This blog entry has been updated.
Earlier today, several observers noticed a strange phenomenon with respect to the City of Hamilton's Pan Am stadium survey. Specifically, the numbers moved overnight from 80% support for the West Harbour to 60/40 and then 50/50 support - but there were almost no pro-East Mountain comments on the comments page.
Curious about this, I decided to try and figure out how difficult it would be to bypass the website's user validation and submit multiple poll entries.
It turned out to be extremely easy - so easy that I must conclude the results are utterly worthless as an indicator of how Hamiltonians feel about the stadium location.
Please note: I'm not accusing the Ticats or anyone affiliated or associated with them of cheating. The survey is so simple to beat that anyone with even a modest knowledge of programming could do it. I wouldn't trust the numbers of either West Harbour or East Mountain supporters on the poll.
I apologize in advance, as this section necessarily gets a bit technical.
Looking at the source code of the main Hamilton Pan Am Stadium page, the survey itself is contained within an inline frame on a page called poll.php. If you've already completed the survey, you should see a bar chart with the results (at 52/48 for the West Harbour as I write this). If you haven't completed the survey, you should see the survey form.
The form also has a couple of hidden fields: "action" and "ipAdd". The "action" field will have a value of "newuser" and the "ipAdd" field will have your IP address.
Once you select a location and submit the form, the poll.php page writes a cookie to your browser indicating that you've already filled in the form, so on subsequent visits you will see the results chart instead of the form.
The simplest way to get around this is simply to block all cookies in your browser and manually fill in the form multiple times - but that's tedious and any self-respecting programmer is far too lazy to execute repeated actions manually when they can be automated.
I decided to write a simple script that generates a random IP address and uses the handy cURL command line tool for executing multiple HTTP POST requests that each register as a legitimate vote. Because cURL doesn't use a browser to issue the page requests, the site never has a chance to install a cookie and block subsequent requests.
Interestingly, at the same time that I was writing and testing my code, the ratio of votes was swinging significantly back and forth as I refreshed the poll.php page in my browser, in a manner that had nothing to do with my activities. (Disclosure: I did enter some votes this way to prove that the method works, but I entered as many votes for the East Mountain as I entered for the West Harbour, so my own testing would not change the overall ratio of votes.)
There are a few things the City could do to reduce the potential for this kind of abuse. Some combination of the following would eliminate casual gaming of the results:
Better yet, the city could scrap the web poll altogether, since even if every vote were legitimate, it would still not be a random, representative sample of Hamiltonians.
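The underlying flaw described above is that the server relies on two things the client controls: the cookie and the posted "ipAdd" field. The following is an added example, not the City's code or the author's script. It replays a constructed set of repeat submissions against a handler that trusts those values and against one that keys on the address the server itself observed. The `location` field name, the `voted` cookie name, the in-memory store and the assumption that the server deduplicates on `ipAdd` are all hypothetical.

```python
from dataclasses import dataclass, field

CHOICES = ("West Harbour", "East Mountain")

@dataclass
class Request:
    remote_addr: str                             # peer address seen by the server
    form: dict                                   # posted fields: client-controlled
    cookies: dict = field(default_factory=dict)  # also client-controlled

class Poll:
    def __init__(self):
        self.tally = {c: 0 for c in CHOICES}
        self.seen = set()                        # dedupe keys already counted

    def _count(self, key, choice):
        # Reject unknown choices and any key that has already voted.
        if choice not in self.tally or key in self.seen:
            return False
        self.seen.add(key)
        self.tally[choice] += 1
        return True

    def vote_trusting_client(self, req):
        # Weak: the "already voted" cookie and ipAdd both come from the client
        # (assumed design; cookie and field names are hypothetical).
        if req.cookies.get("voted") == "1":
            return False
        return self._count(req.form.get("ipAdd"), req.form.get("location"))

    def vote_server_side(self, req):
        # Hardened: ignore ipAdd and cookies, key on the server-observed peer.
        # A per-address limit is coarse (NAT, shared networks) and only raises
        # the bar for casual repeat voting.
        return self._count(req.remote_addr, req.form.get("location"))

def replay(handler_name, requests):
    """Run requests through a fresh poll; return (accepted, tally)."""
    poll = Poll()
    accepted = sum(getattr(poll, handler_name)(r) for r in requests)
    return accepted, poll.tally

# Constructed sample: one client posting five times with no cookie jar and a
# different ipAdd value each time (documentation address ranges).
SAMPLE = [Request("198.51.100.7", {"action": "newuser", "ipAdd": f"203.0.113.{i}",
                                   "location": "West Harbour"}) for i in range(5)]

if __name__ == "__main__":
    print("trusting client:", replay("vote_trusting_client", SAMPLE))
    print("server side:    ", replay("vote_server_side", SAMPLE))
```
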
Update: as of the morning of July 29, the City has removed the poll from their website. In its place is the following message:
We have removed the poll due to ongoing abuse.
Please continue to post your comments.