I'm working on a web-based contest which is supposed to allow anonymous users to vote, but we want to prevent them from voting more than once. IP based limits can be bypassed with anonymous proxies, users can clear cookies, etc. It's possible to use a Silverlight application, which would have access to isolated storage, but users can still clear that.

I don't think it's possible to do this without some joker voting himself up with a bot or something. Got an idea?

A: 

Nope, it's the user's computer and they're in control. Unfortunately the only solution is to bring it back on your court so to speak and require authentication.

However, a CAPTCHA helps limit the votes to human users at least.

Of course even with authentication you can't enforce single voting because then they teach the bots to register...

Graphain
A: 

You can certainly make it difficult.

What about building a user profile with such things as IP address, browser user agent, machine name, and whatever other information you can get?

Store the profile for each user, then if you receive a profile which is similar enough to one already in the database (you'll have to tweak that) you can throw out that vote.

I imagine you can probably build a better profile using Silverlight, though I'm not sure what information that gives you access to.

George Mauer
A: 

Client-side solutions are out for the reasons you listed -- they can be manipulated by the user. Server-side solutions -- as you said -- can be fooled and bypassed.

If you're willing to accept the fact that you can't really be 100% sure that you're getting exactly one vote per person, then there are some measures you can take to reduce the noise.

  • Use a CAPTCHA in your vote-submission form to make it harder for bots and scripts to vote.
  • Limit the number of votes per IP address to one.
  • Consider requiring registration in order to vote. (I know this defeats part of your original question, but it gives you a greater degree of control over the voting.)

That's a good start.

bigmattyh
A: 

My personal experience in contest developing and monitoring tells me that no, there is no reliable way to avoid cheating if you let anonymous users vote (or do anything that lets them participate in the contest).

You could play with IP, introduce delays between an action and the next, but it's really difficult: the best way is to introduce a captcha or something similar, if applicable in your particular situation.

Best of all, don't let anonymous users participate: let them "play" and access a simulation, but the contest needs a login.

ila
+18  A: 

The short answer is: no. The longer answer is: but you can make it arbitrarily difficult. What I would do:

  • Voting requires solving a captcha (to avoid as much as possible automated voting). To be even more effective I would recommend to have prepared multiple types of simple captchas (like "pick the photo with the cat", "what is 2+2", "type in the word", etc.) and rotate them both by the time of the day and by IP, which should make automatic systems ineffective (i.e. if somebody using IP A creates a bot to solve the captcha, this will become useless the next day or if s/he distributes it onto other computers/uses proxies).
  • When filtering by IP you should be careful to consider situations where multiple hosts are behind one public IP (AFAIK AOL proxies all of their customers through a few IPs - so such a limitation would effectively ban AOL users). Also, many proxies send along headers pointing to the original IP (like X-Forwarded-For), so you can take a look at that too.
  • Finally, using something like FSO (Flash Shared Objects - "Flash cookies") is obscure enough for 99.99% of the people not to know about. Silverlight is even more obscure. To be even sneakier, you could buy another domain and set the FSO from that domain (so, if the user is looking for FSOs set by your domain, they won't see any).

None of these methods is 100%, but hopefully combined they give you the level of assurance you need. If you want to take this a level higher, you need to add some kind of user registration (which can be as simple as asking for a valid e-mail address when the vote occurs and sending a confirmation link to the given address and not counting the votes for which the link wasn't clicked - so it doesn't need to be a full-fledged "create an account with username / password / first name / last name / etc.").

Cd-MaN
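The e-mail confirmation step described in the answer above, sketched as an added example that is not part of the original post: a vote stays pending until the link sent to the address is clicked, and each address is counted once. The function names, the in-memory dictionaries, the token format and the one-day expiry are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: a random server-side secret in practice
TOKEN_TTL = 24 * 3600              # assumption: confirmation links expire after one day

pending = {}   # email -> (choice, issued_at); stand-in for a database table
counted = {}   # email -> choice; only confirmed votes land here

def normalize(email):
    # Case-fold and trim so trivially varied spellings map to one voter.
    return email.strip().lower()

def _sign(email, issued_at):
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def submit_vote(email, choice, now=None):
    """Record an unconfirmed vote and return the token to put in the e-mailed link."""
    now = int(time.time() if now is None else now)
    email = normalize(email)
    if email in counted:
        return None                      # this address has already voted
    pending[email] = (choice, now)       # a re-submit replaces the pending vote
    return f"{now}.{_sign(email, now)}"

def confirm_vote(email, token, now=None):
    """Count the vote only if the token is authentic, fresh and not yet used."""
    now = int(time.time() if now is None else now)
    email = normalize(email)
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                     # malformed token
    expected = _sign(email, issued_at)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                     # forged or tampered token
    if now - issued_at > TOKEN_TTL or email in counted:
        return False                     # expired link or replayed link
    entry = pending.get(email)
    if entry is None or entry[1] != issued_at:
        return False                     # superseded by a later submission
    counted[email] = pending.pop(email)[0]
    return True
```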
+1  A: 

No, you can't, and it only takes one person and a willing forum to change the outcome of an online vote.

You have to realize the inherent flaws of an online vote and rather than attempting to get around them try to use them to your advantage.

Adam Davis