Eric Grimm, Senior Programmer, wrote this piece about voting fraud — and how to stop it.
Online contests are all the rage with the kids these days. After the initial entries are judged, frequently the finalists’ submissions are opened up for voting by the public at large to determine a final winner. If the prize is tantalizing enough, this creates a rather large target for voter fraud. This is something that wakes me up in the middle of the night with cold sweats and a sickly feeling in my stomach. So what have I done to severely limit this eventuality? Read on for The Answer.
As tempting as it is to make the barrier to entry low (“just click here to vote for your favorite!”), know that to do so is very risky. This is a sure-fire way to invite vote spamming and fraud. Ideally, you’ll need to vet the voter somehow, by asking for some verifiable information, either before allowing them to cast their vote, or in order to qualify their vote as legitimate. Here are some suggestions:
- Allow only one vote per day (or for the duration of the voting period) per voter.
- Have the voter supply their email address, then send a link to that address that, when clicked, will “approve” their vote. If you allow repeat voting, you can make this a one-time check so as not to nag the voter too much.
- Allow the voter to use a social sign-in (Facebook, Twitter, Google, etc).
- In order to avoid script spamming, use a server-side token and a browser-side token, and ensure they match when the voting form is submitted.
- Along those same lines, ensure the form is being submitted from the correct domain.
- Honeypots. In order to weed out scripted votes, you may consider creating a hidden field that humans won’t see, but a robot or script will see and populate. If this field has a value when the form is submitted, then you know that there is not a human on the other end of the wire.
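The server-side checks from the list above (honeypot, submitting domain, matching tokens, one vote per day) combined into a single validation function, as an added example that is not code from the original article. The field names `website`, `token` and `email`, the domain `contest.example`, and the in-memory ledger are assumptions for illustration, and the email address is assumed to have already been confirmed through the emailed link.

```python
import hashlib
import hmac
import secrets
from datetime import date

SECRET = secrets.token_bytes(32)            # per-deployment signing key (assumption)
ALLOWED_ORIGIN = "https://contest.example"  # hypothetical contest domain

def issue_token(session_id: str) -> str:
    """Server-side token bound to the visitor's session and embedded in the form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def check_vote(form: dict, headers: dict, session_id: str, ledger: set, today: date):
    """Return (accepted, reason). `ledger` holds (email, day) pairs already counted."""
    # Honeypot: the hidden "website" field must come back empty.
    if form.get("website", ""):
        return False, "honeypot"
    # The form must be posted from the contest's own domain.
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return False, "origin"
    # The token sent by the browser must match the one issued for this session.
    sent = form.get("token", "").encode()
    if not hmac.compare_digest(sent, issue_token(session_id).encode()):
        return False, "token"
    # One vote per voter per day, keyed on the normalized email address.
    email = form.get("email", "").strip().lower()
    if not email:
        return False, "email"
    key = (email, today.isoformat())
    if key in ledger:
        return False, "duplicate"
    ledger.add(key)
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample submissions, not real contest data.
    ledger, day = set(), date(2024, 1, 1)
    hdr = {"Origin": ALLOWED_ORIGIN}
    vote = {"email": "fan@example.com", "token": issue_token("s1"), "website": ""}
    print(check_vote(vote, hdr, "s1", ledger, day))                       # accepted
    print(check_vote(vote, hdr, "s1", ledger, day))                       # same day repeat
    print(check_vote(dict(vote, website="spam"), hdr, "s1", ledger, day)) # bot filled field
```

Recording the rejection reason alongside each submission, rather than silently dropping it, gives the post-contest review a ready-made signal for which entries attracted scripted traffic.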
Even with these checks in place, there is still the potential for invalid voting. After the voting period has ended, you should endeavor to validate all the records that you have received, through some form of forensic analysis. While this is being done, you don’t want the public at large to get wind of any nefarious activities (not by you, of course, but by “them”). Here are a few suggestions to mask your activities during this time:
- First, NEVER show a real-time, raw vote count for the entries. It invites inspection and uncomfortable questions, and can also serve as a deterrent to vote for other candidates. If entry #1 has 95,000 votes, and entry #2 has only 5,000, then the game has already been (perceptually) lost. Conversely, if you determine that 99% of entry #1’s votes are fraudulent, you may get called out when their vote total drops to 950 overnight.
- In that same vein, avoid showing vote tallies as a percentage – again, if entry #1 has 95% of the votes, then their lead is already (theoretically) insurmountable.
- If you must show a leader board, please couch it in disclaimers galore. “Final votes pending review”, and so on. (Read more about leaderboard nightmares in our previous blog.)
- Also consider having the vote tally only count as a percentage of the entry’s final score. This way, a lower-scoring entry with a runaway voting fanbase is less likely to beat out a clearly superior entry from someone with fewer friends, or less tech-savviness, or more scruples.
Finally, here are some methods that might seem sound, but are full of flaws. These include:
- IP address filtering. Some domains (aol.com, for example) funnel traffic through a relatively small set of IP addresses. If you block further voting (per day or for the voting duration) based on this, or use it as a voter’s identity, then you are eliminating a lot of potentially valid voters.
- CAPTCHA and other human-identifying widgets used without other identifiers. These have their place, but they should be used in tandem with the aforementioned methods and should not be the sole gateway. They are relatively easy to defeat or bypass with scripts, though they are getting more robust.
Ultimately, voter fraud is something you should be concerned about, as it can easily destroy the integrity of your promotion and damage your brand. It only takes one bad apple to ruin the sharpest pens in the box. What should you do? Let Marden Kane handle it for you, and divest yourself of the responsibility. Contact us for a consultation.