Gaming Online Polls: How Hard Could It Be?

 

It is election season once again, and with it comes a slew of opinion polls showing this politician or that politician-to-be as the nation’s favorite candidate (for the time being). These polls are conducted regularly, over a relatively long period of time, in order to reflect the vicissitudes of electoral whims. Now, since more than half of Filipinos are online, a number of these polls have been conducted through websites. The move is understandable as the benefits are obvious: using the net to reach out to participants is far more convenient and time-efficient than going to them personally, or conducting interviews by phone. The costs are also diminished, since forms don’t even have to be printed.

But how accurate are online polls, really?

A poll’s accuracy and confidence rating depend largely on how sampling was conducted. This in turn hinges on two questions: First, is the sample large enough? Second, is it representative enough?

No doubt an online poll could potentially reach out to a very broad population. Its extent goes hand in hand with the speed at which Internet connectivity expands. To date more than half of Filipinos are active online, spanning all age groups and socio-economic classes. Everyone could theoretically hand in his or her questionnaire, and the sample could approximate the Filipino population closer than has ever been achieved before.

Except not everyone votes. Not everyone takes these votes as seriously as the next. A relatively small, yet particularly motivated minority in real life, might make for a sizable and loud majority online. These small groups could magnify their presence by redoubling their internet efforts: voting twice, commenting more, drowning out the voices of others, to solidify their online clout. Motivated groups could skew online polls through heavy online activity, simply because other groups, though larger, couldn’t be bothered enough to react.

Of course, loud minorities can be corrected by responsible polling measures. Multiple voting could be prevented by identity verification: ensuring that each vote is tied to a unique e-mail address, social media account, or a phone number. This ensures that everybody votes but once.

Except that not everybody is a somebody.

We’re all probably acquainted with them, as we meet their online accounts everywhere we go: attractive, young women (with a few men), with model-level looks, pictures professionally taken, usually blonde and Caucasian. So many, and yet they somehow tend to say the same things over and over, each with more than a thousand liked Facebook pages.

They can help promote a product, advertise a brand, and yes, vote in online polls. These fake yet active accounts are called bots, churned out by the hundreds each day by so-called “click farms”. These farms are usually small-scale operations, employing only a handful of individuals. But they work round the clock with multiple shifts. They also seem to pop up everywhere, but mostly in the third world.

According to a New Republic article, we are currently experiencing a bot bubble of sorts[1]. The article investigates one of these click farms, right at the very heart of Cebu. Day and night shift employees create social media profiles with bare-bones descriptions and identifying information. Profile portraits come from a library of pictures and are scavenged from a variety of online dating sites. Should these profiles need to be phone verified, the employee simply needs to insert any SIM card (stacks of which are found in the click farm) into an old phone and reply to the site asking for confirmation.

These bots are then sold, or rather, sort of hired out, to anyone in need of Twitter mentions or Facebook likes, wholesale and instant. Once a click farm receives an order, all it has to do is run a program and thousands of bots automatically act in unison. This kind of efficiency made the bot market huge: the article estimates a range of several hundred million dollars for either tweets or likes. Celebrities and corporations want them for advertising and name or brand visibility. Presumably, politicians would want them for much of the same.

An unscrupulous candidate (or his campaign aides) could hire click farms with their legions of fake accounts, and have these bots fill out online surveys of current popularity. A candidate who does well in the more visible polls would gain attention from more and more people. This is at the heart of what makes gaming polls attractive: attention breeds attention, and setting off a cascading wave of popularity might just be enough to win the elections.

This prospect makes monitoring polls all the more important. The pollster should always be on the lookout for signs of unusual activity: a sudden spike of voters, uniform voting from unusual places, irregular vote distribution, and the like.
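As an added illustration that is not part of the original article, the sketch below checks a vote log for two of the signs just listed: a sudden spike of voters and uniform voting from one network. The record layout, thresholds and function names are assumptions chosen for the example, and the log itself is constructed.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample():
    """Constructed sample log of (minute, source_ip, choice) records, not real data."""
    votes = []
    # Organic background: 30 minutes, 4 votes per minute, varied networks and choices.
    for minute in range(30):
        for k in range(4):
            ip = f"10.{minute}.{k}.{10 + k}"
            votes.append((minute, ip, "ABC"[(minute + k) % 3]))
    # Burst: 60 votes in minutes 12-13 from one /24, all for candidate A.
    for n in range(60):
        votes.append((12 + n % 2, f"203.0.113.{n + 1}", "A"))
    return votes

def spike_minutes(votes, factor=5):
    """Minutes whose vote count exceeds factor x the median per-minute count."""
    per_minute = Counter(minute for minute, _, _ in votes)
    baseline = median(per_minute.values())
    return sorted(m for m, c in per_minute.items() if c > factor * baseline)

def uniform_networks(votes, min_votes=20, share=0.95):
    """/24 networks with many votes where nearly all go to one choice."""
    by_net = defaultdict(Counter)
    for _, ip, choice in votes:
        by_net[ip.rsplit(".", 1)[0] + ".0/24"][choice] += 1
    flagged = {}
    for net, counts in by_net.items():
        total = sum(counts.values())
        top_choice, top = counts.most_common(1)[0]
        if total >= min_votes and top / total >= share:
            flagged[net] = (top_choice, total)
    return flagged

def tally(votes, excluded_nets=()):
    """Vote totals, optionally leaving out flagged networks."""
    return Counter(c for _, ip, c in votes
                   if ip.rsplit(".", 1)[0] + ".0/24" not in excluded_nets)

if __name__ == "__main__":
    sample = build_sample()
    flagged = uniform_networks(sample)
    print("spike minutes:", spike_minutes(sample))
    print("flagged networks:", flagged)
    print("raw tally:", dict(tally(sample)))
    print("tally without flagged networks:", dict(tally(sample, flagged)))
```

On the constructed log the burst turns a three-way tie into a clear lead for one candidate, and excluding the flagged network restores the tie. Grouping by source network only works when the votes really do share one, so it is one signal among several rather than a complete check.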

A vigilant pollster could correct such errors, enabling him to invalidate polls likely won through the use of click farms. However, it remains impossible to determine just who was behind polling fraud. Groups and individuals who can set up click farms and other black market operations are usually savvy enough to cover their trail. The Cebu click farm, for example, sets up proxy servers to make it seem like it operates from Manhattan. It also uses certain programs to disable Facebook’s tracking cookies.

Of course, the prospective poll manipulator isn’t limited to hiring click farms, as the darker parts of the web provide a varied array of opportunities.

One could opt to hire, or sublease, a host of infected computers to answer polls for him. The infrastructure is already there, as can be seen in DDoS-for-hire services. A Distributed Denial of Service (DDoS) attack is a malicious attack on a website or server that overloads it with simulated traffic, making it inaccessible to legitimate users. It is ‘distributed’ because a DDoS attack uses the processing power of a network of ‘enslaved’ computers called a botnet, infected through malware, phishing emails, vulnerability scans and other methods. This network of enslaved computers could then be subleased for as low as twenty to forty dollars[2]. The sublessee can then loose this army of bots on websites to shut them down, or perhaps, with a few tweaks, click on polls to skew results.

Those who provide DDoS-for-hire services call themselves “Stressors”. Ostensibly, their service involves testing the vulnerability of their clients’ networks. Of course, they don’t bother to check if the network they’re attacking really belongs to their client. This cover allows them to work with greater visibility in mainstream markets.

For those inclined to dig the Internet deeper, the Dark Web provides even more potent and diverse solutions that are downright illegal. Here, mercenary hackers ply their trade, breaking into accounts, stealing credit cards, attacking servers, and many more. They are paid mostly in Bitcoin, for ease of transfer and greater anonymity.

Dell conducted a study about the services offered and their price point. A website could be hacked or its information stolen for $100-$300, depending on the hacker’s reputation. Up to 15,000 individual computers could be infected, with the client’s malware of choice, for just $250. DDoS attacks can be bought per hour ($3-$5), per day ($90-$100), or per week ($400-$600)[3]. According to Business Insider, Yelp reviews could be ordered for $3 a write-up. One can even rent a tool to hack Facebook accounts, $19.99 for three months[4]. With this tool, Facebook pages can get likes from legitimate accounts, without the users ever knowing.

Of course, for those willing to learn, why hire when you could do it yourself? Hacking lessons are available online, just $20 for the first month[5]. Tutorials about setting up hidden services also abound[6]. This allows conducting operations through the Dark Web, which is harder to reach but also harder to detect or catch.

All this goes to show how easy it can be to manipulate online polls. One can buy bots from click farms, botnets from Stressors, professional hacking services from the Dark Web or even lessons to do everything by oneself, and any of this can be done in relative safety.

As the law stands, click farms are not doing anything illegal. Acquiring, using or misusing a social media account belonging to another constitutes Computer-Related Identity Theft, punished under Section 4(b)(3) of the Cybercrime Prevention Act of 2012. But click farms don’t use real accounts; their business is in creating fake ones. That act isn’t punished under the law.

DDoS attacks, on the other hand, involve acts which would constitute Illegal Access, Illegal Interception, Data Interference, System Interference, Misuse of Devices, or Computer-related Fraud, all punishable under the Cybercrime Prevention Act. The challenge for law enforcers, however, is technical or practical rather than legal. As of December last year, the NBI Cybercrime Division only has 4 trained computer forensics specialists, with more than 150 cases being reported per month[7]. Hackers also operate from everywhere around the globe, using proxy servers and other simulated trails, making them supremely difficult to find. The government just isn’t equipped for the task.

Properly conducted, online polls remain practical and convenient statistical tools, thanks to efficient and nearly costless data gathering. But at the same time, and from the technical standpoint, the fact remains that these polls are easily altered and gamed.

 


______________________________________________________________________________________________________________________________________________________

[1] https://newrepublic.com/article/121551/bot-bubble-click-farms-have-inflated-social-media-currency

[2] https://www.incapsula.com/ddos/booters-stressers-ddosers.html

[3] https://www.secureworks.com/blog/the-underground-hacking-economy-is-alive-and-well

[4] http://www.businessinsider.com/9-things-you-can-hire-a-hacker-to-do-and-how-much-it-will-generally-cost-2015-5?op=1

[5] Ibid.

[6] https://www.deepdotweb.com/2015/03/27/onionshop-guide-how-to-set-up-a-hidden-service/

[7] http://www.philstar.com/metro/2015/12/06/1529558/lack-witnesses-manpower-hamper-cybercrime-probers
