473,320 Members | 1,612 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

Voting mechanism (think digg) without registration

Hi all.

Is it possible to implement an accurate voting mechanism (think
digg.com) that does not require users to sign in before voting?

I think for many people registering is pain and thus they rarely give
their votes online. Just look at digg and compare the number of votes to
the number of people visiting their website.
IOW what if somebody needs votes but cannot afford to bother users with
registration process?

I understand that just leaving it open for anybody is not really an
option since any jerk can ruin other users' votes just by clicking like
crazy with his mouse, but on the other hand somebody can register with
100 different names and cause identical damage.

- Limiting votes to an IP is also not perfect, since people are behind
NATs quite often (or maybe your opinion is different?).
- I was thinking about email-based authentication (when you want to
vote, system sends email which you have to confirm), where you would
need to have many email accounts to manipulate votes, but isnt' it even
bigger pain than registering?
- Maybe very long captchas? (that would require jerks to type a lot, but
still...)
- Some weird JavaScript setup that requires you to leave the site open
for a while for the vote to become active? (nah)

So (and I don't need it to be perfect every time), do you have any idea
on how to make it complicated enough that most of the jerks stay off and
it's simpler/better than registering for the good users?

Thanks,

-marek
Oct 31 '06 #1
10 2598
Marek Zawadzki wrote:
- Limiting votes to an IP is also not perfect, since people are behind
NATs quite often (or maybe your opinion is different?).
Maybe. See below:
- I was thinking about email-based authentication (when you want to
vote, system sends email which you have to confirm), where you would
need to have many email accounts to manipulate votes, but isnt' it even
bigger pain than registering?
I'd wager that it is less of a perceived hassle to log into a website
than to go check your email after voting to click a link.
- Maybe very long captchas? (that would require jerks to type a lot, but
still...)
Ugh. I hate captchas. Especially long ones.
- Some weird JavaScript setup that requires you to leave the site open
for a while for the vote to become active? (nah)
And what happens when they have javascript disabled?
>
So (and I don't need it to be perfect every time), do you have any idea
on how to make it complicated enough that most of the jerks stay off and
it's simpler/better than registering for the good users?
Off the top of my head, how about a two-fold system where votes can be
cast by both registered and anonymous users. Where registered users
can vote once, and are counted as a full vote, but anonymous votes are
counted at some % of a full vote, maybe half, maybe 2/3, or whatever
works for you. You could also tie that in with the IP address by
counting successive votes from the same IP to be worth less and less.

That way, someone trying to skew the results by voting multiple times
finds his votes being worth less and less as he votes more.

But...I digress. This isn't a national election or anything, so does
it really matter if the results are skewed a bit? Is the benefit worth
the effort?

Oct 31 '06 #2
Moot wrote:
Marek Zawadzki wrote:
[...]
>- Some weird JavaScript setup that requires you to leave the site open
for a while for the vote to become active? (nah)

And what happens when they have javascript disabled?
(thanks for your insights)
OK, let's assume JS has to be enabled for the website to work correctly.

[...]
Off the top of my head, how about a two-fold system where votes can be
cast by both registered and anonymous users. Where registered users
can vote once, and are counted as a full vote, but anonymous votes are
counted at some % of a full vote, maybe half, maybe 2/3, or whatever
works for you. You could also tie that in with the IP address by
counting successive votes from the same IP to be worth less and less.

That way, someone trying to skew the results by voting multiple times
finds his votes being worth less and less as he votes more.
But this doesn't solve the problem of people behind NATs (I guess I
could for example disable some large offices from voting this way?).
But...I digress. This isn't a national election or anything, so does
it really matter if the results are skewed a bit? Is the benefit worth
the effort?
I think it is, because if even at digg.com only a few dozens of votes
really make a difference to the order of topics then it doesn't take too
much for one person to completely change what appears and where on the
website.

I just believe people (including me) are generally averse to giving
away their info, creating accounts and even clicking something if they
don't have to. And I still would like to get some output from them ;-)

-marek
Oct 31 '06 #3
Marek Zawadzki wrote:
Hi all.

Is it possible to implement an accurate voting mechanism (think
digg.com) that does not require users to sign in before voting?

I think for many people registering is pain and thus they rarely give
their votes online. Just look at digg and compare the number of votes to
the number of people visiting their website.
IOW what if somebody needs votes but cannot afford to bother users with
registration process?

I understand that just leaving it open for anybody is not really an
option since any jerk can ruin other users' votes just by clicking like
crazy with his mouse, but on the other hand somebody can register with
100 different names and cause identical damage.

- Limiting votes to an IP is also not perfect, since people are behind
NATs quite often (or maybe your opinion is different?).
- I was thinking about email-based authentication (when you want to
vote, system sends email which you have to confirm), where you would
need to have many email accounts to manipulate votes, but isnt' it even
bigger pain than registering?
- Maybe very long captchas? (that would require jerks to type a lot, but
still...)
- Some weird JavaScript setup that requires you to leave the site open
for a while for the vote to become active? (nah)

So (and I don't need it to be perfect every time), do you have any idea
on how to make it complicated enough that most of the jerks stay off and
it's simpler/better than registering for the good users?

Thanks,

-marek
Hi Marek,

For what it is worth, when I was in a similar situation, I couldn't find any
foolproof solution.
IP-checking frustrates people behind 1 IP adress as you mentioned.
You can soften that restriction this a little by letting 1 vote originating
from the same IP adress every 5 minutes or so, but every programmer can
write a script that will vote every 5 minutes.

Registering and logging in are the only options that give you rudimentary
reliability.
Allow 1 loginaccount for each email.

All other solutions can by bypassed somehow and are thus unreliable.

I think you should ask yourself how important the votes are. If it is just
for fun, use an IP-block with some time-interval.
If it is important, register the users.
Of course users can register more emailadresses and scew the results, but
this is a lot of work, and you can make their life misserable by using
IP-checking in combination with registering.
To circumvent that they have to use a new IPadress and a new email for each
vote they make, probably too much work for a kid that wants to screw up
your results. :-)

Regards,
Erwin Moller
Nov 1 '06 #4
>Is it possible to implement an accurate voting mechanism (think
>digg.com) that does not require users to sign in before voting?
"accurate" implies you've got some rule as to who gets to vote and
who gets to cast how many votes. For example, each shareholder
gets one vote per share they own, or perhaps each person gets one
vote per pound they weigh. In this situation, you have to accurately
know something about the person. Or, there's one-person-one-vote,
which still means you need to prevent them from voting twice. Or,
there's the convenient one-IP-one-vote or one-computer-one-vote.

What is your target rule for who votes and who doesn't?

Accurate votes are not easy. Look at how many ways electronic
voting machine vendors have blown it in the USA (and elsewhere).
>I think for many people registering is pain and thus they rarely give
their votes online. Just look at digg and compare the number of votes to
the number of people visiting their website.
IOW what if somebody needs votes but cannot afford to bother users with
registration process?
>I understand that just leaving it open for anybody is not really an
option since any jerk can ruin other users' votes just by clicking like
crazy with his mouse, but on the other hand somebody can register with
100 different names and cause identical damage.
>- Limiting votes to an IP is also not perfect, since people are behind
NATs quite often (or maybe your opinion is different?).
Not only NAT, but also web proxies. If I understand correctly,
"All of AOL" qualifies as "quite often". Plus people with dynamic
IPs can vote often.

You might discourage hacking by limiting the vote from an IP without
telling anyone. For example, if you get 9 votes from a single IP,
they each count as 1/9 of a vote.
>- I was thinking about email-based authentication (when you want to
vote, system sends email which you have to confirm), where you would
need to have many email accounts to manipulate votes, but isnt' it even
bigger pain than registering?
Probably.
>- Maybe very long captchas? (that would require jerks to type a lot, but
still...)
Captchas are good against bots, not against people. You can stop
users from voting a million times, but probably not stop a user
from voting a hundred times.
>- Some weird JavaScript setup that requires you to leave the site open
for a while for the vote to become active? (nah)
What does "leave the site open" mean?
>So (and I don't need it to be perfect every time), do you have any idea
on how to make it complicated enough that most of the jerks stay off and
it's simpler/better than registering for the good users?
You could try a "I voted on this survey" cookie. If you insist that they
accept cookies before even SEEING the survey, this might work well enough
for your purposes. They are, however, easily defeatable.

Nov 1 '06 #5
Gordon Burditt wrote:
[...]
>- Some weird JavaScript setup that requires you to leave the site open
for a while for the vote to become active? (nah)

What does "leave the site open" mean?
(thanks very much for your input everybody)
I mean there is timeout/session mechanism implemented with
JavaScript/ajax that stores the vote only after the page has been open
for some time after voting. (so to defeat this you would have to vote,
wait some time with the webpage open in your browser for the vote to
become actually counted, vote again, wait and so on)

[...]
You could try a "I voted on this survey" cookie. If you insist that they
accept cookies before even SEEING the survey, this might work well enough
for your purposes. They are, however, easily defeatable.
I am sorry, I don't quite get this idea, could you give more details?

And one more question, maybe more on the psychological side - what
actually stops these kids from manipulating digg's content? I guess
opening 100 accounts shouldn't take too much and it should be enough to
get any link on top of the list?

-marek
Nov 1 '06 #6
>[...]
>You could try a "I voted on this survey" cookie. If you insist that they
accept cookies before even SEEING the survey, this might work well enough
for your purposes. They are, however, easily defeatable.

I am sorry, I don't quite get this idea, could you give more details?
It's very simple (and very defeatable). For each different thing
they can vote on, define a cookie name, like
"I_VOTED_FOR_Benbrook_DOG_CATCHER_PLACE_53". Perhaps you want to
make this a bit less obvious. If you try to vote for Benbrook Dog
Catcher Place 53 (the place has really gone to the dogs if it needs
53 dog catchers) and this cookie is ALREADY set, they're trying to
vote twice for this race. After they vote, set that cookie.

This tries to enforce one vote per computer. Or perhaps one per
computer account, if they've got different profiles. That's a
better approximation to one per person than one vote per IP.

This works (a little) better if you insist that they turn on cookies
before they get to the vote pages. It's easy to defeat if the user
is asked whether to accept cookies and he refuses any set after you
submit the voting page.

You could perhaps use this in conjunction with IP checking. For
example, you might allow votes from a given IP more often if they
don't have the cookie and haven't been trying to duplicate-vote
recently according to the cookie.
>And one more question, maybe more on the psychological side - what
actually stops these kids from manipulating digg's content? I guess
opening 100 accounts shouldn't take too much and it should be enough to
get any link on top of the list?
Nov 2 '06 #7
Gordon Burditt wrote:
>>[...]
>>>You could try a "I voted on this survey" cookie. If you insist that they
accept cookies before even SEEING the survey, this might work well enough
for your purposes. They are, however, easily defeatable.

I am sorry, I don't quite get this idea, could you give more details?


It's very simple (and very defeatable). For each different thing
they can vote on, define a cookie name, like
"I_VOTED_FOR_Benbrook_DOG_CATCHER_PLACE_53". Perhaps you want to
make this a bit less obvious. If you try to vote for Benbrook Dog
Catcher Place 53 (the place has really gone to the dogs if it needs
53 dog catchers) and this cookie is ALREADY set, they're trying to
vote twice for this race. After they vote, set that cookie.

This tries to enforce one vote per computer. Or perhaps one per
computer account, if they've got different profiles. That's a
better approximation to one per person than one vote per IP.

This works (a little) better if you insist that they turn on cookies
before they get to the vote pages. It's easy to defeat if the user
is asked whether to accept cookies and he refuses any set after you
submit the voting page.

You could perhaps use this in conjunction with IP checking. For
example, you might allow votes from a given IP more often if they
don't have the cookie and haven't been trying to duplicate-vote
recently according to the cookie.

>>And one more question, maybe more on the psychological side - what
actually stops these kids from manipulating digg's content? I guess
opening 100 accounts shouldn't take too much and it should be enough to
get any link on top of the list?

Doesn't work at all. For instance, I have my systems set up to clear
all cookies when the browser is closed. And I could also go in and
clear the cookies manually at any time.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 2 '06 #8
>>>>You could try a "I voted on this survey" cookie. If you insist that they
>>>>accept cookies before even SEEING the survey, this might work well enough
for your purposes. They are, however, easily defeatable.

I am sorry, I don't quite get this idea, could you give more details?


It's very simple (and very defeatable). For each different thing
they can vote on, define a cookie name, like
"I_VOTED_FOR_Benbrook_DOG_CATCHER_PLACE_53". Perhaps you want to
make this a bit less obvious. If you try to vote for Benbrook Dog
Catcher Place 53 (the place has really gone to the dogs if it needs
53 dog catchers) and this cookie is ALREADY set, they're trying to
vote twice for this race. After they vote, set that cookie.

This tries to enforce one vote per computer. Or perhaps one per
computer account, if they've got different profiles. That's a
better approximation to one per person than one vote per IP.

This works (a little) better if you insist that they turn on cookies
before they get to the vote pages. It's easy to defeat if the user
is asked whether to accept cookies and he refuses any set after you
submit the voting page.

You could perhaps use this in conjunction with IP checking. For
example, you might allow votes from a given IP more often if they
don't have the cookie and haven't been trying to duplicate-vote
recently according to the cookie.

>>>And one more question, maybe more on the psychological side - what
actually stops these kids from manipulating digg's content? I guess
opening 100 accounts shouldn't take too much and it should be enough to
get any link on top of the list?


Doesn't work at all. For instance, I have my systems set up to clear
all cookies when the browser is closed. And I could also go in and
clear the cookies manually at any time.
Yes, it does. It means that the kiddies who don't use bots have
to close and re-open the browser every time, and that slows them
down by at least a factor of two. Probably more. And manually
clearing cookies probably doubles the number of mouseclicks or
keystrokes needed per vote. So it slows down the rate of duplicate
votes. A little. It also prevents the casual cheaters who don't
know what a cookie is and give up easily from casting duplicate
votes.

As I said, the method is very defeatable. It's a lot like making
a vault door out of 1-ply toilet paper, which is still better than
no door at all: it might slow down bank robbers by a second or so.
More if they can't stop laughing.
People spending millions of dollars on elections (like the US
government and state governments) haven't managed to stop phony
votes, either. You're certainly not going to do any better without
even having a voter registration list. All they can do is try to
reduce the problem.

Nov 2 '06 #9
Gordon Burditt wrote:
>>>>>You could try a "I voted on this survey" cookie. If you insist that they
>accept cookies before even SEEING the survey, this might work well enough
>for your purposes. They are, however, easily defeatable.

I am sorry, I don't quite get this idea, could you give more details?
It's very simple (and very defeatable). For each different thing
they can vote on, define a cookie name, like
"I_VOTED_FOR_Benbrook_DOG_CATCHER_PLACE_53". Perhaps you want to
make this a bit less obvious. If you try to vote for Benbrook Dog
Catcher Place 53 (the place has really gone to the dogs if it needs
53 dog catchers) and this cookie is ALREADY set, they're trying to
vote twice for this race. After they vote, set that cookie.

This tries to enforce one vote per computer. Or perhaps one per
computer account, if they've got different profiles. That's a
better approximation to one per person than one vote per IP.

This works (a little) better if you insist that they turn on cookies
before they get to the vote pages. It's easy to defeat if the user
is asked whether to accept cookies and he refuses any set after you
submit the voting page.

You could perhaps use this in conjunction with IP checking. For
example, you might allow votes from a given IP more often if they
don't have the cookie and haven't been trying to duplicate-vote
recently according to the cookie.

And one more question, maybe more on the psychological side - what
actually stops these kids from manipulating digg's content? I guess
opening 100 accounts shouldn't take too much and it should be enough to
get any link on top of the list?

Doesn't work at all. For instance, I have my systems set up to clear
all cookies when the browser is closed. And I could also go in and
clear the cookies manually at any time.


Yes, it does. It means that the kiddies who don't use bots have
to close and re-open the browser every time, and that slows them
down by at least a factor of two. Probably more. And manually
clearing cookies probably doubles the number of mouseclicks or
keystrokes needed per vote. So it slows down the rate of duplicate
votes. A little. It also prevents the casual cheaters who don't
know what a cookie is and give up easily from casting duplicate
votes.
Or just clear the cookies. A couple of clicks with the mouse. No problem.
As I said, the method is very defeatable. It's a lot like making
a vault door out of 1-ply toilet paper, which is still better than
no door at all: it might slow down bank robbers by a second or so.
More if they can't stop laughing.
So defeatable it's not worth doing. Worse than providing no security,
rather it provides the illusion of security.
>
People spending millions of dollars on elections (like the US
government and state governments) haven't managed to stop phony
votes, either. You're certainly not going to do any better without
even having a voter registration list. All they can do is try to
reduce the problem.
Yep.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 4 '06 #10
BBM
Marek Zawadzki wrote:
- I was thinking about email-based authentication (when you want to
vote, system sends email which you have to confirm), where you would
need to have many email accounts to manipulate votes, but isnt' it even
bigger pain than registering?
I didn't see many comments on this thought... bad idea. Not only is
creating an email account easy (heck, with just gmail I've got 100
invitations in one account, and I've got ~5 accounts, and IIRC, new
accounts get 15 invitations) and free (Gmail, Yahoo, MSN...), but you
don't even have to register an account to get an email, evidenced by
mailinator.com: Pick a name, append "@mailinator.com" (or any of
mailinator's aliases), and you've got a valid email address for
receiving only, the inbox of which anybody can access.

Nov 4 '06 #11

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

9
by: PiedmontBiz | last post by:
Listening to National Public Radio while reading comp.lang.python. What a life! I just heard a piece on NPR about the security failures of an electronic voting system being developed. I know a...
10
by: windandwaves | last post by:
Hi Folk I am developing a voting / polling system. Eg. Who is your favourite sport star: a. mike b. sara c. frank
5
by: george | last post by:
Hi All I've used couple of GPL/free voting scripts (some of these are very good), but need to create/find one that allows users to add a new answer. For example: This is a voting question -...
5
by: Al Dykes | last post by:
I've got a voting script that's a little too simple. I can vote as as many times as I can click on the link in my browser. I'n not trying to write an official voting system but I would like to...
2
by: blinkfn46 | last post by:
http://digg.com/tech_news/Great_idea_2 please comment on this link
0
by: Mirce | last post by:
I have installed a phpBB2 forum at next URL: http://www.hcu.untz.ba This site is dedicated to handicapped persons. I have posted a poll at this site. The results of voting on poll questions are...
0
by: Suresh P | last post by:
Hi All, Can anyone suggest me a voting / polling tool to be used for photo contest. It is fine if I link out to their site. I want to upload all the photos, and allow visitors to vote ONE TIME...
1
by: christam1 | last post by:
Hi there, I'm creating a PHP/XML-based voting system. There are 24 options for a user to vote from, and ideally I'd like the user to see a picture of each person they vote for. So far, I've managed...
2
jamwil
by: jamwil | last post by:
What's up guys. I'm having some issues... I've created a method as part of my lifestreaming class which takes an rss feed, and puts the data into a database... It's fairly simple... Check...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.