Ask HN: What's the right way to authenticate survey takers?
Right now I'm using Facebook Connect to (and only to) check for real-personhood and ensure that each real person only takes the survey once. I'm really worried that since FB Connect allows me to hypothetically snarf user data and post to the Facebook wall, on top of the basic fact that you need to enter your Facebook credentials, I'll scare off lots of prospective participants.
Is there a better way to do this? Google accounts just shift the problem. I track IPs but those are neither sensitive nor specific. I'm running a general population data collection survey, so it can't have any domain-specific barrier.
5 comments
[ 4.8 ms ] story [ 35.5 ms ] threadI'm not sure if this works with your setup, but presumably, if you have access to peoples' Facebook information, you have access to their emails.
It's an incentivized survey that we'll distribute through ads and word of mouth (i.e., forums and the like) to pass around 2,000 people through it, none of whom we have emails for now.
Obviously, you'd need to log the email address to make sure you only send one email to each address, but that should be the only thing you'd need to keep a record of.
This would seem to provide enough verification of individuals, without too much assing about on the end user side.
It's not perfect, but unless you limit each IP to one entry, people can game the system (creating new Facebook accounts, email accounts, etc.) anyway.
1. When loading the survey page check for a cookie. If it's not present, set the cookie, record the ip-and-cookie mapping, and redirect back to this page. 2. Now that we're loading the page with the cookie, present the form. 3. Upon submission of the form, validate that this IP was previously assigned this cookie, record the ip-cookie-vote triplet. Throw out the vote if that IP hasn't been assigned that cookie.
If a scripter wants to automate requests, they'll have to figure out that they need to get the cookie from you, then use it to vote. You can detect abnormally large ip-vote (and timeframe) combinations and automatically, or later manually, discard anomalous results.
It's not perfect of course, but there is no such thing as a perfect internet survey (unless you're going to mail out SeucurID fobs or some such to the participants).