A petition on the UK parliament website calling for the government to stop Brexit has attracted more than 3 million signatures.
Former Ukip leader Nigel Farage told the BBC’s Today programme a lot of the signatures were “from Russia”.
It’s true that some of the signatures have come from overseas, and we know that hackers have targeted official petitions relating to Brexit before.
We also know that it is relatively easy to sign the petition using a false identity. So how seriously should we take the petition?
The petition
The petition calls for the government to “revoke Article 50 and remain in the EU”.
It quickly passed the threshold of 100,000 signatures needed for parliament to have to consider the question for debate.
The numbers are being updated quickly, but at time of writing, the petition has just over 3.3 million signatures.
You “sign” by clicking a button on the website, entering a name, email address, location and postcode, and ticking a box that says you are a British citizen or UK resident.
An email gets sent to the address you entered, and you click on another link to complete the process.
It has been suggested today that it’s possible to sign more than once using different names and the same email address, but FactCheck has not been able to replicate that result – we get an error message telling us we have already signed.
It’s possible that people who thought they were signing multiple times missed the fact that they needed to get an email and click on the link to get your signature added.
Update: the House of Commons have now told us that two people can in fact sign from the same email address, although we still can’t replicate this in tests.
A spokesman said: “Many people share an email account with a partner or do not have access to email. To ensure that the petitions system is as accessible as possible, up to two people can sign from the same email address. An email address can only be used twice.
“The number of these signatures is strictly monitored to ensure that this feature is not abused. The number of these signatures on the article 50 petition is within the normal range – around 1 per cent.”
The security problems
Residency and nationality
People can sign from all over the world, and there doesn’t appear to be a way of definitively checking their nationality or residency.
If you click on the “get petition data” link, you get a list of countries where signatures originate.
The list is enormous, covering almost every country in the world and some fairly obscure overseas territories: Bonaire, Sint Eustatius and Saba, anyone?
This is not necessarily evidence that hackers are gaming the system. After all, a British citizen living anywhere in the world can legitimately sign the petition, and sometimes people use Virtual Private Networks (VPNs) based overseas to hide their real online location.
Of course, it would be suspicious if very large numbers of people in places with small populations – say British Antarctic Territory – were signing up.
But they aren’t. The obscure island territories are showing handfuls of signatures, and the countries with the most are ones with large British expat populations like France, Spain, Germany and the US.
How many of the signatures were made by computers overseas? Only 3.8 per cent, according to the latest data on the petitions site (the numbers are being updated all the time, so you may get a different result if you run the calculation yourself after reading this).
So at the moment, it doesn’t look like enough signatures are coming from overseas to skew the results significantly.
But ultimately, we can’t be sure about where people are from, because the petition relies on honesty. You tick a box declaring yourself to be a British citizen or resident, but there is no detailed check on your status.
It’s also worth noting that people who are resident in the UK but not citizens can legitimately sign the petition, whereas the voting rules in the 2016 EU referendum were very different.
Most EU citizens living in Britain could not vote for or against Brexit, so it’s possible that a significant number of people signing the petition did not take part in the referendum. How many? We don’t know.
You can sign using a false name
We tested the system in the newsroom, and we found that it’s very quick and easy to sign the petition using a false identity.
We created an account under a made-up name with an email platform that doesn’t have strict rules about verifying the identification of its users.
The petition sent an email to the bogus email account and we could have registered our signature if we had clicked on the link.
This opens the question of whether individuals have signed the petition multiple times using pseudonymous accounts, perhaps using different devices with different IP addresses.
Our understanding, based on conversations with cybersecurity professionals, is that this would be fairly easy to spot if it was being done with thousands of signatures at a time.
Many signatures coming from a device with the same IP address – or made at exactly the same time – would raise red flags.
When hackers used software to automatically add large numbers of multiple signatures to an earlier Brexit-related petition in 2016, the site administrators went back and looked for patterns of suspicious behaviour, then removed tens of thousands of dodgy signatures.
We can speculate that they might do the same again, but the House of Commons is being fairly tight-lipped about its security measures.
A spokesman told us: “The Government Digital Service use a number of techniques, automated and manual, to identify and block signatures from bots, disposable email addresses or other sources that show signs of fraudulent activity.
“They also monitor signing patterns to check for fraudulent activity. Much like the traditional paper petitioning system, which asks people to provide an address and signature, the e-petitions system aims to strike a balance between allowing people to easily register their support for issues which are important to them, whilst discouraging dishonesty.
“We can’t comment in more detail about the security measures.”
They did add that they had introduced “additional measures” after the 2016 hack “to stop the abuse of free and disposable email addresses to add fraudulent signatures to a petition”.
In a later, separate statement, they told FactCheck: “Some types of fraud are monitored to ensure that it does not affect the integrity of the petition. Evidence of fraud may affect whether the Petitions Committee choose to act on the petition.
“We do not comment in detail on fraud. Ideally someone who has tried to fraudulently sign the petition would never realise that they have failed.”
The verdict
In the absence of more detail from the people who run the petitions website, it’s hard to say exactly how resistant the system is to fraud.
When hackers used bots to add bogus signatures to another Brexit petition in 2016, they boasted about it on the 4Chan message board.
We can’t find evidence of people bragging on that site a about large-scale security breaches this time around. And the House of Commons says it has stepped up security since then.
There is a question mark around overseas signatures, but these are not happening in large numbers.
Similarly, the House of Commons has deliberately designed the system so that two people can sign using the same email address, saying many people share accounts with their partner. It opens the possibility of more duplication, but the Commons says the number of people doing this is only around 1 per cent.
Perhaps more worryingly, it is pretty easy for individuals to sign the petition more than once using fake email addresses, and we simply don’t know if the security protocols are good enough to spot these duplicates and remove them from the final tally.
This story was updated on 25/03/2019 to include more information from the House of Commons.
