Honest internet voting using SMS

    In December 2011, we tried to hold a competition for the best phrase for a T-shirt, with an iPhone 4 as the main prize. Of course, we suspected that with login via Facebook and Vkontakte there could be all kinds of vote cheating and vote buying. However, the scale of the fraud exceeded all our expectations: thousands of fake votes were cast without a single visit to the voting page on our website. As a result, we were forced first to remove several phrases from the competition and then to declare the voting results invalid altogether. Having scheduled a second vote for the end of January 2012, we thought seriously about how to ensure its maximum honesty and objectivity.

    Having rejected authorization by email (as it does not give the proper level of protection against fraud), we decided to resort to the paid SMSDirect service (from iFree). Voting via SMS takes place in 3 stages:
    1. The user presses the “Vote” button for the phrase he likes;
    2. Enters a Russian cell phone number; receives a personal code by SMS;
    3. Enters the received code on the site and confirms his vote.

    On the voting page, users are guaranteed the security of their personal data, that the SMS is free of charge, and that only one vote can be cast from one number. The obvious cons of this scenario of Internet voting are that it is not free for the organizer and that users are highly likely to refuse to disclose personal data (phone numbers). The pluses are the high reliability of the voting results and the high probability that motivated respondents take part.

    Technical steps:

    1. We connected an SMS service (SMSDirect)

    2. We made a standard form for identification via SMS in two parts:
    (the id of the phrase the person is voting for was passed along)
    a) enter the number ->
    (check the number and send the code) ->
    b) enter the code that arrived.

    3. For each submission of the first part, if a correct number was entered (correct format + has not yet voted for this phrase),
    - an entry was created in the database, awaiting confirmation;
    - a session id was created that is associated with the code and phone number,
    so the correct code is valid only for this session
    (that is, if another voter enters your code in his form, it won't work);
    - the second part was opened (code entry).

    4. On submission of the second part with the correct code entered, this entry was confirmed, and from that moment it counted as a vote for a certain phrase.
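
    The flow in steps 2-4, as an added Python example that is not the site's own code. It assumes an in-memory store in place of the database, a hypothetical `send_sms` callable standing in for the SMS gateway (not SMSDirect's API), 11-digit numbers with a leading 7, and a 6-digit code.

```python
import hmac
import re
import secrets

PHONE_RE = re.compile(r"7\d{10}")  # assumption: leading 7, 11 digits in total

class SmsVoting:
    """In-memory model of the two-part form; a real site would use its database."""
    def __init__(self, send_sms, new_code=None):
        self.send_sms = send_sms  # hypothetical gateway callable(phone, text)
        self.new_code = new_code or (lambda: f"{secrets.randbelow(10**6):06d}")
        self.pending = {}         # session_id -> (phone, phrase_id, code)
        self.confirmed = set()    # (phone, phrase_id) pairs that count as votes

    def request_code(self, phone, phrase_id):
        """Part (a): check the number, create a pending entry, send the code."""
        digits = re.sub(r"\D", "", phone)
        if not PHONE_RE.fullmatch(digits):
            raise ValueError("bad number format")
        if (digits, phrase_id) in self.confirmed:
            raise ValueError("number already voted for this phrase")
        session_id = secrets.token_urlsafe(16)
        code = self.new_code()
        self.pending[session_id] = (digits, phrase_id, code)
        self.send_sms(digits, f"Your voting code: {code}")
        return session_id         # kept in the visitor's server-side session

    def confirm(self, session_id, code):
        """Part (b): a code is valid only in the session that requested it."""
        entry = self.pending.get(session_id)
        if entry is None or not hmac.compare_digest(code.encode(), entry[2].encode()):
            return False
        del self.pending[session_id]
        vote = entry[:2]
        if vote in self.confirmed:  # same number confirmed from another session
            return False
        self.confirmed.add(vote)
        return True

def demo():
    """Constructed run with fixed codes and made-up numbers."""
    outbox, codes = [], iter(["111111", "222222"])
    v = SmsVoting(lambda p, t: outbox.append((p, t)), new_code=lambda: next(codes))
    s1 = v.request_code("+7 921 000-00-01", 5)
    s2 = v.request_code("79210000002", 5)
    foreign = v.confirm(s2, "111111")  # first visitor's code in another form
    own = v.confirm(s1, "111111")
    return foreign, own, sorted(v.confirmed), len(outbox)
```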

    Potential technical difficulties: Checking the number. We expected to have to check the operator codes for St. Petersburg and the Leningrad region, but it turned out that SMSDirect sends SMS all over Russia at the same price, so for our part it was enough to check the leading 7 and the total number of digits in the number (the operator, accordingly, also flags the other incorrect numbers).

    Protection against potential fraudsters (and bots) that enter plausible numbers and simply make us send our SMS to them in order to cause us trouble. We have nothing beyond limiting the number of connections per user by IP / cookie, which, in general, is not entirely reliable. It would be interesting to know how large companies (Vkontakte, Google, Alfabank) that use SMS for fraud suppression and authorization solve this problem.

    Our conclusion: given the reasonable cost of sending a test SMS, losses from unbridled SMS sabotage by users are likely to be small, because the SMS request procedure itself is fairly complex.

    The main bonus for us: transparency of voting. By comparing the database of votes with the database of sent SMS (ours plus the one on the service side), the uniqueness and validity of votes is easily checked down to the individual number. And, as practice shows, getting three SIM cards is much more difficult than getting three email mailboxes or three accounts on, say, Facebook :)
