The Article 50 Petition HAS been hijacked by bots. We know, because we did it!
The petition to revoke Article 50 has received millions of signatures. It looked pretty obvious to us that it was being gamed by bots to make false political capital, seriously devaluing the UK Government’s platform for digital democracy. So we tested it for ourselves. In a single weekend, with a budget of £22, we were able to make 72,000 confirmed robotic entries. Imagine if we’d put any real effort and resources into it!
Why did we do it?
A few reasons prompted us to perform this experiment:
1/ We believe in citizen participation and engagement as fundamentals for a healthy democracy, and think that digital should be a powerful enabling channel. We hate to see the credibility of that destroyed by slipshod systems open to corruption.
2/ The equivalent petition in 2016 calling for a “Second Referendum” just after the real referendum result also received millions of questionable signatures. After investigation, government admitted that it had indeed been hit by huge levels of fraudulent bot activity. Action was promised to prevent recurrence. Yet, a couple of years later, the same thing seemed to be happening with a petition on the same subject and on an even greater scale. That suggested a failure to address known problems.
3/ Despite knowing that the system had previously been abused, sections of the media seemed to be underplaying any possibility of the petition having been gamed. The arguments given were laughable, but this added false credibility for vested interests wanting to present a distorted picture of their support based on these numbers.
How did we do it?
We didn’t want to invest too much time, just enough for a proof-of-concept to confirm that the petition system was unrecoverably discredited.
So, armed with a few hours of a junior develop’s time on Friday evening, we built a PHP script that we then ran over the weekend using spare capacity on one of our web servers. This was the methodology:
* Writing the code: 3 hours to develop, test, and refine a crude but functional script. The bot created unique submissions and then polled the email service to click the verification links in the ‘thank you’ emails sent by the Petitions service.
* Installation on a server: using spare capacity on a single existing server.
Postcode lookups: using a free API service to pull in a random but genuine UK postcode to go with each submission.
* Random name generator: using a free script to generate random but realistic first names and surnames.
* Email: £12 to set up an IMAP mailbox with a catch-all facility so that all incoming email would be collected regardless of the specific address used.
* Domains: Temporarily repurposed 10 ‘sleeping’ domains in our existing portfolio so they could be used for email purposes.
* Proxies: £10 for a month’s access to thousands of proxy IP addresses to make it appear that the entries were coming from different computers.
What happened?
Over the weekend we managed to get just over 72,000 ‘signatures’ submitted successfully to the service. These all had unique names, email addresses, and valid UK postcodes. All submissions were verified by email.
Conclusions
“With just £22, some spare kit lying around, and a few hours’ work, we were able to submit more than 72,000 fake signatures to the petition to revoke Article 50.
We were just trying to demonstrate that the petitions service is wide open to abuse. We managed that without breaking a sweat.
If we had been making a serious effort to abuse the platform to misrepresent the strength of public opinion, it appears that would have been very easy to do. And judging by the ridiculous numbers for those two anti-Brexit petitions, it seems that it is exactly what has been happening.
The UK Government online petitions service needs urgent attention. In its current state, rather than supporting democracy, it is making subversion of democracy child’s play.”
Kevin Holdridge
Managing Director, Kent House Digital Marketing
More information:
https://www.kent.house/uk-petition-article-50-hijacked-by-bots/