As a prolific⁴ user of Untappd - the social network for beer drinkers - I'm always on the lookout for a beer I've never met before⁵. So I was delighted to see this on offer: What ho! A exclusive beer! Rather! I generously let mine host pay for it and enjoyed quaffing it.

But eagle-eyed⁶ readers may have noticed something odd about the the beer's lens. There's no indication of who the brewer is and what the alcoholic strength is⁷.

I didn't feel like quizzing the innocent barkeep⁸ so I did the next best thing. I immediately⁹ sent a Freedom of Information request to the House of Lords. About beer.

Fair play to those poor souls in the records office, they replied pretty sharpish to my somewhat frivolous request.

Who is the brewer of this beer?

The House Administration holds this information. The brewer is Greene King.

What is the beer’s ABV?

The House Administration holds this information. The ABV of the beer is 4%.

Hurrah! Success!

Now, you may think this is a trivial thing to use FoI for. And, to a certain degree, you're right. But the point about FoI is that you never know what you're going to uncover.

For example, is it illegal to sell beer in Parliament without displaying the ABV?¹⁰

Given the Baron Bilimoria sits in the House of Lords and invented Cobra Beer - was there some sort of kickback scheme here?¹¹

Would the team refuse the FoI because their record keeping is disastrous and finding simple information would be too onerous?¹²

As someone who has been on the receiving end of one-or-two¹³ FoI requests of varying degrees of vindictiveness, I feel a little guilty about sending something which seems so spurious.

But, I truly believe, that our rights are like a muscle. We have to regularly exercise them. Sometimes we'll uncover something interesting, other times something important, and occasionally something unexpected. And, for this request, something utterly mundane.

So here's a cheers to everyone at the HoL for answering my question so promptly 🍻

I got a letter from Black Rod - who runs both houses […] and it says that I am banned for life from the House of Commons and the House of Lords.

It's at the 7 minute 20 mark on the video - or listen to the whole thing on SoundCloud.

"Hmmm…" I wondered, "Who else has been banned from Parliament?"

TO THE BAT-FREEDOM OF INFORMATION MACHINE, ROBIN!

Using the excellent What Do They Know site, I fired off an FoI request to the House of Commons.

I quickly received this back:

The House of Commons has not banned any person, therefore does not hold this information.

I notice in your request you mention Black Rod. It may interest you to know that Black Rod is a senior officer in the House of Lords. As our response only deals with people banned by the House of Commons you may wish to consider forwarding your request to the House of Lords

Carole Fisher - Information Rights and Information Security (IRIS) Service | House of Commons

While waiting for an answer, I'd done a little research and discovered that the Suffragette Emily Wilding Davison was banned from Parliament.

The letter mentions that she should be added to the "Index Expungatoris" - a list of people banned from Parliament. (NB this is also referred to as the the "Index Expurgatorius")

I wrote to the House of Lords and specifically mentioned the "Index". Their reply was swift:

The House Administration does not hold "a list of people who have been banned from Parliament." A search has been conducted and no recorded information relevant to your request has been located.

Frances Grey - Freedom of Information Officer - House of Lords

So! There you have it. If you think that you have been banned from Parliament, it seems that they don't hold any records and you are free to enter.

✱ This does NOT constitute legal advice!

The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people.

That's why it's so depressing to see such a basic error as this XSS flaw in their search engine.

What Is XSS?

Briefly, some websites will let you display or run arbitrary code on them if you input that code in their search box. (It's a bit more complicated than that - but it'll do for an executive summary.)

By searching for the text

<em>test

We can make the rest of the page display in italics.

This is because the page sees the <em> tag and echoes it back as part of the HTML.

What else can we do?

If we want to be cheeky - we can add iframes and YouTube videos onto the page.

So, if the page will display any code we tell it, can we make it run JavaScript? Yes.

Searching for a string like

<script>alert("hello");</script>

Hey presto, we can "decorate" this page with text, images, video, run JavaScript on there - using Firefox.

Now, what's interesting is that the iframe and JavaScript attacks don't work in the Chrome web browser.

Chrome has a reasonably good Anti XSS filter which strips out most JavaScript and iFrames (although it can be bypassed).

However, Chrome and Firefox both let through seemingly benign text formatting tags, as well as the more dangerous image and HTML5 video tags.

Putting It All Together

OK, so we can have a bit of mischief - but is that all that the bad guys can do? No! Even if they can't run JavaScript, they can still run pretty convincing adverts, or direct people to install malware, or a whole host of other nasty things. Because the domain is parliament.uk it carries with it a significant level of trust.

Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam.

Or, perhaps they are evil. They can send an email to every MP saying:

Please Reset your password - visit http://....

Before you know it, they've gathered the Minister for Administrative Affairs' private details and are plundering Sir Humphrey's vaults.

Yeah, the above doesn't look brilliantly convincing - but would you trust your MP to notice the discrepancies?

Mitigating

The simple rule is that you should never ever print out the content that the user has searched for. If you have to, make absolutely sure that you escape all the characters and enforce strict limits on the number of characters returned.

Browsers should get better at detecting this. While Chrome rightly blocks the iFrame and JavaScript - it thinks text, images, and videos are safe. They're not. In the above examples, the XSS code is echoed in the HTML Title, as well as the URL bar. It should be fairly obvious to the browser that this is an unusual state of affairs.

Disclosure

• This XSS flaw was responsibly disclosed to the UK Parliament on Friday 7th February 2014.
• On Tuesday 11th of February they confirmed that a fix had been put in place.
• The UK Government bug bounty was paid on.... Oh... my mistake...

BONUS SATIRE

My manifesto suggestion was very simple - every time you visit an MP, it should cost you £5 or £10. If you want to go and speak to your MP you have to hand her a crisp new note. This has the dual advantage of weeding out vexatious visitors and, more importantly, reminding the MP who exactly they work for.

It has - I'll grant you - some drawbacks. If you can't afford a fiver (and many can't) you're denied access to your elected Member of Parliament. It also means those with the biggest cheque-books get to write the law. This is, many would argue, extremely unseemly and a recipe for corruption.

Before he became Health Secretary, the Tory MP Andrew Lansley accepted large donations from private health companies. When he became Minister, he helped drive legislation which - it would seem - directly benefited those who had donated to him.

John Nash, the chairman of Care UK, gave £21,000 to fund Andrew Lansley’s personal office in November. Mr Nash, a private equity tycoon, also manages several other businesses providing services to the NHS and stands to be one of the biggest beneficiaries of Conservative policies to increase the use of private health providers. Source: Daily Telegraph

It's important to stress that this is not bribery. Bribery is when a Tory politician receives £30,000 to ask questions in the House of Commons (See the Cash For Questions affair on Wikipedia).

Taking money to ask questions is wrong. Taking money and then independently helping to change legislation is fine. It's an important distinction.

Perfectly Normal

Let us take, for example, the Kingdom of Bahrain. They sent MP's investigating the regime luxury hampers worth at least £200 each. They funded flights to the country for several MPs, and gave the PM a fountain pen and jewellery.

On May 18th 2012, the Queen invited the King of Bahrain to dine with her.

It is perfectly legal and acceptable to use cold-hard-cash, to fund foreign trips, or to purchase goods and services - in order to help MPs understand complex issues and take the tough decisions which are needed.

Grass Roots

This year has seen the rise of Kickstarter and similar crowd-funding websites. An aspiring author, inventor, or musician takes to the Internet and says "If X number of people give me Y pounds, I'll be able to produce product Z!"

It's a nifty system. I've used it to help support new books and video games this year and been very impressed with the results.

It's obvious that sites like 38degrees and Avaaz are doing something right. They're attracting huge numbers of people to attempt to engage with politicians. But sending letters or - worse - a truck load of email "signatures" on a petition just doesn't cut it any more. If we want to influence politicians, we have to pay.

The campaigning site 38degrees raised £50,000 to run an opinion poll and place an advert in national newspapers. That money was wasted. It didn't help change the Government's mind on NHS privatisation. Why should it?

I'm suggesting it would have been better to give that money directly to Andrew Lansley. It's over double what he received from the chairman of Care UK. They could have given him half now, half on scrapping the Health and Social Care Act 2012.

£50k might be overkill. They could have matched the original donation and then the rest could have been used to buy him a nice holiday, some chocolates for his wife, presents for his kids, etc.

So, that's what I'm proposing. A crowd-funding political "donation" site.

Putting it into Practice

There are two ways to make this work.

The first is like a regular Kickstarter campaign.

"I want to raise £30,000 to buy something nice for the Environment Secretary Owen Paterson if he will repeal the ban on Fox Hunting."

Members of the public could then purchase gifts to send to the MP(s) - in a similar fashion to Oxfam Unwrapped. Select how much you can afford and then purchase, say, a tasty treat to pack into a luxury hamper.

Once enough money is raised, the gift or the cash is given to the MP. Now, there is a slight risk that an MP won't behave honourably. An MP could accept the money or gift but then not do what we want them to do. This leads us on to the second option.

Popular website Arrest Blair wants people to perform a Citizen's Arrest on the former Prime Minister. They've raised a bunch of money and will give a quarter of it to anyone who attempts to arrest Tony Blair. So far, they have paid out around £11,000 between the four people who have attempted to hold Blair accountable for his alleged war crimes.

That, in essence, would be the second model. A citizen would say

"I want to raise £30,000 to buy something nice for any MP who helps repeal the ban on Fox Hunting."

Once the money is raised, any MP who helps successfully to bring forth legislation can claim her share of the prize.

This system is not fool-proof - which is a pity as there are no shortage of fools in the House of Commons - but I am confident that it would help to alleviate our democratic deficit.

Are the houses representative of the people in terms of gender diversity? Are the Labour Party younger than the Conservatives? Are the parties in the Lords particularly dissimilar?

You can play with the hack or watch a video demonstration.

• Each bubble represents a political party
• The size of the bubble represents how many members they have
• The Y-Axis (Vertical) represents the average age of MPs / Lords
• The X-Axis (horizontal) represents how gender balanced the parties are

(As you can tell, the hack was heavily inspired by Hans Rosling)

Data

A quick word about the data we used.

The (beta) APIs had some reasonably good documentation - although the examples could have been better. It seemed to assume that a user was already intimately familiar with the (sometimes arcane) principles of Parliament.

It also only spat out XML, so that needed to be converted to JSON.

The main issue we had was with the quality of the data. Let's look at two examples.

First, Linda Perham (picked solely because she's a mate of my mum!)

{
  "FullTitle": "Linda Perham MP",
  "DateOfBirth": "1947-06-29T00:00:00",
  "DateOfDeath": {
    "-xsi:nil": "true",
  },
  "Gender": "F",
  "Party": {
    "-Id": "15",
    "#text": "Labour"
  },
  "House": "Commons",
  "MemberFrom": "Ilford North",
  "HouseStartDate": "1997-05-01T00:00:00",
  "HouseEndDate": "2005-05-05T00:00:00",
  "CurrentStatus": {
    "-IsActive": "False",
    "StartDate": {
      "-xsi:nil": "true",
    }
  }
},

That's pretty comprehensive. We can see when she joined, left, her age, that she's still alive, and who she represents.

Now, let's take George Galloway who has had an... interesting... Parliamentary career.

{
  "FullTitle": "Mr George Galloway MP",
  "DateOfBirth": "1954-08-16T00:00:00",
  "DateOfDeath": {
    "-xsi:nil": "true",
  },
  "Gender": "M",
  "Party": {
    "-Id": "26",
    "#text": "Respect"
  },
  "House": "Commons",
  "MemberFrom": "Bradford West",
  "HouseStartDate": "2012-03-30T00:00:00",
  "HouseEndDate": {
    "-xsi:nil": "true",
  },
  "CurrentStatus": {
    "-Id": "0",
    "-IsActive": "True",
    "Name": "Current Member",
    "StartDate": "2007-10-31T00:00:00"
  }
},

All we have is his current status. It doesn't mention his previous life as a Labour MP, nor does it mention that he was the Respect MP of Bethnal Green in 2005.

For MPs who have subsequently gone to the House of Lords, the data is also unhelpful.

Betty Boothroyd was a Labour MP (for two different constituencies), then became The Speaker of the House of Commons, then went to the House of Lords. This is all the information we have on her.

{
  "FullTitle": "The Rt Hon. the Baroness Boothroyd OM",
  "DateOfBirth": "1929-10-08T00:00:00",
  "DateOfDeath": {
    "-xsi:nil": "true",
  },
  "Gender": "F",
  "Party": {
    "-Id": "6",
    "#text": "Crossbench"
  },
  "House": "Lords",
  "MemberFrom": "Life peer",
  "HouseStartDate": "2001-01-15T00:00:00",
  "HouseEndDate": {
    "-xsi:nil": "true",
  },
  "CurrentStatus": {
    "-Id": "0",
    "-IsActive": "True",
    "Name": "Current Member",
    "StartDate": "2001-01-15T00:00:00"
  }
}

There's also a significant lack of historical data. There are some Lords & MPs in the dataset who were in Parliament in the 1940s - but only a few. It would be great to have a comprehensive record of, say, the last 100 years.

There needs to be a better representation of when a member has "changed" - whether that's affiliation, leaving and then returning, being elevated, changing constituency, or even gender. (Although, as far as I'm aware, there have been no Trans MPs. Nor any MPs with non ASCII characters in their name.)

The data represents a very monochromatic view of the world.

For examining broad trends, it was sufficient for a hackday. We had tried scraping Wikipedia to get full details of every election, but that was a bit beyond us (over 1000 people for every election, plus by-elections, for the last 50 years.)

What We Found

I was particularly surprised by how little gender diversity there is. 50% of the population is female, yet the Labour Party have roughly 33% women MPs. Caroline Lucas is the sole (female) representative of the Green Party - which doesn't quite balance out the entirely male Bishops in the House of Lords.

In our data, you can see the big jump after the 1997 election - where the number female MPs doubled.

Labour are consistently older than the Tories. That was completely against my expectations.

So, play with the hack and see what you notice.

Thanks

As well as my amazing team mates Max Bye and John Sandall, I must thank the team from Rewired State; they put on a storming hackathon. There was plenty of interesting data, a good mix of people, healthy food and drink (as well as the obligatory pizza).

While it would have been lovely to hold the event in Parliament - I appreciate that a hoard of geeks turning up with a panoply of dodgy electronics may not have best pleased the Serjeant-at-Arms. So The Hub Westminster was a fine substitute.

Special mention to Alex Blandford who was very helpful at explaining the data and helping us navigate through the peculiarities of the system.

Finally, massive thanks to the Speaker for this fine certificate.

This year, Claire Perry MP produced an "independent" report into online child protection. By "independent" I mean "produced by vested interests including religious groups".

It makes for pretty tedious reading, however you may get a laugh from the antics of our MPs on page 86 when they start discussing Internet filters...

Helen Goodman: I’m sorry, maybe I’m particularly stupid, but I haven’t understood how I get this software or this kit or whatever it is, this filter thingy that you click or whatever without buying a new computer and I don’t want to spend a thousand pounds just to have a filter. I just haven’t understood what I do, and you’ve been talking to us and I’ve been in this room for half an hour.

Matt Lambert: You can download any number of parental control software for free...

Helen Goodman: But I don’t know how to download parental controls. I can send an email, I can click onto Windows but the minute you talk about downloading software, my brain goes bzzzz.

Matt Lambert: Ok, I’m sorry I’m using a technical term, but if you go to search and you ask for parental controls, you will find, whichever search engine you’re using, you’ll find any number of free options including ours.

Jonny Shipp: If you talk to your Service Provider, they’ll help you, I think, mostly.

Helen Goodman: How do you talk to them?

Jonny Shipp: The service provider that provides your internet connection at home.

Helen Goodman: You mean you phone them up?

Jonny Shipp: Yes, or however you’d normally talk to them.

Helen Goodman: I don’t normally talk to them very often.

Fiona Mactaggart: The point that Helen is rather effectively illustrating is the point that, this is the point I was trying to make about being stupid, about the fact that for this best to work, particularly when children are more technically aware than their parents, they know how to get around better than mum and dad, that actually there has to be something which is really simple and which kind of delivers itself to your door...

The "particularly stupid" Helen Goodman speaks for the Labour party on matters of Culture, Media, and Sport. Which, in our twisted democracy, also means "The Internet".

I'm not saying that someone with such responsibility needs to be able to compile their own software, or rebuild a PC. But it would be nice if they understood how to install software.

On an entirely unrelated note, please join the Open Rights Group today. They're doing great work trying to stop Parliament from destroying the Internet.

More people are being prosecuted for free speech on social media, copyright trolls are lurking and website blocking injunctions need tackling: ORG is ready to bring the fight for digital rights to the courts.

Every supporter donating at least £5 per month by direct debit receives a free copy of Rapture of the Nerds co-authored by Cory Doctorow, a member of our Advisory Council and Charles Stross, one of ORG's founding members.

ORG needs to fund a new position: a legal expert who can co-ordinate a crack-team of volunteer lawyers, perform thorough legal research, and create new case law to actively prevent potential threats to civil liberties.

Please help ORG achieve it goal:

150 new supporters will allow ORG to start our legal project.

300 new supporters will allow ORG to pay a Legal Officer full time.

Please set up a Direct Debit today.

ORG supporters usually give between £5 and £10 each month, but please be as generous as you can afford to be.

Further discussion on HackerNews.

These are my notes on the session. I've applied the Chatham House Rule - mostly because I can't remember who said what, rather than any backroom skulduggery. Any errors are mine and mine alone.

Neither Vodafone nor EE have signed up to the Network Neutrality pledge. O2 have.

(Disclaimer, I work for Telefonica, these thoughts are my own.) The Open Internet Code of Practice is the Government’s non-regulatory approach to net neutrality.

It basically says that ISPs will not discriminate between services, and if they do they can't call their product "Internet Access". It's all fairly sensible but O2 is the only mobile ISP who have signed up. This means the vast majority of 4G providers could start to block or degrade services which they think don't fit their business model.

Indeed, EE say they don't ban VoIP but want the right to filter such OTT services.

Ed Vaizey's form of "free market" capitalism states that because we have such good competition in the UK, people will be free to switch to other services which don't break the net. This conveniently ignores the fact that customers are tied in to 18 month long contracts (24 months if they want EE's 4G) and so are not able to easily switch.

Net Neutrality also offers some other interesting questions. VoIP and TVoIP have vastly different needs when it comes to latency - is it acceptable to prioritise a constant VoIP stream? Yes - assuming all streams of a similar nature are treated equally.

Of course, if those services are encrypted it could be very hard to tell which services are which.

Finally, emergency service calls are prioritised on the radio access and given network priority. Is that discrimination? Yes - but broadly acceptable in a net neutrality context.

Speed of Rollout

The 4G rollout is expected to be quick - much quicker than the 3G deployment. This is due to a number of factors.

• The auction has been brought forward.
• With EE having a head start, other operators will have to compete rapidly.
• Spectrum is expected to be much cheaper than the 3G bands. This means there will be more money for masts and networking kit.
• Mast sharing and relaxed planning permission should make setting up the network much more efficient.

Transco

There is only one electricity grid. One water network. One set of gas pipes. Yet different companies can sell different services at different prices across them. This idea is known as "Transco".

In the UK we effectively have only two mobile networks. EE (T-Mobile and Orange - who share with Three) is one, Vodafone/O2 is the other (they share masts, not spectrum and network kit).

All the major providers have outsourced the running of their network to NSN or Ericsson (an idiotic idea, but there we are).

Each company has to bid billions for new spectrum and spend millions on new masts and networking kit. Wouldn't it be more sensible if there were a national mobile network with O2, Vodafone, EE etc just acting as MVNOs? Each could buy wholesale access (and still run their own customer databases etc) at a vastly reduced cost and the public should benefit from improved coverage.

There seemed to be a lot of sympathy in the room for this idea. Apparently the Netherlands is investigating "National Roaming" which would allow your phone to roam on to a competitor network if you didn't have any signal.

One other point of interest - Ofcom apparantly want to see a non mobile operator in the 4G space. Perhaps someone selling wholesale or M2M access.

Speed

There are serious worries around real world speeds - as noted by EE claiming only 12Mbps downlink speed. Given the hype around the speeds is not likely to be met by real-world experience, this could deter customers.

The mobile industry may also be overselling capacity. ADSL suffers from insufficient backhaul - domestic ISPs bank on users only using the internet in short burst so don't buy enough connectivity. If we're all streaming movies all the time - speeds will suffer.

Price

Will customers pay?

There has been much derision over EE's pricing as being far too high and restrictive. Considering how long it took to build up a 3G customer base, can the industry attract customers to 4G when the coverage is patchy, phones are expensive, and battery life is worse? If they do - can they convince them to pay a premium for it?

Consider domestic ISPs. Pipex offered dial-up internet access for 50p a day back in 1996. Today, 16 years later, that £15 per month will get you "superfast" 24Mbps Internet access.

Technology brings prices down - even if they blip up temporarily. No doubt when other players enter the 4G market, prices will tumble.

Finally...

What will people do with 4G? Most people expect "The same, but faster". Can we find new services, or are we stuck with better speed, lower latency?

That's not a bad thing to be stuck with, but I wonder what the "killer app" will be that makes people want a 4G phone in their pocket... We all thought that 3G's killer app would be video calling. How wrong we were!

I don't have the money to lobby bribe donate to the Conservative party. I'm too scared of the police attempting to kill protesters to go and stand up for my beliefs. What can I do that will make me feel smug and self-righteous yet won't involve me having to go outside in the snow?

It is, I understand, illegal to blockade Parliament. But there's nothing to stop us enforcing a virtual blockade, is there?

I tweeted as much on Twitter, and got the following reply.

How

So, here's how to blockade Parliament. This guide assumes you have moderate technical ability and know what an .htaccess file is. If you are unsure, please ask a geek to help you. They will, invariably, accept payment in beer, pizza or sexual favours.

The Houses of Parliament have the following IP address range.

194.60.0.0/18

That translates to every IP address from 194.60.0.0 to 194.60.63.255 . (See http://www.mediawiki.org/wiki/Help:Range_blocks for details.)

In your .htaccess file, add the following

order allow,deny
deny from 194.60.
allow from all

That will simply block access from the Houses of Parliament. It will also catch a few other IP addresses in the same range - but that's acceptable collateral damage.

If you want to be a bit more creative, you can redirect the users to any URL you want.

RewriteCond %{REMOTE_ADDR} ^194.60.
RedirectMatch 301 ^.*$ http://www.example.com/index.htm

All we need now is for every website - from the humblest blog to the mightiest newspaper - to block Parliament from their websites and redirect them somewhere more enlightening.

Where Should I Redirect Them To?

My good friend Tom Scott has penned this rather eloquent piece for the Guardian explaining why filtering cannot work. I would refrain from pointing at shock-sites. You'll only give MPs something else to consider banning.

Hang On! There Are Massive Flaws In This Plan!

Yes, yes there are.

Politicians may need access to information which has been inadvertently blocked. For example, a gay MP might want help coming to terms with his or her sexuality - only to find the content unavailable.

Of course, politicians could use a proxy to get round these restrictions. They could use their phone's web browser. They could access from a friend's house. They could get a mate to download content onto a USB drive and hand it over in the playground.

In short, this plan is as ill-conceived as the ridiculous notion that you can ban children from access naughty images and videos.

Open Rights Group

If you care about Internet Freedom, please join the Open Rights Group.