08/02/2012

ECI, or how the “security theater” is excluding the Civil Society

The European Citizen Initiative is a great idea introduced in the Lisbon treaty: every citizen can start an initiative, collect 1 million signatures and have the European Commission respond, in the best case by launching a legislative proposal (the European Commission is the only EU institution that has the power to initiate legislation at the EU level). Since the beginning, this idea has been welcomed with a mix of interest (citizens could become more active and engaged with EU affairs, which could contribute to narrowing the EU’s democratic deficit) and fear (we will get extremists using it to push crazy ideas... or simply because institutions don’t like change). But keep in mind that the initiative is basically a super petition, and that the only legal consequence is that the Commission has to reply, not make a law or actually do anything.

I'm not saying that governments (national and the European commission) have actively done all they could to sabotage this great idea, but if I had to make a great idea impractical, I would certainly use the way the Commission has dealt with this one as an inspiration.

A bit of history

I've tried to link to the original documents mentioned, click on their name to download them if you want. Please tell me if the links don't work anymore, I have kept local copies if needed.

First step: green paper and consultation

A vast consultation was initiated by the Commission from 11 November 2009 to 31 January 2010, following the publication of its green paper (the document the Commission produces each time it needs to launch a consultation for important legislative initiatives).

Many basic points were discussed in the green paper: the minimum age, whether there should be a minimum number of signatures per country, how many citizens from how many countries, whether the Commission should validate the initiative text... But one was particularly important: the feasibility of the ECI. The text was clear on that point: "it seems clear that the ultimate objective of Community provisions in this regard should be to ensure that Member States can guarantee adequate verification of the eligibility of signatures collected for a European citizens' initiative within their country, without imposing unduly restrictive requirements upon citizens or unnecessary administrative burdens."

Civil society groups, indeed, often raised the point that it shouldn't be too complicated for the organisers to collect the signatures. All good and fair and balanced. The consultation gathered quite a successful number of contributions by EU standards (about 300; contributions from public authorities are no longer accessible, by the way).

Second step: commission proposal

After the big principles and general ideas of the green paper and the various inputs received, the Commission analysed the contributions and, taking into account (or not) what had been said, proposed a draft regulation (law). This was an interesting read, and you could see, from the changes since the green paper, that the member states and the civil society had different objectives and needs. I would say that in this draft regulation the first prevailed and the second was basically removed. To stick to our example of the “unnecessary administrative burdens” (see quote above), the sentence was rewritten as: "The procedures should be simple and user-friendly, whilst preventing fraud or abuse of the system and they should not impose unnecessary administrative burdens on the Member States."

Notice what happened to the promise to avoid unnecessary administrative burden: first made to citizens, it has been re-addressed to Member States...

Another point to notice: the annex contains a budget, and includes half a million euro for “Information systems” the first year (and 100,000 for the other years).

A bit of back and forth between the Member States (Council), the European Parliament and the Commission, and in December 2010 everyone agrees and...

Step 3: Regulation

That’s the official document Regulation on the European citizens' initiative and it starts with a page turner “Having regard to the Treaty on the Functioning of the European Union, and in particular the first paragraph of Article 24 thereof, …” (Fair warning, laws are not a fun read).

One major issue is that each member state has the freedom to decide what information they need to validate a signature. Again, we are talking about a petition, not about voting to elect someone.

So they all went creative: only 9 countries wanted to make it easier and don’t require an ID number. The rest are putting up a major roadblock by wanting a passport or ID number with an additional bunch of specific requirements (e.g. Bulgarians and Greeks need to provide their father’s name, Latvia and Slovakia ask for the name at birth, Italians need to know the issuing authority for their ID...).

The other big problem is that all that work of collecting signatures can’t be re-used for anything else. That’s the first thing we learn in the NGO world: when you do a campaign, collect the signatures and focus on the campaign, but don’t lose the bigger picture: try to transform the signatures into supporters, and at least contact them by email from time to time if they give you the authorisation.

I do understand the aim of protecting privacy, and I’m more sensitive than most on this issue. However, if a user wants to make her signature public or wants to help promote the campaign, why should the Commission deny this right? That’s why there is an opt-in to make the information public or to let the organisers contact us back on almost every petition system.

“The organisers shall ensure that personal data collected for a given citizen’s initiative are not used for any purpose other than their indicated support for that initiative, and shall destroy all statements of support received for that initiative and any copies thereof at the latest one month after submitting that initiative to the Commission.”

It is not even certain that an email could be sent to signatories to ask them to promote the petition to their friends on Twitter, Facebook or by email, as “asking to promote” is a different purpose than “indicating support”.

The last stab on citizen participation? Online signatures: “In order to put modern technology to good use as a tool of participatory democracy, it is appropriate to provide for statements of support to be collected online as well as in paper form. Online collection systems should have adequate security features in place in order to ensure, inter alia, that the data are securely collected and stored. For that purpose, the Commission should set out detailed technical specifications for online collection systems.”

I’ll explain why it’s so bad in the next part.

As an aside, the regulation says that “The Commission should make available an open-source software”. The free software movement should celebrate, that’s to my knowledge the first time this is explicitly mentioned in an EU regulation (in general the Commission prefers to support intellectual property on software, as it again did this week by signing the infamous ACTA Treaty - MEPs, please vote no to this act of piracy!).

Technical Specifications for the online Collection

This one hurts.

The green paper was an open consultation, but the technical specification has been written behind closed doors, and despite various requests, I and others from the civil society couldn’t be informed nor provide any input. We couldn’t see it until at least 6 months after it was drafted, and the final document was approved with almost no input from the Civil Society (someone leaked me the draft document a few days before its approval... too little, too late).

This document (the approved one) is an endless list of best practices, probably a list that you could copy/paste into the requirements for any online banking system or military solution. The initial document has been written by Deloitte, a big consultancy company that has more experience in those fields than in NGOs or campaigning.

It should be noted that some of the requirements (e.g. the server hosting the application should be installed in a secured rack, in a DMZ...) mean that the hosting cost incurred by the NGOs is several orders of magnitude bigger than what you would have to pay otherwise. It also means that all the most modern solutions like cloud hosting are excluded.

Another brilliant quote from the document: “Personal data collected from signatories and its backup are secured via strong encryption algorithms in line with point 2.7.7(b). [...] Signatories’ personal data are only available in the system, including the backup, in encrypted format. For the purpose of data consultation or certification by the national authorities in accordance with Article 8 of Regulation (EU) No 211/2011, organisers may export the encrypted data in accordance with point 2.7.7(a).”

As a reminder, this is not a legislative act but the interpretation of the regulation by a big consultancy company and some public servants from the European Commission, who cautiously reserved to themselves the definition of the technical aspects.

Neither has experience running a big campaign, and likely no experience of agile (read: cheap) software development as we know it in the NGO world, and they haven’t openly discussed it with the Civil Society, even though it is the main stakeholder concerned by this initiative.

I have no idea how they were selected, nor why they didn’t consult a broader range of people.

As for the document from Deloitte, some things are specified in great detail and, with a bit of extra input, could have been less stupid.

One example? The fields to be completed by the signatories should support the following data formats: “Country 20 alphanumeric characters”. Why on earth would you want to have a 20 char field for a country, when you know their names (hint: they are the Member States) and you can provide a list, and manage only their 2-letter country code (ISO)?

Another one “There are no optional fields as the system should only ask for the necessary data for the Member State chosen.”

So “would you like to be informed of the result and receive our newsletter” is NOT legal? “Would you like to share this initiative with your friend on facebook” is NOT legal? “Would you like to make your signature visible”?

Basically, take out all the techniques we have learnt from years of experience running campaigns, and discard them, or face the risk of having an illegal and not approved solution.

At least be sure they aren’t implemented in the software developed by the Commission to collect the signatures, the one that should make it easier to get the software approved.

“open” software

People at the European Commission told me they were going to see if existing open source software could fit the bill. After all, open source is all about not re-inventing the wheel and collaborating; it would make sense to use and, if necessary, improve an existing software, wouldn’t it?

I did mention to them the leading open source CRM software for the civil society, and what “my society” implemented for 10 Downing Street (one of the first big scale petition systems in Europe).

So, they did indeed conduct a survey of the existing software. The normal way of evaluating open source software is to use a search engine and visit the most used code sources repositories (google code, sourceforge, github, bitbucket...) and to ask openly, for instance in the identified projects (using their mailing list and forums) if they know others that should be included. We are in general aware of other competing projects, and proud enough of our integrity to mention them.

Deloitte, the chosen company to conduct the study, is not known for leading or actively participating in open source software (there are plenty of companies that would have been better suited), so what they did instead was to ask the few contacts in the Member states, that presumably don’t have a lot of experience either on online campaigning nor petitions. And the few they did manage to hear about they didn’t bother contacting.

The normal way to evaluate an open source software is not only to look at what features already exist, but mostly at how simple it would be to add them. After all, it’s open source, so you can easily improve it, can’t you? Another point they have completely missed is the size and activity of the community around each software, and asking them if they planned on working on the missing features.

Besides ignoring most of the open source petition/campaign projects, they didn't even bother contacting the few they stumbled upon. They basically discarded the tool developed for petities.nl (several million signatures collected), because they didn't find the source, even though the author would have provided it! From what I read in the report, they didn't even bother testing the software themselves, but asked the contact persons in the Member States to answer questions like “Is the application based on a well-known database”. If they had done a proper evaluation and actually looked at the software themselves, they could have answered these questions without having to rely on an intermediary that might not have had the technical knowledge to answer them.

For instance, one question was “The software must have reasonable hardware requirements (no exotic hardware should be required for running the software).” and two projects “failed” because they didn't answer. If the evaluation had been properly done, they would have tried to install the software themselves and got the answer themselves.

It is interesting to note that the individual answers have been removed from the publication, and only the aggregated results published, so there is no way to see if the conclusion was based on factual mistakes.

What they have done is how you’d evaluate closed source commercial software. A poor methodology to evaluate an open source one.

Anyway, all that doesn’t matter, because even though the report concludes “We hence believe both (public-i and Gov2DemOSS) tools are eligible for reuse”, the Commission chose to develop their own software from scratch. I never quite found the rationale for that decision published.

The normal way of doing an open source development is to publish the specifications, ask for input and improve them, and let people see the development progressing, well before it’s in a working state. As one could have feared, that’s not how it was done. They went silent for months, and only communicated to invite us to come once the software was ready (without publishing any document beforehand) in January 2012.

The result has been published, again failing to apply the most basic open source conventions (e.g. providing a “README” or a “LICENCE” file). It is still in pre-alpha status (even though we need to send the software for validation at the latest in one month to be able to launch in April).

The usability is nowhere near the best practices (e.g. avaaz)... and that doesn’t matter so much, as so far, no one has been able to install it on a pure open source (MySQL) stack. So much for the “user friendliness”.

Let me repeat that again: the software developed by the European Commission in secret has mainly been built on Oracle, an American database whose licence costs thousands of euros. Various people tried on a 100% free software stack, and it is impossible to run the official software without having to pay a licence or having to resort to exotic configurations that are not recommended.

Luckily, it is not mandatory to use this software. The issue is that very few countries have in place the required process to validate the software. Using the “official” software is already going to be difficult to launch in April; having an alternate one might be even harder.

How the Commission is killing any chance of successful online ECI

Those who collected signatures in the street for various petitions know how difficult it is to get a signature already, and you know how much more difficult it is when you need to see an id, let alone write down the number.

This is even more a problem for online signatures. I personally won't sign a petition online that requires me to provide my passport number. This requirement makes it impossible as well to integrate well with social networks, and sign using your Facebook account easily for instance.

Let’s repeat here that the only required result from such a petition is a response from the Commission (presumably "thank you for your initiative"...). Did I mention that this is basically the same requirement as for a question by an MEP, and that having an MEP ask a question takes an exchange of about 2 emails with their assistant (provided that your question interests them)...?

The regulation is hard: having to ask proof of ID for citizens of 18 countries is difficult, having to deal with different mandatory information to collect for each country doesn’t help, but the nail in the coffin is at the technical level for the online signatures.

To be fair, this is mostly constraints introduced by the Member States, the Commission isn’t the only one to blame ;)

Online ECI problems

To find the first problem, you don't have to go further than the title “Requirements specification for online collection of statements of support system software”.

Collecting the signatures is a tiny part of the campaign. If you focus only on that one, you will fail. To be successful, it has to be part of a broader action, how to find supporters, how to do viral marketing... and let the people that sign promote the initiative. How to insert it into the social media that they use? How to keep them informed of the progression, may be try to have them organising signatures in their companies or communities?

Knowing your supporters is key: if they accept, you should be able to keep their contact details. I’m sure that if I sign a petition, I want to know more about the organisers and receive more information on the topic! Who knows, I might wake up Sunday morning and go to the market to gather signatures and raise awareness.

Unfortunately, because of the way the technical requirement is written, it’s not possible. Whatever you collect must be “not used for any purpose other than their indicated support for that initiative”. And if by any chance, despite all these problems, you succeed in collecting all the signatures? You have to destroy all the contact details of your supporters and never contact them again!

Anyway, the software provided by the Commission is strictly and only focused on collecting the signatures: nothing about sending emails, no integration with social networks, nothing about promotion or marketing. It is therefore completely inadequate for any campaign that aims at using the internet properly. It is not technically possible to re-use the contact data to send them an email, for instance.

The final nail of certification

Once you have got all the servers & software installed (congratulations, you belong to the happy few that did succeed), you need to get it certified in the country where you are going to host the system. This means, among other paperwork, conducting a risk analysis. You'd think that using the user-unfriendly software from the Commission would avoid it? Think again. Even though the Commission did do a risk analysis (127 pages!), it only covers 3 components (database, front office, back office). You are expected to cover twice as many once you include the persons that can access the data, the computers they use, the servers & ISP, the network infrastructure, your security policy, the contractual relationship with your provider, their policy...

We did ask various companies specialising in security audits; the cheapest we could find was above 10'000 euros. On top of the actual hosting cost. For a solution you can't use for campaigning because you can't contact the people that sign.

To make it cheaper, you can do the certification yourself. These are the "recommended/mandatory" readings:

  • ISO/IEC 27000: Information security management systems: Overview and vocabulary
  • ISO/IEC 27001: Information security management systems: Requirements
  • ISO/IEC 27002: Code of practice for information security management
  • ISO/IEC 27005: Information security risk management
  • OWASP (Open Web Applications Security Project) best practices
  • OWASP top ten most critical web application security risks
  • OWASP Application Security Verification Standard (ASVS)
  • Common Weakness Enumeration (CWE)
  • FIPS PUB 140-2 - Security requirements for cryptographic modules

Each of them has a lot of pages, and most you need to buy. Just the cost of buying these documents is around 1000 euros, and reading them is days of work (if you haven't read any norm published by the ISO, let's just say that none has made it to the best seller list of the New York Times).

Why this doesn’t help security (much)

One of the leading experts on security describes it as security theater:

“Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security. An example: the photo ID checks that have sprung up in office buildings. No-one has ever explained why verifying that someone has a photo ID provides any actual security, but it looks like security to have a uniformed guard-for-hire looking at ID cards.”

In our case, the problem is the encryption. They require all the information to be stored encrypted, but, obviously, as the organisers need to decrypt it to send it to the national authorities, you need to have the key.

So that is like requiring you to store the signature in the most expensive safe, in a home with 2 meter thick walls and a moat with crocodiles, but you have to keep the key in your pocket. If someone can find a way into the home, then how secure and expensive the safe is doesn’t matter: getting the key is probably not going to be the main problem.

In practice, it means that you need to download the signatures and decrypt them locally, where they don’t require the moat with the crocodiles. As everyone working on security knows, that was the weakest point all along, not so much the server.

Moreover, it means that we can say goodbye to all the smart anti-fraud systems we usually have on online petitions. To be able to tell whether signatures are real, you need to be able to compare the new ones with what you have already. Is there a “mechanical” pattern? Too many signatures from the same domain name, from the same place or having the same zip code? Is it normal to have so many visitors with IP addresses from China or India? Are they signing multiple times?

On a proper system, you could see the pattern and stop the fraud in seconds. Here, you have to download the list of signatures on your pc, decrypt and analyse. Too little, too late.
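To make the last two paragraphs concrete, here is an added example (my own illustration, not code from the Commission, Deloitte or any petition project) of the checks a collection system can only run if it still sees the signatures in clear at signing time: duplicate signers, concentration on one email domain, IP or zip code, a mismatch between the declared country and the country a geo-IP lookup returns, and “mechanical” timing. The record layout, the thresholds and the `geo` field (assumed to come from an upstream geo-IP lookup) are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample of signing events (not real signatories). "geo" is the
# country an upstream geo-IP lookup would return; the lookup itself is assumed.
SAMPLE = [
    {"email": "anna@example.be", "ip": "192.0.2.10", "zip": "1000",
     "country": "BE", "geo": "BE", "ts": "2012-02-08T10:00:00"},
    {"email": "bram@example.nl", "ip": "192.0.2.11", "zip": "1012",
     "country": "NL", "geo": "NL", "ts": "2012-02-08T10:03:21"},
    # same person as the first record, only the letter case differs
    {"email": "Anna@Example.be", "ip": "192.0.2.12", "zip": "1000",
     "country": "BE", "geo": "BE", "ts": "2012-02-08T10:07:45"},
] + [
    # a burst: one IP, one domain, one zip code, foreign origin, 5 s apart
    {"email": f"bot{i}@spam.example", "ip": "203.0.113.5", "zip": "9999",
     "country": "FR", "geo": "CN", "ts": f"2012-02-08T11:00:{i * 5:02d}"}
    for i in range(8)
]


def normalise_email(address):
    """Lower-case and trim so that re-signing with different case is caught."""
    return address.strip().lower()


def analyse(records, share_limit=0.5, min_burst=5, max_jitter=1.0):
    """Return a dict of fraud indicators over a batch of signing records.

    share_limit: fraction of the batch from one domain/IP/zip that is suspicious
    min_burst:   minimum signatures from one IP before timing is examined
    max_jitter:  max std-dev (seconds) of gaps still counted as 'mechanical'
    """
    if not records:
        return {}
    n = len(records)
    flags = {}

    # 1. Same signer several times (after normalisation).
    emails = Counter(normalise_email(r["email"]) for r in records)
    flags["duplicate_signers"] = sorted(e for e, c in emails.items() if c > 1)

    # 2. Too large a share of the batch from one domain, one IP or one zip code.
    keys = {
        "domain": lambda r: normalise_email(r["email"]).split("@", 1)[1],
        "ip": lambda r: r["ip"],
        "zip": lambda r: r["zip"],
    }
    for name, key in keys.items():
        value, count = Counter(key(r) for r in records).most_common(1)[0]
        if count / n >= share_limit:
            flags[f"{name}_concentration"] = (value, count)

    # 3. Declared Member State does not match where the request came from.
    flags["geo_mismatch"] = sum(1 for r in records if r["country"] != r["geo"])

    # 4. Mechanical timing: near-constant gaps between signatures from one IP.
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(datetime.fromisoformat(r["ts"]))
    mechanical = []
    for ip, times in by_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= min_burst - 1 and pstdev(gaps) <= max_jitter:
            mechanical.append(ip)
    flags["mechanical_ips"] = mechanical
    return flags


if __name__ == "__main__":
    for name, value in analyse(SAMPLE).items():
        print(f"{name}: {value}")
```

Every one of these checks needs the plaintext while the signature is being received; once the data only exists encrypted on the server and is analysed after a manual export, the burst has long finished.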

Workarounds

Discussing with other people from the NGO or academic world, we seem to reach the same conclusion: we need to find a workaround if we want our ECI to succeed. The one we are going to put in place is to separate the “register and support our campaign” step from the “online signature collection” step.

I’d really want to avoid having to explain that “this time you register your support so we can contact you”, and “that time you need to sign again, but to collect your support online in the crazy stupid way the regulation requests”.

In practice, it’s likely to mean a clunkier interface than necessary. We are working on avoiding asking our supporters to fill in two forms, by somehow chaining them, but it is not clear how we can do that yet.

Another option we are evaluating is to use encrypted partitions (disks) that would suffice to satisfy the requirement to store the data encrypted, no matter the software used.

Otherwise, the other obvious solution is to have the European Commission host their software and let everyone use it; they are almost the only ones that could install it in the first place.

Conclusion

Call me cynical, but from the member states or the commission’s point of view, having unsuccessful initiatives is as useful as successful ones. There is the possibility for the citizen to create an initiative and everyone can sing how much everyone strives to have an open European democracy... it doesn’t matter much if it is used and works in practice. Actually, it is probably even better if it doesn’t work, less things to change, less answers, less of everything...

As for the process, remember how half a million was budgeted for the IT part? Well, when you have a budget, you need to spend it, and it’s way more fun to develop your own toy than to adjust an existing one. That’s the disease of the IT world: “Not Invented Here”. That’s a shame, as there are so many things to implement, like split testing or artificial intelligence to prevent fraud, that would have put Europe at the forefront of eparticipation if added to an existing solution, instead of developing something clunkier than what already exists and has been used for years.

On the good news side, we don’t have to use their software, and the public money wasted amounts to less than what was spent to bail out private banks. We could work on a real open source software that already has a community, and that already has all the important components for a successful campaign (emailing, social network integration, petition). We can still work around the “security theater” constraints, but it would be much better to get rid of the constraints that don’t improve anything, i.e. adjust the legislation. Please contact me, I’m happy to collaborate with anyone willing to improve the ECI.

On my side, I have an ECI to launch in April, with the EC-provided software that is not made for campaigning, that we need to send for certification one month before the launch, and that no one seems to know how to install nor how to certify. If you are working on an ECI too, let’s discuss it; I think we’ll need some group therapy.

“Hi, I'm Xavier and I'm an ECI campaigner”.
