The European Citizens’ Initiative (ECI) is a potentially significant change coming out of the Lisbon Treaty: here, I try to see how general security principles could be applied to the process from signing up (online) to validating an entire ECI
The basic idea of the ECI is that if an initiative attracts the right number of signatures from around 9 different countries, the Commission will be required to treat it as a legislative proposal – similar in concept I guess to initiative petitions in California, Switzerland or Italy – with the caveat that the proposals still have to be enacted by Council and Parliament, giving a way to prevent minority groups using ECIs to impose their ideas on the whole EU
- Read the official version at the Commission’s website here.
One of the objectives of the EuroPetition project is to support the ECI process, so, I thought I’d write about one specific aspect of the ECI, applying general security principles to the route a signature must take before it can be validated as part of the 1m stong roll. So without further ado, here’s the picture. I talk about it more below…
When it comes to think of the processes and risks involved, it’s best to divide the process into four, corresponding to the larger pale blue and pink shapes. Each is considered in turn, together with some of the risks that would need to be mitigated.
- This is very much a work in progress: please correct me if where I have made mistakes…
Claiming identity: signing
Who you say you are. The act of signing is one of asserting (a) you are human – ie not a spambot and (b) you are a EU citizen. The signature may be communicated through a number of channels – paper and dedicated websites are the dominant route right now, but SMS/MMS, IPTV, and Social Media tools (like Facebook apps, or CitizenScape) are coming up strong, and others will appear too. Spam checks will be a constant challenge for online signature collection.
Checking identity: verification
Verification is conceptually split between:
- How do you prove it – authentication (address, ID documents for paper- and their electronic equivalent
- What you can do (ie sign the ECI) – authorisation
In practice it seems best to start with the two together and keep the threshold low. A range of authentication techniques can be used: it is not necessary at this stage in the process to validate every signature against a national electoral rolls: it is quite possible to leave this to the validation stage.
I think for now, authentication the main thing. So long as the signature is on an EU petition, the assumption will be that it is by someone who is eligible to sign, remembering that there is a verification back-stop to ensure that invalid sigs don’t distort the overall result. This has the advantage of keeping the actual signing process simple.
Too much verification will discourage signatures and kill the ECI
Risks: spam, forged signatures, invalid signatures, over complication validation discouraging engagement.
Building the list: Secure storage
The final signature storage should ensure data retains integrity and is auditable, respects confidentiality and remains available to authorised users. Options for storing the signatures vary between a single EU-wide database, through to a myriad of local systems submit signatures.
The system should ensure data retains integrity and is auditable, confidential and available to authorised users (only).
There are the usual needs for the system holding the signatures to be subject to a security analysis and testing, including:
- Stress / size tests of database: need to be confident with a database with 1m+ signatures – and the record insertion rate that implies
- Certification of records once in system to prevent/detect tampering
- Support for sample based verification of signatures (retrospective checks on authorisation)
- Exchange and exposure of signature data using common format between systems
Risks: tampered records, lack of audit trail – leading for instance to signatures being applied to multiple ECIs, breach of Data Protection and privacy legislation
Represented by the pink box. There would be a one-off (but repeatable and auditable) process for validating a petition/ECI as a whole, whether at national, or EU level. A great way of killing the ECI would be to insist on 100% verification of all signatures. It should be possible to pick a sample to give the required level of certainty that the threshold has been crossed (eg if you want to be 99.9% that you have 1m valid signatures in when 1.1m have been submitted – sample size would be x, for some x in the low 100s).
Risks: Bureaucracy, bad process design/sampling
There is an administrative challenge of deciding on eligibility criteria and rules:
what about a German resident in London: they can vote in local elections in England, but German national elections. They shouldn’t be allowed to sign twice… now, what if this German signs the petition on an Austrian website?
Conclusion and questions
The great thing is that there are no novel challenges here, so long as there is clarity of ideas around the basic security requirements.
This begs the question: What do they do in places that have equivalent systems in place??? I don’t know…
PS: I just want to mention what a pleasure it is working with Word 2007’s ‘Publish to Blog feature’. It just works.