Detecting bots in online voting

Bots can ruin even the best competition. Their advantages are scale and speed, which makes it very hard to compete with them and can discourage genuine participants.

Usually, as a competition organizer, you want to achieve a specific goal: promote a brand or a new product, or engage customers. You invest in setting up the voting (or another type of game or activity) or pay an external company to run the competition. You also provide prizes for the winners.

It may happen that all your preparations and investments lead to poor results or, in some scenarios, even to a negative outcome for the campaign.

It is therefore worth preparing upfront so that you can prevent such situations and achieve what you wanted.

Below you will find some advice on how to make online voting fair. The described approach applies not only to bots but also to other types of fraud that you may encounter when running a vote.

Blocking bots

In general, there are three phases to consider when trying to block and neutralize bots or non-genuine users:

  1. Pre-competition preparation
  2. Actions during the voting
  3. Post-competition steps

In addition, we can distinguish:

  1. Pre factum actions
  2. Post factum actions

Put simply: the things we can do so that the fraud does not happen, and the actions we take if the fraud happens anyway.

Pre-competition preparation

This part is crucial, and preparing well pays off significantly later. At this stage, you should achieve two things:

  • make voting as hard to automate as possible (without, of course, making it equally hard for genuine human participants)
  • collect all the data needed to identify fraud later.

Prevent automation

For the first part, consider whether participants have to register, whether registration by email is possible or only through a social media account, and whether there will be any limits tied to an IP address or a voter's country. Also make sure that your Terms and Conditions include a clause that prohibits automated voting.

Additionally, you can add more obstacles to make automation more difficult. For example, loading the page generates a token (with a limited TTL) that is required to submit a valid vote. In this way you eliminate bots that use proxies without session support.
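
One way to build the page token described above, as an added example that is not code from the original article: an HMAC-signed token bound to the visitor's session and checked when the vote arrives. The names SECRET_KEY, TOKEN_TTL, issue_token and verify_token, the 300-second lifetime and the single-use check (which goes a step beyond the TTL the article mentions) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 300                       # assumption: token lifetime in seconds
_used_nonces = set()                  # assumption: in-memory; use a shared store with expiry in production


def _sign(session_id, issued_at, nonce):
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Called when the voting page is rendered; the token is embedded in the vote form."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return f"{issued_at}.{nonce}.{_sign(session_id, issued_at, nonce)}"


def verify_token(token, session_id, now=None):
    """Called when a vote is submitted. Returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, nonce, sig = token.split(".")
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = _sign(session_id, issued_at, nonce)
    # Constant-time comparison; fails for forged tokens and tokens issued to another session.
    if not hmac.compare_digest(expected.encode(), sig.encode(errors="replace")):
        return False, "bad-signature"
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)
    return True, "ok"
```

Logging the rejection reason next to the data listed in the following section gives you an early signal: a burst of "bad-signature" or "replayed" votes for one candidate is worth a closer look.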

Collect data

Having data will help you identify bots and fraudulent activity earlier. Depending on the competition, the type of information to collect may vary, but some items are useful in most situations. Below are a few ideas:

  • timestamp
  • IP address
  • country
  • region
  • city
  • session id
  • cookie information
  • operating system
  • browser type and version (User-Agent)
  • window size
  • installed plugins
  • whether JavaScript is enabled
  • language settings
  • device time and timezone
  • device type
  • referrer address
  • visited URL (including parameters passed through GET)
  • email domain if you require registration

Also, if the competition is run in the European Union, remember GDPR and state in the T&C what data you will collect and for what purpose.

During the voting

While the competition is running, observe what is happening and at least analyze every abnormal situation. Identifying fraudulent behavior quickly helps you avoid discouraging genuine participants, who may feel that taking part is pointless when they are up against bots.

At this stage, you may want to block some accounts or IP addresses, or ban particular email domains.

Also, take a closer look when some participants gain votes very rapidly or during late-night hours (unless it is an international competition).

Remember that the majority of bot actions are designed to give someone an unfair advantage. However, in some situations the bot may aim to harm a genuine user, e.g. a competitor wants to get a rival blocked by making it look as if the bot supports that rival.

After the competition

The end of the voting does not mean the end of the work for you. At this stage you should analyze the data and pay special attention to the users who are eligible to win the prizes.

Besides the analysis, you may consider a more old-school approach: call the winners and interview them briefly, which adds an extra security layer.

Afterword

If you would like to add something to the article, do not hesitate to leave a comment.