The integrity of Ghana’s electoral process relies not only on fair and transparent voting practices but also on the secure management of voter data. Recent findings have exposed a critical vulnerability in the Electoral Commission's (EC) web-based voter verification system. This flaw enables unrestricted, anonymous access to sensitive voter information, including full names, dates of birth, polling stations, and photographs, without any form of authentication. Simply put, anyone, anywhere in the world, with internet access can retrieve personal voter data without identifying themselves, creating significant risks to voter privacy and data security.
The Vulnerability Explained
The flaw in the EC’s system, known as Insecure Direct Object Reference (IDOR), occurs when an application allows unauthorised users to access private data by manipulating object (data) references, such as voter registration numbers, without proper checks. In the EC’s system, entering a valid voter registration number grants access to an individual’s personal information, with no verification to confirm the identity or intent of the enquirer.
Compounding the issue is a design flaw - the system includes a button that allows users to make additional queries with minimal effort, enabling repeated, automated, or large-scale data access. This lack of basic security awareness not only invites exploitation but also highlights systemic lapses in the EC’s cybersecurity protocols.
Differences Between Restricted and Unfettered Access
While Ghanaian law mandates public exhibition of the voter register, such access is typically restricted and controlled. During voter exhibitions:
- Access is physical and requires individuals to visit designated centres.
- Political party agents are granted access to the register under strict guidelines and oversight.
- The EC can identify those who are given restricted access.
- Any queries regarding another individual’s voter details are documented, allowing for accountability.
In stark contrast, the EC’s web-based system enables unfettered, anonymous access to the same voter information:
- Users can retrieve data from any location without oversight or monitoring.
- Unlike controlled access given to political agents, there is no audit trail or mechanism for the EC to identify who accessed the system and for what purpose.
- This undermines the very controls intended to protect voter data during exhibition exercises.
The result is a complete breakdown of voter data security, eroding the trust carefully built through restricted and regulated access during official processes.
Implications of the Flaw
The consequences of this IDOR vulnerability are severe and far-reaching:
- Privacy Violations: Unrestricted access breaches voters' constitutional right to privacy and contravenes the Data Protection Act, 2012 (Act 843).
- Identity Theft Risks: Exposure of detailed personal information—including photographs and dates of birth—can facilitate identity theft and financial fraud.
- Targeted Attacks: Cybercriminals and scammers can exploit this data for phishing schemes, social engineering, and targeted harassment.
- Mass Data Harvesting: The lack of authentication and security controls allows automated tools to scrape large amounts of voter data effortlessly.
- Erosion of Trust: Such lapses undermine public confidence in the EC’s ability to manage sensitive electoral data securely.
A Comparison to Financial Institutions
To fully grasp the seriousness of this vulnerability, consider the standards upheld in the financial sector. An ATM that does not require a PIN, or a Mobile Money app that allows transactions without authentication, would be regarded as grossly negligent. Any telecommunications company or bank deploying such a flawed system would face lawsuits, regulatory fines, and irreparable damage to its reputation, likely resulting in financial collapse.
The EC’s deployment of a similarly unsecured system for handling sensitive voter data reflects a shocking disregard for cybersecurity best practices and sets a dangerous precedent.
The Baffling Timing of Deployment
Even more concerning is the timing of this system’s deployment. The web-based voter verification system appeared after the 2024 elections, when its utility would have been minimal. Verification systems are most relevant before elections, to help voters confirm their registration details and polling stations. Deploying the system post-election and leaving it vulnerable raises serious questions about its purpose, oversight, and the rationale behind such a decision.
Potential for Spoofing and Scams
This vulnerability also exposes voters to potential spoofing attacks and scams. For instance, a similar issue previously emerged when the EC's SMS-based verification system was active, leading to a typosquatting incident where a single typographical error (71151# instead of 711*51#*) redirected users to what appeared to be a financial services application. Such incidents demonstrate how malicious actors can exploit weaknesses in system design to mislead the public.
By failing to secure the web-based system, the EC risks similar attacks, where fake applications or websites could impersonate the EC’s platform to harvest personal voter data or launch scams.
The EC's Inaction Despite Presidential Intervention
What makes this situation even more alarming is the EC's consistent refusal to act, even after multiple attempts to alert them to these vulnerabilities. In August 2024, I wrote to the EC to report a possible breach of personal voter data following an unsolicited campaign message. Despite follow-up letters and a formal intervention from the Office of the President, the EC failed to acknowledge or address the concerns.
The fact that these issues persist while personal voter data remains exposed online raises serious questions about the EC’s commitment to safeguarding the data it collects. If an institution as critical as the EC cannot take decisive action even after a presidential referral, what confidence can voters have in its ability to secure their information or conduct elections with integrity?
Call to Action
To protect voter data and restore public trust, the following actions must be taken urgently:
- Disable the Vulnerable System: The EC must take immediate steps to prevent further unauthorised access to voter data by shutting down the compromised system.
- Conduct a Full Security Audit: A comprehensive audit of all EC systems must be undertaken to identify and remediate other potential vulnerabilities.
- Implement Robust Security Measures: Authentication protocols, rate-limiting mechanisms, encryption, and detailed audit trails must be implemented to prevent similar incidents.
- Inform and Protect Voters: The EC must publicly acknowledge this issue, notify affected voters, and provide clear guidance on safeguarding their personal information.
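The contrast between the IDOR pattern described under "The Vulnerability Explained" and the controls listed in the Call to Action, shown as an added illustration that is not code from the EC or from the article's author. The register, registration numbers and session shape are constructed placeholders; the hardened lookup requires an authenticated session, limits each voter to their own record, rate-limits repeated queries and keeps an audit trail.

```python
from collections import defaultdict, deque
from typing import Optional

# Constructed sample register with placeholder values (not real voters).
REGISTER = {
    "1234567890": {"name": "Ama Mensah", "dob": "1990-01-01", "station": "A01"},
    "2345678901": {"name": "Kofi Boateng", "dob": "1985-05-05", "station": "B07"},
}

def vulnerable_lookup(reg_no: str) -> Optional[dict]:
    """IDOR: the registration number is the only input, so any anonymous caller
    who supplies a valid number receives the full record."""
    return REGISTER.get(reg_no)

class VerificationService:
    """Hardened lookup: authentication, ownership check, rate limit, audit log."""

    def __init__(self, max_queries: int = 5, window_s: int = 3600):
        self.max_queries = max_queries
        self.window_s = window_s
        self._hits = defaultdict(deque)   # voter_id -> timestamps of recent queries
        self.audit_log = []               # accountability trail for every request

    def lookup(self, session: Optional[dict], reg_no: str, now: float) -> dict:
        # 1. Authentication: anonymous requests are refused outright.
        if not session or "voter_id" not in session:
            return self._deny(None, reg_no, "unauthenticated", now)
        who = session["voter_id"]
        # 2. Authorisation: a voter may only verify their own registration.
        if who != reg_no:
            return self._deny(who, reg_no, "not_owner", now)
        # 3. Rate limiting: bounded queries per sliding time window.
        recent = self._hits[who]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return self._deny(who, reg_no, "rate_limited", now)
        recent.append(now)
        record = REGISTER.get(reg_no)
        # 4. Audit trail: who asked, for which record, and the outcome.
        self.audit_log.append({"t": now, "by": who, "target": reg_no,
                               "result": "ok" if record else "not_found"})
        return {"ok": record is not None, "record": record}

    def _deny(self, who: Optional[str], reg_no: str, reason: str, now: float) -> dict:
        self.audit_log.append({"t": now, "by": who, "target": reg_no, "result": reason})
        return {"ok": False, "reason": reason}
```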
Conclusion
The secure handling of voter data is fundamental to the integrity of our electoral process. The EC’s web-based voter verification system not only compromises this principle but also exposes voters to significant risks. Immediate action is required to disable the system, address systemic cybersecurity lapses, and reassure the public that their data is secure.
The time for accountability and reform is now. Our democracy cannot afford continued lapses in data protection and security.
*******
The writer is a cybersecurity researcher.