Tag: Privacy

Barbados’ Digital Aspirations: A Reality Check

nielharper

In a recent Barbados Today article, the CEO of the newly minted GovTech Barbados stated with confidence that the country is “on the brink of a sweeping digital transformation, with a particular focus on enhancing its cybersecurity infrastructure.” While the ambition is commendable, it’s crucial to examine these claims with a critical eye. As someone deeply involved in the tech sector for almost 30 years, I find several elements of this grand vision questionable at best, and potentially misleading at worst.

The ‘Conundrum’ of the Tier 3 Data Center

The government’s plan to establish a Tier 3 National Data Center sounds impressive on paper. However, this claim ignores several fundamental realities of Barbados’ infrastructure, market conditions, and human capacity.

Costs

With a monopoly electric company serving the entire island, is it even possible to achieve the redundancy and reliability required for a Tier 3 facility in a cost effective manner? Tier 3 data centers demand multiple, independent power distribution paths. In the Uptime Institute tier model, onsite power is the only reliable source of power – it is completely within the span of control of the organization, with no conflicting external entity’s profitability goals. Given the high costs of commercial power in Barbados ($0.33 per KWh – one of the highest in the world), and the even higher costs associated with operations and maintenance for onsite generated power, has the government properly assessed the overall costs of delivering the power requirements for a Tier 3 data center?

In addition, a Tier 3 data center requires the installation of redundant systems in terms of uninterrupted power (UPS), direct current battery plants, diesel-based power generators, and HVAC systems, including heating (H), ventilation (V) and precision air conditioning (AC). Below is an overview from Kio (a global data center company) in US dollars of the costs of building out such facilities.

With regards to network connectivity, a Tier 3 data center must have multiple Internet service provider connections and dedicated fiber optic cabling. This is particularly challenging as telecoms costs in Barbados are phenomenally high when compared to the global average. Furthermore, a mile of fiber optics can cost upwards of $250,000 USD. Then there are the incremental costs for perimeter control/fencing, access control systems, metal detectors, video monitoring, fuel tanks, telecoms grounding and lightning protection, fire suppression, racking hardware, networking equipment, server infrastructure, tier certification, etc. I will address the costs for staffing in greater detail in the next section.

The capital expenditure (CapEx) and operational expenditure (OpEx) can quickly skyrocket. My conservative estimation is CapEx of approximately USD$20 million for the greenfield build-out of the Tier 3 facility and USD$5-10 million in annual OpEx to successfully run it.

Taking into consideration that Tier 3 data centers usually have a commercial model, it would be good if the government can explain to the general public how the build-out is being funded, whether taxpayers will be expected to cover the costs, will more loans and increased debt be involved, how will the return on investment (ROI) be achieved, what does the total cost of ownership (TCO) look like over a 5-10 year period, and other related financing and cost recovery details.

Talent

Another area worth a deeper dive is the talent associated with the operations and maintenance of a Tier 3 data center. For operational sustainability, staffing must be divided into three (3) categories.

  • Headcount: The number of personnel needed to meet the workload requirements for specific maintenance activities and shift presence. Assuming a 24x7x365 operation, headcount will be needed to cover daily administration, preventative maintenance, corrective maintenance, vendor support, project support, and tenant work orders.
  • Qualifications: The degrees, certifications, technical training, and experience required to properly maintain and operate the wide array of installed infrastructure.
  • Organization: The reporting structure for escalating issues or concerns, with roles and responsibilities defined for each group.

Most of the persons on-island that meet these requirements are employed by Digicel, Flow, or commercial banks. The remaining talent would have to be sourced from overseas. What is the government’s strategy for attracting and retaining this level of talent? How will they do so in a fiscally responsible manner? Has a skills gap analysis been performed for the public sector? Is there a talent management and professional development plan to ensure that this digital initiative is adequately resourced from the human capital perspective? 

Environmental Impact

Data centers are responsible for an enormous negative environmental impact: their gluttonous annual consumption of electricity, greenhouse gas emissions, heavy water consumption, generation of toxic electronic waste, and other types of direct and indirect ecological harms are of a major concern. In conformity with the United Nations Sustainable Development Goals (UN SDGs), the potential environmental impact of data centers should be numerically assessed to compare to the environmental capacity and chart a plan towards sustainability.

Has the government completed an environment impact assessment (EIA) for the data center facility? Have they engaged surrounding residents to discuss the known issues with data centers, including noise pollution and drought risks? Given the government’s commitment to climate change, what are their plans for the Tier 3 facility vis-a-vis carbon-neutrality, carbon offsetting, and investment in renewable energy systems like wind and solar? What is the government’s broader toxic electronic waste disposal strategy? 

The “Sovereign Cloud” Misnomer

The term “sovereign cloud” has been tossed around, but it appears to be more buzzword than substance. In the tech world, a sovereign cloud typically refers to public cloud services that treat workloads as if they’re in the client’s home country, even when physically hosted elsewhere.  Sovereignty requirements mandate that customers’ usage of what’s typically understood as public cloud must be immune from the impact of foreign laws and mandates; sovereignty overall is then a key requirement for consideration alongside other controls requirements such as security, resilience, data residency, and privacy. These factors generally apply when a government or international organization is purchasing services from an overseas-based cloud provider.

What GovTech Barbados is proposing is simply a government-owned data center located on Bajan soil. It’s inherently sovereign, but a “sovereign cloud” it isn’t – it’s just a standard approach to local data hosting. By misusing this term, are they trying to make a normal infrastructure upgrade sound more innovative than it really is?

The vast majority of the government’s public sector computing environment is based on traditional client-server architecture and on-premise data processing. There’s nothing specifically “cloud-centric” about it. Bearing that in mind, it would be good to better understand the government’s future state cloud architecture. How will cloud-related skills be obtained in the public sector where they currently don’t exist? What’s the overall enterprise architecture model? How will they transform deeply antiquated, siloed and fragmented government systems into a cohesive architecture premised upon modern cloud technologies? What cloud solutions will be used for orchestration, observability, infrastructure, databases, etc.? How will existing infrastructure and applications be refactored to be cloud native? Is their approach based on private cloud, public cloud, or multi-cloud? Have disaster recovery needs been considered? Has the partner/vendor ecosystem been defined? What about third-party risk management (TPRM)? These questions and more need to be answered.

The last 2 questions are especially pertinent given the announced partnerships with Promotech and Fortinet – The former (Promotech) is a consumer electronics retailer with zero credentials in deploying complex, secure, enterprise-scale technologies and the latter (Fortinet), while a solid cybersecurity solutions vendor, requires advanced expertise to properly deploy and manage their equipment. Fortinet is also known to be quite expensive in terms of professional services and they have had a number of security issues in recent times.

Cybersecurity: Promises vs. Reality

The government’s emphasis on cybersecurity is not new. In fact, it’s a tune we’ve been hearing from as far back as 2012. Over the last 10 years, the Government of Barbados has received substantial funding from various international bodies to enhance its cybersecurity posture. Yet, where is our national cybersecurity unit? Why is our cybersecurity maturity so low compared to other developing countries such as Botswana, Cuba, Ethiopia, Ghana, Guyana, Jamaica, and Kenya, among others?

And despite numerous cybersecurity assessments, strategies, and roadmaps conducted by international organizations (e.g., ITU, OAS, European Commission, etc.), we seem no closer to establishing a robust cybersecurity framework than we were a decade ago. 

In the International Telecommunications Union’s (ITU’s) recently released 2024 Global Cybersecurity Index, Barbados scored quite poorly against the Americas regional average (see below).

With this ITU ranking as a backdrop, it has to be said that the GovTech Barbados announcement feels like déjà vu. What’s different this time? How can we trust that these plans will materialize when similar promises have fallen flat repeatedly? Amidst the talk of setting up a national cybersecurity unit, is Mr. Boyce aware that the responsibility for national cybersecurity lies with the Barbados Defence Force (BDF) Cyber Unit? Has he consulted with anyone on what was the mandate, scope, and lessons learned from the government’s failed Cyber Security Working Group (CSWG)? Has someone told him that in recent years, a Barbados Computer Emergency Response Team (BCERT) was funded by international donors, an office location and equipment was setup, but the CERT was never staffed or actually operational? To be frank, he seems quite unaware of what has transpired in the nation’s cybersecurity landscape over the past 5-7 years.

The Spectre of Abuse, Censorship, and Exclusion

While the government touts the benefits of centralized digital infrastructure, we must also consider its darker implications. A nationally controlled data center, pervasive e-government systems, and fully integrated identity-based platforms can easily become powerful tools for abuse of authority, mass surveillance, and oppression. These risks are even more pronounced with GovTech’s proposed use of artificial intelligence (with no regulatory safeguards) and the government’s insistence on implementing poorly drafted and potentially rights-violating cybercrime laws.

Myself and others have raised serious concerns, including worries about how new citizen-centered digital services are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rights. In the context of human rights, the risks are related to the right to privacy, freedom of movement, freedom of expression, and other protected rights. For example, GovTech has stated that they plan on “releasing certain public datasets” in order “to spur the development of new products and services from local tech companies.” Government must be transparent on whether or not personal data will be involved and how these decisions align with the Data Protection Act, including what risk assessments and security countermeasures will be put into place to prevent material harm to individuals.

With all government data and services funneled through a single point, the temptation for overreach becomes significant. Who will oversee this system? What checks and balances will be in place to prevent abuse? The ability to control information flow and access to digital services could be weaponized against dissenting voices or used to manipulate public opinion.

We must demand clear, legally robust safeguards against such misuse. Without them, our journey towards digital transformation may well become a path to digital authoritarianism.

The Bigger Picture

While digital transformation is undoubtedly crucial for Barbados’ future, we must approach these grand declarations with healthy skepticism. Are we genuinely prepared for the scale of change being proposed? Do we have the necessary infrastructure, expertise, and, most importantly, the political will to see these projects through?

Moreover, in our rush to digitize, are we addressing more fundamental issues? Can we talk about advanced data centers when parts of our island still struggle with basic Internet connectivity? Are affordable Internet and telecoms services even attainable when the regulating functions within the Ministry of Industry, Information, Science and Technology (MIST) and the Fair Trading Commission (FTC) are incapable of delivering core consumer benefits (e.g., consumer protection, service quality, diverse product and services offerings, affordable prices, etc.)? Can we really talk about cybersecurity when breaches of government IT systems are the norm as opposed to the exception? Why are the bulk of e-government services still lacking in accessibility features for the differently abled?

Mr. Boyce emphasized that, “The National Data Centre will allow the government to take a more data-driven approach to governance.” Data centers and data governance are both important for the country’s data-driven future, but they have very different focuses, and the links between the two are tenuous. A data center is a physical facility that is used to house IT infrastructure, applications, and related data. Data centers are designed based on technology components: networks, computing, and storage resources that enable the delivery of shared applications and data. Data governance involves the management of data quality, security, usability, and availability. It is oriented towards people and processes – policies, procedures, roles, and metrics which ensure data is leveraged efficiently and effectively. Data governance can help the government and private corporations make better decisions, reduce costs, and comply with regulations such as the Data Protection Act (DPA), General Data Protection Regulation (GDPR), and others. However, one can have a data center and still have poor data governance or you can have no data center and have strong data governance. There are literally no dependencies of either element on the other.

“A key aspect of the digital transformation plan is to integrate digital services, allowing ministries and departments to collaborate seamlessly. Initiatives such as digital identifiers and signatures will enable citizens to access multiple services through a centralized portal, gov.bb, reducing fragmentation in the current system.” This statement from the CEO of GovTech is quite worrisome. Does he know that over the last 4 years there was an IDB-funded e-Services Project with these same objectives that failed spectacularly? Does he realize that the National Digital ID project – another public sector IT project that was poorly executed – was designed to provide centralized identity-based services to citizens, including digital identifiers and signatures?

The fact remains that IT projects for the Government of Barbados seldom fail due to technology-related issues. The technologies are generally sound and fit for purpose. Leadership-related issues are at the core of these repeated failures. A lack of skills in managing complex, large scale IT projects is also a major factor, which leads to a corresponding inclination to rely instead on outsourcing to consulting firms or a heavy dependence on the professional services arms of vendors. The problem here is that government employees lack the capabilities to manage these third-parties, are unable to meet government-owned deliverables, or impose unrealistic / infeasible requirements on experts that actually know what they’re doing. In addition to the absence of skills for managing large IT efforts in general, there are also huge deficiencies in change management skills in particular.

A Call for Transparency and Realism

As citizens, we deserve more than lofty promises and tech jargon. We need a clear, realistic roadmap for digital transformation that acknowledges our current limitations and outlines concrete steps to overcome them.

Instead of grand visions, let’s start with achievable goals. Develop a strategic roadmap that has a long-term arch and practicality that survives biased political motivations and changes in government administrations. Improve our basic digital infrastructure and access to it for all. Invest in education to build a tech-savvy workforce. Ensure that our legal and regulatory framework supports open, accessible, secure, rights upholding, and citizen-centric digital services. Create governance, risk, and oversight mechanisms which guarantee that projects deliver tangible value, not just headlines.

Barbados has the potential to become a digital leader in the Caribbean, but not through wishful thinking. We need honest assessments, pragmatic planning, and, above all, a commitment to turning words into action. Until then, these digital aspirations will remain just that – unfulfilled aspirations.

2024 ISC2 Global Achievement Award

nielharper

I am pleased to announce that I am the recipient of the 2024 ISC2 Global Achievement Award in the Senior Professional (EMEA) category. The award recognises an individual regionally who has significantly contributed to the enhancement of the cybersecurity workforce by demonstrating a leadership role in their profession.

Cyberspace is only as secure, resilient, and prosperous as its weakest link. This is why I have committed over a decade of my life to developing the next generation of digital trust professionals across the globe. ‘Cyber capacity building’ is a vital need for every nation state in order for citizens to benefit from digitisation while ensuring that critical national infrastructure and digital assets are protected.

This award is testament to my work across the globe addressing the complex risks associated with cyberspace and pervasive digitisation, and ensuring that individuals, communities, corporations, and governments are equipped and empowered to mitigate these risks.

Let me also give a shoutout to Sametria McKinney from The Bahamas who won the same award in the Americas category 🙏🏾 She’s a superstar!!!

The Caribbean is WINNING!!!!!

You can explore the other recipients on the awards landing page.

Cybersecurity Risks and Solutions in Outsourcing

nielharper

Q: How can generative AI be leveraged to enhance defensive capabilities and support the work of cybersecurity professionals?

A: AI and related features such as machine learning, natural language processing, data mining, predictive analytics, behavioral analytics, and automated decision-making can be used to recognize patterns and learn from past incidents, interpreting human language and democratizing security decision-making across relevant teams, extracting valuable patterns and insights from large datasets, forecasting potential threats based on historical data, monitoring and analyzing user behavior to detect anomalies, and enabling quicker, data-driven responses to identified threats.

Still, AI has become a buzzword recently and is by no means a panacea or replacement for good security practices. Cybersecurity professionals must still develop competencies in delivering the core basics of day-to-day operations—risk assessment, asset management, vulnerability management, security architecture, secure software development, identity and access management, audit logging and monitoring, etc.”

I very much enjoyed this interview with Hugo on third-party risk management (TPRM), especially around clarifying how strong TPRM controls can allow businesses to reap significant benefits from outsourcing key business processes (e.g., cost savings, leveraging specialised talent, productivity, scalability, optimisation of of advanced technologies, strengthening data security, increased global footprint, etc.).

You can view the full interview at this link.

The Lacework Modern CISO Network: Board Book

nielharper

“When boards fail to adequately oversee a growing risk with potentially catastrophic consequences, it’s a serious issue.

Yet, the problem remains — and often goes undetected.

Cybersecurity-related discussions in boardrooms sometimes seem to offer great promise; but in reality, they are unproductive sessions that lead to unfulfilled hopes. On the flip side, sometimes important issues are raised and directors do not sufficiently comprehend the matter under discussion. When board members do have technical knowledge, but are unfamiliar with both cybersecurity at the strategic level and the process of security oversight, boards seem to make other time-sucking errors that can create dangerous failures of oversight.

Finding board members who can successfully blend cybersecurity know-how with business acumen is not an easy task. According to the IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.

It is this challenge that this publication seeks to reconcile.”

The Modern CISO Network: Board Book offers boards a directory of experienced experts ready to advise and guide businesses as they navigate the complex world of cybersecurity. By arming companies with a diverse directory of CISOs and other cybersecurity leaders with relevant expertise both in terms of cybersecurity and business acumen, the board book will hopefully make it easier for companies to improve their resilience against modern-day threats.

Transitioning from a techie to a business leader is one the most valuable steps that a CIO or CISO can take, and provides immense value to both the individual in their professional journey and to the organization in terms of addressing pervasive business risks.

I am happy to be featured in the Board Book alongside some of the most outstanding board-ready CISOs in the world. I tip my hat to each and every one of them!

ISACA Board Director Niel Harper Secures a Role on the Professional Standards Working Group of UK Cyber Security Council

nielharper

“The UK Cyber Security Council has announced that Niel Harper, a cybersecurity executive and member of the ISACA Board of Directors, has secured a role in its Professional Standards Working Group. This appointment is an important recognition of Harper’s expertise and contributions to the field of cybersecurity.”

Workforce development is critically important to the security and resilience of nation states (and organizations as a matter of fact). There is diversity in the breadth and depth of cyber security skills required across government. These include deep technical skills and the non-technical cyber security skills that are needed across other specialisms and professions, such as digital, policy, commercial and assurance.

Guided by the standards and pathways established by the UK Cyber Security Council, the UK government will develop its understanding of the range of cyber security skills and knowledge required across government and will respond accordingly, ensuring that its workforce is inclusive and diverse.

I am honoured to have been chosen to join the Professional Standards Working Group of the UK Cyber Security Council. Collaborating with top experts in the field to shape the future of cybersecurity standards in the UK is an exciting opportunity.

No, We Don’t Need Generative AI Meddling in Our CI/CD Pipelines!

nielharper

Infosecurity Magazine recent published an articled titled ‘ChatGPT Leveraged to Enhance Software Supply Chain Security.’

In the article, Neatsun Ziv, CEO and co-founder of OX Security, said that the utilisation of AI tools will provide faster and more accurate data to developers compared to other tools, allowing them to repair security issues far more easily. Harman Singh, managing director and consultant at Cyphere, said that he expects ChatGPT and other generative AI models to make accuracy, speed and quality improvements to the vulnerability management process.

In my opinion, we really don’t need ChatGPT or other generative AI models writing code or integrated into vulnerability management processes. These tools are way too rudimentary and unreliable for such important tasks.

We need to train software developers on secure coding, for example on general standards like Building Security in Maturity Model (BSIMM), OpenSAMM (Software Assurance Maturity Model), and Open Web Application Security Project (OWASP) and on specific frameworks they use such as Angular, Laravel, Flutter, Ruby on Rails, .NET, and others.

We need strong access controls for repos and pushing updates to repos. We need tooling that creates SBOMs, detects bugs and vulnerabilities in code, and analyses dependencies for vulnerabilities and excessive permissions, among other things. We need effective and repeatable security architecture, patch mgmt and vulnerability mgmt tools and processes. We need software developers who are competent in threat modelling as well as in security by design and privacy design principles.

We DO NOT need generative AI meddling in our CI/CD pipeline and SSDLC (particularly right now)!

Regulating AI Tech is No Longer an Option: It’s a Must!

nielharper

“Responsible, ethical use of AI is the key. From a corporate perspective, business leaders need to articulate why they are planning to use AI and how it will benefit individuals. Companies should develop policies and standards for monitoring algorithms and enhancing data governance and be transparent with the results of AI algorithms. Corporate leadership should establish and define company values and AI guidelines, creating frameworks for determining acceptable uses of AI technologies.

Achieving the delicate balance between innovation and human-centered design is the optimal approach for developing responsible technology and guaranteeing that AI delivers on its promise for this and future generations. Discussions of the risks and harms of artificial intelligence should always be front and center, so leaders can find solutions to deliver the technology with human, social and economic benefits as core underlying principles.”

I recently wrote a short piece on the ISACA Now Blog explaining why a robust framework of laws and regulations are needed for the potential of “AI” to be truly realised.

Check it out and let me know your thoughts!

12 CISO Resolutions for 2022

nielharper

At the beginning of January, my peers and I shared our security and privacy resolutions for 2022 with CSO Online. The full article can be found here on their website.

However, I wanted to further elaborate here on my plans for privacy and security across the enterprise this year.

I have a couple of resolutions for the upcoming year. Firstly, I want to focus more energy and resources on privacy and data. My second resolution is to refine and enhance the control framework around third-party risk management. In third place, but definitely not of lesser importance, is improving my enterprise’s protection against ransomware. The next resolution on my list is continuing to advocate the importance of email security to every business leader I meet; I am specifically referring to Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF). Finally, I want to gain more control over ‘shadow IT.’

With regards to privacy and data, it’s not only about responding to growing demands from GDPR and other national and regional privacy regulations. It’s just good practice to get a solid handle on where business-critical data assets reside and how this data moves inside and outside of your organization, ensuring that you have adequate and effective controls to prevent data leakage and privacy rights violations (and of course avoid fines). Over 55% of data breaches are now caused by a third-party, so ensuring that I have an efficient, standardized approach for assessing third party risk will most definitely reduce privacy and security exposures from vendors, services providers and even contractors. Ransomware continues to increase in terms of prevalence and severity, so a strong prevention and response strategy is key to operational, financial, and reputation risk reduction. Email security in some form has been around since the early 2000s, and yet less than 35% of companies have implemented DMARC, DKIM and SPF. The value of these technologies in combating brand impersonation, reputation damage, and phishing attacks can’t be emphasized enough. Shadow IT in basic terms means that you’ve lost control and visibility into your IT environment, and if you can’t account for IT assets, you can’t protect them.

My approach to privacy and data governance is premised on user/cultural awareness, end-to-end risk assessment, detailed records of processing activities, effective incident response, strong security controls, and building capabilities to integrate ‘privacy by design’into the CI/CD. I plan to move away from using spreadsheets and manual processes to manage third-party risks, and instead leverage best-of-breed software tools that analyze, track, and minimize risks arising from supply chain exposures. With ransomware, my objective is to incorporate identity and access governance, multi-factor authentication (MFA), advanced honeypots, endpoint detection and response (EDR), and multi-tiered backups (3-2-1 strategy) into a cohesive ransomware prevention strategy. As it pertains to email security, my focus is less about my own shop (we’re already there) and more about assisting my peers and small to medium enterprises (SMEs) in properly setting up DMARC, DKIM, and SPF. Preventing shadow IT begins with enhancing usability and eliminating risky workarounds by removing the hindrances that foster them (i.e., being more agile in addressing discrete stakeholder requirements in close collaboration with the IT function).

Pandemic Democracy: COVID-19 And Election Management

nielharper

Elections are large, social gatherings that involve masses of individuals and galvanise entire societies. No other national operation presents a similar degree of operational magnitude, legal and procedural complexity, and broad-based participation.

The COVID-19 pandemic has quickly disrupted elections, creating new pressures and challenges on how they are managed. The key public health threat associated with elections stems from the need for voters to cast their ballots in person, at a polling stations, most often on a single day. Caribbean nations are particularly impacted as they don’t generally support absentee voting, provisional balloting, early voting, or e-voting (in-person or online).

On January 9th, I participated in a Town Hall discussion hosted by the University of the West Indies – Cave Hill Campus.

The panel was predominantly made up of very experienced and highly capable election management professionals, with myself being the sole expert focusing on leveraging technology to guarantee the representativity and legitimacy of the democratic process. My contributions were specifically around the following areas:

  • Guaranteeing access to the voter registration list in a secure and privacy enabling manner
  • Ensuring speed and transparency in counting votes by moving to secure, electronic systems
  • Emergency planning in response to situations like national disasters and pandemics
  • Accommodation for hospitalised voters
  • Staffing electoral commissions with key IT and information security resources
  • The need for government investment in the digitalisation of elections

It was a very stimulating discussion, and I want to express my gratitude to the University of the West Indies for inviting me. Additionally, I want to thank the panelists and the moderators (Professor Cynthia Barrow-Giles and Dr. Dalano DaSouza) for sharing their ideas and insights.

Why the Barbados Election List Data Leak is Problematic – And How it Could Have Been Prevented

nielharper

On 27 December 2021, the Prime Minister of Barbados Mia Amor Mottley scheduled a snap election for 19 January 2022.

On 29 December 2021, a full data dump of all eligible voters in the country was published by the Government of Barbados on the open Internet. This occurred largely because the Representation of the People Act 13(1) states “The [Electoral] Commission shall cause to be prepared and shall publish not later than the 31st day of January in every year a register of electors for each constituency and a register of foreign service electors entitled to vote at any election.” 

In the past, this list was made available in somewhat controlled environments to be queried by election officials, candidates, voters, etc. to ensure that elections accurately reflected the will of the people (in most all cases it was usually printed and held at libraries, constituency offices, polling stations, etc. to be reviewed by interested parties). To limit congregation of individuals in the previously mentioned locations during COVID-19 times, it was decided to publish the full voters list on the Internet to ensure access for all.

The 5250-page list contains approximately 250,000 individual records with the below personally identifiable information (PII). *

  • Last Name
  • First Name
  • National Registration Number (similar to a Social Security Number in the United States)
  • Gender
  • Date of Birth
  • Residential Status
  • Constituency (Voting District)
  • Home Address

* The total population of Barbados currently hovers around 290,000 persons.

Instead of this data being restricted to a few thousand persons in Barbados, it was now accessible by all 4.6 billion Internet users, exposing 250,000 Barbadians to increased risks of data misuse and abuse, fraud, identity theft, and other financial and reputation risks. The information was quickly downloaded and posted on Reddit and a number of hacker/fraudster sites on the Dark Web, making it perpetually available to malicious actors. There is also a high physical risk to individuals with regards to stalking, home invasions, robberies, rape, etc.

PII, also referred to as personal data, covers a wide variety of information that can identify a living individual. If a piece of information is unique to that person, it can lead back to them in several ways, and it is private and needs to be protected with the greatest care.

Why Does Personal Data Need to be Kept Safe?

The reason this type of information requires protection is that it can be used to commit fraud or to steal an individual’s identity.

Depending on what a thief is trying to accomplish, he will need different types of information. To open specific accounts all that is needed is an email address, while in other cases an individual’s name, address, date of birth, a national registration number, and other information may be required.

It’s also critical to note that accounts of all types can be opened over the phone or via the internet without having to physically visit a location for your identity to be verified. This provides opportunities for criminals with appropriate stolen information to open bank accounts, enter into contractual agreements, or make claims using someone else’s information or identity.

If a criminal is fraudulently using your information, you might not even know it. They may not use the credit card you already own to make purchases (in which case you might catch them by looking at your purchase history). Most often, criminals open up new, separate accounts using the victim’s information, leaving the victim unaware of the damage that is being done until years after the fact. In that time criminals can rack up a lot of debt using your identity.

How Can Identity Thieves Use Your Personal Data?

There are several ways which identity thieves can use your personal data, including but not limited to the following:

  • Open a new credit card account.
  • Create fake social media accounts with your identity (e.g., Facebook, Twitter, Instagram, etc.).
  • Take out a commercial bank loan.
  • Obtain and use your debit card to withdraw funds.
  • Change your billing address so your bills will no longer be delivered.
  • Obtain expensive medical care or procedures.
  • Open new utilities accounts in your name (e.g. electricity, water, natural gas, etc.).
  • Obtain a mobile phone service.
  • Open a bank account, obtain a cheque book, and write bad checks.
  • Obtain a new driver’s license or national ID.
  • Use your information when arrested or in a court action.
  • Engage in bullying, stalking, harassment or otherwise cause fear.
  • Inflict severe reputation damage.
  • Combine it with additional data gathered from the Internet (e.g., Google search, Facebook, Instagram, LinkedIn, etc.) to create even more detailed profiles of individuals.

How Long Does It Take Fraudsters to Use Stolen Personal Data?

In 2017, the Federal Trade Commission (FTC) in the United States demonstrated how criminals can use your personal information within minutes. The FTC developed fake personal data and posted it on a website that hackers use to make stolen information available. It took a mere nine (9) minutes for the fraudsters to access the information, and over 1,200 attempts were made to access email, credit card and payment accounts. The research confirms how valuable personal information is to identity thieves, and if they can gain access to it, they will most definitely use it.

What Should the Government Have Done Instead?

While it’s not an exhaustive list, below are some of the key steps the government should have taken.

From a technology perspective, a searchable database should have been published on the Government Information Service (GIS) portal, where individuals could use personal data which they already knew to confirm that they were on the voters list. The full database could have been provided to election officials and campaign managers using a digital rights management (DRM) solution to control access and distribution of the document. 

The Data Protection Act was approved by Parliament in July 2019 and came into force in March 2021. This statute introduces a strong privacy and data protection regime in Barbados, and its wide-reaching impact on overall data governance across sectors and industries should have triggered key updates to existing legislation, processes and operational guidelines (including the Representation of the People Act and any other legislation involving personal data processing). And this doesn’t even address the urgent need for broader legislative reforms in the country. There are way too many outdated pieces of legislation which are incompatible with progressive changes in technology, changing community awareness, changing community values, and changing expectations of the legal system.

Appropriate funding should be allocated to the Office of the Data Protection Commissioner to better equip them in investigating and monitoring data breaches and providing other types of regulation involving the public sector. Additionally, these financial resources can be used to deliver privacy awareness training to educate government personnel on how to protect individual privacy in their daily work. Simultaneously, a public campaign should be started to achieve broad public awareness on all issues related to the Data Protection Act and the new legal framework created. The Office of the Data Protection Commission is severely under-resourced at present, making it virtually impossible to implement and enforce the Data Protection Act, which focuses largely on preventing exactly these types of data leakages. For example, adhering to the principle of data minimisation would have significantly reduced the risk and impact of publishing the entire voters list. By this I mean the narrowing of data collection and processing to strictly what is needed – In this case, there is absolutely no reason to publicly release the National Registration Number (NRN) and Date of Birth of all eligible voters.

Why the Electoral and Boundaries Commission (EBC) is Dead Wrong

The Electoral and Boundaries Commission (EBC) has strongly (and wrongly might I add) defended its decision to publish the voters list online. Their position is that “We are obligated to publish the list now electronically so that more people can have access to it.” Chairman of the EBC Queen’s Counsel Leslie Haynes also maintains that “ID numbers are not private” and made reference to them “being published before the introduction of the digital age in public libraries, rum shops, the electoral office and other spaces.” Because a law states that you must publish information electronically doesn’t mean you should make it accessible to 4.6 billion Internet users (including hackers, fraudsters and other cyber criminals). There are numerous laws in Barbados that are outdated, poorly drafted, contradictory to other laws, and incompatible with existing technology – Should we follow them all to the letter or do we comprehensively update them to be more fit for purpose? Moreover, there are numerous technology solutions available for publishing said data online in a controlled manner to reduce the overall risk and exposure. And if they are not at fault, why did government officials remove the voters list from the public websites?

Finally, national registration number (NRN), date of birth (DOB) and home address are all private information, and there are established technical standards, privacy principles, and national laws or treaties around the globe that assert as much. From a data minimisation perspective, the requirements of the law could have been satisfied without including NRN and DOB.

Where online can you find the social security numbers (SSNs) for all eligible voting Americans? What about the passport numbers or driver’s license numbers for all voting Canadians? What about the national ID numbers for all voters in France, Denmark, Switzerland, Germany, etc.? The answer is NOWHERE!

[UPDATE] Sunday, 2 January 2022 – I have amended the original blog post in response to the EBC’s staunch defence of their decision to publish the voters list on the open Internet.