Blantyre — Attorney General Thabo Chakaka-Nyirenda, SC, told Justice Chimbizgani Kacheche at the High Court in Blantyre that the Democratic Progressive Party’s (DPP) proposed “independent ICT audit” of the Malawi Electoral Commission’s (MEC) Election Management System (EMS) was so expansive it would amount to “sanctioned hacking”.
Presenting submissions for MEC, the AG said the opposition’s Concept Note demanded measures such as penetration testing, red-team simulations and source-code review—steps which, he argued, inherently require attempts to breach protected systems.
“The Claimants submitted an ICT audit concept. Its scope was excessive: it involved penetration testing, red-team simulations, code review. This would mean attempting to ‘break into’ MEC’s systems—an act tantamount to sanctioned hacking,” Nyirenda said.
‘Hand over the keys’
Nyirenda told the Court the Claimants’ plan contemplated MEC handing over source code, administrator passwords, encryption keys and database access paths to third-party auditors—without any clear procurement pathway or vetting standard for who those auditors would be. He said such disclosure would “fatally compromise the confidentiality and integrity” of the election infrastructure.
“International electoral practice and cyber-security standards uniformly warn against uncontrolled access to core electoral systems,” he said, adding that even limited breaches in cryptographic or administrative control can cascade into full-system compromise.
Chilima case cited: real risks, wrong remedy
To underscore the risks, the AG leaned on the Chilima & Chakwera v Mutharika & Electoral Commission [2020] MWHC 2 judgment, where the High Court scrutinised MEC’s electronic Results Management System (eRMS) after the 2019 poll. He reminded the Court that:
- The judges found no evidence of data deletion or deliberate rigging; results from all 5,002 polling stations were retrieved.
- But the Court did flag the use of default user accounts and shared passwords as a serious weakness that undermined system reliability.
Quoting paragraph 1329, he said:
“Default user accounts presented a risk to the integrity of the eRMS… detracting from the quality and reliability of the system.”
Nyirenda argued that the DPP’s current “non-scoped” audit would re-create and worsen those very vulnerabilities by compelling disclosure of active usernames, passwords and elevated privileges to outsiders. “Far from transparency, this is an invitation to systemic fragility,” he said.
MEC says it already opened doors—within the law
According to Nyirenda, the Concept Note—“collectively authored by opposition parties”—admits MEC had shared the register, permitted inspection, and was already investigating anomalies. He said MEC also ran stakeholder demonstrations and technical briefings, and invited parties’ nominated ICT experts to view EMS modules, a proportionate route that balances transparency with system security and vendor intellectual property.
Nyirenda highlighted that the DPP audit as framed was overbroad, unscoped, and would force exposure of source code, credentials and encryption keys, creating unacceptable security risks.
‘Best practice is controlled, scoped transparency—demonstrations, dry-runs, logs, and inspection of the printed register generated from the electronic system—not carte-blanche access. Malawi’s legal framework permits electronic compilation and transmission within a hybrid, safeguarded process; courts have already cautioned against practices (like shared credentials) that reduce system integrity—risks the proposed audit would re-introduce,’ Nyirenda argued.
Hybrid systems are not new, Court told
The AG stressed that MEC’s hybrid model—biometric/EMD-based verification alongside the printed register, and electronic transmission backed by physical forms—is neither novel nor unlawful. He said it was used in 2019 and 2020, and that the Chilima & Chakwera case (2020) recognized electronic transmission as part of the operational framework. The hybrid approach, he said, adds redundancy and allows multi-tier verification at polling stations, constituency tally centres, and the National Tally Centre.
‘Inconsistency’ alleged against DPP witness
Turning to evidence from Dr Jean Mathanga, a DPP witness and former MEC Commissioner, Nyirenda noted she served during the 2019 and 2020 elections when hybrid systems were used.
“Today she opposes what she once supervised, showing inconsistency and expediency,” he said, arguing that her present stance repudiates the very approach she previously helped administer.
The Attorney General urged the High Court to reject reliefs that would “paralyse a lawfully adopted electoral plan and endanger critical infrastructure” one week before the September 16 General Elections.
Bottom Line of the State’s Case
The audit demanded by the Claimants is overbroad, unscoped, and reckless. It would compel the Electoral Commission to surrender its source code, encryption keys, administrative credentials, and database access protocols to outside actors. Such disclosure would not enhance transparency—it would obliterate system security and expose the core electoral infrastructure to manipulation.
International best practice in election management does not sanction “carte-blanche” access to electoral systems. Instead, it endorses structured and scoped transparency: controlled demonstrations for stakeholders, supervised dry-runs of the technology, verifiable audit logs, and inspection of the printed voter register generated from the electronic system. These mechanisms safeguard both public confidence and the technical integrity of the system.
Malawi’s legal framework expressly authorises electronic compilation of the voters’ register and electronic transmission of results within a hybrid model—manual verification operating in parallel with digital tools. This dual safeguard has been used in past electoral cycles and is consistent with regional and global standards.
Most importantly, both domestic and comparative jurisprudence have cautioned against practices—such as default or shared system credentials—that compromise the integrity of electoral technology. The Claimants’ proposal, far from addressing those concerns, would reintroduce and magnify the very risks already condemned by the courts.
The State therefore submits that the Claimants’ reliefs are misconceived, dangerous, and unlawful. The only lawful and prudent path is the one already adopted: a hybrid, transparent, and safeguarded process that respects both electoral integrity and the institutional independence of the Commission.
Justice Kacheche reserved judgment until 11th September 2025. The Malawi Law Society, which was admitted as amicus curiae, was given until 9th September 2025 to file its written brief.