
Over the last few days, I've been hearing often about the petition to (practically) "repeat" the Brexit referendum and I noticed that it is an online petition.

I noticed that the "sign petition" form just requires name, email address, and postcode, and then you'll receive an email to confirm your signature.

Is this system secure? Can't someone just create a bot that will fill the form continuously (and confirm the email) using a different address each time? Looking at the privacy page, it also appears that it doesn't even have a captcha system, and the email verification is the only "system" to prevent bots.

Last but not least, it doesn't have a system to ensure that the signer is British.

jwodder
Matteo Umili
  • On a side note, this is not a petition system just for a second Brexit vote. It is a system used for any question British citizens want to raise in parliament. – Anders Jun 27 '16 at 08:02
  • Breitbart (take with a pinch of salt, though still plausible) linked to a pastebin script that used python mechanize and automatically created throwaway email accounts and signed the petition with them. It has various screenshots of people on twitter encouraging its use / giving out postcodes. Unfortunately the script has now been removed but it was mirrored at http://archive.is/pzULl – Stu W Jun 27 '16 at 13:10
  • There is also the interesting issue that anyone can buy an electronic copy of the UK electoral register which contains the names and addresses of everyone registered to vote so you can send direct marketing stuff to them (unless you have asked for your name to be removed). Faking signups wouldn't be hard, particularly if you or your employer had a copy of this database... – Stu W Jun 27 '16 at 16:31
  • Security isn't yes-or-no, and the answer depends on what threats you consider in-scope, so it'd be more helpful if you stated your threat model. See our [help/on-topic]: "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [...] To get the most helpful answers you should tell us: [...] * who uses the asset you're trying to protect, and who you think might want to abuse it (and why) * what steps you've already taken to protect that asset * what risks you think you still need to mitigate". – D.W. Jun 27 '16 at 21:11
  • Matt and PyRulez - a discussion on the pros and cons of paper vs electronic voting can happen on [chat] - not here in comments. – Rory Alsop Jun 28 '16 at 16:20
  • Given that some 30,000 votes came from IP addresses associated with the Vatican City (Pop. 800), I'm gonna offer a cautious "no". – Richard Jun 29 '16 at 11:51
  • Interestingly, I recently noticed on a different occasion that the corresponding online petition portal for the USA does not look like taking any measures against fraud signatures, either. Even more: There is no "I am a US citizen" check box and even the Terms and Conditions do *not* require the signer to be a US citizen, US resident, or in any way affiliated with the US – Hagen von Eitzen Jun 29 '16 at 12:13
  • My guess is the fact that the [UK parliamentary petitions](https://petition.parliament.uk/petitions/229963) website is currently "down for maintenance" strongly suggests that they've been overwhelmed by a deluge of "fake, bot-powered" signatures. The country is supposedly split 50/50 over the Brexit issue, so it's just ridiculous to suppose that over 1M people suddenly wanted to sign this one in a matter of hours, whereas it took the other side weeks to reach even *half* that number (or are most "leavers" actually apathetic and/or too dumb to use the Internet?). – FumbleFingers Mar 21 '19 at 17:18
  • Just FYI. This topic is likely to be receiving more attention following another high-profile petition that has received over 2m backers in 36 hours. – James Snell Mar 22 '19 at 10:16
  • @FumbleFingers - the failure seems to relate to under-provisioning rather than an intentional DoS. The pattern in the number of signatures so far is consistent with a viral distribution and the locations signatures come from is largely consistent with areas which you would expect them to be. Code tweaks to (for example) reduce the frequency of counter updates and modifications to a json breakdown by constituency appear to have mitigated it for the meantime. – James Snell Mar 22 '19 at 10:28
  • @JamesSnell: As I write (19 hours after first comment) the site is back up, this petition has over **3.1M** signatures - almost ten times the number who have signed the much longer-running "Leave with no deal" (i.e. - *actually* leave, since the only deal on offer is [BRINO](https://www.euronews.com/2018/02/26/translating-brexicon-knowing-your-bremoaner-from-your-brino)). This either reflects staggeringly high levels of activity by "bad actors", or I'm forced to suppose that people who support the status quo are far more "activist" than people who want sociopolitical change. Counterintuitive. – FumbleFingers Mar 22 '19 at 13:16
  • @FumbleFingers - I don't think it's appropriate to suggest those who wish to remain in the EU reject socio-political change. They see that the genuine problems which the leave-supporting community raise most often actually come from the actions of British Governments. As such committing international seppuku is only going to worsen matters. – James Snell Apr 01 '19 at 09:23

9 Answers

The petitions site is purely a mechanism to see whether there may be high enough numbers to support something, and if so, that something will be discussed in Parliament.

There are some checks and balances (for example 80,000 fake votes were identified and removed) but there is no need for a strong level of trust here, as nothing is decided by any of these petitions.

For the re-doing of the European Exit referendum, there are around 4 million signatories, and even with some level of fraud, the government already knows that it is something they need to discuss.

In summary - can it be trusted to the level required for this purpose? Almost certainly. Can it be trusted to have no fraud? No.

Rory Alsop
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/41749/discussion-on-answer-by-rory-alsop-is-the-uk-parliament-e-petition-system-trustw). – Rory Alsop Jun 28 '16 at 07:16

General comments

Can you be 100% sure that every signature is from a real person? No. Can you take some precautions to make it harder to cheat? Yes.

Here are some things that the British government could do (no idea if they actually do it):

  • Require a successful CAPTCHA after X attempts from the same IP.
  • Rate limit by IP. Sure, five persons in the same household might want to sign up, or 10 persons on the same company network after they had a chat about it at lunch. But if you get 100 signatures in a steady pattern you can be fairly sure someone is trying to inflate the numbers.
  • Do geolocation of the IP and correlate with the entered post code. Most people would do this from home without a VPN or proxy. If you get 90% of the signatures matching, you can be fairly safe most of them are legit.
  • Look for patterns in the data. If there is a strange spike in signups during two hours, and those signups have different characteristics than others, it might be because someone rented a botnet during that time period.
  • When the petition reaches a limit, pick a random selection of signers and try to verify them. This could be done e.g. by emailing them and asking them to call from a UK phone number listed under the name they used in the petition. This would give you an upper-limit estimate of how large a percentage of the signatures are fake.

Could a smart attacker with a botnet overcome these things? Possibly, but it does raise the bar.

Case study

Stu-W linked to a Python script used to automatically sign the petition. The script has a number of weaknesses that could be easily used to filter out the forgeries:

  • The post code is a constant hard coded into the script (SW1A 0AA). Even if individual users changed it, a large number of signatures from the same post code in a short time would be a dead giveaway.
  • The emails used are generated with the Python tempmail module, which is just a wrapper for the temp-mail.ru service. So just filtering out domains used by them would do the trick.
  • The name is just a bunch of randomized characters like "ûqv knzõâ".
  • All the posts would be from the same IP address. So just rate limit or filter out IPs with more than X signatures in Y time from the database.
  • There is no attempt to set a believable User-Agent header.

In other words, this script is rather dumb. Even though it could be used to sign the petition, that does not mean that the obviously fake signatures will not be filtered out later. Just because you submit does not mean you will get counted.

Anders
  • Beware of IP geolocation! Most large companies have a single connection point to the real internet, and as it is a firewall, only this IP will be used, even if the actual user location is at the other end of the country. – Serge Ballesta Jun 27 '16 at 14:34
  • @SergeBallesta I am not saying all cases where the geolocation does not match should be filtered out. I am suggesting it could be used as a sanity check on the data set as a whole. – Anders Jun 27 '16 at 14:38
  • Not only is the post code a constant, it's the postcode of the Parliament itself! Nobody actually lives there, as far as I know. – crazyscot Jun 28 '16 at 04:48
  • The Python script should be treated as a proof of concept. It is entirely possible to create better randomization and send requests using some sort of botnet to have a good distribution of IP addresses. – ksiimson Jun 28 '16 at 20:10
  • @siimsoni Hence my first sentence. If the conversation in comments is correct it was actually used, though. – Anders Jun 28 '16 at 20:47
  • @crazyscot Actually, the Speaker's House (apartment) is there, in the Elizabeth Tower. – Andrew Leach Jun 29 '16 at 10:57
  • I stand corrected! – crazyscot Jun 29 '16 at 22:31
  • It’s also worth noting that the petitions site has now changed their email address filter to block “plus addressing”. My guess is that some automated signups also used that method and scripting (for example) gmail accounts. – James Snell Mar 22 '19 at 10:13
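As an added example (not code from the answer, the petition site or the script it discusses), here is the kind of after-the-fact filter the answer's bullet points describe, run over a constructed set of signature records: per-IP burst detection, postcode concentration, a disposable-domain list, plus-address collapsing (from the comment above), a crude name check and a user-agent check. The record layout, the thresholds and the disposable-domain list are assumptions, and the output is a review list, not an automatic rejection.

```python
import re, unicodedata
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (id, name, email, postcode, ip, user agent, UTC time), not real data.
# Rows 3-5 imitate the script described above; row 6 is a plus-address re-sign by row 1.
SIGNATURES = [
    (1, "Jane Smith", "jane.smith@example.org", "M1 1AE", "203.0.113.5", "Mozilla/5.0", "2016-06-27T08:00:00"),
    (2, "Owen Jones", "owen@example.co.uk", "CF10 1AA", "198.51.100.7", "Mozilla/5.0", "2016-06-27T08:01:00"),
    (3, "ûqv knzõâ", "a1b2c3@temp-mail.ru", "SW1A 0AA", "192.0.2.9", "Python-urllib/2.7", "2016-06-27T09:00:00"),
    (4, "xkq zzvt", "d4e5f6@temp-mail.ru", "SW1A 0AA", "192.0.2.9", "Python-urllib/2.7", "2016-06-27T09:00:03"),
    (5, "plm wqrtz", "g7h8i9@temp-mail.ru", "SW1A 0AA", "192.0.2.9", "Python-urllib/2.7", "2016-06-27T09:00:06"),
    (6, "Jane Smith", "Jane.Smith+again@example.org", "M1 1AE", "203.0.113.5", "Mozilla/5.0", "2016-06-27T10:00:00"),
]
DISPOSABLE_DOMAINS = {"temp-mail.ru"}  # assumption: illustrative list, a real one is far longer

def canonical_email(email):
    # Lower-case and drop a "+tag" so plus-addressed re-signs collapse to one mailbox.
    local, _, domain = email.lower().partition("@")
    return f"{local.split('+')[0]}@{domain}"

def plausible_name(name):
    # Crude heuristic: after stripping accents, expect two or more capitalised words.
    ascii_name = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    return re.fullmatch(r"[A-Z][a-z'\-]+( [A-Za-z][a-z'\-]+)+", ascii_name) is not None

def flag_signatures(sigs, max_per_ip=2, window=timedelta(minutes=10), max_per_postcode=2):
    reasons = defaultdict(set)  # signature id -> reasons it deserves a manual look
    by_ip, by_postcode, seen = defaultdict(list), defaultdict(list), {}
    for sid, name, email, postcode, ip, agent, stamp in sigs:
        if email.lower().rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS:
            reasons[sid].add("disposable email domain")
        canon = canonical_email(email)
        if canon in seen:
            reasons[sid].add(f"plus-address duplicate of #{seen[canon]}")
        seen.setdefault(canon, sid)
        if not plausible_name(name):
            reasons[sid].add("implausible name")
        if not agent or agent.lower().startswith(("python", "mechanize")):
            reasons[sid].add("scripted user agent")
        by_ip[ip].append((datetime.fromisoformat(stamp), sid))
        by_postcode[postcode].append(sid)
    for rows in by_ip.values():  # more than max_per_ip signatures from one IP inside the window
        rows.sort()
        for i, (start, _) in enumerate(rows):
            burst = [sid for when, sid in rows[i:] if when - start <= window]
            if len(burst) > max_per_ip:
                for sid in burst:
                    reasons[sid].add("burst from one IP")
    for ids in by_postcode.values():  # the script hard-codes one postcode for everyone
        if len(ids) > max_per_postcode:
            for sid in ids:
                reasons[sid].add("postcode concentration")
    return {sid: sorted(why) for sid, why in reasons.items()}
```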

I don't know if this is how things are done in Britain, but this is how things are done in the Netherlands whenever a petition is submitted to the government:

  • A random sample of the signatures is taken;
  • These signatures are verified (I think they call people to ask if they've signed);
  • the resulting ratio of valid:invalid signatures is then applied to the whole petition.

If enough of the signatures on the petition are valid, the petition has to be taken into consideration by the parliament.

Since the threshold on UK petitions is 10,000 to be considered by the government and 100,000 to be considered for debate, only 0.3% (consideration) / 2.7% (debate) of 3,677,062 signatures would have to be valid.

user2428118
  • After said sample is taken, does the team / agency / government whatever take the time to sample a larger portion of the votes (or even all of them) for some better precision, or do they normally accept the sample as is? I'd assume the sample is typically close enough anyway – Jeremy Kato Jun 27 '16 at 16:14
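As an added example (not part of the answer, and not a description of how any government actually does it), the sampling arithmetic the answer describes: draw a random sample of signatures, count how many verify, and scale the ratio up with a conservative Wilson lower bound so the 10,000 and 100,000 thresholds are compared against the worst plausible case rather than the point estimate. The sample sizes and verification counts are constructed; the petition total and thresholds are the ones quoted in the answer.

```python
import math
import random

TOTAL_SIGNATURES = 3_677_062  # figure quoted in the answer
THRESHOLDS = {"consideration": 10_000, "debate": 100_000}  # UK thresholds quoted in the answer

def draw_sample(total, size, seed=0):
    # Pick `size` distinct signature indices uniformly at random; seeded so a run is repeatable.
    return sorted(random.Random(seed).sample(range(total), size))

def wilson_lower(valid, sampled, z=1.96):
    # Lower end of the 95% Wilson score interval for the true fraction of genuine signatures.
    if sampled == 0:
        raise ValueError("empty sample")
    p = valid / sampled
    denom = 1 + z * z / sampled
    centre = (p + z * z / (2 * sampled)) / denom
    half = z * math.sqrt(p * (1 - p) / sampled + z * z / (4 * sampled * sampled)) / denom
    return max(0.0, centre - half)

def required_fraction(total, threshold):
    # Share of all signatures that must be genuine for the petition to still clear `threshold`.
    return threshold / total

def estimate(total, valid, sampled):
    # Scale the sample ratio to the whole petition, reporting a conservative floor on genuine
    # signatures and the matching ceiling on the fake share (the "upper limit" idea above).
    point = valid / sampled
    low = wilson_lower(valid, sampled)
    return {
        "point_valid_fraction": point,
        "lower_valid_fraction": low,
        "genuine_at_least": int(low * total),
        "fake_share_at_most": 1 - low,
    }

def clears_threshold(total, valid, sampled, threshold):
    # True only if even the conservative floor of genuine signatures meets the threshold.
    return estimate(total, valid, sampled)["genuine_at_least"] >= threshold

if __name__ == "__main__":
    sample_ids = draw_sample(TOTAL_SIGNATURES, 400)
    # Constructed outcome: suppose 300 of the 400 sampled signers confirmed by phone.
    print(estimate(TOTAL_SIGNATURES, 300, 400))
    for name, limit in THRESHOLDS.items():
        print(name, required_fraction(TOTAL_SIGNATURES, limit),
              clears_threshold(TOTAL_SIGNATURES, 300, 400, limit))
```

A tiny sample with few confirmations (say 2 of 50) still clears the 10,000 floor but not the 100,000 one, which is why the sample size matters more than the point estimate.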

For the government tool:

I see one interesting point: there is a map showing the distribution across the votes: http://petitionmap.unboxedconsulting.com/?petition=131215.

We can see here that the votes have been made across the whole country, and the distribution seems to follow population density (more votes in London, ...). An elaborate bot could have mimicked that, but that fast? This seems unlikely.

This would still require providing 4 billion different mail addresses. Most providers perform checks, and if you use one or two mail domains that aren't widely used and protected against bots, you can still detect and discard those votes.

Furthermore it's a government tool, so they can have quite some checks around it (ban proxy IPs by detecting lots of the same IP, ...), but I don't know them.

So I think this petition using the government tool seems trustable, as generating so many votes, considering mail addresses and postal code distribution, seems hard to do in the short amount of time since the first results.

EDIT: Answering D.W.'s comments: since the OP is wondering if the government tool is reliable regarding the one petition with 4,000,000 votes, what I was saying there is that in this case it is definitively reliable; fake votes will be filtered well enough to not be so representative.

Now if you asked about a 10k-vote petition, it's possible that fake votes could be too representative for it to be trustworthy.

Walfrat
  • While interesting, comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/41709/discussion-on-answer-by-walfrat-is-the-uk-parliament-e-petition-system-trustwort). – Rory Alsop Jun 27 '16 at 11:49
  • This answer does not appear to answer the question that was asked. The question that was asked is: "is the petition system secure against attack?". This answer appears to be trying to answer the question: "do the results of a particular petition drive appear to be trustworthy?" -- but that's a different question. – D.W. Jun 27 '16 at 21:14
  • @D.W. Well, what I'm saying in the end is that the petition on the petition system which the OP asked this question about seems to be trustworthy enough regarding the facts. As Rory pointed out, you can have some 10 thousand fake votes, but the government tool seems to provide fair enough reliability for a petition with 4,000,000 votes to be trustworthy. Now if you asked about some 10k votes, I'd say it's possible that there are enough fake votes for it to be not so reliable. – Walfrat Jun 28 '16 at 07:11

You cannot match postcode to IP location. I use Plusnet in the UK and it shows up as being in Dundee (several hundred miles away from me) when I check my location by IP. So it cannot be using that to check.

Similarly, you don't need millions of email addresses, just 1 with many aliases - assuming the email address is actually checked.

I doubt that petition site was built with fraud verification in mind, as until recently the petitions were mostly for trivial matters. It's probably just a simple web form using an email response and a duplicate-checker for postcode and name (multiple people could live at the same place).

gbjbaanb

They can verify the name and post code against the electoral roll. When they say 80,000 fraudulent names removed, I expect those are the ones that don't match (I don't know this for sure).

However, this is flawed because much of the electoral roll is public.

paj28
  • Also, the electoral roll itself has extremely weak security. Getting on the electoral roll essentially boils down to putting a name, address, and signature on a form. There's no verification of the name, address, or even whether or not the person is a British citizen. – Jon Bentley Jun 28 '16 at 14:21
  • And a correction: all of the electoral roll is public. You can opt to have your name excluded from use for marketing purposes, but anyone can inspect the entire roll at any time. – Jon Bentley Jun 28 '16 at 14:23
  • The [form](https://petition.parliament.uk/petitions/131215/signatures/new) only requires you to be a British citizen or a UK resident, not to be on the electoral roll. So the electoral roll can't be used to eliminate invalid signatures. – dolmen Jun 28 '16 at 17:32
  • @JonBentley - How can I view the unedited roll? It's not intended to be public, but if you know a way, that would be interesting! – paj28 Jun 28 '16 at 18:00
  • @paj28 It absolutely is intended to be public. You can view it by contacting the electoral registry office for your borough. It's usually located in your council's headquarters, town hall, or possibly a library. See [here](https://www.gov.uk/electoral-register/view-electoral-register) for details of viewing it [and here](https://www.gov.uk/electoral-register/opt-out-of-the-open-register) for the opt-out which is what might be causing the confusion. – Jon Bentley Jun 28 '16 at 18:36
  • @JonBentley - My local library only shows the open roll. I was sceptical of what you said, but I've just been on the phone to my local electoral office and they will let me view the full roll - if I make an appointment and come in person. Thanks for the correction... Today I Learned :-) – paj28 Jun 29 '16 at 08:25

While the answer would be 'no', in this case it doesn't matter. All it is, is an 'indicator'. It doesn't need to be trusted to be 'looked at'.

If someone were to do internet-voting, then this system would be a very, very bad idea to use.

John Keates

It's not just technical security you have to consider. No online voting system is a secret ballot; there is no way to eliminate social pressure to vote a particular way. A dominant member of the household can bully other family members into signing, or simply use their email addresses to do it himself.

Michael Kay

You can't make it failproof, but you can increase the number of parameters taken into account so that the maximal percentage of cheating becomes statistically insignificant.

Still, I live in France, have been to Wales once for a week or so in my whole life, and just signed the petition as a Londoner who lives at 1 Jamaica St. My web browser has no permission to use geolocation, but I did not use any VPN or proxy, so I can be spotted. With one or two more proper precautions, I could have been considered a fully legit Londoner, but I am only one individual among our whole species.

Whether petitions are reliable or not depends on your statistical considerations and definition of reliability.