthermore, it is much easier to follow up with a local company in case things go wrong. For instance, if the data is mishandled or leaked, the government will hold the local company accountable and demand answers. A local company, bound by local laws and the GDPR, would be the best option for this contract. Although China enforced the Personal Information Protection Law (PIPL) by adopting some of the concepts from GDPR, they also left out some important phases that make doing business with a Chinese company very challenging. For example, EKEMP does not provide any policy regarding clients’ privacy on its website or in a public press release. It is much harder to follow up with such a foreign company as they are only subject to Chinese laws.
NEC has defended its decision, stating that they do not want a repeat of what companies did the printing. Nevertheless, the Public Procurements and Concessions Commission (PPCC) has not stopped blaming the Chairperson of the NEC, Madam Davidetta Browne Lansanah, for her continuous preference for EKEMP International. According to the PPCC Executive Director, NEC’s insistence on awarding the contract to EKEMP International goes against the commission’s recommendations. The executive director stated that NEC should have heeded the PPCC’s advice to open the bidding process to other companies to get the best possible deal for Liberia. The director also warned that if NEC does not change its course, it could put Liberia at risk of being unable to hold a free and fair election. Senator Tokpa has also spoken out against NEC’s decision, saying it is “unacceptable” and puts Liberia’s democracy at risk. Hon. Tokpa has called on NEC to reconsider its decision, open the bidding process to other companies, and stop gambling with the safety of Liberia’s democracy and the country’s autonomy.
In conclusion, there are several reasons why the decision to award this contract to a Chinese company not only endangers Liberia’s nascent democracy but also puts national security at a higher risk. Chinese companies are highly controlled by the laws of China, and the processing, storage, and retrieval of Liberia’s critical data are questionable. Awarding such a contract to a Liberia-based company comes with many cybersecurity controls, safeguards, and best practices that will promote privacy, advance democracy, and contribute to national security.
I would like to use this opportunity to call on the National Security Agency (NSA) to follow up on this decision as it poses a serious threat to national security. Secondly, I would like to call on the Lawmakers of Liberia to establish a Data Privacy Law for the regulation of ministries and agencies regarding the collection, use, storage, and disclosure of personal information. Most importantly, an urgent call to the President of Liberia to establish Liberia’s Cybersecurity Agency to promote, develop, and regulate cybersecurity activities in Liberia.
About the Author
Marcus T. Blamoh
Marcus is the founder of Valsal Information Security Group in Liberia, and a seasoned cybersecurity expert with 25 years of IT experience. He has spent the last seven years protecting the information assets of various Fortune 500 companies in Europe and the United States. Marcus is very passionate about cybersecurity in Liberia, and his vision is to use cybersecurity to inspire, motivate, and train Liberians in protecting themselves and the nation’s most critical infrastructures. Marcus holds a master’s degree in Cybersecurity from Saint Leo’s University, USA, and a series of certifications including Certified Information System Auditor (CISA), Certified Ethical Hacker (CEH), and others from Cisco, CompTIA and CISA.