The IP Idiom
Homer Simpson: Kids, there's three ways to do things; the right way, the wrong way and the Max Power way!
Bart: Isn't that the wrong way?
Homer Simpson: Yeah, but faster!
About a year ago, we were asked to develop a website that invited users to register, prioritise various areas of business focus, and leave a comment against each area. Their comments then appeared automatically on the website, under each topic, without any administrator approval.
One of the most interesting comments posted by a user (from a web developer's point of view) was not related to any of the business focus areas but concerned the functionality of the website itself. The comment read something along the lines of "This site does not log IP addresses so you can register more than once and skew the results!"
Even though the user posts were never intended to be used in any official capacity (more to start discussions which would lead to further, more detailed engagement), the client was, understandably, concerned about this potential flaw in the website.
However, we explained that filtering by IP address would limit the number of users able to interact with the website* and would actually provide very little benefit (users were already required to enter a unique email address to register, plus we should inherently trust our users to interact in an honest way).
Another example of a similar type of online ‘voting’ issue is a website that asks users to register their opposition to wind farms, by clicking a button marked “register”. Upon clicking this button, the count of those opposing wind farms would increase by one.
It’s quite obvious what could happen if you were to click this button twice…
We have no way of knowing if this record of opposition will be used in any official capacity, such as to gauge public reaction to wind farms, or whether it is simply used as a count on the website, but the potential for this to be abused is huge and is, undoubtedly, the wrong way of doing things (although, as Homer said, it is quite a lot faster).
We have been asked before why we restrict users registering on our online consultations to one per unique email address, especially when some email addresses, particularly in the case of families, are used by multiple people.
The simple answer is that it's the best way we know of to ensure a robust audit trail and minimal user manipulation, but it's still only part of our solution.
Apart from registering something that is absolutely unique to one person (their DNA being the only thing that springs to mind), there is no absolutely foolproof way to restrict user accounts to one per person. Again, we have to adopt the assumption that generally people are good.
In the case of email addresses, with the advent of free email accounts available from some of the biggest names on the internet, there is very little to stop a determined person from creating multiple email accounts in order to submit multiple questionnaires under different guises. This is where the second part of our solution comes in.
When a user registers on one of our websites, as well as their email address and other relevant data, we take note of the IP address that the user registers from. If this IP address is already logged against a registered user, we notify the relevant parties and advise them on how to proceed.
The majority of the time, we find that multiple registrations from the same IP address are completely different people, but occasionally, we encounter a user who appears to have less than honourable intentions.
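To make the two-part approach concrete, here is an added example (not the consultation site's own code) of a registration check that enforces one account per email address as a hard rule while treating a repeat IP address as a soft flag for human review. The in-memory Registry class and the sample registrations are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Hypothetical in-memory store standing in for the site's database."""
    by_email: dict = field(default_factory=dict)      # normalised email -> IP registered from
    by_ip: dict = field(default_factory=dict)         # normalised IP -> list of emails
    review_queue: list = field(default_factory=list)  # items to pass to the relevant parties

    def register(self, email: str, ip: str) -> str:
        # Email is the hard uniqueness rule: normalise case and whitespace so that
        # "Alice@Example.com " cannot slip through as a second account.
        key = email.strip().lower()
        if key in self.by_email:
            return "rejected_duplicate_email"

        # Normalise the IP text ("2001:DB8::1" and "2001:db8::1" are the same host);
        # malformed input raises ValueError, so junk never enters the audit trail.
        addr = str(ipaddress.ip_address(ip.strip()))

        existing = self.by_ip.setdefault(addr, [])
        status = "accepted"
        if existing:
            # Soft rule: a repeat IP is flagged for review, not blocked,
            # because one address usually covers a whole building.
            self.review_queue.append({"ip": addr, "new": key, "existing": list(existing)})
            status = "accepted_flagged"
        existing.append(key)
        self.by_email[key] = addr
        return status


def run_demo():
    """Constructed sample registrations; returns (statuses, review queue)."""
    reg = Registry()
    attempts = [
        ("alice@example.com", "192.0.2.10"),
        ("Alice@Example.com", "192.0.2.11"),  # same email, different case: rejected
        ("bob@example.com", "192.0.2.10"),    # shares Alice's IP: accepted but flagged
        ("carol@example.com", "2001:DB8::1"),
        ("dave@example.com", "2001:db8::1"),  # same IPv6 host, different spelling: flagged
    ]
    statuses = [reg.register(e, ip) for e, ip in attempts]
    return statuses, reg.review_queue


if __name__ == "__main__":
    print(run_demo())
```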
So, short of requiring users to register their biometric data in order to take part in a consultation, there is no way to 100% prevent attempts to abuse the system, but the method we have in place is, for the time being, the right way of doing things.
*Without getting into detailed descriptions of dynamic IP allocation by ISPs, the easiest way to think of this is that an IP address generally applies to a building as opposed to an individual, so by limiting responses to one per IP address you'd be limiting them to one per building, which means places with public internet access, such as libraries, workplaces, internet cafes and your local Costa, would only be allowed one registration each.