As the Zone watched the 21 March 2023 Cambridgeshire County Council meeting vote against the referendum, Cllr Alex Beckett raised some interesting points over the Greater Cambridgeshire Partnership (GCP) Making Connections consultation.
Cllr Alex Beckett said the following. It seems he mixed up voting and replying to the consultation. At least it is presumed to be a slip, perhaps like reassuring the other Councillors over exemptions to the Mill Road bus gate – where he misspoke and gave incorrect information.
“...coming back to people voting all over the world, that’s actually a slight specialist subject of mine. I used to be an IT security professional, what I used to do is doing those sorts of things. So there are very many ways you can look to exclude those and to look at where people have voted from and to take out multiple responses. Very happy to do that. The GCP will no doubt be looking carefully at the data to make sure it is an accurate reflection.”
Cllr Alex Beckett, Cambridgeshire County Council meeting 21 March 2023
This is excellent news. As an IT Security Professional, he will know how to identify and root out all those bad responses. He is seemingly happy to do so, despite it not being his problem, as he isn’t a part of the GCP.
The Zone also has a history in IT security, perhaps not up at Cllr Beckett’s level. The Zone’s experience is from both sides of the fence in offensive and defensive roles. The Zone could expand more on this, but as the saying goes, you would need to be humanely disposed of. Harsh, but there we go. Nothing to see here. Move along, please.
So, from the Zone’s perspective, how could the GCP detect improper responses? Let us look at a few options that spring to mind during a sunny Cambridge afternoon.
Possible detection criteria | Reason to exclude or downgrade | Why is this an invalid reason to exclude or downgrade the response |
---|---|---|
The response only answered specific questions, potentially only Question 9. Nothing further was included in the response. | Responses that answer only Q9 are rooted out as incomplete. They can be discounted as providing no further response, on the basis that the quality of the response is too poor to be counted. | The consultation had a single compulsory question. No information was provided about how the responses would be examined or if a threshold was needed to make a response valid. Answering just a single question is a perfectly valid response. |
No name provided | The response is anonymous, so there is no way to identify the response as being a person eligible to respond. The response may be ignored or downgraded. | There was no requirement to supply identifying information as part of the consultation. Simply because a response was anonymous does not discount the response as being valid. |
No location (postcode) provided | The lack of a location means the response cannot be determined as that from someone impacted by the proposals, so the response may be ignored or downgraded. | No geographic limits were imposed. The proposal impacts the Greater Cambridgeshire area, and its effects extend to much of East Anglia: the regional trauma centre and Addenbrooke’s hospitals serve a much wider area than just the GCP proposal. So a response from any location is valid. |
The location provided is outside the Greater Cambridgeshire area | The response has been completed by someone outside the GCP’s remit of Greater Cambridgeshire, so it can be discounted or downgraded. | See above. |
The IP address of the respondent is outside the region, country, etc. | The response could be invalid as the location of the computer completing the response is outside the area. | This would be a false assumption for any one of the following reasons. The response could be completed by someone away from home. The respondent could be using a mobile network, where the presenting IP address could be anywhere in the country. The respondent could be using a VPN service; masking your IP address is a basic security precaution. IP address tracking isn’t like the films. While tracking an IP address to a location is possible, it’s not just a simple lookup like the phone book. It requires a bit of effort and, in some cases, a warrant too. |
Multiple responses from the same IP address | Responses from the same IP address show that someone is completing multiple responses, so the responses are excluded or downgraded. | Any home broadband presents to the internet as a single IP address, regardless of the number of devices within a household. So if multiple people complete the consultation on their own or shared devices, they will all have the same IP address. This does not make them invalid. Users of a VPN service will also share IP addresses, which will be where the VPN breaks out onto the internet. The response could be completed on behalf of another person, such as an elderly neighbour who doesn’t have the ability to do it themselves. Filtering by IP address is pretty much pointless. |
Multiple responses from a machine with the same session cookie. | The consultation website created a session cookie when completing the response to enable you to save partially completed responses to complete later on. Once the response was submitted, this data was cleared. However, a session cookie with a 2-year expiration date was left on your machine. This may be used to track if the same machine completed multiple responses. Multiple responses from the same machine can therefore be excluded or downgraded. | Whilst they did indeed leave a long-term session cookie on any machine completing the consultation (lasting 2 years), this does not make any responses from this machine invalid. Multiple people could share the same machine. In fact, the cookie is created when you visit the consultation webpage. It may not even be linked to a successful submission. What could be suspicious is if the same machine completed hundreds of responses within a few minutes. Although that data would need to be explicitly identified in any report. |
The response was from a browser in Private mode. | The responder blocked the cookies and hid behind an anonymous mode on their browser. This could indicate the responder is deliberately trying to hide their digital identity so that the response may be excluded or downgraded. | Running a browser in private mode or using security software to do the same is normal. With the increase in digital fraud, trying to hide your digital footprint is quite common as a self-protection measure. Many devices do this automatically by default for you. A response coming from someone protecting their digital identity is not grounds for exclusion. A responder using Tor, for example, hides their identity and location pretty well. |
Responses contain the same or very similar data. | Many responses with the same or similar data supplied indicate template responses so that they can be excluded or downgraded. This could be similar incorrect spellings or grammatical errors seen across multiple responses. Each such response can be grouped with the others, and those are treated as a single response. | This would be an invalid assumption. Some pressure groups went as far as offering question-by-question template responses for people to use. Just because many responses are the same or similar does not exclude them from being valid responses. Many responders could share the same views and express them in the same ways. They are all equally valid. |
This is a tiny, high-level view of potential reasons to exclude or downgrade a response. Many more routes are available but are too detailed or technical to go into here. Suffice it to say that it is quite hard to hide your digital footprint. From a technical standpoint, it is quite obvious when people do try, but the act of doing so should not be used against them. Well, that’s not strictly true. But a lot depends on the bigger picture of what they are trying to do or gain access to.
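
The one signal the table does treat as potentially suspicious, hundreds of responses from one machine within a few minutes, can be checked without penalising shared households, shared machines or private browsing. The sketch below is an added example, not code from the GCP or its consultation platform; the record fields (`time`, `ip`, `cookie`), the 100-in-5-minutes threshold and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_bursts(submissions, key="cookie", min_count=100,
                window=timedelta(minutes=5)):
    """Return {key value: peak count} for keys whose submissions reach
    min_count inside any sliding window. Flagged means 'review and report',
    not 'exclude'. Field names and thresholds are assumptions."""
    by_key = defaultdict(list)
    for s in submissions:
        if s.get(key):  # no cookie (private mode) is never a reason to flag
            by_key[s[key]].append(s["time"])
    flagged = {}
    for value, times in by_key.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_count:
            flagged[value] = peak
    return flagged

def build_sample():
    """Constructed sample data; IPs are from the documentation range."""
    t0 = datetime(2023, 1, 10, 19, 0)
    rows = []
    # Household: four people, one broadband IP, spread over an evening.
    for i in range(4):
        rows.append({"time": t0 + timedelta(minutes=20 * i),
                     "ip": "192.0.2.10", "cookie": f"household-{i}"})
    # Shared machine: one cookie, three responses on three different days.
    for i in range(3):
        rows.append({"time": t0 + timedelta(days=i),
                     "ip": "192.0.2.20", "cookie": "shared-pc"})
    # Private-mode browser: no cookie stored at all.
    rows.append({"time": t0, "ip": "192.0.2.30", "cookie": None})
    # Burst: 150 responses with one cookie, one per second.
    for i in range(150):
        rows.append({"time": t0 + timedelta(seconds=i),
                     "ip": "192.0.2.40", "cookie": "burst"})
    return rows

if __name__ == "__main__":
    data = build_sample()
    print("burst rule:", flag_bursts(data))
    # The naive "more than one response per IP" rule also catches the
    # household and the shared machine, which is the table's objection.
    print("naive IP rule:", flag_bursts(data, key="ip", min_count=2,
                                        window=timedelta(days=30)))
```

On the constructed data the burst rule flags only the 150-response cookie, while the naive per-IP rule also sweeps up the household and the shared machine.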
Knowing how the GCP responses could be filtered impartially will be interesting, assuming they admit to doing it and publish the criteria. The Zone cannot see why any consultation responses should be excluded or downgraded. Every response, however terse, is core data to be fed into the GCP. Similar responses should also not be grouped as a single entity. Doing so will skew the results.