Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Identifying anonymous users

If I had a poll on my site, and I didn't want to require a registration to vote, but I only wanted each visit one, how might I do this?

Let's say a visitor from IP 123.34.243.57 visits the site and votes. Would it then be safe to disallow anyone from 123.34.243.* from voting? Is this a good strategy?

What's another one?

like image 291
core Avatar asked Aug 29 '09 19:08

core


People also ask

How do you identify users?

The best way to know your users is to talk to them directly. Thus, a live interview is the most popular and effective means of user profiling. However, if you are at the early stages of product development, you don't have any users yet. In this case, you can analyze your competitors and talk to their users instead.

What are anonymous users?

Anonymous User is any user who accesses network resources without providing a username or password. Anonymous User. Some Microsoft Windows Server applications like Microsoft Internet Information Services (IIS) can be configured to allow anonymous users to access their resources.

How can I check website visitors anonymously?

You can identify anonymous website visitors by using website visitor identification software that translates their IP address to a company name. Once you know who is looking at your website, you can proactively contact them and turn them into leads.


2 Answers

This is a fundamental challenge with all voting sites on the Internet, and you're just breaking the surface of the problem.

The way you've phrased it, you "only want to allow each visit one [vote]" indicates that you want to allow them to vote once each time they open their browser and go to the site. I don't think this is really what you seek.

I suspect what you want is that a given individual Person can vote only once ever (per survey, maybe).

The problem is, once you've framed the question properly, the problem becomes much more clear. You're not trying to identify an Internet node (IP address), visit (session cookie), browser instance (persistent cookie), or computer (difficult also to identify).

You can use techniques with Cookies, and they were suitably for a typical user. Subverting this technique is as easy as - Clearing your cookies in the browser, - Disallowing cookies in the browser, - Opening another browser, - Walking to another computer, - Using an anonimizer, - ... endless other ways.

You can do validation by e-mail address, but you indicated you don't want to do registration, so I don't believe that solves you problem either.

If you really need to identify a unique user for a voting system, you'll need to have some authority who's willing to vouch for the identity of any given user, or only allow the software to be accessed from a trusted platform.

The first technique requires registration (and often a costly and time-consuming registration at that), that verifies the actual legal name and location of the individual. Then, using Public Key Infrastructure (aka Digital Certificates), you can identify an individual person based on the credentials he supplies.

The second technique, requiring a trusted platform, relies on the hardware following certain pre-determined behavior. You could, for example, create a voting site that works through the XBox 360 or iPhone. You would create an app that is installed to one of those devices. Based on the way the platform is protected, you could use uniqueness characteristics, such as the hardware address or Live ID on the XBox 360 or the hardware address or telephone number on the iPhone, to get general assurance that the user is the same one who has visited before. Because you have control over the application and the user specifically does not, due to the nature of the trusted platform, you have reasonable assurance that most users will not be able to subvert the intent of the application.

I suspect this is a long-winded way of saying you can do it, but it's a far from easy problem to solve.

Consider political elections and how much resources and energy goes into making those fair and anonymous, and still it's a very challenging problem.

like image 103
Jason R. Coombs Avatar answered Sep 24 '22 19:09

Jason R. Coombs


Using the public IP for this would probably be a bad idea. Unique visitors from the same corporate LAN would all look like one user if you use this approach.

Perhaps cookies? I believe that is what most sites use.

Combine with some sort of monitoring, automatic or manually (for instance log file analysis). Be suspicious of traffic patterns that indicate a script.

like image 32
codeape Avatar answered Sep 21 '22 19:09

codeape