How to win or cheat ANY online voting contest

It’s no secret that I’m not a fan of voting competitions, especially ones that are built irresponsibly. That’s why I’ve set out to create the definitive guide on breaking (/cheating) poorly designed nonprofit voting competitions.
The problem with voting competitions is that they pit nonprofits against each other for a prize that usually doesn’t come close to the true cost of the votes that these organizations push to get. What’s more, they run the risk of burning out the supporters of these great organizations.  More from Mark Horvath’s interview on winning these contests.


In the worst case scenario, one organization decides to cheat because the system is designed with flaws by some marketing firm and they see a way to easily game the system to win money for their great cause. I am not justifying or endorsing cheating – I actually believe the only way to win these contests is by not playing. However, in an effort to scare the pants off of people creating these contests I decided to create this guide.
NOTE Whole Whale does not cheat on behalf of our clients. It is not a service WW offers nor will ever offer.
Wow! @WholeWhale just wrote the guide on how to beat most nonprofit online voting contests. Click To Tweet

Step 1: Figure out how it is built

Online voting competitions will use a variety of ways to track votes through a website. Here are the most common building technical:

A Web Form Built with the GET method

This method (low security) means that the form will push the data into the URL and you will see it. e.g.  wholewhale.com/thanks.asp?orgname=charity&vote=true
How to break: Find that URL and go ham on the refresh button. Hide the cookies and IP address if they are tracking. Post that link anywhere you can and every click will equal a vote. Honestly, no reputable contest will be built this way because it isn’t 2006, but hey, you never know…

A Web Form Built with the POST method

This method (medium security) means that the form will push the data through the body of the request and will not show in the URL.
How to break: you may be able to use the back button if cookies aren’t being set. If they are being set you can hide cookies with a browser like Chrome with cookies disabled. If they built it correctly you will need a more advanced human assisted tech approach (see step 2 below).

  • Cookies – contests that don’t require a sign in and allow anonymous votes depend on cookies that may have timers in some cases. To break: clear your cookies, vote, repeat. Use Chrome and a cookie remover to block the cookies of the site, if it still lets you vote you’re all set to click away.
  • IP – Some use the IP to determine location voting. You can use a proxy server or a local VPN like Hotspot Shield.
  • Online Account – This will require multiple accounts and a more advanced approach to get enough votes. Depending on how the account is authenticated, it may be not be possible to automate mass voting.
  • Email confirmation – This is the most common system I see, it requires an email to be confirmed from the inbox with the link to record the vote.

 

Step 2: Human assisted automation

The following are various tactics which can be combined to break most voting systems with a little help from third party tools. In order to not look suspicious it is important not to show suspiciously large voting counts – I can immediately tell if a distribution of votes is unnatural and violating an expected power law (20% of the contestants getting 80% of the total votes). In one case we spotted this in a contest one of our clients were considering and we advised them not to participate – later we found several articles on the cheating that had occurred.
NOTE Whole Whale does not cheat on behalf of our clients. It is not a service WW offers nor will ever offer.

Computer Macros

A macro is a program that you can setup on a computer that goes through a series of clicks and keyboard strokes on a timed interval. If a voting system doesn’t require a captcha or other human test, a macro can be created to go through a voting cycle unabated. Combine these tools with a hotspot shield and cookies disabled on a computer can break most non-email verification process. Some tools:

  • Macro Express – downloadable software that will let you turn your computer into a bot that is timed to click and enter information as needed.
  • AutoHotkey – downloadable software that will let you click the heck out of buttons or load pages.

 

Email Generators

For secure voting systems that don’t have strict email confirmations, there are ways to generate emails quickly. These email hacks can also be used to create accounts for systems the require logins.

  • Any single Gmail, Hotmail, Yahoo or normal domain email address can be made into thousands of emails by adding a “+” or “.” after the name and before the “@” sign. For example, [email protected] can be [email protected] and the email will still be delivered to your address.
  • If you own your own domain, you can create a bunch of aliases for one email account.
  • Mailinator – this is a site that will generate emails for you on demand and give you a quick inbox that the confirmation link will be sent to. Using a variety of email domains can help make this look less spammy. This is a list of temporary email domains hosted via mailinator: http://torvpn.com/temporaryemail.html

 

Outsourced Voting

For a nominal amount of money, an organization can purchase votes or emails through ‘Vote Brokers’. These groups will do your bidding in the same way they translate audio to text or do other simple outsource tasks for companies. Technically it is against the Amazon Turk policy to pay workers to vote – which is great.  However you can still hire someone on a site like UpWork to build a script that could use the above tactics.
 

Proxy Voting

A proxy vote traditionally means that a voter transfers their right to vote to a third party. Massive lists of proxy accounts can be managed by a single person simply logging in one by one and voting. Imagine if political staffers could collect permission to vote on behalf of voters in a district in perpetuity — not really the will or action of a crowd, but highly effective.
The best way to win a nonprofit voting competition is by not entering. Click To Tweet

Finally, for the contest creators

This post is meant to ruin poorly designed voting competitions and to scare anyone thinking about building a nonprofit voting competition. I hate the idea of cheating nonprofits and I think that starts when a contest doesn’t use responsible design.

Responsible Contest Design Questions

  • Can your online system be quickly gamed by the exploits above? (I beg you not to use GET requests or anonymous voting)
  • Can you use a third party authentication to stop the email hack?
  • Is the prize pool large enough to make an expected value equation make sense for all participants?

Expected Value for Voting Contest = Prize amount  *  (total # winners / total # charities)

  • Do the nonprofits involved get to keep the voter data that relates to their org? In the case of emails, do they get them?
  • Is there a way to build this so that every participant wins in some way?
  • Is the time frame limited so there is only a small window of nonsense voting requests?
  • Is there a clever way to design the voting process so that it actually produces some positive impact for the nonprofit? e.g. voters have to submit photos they take of the cause that the nonprofit can have access to later for their photo database. Or they must submit 1 idea that they think would improve their work. etc.
  • Could you use a threshold voting, where nonprofits need to get to X votes to be considered by a panel? This caps the voting nonsense while still getting a bit of the network effect you are hoping for your brand. This pairs well with a social integration.

 
I hope these questions will spur some more creative approaches to contest design and will add more value to the nonprofits who participate.
NOTE Whole Whale does not cheat on behalf of our clients. It is not a service WW offers nor will ever offer. Also, please don’t reach out to us to vote for your contest.
 
So there you have it – our guide to breaking online voting contests so your nonprofit can win. And more importantly, to bring transparency to this one-sided marketing tactic.
 

Even more awesome resources