Column

Authenticating Electronic Petitions

Petitions are an ancient method for people to tell their government (king or Parliament) what they want, and what they don’t want. ‘The relief of grievances’ is a big part of their appeal over the years. Petitions are a way of being heard, if not quite a day in court.

The traditional petition was a list of names and addresses subscribed to the text of the demand or complaint, generally with each person’s signature. The signature gave some assurance that the names represented real people, so the number of names might indicate real support for the message.

It takes work to get a petition going and to find the people to sign it. Even with motivated teams of activists, large numbers can be hard to achieve. It is so often a one-to-one process, a canvasser persuading one signer at a time to join the campaign.

Enter the Internet, champion of one-to-many or many-to-many communications. Electronic petitions are so much more convenient: they can be put in front of millions of people for little money and little effort. They can be posted to a web site so the signers come to the petition, instead of the other way around.

In fact the online petition has been criticized for being just too easy to do – so recipients may not give them much weight. Is this a groundswell of upset citizens I see before me, or just a message gone viral, no more meaningful than the last cat video? It has been suggested that signing such a petition is too easy from the signers’ point of view too – it lets the signers off the hook from any serious commitment: they just sign and consider their activism done. ‘Slacktivism’ is the accusation.

But are the online petitions too easy because people can sign without much challenge, or because one can automate the signing and eliminate the people altogether? In other words, are they more likely to contain fraudulent signatures, phony names? Are they worth any attention at all? Are they any better than anonymous rants? A lot of people will say anything when they don’t put their names to their statements.

Private petitions

Some sites that offer the public opportunities to create online petitions do not make much fuss over identifying or authenticating signers. For example, Avaaz.org allows one to create an account with an email address, or to use a Facebook or Twitter account as a credential. A signer has to enter a name, email address and postal address, including country. Avaaz follows up with a confirmation email. The site does not say if it deletes the name from the petition if the email bounces. The site offers a link to be shared on social media to help propagate the petition.

Change.org does the same, but it sends a verifying email to the address submitted by the person creating the account, in order to activate the account and thus allow the creation of a petition. A signer has to enter the same information as with Avaaz, and a follow-up email is sent. The email also offers links to social media and a suggested text for a further email to friends. The site goes on to offer signers the opportunity to contribute money to the cause of the petition: the funds will permit Change.org to ‘show the petition to [x] potential supporters’, the number depending on the donation. Potential supporters are five for a dollar, minimum donation $10.

ipetitions.com does sign-up for petitioners similarly, with a confirmation email. Petitioners are limited to ten outstanding petitions at a time. The site claims to be ‘alone among Internet sites in offering a range of tools to authenticate signatures’.

With our tools, you [the petitioner, not the recipient: JDG] can filter out duplicate names and email addresses, and you can limit the number of signatures allowed from any IP address within a given period of time. You can also protect a petition with a password—this is a great option for limiting access to signers from a particular company or group.

ipetitions also offers a method by which a petitioner can withdraw the petition and by which a signer can get his or her name taken off. Signers get a confirmation email, as with the sites above. They can also agree to receive messages about related petitions.

Some concern has been expressed about what the private sites do with the personal information they collect in the authentication system. What do people trade to access petitioning power? They do, of course, have privacy policies, but …

Public petitions

The typical target of a petition is government. The private petition services may target government or private organizations, or even individuals. Governments often care who is writing them, and want to know how seriously to consider petitions. As a result, they have set up systems to authenticate the signers on e-petitions sent through government sites. One challenge in doing so is to avoid making petitions too hard to sign, thus discouraging public expression. Another arises from privacy laws that restrict what one can do with collections of names and addresses; authentication and privacy can pull in opposite directions.

One reason impelling governments to authenticate signatures is that they often promise a legislative response, or at least a response by official explanation or a debate in Parliament, if the number of signatures is high enough. So they would like to have some assurance that the signatures have real people behind them.

Let’s look at three countries with some experience in e-petitions to see how they approach authentication.

UNITED KINGDOM

The United Kingdom has a long record in this area. It has had online petitions to government for several years. The current national system, in place since 2011, is called Directgov. There are a number of others, including for Wales and Scotland and for many municipalities. Municipalities are obliged by the Local Democracy, Economic Development and Construction Act, 2009, to have facilities for sending them petitions online.

The national system does insist that petitioners and signers have an address in the UK or be British citizens. The people running the system (in Parliament) say they verify addresses at least. (Since the site has been down since the recent election campaign started, one is unable to check what they do.) In principle, if 100,000 or more signatures are received, the petition will be discussed in Parliament. How seriously it will be discussed is another question, but the same is true for traditional petitions presented by Members of Parliament. The actual procedure involves reference to a backbench committee.

One sceptical writer says that direct.gov “is arguably the first Internet petition system to mean something: it allows concerns to be brushed off officially, rather than simply be ignored.” More critical even, The Guardian said “Directgov is rarely more than a farce – and a destructive one at that.”

UNITED STATES

The United States has the right to petition in the First Amendment to its Constitution. It takes the right seriously. Many states have anti-SLAPP legislation that protects only the expression of opinion to government

In 2011 the United States started ‘We the People‘, an online mechanism for petitioning the American government. It can be used for any desire about federal government action.

This site authenticates the person who creates the petition and all those who sign it. The originator of the petition has to create an account at www.whitehouse.gov. That is done by entering a name, ZIP code and email address, along with a CAPTCHA to avoid automated signups. The system will send a confirmation link to that address; when the person clicks on the confirmation link, the account is created.

Signers of petitions also give a valid email address and ZIP code. The email address is tested in a confirmation message, which involves agreeing as well to the Terms of Participation. No account need be created,and signers need not be within the United States. Once the signature is confirmed, the site offers links to Twitter and Facebook and a link that can be sent to others, to spread the word.

Officially, the government will provide a formal answer to a petition that collects 100,000 signatures in thirty days from being started. In practice, some answers have been given, but a number of petitions with the requisite number of signatures have gone unanswered. Presumably the same is true for petitions received on paper.

CANADA

In Canada, Quebec and the Northwest Territories have led the way in devising rules for e-petitions. Quebec requires e-petitions to go through a Member of the National Assembly (MNA), just like paper petitions. Originators of petitions must find an MNA willing to sponsor the petition. “The MNA chosen to present the petition must do so at one of the first three Assembly sittings after the date on which the signing period ends.“ Making the petitioner find an elected member means that petitions are more likely to be civil and relevant, and they maintain the role of MPs as intermediaries between the citizen and government.(Though as The Guardian said, in the note cited above, if one moves in the right circles, it may be easier to meet and influence one MP to carry a petition than to solicit 100,000 signatures online.)

Originators and those who sign the petitions must enter names, addresses and emails, and they receive an email requiring a confirmation of action and intention before their signature counts.

The conditions for signing are these:

I have read the petition and support it.

I agree to have my family name, given name and place of residence appear on the list of signatures. (The “place of residence” means only the city; residence addresses are not collected from would-be signers.)

The information I have provided is accurate.

When the petition is presented, the Secretary General of the National Assembly (like the Clerk in the other provinces) sends the petition to the appropriate legislative committee. The committee may decide to study it or even hear from the originator. The government must respond.to all petitions.

Federally, e-petitions have been studied for nearly 20 years. Most recently, an NDP Member of Parliament, Kennedy Stewart, has pushed for electronic petitions as well. He made a motion in support of such petitions in January, 2014, which was carried. He submitted a report on the details to the Standing Committee on Procedure and House Affairs that called for appropriate security, to ensure that the signers actually did sign – an improvement, it noted, on the current system for paper petitions. Some of the criteria to be tested were the validity of the email address given (by confirmation message), the IP address used (to ensure that the same address is not the source of multiple signatures, and to ensure that it is in Canada), and perhaps a CAPTCHA to ensure that signatures are not automated.

This report recognized that e-petitions are easier to generate than handwritten ones, so proposed that the government should have to respond, not to a petition with only 25 signatures, as is the case for paper petitions, but to e-petitions that collect over one thousand signatures.

The Standing Committee on Procedure and House Affairs reported in March, 2015, proposing changes to the Standing Orders to authorize e-petitions. The report reviewed the operation of e-petition systems in other countries and ways to ensure that the petitions could work in the same way as paper petitions. The report considered a number of security features to ensure the genuineness of the signatures.

For the originator (petitioner):

A form [on the Parliament’s website] would have to be completed by the e-petitioner in which he or she must provide the following information: full name, full address including postal code, phone number, and e-mail address. The e-petitioner must also confirm by means of self-declaration that he or she is a resident of Canada or a Canadian citizen living outside of Canada. The form to be filled in by the e-petitioner will also receive the e-petition’s prayer (i.e. a request for the addressee to take some action to remedy a grievance …

The creator of an e-petition will be required to confirm the validity of his or her e-mail address. Upon completing the e-petition form, he or she will automatically be sent an e-mail with a link embedded in it that must be clicked in order to activate the submission. In addition, this automatic e-mail will also contain a security mechanism (e.g. a unique code randomly generated by the website) that will prevent the automated creation of e-petitions.

For signers:

In order to sign an e-petition, an individual would need to provide and confirm his or her e-mail address, provide his or her full name, postal code and phone number, confirm that he or she is a resident of Canada or a Canadian citizen living outside of Canada, and confirm through self-declaration that he or she has not previously signed the same e-petition. …

Each signature will first be verified by sending an automatically generated e-mail to the e-mail address provided by the signatory, which contains a link that must be clicked to confirm that email’s validity. The signing process will also involve a security feature (e.g. a unique code randomly generated by the website) to ensure that signatures are not being added to an e-petition on an automated basis. Only one signatory per e-mail address will be permitted to sign the same e-petition. In addition, should the Clerk of Petitions believe that a signature is not authentic or not permissible, the Clerk of Petitions may disallow it. Only after a signatory’s information has been verified will his or her signature count toward an e-petition’s total signatures.

The software used to manage e-petition signatures should safeguard the integrity of the e-petition process and flag issues or unusual patterns for spot-checks and verification. For example, the software could flag instances of signatures with the same first and last names; similar e-mail addresses; where a high number of signatories (e.g. ten or more) originate from the same IP address for the same e-petition; or it could flag a disproportionate number of signatories for the same e-petition originating from non-Canadian IP addresses. For greater certainty, this would not otherwise limit the ability of the Clerk of Petitions from taking other measures to monitor and verify the integrity of the e-petition process. To avoid the potential for abuse by political staff during work hours, no signatures will be accepted from IP addresses associated with the Parliament of Canada or the Government of Canada.

If at any time the Clerk of Petitions believes that the integrity of an e-petition has become irreversibly compromised through inauthentic signatures, the Clerk of Petitions may withdraw the e-petition and notify the e-petitioner accordingly.

The Standing Committee went on to set out in detail how petitions would be dealt with once properly received. After four months, a petition with fewer than 500 signatures (half the number recommended by Mr. Stewart, but twenty times the number for a valid paper petition) would be deemed withdrawn. The procedure would be the same as for paper petitions, except that the names of signatories would not be tabled in the House. A number of other privacy protections were also recommended.

As with paper petitions, the government would have to respond to e-petitions within 45 days of tabling.

The Standing Committee proposed amendments to the Standing Order of the House to support these recommendations. The amendments appear at the end of its report. They are to take effect, along with the e-petition system, at the opening of the 42nd Parliament, i.e. the House that will be elected in October, 2015.

It is interesting that the Standing Orders as amended do not include any of the authentication measures or other security or privacy details set out in Mr. Stewart’s submission or in the Standing Committee’s report. Perhaps the Clerk of the House of Commons is intended to implement such measures administratively.

News reports confirm that the Standing Committee’s report was adopted. E-petitions to Ottawa are on their way.

Conclusions

The main way private and public sites have to authenticate the signers of petitions is to verify that the stated email address works, in that it does not fail. Sometimes the would-be signer has to respond to the test mail as well. Just about any other form of authentication would take more time for actual human beings than an online site can afford.

Some of the methods discussed by the Canadian federal Standing Committee go beyond this, in ways that could be managed technically, such as eliminating more than one signature per IP domain. There is not yet any sign that they will be used.

On the other side of the question, it is not clear that any e-petitions have been seriously fraudulent in their alleged numbers. In the circumstances, probably a fairly rudimentary authentication system is sufficient.

As usual with information technology security questions, one must do a threat-risk analysis. What is the reward for undetected fraud? A chance – not a large one, according to some critics – of some legislative debate or executive response. Neither is unduly costly, especially given the discretion whether a response will be given. The Canadian rules tend to require a written response from government; we do not yet have data on whether the electronic petitions are significantly outnumbering the paper ones and thus causing excess work – a reason to check their validity more carefully.

At this stage in the development of e-petitions, the balance is probably right: pretty good authentication.

Comments

  1. Ontario’s Standing Committee on the Legislative Assembly has held hearings on petitions, mainly electronic petitions. The Committee heard from the Information and Privacy Commissioner and the Chief Privacy Officer and Archivist of Ontario.

    On authentication, the Commissioner said this (at p. 5):

    [T]the amount and type of personal information collected for the purposes of verifying the residency, authenticity and non-duplication of individuals should be proportionate to the purpose of the e-petition program, which is to promote engagement and encourage or solicit a non-binding government response to the request. While some jurisdictions require signatories to provide their first and last name, city, province, country, postal code and email address, others, such as the United States, require signatories to provide only their first and last name and email address, with the individual’s ZIP code being optional. Based on our review of current practices and given the non-binding nature of the government’s response, the collection of first and last name, email address and postal code should suffice for verification purposes. As noted above, however, techniques used to protect the process for signing e-petitions from abuse by hackers may require additional information.

    The Commissioner concluded (at p. 8):

    The IPC believes that e-petitions have the potential to improve the quality and level of engagement by Ontarians, resulting in increased government transparency and accountability. They will also increase citizen access, make the petition process more convenient and allow citizens to interact with their government in a manner they have come to expect. However, due to the sensitivity, attractiveness and digital nature of the personal information contained in e-petitions, any integration of e-petitions into the Legislative Assembly’s existing petition procedures should have in place the necessary controls to protect the privacy of individuals.

  2. WHERE do I go to find out if the petitions sent me by email are legitimate? so that I am not just giving opportunity to information gathering types? I would gladly sign hand written petitions but there are not any around me. I want my voice heard, but I need to know if it is being heard or if I am just the victim of an information gathering scam group. There is no other way for my wishes to be known to my representatives without legit petitions. We don’t know what bills they are voting on, to call and tell them yes or no from us. I am getting an incredible amount of spam now, which I think is because I sign petitions. I do not respond to ads. WHO do I ask about this? I am from Michigan.