In the days around the Brexit vote, an online activist linked to 4chan's imageboard created multiple automated scripts allowing rapid response to petitions posted to the official UK Government petitions website.
First Published 29th June 2016
Power in numbers.
4 min read | Reflare Research Team
With the broad global adoption of the internet and social media, online polls of various sorts have become valuable tools for political forecasting, policymaking and market research.
However, the (semi-)anonymous nature of these polls makes them ripe targets for manipulation by special interest groups. In today's briefing, we will examine the impact of manipulations and the state of potential mitigation strategies.
After the UK's referendum on EU membership led to a win for the "Leave" campaign, a petition was started on the UK Government's official petitions site asking for a second referendum. While millions of valid signatures were placed under the petition, it soon became apparent that thousands of further signatures had been created by online activists linked to the 4chan image board.
This most recent example highlights the central issue with online polling: The anonymous nature of the internet allows for vote manipulation.
While some polling providers require the registration of email addresses or phone numbers, the solving of CAPTCHAS or the creation of accounts, all of these steps can easily be circumvented by an activist determined to cast several votes.
Worse yet, in many cases, the voting process can be completely automated.
This means that even a single technically versed attacker can completely control the outcome of a badly secured poll. Since online petitions are expected to represent the will of the population, a single person may thus hack his or her way to large political influence if the petition's signatures aren't sufficiently verified.
Polls requiring the registration and confirmation of email addresses or phone numbers are slightly harder to influence, but still pose no real challenge to a determined attacker with the necessary technical know-how.
CAPTCHA systems such as Google's reCAPTCHA can prevent automation to some degree. While easy CAPTCHA systems have been cracked, more sophisticated solutions still provide a reasonable technical hurdle to automation.
That said, since a human can solve about one CAPTCHA every 3 seconds, a determined attacker could still cast more than a thousand votes on a given poll.
Requiring Facebook authentication before polling helps prevent automated fraud since Facebook itself heavily monitors for fraud. This approach however prevents those people with no Facebook accounts from participating in the polling process thus skewing the results. Lastly, "verified" Facebook accounts can be purchased on the black market for mere cents if the attacker has a sufficient budget.
At this point, short of a governmental deployment of digital identity certificates to the general population, all online polls are therefore ripe for manipulation. We expect this state to continue for the foreseeable future.
All online polls - be they petitions, questionnaires or opinion polling - should therefore be expected to be at least partially compromised.