Code for Croatia are one of many groups around the world who have used our software Alaveteli to set up a Freedom of Information site — ImamoPravoZnati (“We have the right to know”) was launched in 2015 and has processed more than 4,000 requests.
Many organisations might count that a success and leave it there, but Code for Croatia are clearly a little more ambitious. We’ve been interested to hear about their two latest projects.
A platform for consumer complaints
The Alaveteli code was written to send FOI requests to public authorities. But in essence, it’s little more than a system for sending emails to a predetermined list of recipients, and publishing the whole thread of correspondence online.
Change that list of recipients, and you can create a whole new type of site. Reklamacije (“Complaints”) puts the process of making consumer complaints online. It’s early days as yet — the site’s still in the beta phase, during which testers are putting it through its paces. There have been messages about bank closures, insurance policies… and even the inconsistent quality of the quesadillas at a Mexican food chain.
As we’ve often mentioned here on this blog, our FixMyStreet codebase has been put to many different purposes that require map-based reporting, but as far as we’re aware this is the first non-FOI use of Alaveteli so we’ll be watching with interest. Perhaps it might give you ideas about setting up a similar service elsewhere?
Probing travel expenses
Code for Croatia have also launched a campaign asking users to request details of ministers’ travel expenses.
If that sounds familiar, you’ll be remembering that back in January, AccessInfo did much the same with EU Commissioners and their expenses on the European Union FOI site AskTheEU. We can tentatively say that they were successful, too: it’s been announced that the EU expenses will be proactively published every two months. AskTheEU say they welcome the move ‘cautiously’, so let’s see how it all pans out.
The key to both these campaigns is pre-filled requests that make it really simple for supporters to make a request to a specific politician, while ensuring that the requests aren’t duplicated.
That’s something that Gemma explained how to do in this blog post — it’s a massive benefit of the friendly global Alaveteli community that we can all share insights like this, and especially that other groups can try out initiatives that have proved successful.
Access to information is a particularly powerful tool in countries like Colombia, where corruption is high and vital peace treaties are underway.
To make accessing information easier for citizens and public authorities alike, a group of journalists in Bogotá, including DataSketch, have recently set up the Freedom of Information request platform QueremosDatos (the name of which translates as “We want data/information”).
The platform uses our Alaveteli software, and we thoroughly enjoyed working with the Colombian team to set the site up with them.
We asked María Isabel Magaña, who is coordinating the QueremosDatos project, about the site and its impacts so far:
Why did you decide to set up QueremosDatos?
I first learned about Alaveteli in Spain while I was doing my Masters in Investigative Journalism. There I was introduced to the platform TuDerechoASaber.es and to the power that FOIA and transparency had. I just knew Colombia needed something like that, especially since the Congress had just approved the first law regarding this matter.
What made you choose to use Alaveteli software for your platform?
What I love about Alaveteli is how easy it is to use for both users and admins. Designing the platform and making it useful for any type of person was the most attractive feature Alaveteli had. But also, because of the people behind it. Gemma, Gareth, and so many more people were ready to help me achieve this goal despite the different time zones and how much time it took to get it up and running.
What impact do you hope the site has?
It has been almost six months since we launched the site. The impact has been great! We have helped people make 274 requests to more than 6,000 authorities. The Government has been interested in the project and has helped us get in touch with different authorities to help them learn about FOIA and the Colombian law and how to work with people through the platform. Users love it, especially journalists.
Which responses on the site have you been most excited about seeing?
My favourite response so far has been one regarding victims of the Colombian conflict. It was very exciting to get the information because of what it meant for the person who was requesting it, and because of the historical context my country is going through. I also enjoyed seeing the transformation the police had when giving their answers: at first they always sent a response asking the user to call them. After a few explanations, they’re now sending complete answers to the requests via the site.
Do you know of examples where information obtained through the site has been used?
Yes! Journalists have used it mostly in ongoing investigations regarding medicines, drug trafficking, and abortion. Students have used it for journalism classes and homework too.
What are your future plans for QueremosDatos?
We are confirming an alliance with the government to promote the site in public offices and to teach public servants about what the Right to Know is, and their responsibilities with it. This pedagogy will be replicated in universities to teach different users about their power to request information.
Many thanks to María for answering our questions. It’s been great to see the impact the site has already had on authorities and citizens alike, especially the change in behaviour by certain public authorities.
We’re really looking forward to following the project’s continuing work, and wish the team the utmost success in their quest to make Colombia a much more transparent society!
We recently explained how to use pre-written Freedom of Information requests for a campaign. We’re glad to see this being used by AskTheEU, the Alaveteli site for Europe.
Today, AskTheEU launches a campaign to request the travel expenses of EU Commissioners — and they are calling on the public to help submit a total of 168 requests.
No matter what your feelings are towards the EU (let’s not even go there), we hope that everyone is in favour of transparency. AskTheEU’s campaign follows the discovery from a request that Commission President Jean-Claude Juncker spent €63,000 on an air taxi to Turkey for the G20 summit. Naturally, they were keen to know whether this level of spending is replicated across the organisation.
After a two-year battle, AskTheEU’s parent organisation Access Info has established that the European Commission will provide information on Commissioners’ travel expenses, but only in two-month bundles.
They’ve already made a start: after submitting legal appeals and new requests, Access Info won access to a handful of documents about the travel expenses of five Commissioners: these can be seen here.
But there’s plenty more to discover, and that’s where the general public comes in. Thanks to the pre-written requests function, all the hard work is already done: it’s just a matter of picking one or two time periods and submitting the already-composed request.
Anyone can participate by going to the campaign website from today. All requests and responses will be made public on AskTheEU.
Well, we’re delighted to say we’ve been shortlisted for a grant. innovateAFRICA judges will take a few weeks to consider shortlisted applications, and winners will be announced on 30th January.
In the meantime, we thought we’d ask the project’s coordinators, Henry Maina from ARTICLE 19 East Africa and Louise Crow from mySociety, to describe the project in a bit more detail and explain why they think it’s so important.
What is the Alaveteli Professional project?
Louise: Alaveteli Professional is a new toolset that we are currently building as a companion service to our existing Alaveteli software. Alaveteli is mySociety’s open-source platform for making public freedom of information (FOI) requests to public bodies.
Alaveteli Professional will provide journalists and those who use FOI in their work with extra functionality and training to ease the process of raising, managing and interpreting FOI requests, which can be a very time consuming and overwhelming task. This is so that they can spend their valuable time on creating more high-impact journalism and research that holds public authorities to account.
Why bring the Alaveteli Professional project to Kenya?
Henry: The project will enable more Kenyan journalists to utilise one critical tool in their armoury: namely the Freedom of Information law enacted on 31st August 2016. It will also complement our earlier training of 25 journalists on the FOI law.
Louise: innovateAFRICA funding will allow us to bring our newly developed toolset to the Kenyan context. The toolset will have already been tried and tested by journalists in the UK and Czech Republic, so we’ll use examples of how these European journalists have successfully used the platform to generate stories in our trainings with Kenyan media. Simply building these tools is not, on its own, enough. For this reason, the Alaveteli Professional project in Kenya will also involve refining the tools for the Kenyan context, the training of journalists, the creation of support materials and the provision of direct assistance in making and analysing requests.
From ARTICLE 19’s experience of training Kenyan journalists on the new FOI law, how will the Alaveteli Professional project help them with their work?
Henry: ARTICLE 19 has trained journalists on the Freedom of Information laws in Rwanda, Kenya, Uganda and South Sudan. In all our past training, we created manual request protocols and follow-up required making telephone calls. The Alaveteli Professional project will help most journalists to easily file, track and share information about information requests in an easy to engage, review platform.
Why is it so important for journalists and citizens alike to hold authorities to account in Kenya?
Henry: First, journalists and citizens are keen to understand why and how their public servants and officials take decisions. Second, citizens have a right to participate in the management of public affairs and effective engagement is only possible if the citizens are well informed.
Will the project also benefit Kenyan citizens who aren’t journalists?
Louise: Yes. Providing journalists with the extra toolset requires us to first install a standard version of Alaveteli. Therefore, alongside citizens in 25 other countries in the world, Kenyan citizens will be able to use the platform to easily send requests to public authorities, or, as all responses to requests are published on the site, browse already-released information.
Citizens will also benefit even if they don’t use the site at all: they’ll benefit from news stories that expose corruption and mismanagement or missing funds and so on, and thus hold those in power to account.
What impact will the project have on Kenyan information officers/civil servants?
Henry: The project is likely to have great impact on Kenyan information officers and public officials. First, it will offer an objective platform to recognise and reward civil servants that enhance access to information as they will be able to manage requests more efficiently. Second, given the trend in questions, officers will be aware of the information that they can and should proactively disclose to lessen individual requests. Third, it will bolster ARTICLE 19’s ongoing work of training information officers that seeks to help them better understand the law and their obligations under it. Four, most of the government decisions will gain traction with citizens as there will be publicly available information on why and how such decisions were arrived at.
What lasting impact do you hope the project will achieve?
Henry: The Kenyan government will be more transparent and accountable, journalists will be more professional and their stories more credible and factual, allowing the country to entrench democratic values.
Louise: As with all our Alaveteli projects, we hope the project will amplify the power of Freedom of Information and open government, by giving a broad swathe of citizens the information they need to hold those in power to account, and to improve their own lives.
How you can help
So there you are — a little more detail on why we hope to bring Alaveteli Professional to Kenya. We hope you can see the value as much as we can! If so, and you’d like to help support the project, please do tweet with the hashtag #innovateAFRICA: every such public show of support brings us a little closer to winning the grant.
If you are using Freedom of Information for a campaign, and you need to request the same information from several different bodies, or a variety of information from one body, it can be useful to put your supporters to work for you.
We recently profiled the Detention Logs project, which is using Freedom of Information requests to uncover conditions in Australia’s detention centres. Anyone can use the information already uncovered to request further documents or clarify ambiguous facts.
One aspect we didn’t mention is that, in order to make this process as quick and simple as possible, Detention Logs provides users with a pre-written FOI request which they can tweak as necessary before sending off to the relevant authority. This is linked to from a button on the Detention Logs website.
This nifty bit of functionality could be useful for all kinds of campaigns. If yours is one of them, read on to discover how to set it up.
As you can see, this unwieldy web address contains all the information that RightToKnow, Australia’s Freedom of Information site, needs in order to create a pre-filled request. The URL tells it who the request should go to, what the title of the request is, and what should go in the main body.
It’s quite simple to create these yourself. Just build the URL up in steps:
- Begin by telling the site that this is a new request: https://www.righttoknow.org.au/new/
- Add a forward slash (/) and then the body you want the request to be sent to (exactly as it is written in the URL of the body’s page of the website): https://www.righttoknow.org.au/new/nsw_police_force
- Add a question mark: This tells the website that we are going to introduce a ‘parameter string’. Now our URL looks like this: https://www.righttoknow.org.au/new/nsw_police_force?
- Input a title: we need to indicate that the next part should go into the ‘title’ field, like this: https://www.righttoknow.org.au/new/nsw_police_force?title= and then dictate what the title should be: https://www.righttoknow.org.au/new/nsw_police_force?title=Police%20brutality Notice that if there is a space between words, it should be shown as %20. To make the process of encoding the URLs easier, you can use an encoder tool like this one: http://meyerweb.com/eric/tools/dencoder/
- Input the body of the request, again using ‘%20’ between each word. This is where your URL can become very long! We use the parameter default_letter; the salutation (Dear…) and signoff (Yours…) are automatically wrapped around this by the site, so there’s no need to include them:
So, there you have it. A customised URL that you can set up if you need supporters to send a pre-written request to a specified body or bodies.
As mentioned above, the Detention Logs project used this method to help their supporters request detention centre incident reports, attaching a different URL to each report so that the title would contain the relevant report number. To see the technical details of how they set this up, visit their GitHub page.
Here are some other parameters that can be used in addition to the ones above:
- body – This is an alternative to default_letter which lets you specify the entire body of the request including the salutation and signoff.
- tags – This allows you to add a space-separated list of tags, so for example you can identify any requests made through your campaign or which refer to the same topic. For example, the Detention Logs project used tags like this: &tags=detentionlogs%20incident-number%3A1-2PQQH5
A tag can have a ‘name’ and an optional ‘value’ (created in the form “name:value”). The first tag in the above example is ‘detentionlogs’ (‘name’) and the second tag is ‘incident-number:A1-2PQQH5’ (‘name:value’). The encoder tool above changes the colon to ‘%3’.
If you use this pre-written request tool we’d love to hear about it, so please get in touch if you do.
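The steps above can be scripted so that every parameter value is percent-encoded rather than only its spaces. This is an added example, not code from mySociety or Detention Logs; it goes a little beyond the post by validating the authority name and by showing what happens to a title containing ‘&’ or ‘#’ when only spaces are replaced by hand. The function names, the sample report ids and the allowed-character rule for authority names are assumptions.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Host and path taken from the page's RightToKnow example.
BASE = "https://www.righttoknow.org.au/new/"

# Assumption: an authority's URL name uses only lowercase letters, digits and
# underscores, as in the page's "nsw_police_force".
SLUG = re.compile(r"[a-z0-9_]+")


def make_tag(name, value=None):
    """Return 'name' or 'name:value'. Tags are space-separated, so reject spaces."""
    parts = [name] if value is None else [name, value]
    for part in parts:
        if not part or re.search(r"\s", part):
            raise ValueError(f"tag part must be non-empty, no whitespace: {part!r}")
    if ":" in name:
        raise ValueError("tag name must not contain ':'")
    return ":".join(parts)


def prefilled_request_url(authority, title, default_letter=None, body=None, tags=()):
    """Build a pre-filled request URL, percent-encoding every parameter value."""
    # Refuse anything that could alter the path or start the query string early.
    if not SLUG.fullmatch(authority):
        raise ValueError(f"unexpected authority URL name: {authority!r}")
    # The page describes body as an alternative to default_letter; this
    # example treats the two as mutually exclusive.
    if default_letter is not None and body is not None:
        raise ValueError("pass default_letter or body, not both")
    params = [("title", title)]
    if default_letter is not None:
        params.append(("default_letter", default_letter))
    if body is not None:
        params.append(("body", body))
    if tags:
        params.append(("tags", " ".join(tags)))
    # quote_via=quote writes spaces as %20 (urlencode's default is '+');
    # safe="" also encodes '/', '&', '#', '=' and ':' inside values.
    return BASE + authority + "?" + urlencode(params, quote_via=quote, safe="")


def naive_url(authority, title):
    """The error-prone approach: concatenate and replace only the spaces."""
    return BASE + authority + "?title=" + title.replace(" ", "%20")


def read_params(url):
    """Decode a URL's query string the way a web framework would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def campaign_links(authority, campaign_tag, report_ids):
    """One link per report id, so each supporter request is distinct and tagged."""
    links = {}
    for report_id in report_ids:
        if report_id in links:  # skip repeats so no request is duplicated
            continue
        links[report_id] = prefilled_request_url(
            authority,
            title=f"Incident report {report_id}",
            default_letter=f"Please provide the full report for incident {report_id}.",
            tags=[make_tag(campaign_tag), make_tag("incident-number", report_id)],
        )
    return links


if __name__ == "__main__":
    tricky = "Costs & contracts: 2015/16 #3"  # constructed sample title
    print(read_params(naive_url("nsw_police_force", tricky)))   # title is cut short
    print(read_params(prefilled_request_url("nsw_police_force", tricky)))
    # Constructed report ids, not real Detention Logs incident numbers.
    for url in campaign_links("nsw_police_force", "detentionlogs",
                              ["EXAMPLE-001", "EXAMPLE-002"]).values():
        print(url)
```

Decoding each generated link with read_params before publishing it is a cheap check that the title, letter and tags arrive at the site exactly as written.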
We’ve just released Alaveteli 0.26! Here are some of the highlights.
Request page design update
After some research into where people enter the site we decided to revamp the request pages to give a better first impression.
We’ve used the “action bar” pattern from the authority pages to move the request actions to a neater drop-down menu. We’ve also promoted the “follow” button to help other types of users interact with the site.
Since lots of users are entering an Alaveteli on the request pages, it might not be obvious that they too can ask for information. We’ve now made an obvious link to the new request flow from the sidebar of the request pages to emphasise this.
The correspondence bubbles have had a bit of a makeover too. It’s now a lot more obvious how to link to a particular piece of correspondence, and we’ve tidied the header so that it’s a little clearer who’s saying what.
The listing of similar requests in the request page sidebar has been improved after observing they were useful to users.
Also in design-world we’ve added the more modern request status icons, made the search interfaces more consistent and helped prevent blank searches on the “Find an authority” page.
Admin UI Improvements
As an Alaveteli grows it can get trickier to keep an eye on everything that’s happening on the site.
We’ve now added a new comments list so that admins can catch offensive or spam comments sooner.
For the same reasons, we’ve added sorting to the users list and made banned users more obvious.
The CSV import page layout and inline documentation has also been updated.
The new statistics page adds contributor leaderboards to help admins identify users as potential volunteers, as well as a graph showing when site admins hide things to improve the transparency of the site.
Extra search powers
Conversion tracking improvements
The full list of highlights and upgrade notes for this release is in the changelog.
Thanks again to everyone who’s contributed!
Australia: land of sand, surf and koalas. Renowned for its laid-back attitude and a friendly welcome for all… or so those up here in the northern hemisphere might believe, spoon-fed our preconceptions via the squeaky-clean medium of Aussie soaps.
What’s not so well-known is Australia’s decades-long resistance to people seeking asylum. Since the early 1990s, Australian Prime Ministers have implemented, upheld and strengthened laws to hold refugees in mandatory, indefinite detention, and to forcibly turn boats away from their shores. Australia has been repeatedly condemned by the UN for inhumane treatment of people in its immigration detention system, and people held inside have maintained continuous protest for years.
Once you learn all this, it seems perhaps unsurprising that immigration detention is, as website Detention Logs puts it, one of the most “hotly debated, contested and emotional topics in Australia”.
Getting it out in the open
Detention Logs is among the most purposeful and systematic uses of Freedom of Information we’ve seen yet.
It’s not a mySociety-affiliated project (although one of its founders is also a member of Open Australia, who use our Alaveteli software to run the RightToKnow site), but it is one that’s very much in our sphere of interest. We wanted to write about it because it’s a great example of putting FOI to work in order to get truth out into the open, and make societal change.
At the time the project was set up, Australia’s detention centres were run by the British companies Serco and G4S; access is, as you might expect, limited. However, contractors to the government must report to them, and the report documents fall under the citizens’ Right To Know via Australia’s Freedom of Information Act.
Reports are made whenever an ‘incident’ of note occurs in one of the nation’s detention centres; that covers assault, accidents, escapes, riots, the discovery of weapons and several other categories — including births and deaths.
Detention Logs have, at the time of writing, obtained 7,632 incident reports which cover the period between 3 Oct 2009 and 26 May 2011. These may be explored on their site via a data browser, allowing readers to filter by date, incident type and detention centre.
Finding the stories
Like many official documents, these reports were composed for internal eyes only. They can be difficult to decipher, or heavily redacted. Often, they suggest more questions than they answer.
Users are encouraged to ‘adopt’ a report, then submit a further FOI request for more information: a ‘reporting recipe’ guides beginners in how to do this, and how to pull out stories both for the ‘far view’ (looking at all the data in aggregate) and the ‘near view’ (investigating individuals’ stories).
For researchers and the technically-minded, there’s also the option to download the data in bulk.
The result is that the public are gaining an unprecedented understanding of what life is like for detainees — and staff — inside Australia’s detention centres.
Open data brings change
The resulting stories are published on their Investigations page, but the data has also been used by national press and beyond.
Luke Bacon, one of Detention Logs’ founders, told us of a few outcomes:
- The Detention Logs project was a precursor to the Guardian’s publication of the Nauru Files — more than 2,000 leaked incident reports from a detention camp on the Pacific island of Nauru. These have been presented in an online exploratory browser tool: the project was led by reporter Paul Farrell who is also a Detention Logs founder.
- In turn, this has prompted a parliamentary inquiry into the treatment of people in the immigration detention system.
- The data from Detention Logs has been used in research to show that the detention system is causing people to self-harm and attempt suicide.
- The immigration department started releasing better information about how many people were in detention.
So — while the issue of detention continues to be an inflammatory topic for the people of Australia, the project has been at least something of a success for transparency.
It all goes to show what can be achieved when information is shared – and when the work of trawling through it is shared too.
If you found this project interesting, you might also like to read about Muckrock’s FOI work on private prisons in the USA.
It’s something we wanted to build, and something we believed there was a need for: but wanting and believing do not make a sound business case, and that’s why we spent the first few weeks of the project in a ‘discovery’ phase.
Our plan was to find out as much as we could about journalists, our prospective users — and particularly just how they go about using FOI in their work. Ultimately, though, we were seeking to understand whether journalists really would want, or need, the product as we were imagining it.
So we went and talked to people at both ends of the FOI process: on the one hand, journalists who make requests, and on the other, the information officers who respond to them.
Since we’re planning on making Alaveteli Professional available to partners around the world, it also made sense to conduct similar interviews outside the UK. Thanks to links with our Czech partner, running Informace Pro Všechny on Alaveteli, that was a simple matter. A recent event at the Times building in London also allowed us to present and discuss our findings, and listen to a couple of interesting expert presentations: Matt Burgess of Buzzfeed talked about some brilliant use of FOI to expose criminal landlords, and listed FOI officers’ biggest complaints about journalists. Josh Boswell of the Sunday Times was equally insightful as he ran through the ways that he uses FOI when developing stories.
These conversations have all helped.
The life of an investigative journalist is never simple
The insights our interviewees gave us were turned by Mike Thompson (formerly of mySociety, and brought back in for this phase) into a simple process model showing how journalists work when they’re pursuing an investigation using FOI.
After conceiving of a story that requires input from one or more FOI request, every journalist will go through three broad phases: research; request and response; and the final data analysis and writing. The more complicated cases can also involve refused requests and the appeals process.
For a busy working journalist, there are challenges at every step. Each of these adds time and complexity to the process of writing a story, which is anathema to the normal daily news cycle. FOI-based stories can be slow, and timing unpredictable — editors do not particularly like being told that you’re working on a story, but can’t say when it will be ready, or how much value it will have.
During the research phase, diligent journalists will make a time-consuming trawl through resources like authorities’ own disclosure logs and our own site WhatDoTheyKnow (or its equivalents in other countries), to see if the data they need has already been released.
Where a ‘round robin’ request is planned, asking for information from multiple authorities — sometimes hundreds — further research is needed to ensure that only relevant bodies are included. In our two-tiered council system, where different levels of authority deal with different responsibilities, and not always according to a consistent pattern, that can be a real challenge.
Wording a request also takes some expertise: get that wrong and the authorities will be coming back for clarification, which adds even more time to the process.
Once the request has been made it’s hard to keep on top of correspondence, especially for a large round robin request. Imagine sending a request to every council in the country, as might well be done for a UK-wide story, and then dealing with each body’s acknowledgements, requests for clarifications and refusals.
When the responses are in, journalists often find that interpretation is a challenge. Different authorities might store data or measure metrics differently from one another; and pulling out a meaningful story means having the insight to, for example, adjust figures to account for the fact that different authorities are different sizes and cater for differently-dispersed populations.
Sadly, it’s often at this stage that journalists realise that they’ve asked the wrong question to start with, or wish that they’d included an additional dimension to the data they’ve requested.
What journalists need
As we talked through all these difficulties with journalists, we gained a pretty good understanding of their needs. Some of these had been on our list from the start, and others were a surprise, showing the value of this kind of exploration before you sit down to write a single line of code.
Here’s what our final list of the most desirable features looks like:
An embargo: We already knew, anecdotally, that journalists tend not to use WhatDoTheyKnow to make requests, because of its public nature. It was slightly sobering to have this confirmed via first person accounts from journalists who had had their stories ‘stolen’… and those who admitted to having appropriated stories themselves! Every journalist we spoke to agreed that any FOI tool for their profession would need to include a way of keeping requests hidden until after publication of their story.
However, this adds a slight dilemma. Using Alaveteli Professional and going through the embargo-setting process introduces an extra hurdle into the journalist’s process, when our aim is, of course, to make the FOI procedure quicker and smoother. Can we ensure that everything else is so beneficial that this one additional task is worthwhile for the user?
Talking to journalists, we discovered that almost all are keen to share their data once their story has gone live. Not only does it give concrete corroboration of the piece, but it was felt that an active profile on an Alaveteli site, bursting with successful investigations, could add to a journalist’s reputation — a very important consideration in the industry.
Request management tools: Any service that could put order into the myriad responses that can quickly descend into chaos would be welcome for journalists who typically have several FOI requests on the go at any one time.
Alaveteli Professional’s dashboard interface would allow for a snapshot view of request statuses. Related requests could be bundled together, and there would be the ability to quickly tag and classify new correspondence.
Round-robin tools: Rather than send a notification every time a body responds (often with no more than an acknowledgement), the system could hold back, alerting you only when a request appears to need attention, or send you status updates for the entire project at predefined intervals.
Refusal advice: Many journalists abandon a request once it’s been refused, whether from a lack of time or a lack of knowledge about the appeals process. WhatDoTheyKnow Professional would be able to offer in-context advice on refusals, helping journalists take the next step.
Insight tools: Can we save journalists’ time in the research phase, by giving an easy representation of what sort of information is already available on Alaveteli sites, and by breaking down what kind of information each authority holds? That could help with terminology, too: if a request refers to data in the same language that is used internally within the council, then their understanding of the request and their response is likely to be quicker and easier.
Onwards to Alpha
We’re currently working on the next part of the build — the alpha phase.
In this, we’re building quick, minimally-functional prototypes that will clearly show how Alaveteli Professional will work, but without investing time into a fully-refined product. After all, what we discover may mean that we change our plans, and it’s better not to have gone too far down the line at that point.
If you are a journalist and you would like to get involved with testing during this stage and the next — beta — then please do get in touch at email@example.com.
We’d love to bring our Alaveteli Professional project to Kenyan journalism.
As of this year, Kenyan citizens are enjoying a new right to know, thanks to their Freedom Of Information Act, pending since 2007 and finally passed this year.
Alaveteli Professional will provide Kenyan journalists with a toolset and training to help them make full use of FOI legislation, so they can raise, manage and interpret requests more easily, in order to generate high-impact public interest stories.
But the project will also bring benefits to all Kenyans. By helping journalists and citizen reporters to make full use of the Act, it will ultimately make it easier for everyone to hold power to account.
How you can help
Now here’s the bit you need to know about: please tweet using the hashtag #innovateAFRICA explaining why you think Alaveteli Professional in Kenya is an important digital solution.
This will demonstrate that you agree that Alaveteli Professional is worthy of innovateAFRICA’s support — every tweet helps to give our application more traction.
Tweets from everyone are welcome, but yours will have extra leverage if you’re a mySociety partner, a Kenyan journalist or activist who would use the project, a funder or a digital innovator yourself.
Please use your 140 characters to help us bring better FOI capabilities to Kenya! And don’t forget that hashtag: #innovateAFRICA.
Image: Innovate Africa
What happens when your site is the target of a major spam attack? That wasn’t something we were particularly keen to find out — but it’s a scenario we’re now fully acquainted with. That’s all thanks to a recent concerted assault on our Freedom of Information site WhatDoTheyKnow.
All is calm again now, and hopefully, as a user of the site, you’ll have noticed very little. Yes, you’ll now have to complete a reCAPTCHA when creating a new request*, and you might have discovered that the site was inaccessible for a couple of hours. Beyond that, everything is pretty much as it was.
From our point of view, though, it was an emergency situation that meant that several of us had to put down what we were doing and join in with some quick decision-making.
It was around 12:30 on a Wednesday afternoon when Richard, one of the volunteers who helps to run WhatDoTheyKnow, noticed unusual activity on the site.
WhatDoTheyKnow was created to help people send requests for information to public authorities — a service for the wider good. Unfortunately, at this point, it was also doing something quite the opposite of good: it was providing the means for unknown sources to send those same authorities hundreds of spam messages.
We’d like to apologise to those who were on the receiving end: clearly, spam is a nuisance for everyone who receives it and we’re unhappy to have played any part in its perpetuation.
We also had a secondary concern. It seemed likely that recipients would mark these incoming emails as spam. When enough people had done that, email providers would see us as an insecure source, and block all our messages, valid or otherwise, potentially preventing the WhatDoTheyKnow system from running efficiently.
A little fire-fighting? That’s actually situation normal
Spam is an obvious example of the site being abused, but it’s perhaps worth mentioning that we work hard on many levels to ensure that WhatDoTheyKnow is only used for its core purpose: the requesting of information under the FOI Act.
And note that we’ve always been careful to protect against abuse. WhatDoTheyKnow does already have several measures in place as standard: we only allow one account per email address; we verify that email addresses are genuine; and we cap the number of requests that users can make each day (a restriction that we only override for users who are demonstrably making acceptable use of our service). We reckon that these measures very much helped to reduce the impact of the attacks.
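The standing measures listed above, plus the CAPTCHA step added after the attack and its per-account exemption, can be read as one ordered gate in front of the request form. The Ruby below is an added example, not Alaveteli's own code: the class, its method names, the daily limit of 2 and the sample addresses and dates are all hypothetical.

```ruby
# Added illustration with hypothetical names; not taken from Alaveteli.
class RequestGate
  Account = Struct.new(:verified, :limit_exempt, :captcha_exempt)

  def initialize(daily_limit)
    @daily_limit = daily_limit   # assumed value, chosen by the caller
    @accounts = {}               # normalised email => Account
    @sent = Hash.new(0)          # [email, date] => requests sent that day
  end

  # One account per address: trim and lower-case before comparing.
  def normalise(email)
    email.strip.downcase
  end

  def register(email, limit_exempt: false, captcha_exempt: false)
    key = normalise(email)
    return :duplicate_email if @accounts.key?(key)
    @accounts[key] = Account.new(false, limit_exempt, captcha_exempt)
    :registered
  end

  # Called once the user has followed the link mailed to the address.
  def confirm(email)
    account = @accounts[normalise(email)]
    return :unknown_account unless account
    account.verified = true
    :confirmed
  end

  # Decide whether one new request may go out; count it only if allowed.
  def submit(email, date, captcha_passed:)
    key = normalise(email)
    account = @accounts[key]
    return :unknown_account unless account
    return :unverified_email unless account.verified
    return :captcha_required unless captcha_passed || account.captcha_exempt
    if @sent[[key, date]] >= @daily_limit && !account.limit_exempt
      return :daily_limit_reached
    end
    @sent[[key, date]] += 1
    :sent
  end
end
```

A refused attempt is not counted against the day's allowance, and both exemptions are per-account flags that staff would set by hand.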
After a quick discussion between the volunteer team, trustees and mySociety staff, we took the site offline to give us time to work on a solution while stopping any more spam from being sent.
Of course, we then removed all the spam requests and comments from the site and banned the accounts that had made them. We also contacted the affected bodies to let them know what had happened and to assure them that we were taking steps to deal with it.
When we brought the site back up, a couple of hours later, we did so cautiously and with new restrictions and safeguards in place.
Spam ‘requests’ had been sent over a period of about 13 hours. There were in the region of 800 made, though only about 500 actually got sent to authorities. Additionally, around 368 spam comments were left on existing requests. These relatively small numbers lead us to believe that they were being made manually.
Time to breathe… or nearly
Once we’d discovered the issue, dealing with it and getting the site back up and running took us 2.5 hours.
Job done — so now we could sit back and relax, eh? But no: the next day we discovered that a couple of other sites running on the Alaveteli platform, AskTheEU and New Zealand’s FYI, were being subjected to the same attacks.
So we rolled out the changes we’d made on WhatDoTheyKnow to make them available to all Alaveteli users. And then, finally, we could get back to the everyday work we’d been doing before — making our sites better for you, and the other nice non-spamming people who use them.
* We’ll be looking at removing it as soon as we can, though, as reCAPTCHA doesn’t offer a very accessible experience for many disabled people. Meanwhile, we can manually remove the reCAPTCHA for specific accounts, so if you’re struggling with it, contact the team to implement this exemption.