Politicians are fond of saying that the only poll that matters is the one on election day.
That may be especially true this year, especially when it comes to online polls that, like anything in the digital, connected world, are vulnerable to mischief.
The mischief is enabled by bots – hundreds to many thousands of computers under the control of an attacker that are more typically used to send out spam, create Distributed Denial of Service (DDoS) attacks and commit various kinds of fraud – but in this case are used to skew poll results. They can make it look like public opinion views one candidate as the winner of a debate when the real vote would show the other candidate did.
“If you know how advanced bots are, then you know it is easy for them to complete online polls and create whatever result they want to show, said Augustine Fou, an independent digital advertising fraud researcher, who added that bots can manipulate everything from “trending” topics on social media to how popular celebrities are.
Indeed, a portion of pop star Justin Bieber's alleged popularity evaporated in 2014 when Instagram moved to purge its site of obviously fake accounts. He “lost” more than 3.5 million “followers.”
“Ever since Facebook moved to automating trending topics – in other words, no human oversight – those have been easily gamed,” Fou said. “Fake stories have been easily trended using bots to make it look like people were interested, sharing, and talking about a story – again child’s play for hackers with bots.”
Rami Essaid, cofounder and CEO of Distil Networks, said following the first debate between Democratic nominee Hillary Clinton and Republican nominee Donald Trump, a number of online spot polls showed Trump the decisive winner, while respondents to more credible polls such as CNN/ORC showed Clinton the winner by 62 percent to 27 percent.
[ ALSO ON CSO: Bad bots on the rise: A look at mobile, social, porn, and spam bots ]
“After the second debate, a CNN poll showed that 12% of the respondents gave the win to Trump, 14% to Clinton, and 70% to Gary Johnson (the Libertarian candidate),” Essaid said. “And Johnson didn’t even participate. So when you look at these examples, the influence of bots is quite clear.”
Paul Vixie, CEO of Farsight Security, said online polls are, “hackable through simple crowdsourcing. Look at the MLB all-star voting, even before the Internet, to see how this consistently yields non-representative results.”
It doesn’t have to be “official” polls either. A group of US and UK academics posted a study this week that showed automated posts on Twitter heavily favored Trump over Clinton. They found traffic on pro-Trump hashtags was about double that of pro-Clinton hashtags; and that about a third of the Trump traffic was driven by bots compared to about a fifth of the Clinton traffic.
Fou said the bottom line is the digital version of the old adage: Don’t believe everything you read. “Don't believe everything you see online,” he said. “Or, more accurately these days, don't believe anything you see online – given how easy it is to manipulate photos and videos, the term ‘photographic evidence’ is no longer meaningful.”
[ IS IT POSSIBLE FOR THE ELECTION TO BE HACKED? See CSO's package of stories on the FUD of rigging the election ]
Essaid cited the iconic late British Prime Minister Winston Churchill, who lived many decades before online polling, but was still suspicious of statistical results. He reportedly said, “Statistics are like a drunk with a lamp post – used more for support than illumination,” and, “I only believe in statistics that I doctored myself.”
Of course, most people are aware that a poll is not an official result. It is not peer-reviewed research or an actual vote. Are they really so malleable that their decision about which candidate to support can be changed by the results of an online poll, credible or not? In other words, do opinions drive polls, or do polls drive opinions?
According to Essaid, both can be true. A good poll tabulates the opinions of people, but he said there are examples of how polls or even social media discussions, “actually can drive opinions.”
The recent Brexit referendum, “had its share of poll hoaxes, and a report from Oxford University and Budapest’s Corvinus University determined that bots played a ‘small but strategic role’ in the social media discussion around it,” he said.
Another, which he called “chilling,” appeared in Bloomberg Businessweek this past spring. Titled "How to Hack an Election," it profiled Andrés Sepúlveda, who is serving time in prison for rigging elections throughout Latin America for almost a decade.
“As Sepúlveda found, ‘voters trusted what they thought were spontaneous expressions of real people on social media more than they did experts on television and in newspapers,’” Essaid said. “The problem is, a lot of those ‘people’ aren’t real.”
Vixie said it is clear people can be influenced by peer pressure. “Most political bumper stickers are sold after the election, not before it,” he said. So while that may not have changed any votes before election day, “there's a very obvious climbing-on-board effect.”
Fou said he doesn’t believe online polls have a direct impact on people's votes, since, “they are not even reflective of real people's eventual voting preference.”
But he said their impact can be amplified because, “media outlets are citing them without really checking the accuracy or even the relevance.”
Still, given the ease with which bots can be used to create fake votes, plenty of expertise to use them on both sides of the partisan divide and plenty of motivation by campaign loyalists to use any means to gain an edge, wouldn’t the skewing efforts even out?
Both Fou and Essaid say they don’t. Fou said hackers with 4chan (an imageboard and message board site said to be the birthplace of meme culture and the Anonymous hacker group), “appear to be supporting Trump for some reason, making the polls show that he won the debates. It doesn’t seem evenly balanced and therefore won’t tend to even out. “
And according to Essaid, automation changes everything. “If in the past you could influence something by 20% and one side did 15% and the other did 22%, sure, it would kind of even out.
“But automation can influence something by 100 or even 1,000%, in which case we have no idea what is actually happening.”
All of which raises the question: If it is so easy to create fraudulent poll results, can’t that activity be spotted by the companies conducting them?
The short answer is yes.
“There are techniques and tools to detect devices and prevent bots from accessing their sites,” Essaid said. “So what it really comes down to is, are they truly unable or have they just not made it a priority?”
Fou agreed, but said given the sophistication of bots, it is not easy. “Bots are not dumb enough to submit 1,000 poll answers in one second, and get caught,“ he said. “They are also not dumb enough to use fake postal addresses or ZIP codes. They will use real ones that pass any address verification service. Similarly, the typical tech defenses that online polls have in place are no match for hackers who are determined to trick the polls and create fake data.”
As “smart” as bots are, experts say they tend to have some telltale characteristics on social media platforms:
- They rarely include a profile image. If they do, it is often shared with multiple accounts.
- They follow many accounts, but have very few followers, since they have no real family, friends or associates.
- They post when, if they were human, they would be sleeping
- They tend to respond faster than is humanly possible
- They send the same response to dozens, or hundreds, of others
- They seem to have very narrow “interests.” They tweet only on the topic their creator programed them to post about.
The election polling will subside in a few weeks, of course. But experts agree there ought to be public pressure on pollsters and social media companies to root out the fraud. And it can be vastly reduced, they say.
“Any online website has a bot problem,” Essaid said. “Companies need to identify and fingerprint the device rather than just an IP address. They need to detect all the behaviors of automation, like determining if they use a real browser or do the headers look correct.
“They should also challenge the bot to prove that it is a human, using various puzzles, and use machine learning to determine if it is a real user. All of this should happen in real-time before the bot gains access to the site.”
Vixie said any polling organization that wants to be taken seriously will have to invest in cyber security. “More than compliance, this means top-to-bottom risk management,” he said.
But, he said, most remain in denial. “The self-deception of most defenders is, ‘I'm not important enough to be attacked in that way,’ or ‘I can't afford the investment it would take to defend against that,’ or ‘internet security is not my primary business and I refuse to make it a first-tier cost.’ Those are just differing ways to lose.”
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.