Iraq held its parliamentary elections on May 12, 2018, to elect a 329-member Council of Representatives. The Independent High Electoral Commission in Iraq (IHEC) decided to use an electronic voting system that integrates the collection of biometric data for the authentication of identity. This opened up new risks for human rights. First, it is not clear what will happen to the biometric data that has been collected from registered voters, nor how it will be secured. Second, the use of an electronic voting system itself raises questions about the integrity of the vote. After the system was used, authorities ordered a manual recount, citing serious manipulation of the results.
What system did Iraq use to vote?
In September 2013, the IHEC Board of Commissioners decided to implement an automated voter registration system, and in September 2017, the same Board chose to introduce electronic voting and results transmission system that was then used for the May 12 elections. The Board rented a satellite to transfer voter data from 45,000 polling stations across Iraq to the National Center in Baghdad. They also introduced, for the first time, electronic devices for counting ballots, in order to speed up the announcement of results.
When and why did Iraq decide to use biometric ID cards for voting?
On April 29, 2018, IHEC launched a campaign called, “Your card today is your voice tomorrow,” to push full adoption of biometric card technology in the electronic voting system. Local universities supported the campaign to encourage the younger generation and students to register for elections. The rationale for the use of biometrics was to prevent fraud and improve the accuracy of the voter list.
What this meant in practical terms is that IHEC would prepare special electronic biometric cards containing a chip and then store the personal data of the voters.
In 2017, the IHEC asked citizens to head to their local registration centers for the purpose of registering their biometric data. The data collected included all 10 fingerprints, iris scans, a sample of the person’s voice, a personal photo, and other personal data, such as the individual’s name, date of birth, and address. All of the data were stored in a chip-enabled card that is specifically dedicated to voting.
What are the human rights and security risks of using these systems?
The use and storage of biometric data can open a number of security risks, and without proper safeguards for the use of digital ID systems, they can also endanger human rights. In this case, there a number of important questions that need answers. It is not clear who is responsible for saving these data, nor where it is stored. Who has the right to access it? Is it possible to hack and exploit this personal information? Will it be destroyed after elections are held?
According to the head of the IHEC, Riadh Al-Badran, a voter “must not waste his card and keep it, although there is no specific decision on its use for other purposes.”
Civil society in Iraq has nevertheless expressed legitimate concerns about the use of these biometric cards. Would the personal data be accessible to, or even sold, to major international companies? Is the database secure, or will it be an attractive target for hackers — exposing people to the risk of identity theft?
Despite the IHEC claims that a breach or piracy was “not possible,” there have been reports of sabotage, which has led to a manual re-counting of the vote, and has raised serious concerns about the use of biometric IDs and electronic voting in Iraq. Article 17 of the Iraqi Constitution states that everyone has the right to personal privacy, not contrary to the rights of others and public morality. Yet there is no evidence to show the biometric data collected has been destroyed, nor proof that the database is now sufficiently secure.
Why did Iraq cancel the use of the biometric cards?
Only days after the election, Prime Minister Haider al-Abadi announced that there had been serious attempts at fraud and falsification of results. Despite the Commission’s assertion that e-voting was 100% successful, the Iraqi Parliament ordered a manual recount of all ballots, and fired the electoral commission members who oversaw the process. The Parliament passed a law mandating a nationwide manual recount of votes and suspending IHEC’s nine-member board.
Iraqis have expressed their anger over the incident on social media, with many arguing that there are multiple corruption cases related to elections and that biometric-enabled e-voting was a waste of public money and an excuse for the manipulation of personal data.
What happens now?
Iraqi authorities have yet to announce the official election results. So far, they haven’t provided any statement concerning the biometric data that was collected over the last six months. No one knows what the next steps will be to keep the lives and personal data of Iraqi citizens private and secured.
Access Now is deeply concerned about the risks facing Iraqis’ fundamental right to privacy especially given the threats we see in the country today — where bad actors may be able to purchase, sell, and use these personal data in extremely harmful ways. If a government has this kind of personal data in a database and does not take steps to delete it or show that it is being kept secure, privacy is not protected, and neither are the other human rights that privacy enables.