"I demand the immediate resignation of Prime Minister Mariano Rajoy and the calling of elections, as well as the resignation of any member of the People's Party named in the documents who holds office publicly or in the party."

That's not an opposition leader speaking but more than a million Spanish citizens who signed a petition on Change.org as a reaction to an unprecedented corruption scandal involving the highest ranks of the government.

Three weeks ago, the Spanish newspaper El Pais published documents that appeared to include evidence linking the former People’s Party (PP) Treasurer Luis Barcenas to fund embezzlement of several millions of euros and secret payments to high-profile party members, including current Prime Minister Mariano Rajoy, who has led the party since 2004.

The petition collected 200,000 signatures within 12 hours of going live; it then went viral. Several national newspaper and online news outlets reported that it was an example of popular exasperation with the politicians. After gathering 1 million signatures in about a week, it became the fastest growing Change.org petition ever.

Prime Minister Rajoy insisted that the accusations against him were false, declaring: “If someone believes that because of this harassment I’ll lose spirit or abandon the task given to me by the Spanish people, then they are wrong,” Bloomberg reported.

The conservative newspaper ABC.es reported that sources inside the People's Party believe the Change.org petition is "absolutely fictitious" because it does not verify the data of the signatores, meaning that anyone could subscribe "once or a thousand times." According to ABC's report, PP sources claimed that the system was "fraudulent" because signatores to the petition are not required to produce proof of identity in the form of a National Identity Card number or a certified electronic signature, with the latter commonly used in several European countries.

Since the political events sparked several controversies regarding the signatures, I reached out to Benjamin Joffe-Walt, Change.org Global Communications Director.

During an interview that was conducted via Skype, he told me that there actually were some attempts to spam the petition, but those were mostly directed at a couple of related petitions rather than the main one. According to a press release from Change.org, the organization detected a few hundreds fake signatures.

“We have a sophisticated automated system that detects those signatures. We intentionally remove them afterwards and not in real time [because] we want spammers to think they have succeeded,” Joffe-Walt explained. He refused to give me the name of a hacker that allegedly tried to spam the petition, citing privacy reasons.

There were also about 19,000 bounce-back emails related to the main petition, said Joffe-Walt: “Those numbers include people that actually want to sign the petition but are afraid or don't want to give us their real email address.” Those signatures were removed as well.

“Servers may be violated, of course. A spam attacker could create an Internet domain and thousands of email addresses that can be used to sign the petition or even use proxy servers to use different IP addresses,” said Fabio Pietrosanti. Pietrosanti is an expert on cybersecurity and one of the creators of Global Leaks, the first whistleblowing open source project. In response to questions sent to him by email, he wrote, “With time and money it would be certainly possible to try to affect significantly a petition. But the more the false signatures the easier [it will] be for Change.org to notice such an anomaly and to detect automated techniques and patterns, as they've been facing those issues for quite some time now.”

The petition was shared 1.6 million times on Facebook and more than 32,000 times on Twitter, confirmed Joffe-Walt on Thursday. “And it's also teaching us a lot,” he continued, explaining that the engineering staff had just added a box in the confirmation email for further proof of a member's identity, a feature to avoid the impersonation of prominent people. "We've been working on the idea for some time, now but this petition pushed us to complete it.”

Pietrosanti, a co-founder of the Hermes Center for Transparency and Digital Human Rights and a hacker himself, thinks that Change.org should open up their data, rather than trying to keep their security techniques secret: “If Change.org want to be more transparent, they should publish a complete log of all traffic related to the signatures and the signup process: in this way they could have a public review and crowdsource anomalies detection,” he explains, “Of course some data are sensitive but there are ways to hide them. This way they would be able to have a public analysis of related to the petition activity and in my opinion this would result in a greater help for them.”

Even though it's been active for little more than a year, Change.org has seen significant success in Spain with 3 million users (roughly 10 percent of domestic Internet users). The U.S.-based organization acquired a ready-made member user base, thanks to its September 2011 acquisition of the Spanish petition platform Actuable.

Albert Medran, Change.org's Spain Communications Director, said that Spaniards create about 1,000 petitions per month, particularly on issues related to human rights and the environment.

In recent months anti-corruption issues have become increasingly important in Spain, with the number of petitions launched against political parties demanding resignations continuing to increase.

In April I reported about a transparency law that was being drafted by the Spanish government. “Faced with economic hardship and in a turbulent political time, a freedom of information law would be one way to boost credibility with the public,” I wrote at the time.

Ten months later, the stakes in Spain are higher than ever and this may not be enough.

This article has been modified: it previously stated that Change.org had detected 19,000 false signatures, as written on a Change.org press release dated February 7. The number actually refers to bounce-back emails. Benjamin Joffe-Walt explained that this was due to a translation error in the press release.

The article also states erroneously that the new feature in the confirmation email is a captcha box.

Personal Democracy Media is grateful to the Omidyar Network for its generous support of techPresident's WeGov section.