

December 04, 2008  |  Anti-vote-gaming strategies  |  496 hit(s)

Many sites allow users to vote on individual entries. Heck, the entire premise of social bookmarking is basically people voting for Web content: the content with the most votes "wins," in the sense of visibility or prominence. Getting a large number of votes on Reddit or Digg or Del.icio.us (now renamed Delicious.com, too bad) is good for business in either the direct way (more eyeballs = better ad revenue) or just bragging rights. (Assuming your server can handle it, i.e., does not suffer the Slashdot Effect.)


Sites that sell products also often have rating systems -- Amazon, of course, and Netflix, Newegg, all them guys. You can rate the merchants from whom you buy over the Web. Here in my division, we let you rate topics on MSDN.


Given that there is value in votes, sites that offer voting generally implement ways to prevent people from voting multiple times. If I were of a nefarious bent of mind, for example, and wanted to make sure that a topic I work on is highly rated in MSDN, I could theoretically click the 5th star hundreds of times. I would then get kudos at work and probably a huge bonus or something.[1]

Thus, most sites track someone who has voted. If users are anonymous (i.e., they don't have to log in), this is most typically (and most easily) done with a browser cookie; if the site sees that the user already has the cookie, the site disables voting. Another strategy is to track the user's IP address. Some sites track voters by sessions--you can't vote again during your current browser session.

All of these systems are easy to defeat for someone who is motivated and/or someone who can write a halfway decent script. For cookies, you can delete the cookie and vote again. For IP tracking, you can switch machines and vote again.[2] (This also works for cookies.) For sessions, you can close your browser, reopen it, and then vote again.[3]

If you want a reasonable chance of accurate voting, you make people log in and identify themselves, and track by user ID. As one developer has put it succinctly, "Anonymity or uniqueness. Pick one."
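An added example (not from the original post or any site it mentions) that replays one constructed set of votes under the three tracking keys discussed above: cookie, IP address, and logged-in user ID. The `person` field is ground truth for the illustration only, and the sketch assumes one account per person.

```python
from collections import namedtuple

# Constructed sample votes. "person" is ground truth the site never sees;
# user_id assumes a login with exactly one account per person.
Vote = namedtuple("Vote", "person item cookie ip user_id")

VOTES = [
    Vote("alice", "topic-1", "c1", "203.0.113.5", "alice"),
    Vote("bob", "topic-1", "c2", "203.0.113.5", "bob"),       # same corporate NAT address as alice
    Vote("carol", "topic-1", "c3", "198.51.100.7", "carol"),
    Vote("carol", "topic-1", "c4", "198.51.100.7", "carol"),  # cookie deleted, votes again
    Vote("carol", "topic-1", "c5", "192.0.2.44", "carol"),    # different machine, votes again
]


def evaluate(votes, key):
    """Accept only the first vote per (item, key) and score the outcome.

    Returns how many votes were counted, how many of those were repeat
    votes by a person already counted, and how many real voters were
    never counted at all.
    """
    seen_keys, counted_people = set(), set()
    accepted = duplicates = 0
    for v in votes:
        dedupe_key = (v.item, getattr(v, key))
        if dedupe_key in seen_keys:
            continue  # the site refuses this vote
        seen_keys.add(dedupe_key)
        accepted += 1
        who = (v.item, v.person)
        if who in counted_people:
            duplicates += 1  # same person counted twice
        counted_people.add(who)
    everyone = {(v.item, v.person) for v in votes}
    return {
        "accepted": accepted,
        "duplicates": duplicates,
        "shut_out": len(everyone - counted_people),
    }


if __name__ == "__main__":
    for key in ("cookie", "ip", "user_id"):
        print(f"{key:8} {evaluate(VOTES, key)}")
```

Note that IP tracking lands on the right total here while counting the wrong people: one repeat vote is accepted and one legitimate voter behind the shared address is shut out.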

Or, if the voting isn't all that critical, you can take a different anti-gaming approach. The Toolmonger.com blog features new or just cool tools. (There's something for everyone on the Web, ain't there?[4]) Each entry includes an "Interesting Post" button that lets you log that you liked the post. (If not necessarily the tool.)


The blog authors explain it this way:
Well, we use this information in a couple of ways. First, we review it every so often to see what topics we should put more effort into and which topics Toolmongers as a whole aren’t really interested in. We also use it to assist in selecting the “top 5” tools each week for our Week in Tools roundup. And, we use it to determine which posts we should discuss in the Toolmonger podcast.
As you can see, the "votes" are not exactly determining the fate of nations or anything. So the Toolmonger folks are more relaxed than some sites in tracking whether you vote. They address this, and they reveal their somewhat novel strategy for preventing revoting:
Can’t I just click it 10,000 times? Is this a real contest/voting system?

Yes. No. Please don’t. We’re not looking to become the next Digg here, so we haven’t invested in trying to prevent gaming of the system or other such abuses. We’ll simply ask you to use the system as it’s intended, clicking the button only once when you’re interested in a post. We’ll go over the results and use our own common sense when interpreting them.
Imagine: social engineering that consists of asking people to be nice (they even say "please"), with a pledge that they'll use common sense. I don't think I'd stake the security of an actual election on this particular strategy, but it is refreshing to see someone using a less technology-bound way to manage their site.


[1] Yo. Kidding.

[2] IP address tracking is in any event not very robust. Corporate networks can appear to have one or just a few IP addresses for multiple users; providers with dynamic IPs (like Comcast) likewise, plus any given user might have a different IP on different days.

[3] Here is a writeup about possible voter fraud in (omg!) electing a homecoming king and queen at college. :-)

[4] A feature of their blog that I think is funny is the "OBP" podcasts -- "one-beer projects."