Why bots probably aren't gaming the 'Cancel Brexit' petition By Zoe Kleinman

Technology reporter, BBC News Published duration 22 March 2019 Related Topics Brexit

image copyright Getty Images

Questions have been asked about whether a government petition calling for Brexit to be cancelled has been swamped by bots.

Bots are automated programmes which can carry out a command thousands of times.

The BBC spoke to three cyber-security experts about how likely it is that a number of the 3m signatures gathered so far are not genuine.

They all agreed that the petition's email validation process would be a deterrent.

Each signatory has to supply a unique email address to which a verification link is sent before their signature can be accepted. UK-based signatories must also share a valid postcode.

While email addresses are easy enough to set up, doing that in real time at high volume is less straightforward.

Additionally, while it is possible to buy lists of email addresses stolen in various data breaches on the black market, the owner of the list would still need to access those email accounts and retrieve the validation email before being able to sign in the name of somebody else.

The email verification would be likely to deter bots said Lisa Forte, partner at the cyber-security firm Red-Goat.

"Any significant political decision such as this petition is highly likely to attract bots," she told the BBC.

"This particular petition is now employing email verification before signing, meaning it is much harder and therefore much less likely bots are being employed."

'A bit of a pain'

Cyber-security expert Kevin Beaumont said that while it was possible that bots were involved, it would be "a bit of a pain" to build a sophisticated enough programme to cope with the email addresses.

"They would have to make a bot that signs up with unique email addresses, then clicks the unique link to sign," he said.

The House of Commons declined to comment on its security checks but it did say the Government Digital Service uses "a number of techniques" to identify potentially fraudulent signatures and bot activity.

It is not possible to use the same email address more than once to sign the petition.

However, bot activity could still be used to slow down or crash the platform, meaning that people wanting to leave genuine signatures could be prevented from doing so.

This is known as a Distributed Denial of Service (DDoS) attack.

How secure is the petition platform?

"I'm not sure the system itself is that sophisticated - it fell over as soon as people started voting in large numbers," said Prof Alan Woodward from Surrey University.

The UK government's petition platform has crashed several times under the weight of traffic in recent days. The petition launched on 20 February, but has now gone viral.

"Is there some gaming going on? I wouldn't be at all surprised," he added.

"It's a petition, it's not a vote - it's not meant to be as secure as an e-voting system."

According to the rules of the site, anyone can submit a petition. If it gets 10,000 signatures it will receive a government response, and if it gets 100,000 it will be debated in parliament. Beyond that, the numbers don't make a difference, he pointed out.

Is it Russia?

Former UKIP leader Nigel Farage suggested that "Russian collusion" was behind the unprecedented traffic towards the Brexit petition.

While Russia is notorious for seeking to meddle in the politics of the west, on this occasion there is a question mark over what its intentions would be, added Prof Woodward.

"All the evidence is that Russia was supporting the Leave campaign," he said.

"So why would they suddenly be supporting Remain?"

While the petition data (which is currently not updating) reveals that signatures are coming in from all over the world - including small numbers from Russia, China, Iran and one from North Korea where it is unlikely the page can be seen - the UK government said that any British resident or citizen can sign, wherever they are.

The BBC understands that fewer than 4% of signatures are coming from outside the UK at time of writing.

It is however not difficult to disguise or hide a location on the web.

Has it happened before?