Security Issue with Parliament Petitions Website

This is only a minor issue, but one I thought people should be aware of…

While the website at https://petition.parliament.uk/petitions says “We won’t publish your personal details anywhere or use them for anything other than this petition”, it *is* still possible for someone to find out if you’ve signed a particular petition, if they know your name, email address, and postcode.

If you sign a petition, what happens is you get redirected to a page saying “please check your email” — you’re sent an email with a link in it to click, to confirm that the person associated with the email account actually wants to sign.

But if you sign a petition that has already been signed by someone using that email address, you see this instead:

[Image: a web form with “You cannot sign this petition again” in red over the email address]

This means that if anyone wants to know if you’ve signed a particular petition, they can go and find out, just by entering your details.

Now, this is a minor issue, and can’t be used on a major scale — but it’s still revealing your personal data, and I can think of circumstances where someone would not want that data revealed.

The solution is easy — just have the website *always* redirect to the “check your email” page, and send out another email saying “you have already signed this petition”. That simultaneously stops anyone from finding your data, and also lets you know that someone’s been trying to use your name and email address. Quite why they’ve chosen to do something which I’m pretty sure is in breach of the Data Protection Act instead, I don’t know…
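The leak and the fix described above, as an added example that is not code from this post or from the petitions site: `Petition`, `sign_leaky`, `sign_uniform` and `is_oracle` are constructed stand-ins for the real endpoint, store and mailer.

```python
from dataclasses import dataclass, field


@dataclass
class Petition:
    """Constructed in-memory stand-in for the petition store and mail queue."""
    signers: set = field(default_factory=set)   # normalised emails already signed
    outbox: list = field(default_factory=list)  # (email, message) pairs to be sent


def _key(email: str) -> str:
    return email.strip().lower()


def sign_leaky(p: Petition, name: str, email: str, postcode: str) -> dict:
    """Behaviour the post describes: the page itself says whether this
    email has already signed, so anyone who types the details learns it."""
    key = _key(email)
    if key in p.signers:
        return {"status": 422, "page": "You cannot sign this petition again"}
    p.signers.add(key)                      # pending-until-confirmed is elided here
    p.outbox.append((key, "confirm"))
    return {"status": 200, "page": "Please check your email"}


def sign_uniform(p: Petition, name: str, email: str, postcode: str) -> dict:
    """The post's fix: the browser always gets the same page; the only
    difference is which email the address holder receives."""
    key = _key(email)
    if key in p.signers:
        p.outbox.append((key, "already-signed"))
    else:
        p.signers.add(key)
        p.outbox.append((key, "confirm"))
    # Mail is queued, not sent inline, so response time is uniform as well.
    return {"status": 200, "page": "Please check your email"}


def is_oracle(handler) -> bool:
    """True if the response to the browser differs between a first signing and
    a repeat with the same details, i.e. the endpoint leaks signing status."""
    p = Petition()
    details = ("A. Signer", "signer@example.invalid", "SW1A 0AA")  # constructed
    first = handler(p, *details)
    repeat = handler(p, *details)
    return first != repeat
```

`is_oracle(sign_leaky)` is true and `is_oracle(sign_uniform)` is false; with the fix, the second attempt still leaves a notice in the address holder's own inbox.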


One Response to Security Issue with Parliament Petitions Website

  1. Nonconformistradical says:

    “Now, this is a minor issue, and can’t be used on a major scale — but it’s still revealing your personal data, and I can think of circumstances where someone would not want that data revealed.”
    And I would have thought it was breaking the data protection law.
    Personally I keep a separate email address for signing petitions…
