Friday 17 June 2016

Security 001

A couple of issues that have come up so far: 1. the rogue admin scenario and more generally robustness to sabotage, schism, etc. - this goes beyond security proper and into the realms of resilience - back-up & recovery, that kind of thing. Chris:
Something which I've been thinking about, which will be an issue regardless of the platform(s) we use, is how to hold the administrators/moderators to account. This isn't an immediate issue but it could become one down the road, so I think it is good to try to address this from thee start. We want to ensure that admins aren't in some way giving preference to those they agree with and also that admins aren't in some way directing the discussions. There are various suggestions I can make to ensure that users' views are represented. This can include electing moderators and having the chief authority be a council selected by sortition. It would be good to have mechanisms in place in the software which allow for changes to these roles, including recall, to happen automatically. Another issue is that of the sysadmin-type roles. These are by there nature technical and are thus not something that just anyone can do. This is a role which probably would not be suitable for election. However, it is also the single most powerful position, as the sysadmin can reprogram the entire system if they want. As I see it, the best way to handle something like this would be to keep the configurations and source files open source such that, if the sysadmin were to go rogue, someone else could immediately copy the website and start it up where it left off.
2. login method & credentials for various classes of personnel. Chris again:
People contributing to the response papers would need to be members of [LR]. Perhaps to register they would need to prove membership of Momentum, or something. Momentum's database would have to give everyone a unique identifier. If they could find that out and enter it in when registering, along with the email or postcode they used with Momentum, then their membership could be verified. This would likely require coordination with Momentum in order to happen, unfortunately, and god knows whether we'd be able to get them to actually respond.

1 comment:

Tim Wilkinson said...

Need input on this: how are we going to vet new members? In security terms, I'm thinking of avoiding saboteurs and vandals, and to the extent that people may end up as admins etc, infiltrators etc. Considering such scenarios may sound over-dramatic but given this is a 'security' thread for once I don't think I have to jump through any hoops to explain why it's necessary to consider what are in fact entirely plausible scenarios assuming - as we obviously must - that the project gets off the ground.

I think we probably want to restrict membership to Labour members. As well as helping to filter out various kinds of advertent and inadvertent troublemakers, it would give the project the status (if not officially) of a Labour organisation, which has some cachet compared to the status of a random bunch of people on the internet, and would be useful as we try to expand our circle of contacts, patrons, influence etc.

Three main possibilities occur to me:

1. We personally invite members based on our own knowledge of them and assessment that they are not likely to cause problems. Cons: cliquey, may be quite a slow way to build a network. Standardly in this kind of social network members thus invited would also invite more people. However the further down a chain like that one goes, the less faith one can have that our idea of a trustworthy invitee is being adhered to.

2. We rely on Labour party vetting and require proof of membership of the Labour party. How we do this is unclear. I don't think we can expect co-operation from the Party machine, unless members approach their CLP to contact us on their behalf or something like that. This might have advantages in gaining visibility and (one hopes) registering demand within CLPs, but also meakes us reliant on those CLPs, who may be hostile or dilatory.

Is there an email domain that all and only members can gain access to? I had thought of using sometyhing like and requiring applicants to post on a forum there to prove they had access, but the site appears to have no member feedback facility at all these days (all the more need for our initiative! I wonder who removed all the Web 2.0 facilities and why? It is 'Promoted by Iain McNicol on behalf of the Labour Party both at Southside, 105 Victoria Street'.)

Do we ask for a scan or photo of a membership card? Will people be willing to provide this (do we try to enlist someone they trust to guarantee that there wonlt be any unspecified 'funny business' involving such scans?)

Maybe we just ask for a membership number etc and check these as and when possible. This would mean that anyone joining under the false pretence of being a Labour member would have to fabricate a definite deception. If we are offering a service in exchange for the information, one might arguably even suggest that doing so is a breach of quasi-contract, or even a criminal fraud.

3. We get verification or approval via Momentum. This combines various advantages and disadvantages of the other two approaches.

Getting co-operation from Momentum, especially individual branches, is a much better bet than from Labour. But there is less security, no guarantee of Labour membership, and the same bottleneck involved, of relying on branch chairs to forward or endorse applications. Momentum is a good vehcile for recruitment but perhaps less so for vetting. I'll leave this hanging and come back to it later..