Dumb all over

After the contentious Brexit vote last week, the British Parliament’s House of Commons Committee is investigating potential commandeering of an online petition calling for a second referendum on the matter.

The petition, reportedly initiated by a “Leave” voter, needs only 100,000 signatures to be considered by the Petitions Committee. The tally as of this writing: 3,986,980.

Case closed, right? Parliament will reconsider the people’s requests and possibly bring the topic back into debate. Not so fast. According to posts on 4chan, an “image-based bulletin board where anyone can post” anonymously, the petition may have been hijacked by bots written by fervent “Stay” voters.

The Petitions Committee posted on Twitter:

“We take fraud in the petitions system very seriously, because it undermines the process of parliamentary democracy. The Government Digital Service are taking action to investigate and, where necessary, remove fraudulent signatures. People adding fraudulent signatures to this petition should know that they undermine the cause they pretend to support.”

The committee has removed 77,000 signatures, including those from “petitioners” in Antarctica, the South Sandwich Islands, and North Korea, geographies unlikely to instigate activism regarding Brexit from their citizens.

[Editor’s Note: the petition’s tally is now up to 3,988,285 signatures]

Whoever we are, wherever we're from, we shoulda noticed by now our behavior is dumb

Tensions are still high and U.K. voters want to be heard; Parliament is aware of this, so it’s baffling that it would allow the website it uses for all U.K. Government and Parliament petitions to be so easily hacked. The site doesn’t appear to have mechanisms in place to ward off bots, not even the dreaded and much-ridiculed CAPTCHA.

While the petition itself won’t decide the fate of anything other than a possible debate regarding a second referendum (but not a referendum itself), the failure of the government to take website tampering seriously is worrisome.

In the U.S. we’ve seen government website failures, so much so that the Pentagon took the unprecedented step of holding “Hack the Pentagon,” the first of a series of bug bounty programs to help the Department of Defense find vulnerabilities in its public-facing web properties. Sadly, not all governments and governmental departments are as concerned as the DoD.

An automated bot is a script-kiddie whim; what will happen when online voting for presidential elections is actually enacted? It’s probably not so far in the future, since everything else we do happens online. Even the best websites (public and private sector alike) have vulnerabilities, and those that require more sensitive information are generally better written than petition.parliament.uk. Not even requiring valid user input—especially given the strong feelings of voters on the Brexit issue—is negligent at best.  

If our chances expect to improve, it's gonna take a lot more than tryin'

Organizations of all types have to start taking the security of web properties more seriously. The petition (tally now up to 3,991,210 signatures) has more than enough valid signatures—bots be damned—to be considered. It doesn’t say much for the Committee, though, that it’s claiming to “take fraud in the petitions system very seriously,” yet it can’t even run a properly designed website.

“We won't publish your personal details anywhere or use them for anything other than this petition.” Yeah, but some hacker in Antarctica who exploited your site’s vulnerabilities might.