John and Nina Swanson run a business selling vintage postcards on eBay. To keep customers happy, the Swansons reply to buyers promptly and ship on time. This policy is reflected in their eBay feedback score — a rating based on responses to prior transactions. Positive comments are scored as one point. Neutral and negative remarks are recorded as zero and negative one, respectively. The Swansons have a score of over 2,000.

Six years ago, University of Michigan information studies professor Paul Resnick asked the couple to participate in an experiment. Resnick wanted the Swansons to continue selling postcards through their established profile, but also to offer the same goods and services through seven fake identities. Initially these bogus profiles would have no reputation; later they would be given negative scores. The Swansons agreed.

After 470 auctions, Resnick found that the Swansons’ main account, with its high customer rating, earned an average of 8.1 percent more per transaction than the fakes. It was the first hard proof that a feedback score — a number generated by a collection of unrelated people — carries quantifiable real-world value. “What we’re seeing here is a new kind of trust,” Resnick says. “It’s a kind of impersonal trust geared to situations with lots of interactions among strangers.”

In other words, the crowd matters. Today we harness the masses for everything from choosing the next pop star on American Idol to perfecting open source software and assembling Wikipedia articles. But perhaps the most widespread and vital uses for group input online are in scoring systems. In addition to eBay feedback, these are the customer ratings that Amazon.com and Yahoo Shopping post with product reviews. They’re the feedback scores that Netflix tallies to help subscribers decide which movies to order. And they’re the up-or-down votes that sites like Digg and Reddit (part of the Wired Media Group, which also includes WIRED magazine) rely on to determine which stories to feed Web surfers.

But as rating systems have become more popular — and, as Resnick shows, valuable — there has been what some would say is a predictable response: the emergence of scammers, spammers, and thieves bent on manipulating the mob. Call it crowdhacking.

In some cases, crowdhackers are looking to boost sales or increase traffic to their Web sites. In other instances, they’re simply ripping off unsuspecting consumers. Either way, the more we base decisions on the wisdom of crowds, the greater the incentive to cheat.

The feedback system on eBay was the first widely used community-scoring program. Launched in 1996, it was a way for people to feel comfortable buying things from strangers. Under eBay’s rules, only people involved in a given transaction can rate it, and eBay won’t remove remarks once they’re posted.

This scheme quickly became the gold standard, serving as a model for user-rating systems everywhere from Amazon to Yelp. But people soon realized that the setup was easy to manipulate.

Cheats on eBay typically work like this: A scammer builds up a positive profile by selling hundreds of low-end items, then uses that high score to burn customers on big-ticket sales. That’s what police say an Arizona woman named Nancy Dreksler did in 2003. According to police reports, once Dreksler had acquired positive feedback by peddling inexpensive CDs and DVDs, she sold over $100,000 worth of nonexistent items and fled with the money, leaving more than 500 buyers empty-handed. Arizona authorities say they may yet file charges; meantime, Dreksler has pled guilty to theft and securities fraud charges in a separate Nevada case.

John Morgan, a professor at UC Berkeley’s Haas School of Business, says reputation gaming is surprisingly common on eBay. Morgan recently published a study in which he found more than 6,000 examples of buyers and sellers engaging in transactions solely to boost one another’s scores. These auctions frequently had titles like “100+ Feedback” and a price of 1 cent. Often, the item for trade was a booklet explaining how to increase feedback by reselling that same booklet.

“We saw a number of sellers who used sham transactions to build reputation, laid low for a period of time, and then reentered high-value markets as apparently ‘reputable’ sellers,” Morgan says.

eBay says it constantly hunts for cheaters. According to spokesperson Catherine England, the company uses sophisticated fraud-detection tools to spot suspicious activities and “individuals who may be attempting to inflate their feedback.” She declines to identify these tools but concedes that they are “not 100 percent perfect.”

Other commerce sites have even fewer controls. Yahoo Shopping, for instance, lets anyone post a review, making it easy for merchants to boost their ratings by submitting multiple reviews under false names.

A glaring example of this was disclosed last year, when Rob Solomon, then VP of Yahoo Shopping, admitted to Forbes that the company’s merchant-rating system had been “rigged” by a Brooklyn-based company called PriceRitePhoto. Somehow this shop had managed to get stellar Yahoo ratings, despite many negative reports from disgruntled customers. Blogger Thomas Hawk wrote a post detailing how he’d been threatened by PriceRitePhoto’s owner after writing negative comments about his experiences ordering a camera. Yahoo finally banned the store, but it returned within months under the name BarclaysPhoto, according to the Better Business Bureau. After several more complaints, Yahoo removed BarclaysPhoto from its listings. As of late January, it continues to operate (with suspiciously excellent ratings) on eBay.

Over the past few years, crowd scoring systems have made their way to news and article aggregators. Instead of recommending products or services, these sites solicit community rankings to help steer readers to interesting online stories and postings.

The biggest and best known of these is Digg. Members submit articles, along with a short description and link, to the Digg system. Other members can then look through these articles and choose either to “digg” or “bury” the stories. Articles with the most diggs make it onto the site’s widely read front page.

But just as an eBay seller’s reputation can be falsely inflated, so, too, can the popularity of an article on Digg. The method of choice is the so-called Sybil attack. Named after the famous case of a woman with 16 personalities, a Sybil attack occurs when an individual opens multiple accounts and has them all recommend the same thing. With enough votes, the story makes it to the front page. The payoff can be huge. Getting fronted on Digg means millions of readers and has the potential to catapult a story to the top of a Google search. If the dugg site has advertisers, it’s a financial windfall. If the site sells something — say, a gadget or a funny T-shirt — the rewards can be even greater.

These attacks work — so well, in fact, that several organizations have sprung up to help people launch them. A Web site called User/Submitter charges $20, plus $1 per digg, to boost a story to Digg’s front page. The site accomplishes this feat by paying an army of Digg users 50 cents every time they vote for three User/Submitter-selected articles. Speaking anonymously, the operator of User/Submitter says that in just two months of operation the site has garnered more than 100 clients, many of whom are “writers or representatives from high-traffic news sites.”

Then there’s Spike the Vote, a sort of Digg-based pyramid scheme in which members earn one point every time they digg an endorsed story. Once members have enough points, they can submit stories of their own to be dugg by the network.

Recently, Spike the Vote’s owner, known only as Spike, sold the site on eBay. A Digg user named Jim Messenger bought the site and gave it to Digg, which promptly shut it down. But Messenger wasn’t just being altruistic. He bought Spike the Vote because he knew Digg’s followers would put a story about what he had done on Digg’s front page. This, he figured, would attract customers to his search engine optimization business.

Another way to game Digg is to focus on the site’s heaviest users. The top 100 users on Digg account for as much as 50 percent of all the stories that make it to the front page. Realizing this, a company called JetNumbers approached several of these users and asked if they would promote its VoIP service on the site. At least one agreed. And last August, a top 100 Digg user known as Geekforlife sold his account on eBay for $822.

Digg founder Kevin Rose says he’s working to root out the dishonesty. Digg’s watchdogs understand the legitimate ways that stories become popular. Using that model, they’re constantly tweaking algorithms that seek out nonstandard voting patterns. “Flags go up if, for instance, you’ve created a bunch of new accounts and they all do one thing,” Rose says. The alarm also sounds if all the votes for a particular story come from one referring site, or if votes for a story come from people who don’t click through to read it before giving the thumbs-up.
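The three warning signs Rose describes can be written down as checks over a vote log. The sketch below is an added illustration, not Digg's code: the log fields, the sample rows and every threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample vote log: (story, account, account_age_days, referrer, clicked_through)
VOTES = [
    ("story-a", "u01", 2, "boost.example", False),
    ("story-a", "u02", 1, "boost.example", False),
    ("story-a", "u03", 3, "boost.example", False),
    ("story-a", "u04", 1, "boost.example", True),
    ("story-b", "alice", 400, "digg-frontpage", True),
    ("story-b", "bob", 35, "blog.example", True),
    ("story-b", "carol", 900, "search.example", True),
    ("story-b", "u04", 1, "digg-frontpage", False),
    ("story-c", "alice", 400, "blog.example", True),
    ("story-c", "dave", 5, "blog.example", True),
]

NEW_ACCOUNT_DAYS = 7      # assumed cutoff for a "new" account
MIN_NEW_SINGLE_USE = 3    # assumed: this many new one-story accounts raises a flag
MIN_VOTES = 3             # assumed: stories with fewer votes are too small to judge
MAX_NO_CLICK_SHARE = 0.5  # assumed: more than half blind votes raises a flag

def flag_stories(votes):
    """Return {story: sorted list of flags} for stories with suspicious voting."""
    stories_per_account = defaultdict(set)
    by_story = defaultdict(list)
    for story, account, age, referrer, clicked in votes:
        stories_per_account[account].add(story)
        by_story[story].append((account, age, referrer, clicked))

    flagged = {}
    for story, rows in by_story.items():
        if len(rows) < MIN_VOTES:
            continue
        flags = []
        # Flag 1: a bunch of new accounts whose only activity is this story.
        single_use = [a for a, age, _, _ in rows
                      if age < NEW_ACCOUNT_DAYS and len(stories_per_account[a]) == 1]
        if len(single_use) >= MIN_NEW_SINGLE_USE:
            flags.append("new-single-use-accounts")
        # Flag 2: every vote arrived from the same referring site.
        if len({ref for _, _, ref, _ in rows}) == 1:
            flags.append("single-referrer")
        # Flag 3: most voters never clicked through to read the story.
        blind = sum(1 for _, _, _, clicked in rows if not clicked)
        if blind / len(rows) > MAX_NO_CLICK_SHARE:
            flags.append("votes-without-clickthrough")
        if flags:
            flagged[story] = sorted(flags)
    return flagged
```

In the sample, story-c also has a single referrer but is skipped because two votes are too few to judge, which is the kind of tuning a real system has to get right to avoid flagging small legitimate stories.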

There are a number of other antihacking techniques that Rose says he can’t talk about. One of these, according to Messenger, involves a “friends macro” tool that Messenger acquired (and later gave to Digg) with the purchase of Spike the Vote. This tool lets users amp up their friend lists — which can be valuable in getting votes for your stories. Understanding how it works, Messenger says, has undoubtedly helped Digg find cheaters.

Del.icio.us, the social bookmarking service, also allows users to vote on the most popular articles of the day; a link to a story counts as a vote. Like Digg, the site, owned by Yahoo, is ripe for crowdhacking.

Last September, Fred Stutzman, a PhD student at the University of North Carolina, followed a link on del.icio.us to an identity-management startup called my:eego. Curious, Stutzman began checking out the users who had recommended the service. The first 16 all had exactly the same linking pattern — they had bookmarked two other startups, and their accounts contained no other information or links.

Hours after Stutzman blogged about the Sybil attack, del.icio.us deleted the accounts of the link spammers. Had the Sybil gone unnoticed, however, my:eego’s scheme might have worked. Legitimate users like Stutzman would have visited my:eego and possibly bookmarked it, creating more buzz on del.icio.us until the misled crowd had provided the link swarm my:eego was after.
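What Stutzman spotted by hand, accounts whose entire bookmark list is identical, can be checked mechanically. The following is an added example, not del.icio.us code: the account names, URLs and cluster threshold are constructed, and it also estimates how much of a link's buzz remains once the clones are set aside.

```python
from collections import defaultdict

# Constructed sample: account -> set of bookmarked URLs (all names are made up).
BOOKMARKS = {
    "sock01": {"startup-x.example", "startup-y.example", "startup-z.example"},
    "sock02": {"startup-x.example", "startup-y.example", "startup-z.example"},
    "sock03": {"startup-x.example", "startup-y.example", "startup-z.example"},
    "sock04": {"startup-x.example", "startup-y.example", "startup-z.example"},
    "reader1": {"startup-x.example", "news.example/a", "blog.example/b"},
    "reader2": {"news.example/a", "blog.example/b"},
    "reader3": {"news.example/a", "blog.example/b"},
    "reader4": {"startup-x.example"},
}

# Assumed threshold: two real users can share a short list by coincidence,
# so only groups of three or more identical profiles are reported.
MIN_CLUSTER = 3


def sybil_clusters(bookmarks, target):
    """Groups of accounts that link to target and have identical bookmark lists."""
    by_fingerprint = defaultdict(list)
    for account, urls in bookmarks.items():
        if target in urls:
            # The whole bookmark set is the fingerprint; order does not matter.
            by_fingerprint[frozenset(urls)].append(account)
    return [sorted(accts) for accts in by_fingerprint.values()
            if len(accts) >= MIN_CLUSTER]


def organic_share(bookmarks, target):
    """Fraction of accounts linking to target that are not in a flagged cluster."""
    linkers = {a for a, urls in bookmarks.items() if target in urls}
    flagged = {a for cluster in sybil_clusters(bookmarks, target) for a in cluster}
    return len(linkers - flagged) / len(linkers) if linkers else 1.0


if __name__ == "__main__":
    print(sybil_clusters(BOOKMARKS, "startup-x.example"))
    print(organic_share(BOOKMARKS, "startup-x.example"))
```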

Similar tricks have worked on other occasions. Last November, a story titled “Geek’s Guide to Getting in Shape: 13 Surefire Tips” quickly tallied more than 100 del.icio.us links before blogger Niall Kennedy outed the article as geek bait. Turns out the story was planted on several aggregators by a Web site loaded with advertising for cheap dental plans. (Yahoo and del.icio.us declined to comment for this story.)

So we have an arms race: the crowdhackers manipulating eBay and Yahoo and Digg and del.icio.us versus the crowd defenders — developers and other users who scrub scams out of the system. The University of Michigan’s Resnick is optimistic that the good guys will prevail, so long as they continue to build algorithms that smoke out the cheaters. “A good reputation system makes people more trustworthy,” Resnick says, “because word gets around if they’re not.”

Tell that to Jakob Lodwick. In July, Lodwick, CTO of the company that owns the Web site CollegeHumor, wanted to see how many people on del.icio.us would be willing to link to something for money. He started a contest in which he promised to pick, at random, one del.icio.us user who linked to the contest site and give that person $100. He had nearly 2,700 links when he awarded the check to “NedOne.” As for the thousands who provided meaningless links for nothing? They’re proof that the crowd can’t always be trusted.

Contributing editor Annalee Newitz (annalee@techsploitation.com) wrote about Neanderthals in issue 14.07.

credit Tavis Coburn



