Since the end of the 2019 presidential election there has been a lot of chatter about INEC Server results, the backup of voting results that INEC had earlier planned to transmit to a central server.
Trouble began when the campaign office of the major opposition candidate alleged that they have documents they believed contain the electronically transmitted results of the 2019 presidential election. Of course, INEC have since denied the document.
However, you probably know all this by now and if you don’t Google is your friend as a lot of media organizations have extensively covered that angle.
The purpose of this article is to show why whatever was allegedly transmitted by INEC presiding officers during the election cannot be validly regarded as the result of the 2019 presidential election having failed to meet the minimum standards for authentication and validation.
In fact, I will even go as far as saying that even if the electronic transmission and e-collation of results were included in the electoral act the result in the server would still not have stood as there would still be a lot of grounds to challenge its validity.
Since, no one knows exactly how the electronic transmission of results work, I will start by describing how I believe INEC result transmission works.
My description will be based on testimonies I read from online media accounts of people who claim to have worked as INEC officials during the election. I believe that in due time INEC should provide an official description of the whole process.
My description is important because, I believe you need to know the premise upon which I am dismissing the whole electronically transmitted results. It also follows that if those premises are inaccurate, my conclusions will also be invalid.
After giving you my description of how I believe the process works, I will then show the loopholes in the process that puts to question the validity of the entire result.
For each loophole, I will make recommendations on how the process can be upgraded for a more trustworthy outcome. I will be doing this because, the purpose of this article is not just to show why the electronically transmitted result is unreliable, but to also show how it can be made better for future elections most especially the 2023 presidential election.
Imagine a world where the electronically transmitted result can stand on its own without recourse to the manually collated results.
Imagine a world where to prove you won the presidential election (or any other elective office) you do not need to go through the rigours of manually inspecting ballot papers or result forms.
All you need to do is to get a copy of INEC’s database of the results via a court order and you will have all you need to make your case.
However, for this to be possible INEC has to create an airtight data validation and authentication process that guarantees that the data that ends up in the database on the INEC server is the same as the results on the form EC8A result sheet signed by party agents at the polling units.
This in my opinion is not possible right now because of lapses in the current protocol.
Transparency – The Missing Ingredient in the Electronic Transmission (E-Collation)
No one knows for sure how INEC’s electronic transmission of voting results work. In fact, many voters never heard anything about electronic transmission of results until the alleged INEC server results surfaced. This lack of transparency is a problem.
There is a reason why voters trust the manual process. We all know how it works.
We queue up at our polling unit, select our preferred candidate on the ballot by thumb printing beside the logo of the candidate’s party. The votes are counted and entered into the result sheet and validated by party agents with their signatures.
Results of ward polling units are collated at the ward, ward results at the local government area, LGA results at the state level, and finally the state results are collated at the INEC office in Abuja to derive the result of the presidential election.
At each stage of collation, the result sheet is signed by authorized party agents for validation.
The transparency of the manual system means that we all know its limitation and each election cycle efforts are made to make the process more credible.
Before electronically transmitted results can rival the manually collated result (or at least stand on its own right), it must also match it in transparency.
When we all know the protocol used in the electronic transmission process, we can easily identify lapses in the process and make recommendations on how to improve the process. It will also increase public trust in the process.
How Electronic Transmission to INEC Server (E-Collation) Works
Only INEC knows exactly how e-collation works. What I am describing here is simply my understanding of how it works based on what I have read online.
I found this article by Premium Times very illuminating. I also read dozens of tweets by people who claim they were INEC adhoc staff during the election describing how they transmitted or attempted to transmit the results or number of accredited voters.
Based on these accounts, here is my understanding of how the INEC’s e-collation and electronic transmission was supposed to work.
After voting, the ballot is counted and entered in the form EC8A result sheet.
The completed result sheet is signed by party agents and the presiding officer for validation.
The presiding officer then opens the e-collation app on the smart card reader (SCR) and inputs the results as recorded in the duly signed form EC 8A result sheet into it and transmits it to the server. While some presiding officers said they transmitted just the number of accredited voters, others said they transmitted actual voting results.
From all accounts this transmission was done over the public internet, which means data access is required at the polling unit where the transmission should happen.
It is not clear whether party agents witnessed the entering and transmission of the result in the SCR.
The transmitted result is then received at the INEC headquarters in Abuja where it is entered into a database in the INEC server.
It is not clear how the database of the result is populated. While we have heard a lot about how the result is transmitted very little, if any has been revealed about how the data is received and entered into the database.
My guess is that there are one of two ways this could happen. My preferred approach is a scenario where the data is received and entered into the database automatically without any intervention of an INEC official except in cases where data sanitisation is required.
The second approach (which I discourage completely) is one where the results are received in the form of messages or notifications on a screen and an INEC official will have to enter the received data manually into the database.
There you have it, what I outlined above is my understanding of how e-collation works. In time, it will be great for INEC to be more open about how it works.
Now, that I have laid down how I think the e-collection process works, the coast is now clear for me to reveal what I think is wrong with this setup and why I believe it cannot be relied on as a true representation of the election result.
The Problem with INEC’s current setup and My Fixes
The main problem with the current INEC protocol is that you cannot guarantee for sure that the results transmitted, and the content of the database is the same as the scores recorded in the INEC form EC8A result sheet.
I will break things down into three sections to make my point easier to grasp. The first section will look at lapses at the polling unit end where the results were supposed to be transmitted.
The second section will consider how the results were transmitted and finally, the last section will look into the lapses at the reception and server end.
The Polling Unit
This is the most critical part of the process as any error at this stage will carry on to later stages of the process.
The problem here is the protocol for entering and transmitting the data.
While INEC (and I guess the electoral act) required that the result entered into form EC8A result sheet be signed by party agents to confirm that the process was above board and that the correct scores where entered, INEC’s protocol for e-collation has this crucial validation step missing.
This lack of validation creates a big problem for the electronically transmitted result. Without validation there is no way of being sure that the alleged transmitted result is the same as scores entered in the signed form EC 8A, except a one on one match is done between each duly signed form EC8A and its transmitted copy on INEC’s server.
If Party A got 50 votes in a polling unit and the presiding officer erroneously or intentionally enters 32 votes for the party in the SCR for transmission, the current INEC protocol for electronic transmission does not seem to have any steps for verifying that the data being transmitted is accurate.
It appears INEC saw e-collation as its private pet project (or an experiment) with the way it handled the data. The way presiding officers handled the data was even scandalous in some areas.
For example, in the Premium Times report I referenced earlier one of the presiding officers interviewed said after several failed attempts to transmit the result, due to poor network he had to pay an INEC technical support staff (RACTECH) in the local government area to help him transmit the result.
This might not sound so bad until you learn that he left the card reader with the officer and went home after the tech staff promised to upload the data.
This sounds like a security breach to me, because it means that this tech staff may actually be able to alter scores prior to transmission, that is if he transmitted it at all as all the presiding officer got from the RAC TECH personnel was a promise to transmit, he was not actually able to confirm whether the promise was kept.
In case you think this was an isolated incidence, the presiding officer narrated this event with the personal pronoun WE, which implies he was not the only one that did this.
With numerous reports of difficulty in transmission of results, it is likely that this outcome was common during the presidential election.
Therefore, given how recklessly data was handled at the polling unit level, it will be difficult for the result from e-collation to hold up in court given the numerous lapses.
This is because the question still remains without an airtight data validation procedure “How do you prove that the data transmitted is the same as the results entered in the signed form EC8A?”
INEC should upgrade the e-collation app to include a feature that enables party agents to view and sign the figures entered by the presiding officer in the card reader prior to transmission.
This new system should also be designed in such a way that any alteration of the entered results during signing (maybe because a party agent spotted an error) or after signing (maybe because an INEC official is attempting to compromise the entries) will reset the entire data validation and authentication process and require a fresh set of signatures from all party agents.
The authentication (signing) can be done using fingerprint sensor or digital pens. INEC can also introduce one-time passwords to enable party agents and presiding officer validate the result.
I also believe that the National Assembly should amend the electoral act to insist that whatever data INEC is storing, archiving, or backing-up in electronic form must be signed for validation and authentication by party agents and presiding officers.
The purpose of a backup system is defeated if you cannot guarantee that the backup is the same as the original data.
Another problem that created room for data manipulation in the electronic transmission process was that the current UX of the e-collation app seems to use synchronous communication which meant that the process required immediate response from the server. So, if it does not get an immediate response (it will usually wait a couple of seconds of course) from the server that the result was received successfully (maybe because of poor network or server down), an error message is displayed, and the data must be resent.
This setup required that the presiding officer keep actively sending the data by pressing the send button until they get a successful transmission feedback.
This created a problem because once it got late and the presiding officers were not able to successfully send the result they had to handover the equipment and bribe or beg some officials at RACTECH to help them continue attempting the result transmission, which created a loophole for corruption of the election results.
To solve this problem the UX needs to be upgraded to a one-time send process (asynchronous communication) similar to how Email, Whatsapp and other messaging apps work. When you send a message on Whatsapp, the app will not require you to resend the message if it fails to send it immediately. Instead it will store in local storage and keep resending automatically until it finally succeeds.
This is the model I believe the e-collation app should also follow. Once the presiding officer hits the send button, the app will keep resending the data every few minutes within a 24-hour period.
This ensures that even if the data is not sent immediately due to poor network, the app will keep trying in the background without any further human input until it finds a good network connection.
Based on all I have read so far about INEC’s e-collation, it is not clear what meta data is transmitted along with the election results. Most of the focus has been on the main results like score of each party, number of accredited voters, etc.
I believe that if the vision is to make the electronically transmitted result as independent as possible of the manually collated result, meta data should also be transmitted.
Meta data is data that enables you make sense of the main data. Meta data that I think should be transmitted along with main election data include:
- Political Parties that electronically signed the result at the polling unit
- Date and time the send button was pressed
- Date and time the transmission was received (this will be included at the server end)
- Device ID (of the card reader)
- Polling unit ID (Unit, Ward, LGA, State)
- and more as INEC, legislators, political parties, and civil society groups deem fit
This will ensure that for any given transmitted polling unit result, one can see a lot more information that will enable them make sense of it.
It also means that a presidential candidate challenging the results of an election, will not need to be examining all ballot papers and form EC8As. All they will need is a court order to enable them to get a dump of the result database.
The candidate’s team can then use artificial intelligence or any other form of analytics tool to comb through the data, to scan for patterns that point to malpractice.
For example, some patterns they can check for include:
- Polling unit results that were not digitally signed by their party agents
- Polling units where election results were transmitted after a suspiciously long time after close of voting (say days or after any benchmark set by INEC or political parties for the election)
- Polling units where election results were transmitted before the date of the election (say the previous day) or where election results where transmitted before the INEC suggested close of voting according to its guidelines for the election)
- Results transmitted by devices with suspicious or unknown device IDs
- Cases of multiple transmissions from a single device (using the Device ID as reference)
This will enable the candidate’s team to focus their efforts in the right direction. Such patterns may even be able to convince a judge that the candidate has enough grounds to get whatever judgement they are demanding from the court.
However, for all this to work the data will have to be authenticated at the polling unit level. This will ensure that the validity of the data is easy to determine and will give the electronically transmitted result the credibility to stand on its own.
Transmission of election results was a big problem in the 2019 presidential election. Many presiding officers reported problems with connecting to the INEC server.
The whole data validation and authentication process will amount to nothing if presiding officers cannot reliably transmit data to the server in good time.
According to online media reports, presiding officers used Wi-Fi over mobile networks for the transmission. The problem with this setup is that network coverage is poor in rural and remote areas.
Except of course the smart card reader also supports GSM networks (with 3G or 4G data), another problem with this setup is that not every presiding officer will own a smartphone capable of creating a Wi-Fi hotspot.
This might be the reason for the numerous complaints about difficulty in transmitting results. Maybe they were transmitting over the wrong network.
INEC should use satellite technology to create Wi-Fi hotspots in areas with poor, slow, and unreliable data coverage and to save cost mobile networks in areas with fast and reliable data services. The ward collation centres can be used as the centres for the Wi-Fi hotspots.
This ensures that while the presiding officers converge for ward collation, the smart card reader will sense the Wi-Fi and automatically transmit the polling unit data, which were entered, digitally signed (and the send button pressed) at the polling unit.
It is important that INEC protocol for e-collation insists that the send button on the e-collation apps is pressed at the polling unit in the presence of party agents whether or not data coverage is available at the polling unit. Once there is a send once system in the UX, this reduces the chances of result manipulation.
Reliable Wi-Fi hotspots at the ward collation centres will eliminate the hitches presiding officers face during transmission and improve the reliability of the process.
A reliable transmission process will reduce unnecessary delays that can give room for manipulation and ensure that most presiding officers will successfully transmit. Both factors will ensure the accuracy and completeness of the data.
Because what good will e-collation be if only say 50% or less of the presiding officers were able to successfully transmit the result.
Reception (INEC Server)
While we have heard a lot about INEC server, no one knows for sure how it works. This is the sketchiest part of INEC’s e-collation.
It is not clear how INEC intended to create the database of the 2019 presidential election.
Like I pointed out earlier there are two approaches INEC could have used. My preferred approach is one where the transmitted data is stored automatically into the database.
This eliminates any human intervention which could lead to manipulation of results.
The second approach is one where the results are received in form of messages and INEC officials will have to physically compile the database from the received messages.
This second approach obviously creates room for manipulation. Therefore, if INEC adopts this approach, they must include in the data reception protocol another round of validation and authentication where party agents must confirm that whatever is being manually entered into the database is exactly what was received in the message.
For the rest of this section I will assume that INEC used my preferred method of automatic data entry.
If the data was stored automatically it is also important that it is stored “as is” first before being aggregated to get ward, LGA, and state results.
Curiously, the INEC server result being circulated by supporters of the opposition candidate shows a tabulation of results by state rather than by polling unit (as results where transmitted only at the polling unit level by all accounts).
Having the result by polling unit would have made it easier to ascertain the accuracy of the INEC server result in circulation. This will simply involve taking a sample size (as little as 1000) of the polling unit results as recorded on the server and matching it with the result recorded in the form EC8A result sheets for those polling units.
Since results were transmitted at the polling unit level it will be difficult to use the aggregate scores by state to make a case.
This is why before any manual or automatic aggregation of received results to get ward results, LGA results, and state results, the original received results by polling unit must be stored “as is”.
The best UX is a hierarchically structured database where the result is threaded. The first screen (home screen) will be the aggregate score by state, but a click on any state gives a drill down by local government area, and a click on any LGA gives a drill down by ward.
Finally, a click on any ward will expand the view to show results by polling units in that particular ward. Needless to say that each result should have its meta data added.
Of course, the UX should also offer options to view by polling units (for all polling units in Nigeria), view by ward (for all wards in Nigeria), and view by LGA (for all local government areas in Nigeria).
Finally, I will now address the main reason why I think the result might be invalid at the reception and server end.
Lack of transparency. What do I mean?
For example, before the first set of polling unit result hit the INEC server was there any event where INEC verified (in the presence of party agents, civil society groups, and domestic and international observers) that the database that will house the 2019 presidential election was empty.
Is it possible that the INEC server result being paraded on social media may contain legacy data transmitted during testing and training as well as those transmitted in off-calendar state elections as INEC claims they tested e-collation in some of those state elections?
Without any confirmation of the emptiness of the database prior to the first transmission it will be difficult to vouch the authenticity of the result.
Even at the polling units on voting day one of the first things a presiding officer does before voting commences is to show prospective voters that the ballot box is empty.
The transparent design of the current INEC ballot boxes also helps in this regard.
This transparency reassures voters, political parties, election monitors, and all other stakeholders that all contestants have a level playing field and that the results counted at the end of the process will be the same as what the accredited voters chose.
There was no record of this ever happening at the INEC server level.
INEC should have an event on election day where the database that will house the presidential election is verified for emptiness.
This should happen in good time before the close of polls (so it does not interfere with result transmission) and should happen in the presence of party agents and other stakeholders.
Of course, party agents of all politically parties should sign that they were present and can confirm the emptiness of the database.
To make this process easy to manage, INEC can hire an independent auditing firm (one with a good reputation of course) to verify and certify the emptiness of the database. The party agents can then sign based on the certification of the auditors.
However, it is not only emptiness of data that should be verified.
Imagine a scenario where there is a bug in the INEC server whose only job is to strip all political parties of 20% to 50% of their votes and add the aggregate of the stripped scores to one party (probably the one that planted the bug).
Therefore, INEC server or/and database should not just be certified for emptiness of data but must also be certified to be empty of bugs.
INEC should hire a reputable security firm to certify that its server and database are empty of bugs and based on this certification party agents can sign with their seal of approval.
This process will ensure that whatever we see in the database at the close of transmission will indeed be a true reflection of the scores as transmitted at the polling units.
The lack of transparency in INEC e-collation of the 2019 presidential election makes it hard to trust the process.
If you think transparency is not a big deal the German constitutional court ruled in 2009 that electronic voting is unconstitutional if it is not transparent.
Hear the court:
“that all essential steps of an election are subject to the possibility of public scrutiny unless other constitutional interests justify an exception . . . The use of voting machines which electronically record the voters’ votes and electronically ascertain the election result only meets the constitutional requirements if the essential steps of the voting and of the ascertainment of the result can be examined reliably and without any specialist knowledge of the subject . . . The very wide-reaching effect of possible errors of the voting machines or of deliberate electoral fraud make special precautions necessary in order to safeguard the principle of the public nature of elections.”
The court also went on to say
“The legislature is not prevented from using electronic voting machines in elections if the possibility of a reliable examination of correctness, which is constitutionally prescribed, is safeguarded. A complementary examination by the voter, by the electoral bodies or the general public is possible for example with electronic voting machines in which the votes are recorded in another way beside electronic storage.”
See full judgement here (use Google Translate if you can’t read German)
So, to be clear the court is not against electronic voting, it is only saying the process must be open to public scrutiny and have a backup in case the electronic process is compromised. It also says that the process must be simple for an average person to understand.
INEC must ensure that going forward that the processes for e-collation is made transparent and even when we eventually go for full blown electronic voting that the transparency will be sustained.
INEC and security agencies like the DSS must recognise that the INEC server is a national security infrastructure and ensure that adequate security protocols are put in place to guarantee its integrity.
There is still a lot of confusion surrounding what was transmitted during the elections. While some say nothing was transmitted others say the entire result were transmitted. There are also another set of people who insist that just the number of accredited voters were transmitted.
From online media accounts, some presiding officers attest to transmitting the entire results while others claim they only transmitted the number of accredited voters.
However, no matter what was transmitted it is clear that INEC’s protocol was not transparent and does not meet the minimum requirement for data validation.
The fact that we are guessing what exactly was transmitted is an indictment on the entire e-collation process.
For e-collation (or even electronic voting) to be valid everyone (Nigerian voters) must know about it and how it works weeks (or even months) before election day.
My only interest here is to let everyone know that the challenge with e-collation is not just about the president signing the electoral act.
When the updated act is eventually signed INEC must also put in place an airtight protocol for data validation and authentication. The protocol must be made public and known by all voters prior to the election.
When we eventually adopt e-collation and e-voting we must ensure we get it right.