Online EU consultation
ISA study for open source software for online collection of statements of support for European citizens’ initiatives
Questionnaire for Member States, EU institutions and other organisms regarding the use of open source software systems for online collection of statements of support for European citizens’ initiatives. [1]
Please, specify the name of your organisation
Stichting Petities.nl (or Foundation Petitions.nl)
Please, specify your first and last name
Reinder Rustema
Please, specify your contact information (e-mail address, phone number)
reinder@rustema.nl +31621224775
Please complete the following questions for each identified system
1. Do you have/do you know about any online data collection systems[1] in place and/or in development? [1] An online data collection system is a web-based software application that is able to collect, store and process data.
Yes
1.1 What is the name of the system?
petities.nl, the national signature data collection system in the Netherlands, part of the EuroPetition.eu project.
1.2 What is the URL/web page address?
http://petitions.nl is the online national data signature gathering system. A showcase of the upcoming version can be found at http://demo.petities.nl, an 'explanimation' video about it at http://www.youtube.com/watch?v=cKAiBMzA10M, and the open sourced code at http://github.com/petities
1.3 Which party/Who developed the system? It can be a natural person or a company.
The Foundation Petitions.nl in collaboration with Alias Internet Publishing. The source code can be found at github.com/petities. It received several rounds of funding from the Dutch national government. Programmers R. Tuithof, S. Onland, J. Kok and S. Preeker have worked on the code since 2005.
1.4 For which purpose or what organisation is it used?
The goal of the foundation Petitions.nl is to make it easy for citizens to start or sign a petition, pass it on to the relevant authority and broadcast the answer from the authority back to all the signatories. Between May 2005 and February 2011 around 1,3 million confirmed signatures have been collected in one database for more than 700 local, national and European petitions and citizens initiatives. Only national citizens initiatives so far, but the system will be ready for European Citizens Initiatives as soon as the requirements are known. Both the code and the service will be publicly available to all Europeans.
The system has a history with three versions. Versions one and two were developed with the Alias Internet Publishing framework and version three (December 2009) is built with the Ruby on Rails framework. Currently version 3.2 is being developed, which will be the first with open sourced code. It will also be multi-lingual. At least English will be supported, but theoretically all languages of the European Union can have an interface the moment it is translated.
What are the technical characteristics of the system?
2.1 Is it an open-source software? Open-source software (OSS) is computer software that is available in source code and certain other rights normally reserved for copyright holders are provided under a software license that permits users to study, change and improve the software.
Yes
2.2 In which programming language is the source code written?
PHP
2.3 Is the source code available on line?
Yes
2.3.1 Where is the source code published? (http://...)
2.4 Under which license is the source code available?
GPL
Other
2.4.1 Please specify
AGPL to be precise
3. Does the tool contain help functionalities or frequently asked questions?
Yes
Which data input features has the system?
4.1 Is the data filled in on screen or uploaded by document?
The data input is mainly done by individual citizens through a centralised web interface, but other interfaces (mobile web, SMS, mobile App, Java-widgets on other sites, applets, interactive television and what comes in the future) can all do input using the application programming interface (API). The system always sends out an e-mail to have a signature confirmed and to ask to fill in extra (required) fields. Without an e-mail address one cannot sign.
Existing databases with signatures can be uploaded to the website on request, under the condition that each signature comes with a working e-mail address and each signature (statement of support) is confirmed by e-mail.
4.2 Are the data fields fixed or can they vary per country, region or language or vary depending on the answers to previous questions?
Certain data fields can remain hidden or not compulsory. For example, petitions have fewer compulsory fields than citizens initiatives. Our ambition is to further the petitions data standard from the EuroPetition project and establish an XML standard for both petitions and citizens initiatives, with petitions being 'upwards compatible' to citizens initiatives. In other words, a citizens initiative which does not comply with formal requirements can still function in the same system as a petition.
4.3 Does the system allow the definition of input controls on certain fields? (e.g. data format, number format)
Yes
4.4 Does the system allow the definition of mandatory fields?
Yes
4.5 Are the data fields easily configurable?
Yes
4.6.1 Which of the official European languages can be used?
Using the Tolk add-on, automatic translation to any language is possible. First only the English translation will be formally available. Other translations will be implemented when there is funding for high quality translations.
4.6.2 Is it easy to add an additional language?
Which features has the system concerning the confidentiality of personal data?
5.1 Do signatories need to register on the website to access the system?
Yes
5.2 Does the system have authentication mechanisms, such as login and password, token, ... for the signatories? If yes, please list the mechanisms.
The e-mail address functions as the login and a token e-mailed to the signatories is the password. The token is included in a unique URL which gives direct access to the signature confirmation page by following the link in the e-mail. It is not required to enter a password anywhere; just following a link in an e-mail is the most user-friendly solution. In the first version a username and password combination was used, but this proved to be a huge obstacle to achieving volume. With this design one can only sign once per e-mail address.
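The confirmation flow described in 5.2, as an added Ruby example that is not code from petities.nl. The class and method names, the placeholder host, storing only a SHA-256 digest of the token, and applying the one-signature rule per petition are assumptions made for the illustration.

```ruby
require "securerandom"
require "digest"

# In-memory stand-in for a signatures table (hypothetical, not the project's schema).
class SignatureStore
  Signature = Struct.new(:petition_id, :email, :token_digest, :confirmed)

  def initialize
    @by_key = {}     # [petition_id, email] => Signature; enforces one per address
    @by_digest = {}  # SHA-256(token) => Signature; lookup for the e-mailed link
  end

  # Record an unconfirmed signature and return the raw token to e-mail.
  # Returns nil when this address has already signed this petition.
  def sign(petition_id, email)
    key = [petition_id, email.strip.downcase]  # normalise so case/space variants collide
    return nil if @by_key.key?(key)

    token = SecureRandom.urlsafe_base64(32)    # 256 bits from the CSPRNG, URL-safe
    # Only the digest is stored, so a leaked table does not yield working links.
    sig = Signature.new(petition_id, key[1], Digest::SHA256.hexdigest(token), false)
    @by_key[key] = sig
    @by_digest[sig.token_digest] = sig
    token
  end

  # Unique URL placed in the confirmation e-mail (host is a placeholder).
  def confirmation_url(token)
    "https://petitions.example/confirm/#{token}"
  end

  # Following the link: find the signature by token digest and confirm it.
  def confirm(token)
    sig = @by_digest[Digest::SHA256.hexdigest(token.to_s)]
    return :unknown_token if sig.nil?
    return :already_confirmed if sig.confirmed

    sig.confirmed = true
    :confirmed
  end

  # Only confirmed signatures count towards a petition.
  def confirmed_count(petition_id)
    @by_key.values.count { |s| s.petition_id == petition_id && s.confirmed }
  end
end
```

Because the token in the link is the only credential, anyone who can read the URL in transit can use it, which is why the move of signature confirmation to https mentioned under 5.4 matters for this design.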
5.3 Does the system have authentication mechanisms, such as login and password, token...for the (database) administrators? If yes, please list the mechanisms.
Yes, the database administrators and the lead petitioners (author of petition or citizens initiative) do have a login and password accessible through the petities.nl/admin screen. The e-mail address is the login.
5.4 Which measures (e.g. protocols, ...) were implemented to ensure a secure client-server conversation throughout the entire dialogue? (e.g. HTTPS, ...)
The https-protocol is used (and soon also ipsec under IPv6) for the lead petitioners and the database administrators and petition managers (authorities receiving petitions through petities.nl). Confirming a signature will also go through https in version 3.2 (spring 2011). In version 3.1 signatories confirm their signature over http.
Which features has the system concerning the integrity of personal data?
6.1 Is data modification possible once the statement form is submitted?
Yes
6.1.1 Please specify who can modify the data
Citizen who submitted
Organisers
Member state
Other
6.2 Is data deletion possible once the statement form is submitted?
Yes
6.2.1 Please specify who can delete data
Citizen who submitted
Other
6.3 Which measures are in place to prevent malicious code? (cross site scripting, SQL injections,...)
Which features has the system concerning the storage of personal data?
7.1 Does the application support different access profiles to the application's data? E.g. signatories, organisers, administrators...
Yes
7.2 Is the application based on a well-known database?
Yes
7.2.1. Please specify on which database is the application based?
MySQL
7.3 Is the system protected from external attacks? (E.g. database, network, host...)
Yes, the web-servers are a demilitarized zone (E.g. physical or logical subnetwork that contains and exposes an organization's external services to the Internet)
Yes, there is a firewall and/or proxy implemented to protect the system from outside attacks
Other
7.3.1 Please specify how is the system protected from external attacks (Other)
Which features has the system concerning reporting?
8.1 Does it contain reporting and/or exporting functions on the data collected?
Yes
8.1.1 Please give details
Export as PDF or as .csv with fields required by authorities. In the case of a citizens initiative more fields are included than in the case of a petition. The exported information also includes information about signatories who have chosen to remain invisible through the website. E-mail addresses are always excluded from the export. A maximum of three e-mailings can be broadcast to the signatories through our system, but these are never executed by any citizen or any authority; they are moderated by the administrators of the Foundation Petitions.nl, based on a formal, neutral set of criteria.
8.2 Who has the authority to view reports and/or export this information?
Organisers
Member State
Other
8.3 How is the collected data passed on to the competent authorities?
Electronically
Paper
CD-ROM
8.4 Is there any functionality to facilitate the validation of signatories by competent authorities?
Yes
8.5 Which security measures were implemented, with regard to reporting personal data? E.g. data alteration,...
Yes
9. Did you apply any existing practice standards for specific subjects such as security, usability, accessibility, etc., in the development of the system? E.g. ISO standards,...
The website scored the highest in all criteria for the national accessibility standard and received three stars out of three (drempelvrij.nl)
The usability of the site has been tested since 2005 by nearly 1,5 million users, resulting in hundreds of e-mail comments translated into usability improvements.
As a security guideline we prefer not to store data we do not need.
10. Do you think the tool should be considered for re-use?
The tool is written with international re-use in mind. Other neutral foundations or businesses with the goal to promote petitioning in the democratic process can and should use our tool, which has been tested for more than five years by more than 1,5 million users. It is funded with public money and therefore should be used by the public, also internationally. It cannot easily (and perhaps should not) be used by organisers of specific initiatives. It is a specialised business to service the online collection of signatures reliably. It is an option to make the use of the system by anyone else but the organiser of a specific initiative invisible. The reliability of the data can no longer be guaranteed (data can be altered) and the privacy of the users is not properly protected (they can receive e-mailings).
The service is designed for "petition service providers" rather than NGOs and activists. They are considered as end-users (like any citizen). By having many different end-users using the same system the tool becomes more reliable because of the neutral position of the petition service provider. End-users need less marketing because of the experience and trust many of the citizens already have from signing other petitions or citizens initiatives with the same national service. The economies of scale also make it cheaper to operate the service. One or a few such services in each region in Europe would do. Using the API and the network of EuroPetition the signatures can be synchronised and exchanged in such a decentralised network.