The New Zealand Herald have disabled all online polls on their website until further notice, after a hacker (or hackers) severely skewed the results of three polls. I say well done, and I’m sure I’m not the only one sick of online polls being carried out by the media and reported as news.
Firstly there’s the obvious problem that online polls are in no way scientific. The findings cannot be transferred to the population at large because those surveyed are only those visiting the particular website. The results can’t even be claimed to be representative of the overall readership of the website, as only those choosing to participate are included.
The only way to claim a poll has any validity is to take a truly random sample of the target population. The views of people visiting a website may not represent the views of people in the rest of the population. The type of people choosing to participate in an online poll may not represent the wider selection of people who visit the website.
Despite all of this, I’ve seen far too many cases where the NZ Herald has published online poll results as front page news. Having a tiny disclaimer at the bottom of the article saying the poll results aren’t scientific doesn’t make it any less misleading.
Secondly, even if the media want their online polls to simply be a gimmick, and only report them as being the views of those who read the website and choose to participate, there are still issues that can’t be resolved.
There is no way to secure an online poll and still have it open to anyone who visits the website. By secure I mean preventing people from entering multiple times. The ways I’ve seen various media attempt to do it are:
This involves storing a record on the users computer once they have participated, and checking for that record every time someone tries to enter the poll to ensure no one votes more than once.
This is among the most primitive methods for securing a poll, and the one currently used by the NZ Herald. First, it is very easy to disable cookies on your computer, eliminating the problem for most polls (including the NZ Herald polls). Some polls are a little smarter and will not allow you to enter the poll unless you have cookies enabled. This is still easy to get around as you can delete your cookies and then re-enter.
2. Email Address
This involves making people enter an email address before participating, and then ensuring that the same email address cannot participate more than once. If utilised correctly, this method can be slightly more effective than the cookies method.
The Dominion Post used this method in a very insecure way a couple of years ago by simply making people enter an email address before participating. They didn’t bother to verify email address entered, so anyone could just make up non-existent email addresses and enter multiple times.
The more secure way of using this method is to send the user an email and force them to click on a unique link before their vote is counted. This ensures that the person does own the email address in question. Of course for people like me who own domain names and have “catch-all” email addresses, we can just start with say email@example.com, firstname.lastname@example.org, email@example.com and keep going for eternity.
3. IP Address
Everyone using the internet has a unique Internet Protocol Address, at least for the particular time they are on the web. The smartest polls only allow one entry per IP Address, but the method is still not full-proof. Limiting by IP Address means only one person per household or office can participate for a start.
Those without a static or fixed IP Address (most of NZ) can simply reboot their modem or router, thereby re-logging on to their Internet Service Provider and obtaining a new IP Address. Of course this takes time, and probably limits the number of times someone might be willing to bother entering.
Unfortunately for those utilising this method, there are easier and more effective ways to bypass it. IP Addresses are sent in the header data to a web page, and are very easy to fake if you know what you’re doing.
I’ve never seen an online poll for which I can’t easily write a script to run on my computer and vote as many times as I may wish. I can even multi-thread the scripts so they vote multiple times simultaneously over and over again. Even better, none of this so called “hacking” is illegal, as it doesn’t involve anything more than accessing what is publicly available.
The media continue to use online polls and report the results as news, seemingly not caring that all security methods have been proven unsafe in the past. So thanks to the hacker who forced the NZ Herald to stop using online polls. Let’s hope the change is permanent and they don’t attempt any of the other insecure methods listed above.
lprent: Editing teh Herald also posted on this with some interesting points (between the justifiable sniggering)