From: Exit Explains
Exit Explains: Security Concerns Over Biometric Voter Identification

The Central Election Commission Regulatory Commission has determined the characteristics of the electronic identification system to be used in the April 25, 2021 elections throughout the country.

Electronic identification has been one of the main demands of the extra-parliamentary opposition, as a condition of being part of electoral reform.

An electronic device will be installed in each polling station which reads identity cards or passports, reading their electronic chip. The devices work independently and offline, without being able to communicate with any other device or computer network.

A verification software will be registered in each machine, which contains the voter list for the entire respective constituency. So the voter enters the Voting Center and presents the card or passport to the voters.

The card or passport is read by the device, which performs three tasks:

  1. Verifies voter identity;
  2. Verifies whether the voter is registered in the constituency and polling station;
  3. Finds out if the same card has been used before by prohibiting multiple voting within the same polling station.

If the voter details do not match those of the card, and the image does not match the person, he is not allowed to vote.

The work on election technology will be overseen by State Election Deputy Commissioner Lealba Pelinku, who explained the process to Neritan Sejamini.  She explained:

“At this stage, we can say that these are devices that will work offline. None of the devices is connected to the communication network.”

Pelinku clarified that voter data will be stored by applying the law in force on the protection of personal data:

“The person signs with fingerprints. That is, they will sign with a fingerprint, not a fingerprint identification. All data collected on the equipment will be centralized in a system near the CEC and will be cross-checked for verification and violations.

The system and equipment will store and process data according to security standards and according to the law in force for the storage of biometric data.

The device encrypts the data so their verification will be done. Data cannot be used outside of devices.

The data is not usable outside the system and outside the devices are encrypted. We must enforce the law on personal data.

The company has the obligation to program the equipment and system to respect the law of data protection “.

Now the question arises whether such a system can be implemented in 3-4 months, before the impending election.

In terms of their security, the Data Protection Commissioner has said that if they do not comply with the law and the constitution, the devices will not be certified by them. This means they will not be able to be used.

Commissioner Besnik Dervishi said:

“The biggest problem is the timeframe for implementing this project. The commissioner’s office has built-in standards for personal data protection. We will request the preservation of the information system.”

In terms of whether the data could be abused, Dervishi said:

“Data will be collected and processed for the facility that it has been collected for. Once it has been used, the data will be destroyed.”

He said that if security cannot be guaranteed then the commissioner will put a halt to the initiative.

“In the field of data protection, the power of the Commissioner is complete. It is a legal obligation for both the CEC and the Commissioner to give their opinion. The Commissioner has legal instruments, we will do monitoring and carry out inspections.

If the CEC does not implement recommendations, the Commissioner has the right to ban the system for the use of personal data.”