South Africa


Election 2019: IEC and Information Regulator must prepare for possible social media manipulation

Information regulator, Pantsy Tlakula (Supplied)

South Africans will be voting in 2019 in what promises to be one of the most hotly-contested national elections. As has been shown in the US, UK and other parts of the world, social media and fake news can be manipulated by those who wish to influence an outcome. Will the IEC and the Information Regulator be up to the job? We asked them.

In light of the announcement of the hacking and holding to ransom of the server of the Liberty Group on Sunday, issues of South Africa’s cybersecurity have been once again highlighted.

South Africans have had first-hand experience with the suffocating embrace, the disorientation and the chipping away at truth that fake news and social media attacks can have on the political landscape.

It was the British PR and “reputation management” firm, Bell Pottinger, contracted by the Gupta family, supposedly to manage their Oakbay account, which helped place the rhetoric of “white monopoly capital” in ANCYL president Collen Maine’s mouth.

It was Bell Pottinger’s Victoria Geoghegan who attempted to buff and salvage Gupta associate Duduzane Zuma’s slight reputation in the country. The firm’s strategy, after many public rebuttals and denials, was finally exposed in a string of emails between Geoghegan, Zuma, and various other players in the State Capture feeding frenzy under Jacob Zuma’s overtly permissive open-purse watch.

Bell Pottinger, after years of acting across the globe with impunity, had its reputation so tarnished through its collaboration with Zuma and the Gupta family, that the firm collapsed before going into administration. This was as a direct result of exposure in the #GuptaLeaks of Bell Pottinger’s manipulation of the South African political landscape.

Writing for the Guardian in May 2017, Alex Hern warned that Facebook had become a key electoral battleground in the UK and that researchers in that country were investigating how automated accounts could be used to “alter political debates online”.

One of the most powerful players in the British election is also one of the most opaque. With just over two weeks to go until voters go to the polls, there are two things every election expert agrees on: what happens on social media, and Facebook in particular, will have an enormous effect on how the country votes; and no one has any clue how to measure what’s actually happening there,” Hern began his piece.

Hern quotes Professor Philip Howard, of the University of Oxford’s “Internet Institute” as saying “I think that there have been several democratic exercises in the last year that have gone off the rails because of large amounts of misinformation in the public sphere.”

In April 2018, the Information Regulator, Pansy Tlakula, issued a statement with regard to the breach by Facebook of the data of some 59,777 South African users which potentially had been shared with Cambridge Analytica.

Tlakula, the country’s former chief electoral officer, was appointed in December 2016, by then-president Jacob Zuma, to head the newly-established Information Regulator conjured to life to ensure compliance with the Protection of Personal Information (Popi) Act and the Promotion of Access to Information Act (PAIA).

Tlakula, after successfully managing and overseeing two national and two local government elections, resigned as chief electoral officer following allegations of maladmistration with regard to the procurement of a lease for the Riverside Office Park in Centurion as the headquarters for the IEC.

In April 2018 Tlakula announced that the IR had written to Facebook to establish if the Cambridge Analytica leak had in fact occurred, the extent of it, and what interim measures were being put in place to prevent a repeat of the breach.

The alleged Facebook data breach follows the data breach which occurred in mid-October 2017 in which it was reported that 27.2 GB database file name: ‘masterdeeds’ compromised on the Go Vault platform operated by Dracore,” said Tlakula in a statement adding “following these reports the regulator wrote to all the parties that were implicated in the alleged breach and subsequently convened a meeting of various government institutions involved in the investigation of the alleged material data breach.”

These institutions included, she said, the SAPS, the Hawks, the National Prosecuting Authority (NPA), Department of Rural Development, the National Credit Regulator and the Association of Credit Bureaus.

The meeting agreed to establish a task team comprising of the representatives of the above mentioned institutions to ensure a multi-disciplinary approach to the investigation.”

Daily Maverick sent several emails and follow-up emails to the address Tlakula listed in her media statement and which is also listed on the IR website with a list of questions.

We waited for a week for a reply or an acknowledgment of receipt but none was forthcoming. These were the questions we would have liked the IR to reply to.

  • What has come out of the Chief Information Regulator’s enquiries with Facebook about the Cambridge Analytica breach?

  • A task team comprising the representatives of the South African Police Service specifically the Hawks, the National Prosecuting Authority (NPA), Department of Rural Development, the National Credit Regulator and the Association of Credit Bureaus was set up following the Cambridge Analytica data breach. What work has the task team undertaken?

  • What does the inclusion of the Hawks and NPA signify?

  • What is the responsibility of Facebook and Twitter in relation to ensuring that the platforms they provide are not used by foreign powers to interfere in the sovereignty of another nation, including in another nation’s elections?

  • The EU’s new General Data Protection Regulation (GDPR) sets a new standard for privacy regulation across the world. The EU has indicated that any organisations that don’t comply with the GDPR will be fined heavily. This would include South African firms that hold EU customers’ personal data. What is the Chief Information Regulator doing to attune South African companies to the need to comply?

Our questions to the IEC with regard to its role in monitoring media coverage, including social media, the potential for fake news or Twitter bots aimed at undermining either candidates, other public figures or journalists covering the election.

The IEC responses were as follows:

DM: What, if anything, is the IEC doing to mitigate against the possibility of foreign actors interfering in South African elections through manipulation via social media?

IEC: Threats to democracy and elections by all types of cyber-attacks are receiving worldwide attention. Any illegal activities with regards to social media as it relates to the mandate of the Electoral Commission will be dealt with by law enforcement agencies.

DM: What safeguards does the IEC have in place to ensure that the election IT systems are not tampered with in anyway whatsoever?

IEC: The Electoral Commission has deployed quality assurance processes and systems monitoring audits while maintaining openness and transparency.

DM: What safeguards are there against hacking of systems?

IEC: Deployed security systems to monitor , identify threats and vulnerabilities towards our ICT.

DM: Why is the IEC’s tender dealing with media monitoring for the IEC focused heavily on coverage of the IEC and how the IEC is perceived as opposed to monitoring how the election is being covered?

IEC: The media monitoring tender is specifically designed to monitor coverage of the mandate of the Electoral Commission as it relates to newsrooms.

DM: Will there be any media monitoring relating to coverage regarding areas where election violence may be of concern?

IEC: The Electoral Commission broadly monitors the coverage of news including areas where there are reports of violence.

DM: What does the IEC consider to be its role in terms of keeping election- related violence to a minimum?

IEC: The Electoral Commission collaborates with the security cluster on election-related violence. Our core mandate is to administer elections while the security cluster deals with issues of elections violence.

DM: Does the IEC regard the anger that can be generated on social media with regard to emotive topics as a risk in terms of heightening tensions that can lead to election related violence?

IEC: The anger that is generated on social media is beyond the mandate of the Electoral Commission, however any election-related violence remain a serious concern to the organisation, hence our collaboration with the security cluster.

DM: Will the IEC be monitoring Twitter bot activity and if so, how? (For example, Twitter bots attacking the character of certain politicians or journalists as they report on the elections).

IEC: The Electoral Commission monitors social media as it relates to its mandate, a dedicated media monitoring company will be responsible for collating this information on our behalf for our consideration.

DM: Will the IEC be monitoring for fake news relating to the elections? What will it do if fake news is detected?

IEC: The Electoral Commission already has regulations in place (Electoral Code of Conduct) which make the publishing of false information regarding a political party or candidate an offence.

DM: What became of the Chief Information Regulator’s enquiries with Facebook about the Cambridge Analytical breach?

IEC: Refer to the office of the Information Regulator.

DM: A task team comprising the representatives of the South African Police Service specifically the Hawks, the National Prosecuting Authority (NPA), Department of Rural Development, the National Credit Regulator and the Association of Credit Bureaus was set up following the Cambridge Analytica data breach. What work has the task team undertaken? What does the inclusion of the Hawks and NPA signify?

IEC: Refer to the task team.

DM: The IEC/ICT-01/2017 ICT professional services tender was to set up a panel of 10 ICT service providers. The successful companies were: AfriGIS, PriceWaterhouseCoopers, Datacentrix (Pty) Ltd, Zakheni ICT (Pty) Ltd, Exponant (Pty) Ltd, Nambiti Technologies (Pty) Ltd, Accenture South Africa (Pty) Ltd, TTH Invasion (Pty) Ltd, Computek Networks (Pty) Ltd and Faranani IT Services (Pty) Ltd each to the amount of R28,000,000. What is the rationale behind the panel of ICT service providers approach? Is this tender designed to ensure free and fair elections? Will this approach in any way distort the IT services provided?

IEC: The rationale is to create a pool of service providers with necessary skilled professionals readily available to draw from as and when required.

DM: How is the issue of needing to register people on the voters roll using proof of address being resolved? To what extent is the work on updating the voters roll complete? What if people can’t produce proof of address because they live in a rural area or township or are homeless and where such proof is tricky to provide? Will their right to vote be undermined?

IEC: Proof of address is not a legal requirement. The right of every registered voter is protected in terms of the constitution of the Republic of South Africa and various electoral legislation and regulations.

In March 2018 IEC chairman Glen Mashinini told MPs that the commission worked in a “challenging environment” and that the current political dynamics in the country would render the 2019 election “robust”.

The IEC was, MPs heard, upgrading its technology and needed to incorporate location-based technologies into the old registration database. Sy Mamabolo, IEC chief electoral officer, said the tender for 38,000 new generation registration devices was in the final stages of evaluation and that delivery had been scheduled for July 2018.

The IEC had a R1.8-billion budget for the financial year but was negotiating with the Treasury for more as the bulk of this budget went into the printing of ballot papers, training staff and equipment.

The internet might provide a virtual space for global interconnectivity but it is also a realm that offers easy pickings for those of ill-intent. The IEC has left the questions it could not reply to the Information Regulator. Now if any of you have a direct line let us know and we’ll call the pigeon back with the written version. DM


Please peer review 3 community comments before your comment can be posted