There are a lot of online voting scripts out there. However, they run the risk of being polluted by people voting extra times when their vote should really only count once. People try different techniques to prevent this from happening. One such technique is IP address restricting.
By preventing repeated entries from the same IP address, the assumption is that no one will vote twice since they will only have access to one workstation to vote with. A downside of this technique is that many networks host their devices with private IP addresses and are only exposing a single IP address to the world. Therefore, webservers may see multiple requests from the same IP address, but the requests all originated from different source devices.
The webserver hosting the online voting will then restrict votes from all workstations after a single workstation submits a vote. This is unfair. So I wanted to list different options a person has to get additional IP addresses to allow others to vote in this scenario.
New IPs From Your ISP
Charter hosts my broadband connection. I checked my cable modem and I get 24 hour IP address leases. This doesn't always mean that I will get a new IP address. Some ISPs will always give you the same IP address, as is the case with my Charter connection. This is nice if you are hosting webservices from a home computer. But, since I am not getting a new address from my ISP, I won't be able to vote more than once from multiple computers at home.
Some ISPs do give out more than one IP address from the same cable modem. So, it is possible that if I plug a different device into my cable modem, or if I change the MAC address of my router, I will be able to get a new I address. This can be a lot of work and probably will only result in a handful of new IP addresses.
Getting new IP addresses with your iPhone
I have noticed on my phone that when I switch to airplane mode and then exit out, I get a new IP address everytime. The address pool I am being assigned from looks to have a mask of 255.255.0.0. So, I have 65534 possible IP addresses in that range. This is a huge opportunity for new IP addresses. But then voting has to be done from your phone so the website will need to render correctly on your phone.
This isn't exclusively for the iPhone either. It just happens to be my test hardware. After witnessing this, I would guess any data plan could work like this. My service is through AT&T. All bets are off with other cell providers. If anyone tests another provider (Sprint, Verizon, T-Mobile, etc.), please leave a comment with your results.
Using EFF's Tor/Vidalia
Tor (http://www.torproject.org/) allows you to have your source location masked as you browse online. To a webserver looking at your remote_addr, they will see the final Tor node's IP address. Therefore, your origin can change while using Tor. Vidalia allows you to switch identities with the click of a button. However there are a finite number of nodes in the Tor network at any given time. And there is some priority given to nodes that have less latency. So this method will collide often as you switch identities and obtain the same one over and over again.
Other Options For Voting Restricting/Limiting
Knowing that there are ways to avoid the IP address limiting in the simple case, what options do web developers and server admins have to make their voting more accessible and more robust?
Using JavaScript/Java to access machine IP address
One method to allow multiple people behind the same NAT to log from each workstation, is to access their local IP address. This can be done using function calls in Java to access the true local IP address. So instead of storing the public IP address, you can store the private one.
You will run into new problems now, for people who have the same private address space defined at their site as well (quite common). So, in order to make this technique work, you'll want to append the remoteIP address to the private as well. This should be unique.
However, this is not usually a preferred solution, since now you are requiring the browser to support java/javascript. You are eliminating allowing votes from users who run their browser with those features turned off. So this technique could be attempted as another means, but should not be the only uniqueness test.
Cookies
If a voting site added a cookie to your computer as another measure to indicate that you voted, that could be used as another deterant of people voting multiple times. Only a couple of issues here; a person can still clear their cookies and vote again. And it is also possible that a browser has cookies disabled or doesn't support them. And you are still preventing different people from voting from the same computer.
This shouldn't be a single means of unique vote tracking. It is another way to make it difficult for online polling abuse. Even though this method won't stop everyone, it is similar to locking your door at night. That doesn't mean it is impossible to break into your house; it's just more difficult.
Using CAPTCHA or other Human Validation systems
As much as I hate having to guess some of these systems correctly, this is one of the proven techniques to prevent automated systems from cheating. However, I am sure there are sites dedicated to paying third world country businesses pennies on the dollar to get around this validation as well by actually having humans answer those values and vote for you.
Summary
I just wanted to list some techniques I found and thought about for online voting. It was frustrating to run into a couple of IP address restricted voting sites that were preventing valid votes from being submitted. So I thought about my options for making the votes open to everyone who wanted to vote.
My biggest surprise was the iPhone's new IP address everytime. One reason AT&T might've done this because they didn't want web services easily hosted on phones, so changing IP addresses as often as possible was one way to limit that. Also, I couldn't find how long my lease was, but I would guess it was short as well, so I wouldn't have to go into airplane mode and back out again to get new addresses all the time.
I didn't include above any tactics about involving custom scripts and applications to automate because I didn't experiment doing so. Once it is determined what a webserver uses to determine uniqueness, it can be elementary to an intermediate programmer to write an application to POST whatever headers they want to a webserver. Also, Tor is open source and the documentation for how to request new identities exists. A script that would keep track of identities gotten from Tor and then requesting new ones if a duplicate ever was gotten could automate using the Tor network. I would guess this is against Tor's terms of service, since the Tor network was not created to subvert online polling, but again, the possibilities are endless for writing automated scripts to do the dirty work for you.
I can understand why online pollers take measures to prevent multiple votes, but it really grinds my gears when they implement it in a way that prevents many valid voters from being able to vote.
No comments:
Post a Comment