How to Stop Some Dumb, Destructive Bot From Ruining Your Company's Poll
You have to be vigilant to make sure your poll results are real, not driven by a hired botnet.
It's a common technique for a business to solicit feedback from its audience, either on social media or via web polls and surveys. But, problem: Any time you ask the internet for information, you have to look carefully at what you get back in return. The reason is that the internet is no stranger to corrupting simple polls.
What kind of impact could a campaign have on your poll? You could find an internet meme taking over. You could see a representative sent to a far-off location. You could see a strange choice of venue for an event. Or you could see something more malicious, like what Mountain Dew encountered years ago. (Its attempt to let viewers choose the name for a new green-apple-infused soft drink drew such offensive responses that the campaign had to be shut down.)
That's just a publicized example of a high-profile poll gone wrong. More insidious are the cases that are never reported. You run a poll to gain demographic information or user feedback, and a clever fraudster manipulates the results to fit his (or her) needs without anyone's ever knowing. You might think you've gained new insight, only to find further efforts to capitalize on that information falling flat.
Contests often fall victim to the same manipulation. If your internet poll helps determine a winner, you have to be vigilant to make sure the winner isn't chosen by a hired botnet rather than your legitimate followers. So, how can you protect your poll and your business from poll manipulation? The answer is to find a poll service or app that provides security against manipulation.
Use a captcha.
Captchas -- programs or systems that distinguish human input from machine input -- are some of the most basic internet security available today, so they should be a bare minimum for any poll you do. The best choice is Google's reCAPTCHA, which uses a variety of signals, ranging from user behavior on pages prior to the poll to mouse movements on the poll page itself. Powered by Google's immense wealth of data, these captchas are good at separating a human response from a machine one.
Of course, captchas are in an arms race, and there are tools out there that help scammers bypass even Google's most advanced reCAPTCHA algorithm. People are even developing machine-learning bots that can learn how to get past such algorithms. That's why this solution is just one of many for a secure poll.
Some polling services like Crowdsignal integrate some features of advanced reCAPTCHAs, like tracking mouse movements on the submit button. A bot usually just jumps to the position rather than mousing over, which is easier to detect. Even a bot that records mouse motion will be detected when the exact same motions are used over and over.
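The two mouse-movement checks just described, as an added example (not Crowdsignal's or reCAPTCHA's code). It assumes the poll page sends each submission's pointer samples as (x, y, milliseconds) tuples; the threshold, class name and sample trace are constructed for illustration.

```python
import hashlib
from collections import Counter

MIN_SAMPLES = 5  # assumed threshold: fewer samples means the pointer "jumped"

# Constructed sample: pointer samples (x, y, ms) leading up to the submit click.
HUMAN_TRACE = [(10, 10, 0), (14, 12, 16), (21, 15, 33),
               (30, 19, 49), (41, 22, 66), (50, 24, 83)]

def fingerprint(trace):
    """Hash a trace relative to its first sample, so a recording replayed at a
    different screen offset or start time still produces the same digest."""
    x0, y0, t0 = trace[0]
    rel = ",".join(f"{x - x0}:{y - y0}:{t - t0}" for x, y, t in trace)
    return hashlib.sha256(rel.encode()).hexdigest()

class MouseTraceChecker:
    """Flags submissions with no real pointer path or with a recycled one."""

    def __init__(self):
        self.seen = Counter()  # fingerprint -> number of submissions using it

    def classify(self, trace):
        """Return 'jump', 'replay' or 'ok' for one submission's pointer trace."""
        if len(trace) < MIN_SAMPLES:
            return "jump"      # pointer appeared on the button without moving there
        fp = fingerprint(trace)
        self.seen[fp] += 1
        # Two humans never produce pixel- and millisecond-identical paths.
        return "replay" if self.seen[fp] > 1 else "ok"

if __name__ == "__main__":
    checker = MouseTraceChecker()
    shifted = [(x + 100, y + 40, t + 5000) for x, y, t in HUMAN_TRACE]
    for name, trace in [("first", HUMAN_TRACE), ("shifted copy", shifted),
                        ("single point", [(400, 300, 0)])]:
        print(name, "->", checker.classify(trace))
```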
Use a unique identifier.
Several ways exist to help you enforce some level of unique identifier for each entry in a poll. The easiest and most common today, which you see in contest apps like Gleam, is social media authentication. This requires a user to sign into a valid social account to get an entry or a vote, and puts another barrier to entry in front of your poll.
Again, this isn't a perfect solution on its own. We all know of the issues with bots on Twitter and other social networks. A simple authentication alone will stop some people, but when your opposition controls 10,000 accounts, it's not a barrier to all of them.
Remember, an email address is not a valid unique identifier. It's incredibly easy to generate unique email addresses, temporary or permanent. Gmail even allows you to add a . or a + to your address and customize it; each variation is likely to count as a unique address if you're not filtering properly.
This is where you add some IP filtering to the mix. A poll app that can monitor and filter entries based on IP can help prevent numerous accounts from entering from the same IP address. Sure, you might catch cases where three members of a family using the same computer want to enter, but you can specify just "one entry per household, please" to make it a non-issue.
Using an IP tracing service like MaxMind or IP2Location can also help pinpoint entries that come from obvious proxy servers or data center IPs, which are often used to hide this kind of poll manipulation. Normal users are unlikely to be voting from within a data center, right?
Give a false positive.
It's important that you don't give your opposition a reason to look deeper. If the person controlling a botnet encounters a message about his or her vote not counting, or is unable to access the poll with different accounts, this person might dig deeper and find a way to break your security after all. On the other hand, if it looks like the bot's vote is accepted while your system quietly rejects it, the bot's controller will be satisfied and leave things at that.
This can be tricky in cases where the number of votes or the ranking of various options is publicly updated. If a user intends to add 200 votes to the second-place candidate, but doesn't see the vote count rise, he or she will look a little deeper. You don't want that to happen: Let this person think he or she has "won" -- right up until you announce the real results.
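How the unique-identifier filters and the quiet rejection fit together, as an added example rather than code from any poll service named here. The Poll class, its method names and the data-center range (a reserved documentation block standing in for a MaxMind or IP2Location lookup) are assumptions; the displayed count includes rejected votes so a manipulator sees the numbers rise, while the real tally does not.

```python
import ipaddress

# Constructed stand-in for a proxy/data-center lookup (documentation range,
# not real data); a production system would query an IP intelligence feed.
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr):
    """Collapse Gmail dot and +tag variants into one identity."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

class Poll:
    def __init__(self):
        self.counted = {}   # option -> votes that count toward the real result
        self.shadow = {}    # option -> votes accepted on screen but discarded
        self.seen_emails, self.seen_ips = set(), set()

    def _reject_reason(self, email, ip):
        if any(ipaddress.ip_address(ip) in net for net in DATACENTER_NETS):
            return "datacenter_ip"
        if email in self.seen_emails:
            return "duplicate_email"
        if ip in self.seen_ips:
            return "duplicate_ip"   # the "one entry per household" rule
        return None

    def vote(self, email, ip, option):
        email = canonical_email(email)
        reason = self._reject_reason(email, ip)
        if reason is None:
            self.seen_emails.add(email)
            self.seen_ips.add(ip)
        bucket = self.counted if reason is None else self.shadow
        bucket[option] = bucket.get(option, 0) + 1
        # Identical response either way: a rejected voter learns nothing.
        return {"status": "accepted"}

    def displayed_tally(self):
        """Live count shown on the page: real plus quietly rejected votes."""
        options = {*self.counted, *self.shadow}
        return {o: self.counted.get(o, 0) + self.shadow.get(o, 0) for o in options}
```

Announce results from `counted` only, and keep the rejection reason in server-side logs if you want to review filtered entries later.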