A British programmer has released a series of videos demonstrating how he flooded web petitions on the British Government’s official website with up to 3,500 fake signatures an hour and evaded government attempts to block his methods.
In a series of YouTube videos, programmer “Adam Adams” (not his real name) demonstrated how his computer program was able to bypass the internal systems of the website to flood petitions with fake votes.
By using real names and legitimate email addresses, his program, the source code of which can be viewed here, was able to add thousands of signatures onto any petition he wanted, massively inflating the perceived demand for a discussion on the related issues.
Adams demonstrated his method by adding 12,000 signatures to a petition demanding a commitment to building a space elevator in the UK. All of the signatures were removed within 7 hours, but according to Adams, this was only because he had used a “very obvious method.” “All emails are from a single domain,” he continued. “If one was serious it would be very easy to obfuscate fake signatures, by using a number of domains and voting only for real/popular petitions.”
The code involved does not currently break any laws. Adams does not gain unauthorised access to the government’s systems, but instead communicates with the server in the same way that a human does. It is also extremely simple: the core logic is about 100 lines of code, which create the email, fill the petition form, check the email and click on the link.
The government does shut down fraudulent petitions when it detects them, but in this case, they had to be alerted by an outside source. Dr Mark Avery, the creator of a petition to ban driven grouse shooting, alerted the House of Commons Petitions Twitter account to the sudden spike in numbers on his petition. The fraudulent signatures were removed, but no further action was taken.
Western governments have made increasing use of e-petition systems to boost political engagement in recent years. In the U.K., if a web petition on the government’s official site gains 100,000 signatures or more, it will be considered for a debate in Parliament. Given Adams’ videos, this raises the question of how many previous debates have been triggered with petitions that contained fake votes.
Adams noted that the bot targeted a few serious petitions at the same time as flippant ones, to see if there was any difference in the time it took for signatures to be taken off the final count – the grouse shooting petition in particular was only targeted after it had reached the 100,000 signature mark, in order to not affect its legitimacy.
Furthermore, according to Adams, the House of Commons has yet to introduce an adequate system to prevent further abuse of the system.
“The point is, after the [fraudulent 2nd referendum petition], they should have introduced measures to prevent the same thing from happening in the future,” said Adams. “They never acknowledged how the fraud was committed, and out of 4 million votes they only recognised 77 thousand overseas signatures as fraudulent.”
Even though the examples given were corrected by the petitions site, Adams claims that there are still ways to make vote manipulation impossible to detect on the system. According to Adams, if his bot had only introduced “100-200 signatures in an hour, then nobody would have noticed. If a bot uses 10 domains and sends 100 requests an hour, it is completely undetectable.” A simple way of stopping the bot from functioning would be captcha verification, Adams said, a system that has yet to be introduced.
“Whilst I don’t mind buggy websites it’s a bit worrying [that] the UK government and Parliament waste time on and… can potentially make a decision based on something [that] can be so easily abused,” said Adams. “On top of that they have [a] postal vote fraud problem which seems to be done just as easily.”
A House of Commons spokesperson told Breitbart Tech that “any UK resident or British citizen is entitled to sign e-petitions. We ask petitioners to confirm their details, including name, email address, and postcode. The Government Digital Service (GDS) investigates signature patterns to check for fraudulent activity on petitions. Any signatures which match more than one of the criteria indicating fraud are removed.”
“GDS uses a number of techniques, including automated and manual, to identify, block or remove signatures. Further anti-fraud measures have been introduced in recent weeks following analysis of the fraud detected on the EU referendum petition. We are unable to comment further on our security checks. Much like the traditional paper petitioning system which asks people to provide an address and signature, the e-petitions system aims to strike a balance between allowing people to easily register their support for issues which are important to them, whilst discouraging dishonesty.”
Soon after we received the statement from the House of Commons, Adams informed Breitbart News that there was now a signature limit per petition per IP, although he says he easily cracked this new security stage by routing his traffic via free proxy servers, nullifying the new layer of security within 24 hours of it being created.
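The signals mentioned in this article (signatures concentrated on one email domain, a sudden hourly spike, a per-IP limit) can be combined under the spokesperson's stated rule of removing signatures that match more than one criterion, as follows. This is an added example, not GDS's code or anything from the original article; the field names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median


def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def flag_signatures(sigs, max_per_ip=3, domain_share=0.5, spike_factor=10):
    """Return indices of signatures that match more than one criterion.

    sigs: list of dicts with keys petition, email, ip, hour (integer bucket).
    Thresholds are illustrative assumptions, not values used by GDS.
    """
    by_petition = defaultdict(list)
    for i, s in enumerate(sigs):
        by_petition[s["petition"]].append(i)

    flagged = []
    for idxs in by_petition.values():
        domains = Counter(email_domain(sigs[i]["email"]) for i in idxs)
        ips = Counter(sigs[i]["ip"] for i in idxs)
        hours = Counter(sigs[i]["hour"] for i in idxs)
        baseline = median(hours.values())  # typical hourly volume
        for i in idxs:
            s = sigs[i]
            hits = sum([
                domains[email_domain(s["email"])] / len(idxs) > domain_share,
                ips[s["ip"]] > max_per_ip,
                hours[s["hour"]] > spike_factor * baseline,
            ])
            if hits > 1:  # a single matching criterion is not enough
                flagged.append(i)
    return flagged


def constructed_sample():
    """Constructed data: 12 organic signatures over 6 hours, then a burst of 40."""
    sigs = [{"petition": "P1", "email": f"user{h}{k}@mail{k}.example",
             "ip": f"198.51.100.{h * 2 + k}", "hour": h}
            for h in range(6) for k in range(2)]
    sigs += [{"petition": "P1", "email": f"name{n}@bulk.example",
              "ip": f"203.0.113.{n}", "hour": 5} for n in range(40)]
    return sigs


if __name__ == "__main__":
    print(len(flag_signatures(constructed_sample())), "signatures flagged")
```

In the constructed sample the two organic signatures that arrive during the burst hour match only the spike criterion and are left in place, while the 40 single-domain signatures match two criteria even though each comes from a different IP address.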
Jack Hadfield is a student at the University of Warwick and a regular contributor to Breitbart Tech.