
Parliamentary e-Petitions consultation - can they be trusted with signers' personal and communications traffic data ?

[via Ideal Government]

The House of Commons Procedure Committee is tentatively seeking public views on the idea of having Parliamentary e-Petitions, equivalent to old fashioned paper based ones.

[...] The Committee has been asked by the House of Commons to propose an e-petitions system with the following key elements: Members should be engaged with e-petitions as they are with written petitions; e-petitions should be open for the addition of e-signatures for a certain period before formal presentation; once presented they should have the same status as written petitions. [...]

Working on the assumption that Parliamentary e-Petitions are genuinely meant to be a 21st century mechanism to re-engage a distrustful, fearful, disenfranchised public with the seemingly out of touch politicians in the Palace of Westminster, here are a few thoughts:

  • Will my signing an e-Petition actually influence our Parliamentary democracy and Government policy ?

    The recent record of Parliament exercising proper detailed scrutiny of Government policies and legislation is very poor. Perhaps if MPs were made more directly aware of the strength of public feeling via e-Petitions, instead of through tabloid newspaper and broadcasters' headlines, they might serve the public better.

  • What is the potential risk to me as an individual, if I do dare to put my head above the parapet and electronically record an expression of a facet of my political views, at a certain time and date ? Will this be held against me in the future when I may have changed my mind ?

  • If extremists, criminals or terrorists also support the same e-Petition on a controversial topic, will I become tarred with "guilt by association" according to the "Rich Picture" being developed electronically by the law enforcement and intelligence agencies, both in the UK and overseas ?

  • Will I become a target for commercial direct marketers or spammers or fraudsters ?

  • Will MPs or political parties be seeking my votes and / or my money, directly as a result of my signing such an e-Petition ?

  • Will this e-Petitions system offer more facilities to a signer than a paper based one ?

The House of Commons Procedure Committee should learn the lessons from the MySociety.org projects like

a) PledgeBank.com

Given the vast numbers of mobile phones, the ability to sign an e-Petition via a mobile phone SMS text message should be obvious, and has been done by PledgeBank.com for ages.

and

b) the No. 10 Downing Street e-Petitions to the Prime Minister website and its behind the scenes, scalable, IT infrastructure

Both of these essential features owe a lot to the late Chris Lightfoot - RIP.

Learn from the Code of Practice for 12 week Public Consultations issued originally by the Cabinet Office, now under the Department for Business Enterprise & Regulatory Reform. Submissions to such Public Consultations are nowadays mostly via email and / or word processed electronic documents,

Signing a controversial e-Petition - safeguards from snooping ?
If Parliament is to be seen by the public to actually be independent of the executive branch of Government, then Parliamentary Privilege must be used to protect those who propose the wording of an e-Petition and those who eventually sign it.

It is inevitable that there will be e-Petitions which touch on politically sensitive subjects e.g. Northern Ireland, animal vivisection, human genetics, abortion, fundamentalist extremist religions, immigration policy, foreign wars etc.

All of these topics may attract small minorities whose activities come under suspicion by the Police or Intelligence agencies etc. on the vague grounds of "extremism" or "national security" etc., some of whom may well try the peaceful democratic approach to getting policies changed by signing an e-Petition, along with the vast majority of others who remain peaceful and law abiding. The current trend towards slurping large amounts of data about the general public, treating them as potential suspects, and retaining it indefinitely into the future, e.g. Project Rich Picture etc., should not be allowed to be applied to the Parliamentary e-Petitions system.

Signing a Parliamentary e-Petition on a controversial topic should never be recorded against you as a black mark on your electronic secret dossier held by law enforcement or intelligence agencies or by any other branch of Government.

Unless there are extremely strong legal protections, comparable to those under which the Census data is collected and protected, then many of the people most likely to be affected, or most vehemently for or against the e-Petition, will be inhibited from responding, and Parliament's political engagement with the public will be brought further into disrepute.

There must be legally enforceable prohibitions, with criminal penalty sanctions e.g. up to 2 years in prison and / or unlimited fines, against the use or abuse of the Parliamentary e-Petitions system where it asks for, or records, Personal Data (e.g. name, address, post code, Parliamentary Constituency, age etc.), or any associated electronic Communications Traffic Data (e.g. IP address, web browser cookies, web browser type, proxy server variables, mobile telephone SIM card number, mobile phone handset International Mobile Equipment Identifier, Cell ID Location etc.)

The Prime Minister must promise Parliament that the "Wilson Doctrine" extends to all aspects of any such Parliamentary e-Petitions system (see the Spy Blog Wilson Doctrine category archive for more details about this vague exemption from interception of Westminster MPs' telephone calls, which should, in theory, cover emails, web form submissions and mobile phone SMS text messages to an e-Petition system).

Any Parliamentary e-Petitions system must be legally exempt from snooping by the Police or Security or Intelligence services etc. under the Regulation of Investigatory Powers Act (RIPA), or any other legacy law or secondary legislation powers under any other Statute.

Private sector commercial companies must never have access to the data collected.

Individual Members of Parliament or Peers or Political Parties must never have access to name and address or email or phone contact details etc. of e-Petitioners, without the explicit, informed prior consent of the signer.

None of the electronic infrastructure should expose British citizens' data to snooping by foreign Governments with useless Data Protection laws or to commercial companies e.g. if the web servers or email servers etc. are hosted in countries outside of the European Economic Area such as the United States of America or the Russian Federation or India etc.

It should be obvious, but it is worth emphasising, that there must never be any HMRC / NAO style "missing unencrypted copies of the entire database" on CDs, DVDs, tapes, laptop computers, USB memory devices etc. malarkey with any Parliamentary e-Petitions system.

The security and privacy protections of the e-Petitions system should be regularly reviewed by independent penetration testing experts - if you can find any of them left in the UK once the inept and controversial "dual use" and "belief" amendments to the Computer Misuse Act come into force.

e-Petitions do not have to be as limited as paper based ones

Do not be limited by thinking of e-Petitions as being exactly like their paper based analogues. There are things which can easily be done with an e-Petition which are technically impractical with a paper based one e.g. the ability for an authenticated signer to "unsign" the e-Petition at a future date.

Make sure that there is some proper server side filtering of all variations of meta control characters (e.g. "<" or grave accents etc.) in any name or other details web submission forms, to preclude XSS Cross Site Scripting attacks.
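One way to do the server-side handling described above, as an added example that is not from the original post or from any real e-Petitions system. It encodes meta characters on output rather than deleting them, so a name such as O'Neill survives; the function names, the 100 character limit and the sample inputs are assumptions.

```python
import html
import unicodedata

MAX_NAME_LEN = 100  # assumed limit, not taken from any real system


class RejectedInput(ValueError):
    """Raised when a submitted name cannot be accepted."""


def clean_signer_name(raw: str) -> str:
    """Normalise and validate a submitted name on the server."""
    # NFKC folds look-alike variants (e.g. fullwidth U+FF1C) into plain
    # ASCII "<", so the encoder below sees every variation of the character.
    name = unicodedata.normalize("NFKC", raw)
    # Turn any whitespace into a space, then drop remaining control characters.
    spaced = (" " if ch.isspace() else ch for ch in name)
    name = "".join(ch for ch in spaced if unicodedata.category(ch) != "Cc")
    name = " ".join(name.split())
    if not name or len(name) > MAX_NAME_LEN:
        raise RejectedInput("name is empty or too long")
    return name


def encode_for_html(value: str) -> str:
    """Encode for HTML element content or a quoted attribute value."""
    # html.escape covers & < > " and '. The grave accent is added because
    # old Internet Explorer versions accepted it as an attribute delimiter.
    return html.escape(value, quote=True).replace("`", "&#96;")


def render_signature_row(raw_name: str) -> str:
    """Build one list item for a public list of signatories."""
    return "<li>" + encode_for_html(clean_signer_name(raw_name)) + "</li>"


if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    samples = [
        "Anne O'Neill",
        "<script>alert(1)</script>",
        "\uff1cb\uff1eAnne\uff1c/b\uff1e",
        "x` onmouseover=alert(1)",
    ]
    for sample in samples:
        print(render_signature_row(sample))
```

The encoder is only correct for HTML element content and quoted attribute values; a name placed inside a script block, a URL or a stylesheet needs the encoder for that context instead.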

Any web form asking for your signing details should also be https:// (i.e. SSL / TLS session) encrypted, just like a credit card or internet banking transaction, by default.

Consider a lenient approach to made up pseudonyms and aliases and email addresses, even if a list of signatories is displayed on a public website. There will be a minority of some offensive names and political slogans, but most web blog or discussion forum users easily take these in their stride.

Following the example of PledgeBank.com, it should be possible, and permitted, for the creators of an e-Petition to email or send SMS texts to signers via the system, without knowing people's individual details, informing them of slight error corrections to an e-Petition, details of when and where the formal response, if any, to the e-Petition can be found, or the existence of other similar e-Petitions on similar topics. The signer should always be able to opt out of such future email / SMS announcements.

There is no reason why aggregated anonymous public statistics of the number of signers of a particular e-Petition by Parliamentary constituency (easily determined explicitly or via a post code lookup during the signing process) should not be available to the public and therefore to constituency Members of Parliament.

One of the lessons from the Cabinet Office / BERR code of practice on Public Consultations is that it just looks like a "going through the motions" or "rubber stamping" exercise if the people who have put some ideas out for consultation then go and issue some secondary legislation or regulations which impinge on the topic under consultation, during or immediately after the 12 week consultation period. This totally devalues the whole exercise.

Care should be taken to coordinate the business of the House of Commons or the House of Lords to ensure that, if, say, a Select Committee is writing a report on a certain issue, and there is also an ongoing e-Petition on the topic, that they do not leak or publish their findings, before the results of the e-Petition have been made public. This mechanism must not, however, be abused to deliberately delay the publication of a Select Committee report which may be critical of the Government until after, say, a forthcoming election or crucial vote in Parliament.

There is an e-Petitions discussion forum on the Parliament website which runs until the 15th February 2008.

Comments

anything to be learnt from the Scottish Parliament's epetitions, which has been around since 1999!

http://epetitions.scottish.parliament.uk/

