About the Security of Online Votings. An Attempt to Explain.

We hear the following questions almost every day:

"Is it possible to cheat when voting on Pinpoll?"

"How do you make sure that one can only vote once?"

"One answer of my poll received multiple votes within a short period of time - how's that even possible?"

The short answer to this: a secure, anonymous online vote is a perfect example of an oxymoron. “Secure” and “anonymous” are mutually exclusive by definition.

In the News

We are regularly confronted with the fact that people call on others on social media to manipulate the online votes of our customers. Not to influence the result in their favour, but rather to prove that anonymous online voting is not suitable for establishing a representative opinion. Some even offer programs designed to facilitate manipulation. They even dedicated an article to our colleagues at Opinary (available in German only).

Folks, no one ever claimed it was a representative voting. People just love to give their opinion and see what others think. Every result should be reflected accordingly and that's it.

Then there are those who, with little technical knowledge, explain to us how poorly our fraud prevention was programmed. "Why don't you just allow one vote per IP address?" Um, no, that's just not how it works in the age of large offices and free VPNs. This group of people also likes to send us videos demonstrating for minutes how they change their IP address, delete their cookies and cast another vote. That's amusing in many ways. Don't you have other things to do? And do you really believe that every vote counts just because we show a voting animation?

And finally, another group of people joins in: the “mature and self-determined citizens”. The results of each and every poll are questioned, especially when it comes to Corona, vaccinations or restrictions on “personal freedom”. These people even call us and insult our crew on the phone. They threaten us with "going public” in tabloids in case we don't do our job. Well right, we could simply limit the voting by IP address 😉

This brings us to the core of the problem: these three groups of people would also complain if we tried to prevent manipulation using every technical means possible. Why? Because this could only be done by weakening data protection to a large extent.

Data Protection vs. Fraud Prevention

There is a good reason for the requirement of personal legitimation in public elections: only if I know who has already cast their vote can I prevent that person from voting again. In our polls, however, there is no “requirement for identification”. We must therefore find other ways to remember who has already voted. This memory can be simulated, for example, by setting a cookie. Data protection is also guaranteed, since the user consents to the setting of the cookie, which is technically necessary in this case and not used for tracking. However, it is easy to delete a cookie in order to be able to vote again. But who's the bad guy now: the provider of a voting solution, who complies with data protection laws, or the participant, who deliberately manipulates the poll?

Fingerprinting

To prevent manipulation in the first place, we used fingerprinting technology until a few months ago. A “fingerprint”, which is unique for each browser, was created, encrypted and stored in our database. Of course, this can also be generated over and over again by a bot. However, that requires significantly more technical knowledge than deleting a cookie.

However, this method had a serious disadvantage: Firefox and its service provider Disconnect blocked Pinpoll because we used fingerprinting and it was assumed that this was done for tracking reasons, although it was done purely for fraud prevention. We were overwhelmed by complaints, both from customers and users, as it was no longer possible to vote in Firefox. And that proves the dilemma: on the one hand, people want to participate in the vote. On the other hand, they want to remain anonymous. After a lot of back and forth, we decided to forgo fingerprinting in the interests of data protection, thus preserving the anonymity of the participants and allowing people to vote again in Firefox. We shouldn't “punish” 99.99% of the people with measures that serve to combat the remaining 0.01%.

Conclusion

Ultimately, the following situation emerged: if our customers do not activate any additional mechanisms (see next section), then the answer whose supporters take the trouble to vote as often as possible captures the most votes. To do so, you invest a lot of your personal time in order to demonstrate your “stronger” support for a certain answer.

The same effect also occurs when a large fan base beats the drum for a particular answer. It is not the “best” option that wins, but the one with the most votes. For awards and voting contests, we therefore recommend combining the final results of an audience vote and a jury vote, weighted according to priority.

Five Suggestions to Increase Security

In order to make online polls as secure and fair as possible while meeting the participants' high demands on data protection, especially if there are prizes involved, we offer our customers several options with various levels of security and pricing:

  1. SMS Verification
    In order for a vote to count, it must be confirmed using a pin code that is sent via SMS.

    + highest level of protection against manual fraud and against bots
    ~ requires signing up with our partner websms
    - incurs additional costs

  2. Geofencing
    For a vote to count, it must be cast within a specific country. The list of allowed countries is provided by the customer, e.g., only US + CA + UK.

    + cheap
    ~ medium protection against manual fraud and against bots

  3. Google reCaptcha v2/v3
    In order for the vote to count, a puzzle has to be solved with reCaptcha v2. With reCaptcha v3, bot detection takes place in the background without any interruption of the user experience (e.g., based upon mouse movements etc.).

    ~ medium protection, against bots only
    - poor user experience with reCaptcha v2
    - requires clarification of data protection aspects with a third party (Google)

  4. Request Throttling by IP
    Within a certain period of time, we only allow a certain number of votes per IP address (well, yes 😉 ).

    + active by default
    ~ medium protection against manual fraud and against bots

  5. Later Announcement of the Winner
    The current result is initially hidden and the participant's email address is requested. Votes only count if a valid email address is given. The result will be announced after evaluating the email addresses.

    + high level of protection
    + low costs
    - increased effort at the customer's end

These mechanisms can of course be combined as required, which increases the level of protection at the expense of the user experience.
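As an added example that is not Pinpoll's own code, the following Python sketch shows how two of the options above, request throttling by IP (option 4) and geofencing (option 2), can be combined into a single vote gate. The allow-list, the limit of three votes per IP within a 60-second window, the TEST-NET addresses and the country codes are constructed sample values; how the country of an IP address is determined (e.g., via an IP geolocation lookup) is left to the caller and is an assumption of this example.

```python
from collections import defaultdict, deque


class VoteGate:
    """Combined gate: country allow-list (geofencing) plus a sliding-window
    vote limit per IP address (request throttling). Added example, not
    Pinpoll's implementation."""

    def __init__(self, allowed_countries, max_votes_per_ip, window_seconds):
        self.allowed = {c.upper() for c in allowed_countries}
        self.limit = max_votes_per_ip
        self.window = window_seconds
        # ip -> timestamps (seconds) of votes accepted within the window
        self._recent = defaultdict(deque)

    def check(self, ip, country, now):
        """Return (accepted, reason) for one vote attempt.

        `country` is the two-letter code the caller derived for `ip`
        (assumption: geolocation happens upstream); `now` is the attempt
        time in seconds, passed in explicitly so the gate is deterministic.
        """
        # Geofence first: a rejected country does not consume throttle budget.
        if country.upper() not in self.allowed:
            return False, "geofence"

        q = self._recent[ip]
        # Drop accepted votes that have left the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False, "throttled"

        q.append(now)
        return True, "ok"


# Constructed sample attempts: (ip, country, seconds since poll start).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_ATTEMPTS = [
    ("203.0.113.10", "CH", 0),    # 1st vote from this IP
    ("203.0.113.10", "CH", 10),   # 2nd
    ("203.0.113.10", "CH", 20),   # 3rd, still within the limit
    ("203.0.113.10", "CH", 30),   # 4th within 60 s -> throttled
    ("203.0.113.10", "CH", 65),   # first vote has aged out -> accepted again
    ("198.51.100.7", "RU", 40),   # country not on the allow-list
    ("198.51.100.7", "DE", 40),   # different IP, allowed country
]


def run_sample():
    """Run the constructed attempts through a gate limited to 3 votes per IP
    per 60 s, with CH, DE and AT on the allow-list. Returns the reasons."""
    gate = VoteGate(allowed_countries=["CH", "DE", "AT"],
                    max_votes_per_ip=3, window_seconds=60)
    return [gate.check(ip, country, t)[1] for ip, country, t in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, reason in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(attempt, "->", reason)
```

The limit per IP should be set generously: as the article notes, large offices and VPN exits put many legitimate participants behind one address, so a tight limit mostly costs genuine votes, while a patient participant can still wait out the window. That is why the page rates throttling as medium protection and recommends combining it with the other options rather than relying on it alone.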

Upon request, we can also carry out a comprehensive audit at the end of a vote in order to identify patterns that suggest fraud. Invalid votes can thus be corrected afterwards. This possibility of correction should be communicated to all participants in advance, if possible. In general, we recommend communicating strict terms for voting.

Our customer Falstaff demonstrates this perfectly with the following voting contest (website in German only): https://www.falstaff.ch/nd/voting-die-beliebtesten-kaffeebars-der-schweiz/