[thelist] Online poll issues

David Wagner dave at worlddomination.net
Wed Apr 3 12:34:01 CST 2002

Simon Willison wrote:

> Josh wrote:
>> What about a timing mechanism.  Still... Yeah... Come on, there should
>> be a way to do this.
> There isn't, plain and simple. If someone wants to cheat in your poll
> they will - be it by deleting their cookies, changing their IP address
> (for example dialling up to another connection on a modem), using a
> different web browser or even going to a separate computer and voting
> again!
> You can make it "inconvenient" for people to cheat in your poll using
> cookies, IP address and so forth, but you can never completely stop
> someone who is determined to cheat.
> [snip]

The best way to examine this problem is to try it from the other end.
Not that I'm advocating messing with other people's hard work, but...

Bear with me on a related example:

Download.com recently implemented a semi-required registration pop-up if
you download more than x files in y minutes. When I go on a shareware
spree to find the micromanagement program of my dreams, I frequently
download 10 files in the space of 10 minutes, and I have absolutely no
interest in receiving valuable offers from C|NET and its "partners".
Last time I got the registration notice, it took me all of 20 seconds to
track down the proper cookie and delete it, thus freeing me to download
another 3 or so items before getting another notice. At the time, I
didn't even think about the ethical considerations of robbing C|NET of
their advertising dollars. I'm thinking about it now, and feeling quite
rebellious and naughty. :)

The point of this is that if it only takes me a few seconds to work
around a system C|NET paid someone a lot of money to come up with, it's
gotta be *really* hard when you raise the stakes to ballot-box stuffing
and the like.

HTTP is still a stateless and *anonymous* protocol. You can do what you
will to work around these issues, but you can never outsmart everyone
when you're using a transmission method that is, essentially, dumb.

If you tack another protocol on, however, you might start to get
somewhere.  For example, my cellphone is in a closed system with
authentication on both ends. No transmission happens between my phone
and VoiceStream's system that can't be traced back directly to me. This
is a relatively solid way to make sure that I only get one vote (from my
phone, anyway; the option of beating up my friends and voting from their
phones is still valid). Moreover, VoiceStream could probably do a pretty
good job of making sure that I only have one phone, if they wanted to,
since they do credit checks and such. Tack this voting method onto the
end of a web interface, and you've got a nearly reliable, but difficult
to implement, voting system.

Coming back around to Rachel's original post: +1 vote for the article. I
haven't really seen the issue addressed before, but it ties into so many
other major web issues (security & privacy, online elections, fraud,
etc.) that its time has definitely come. Actually, a whole series of
articles on "redefining the person/individual in a virtual world"
strikes me as a fun activity, but I can't volunteer. :)

David Wagner
dave at worlddomination.net
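
Added example, not part of the original message: a Python sketch contrasting cookie-based deduplication with the scheme described above, where each ballot is bound to an identity authenticated outside HTTP. The class names, the HMAC token format and the subscriber ids are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class CookiePoll:
    """Dedup on a cookie: the server trusts state the voter controls."""
    def __init__(self):
        self.tally, self.seen = {}, set()

    def vote(self, choice, cookie=None):
        if cookie in self.seen:
            return None                    # this cookie has already voted
        cookie = secrets.token_hex(8)      # no known cookie: treated as a new visitor
        self.seen.add(cookie)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return cookie

class VerifiedPoll:
    """Dedup on an identity authenticated out of band (hypothetical carrier-
    verified subscriber id); the web form only carries a ballot token."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # server-side secret, never sent to clients
        self.tally, self.voted = {}, set()

    def _mac(self, subscriber_id):
        return hmac.new(self.key, subscriber_id.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, subscriber_id):
        # Reached only through the authenticated channel, never the web form.
        return f"{subscriber_id}.{self._mac(subscriber_id)}"

    def vote(self, choice, token):
        subscriber_id, _, mac = token.rpartition(".")
        if not hmac.compare_digest(mac.encode(), self._mac(subscriber_id).encode()):
            return False                   # forged or altered token
        if subscriber_id in self.voted:
            return False                   # one ballot per verified identity
        self.voted.add(subscriber_id)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return True

def compare():
    cookie_poll, verified = CookiePoll(), VerifiedPoll()
    first = cookie_poll.vote("A")
    cookie_poll.vote("A", cookie=first)    # rejected: cookie was presented again
    cookie_poll.vote("A")                  # cookie absent: counted a second time
    token = verified.issue_token("subscriber-001")   # constructed sample id
    results = [verified.vote("A", token),            # accepted
               verified.vote("A", token),            # rejected: identity already voted
               verified.vote("A", "subscriber-002.forged")]  # rejected: bad MAC
    return cookie_poll.tally, verified.tally, results
```

The second class is only as strong as the channel that calls issue_token; the dedup set lives on the server, so nothing the browser discards or changes resets it.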
