AG Warns DPP’s Proposed MEC Tech Audit Would Amount to ‘Sanctioned Hacking’

Attorney General Thabo Chakaka-Nyirenda, SC, has warned the High Court that the Democratic Progressive Party’s (DPP) push for an “independent ICT audit” of the Malawi Electoral Commission’s (MEC) Election Management System (EMS) is so expansive it would effectively legalise hacking into core election infrastructure.

Appearing before Justice Chimbizgani Kacheche in Blantyre, the AG argued that the opposition’s Concept Note demanded penetration testing, red-team simulations, and source-code reviews—steps that would require breaching MEC’s protected systems.

“This would mean attempting to ‘break into’ MEC’s systems—an act tantamount to sanctioned hacking,” Nyirenda submitted.

Security Keys at Stake

Nyirenda stressed the plan would compel MEC to hand over administrator passwords, encryption keys, source code and database access paths to third-party auditors with no clear procurement or vetting framework. Such disclosure, he said, would “fatally compromise” the confidentiality and integrity of the election infrastructure.

Chilima Case Cited

He drew parallels with the landmark Chilima & Chakwera v Mutharika & MEC [2020] ruling, where the Court scrutinised MEC’s results system. Although no rigging was proven, the judgment flagged serious weaknesses—such as default accounts and shared passwords—that undermined confidence in the system. Nyirenda argued the DPP’s audit would recreate and amplify these vulnerabilities by exposing live credentials to outsiders.

MEC Says Doors Already Open

According to the AG, MEC has already taken lawful transparency measures: sharing the voters’ register, permitting inspections, hosting stakeholder demonstrations, and allowing nominated ICT experts to view EMS modules. He argued this strikes the right balance between transparency and system security.

Hybrid System Defended

The AG further defended MEC’s hybrid approach—using biometric verification alongside a printed register and transmitting results electronically with manual backups. He said this model, already used in 2019 and 2020, ensures redundancy and multi-tier verification.

Attack on DPP Witness Credibility

Nyirenda also questioned the consistency of DPP witness Dr. Jean Mathanga, a former MEC Commissioner, noting that she previously oversaw the same hybrid systems she now criticises.

Bottom Line of State’s Case

•The DPP’s audit proposal is “overbroad, unscoped, and reckless.”

•It would expose source code, encryption keys, and administrator credentials to outsiders.

•International best practice endorses scoped transparency—demonstrations, dry-runs, audit logs, and inspection of printed registers—not unrestricted access.

•Malawi’s legal framework already authorises the current hybrid system, which courts have upheld.

Nyirenda urged the Court to reject the DPP’s reliefs, warning they would “paralyse a lawfully adopted electoral plan and endanger critical infrastructure” just days before the September 16 General Elections.

Justice Kacheche has reserved judgment until 11 September 2025. The Malawi Law Society, admitted as amicus curiae, has until 9 September to file its brief.