Promote My Site


Aug 04
2008

Voting Rings in Social Networks

Posted by Don in social network, evil, Digg, automation


A lot of "experts" in social media have made the assertion that if you participate in a voting ring on any of the major social sites, you'll get caught. There is a mystique around the all-knowing data centers that can track your activities on their site. If you cheat, you'll get burned. It's that simple.

I'm not going to pass judgement on whether or not you should participate in voting rings. It's probably not good for your karma. But I am going to say that there is a lot of voting ring activity out there, and if you don't understand the issues around it you're going to be at a disadvantage.

The Rings Exist

It doesn't take much in the way of google searching to turn up a number of vote exchange networks. They're pretty blatant about it. Here are some of the major ones that I found with a cursory search:

  • Piqqus - Formerly known as DiggBoss, members exchange social votes on Digg, StumbleUpon and Propeller.
  • SubmitterBot - Exchange Digg and StumbleUpon votes, part of a larger service.
  • 1rst Link - Exchange links on a huge list of social networks, as well as a non-reciprocal link exchange.
  • Spike The Vote - Formerly a Digg exchange site; it was sold on eBay and purchased for $1,000 by a Digger, who shut it down.
  • Stumblebot - Appears to be software that will generate stumbles. Not sure if this is a network or just a bot.
  • Social Traffic Exchange - A forum for exchanging votes on several social media sites.

There are lots more, but you get the idea. You'll notice I nofollowed those links because I don't want to encourage them. But the exchanges aren't limited to just forums and applications. Do a search for "social media" in Google and Yahoo Groups and you'll find several mailing lists all targeted at the same kind of activity.


This is Cheating!

Perhaps, but there is a ton of it going on. Is participating in one of these rings any different than the "A Listers" who send out 25 IMs in the morning to get the 15 votes on Sphinn required to get their articles to the Up and Coming section? Why is it always the same people getting to the front page on these sites? If you don't think there's some offsite networking going on in the social media world, you need to pull your head out of the sand.

Is it cheating when the system has become so corrupt that the way the "Big Names" get their stuff to the top is to rely upon soliciting votes from their friends? It's a self perpetuating cycle, because the people with offsite friend networks are the ones that get to the front page, and front page exposure on these networks is what leads even more people to follow you.

If you think it's possible for "great content" to simply rise to the top, then try this experiment. Go find the greatest Digg bait in the world, something that just can't miss. Submit it with an account that has no history and no friends. The only thing that's going to happen is that some other, more popular Digger is going to find your content and submit it again (ignoring your duplicate), and then it will get popular. This is a popular complaint about MrBabyMan -- people claim that he finds the gems with only a few votes and resubmits them in a different category.

The simple fact is that even the greatest content in the world requires promotion in order to get seen.

Analyze the Top Diggers

Here's an example of the activities of a top 100 Digger. You'd recognize the name, but I'm not going to out them. If you look at their history, they've been digging about 85 stories a day for the last two years. 39% of their submissions go popular.

How much work is 85 Diggs a day? If you put in 6 hours a day on the site, that's a Digg every 4.3 minutes. No breaks. No vacations. If you're taking the time to read the stories you're digging everything you read. This person also submits about 5 stories a day. And they blog a lot. And they participate in a lot of other social networks and are at the top of those too. And they've got a full time job. They either work 20 hours a day, or they've got some special help.

I suppose it's possible that they're just super-human and can Digg like that, but it's much more likely that they've got a bot or a Greasemonkey script that handles a lot of the load. Or there's an entire agency behind that persona doing all that work. Just vote the first five pages each day or the submissions of other popular Diggers, with a 4 minute delay. When you submit something, send an email blast to 25 buddies to get those first votes. Enough people follow this person that they can get most anything to the front page. They also do a good job of submitting Diggable material, but one wonders how the heck they're making money at it. Negative stories about McCain and Bush will always do well with the right care and feeding, but it's tough to monetize them.


Why Can't Social Sites Catch These People?

It's mathematics, pure and simple. The problem is simply not computable in any reasonable amount of time.

Let's take our Top Digger in the above example and see if we could catch them by looking at the voting behaviors on their stories. The trick is that they send out 25 vote requests, but the pool of people they can request from is much larger, say 250. So for any given story, there's a 10% chance that a person out of the group will vote for it. And the average story gets a few hundred votes because they've become popular, so we're looking for 10% out of that.

This is a well understood problem in computer science. What we're trying to figure out here are the functional determinants in the data. We're saying that a submission by A leads to votes by B and C. If the variance is 0% (in other words, every time A submits, B and C vote), then it's pretty easy to spot. You can take a small sample of data, iterate through A, B, and C's behavior a single time, and you'll find that there is an exact correlation. We can see that A functionally determines B and C.

But what if B & C only vote for A's stories 50% of the time? Now our nice and neat functional dependency algorithms won't work. We can't use a small random sample of data, we have to look at a much larger set in order to spot the trend. So instead of looking at 25 submissions to spot the trend, I'd have to look at all 2,500. And remember, out of the 1,000s of people that ever voted on a story submitted by A, I don't know who B & C are ahead of time. So I have to look at everyone that has ever voted on a submission by A. Now work the numbers if our voting pool only votes 10% of the time. If I look at our Top Digger's friends page I see that there are over 22,000 recent Diggs by people in their friend network. And that's a very small amount of Diggs compared to the total number of Diggs across all of their submissions. It's just not possible to spot the rings. If you had a billion dollars in venture capital and a giant supercomputer you still couldn't police it.


What Can Social Networks Do?

What is possible is to spot a ring if you have a hypothesis about who to look at ahead of time. For instance, let's say A is silly and submits something that is clearly spam. It gets 5 votes before it is marked as spam. Now checking the voting behavior of A vs 5 people is quite easy. And if you roll them up, what does it mean?

  • You've taken out 5 people from a group of 250, which is pretty easy to rebuild.

  • If you ban the Top Digger, you're opening yourself to the ultimate black hat attack. Want to take someone down? Just set up 5 fake accounts and have them digg the Top Diggers submissions 100% of the time. Then send a complaint to Digg that you've spotted a voting ring.
  • Your process required manual intervention, which is quite expensive.
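The hypothesis-driven check described above, as an added example (not code from the original post or from Digg): take the accounts that voted on the flagged story and compare each one's vote rate on the submitter's stories with the same account's rate on everyone else's. The vote log, account names and the `alpha` threshold are constructed for illustration.

```python
from collections import defaultdict
from math import comb


def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): the chance of k or more votes by luck."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def voters_on(votes, story_id):
    """Accounts that voted on one story, e.g. the submission marked as spam."""
    return {voter for voter, story in votes if story == story_id}


def score_suspects(stories, votes, submitter, suspects, alpha=0.01):
    """Compare each suspect's vote rate on `submitter`'s stories with the same
    account's rate on everyone else's stories.

    stories: {story_id: submitter_name}; votes: list of (voter, story_id).
    """
    voted = defaultdict(set)
    for voter, story in votes:
        voted[voter].add(story)
    target = {s for s, who in stories.items() if who == submitter}
    if not target:
        raise ValueError("submitter has no stories in this data set")
    others = set(stories) - target
    report = {}
    for account in sorted(suspects):
        hits = len(voted[account] & target)
        other_hits = len(voted[account] & others)
        # Smoothed baseline so an account with no other votes does not get p = 0.
        baseline = (other_hits + 1) / (len(others) + 2)
        p_value = binom_tail(hits, len(target), baseline)
        report[account] = {
            "hits": hits,
            "rate": hits / len(target),
            "baseline": baseline,
            "p_value": p_value,
            "flag": p_value < alpha,
        }
    return report


def build_sample():
    """Constructed data: 60 stories by 'A', 300 by other submitters, 4 voters."""
    stories = {f"a{i}": "A" for i in range(60)}
    stories.update({f"o{i}": f"user{i % 50}" for i in range(300)})
    votes = []
    # ring1 votes on half of A's stories, ring2 on 10% of them.
    votes += [("ring1", f"a{i}") for i in range(0, 60, 2)]
    votes += [("ring1", f"o{i}") for i in range(0, 300, 20)]
    votes += [("ring2", f"a{i}") for i in range(0, 60, 10)]
    votes += [("ring2", f"o{i}") for i in range(0, 300, 100)]
    # fan votes on 30% of everything, so the rate on A matches the baseline.
    votes += [("fan", f"a{i}") for i in range(60) if i % 10 < 3]
    votes += [("fan", f"o{i}") for i in range(300) if i % 10 < 3]
    # casual happened to vote on the flagged story and little else.
    votes += [("casual", "a0")] + [("casual", f"o{i}") for i in (5, 105, 205)]
    return stories, votes


if __name__ == "__main__":
    stories, votes = build_sample()
    suspects = voters_on(votes, "a0")  # a0 plays the story marked as spam
    for account, row in score_suspects(stories, votes, "A", suspects).items():
        print(account, row)
```

A flag says the account's voting is skewed toward the submitter; as the list above notes, it does not show that the submitter asked for those votes.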

You can also send out employees to join these networks and participate, looking for people that are asking for their submissions to be voted up and banning them. They don't generally do this because someone can just ask for votes for someone else's submissions and have them wrongly accused of participating in the ring. If the sites are smart, they'll periodically insert stories from top users to be voted up. A black hatter could lay waste to hundreds of competitors by submitting their stories to various voting rings.

Likewise, they can track activity. If you vote a story every 2 seconds you're leaving a clear footprint. Except that people do that all the time without consequences on Digg. Witness the Greasemonkey scripts used by the bury brigade that automatically bury stories that contain certain keywords or come from certain users. So if you're a top digger, they're likely to check your history, and if you do something like digg a bunch of stories without a pause, you'll get caught.
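One way to look for the footprint described above, as an added example rather than anything Digg is known to run: it flags rapid-fire bursts and metronome-regular gaps in a per-account vote log. The log, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def timing_findings(vote_log, fast_gap=5.0, burst_len=10, min_votes=20, cv_floor=0.05):
    """vote_log: iterable of (account, unix_time). Returns {account: [findings]}.

    burst   - burst_len or more consecutive votes less than fast_gap seconds apart
    regular - gaps so uniform (coefficient of variation below cv_floor) that a
              timer, not a reader, is the likelier source
    """
    times = defaultdict(list)
    for account, ts in vote_log:
        times[account].append(ts)
    findings = {}
    for account, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        found = []
        run = longest = 0
        for gap in gaps:
            run = run + 1 if gap < fast_gap else 0
            longest = max(longest, run)
        if longest + 1 >= burst_len:  # n fast gaps join n + 1 votes
            found.append("burst")
        # Regularity needs enough gaps to mean anything (and at least two).
        if len(gaps) >= max(min_votes - 1, 2) and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) < cv_floor:
                found.append("regular")
        findings[account] = found
    return findings


def sample_log():
    """Constructed log: a 2-second clicker, a fixed 4-minute timer, and a reader."""
    log = [("clicker", 1000 + 2 * i) for i in range(30)]
    log += [("timer", 5000 + 240 * i) for i in range(40)]
    t = 9000
    for i in range(30):
        # Irregular, human-looking gaps in seconds (one quick double-click included).
        t += (37, 410, 62, 1800, 15, 95, 700, 48, 260, 3)[i % 10]
        log.append(("reader", t))
    return log


if __name__ == "__main__":
    for account, found in timing_findings(sample_log()).items():
        print(account, found or "nothing flagged")
```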

There's no way they can catch everyone. They can't even catch a small percentage. What they can do is concentrate on policing their top users and clear spammers very carefully, and if they catch someone, make their ban very public, pour encourager les autres. And they can keep fostering the fantasy that anybody that cheats on a social network is going to get caught, aided and abetted by "A List" people that did exactly that on their way up.

But if users stay away from submitting stories that are clearly spam, insert pauses in their voting, and limit their ring activity to around 10%, there's no way they're going to get caught. At least not until we get a few orders of magnitude in compute power available.

Mar 16
2008

Digg Robot Friends

Posted by admin admin in evil, Digg


I am ashamed to admit it, but I think I'm friends with a Digg Robot. Ever since we released the Digg Friend Finder we've gotten tons of "friends" requests on Digg. And unlike a lot of people who just click "yes" I like to look at the people who want to be my friend. (This is probably some Freudian leftover from High School and cruel practical jokes.)

Super Hot Chicks Make Me Suspicious

Like with all those pretty women who want to be my Facebook friends (Calling Mr. Spitzer!) I was startled to see Susan's friend request. Ok, I don't look like my picture of Clint but I'm at least an older guy, but a picture of a pretty girl on the internet always brings the comic book guy from The Simpsons to mind.

So I decided to look at Susan's profile. Hmmm:

  • Member for two months
  • 981 "friends"
  • 3 fans
  • All diggs on one topic: Bottled Water

Sock Puppet or Robot?

That is a very good question. What's the difference? Well, the Wikipedia guys have a pretty good take on it - a sock puppet is a "fake" third party making statements on behalf of a principal in a controversy. Now, I don't think there is any controversy about clean water, so she's for sure not a sock puppet.

Robot or Avatar or....

If you spend 10 seconds looking at my activity you'll see that I work at Promote-My-Site, and unless you're from someplace far-far-away you'll figure out that my picture is some kind of inside joke and not meant to imply that I'm actually King Clint. You'll also notice that I'm very interested in Social Networking, Social Bookmarking, and Social Media in general. I also like videos of dogs biting people at a family get-together. (Some kids never really grow up.)

But when you look at Susan and her lack of profile and her mono-focus on bottled water, you have to think - Mister Roboto. But there are some comments in there too, so clearly someone has put some time into mixing human interaction into their robot's travels through digg.

So I'm going to call for a new category: Android.

Susan, if you're really just an extra-pretty intern at a bottled water company who is extra-diligent and focused on promoting your employer, I apologize for the Asimovian smears. But, if you're just a well built android sailing under the radar of the Digg Bury Brigade, well, then I salute your creator.

Mar 02
2008

Bad SEO Tool Security Can Get You Pwned

Posted by admin admin in SEO tool, Security, evil, architecture

Badly Architected SEO Apps

I was reading this really cool article on Chlorine Trifluoride, which apparently can basically burn through just about anything, including sand, asbestos tile, glass, and probably even leftover high school cafeteria pizza.  I completely love this description:

It is, of course, extremely toxic, but that's the least of the problem. It is hypergolic [ignites on contact - ed with AP chemistry] with every known fuel, and so rapidly hypergolic that no ignition delay has ever been measured. It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water - with which it reacts explosively.

Speaking of Explosive

We have been spending a lot of time looking at SEO tools while deploying some of our own (Yahoo Store SEO Analyzer, Digg Friend Finder, Backlink Pinger) and while we've talked a lot about SEO Application Architecture we never did much writing about security. I guess we thought that with all the, er, black hat stuff that can go on around this industry that people would be careful about how their SEO applications were architected.

Uh, No

Without naming names, though you'd recognize them as very big players, we found dozens of security holes in their applications, including but not limited to:

  • Wide Open Ajax Services - Ajax is a wonderful thing. And Firefox protects the browser against cross site scripting. But if the service on the back end is willing to accept a call from anything and doesn't verify that it's the client that's actually calling, then someone else can write an application that does the same thing you do, but uses your server to do the work. For example, another server running PHP could use curl to load one of your pages and then make web service calls to your "public" service and you'd be hard pressed to tell. You'd think you were getting lots of traffic, but you'd just be providing the back end for someone else.
  • JavaScript Based Security - It's hard to believe, but we've seen plenty of applications that take a login in JavaScript, make an Ajax call to authenticate, and then enable a button or show content using JavaScript. If some hacker couldn't figure out how to rape and pillage those systems I think they'd get kicked out of their club.
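A server-side version of the check both items above are missing, as an added example rather than code from any of the tools reviewed: login happens on the server, which hands back a signed token, and the service verifies that token and a per-user quota on every call. All function names, the sample credential and the quota value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)       # never leaves the server
USERS = {"alice": "constructed-password"}  # sample only; store password hashes in practice
QUOTA_PER_USER = 3                         # assumed limit; a real service resets it per time window
_calls = {}                                # user -> lookups served so far


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def login(user, password, now=None, ttl=900):
    """Authenticate on the server and return a signed, expiring session token."""
    stored = USERS.get(user, "")
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify(token, now=None):
    """Return the user name for a genuine, unexpired token, else None."""
    try:
        user, expires, sig = token.split("|")
        deadline = int(expires)
    except (AttributeError, ValueError):
        return None  # missing, malformed, or wrong number of fields
    expected = _sign(f"{user}|{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if deadline < (time.time() if now is None else now):
        return None
    return user


def lookup_rank(url):
    """Placeholder for the expensive back-end work (the PR check itself)."""
    return f"rank for {url}"


def pr_check_open(request):
    """The pattern the post describes: only the page's script decides who may call."""
    return 200, lookup_rank(request["url"])


def pr_check_guarded(request, now=None):
    """Same service, but the server checks the caller on every request."""
    user = verify(request.get("token"), now)
    if user is None:
        return 401, "login required"
    used = _calls.get(user, 0)
    if used >= QUOTA_PER_USER:
        return 429, "quota exceeded"
    _calls[user] = used + 1
    return 200, lookup_rank(request["url"])
```

A script can still log in and present a valid token, so the quota is what limits how much back-end work one account can draw.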

About That Picture

That is a picture of a couple of pounds of Chlorine Trifluoride going off inside an asbestos berm test container. Or is it your website as some hacker takes control of your PR checker (for example) and hoses down google with it until they block your IP or penalize your site?

Ouch.

Perils of Outsourcing

Of the dozen or so tools we found with major security flaws, the most common theme was not age of deployment, or country, or sophistication of the tool. It was that the development was outsourced by a very non-technical person. Not non-technical as in "doesn't understand SEO" or "can't figure out how to tickle google" but as in: not much exposure to complex software engineering.

One thing you should know: we have some extremely technical people on staff.  (Not me, I just fetch the coffee.)  I think we could probably safely outsource applications built to a safe and sophisticated  architectural specification, but it'd be tricky.

We described our SEO architectural technical stack earlier, but here it is again:

Promote My Site SEO Application Technical Architecture

Here is my rule of thumb: if you can't understand that picture, you can't export the work.  You need someone working for you who "gets" it.  I'm not bragging - we're not perfect and there are a lot of things (*cough* graphic design *cough*) that we don't do very well and have to get help with.

Conclusion

If you are going to outsource some development and you'd like to avoid a meltdown, well, you should probably get someone on staff or at least locally consulting with you to ensure that you have proper security. If you can't look at the code that your overseas outsourcing partner is giving you and make sense of it, then you probably shouldn't be trying to play that game.

Feb 21
2008

OpenID is a Social Networking Nightmare Waiting to Happen

Posted by admin admin in social network, social bookmark, mistakes, evil


Phone number portability has been a boon to consumers and the mobile industry, so why will OpenID be a total disaster for social networking and social bookmarking if anyone is stupid enough to use it?

I'm an early adopter, but I've been kind of ignoring OpenID until I had time to really take a look at it.

This Woke Me Up

Open Id Is Bad Idea Because of Phishing

We got a LOT of hits on an article via this Russian scuttle-based bookmarking site. So I was poking around to see if there were any smart ideas we could use and I ran across their registration page.

Tell me, and nothing against the folks running this site, because I wouldn't know them from Adam's housecat, but if you thought about it for 10 seconds, would you use your OpenID there?

Controls

When you switch your phone number from Verizon to Sprint there are elaborate checks and balances. Plus you know that the call center person isn't writing down your phone number so they can call the Maldives or something.

And if you use OpenID to move between your MyYahoo and Gmail accounts, that is probably ok. Because those guys have lots of corporate controls in place.

You can read this excellent Wikipedia Article to understand the types of technology controls built into OpenID (geek warning!).

Trust

At the end of the day you can really only use a site if you trust it. On Amazon many of us have our credit cards stored and one-click buying turned on. I use Overstock a lot, but I don't keep a credit card on file there. When I buy stuff from some smaller retailers I go get a one-use credit card number from my bank.

And you can only use OpenID as a single signon across sites if you trust it.

Single Signon Works in Corporations

Yes, we have it in our office too. But that is a trusted environment. How many of the websites that you regularly use are ones you would really trust? I say that because....

Accidents and Theft Will Happen

What happens when one of the issuing authorities has an, er, well, minor problem?

Like losing the tax records for the UK last November:

Britain's Revenue and Customs department is scrambling to find two discs that contained data on 25 million people.

How about if someone in a trusted position just steals it all. Never happen? Let me remind you of a story from a few years ago:

An engineer working for America Online was arrested yesterday and charged with stealing 92 million e-mail addresses of AOL customers and selling them to spammers that were peddling penis enlargement pills and online gambling sites.

Let's all remember that AOL lost all that before you could buy an 8G memory stick for $40 at Office-Stuff-R-Us.

Phishing is Easy

I get those so-called MasterCard or eBay emails all the time. Sometimes, if they look really good, I go visit to see what I can see. I got one from Malaysia the other day and their site had more than 100 pages that looked EXACTLY like the ones at Citibank.

Wow.

Oh, But They Have Lots of Security

They do, and if you google around a bit you'll find excellent articles like Radar's. And I think that the idea of putting lots of pieces of security (a picture you should see every time, etc) is good. It's like airport security - a hundred little barriers and places to make a mistake and get caught.

Some differences:

  • You have to, as a user, be paying attention to see and use the security measures.
  • The guy caught sneaking onto a plane with box cutters last week was risking physical detention. How are you going to catch some guy living in his mom's basement stealing OpenIDs via a phony soccer survey site?

What Would Your Momma Do?

Let's say your mom uses OpenID on LOLCats (it is embarrassing but true!) and one day she clicks on a banner ad for some site importing French cheese. They ask her to login using her OpenID so she can fill out a "short" five minute survey and earn a free pound of brie. While there they ask her to "update" some of her OpenID details.

Did she notice and use the security features? Or did she just help someone order a dozen Garmin GPS units from Amazon using her one-click account?

OpenID - Count Me Out

Remember what I said above, OpenID's security only works if you're paying attention. And if nobody steals or loses the information at a trusted center.

I am obviously going to give this a "pass" and I think you should too. I don't share passwords across sites so that I'm insulated from just the kind of problems that are bound to occur with a system like OpenID.

I'm just wondering how long until the first big security breach happens.

Feb 10
2008

I Will Take Spambot for 147 Dollars Alex

Posted by admin admin in social network, SEO tool, evil, automation


One of the first things that might warn you that Novasoft's StumbleBot is a social network spamming tool is their blatant ripoff of StumbleUpon's logo.

LogoLicious Infringement

StumbleBot's logo:

Stumblebot Logo

StumbleUpon's logo:

StumbleUpon Logo

Oh, wait, never mind, completely different - one has a blue background and the identical blue/green graphic is 15 degrees out. My bad.

Danger Will Robinson, Stumble Spambulator Coming Our Way

I think the other 'look out' moment is when the sales pitch is all about how to do something without getting caught:

Stumblebot is an easy to use application that lets you create thousands of Stumbleupon accounts, stumble your websites with those accounts and generate thousands of unique visitors from Stumbleupon in no time.

Stumblebot also allows you the option to post randomized relevant tags and reviews for these stumbles. It also includes a username checker and uses rotating proxies and user configurable delays between posts.

I am not a lawyer, but I'm pretty sure that if you're not violating the TOS doing all that, well, then, they must not have much of a TOS.

Novasoft - Sounds Familiar

Yes, we reviewed their Tag Automater and were not impressed - it costs almost $300 to purchase and then there is a $67/month "service" fee. It seemed like a lot of money for a tool that didn't do much.

Tool Overview

This tool is more reasonably priced at around $150, and even has a $1, 2-day demo version. I was about set to pay the buck and give it a try, then I thought to look around to figure out how to terminate the demo period. Nothing. I looked on the support ticket area - this product wasn't even listed. So I decided to NOT get involved in a PayPal hassle.

I sent them an email, but as they did not respond to my previous emails, I don't really expect a response again.

I will say that, given Stumble's architecture, it would be very possible to patch together a tool that would let you 'fake stumble' your posts with a low likelihood of getting caught.

How Worthwhile is Fake Stumble Traffic?

I had a friend who owned an okay-ish Italian place some years ago. He'd let me eat dinner for half price if I'd sit in the window seat and give the thumbs up to people who stopped to read the menu. But the food was only OK, so the people never would come back. I have to believe that if you're counting on people from stumble coming back after falling for this false-trail system then you've not quite understood what makes stumble traffic work.

Conclusion

I think self-stumbling your content is fine, and if you write good content then you'll get an appropriate level of traffic. I'd avoid this social spamming tool - not only are you violating Stumble's TOS but you're also putting your focus and emphasis in the wrong place.

Feb 07
2008

Will SEO for Flooze

Posted by admin admin in social network, money, evil


Ernst-Jan Pfauth, at The Next Web, does some back-of-the-envelope calculation and figures out that Facebook may be making $15M/year in selling "virtual gifts." And she smartly urges other social networking websites to jump on that bandwagon.

Anyone remember a slightly less scary looking Whoopi Goldberg hawking Flooze in the last bubble?

How long until our customers want to pay us in virtual credits we can use in Second Life to buy private education for our virtual children?

Feb 06
2008

All Your Google Docs Are Belong To Me

Posted by admin admin in mistakes, google, evil


We put up a post yesterday with a cool table of information about social websites and, because I hate having to scrape stuff off the web, we used google docs to store the information. But that is all we'll use google docs for - because it has kreppy features and google has, or so it seems, reserved the right to use your "private" documents for whatever they please.

Horrible Lack of Functionality

First the functionality. Let's just say if my options were between Google's spreadsheet and a copy of Lotus-1-2-3 running on an Adds Viewpoint under CPM, I'd probably take Lotus. Yes, their stuff has that little functionality.

For example, some maroon at Google (who I am sure is worth 250x what I am, but never mind that) has breathlessly announced that you can build a web form that saves data in a spreadsheet. No, really. Big News at Google.

Leaving aside that people have been saving web form information to disk for, oh, 10 years ... Excel has been able to create forms since version 0. In 1990.

And don't even get me started on formatting, calculation features.

And a TOS to Bind Them All

But, most importantly, scope this quote from Google Docs' TOS:

You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Service. By submitting, posting or displaying the Content you give Google a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through the Service for the sole purpose of enabling Google to provide you with the Service in accordance with its Privacy Policy.

I can't tell you what our legal consultant said about that because they might think I was giving legal advice and, frankly, I hate it when they come in my office and slap me around. And then send me a bill.

But I will say that we immediately pulled our important documents off google and started up a wiki behind the firewall. Because while I am sure that some lawyer made them put that in there, it sure reads like they can do what they darn well please ... but not with my document full of account numbers and passwords!