Ask HN: What's the right way to authenticate survey takers?
7 points by frisco on April 5, 2009 | 5 comments
Right now I'm using Facebook Connect to (and only to) check for real-personhood and ensure that each real person only takes the survey once. I'm really worried that since FB Connect allows me to hypothetically snarf user data and post to the Facebook wall, on top of the basic fact that you need to enter your Facebook credentials, I'll scare off lots of prospective participants.

Is there a better way to do this? Google accounts just shift the problem. I track IPs but those are neither sensitive nor specific. I'm running a general population data collection survey, so it can't have any domain-specific barrier.



I'm just coming up with this off the top of my head, but:

1. When loading the survey page check for a cookie. If it's not present, set the cookie, record the ip-and-cookie mapping, and redirect back to this page.
2. Now that we're loading the page with the cookie, present the form.
3. Upon submission of the form, validate that this IP was previously assigned this cookie, record the ip-cookie-vote triplet. Throw out the vote if that IP hasn't been assigned that cookie.

If a scripter wants to automate requests, they'll have to figure out that they need to get the cookie from you, then use it to vote. You can detect abnormally large ip-vote (and timeframe) combinations and automatically, or later manually, discard anomalous results.

It's not perfect of course, but there is no such thing as a perfect internet survey (unless you're going to mail out SecurID fobs or some such to the participants).


How about just identifying via their IP and name, and also log their browser user-agent too, then when getting the results, query the database to find IPs which have taken part more than n times, and manually check for the signs that the entry was done by the same person or a bot?

It's not perfect, but unless you limit each IP to one entry, people can game the system (creating new Facebook accounts, email accounts, etc.) anyway.


Send each participant an email which contains a link to the survey. The link contains a hash key. Each hash key is only valid once. So, each link is only valid once. If you're really worried, also have people do a captcha before they take the survey.

I'm not sure if this works with your setup, but presumably, if you have access to people's Facebook information, you have access to their emails.


No, so flip that: I don't have access to any FB info now, and I don't need it for anything, so I'd like to find a way to validate people without bringing out the privacy concerns of FB connect.

It's an incentivized survey that we'll distribute through ads and word of mouth (i.e., forums and the like) to pass around 2,000 people through it, none of whom we have emails for now.


So can you make the first page of the survey a request for an email address, which you send a verification email to? They enter their email address, you send them an email with some sort of uid in the url, they then click that link to continue with the survey.

Obviously, you'd need to log the email address to make sure you only send one email to each address, but that should be the only thing you'd need to keep a record of.

This would seem to provide enough verification of individuals, without too much assing about on the end user side.
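The single-use emailed link described in the two email-verification comments above, sketched as an added example that is not part of the thread. The class and method names are hypothetical, in-memory containers stand in for a database, and sending the mail itself is left out.

```python
import hashlib
import hmac
import secrets


class SurveyInvites:
    """One survey link per email address, each link valid once (hypothetical helper)."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper      # server-side secret used to key the email hashes
        self._mailed = set()       # keyed hashes of addresses already sent a link
        self._pending = {}         # sha256(token) -> email hash, for unused links

    def _email_key(self, email: str) -> str:
        # Normalise case and whitespace so " A@x.org" and "a@x.org" count once.
        # Only a keyed hash is kept, so the stored record is not a list of addresses.
        norm = email.strip().lower().encode()
        return hmac.new(self._pepper, norm, hashlib.sha256).hexdigest()

    def issue(self, email: str):
        """Return a fresh token to put in the mailed URL, or None if already mailed."""
        key = self._email_key(email)
        if key in self._mailed:
            return None
        self._mailed.add(key)
        token = secrets.token_urlsafe(32)  # unguessable, safe to place in a URL
        # Store only a digest of the token, so a leaked table cannot be replayed.
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = key
        return token

    def redeem(self, token: str) -> bool:
        """True exactly once per issued token; False for unknown or reused tokens."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the entry as it checks it, so a second use finds nothing.
        return self._pending.pop(digest, None) is not None


if __name__ == "__main__":
    invites = SurveyInvites(pepper=secrets.token_bytes(32))
    link_token = invites.issue("participant@example.org")  # constructed address
    print("first use accepted:", invites.redeem(link_token))
    print("second use accepted:", invites.redeem(link_token))
    print("second mail to same address:", invites.issue("Participant@example.org"))
```

With a real database, the same guarantee comes from a unique constraint on the email hash and deleting the token row in the same transaction that stores the response.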



