

Ask HN: What's the right way to authenticate survey takers? - frisco

Right now I'm using Facebook Connect to (and only to) check for real-personhood and ensure that each real person only takes the survey once. I'm really worried that since FB Connect allows me to hypothetically snarf user data and post to the Facebook wall, on top of the basic fact that you need to enter your Facebook credentials, I'll scare off lots of prospective participants.

Is there a better way to do this? Google accounts just shift the problem. I track IPs but those are neither sensitive nor specific. I'm running a general population data collection survey, so it can't have any domain-specific barrier.
======
arantius
I'm just coming up with this off the top of my head, but:

1. When loading the survey page check for a cookie. If it's not present, set
   the cookie, record the ip-and-cookie mapping, and redirect back to this page.
2. Now that we're loading the page with the cookie, present the form.
3. Upon submission of the form, validate that this IP was previously assigned
   this cookie, record the ip-cookie-vote triplet. Throw out the vote if that IP
   hasn't been assigned that cookie.

If a scripter wants to automate requests, they'll have to figure out that they
need to get the cookie from you, then use it to vote. You can detect
abnormally large ip-vote (and timeframe) combinations and automatically, or
later manually, discard anomalous results.

It's not perfect of course, but there is no such thing as a perfect internet
survey (unless you're going to mail out SecurID fobs or some such to the
participants).

------
ashleyw
How about just identifying via their IP and name, and also log their browser
user-agent too, then when getting the results, query the database to find IPs
which have taken part more than n times, and manually check for the signs that
the entry was done by the same person or a bot?

It's not perfect, but unless you limit each IP to one entry, people can game
the system (creating new Facebook accounts, email accounts, etc.) anyway.

------
javert
Send each participant an email which contains a link to the survey. The link
contains a hash key. Each hash key is only valid once. So, each link is only
valid once. If you're really worried, also have people do a captcha before
they take the survey.

I'm not sure if this works with your setup, but presumably, if you have access
to people's Facebook information, you have access to their emails.

~~~
frisco
No, so flip that: I don't have access to any FB info now, and I don't need it
for anything, so I'd like to find a way to validate people without bringing
out the privacy concerns of FB connect.

It's an incentivized survey that we'll distribute through ads and word of
mouth (i.e., forums and the like) to pass around 2,000 people through it, none
of whom we have emails for now.

~~~
Jaymz87
So can you make the first page of the survey a request for an email address,
which you send a verification email to. They enter their email address, you
send them an email with some sort of uid in the url, they then click that link
to continue with the survey.

Obviously, you'd need to log the email address to make sure you only send one
email to each address, but that should be the only thing you'd need to keep a
record of.

This would seem to provide enough verification of individuals, without too
much assing about on the end user side.
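
The email-verification flow from the two comments above (one email per address, one single-use link per email), as an added example that is not part of the thread. The class name `SurveyGate`, the in-memory storage, and the keyed-digest scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class SurveyGate:
    """One invitation per email address, one survey entry per invitation.

    Dicts stand in for database tables (assumption). Only keyed digests are
    stored, so the table holds neither raw addresses nor usable tokens.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper          # server-side secret, kept out of the DB
        self._invited = set()          # digests of addresses already mailed
        self._tokens = {}              # token digest -> already redeemed?

    def _digest(self, value: str) -> str:
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str):
        """Return a fresh token to mail out, or None if this address has one."""
        key = self._digest(email.strip().lower())
        if key in self._invited:
            return None
        self._invited.add(key)
        token = secrets.token_urlsafe(32)   # unguessable, carries no user data
        self._tokens[self._digest(token)] = False
        return token

    def redeem(self, token: str) -> bool:
        """Accept a token exactly once; reject unknown or reused tokens."""
        key = self._digest(token)
        if self._tokens.get(key) is not False:
            return False                    # never issued, or already used
        self._tokens[key] = True
        return True


if __name__ == "__main__":
    gate = SurveyGate(pepper=secrets.token_bytes(32))
    link_token = gate.issue("alice@example.com")        # constructed address
    print("first issue:", link_token is not None)
    print("second issue:", gate.issue("Alice@Example.com "))
    print("first use:", gate.redeem(link_token))
    print("replay:", gate.redeem(link_token))
```

With a real database, the check-and-mark step in `redeem` has to be a single atomic update so that two simultaneous requests with the same link cannot both pass.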

