
Image by Xiaowei Wang.

The Party Decides

Darren Loucaides

How the Five Star Movement hacked itself.

In late July 2017, a twenty-five-year-old hacker named Luigi Gubello emailed the staff of Rousseau to tell them that he had found a security vulnerability in their software. Rousseau is the online platform that one of Italy’s most popular political parties, the Movimento 5 Stelle, or Five Star Movement, uses to engage its supporters. Five Star claims to be at the forefront of digital democracy, allowing its members to vote online for everything from its policies to its political leaders. If Rousseau were compromised, Five Star’s candidates for the Italian parliament could theoretically be selected by rogue actors, from lone hackers to foreign governments. 

Gubello is a “white-hat” hacker, breaking into IT systems to highlight their vulnerabilities, not to exploit them. Gubello explained in his email to Rousseau staff that he had infiltrated the platform using SQL injection, a well-known type of vulnerability in which a data input field—username, say—is used to send commands to a database program, allowing a hacker to change or delete data entries, or download an entire database. It was the same sort of attack that played a major role in the famous hacking of Heartland Payment Systems in 2009, which caused hundreds of millions of dollars in losses to companies around the world, but it’s also the sort of attack that a precocious high schooler might have launched in the early 2000s to boost her grades.
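To make the defect concrete, here is an added illustration, written for this edit rather than taken from the article or from Rousseau's code, of what a login check looks like when the username field is pasted straight into the SQL text, beside the parameterized version that is the standard fix. The user table, passwords and the `' OR '1'='1' --` input are constructed for the demonstration; SHA-256 stands in for a proper password hash only to keep the script dependency-free.

```python
import hashlib
import sqlite3

# Constructed sample users for the demonstration; not Rousseau's schema or data.
SAMPLE_USERS = [
    ("admin", "correct horse battery staple", "administrator"),
    ("member1", "19850312", "member"),  # birthday-style password, as the article describes
]


def hash_password(password: str) -> str:
    # SHA-256 is a stand-in; a real deployment uses a slow, salted hash (bcrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, hash_password(p), r) for u, p, r in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The defect: the username becomes part of the SQL text, so a crafted
    value can rewrite the WHERE clause instead of being compared against it."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def login_safe(conn, username: str, password: str):
    """The fix: a parameterized query. The driver binds the values separately
    from the statement, so input can never change the statement's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()


# The textbook tautology input: closes the string, adds an always-true condition,
# and comments out the password check that follows.
INJECTION = "' OR '1'='1' --"


def demo() -> dict:
    """Run both login checks with a legitimate member and with the injected input."""
    conn = build_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "member1", "19850312"),
        "vulnerable_injected": login_vulnerable(conn, INJECTION, "anything"),
        "safe_legit": login_safe(conn, "member1", "19850312"),
        "safe_injected": login_safe(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the vulnerable check returning a row (the first user in the table, whoever that is) for the injected input without any valid password, while the parameterized check returns nothing for the same input and still accepts the real credentials. The lesson for a reviewer is that the fix is structural, binding values rather than escaping them, which is why "closing one window" by patching a single input field, as Gubello's house metaphor below puts it, does not address other fields built the same way.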

In his email to Rousseau, Gubello explained why the vulnerability was dangerous and how to resolve it. Shortly afterwards Gubello received a reply from Rousseau’s staff thanking him, and claiming to have fixed the problem. The following month, in August 2017, Gubello, concerned about the continued vulnerability of Rousseau, went public with his findings in a blog post and urged the platform’s users to change their passwords. “Hacker reveals: M5S’s Rousseau site is not secure,” declared La Stampa, the Italian newspaper. 

At the time, Five Star was approaching one of its most consequential votes ever, to determine who would be the leader of the party and its de facto candidate for prime minister going into the following year’s Italian general election. If the party triumphed then, this person could become the leader of the entire country. 

On September 21, 2017, shortly after Five Star opened voting for its leadership election, the Rousseau servers stalled. Scores of members were unable to cast a ballot, and the party was forced to extend the voting until noon the following day. The party claimed this was due to the sheer numbers of people taking part, but of Five Star’s 140,000 members, little more than 37,000 voted.

More than 80 percent of those voters selected a thirty-two-year-old politician named Luigi Di Maio. It was a “world record,” claimed a euphoric post on the party’s blog: “the first leader of a political force chosen and voted for entirely on the Net.” But then, just after voting finished, a malicious “black-hat” hacker named rogue0 began tweeting that they had compromised the election.

“Think of it like a house with many open windows,” Gubello said of Rousseau when we spoke recently. “I saw only one open window”—the vulnerability he used to deploy his SQL injection attack—“and they closed it. But rogue0 found another one.” 

Open Windows

Among the tweets that rogue0 sent that night were screenshots of multiple votes he had generated for Luigi Di Maio, the winner of Five Star’s leadership contest. The party claimed that every vote had been authenticated using text message confirmations, but rogue0 poured scorn on this. “Rest assured, Luigi Di Maio has already won, dozens of my certified votes assure you,” the hacker tweeted. Even after Gubello’s warning, Rousseau—and Five Star’s purported digital direct democracy—had been left exposed.

Another series of screenshots rogue0 posted appear to show the hacker signing into the accounts of various senior members of Five Star. In the subsequent hours and days, rogue0 also published some of the login details he had scraped from the Rousseau database; several of Five Star’s leaders and digital operations staff had laughably basic passwords, such as their birthdays. “Seriously I can continue all night long this way,” rogue0 tweeted at one point. Eventually, the hacker dumped the entire database into a publicly accessible pastebin.

Gubello suspects that rogue0 accessed the login details using another SQL injection attack that swiped an admin password from the database. Fabrizio Carimati, an Italian internet security expert, agreed. “In reality, Rousseau's website was simply badly written, so everyone suspects that rogue0 used basic techniques,” Carimati told me. He added that the chances of the hack being a SQL injection attack were “99 percent.”

Rousseau was vulnerable in part because it was built using a proprietary content management system based on a version of the Movable Type software released in 2008. The upshot was that Rousseau had to be maintained in-house, and was only as secure as its best programmers could make it. 

Other digital parties use more robust systems. Spain’s left-wing Podemos utilizes an open source and blockchain-based system for its online voting which claims to be tamper-proof; it also allows for external verification, which Five Star didn’t have in place until 2018. The Pirate parties of Northern Europe, which, broadly speaking, advocate direct democracy and internet freedom, use open-source software such as LiquidFeedback and Loomio, which can be security-tested and improved by almost anyone; similarly, organizations such as Occupy Wall Street and city governments in Reykjavik, Barcelona, Madrid, and Paris have adopted open-source voting tools.

It’s difficult to say exactly why Five Star relied on old, self-maintained software. Perhaps it was simply a legacy system with high switching costs. But its proprietary nature also fit with the general culture of the people running the party. Though Five Star has presented itself as a populist movement empowered by digital tools, the reality is that Rousseau is controlled by a private firm, Casaleggio Associates, which operates with a great deal of secrecy and has exerted a significant amount of control over the movement. 

A Sense of Community

The Five Star Movement was founded by Beppe Grillo, a comedian famous across Italy for his pugnacious humour, and an internet entrepreneur named Gianroberto Casaleggio—the founder of Casaleggio Associates. For more than a decade, Grillo has been the movement’s figurehead. But until his death from brain cancer in 2016, Casaleggio, who was relatively unknown among most Italians, was the movement’s most powerful figure.

Casaleggio had some intensely bizarre political beliefs that seemed to verge at once on the paranoid and the utopian. He was a fan of Genghis Khan’s horseback couriers and Benito Mussolini’s radio broadcasts, and foresaw a future a few generations hence in which a total war would annihilate billions of people, leaving the remnant to govern itself by means of a worldwide internet democracy.

But Casaleggio also had a more calculated side. Since the 1990s, he had sold businesses digital tools for managing employee sentiment. These included web-based forums in which workers could float new ideas and air grievances, all while being monitored by their bosses. Casaleggio would then help employers intervene strategically in the online discussion, promoting certain ideas while tamping down dissent. It was this approach—offering users a sense of community and self-determination while quietly shaping the discourse from above—that Casaleggio later instituted in the realm of electoral politics, first through a wildly popular blog he built for Grillo in the 2000s and later with Rousseau, which launched shortly after his death in 2016.

The 2017 leadership election that rogue0 hacked was a representative instance of Casaleggio’s approach. Five Star initially appeared to many observers to be a left-leaning populist movement—its first policy positions included advocating renewable energy, revitalized public transport, and a universal basic income—that railed against the real and perceived corruptions of Italy’s political establishment. But at heart both Grillo and Casaleggio had more right-wing sympathies. Casaleggio’s son Davide, who took over Casaleggio Associates after his father’s death, shares these sympathies. His and Grillo’s preferred candidate in the 2017 election was Luigi Di Maio, the son of an Italian neo-fascist. 

Di Maio was already well known in the movement but, in the weeks leading up to the vote, Casaleggio Associates used Five Star’s blog to praise Di Maio repeatedly. The result was more like a confirmatory ballot than a plebiscite: members were essentially rubber-stamping the decision of the party bosses. “The election of Di Maio can be described as a ‘show election’ in the sense that there was not real competition,” the scholar Paolo Gerbaudo, whose book The Digital Party examines digital democracies around the world, told me. “All the candidates that could have stood a chance did not participate in the election, and the results were widely anticipated.” Far from making the vote more democratic, digital tools helped the party’s leaders engineer their preferred outcome.

Business as Usual

In the wake of Five Star’s 2017 leadership election, and the hacks by Luigi Gubello and rogue0, the Italian Data Protection Authority conducted an investigation into Casaleggio Associates for breaking data privacy laws. The hacks had revealed that the company was collecting an extraordinary amount of members’ personal data, along with their voting records, and combining this with data gleaned from members’ social media accounts. It’s the sort of information that could potentially be used to create highly targeted messaging for every member of the Five Star party, thus deepening Casaleggio Associates’ centralized control over the ostensibly popular movement.

While that investigation was underway, Five Star took legal action against Gubello, whom party leaders now accused of being rogue0. In January 2018, Italian police tracked down Gubello at his girlfriend’s house in Trieste and examined his phone and computer. Meanwhile, Five Star claimed Rousseau’s vulnerabilities had been addressed, and described the platform as a “fortress.”

But in February, just a month before the 2018 Italian general election, rogue0 struck again, showing that they could still access the Rousseau database and take control of administrator accounts. In March, Five Star won a plurality of votes in the general election, and formed a coalition government with a nativist right-wing party called Lega, or the League. Di Maio was made the Minister of Labor and Social Policies, the Minister of Economic Development, and the Deputy Prime Minister. (He now serves as the government’s Minister of Foreign Affairs.)

Rogue0’s identity has not been revealed, though the journalist Jacopo Iacoboni has perhaps come closest to discovering it. He has had a handful of conversations with the hacker via direct messages on Twitter. Iacoboni says it was rogue0 who reached out to him. “I never knew his real identity,” Iacoboni told me, assuming the hacker was one person, and a man. “But he seemed to me someone who knew people at Casaleggio Associates very well—this was my impression after our Q&A.”

Today, Rousseau’s Movable Type content management system is gone. User passwords are now allowed to be longer than the previous requirement of just eight characters. “In fact, following orders by our [Data] Protection Authority, the Rousseau website was practically rewritten from scratch,” noted security expert Fabrizio Carimati. But it’s not clear exactly what’s replaced Five Star’s old systems. “Casaleggio now claims that the platform has been completely redone,” Iacoboni said, before noting that this is impossible to verify. 


But the vulnerabilities go deeper than software. Luigi Gubello believes that for voters to put their faith in digital democracy, the systems being used need to be transparent. Yet algorithms, coding, cryptography—the building blocks behind a digital democracy—require expertise to fully grasp. “People must be able to trust the election process,” Gubello insists. “Can you trust it if you cannot understand and really check it?”

This is part of the paradox that seems to be at the core of all digital democracy movements: the same technologies that are supposedly meant to empower members can instead provide vectors of control for party elites. Even Podemos in Spain, with its populist politics and sophisticated digital transparency measures, mainly holds confirmatory ballots approving decisions already made by the leadership, as Paolo Gerbaudo notes.

Both Five Star and its Rousseau platform are less celebrated than they once were. The party has crumbled in opinion polls, and in January 2020 Luigi Di Maio resigned as leader amid infighting and defections. For the time being, he has been replaced by a caretaker leader. Di Maio’s resignation raises the possibility of another leadership contest conducted on Rousseau in the coming months. But the shine has gone from the party’s digital democracy ambitions. “We hear little of Rousseau now, it’s no longer really news,” Carimati said. “That’s because Five Star is one big crisis. And Rousseau is seen as increasingly irrelevant.”

This piece appears in Logic's issue 10, "Security".