web opinion polls - preventing multiple votes?

Question

What measures should be implemented in my sites opinion polls so that the numbers are accurate?

Cookies? ISP address? etc.

p.s. I am not a programmer, I just want to tell my programmer which measures to take.

Answer 1

there is no a bullet proof way.
Cookies can be deleted (or rejected to begin with, to make it even easier). Besides, the automated scripts, that generate thousands of votes in a second, just won't send the cookies to you at all (and those are the ones to protect against, not a poor user, who just happens to hit a "vote" button twice by mistake - that would not affect your outcome much anyway).

IP address isn't much better, because of tens of thousands of anonymous proxies, that are readily available to everyone.
Besides, some ISPs (like, AOL) use a pool of proxies for all their users. So, that if the same AOL user hits your website twice in a row, you could see two different IPs, and, what's worse, if you see the same IP again, it could be a totally different user, that just happened to get routed through the same AOL proxy.

The most common approach is, you set the cookie, and disallow voting if it is already set. That will take care about 80% or so of duplicate votes (most are made by mistake anyway, and most of the rest won't know to clear their cookies).
In addition, record a timestamp and the ip with each vote. You cannot just disallow multiple votes from the same ip, because, as I described above, that'll exclude most of the AOL users at once, but you can watch the traffic, and look for patterns - like lots of identical votes coming in from the same ip within a short interval - that could indicate possible fraud. This can be automated to an extent, but cannot be real-time (you'll have to look for fraudulent votes and clean them up later).

Next step would be instead of letting the user vote right away, to ask for an email, then generate a unique single-use link, send it to that email address, and register the vote after the user clicks on it. You'd have to keep the lists of emails that already voted somewhere, to check for duplicates.
This would make it next to impossible to come up with an automated script that floods your poll with thousands of votes to skew the results, although, the same person could still vote several times by registering several email addresses (cookies and ips don't protect from that either, as most people have access to more than one computer anyway).

Answer 2

I'm not a computer programmer either, but do know that I defeated a small town newspaper poll once by using the technique of deleting cookies on my computer and simply revoting over and over. They were relying on cookies to keep track of whether or not you had voted on a certain poll and since that was stored in a cookie on my computer deleting the cookies and then going back to the poll allowed me to vote as if I was a first time voter. Just my 2 cents, but think that isp address might be more secure on this, or it might be possible to do both. Either way though cookies are not secure unless backed up by some sort of security on your site itself. Also some sort of program that records the "speed" of votes would help as well as I was able to cast dozens of votes in an hour and they were only getting a couple an hour when the votes weren't being "stacked". :-) Good luck either way though. By the way it is also easy to use the "deleting cookie" technique to revote on many of the major media sites, but because they get so many thousands of votes an hour would be darned near impossible to actually influence the outcome. Smaller sites though are very vulnerable to such influence.

Answer 3

There is no silver bullet to prevent multiple voting in an open poll. The question of how accurate the poll will be is dependent on your authentication process.

If the poll is an open poll (i.e., anyone who visits your site can vote) the only thing you can do is employ cookies. Create a GUID or some other unique identifier, and store it in a cookie that never expires. You can then keep track of which polls (if any) that particular GUID has voted in. Cookies are easily bypassed, so if one of the requirements of the poll is that it is unauthenticated, you must accept a certain degree of ballot stuffing. It is unavoidable. ISP's like AOL, and anonymizing services use dynamic proxies so that every request comes from a different IP address. You cannot use the IP address to restrict votes.

If the poll is a closed poll, it is much easier to prevent ballot stuffing. A closed poll requires users to be authenticated to you in some way. The downside is that it will turn away users who do not wish to provide you with personal information or take the extra time to authenticate.

The most obvious option is to have accounts on your site. Users who are logged in can vote, and votes are tied to accounts. One vote per account.

That is a very large barrier to entry just for a poll, however. One simpler option falls something along these lines: the user picks their choice on the list, and then enters their e-mail address, and hits submit. You then create a GUID and a "vote placeholder" in your database, and e-mail the user a link to a page that accepts the GUID. When they click that link from their e-mail, it will verify the vote from the unique GUID.

Most first reactions are something like "that's just as much of a pain... most users are not going to want to have to vote and then check their e-mail to finish the process." That is true, but most polls are open for days, or weeks. Users can easily be informed that "hey, the next time you check your e-mail, make sure you click the one from us to get your vote counted." Since they will most likely check their e-mail at some point anyway, this is not extra work for them. I have used this method a number of times and it has a very high rate of vote completion. My polls also monitor which e-mails get bounced back and discard them (people who enter nonexistent addresses). The number of valid addresses that get confirmed later on is usually 85-95% by the end of the poll.

It's all a trade-off, of course. At one end of the spectrum is zero difficulty to vote with a high rate of fraud, and the other end is highly difficult to vote with a zero rate of fraud... option 3 will be somewhere in the middle. A moderate barrier to entry in this instance will yield a low, but not nonexistent, rate of fraud. Multiple e-mail addresses per person are unavoidable, but no one (we hope) is going to create 2500 Hotmail accounts *and* check them all in order to stuff your ballot box.

Answer 4

it incredibly is prevented in the registration technique. you could in basic terms be registered in a single vote casting district. a minimum of interior of one state. you could technically be registered in greater beneficial than one district in case you look after properties in diverse states. even nonetheless, in case you VOTE in greater beneficial than one state, then there's a technique (set up by employing the states to maintain vote casting integrity) that exams to work out if human beings voted for the time of jurisdictions. guess what. those human beings pass to penal complex. the clarification that voter fraud is almost non-existent is: a million. it is not common. 2. it incredibly is common to get caught. 3. The consequences are extreme. 4. Your 3 or 4 greater beneficial votes in simple terms do no longer result an election. Commiting in-individual voter fraud is a ludicrous factor to do, and that's the clarification no person ever does it.