I’m trying to run a website where we’d like to collect anonymous votes, but also limit it to as close to 1 vote per person as possible.
I’m sure that’s not possible, so instead I was thinking of something like Panopticlick, which combines metrics like your available fonts, screen size, time zone, user agent, and other public settings into a semi-unique fingerprint so at least it’s 1 vote per browser.
Is anything similar to this fingerprinting technology available as an API or some sort of open-source snippet so I can easily use it on an existing website?
In case you’re wondering, there’s nothing insidious going on here. If we manage to implement this, the fingerprint itself will be hashed and human-unreadable. We’re not interested in tracking our users across sites or anything like that; we just want to try to prevent vote-spam.
Ugh. Please don’t use an evercookie. They are really nasty and antisocial ideas. They are specifically designed to get around what most people would regard as acceptable web site behaviour. A cookie that you can’t delete, and that deliberately hides itself, is not what I would call ethical code, and may well fall foul of some privacy laws. They are blockable: BetterPrivacy makes a solid attempt, and TACO with Abine makes a very serious barrier. I run both.
One aspect of an evercookie is that you leave a deliberately indelible trace on the computer of every person that uses your site. This is visible to any other site that knows about the evercookie, and thus you leave a trace for other sites to invisibly track that the user has voted for something on your site. Whilst your collection of votes might be anonymous, you have left a far from anonymous track that points back to every person that voted. If I were voting on your site I would be less than happy to discover this was happening.
So evercookies aren’t subject to the domain/site limitations of regular cookies? Hmm, that would be unfortunate. I initially did want something that’s hard to delete (because the whole point of this thing is countering anonymous vote fraud), but I definitely don’t want to impact their privacy on altogether unrelated sites.
Thinking about it some more, you know, maybe even a regular cookie would work for our needs. I think I’d rather have a few more fraudulent votes than a few more upset users.
And, anyways, if you want to get around any type of cookie, all you have to do is use a different web browser. You don’t have to be very technically knowledgeable to figure that out.
You’d probably be better off using some sort of IP tracking. Sure, some people will use the same IP, but you can get around that by saying one vote per household. And to help with proxies, just get one of those antispam proxy lists to use as an IP ban list. Sure, you’ll still be vulnerable to a few fraudulent votes, but less so than just using a cookie.
BTW, this is all in theory. I have no idea how easy it is to implement this stuff. I just know that this is how some sites work.
Evercookie had the (small) benefit of working cross-browser, supposedly. That benefit isn’t enough to justify the privacy risks if it can be tracked by other sites they visit, though.
IP tracking won’t work for us because most of our target audience will be coming from a single university, which I believe does some degree of NATing. We’d hate to have 30 people in the same classroom/computer lab be considered 1 individual.
The more I think about this particular case, the more it seems that a regular cookie is a better idea. After more consideration, it’s more accidental re-votes that we want to prevent rather than outright vote fraud. If fraud becomes a bigger problem later, more draconian measures may be justified, but for now we’re going to trust our users.
Nonetheless, thanks for the suggestion. Good for future reference.
Well, a quick check using the test set up by the creator (who released it to try and make browsers capable of stopping this sort of thing) did not show any cross-browser capabilities on my computer. Only Firefox continues to have the cookie set, and not Chrome or Internet Explorer.
Looking at the Wikipedia article, the only two cookie parts that are possibly cross-browser are the Flash and Silverlight cookies. And the Silverlight cookies no longer seem to work, so that just leaves Flash. And if I disable Flashblock, that does seem to let the cookie get through.
BTW, browser fingerprinting is probably not that useful in your intended environment either: while students will probably also have their own computers and devices, all university computers are likely to have the same browser settings.
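An added illustration, not code from any poster in this thread: a small simulation of the three de-duplication keys discussed above (IP address, hashed browser fingerprint, random per-browser cookie) applied to a constructed audience of 30 identically imaged lab machines and 3 personal laptops behind one NAT address. All attribute names, addresses and values are made up for the example.

```python
import hashlib
import secrets


def fingerprint(attrs):
    """Hash browser attributes (sorted for stability) into an opaque ID."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def accepted_votes(voters, key):
    """Count votes accepted when only one vote per distinct key is allowed."""
    return len({key(v) for v in voters})


def build_voters():
    # Constructed sample data: 30 lab machines cloned from one image, all
    # sharing one NAT address (203.0.113.0/24 is a documentation range).
    lab_image = {"user_agent": "ExampleBrowser/1.0", "screen": "1920x1080",
                 "timezone": "UTC-5", "fonts": "Arial,Times"}
    voters = [{"ip": "203.0.113.10", "attrs": dict(lab_image),
               "cookie": secrets.token_hex(16)} for _ in range(30)]
    # Three personal laptops on the same campus NAT, differing in screen size.
    for i in range(3):
        attrs = dict(lab_image, screen=f"{1280 + i * 160}x800")
        voters.append({"ip": "203.0.113.10", "attrs": attrs,
                       "cookie": secrets.token_hex(16)})
    return voters


def compare(voters):
    """Votes accepted out of len(voters) distinct people, per dedup key."""
    return {
        "ip": accepted_votes(voters, lambda v: v["ip"]),
        "fingerprint": accepted_votes(voters, lambda v: fingerprint(v["attrs"])),
        "cookie": accepted_votes(voters, lambda v: v["cookie"]),
    }


if __name__ == "__main__":
    voters = build_voters()
    print(len(voters), "distinct people ->", compare(voters))
```

The per-browser cookie is the only key here that does not merge distinct people, at the cost that clearing it or switching browsers allows a second vote.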