Detect Multiple Accounts from Same IP

Started by Doug Heffernan, May 31, 2020, 12:24:45 PM


Doug Heffernan

These SQL queries will list all duplicate accounts registered and posting at your forum from the same IP. I was going to turn this into a mod, but due to not having much free time atm for that, I am posting the raw SQL queries here.

For registrations:

-- One row per registration IP that more than one account registered from.
SELECT member_ip,
       COUNT(*) AS accounts_registered,
       GROUP_CONCAT(member_name) AS names
FROM smf_members
GROUP BY member_ip
HAVING COUNT(*) > 1;

For posts:

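-- Count and list each distinct poster name once per IP, not once per message.
SELECT poster_ip,
       COUNT(DISTINCT poster_name) AS multiple_posters,
       GROUP_CONCAT(DISTINCT poster_name) AS posters
FROM smf_messages
GROUP BY poster_ip
HAVING COUNT(DISTINCT poster_name) > 1;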
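A stricter variant of the post query, as an added example that is not part of the original post: it flags pairs of registered accounts only when they have posted from at least two of the same IPs, which cuts down matches caused by a single shared office or household address. It runs against an in-memory SQLite table as a stand-in for the forum database; the sample rows are constructed, and the SELECT uses only the id_member and poster_ip columns of smf_messages.

```python
import sqlite3

# Constructed sample rows: (id_member, poster_name, poster_ip).
# id_member 0 marks a guest post and is ignored by the query.
SAMPLE_POSTS = [
    (1, "alice", "198.51.100.7"),
    (2, "alice_alt", "198.51.100.7"),
    (1, "alice", "203.0.113.20"),
    (2, "alice_alt", "203.0.113.20"),
    (3, "bob", "198.51.100.7"),       # shares a single IP with the others
    (3, "bob", "192.0.2.55"),
    (0, "guest", "198.51.100.7"),
    (1, "alice", "198.51.100.7"),     # repeat post, must not inflate the count
]

# Self-join on IP; a.id_member < b.id_member yields each pair once.
PAIR_QUERY = """
SELECT a.id_member AS member_a,
       b.id_member AS member_b,
       COUNT(DISTINCT a.poster_ip) AS shared_ips
FROM smf_messages AS a
JOIN smf_messages AS b
  ON a.poster_ip = b.poster_ip AND a.id_member < b.id_member
WHERE a.id_member > 0
GROUP BY a.id_member, b.id_member
HAVING COUNT(DISTINCT a.poster_ip) >= ?
ORDER BY shared_ips DESC, member_a, member_b
"""

def build_db(rows):
    """Create a minimal smf_messages table holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE smf_messages (id_msg INTEGER PRIMARY KEY, "
               "id_member INTEGER, poster_name TEXT, poster_ip TEXT)")
    db.executemany("INSERT INTO smf_messages (id_member, poster_name, poster_ip) "
                   "VALUES (?, ?, ?)", rows)
    return db

def shared_ip_pairs(db, min_shared_ips=2):
    """Return (member_a, member_b, shared_ips) for pairs at or above the threshold."""
    return db.execute(PAIR_QUERY, (min_shared_ips,)).fetchall()

if __name__ == "__main__":
    for row in shared_ip_pairs(build_db(SAMPLE_POSTS)):
        print(row)
```
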

Wellwisher

The problem with IP search is that there may be multiple users in the same occupancy, institution or place of business etc. There are people sharing wifi between 2 houses so this could hinder your website's rep. However if you can combine it with other factors e.g. email address... might be a good thing.

Decent_946

And also, mostly people are using dynamic IP. So it's possible that the IP of user will change occasionally. As in my case, my IP keeps changing on every visit. :P I look forward if this can be done with uniqueID of system or mac address. So this can actually avoid a user from registering multiple accounts from 1 machine.
Thankx to RebellioN

Arantor

No, and no, because the web server is not given that information to be able to decide.

Not that machines can't fake a MAC address.

Doug Heffernan

I think that there isn't any absolute foolproof way to do this. Users can change IP addresses very easily.

You can try to set a unique cookie, but as we all know cookies are too easy to remove to be reliable. The same goes for the Flash cookies, but these can also be manageable as well, or the user may not have Flash installed.

Then there is browser fingerprinting. We can do a fingerprinting algorithm using different variables from the $_SERVER, but users can switch to a different browser. Also there might not be enough data to differentiate between users on the same network.

Any way you cut it, it just is not possible to get 100% accuracy in identifying multiple accounts.

That being said, one or all of the above mentioned methods are sufficient to detect multiple accounts of less tech-savvy users btw.

Doug Heffernan

Quote from: Decent_946 on June 06, 2020, 03:42:54 PM
And also, mostly people are using dynamic IP. So it's possible that the IP of user will change occasionally. As in my case, my IP keeps changing on every visit. :P I look forward if this can be done with uniqueID of system or mac address. So this can actually avoid a user from registering multiple accounts from 1 machine.

As it happens I was contacted by a member last night who had an interesting concept as to the best method for detecting multiple accounts. The concept was to set a unique cookie to users' devices when they browse your forum. The cookie expiration date is set to one year and its unique string associated with the user's device will be saved to a table. So even if the user deletes their cookies, it won't matter much.

Anytime that a user will browse your forum from the same device, logged in from another account, i.e. as another user, his/her action(s) the unique key will be logged and it will display all users who logged in and what browser they used when a match is found.

Let us take this scenario, user registers an account at your forum from his work PC and another from his home. Each time he/she does that, a unique string will be generated for each account and logged in the db table that the mod adds.

Now, whenever the user logs in from either account, from both devices, the mod scans the table where the unique strings have been stored, and it will display the matched strings, a.k.a. the duplicate results.

This is the most accurate way to detect multiple accounts imo.

Anyways, I have submitted the mod here should you be interested. It is awaiting approval currently.

https://www.simplemachines.org/community/index.php?topic=573611
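The device-cookie matching described in the post above, as an added sketch that is not the mod's code: a random token is issued with a one-year lifetime, each (token, account) pair is logged once, and any token seen with more than one account is reported. The cookie name, table layout and function names are hypothetical, and the `consented` flag is an assumption added because the replies dispute whether such a cookie may be set without opt-in.

```python
import re
import secrets
import sqlite3

COOKIE_NAME = "device_token"          # hypothetical name, not the mod's cookie
ONE_YEAR = 365 * 24 * 3600            # lifetime described in the post
TOKEN_RE = re.compile(r"[0-9a-f]{32}")

def open_log():
    """Create the (hypothetical) table that maps device tokens to accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE device_log (token TEXT, id_member INTEGER, "
               "user_agent TEXT, UNIQUE (token, id_member))")
    return db

def record_visit(db, cookies, id_member, user_agent, consented):
    """Log a logged-in page view; return a Set-Cookie value if a token was issued."""
    if not consented:
        return None                   # no cookie is set and nothing is logged
    token = cookies.get(COOKIE_NAME, "")
    set_cookie = None
    if not TOKEN_RE.fullmatch(token): # missing or malformed: cookie is client input
        token = secrets.token_hex(16)
        set_cookie = (f"{COOKIE_NAME}={token}; Max-Age={ONE_YEAR}; Path=/; "
                      "Secure; HttpOnly; SameSite=Lax")
    db.execute("INSERT OR IGNORE INTO device_log VALUES (?, ?, ?)",
               (token, id_member, user_agent))
    return set_cookie

def shared_devices(db):
    """Map each token seen with more than one account to its sorted member ids."""
    seen = {}
    for token, id_member in db.execute(
            "SELECT token, id_member FROM device_log ORDER BY token, id_member"):
        seen.setdefault(token, []).append(id_member)
    return {t: ids for t, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    db = open_log()
    header = record_visit(db, {}, 1, "ExampleBrowser/1.0", True)
    token = header.split(";")[0].split("=", 1)[1]
    record_visit(db, {COOKIE_NAME: token}, 2, "ExampleBrowser/1.0", True)
    print(shared_devices(db))
```
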

Arantor

Kind of shame that would be illegal in the EU :(

Doug Heffernan

Quote from: Arantor on June 07, 2020, 08:32:37 AM
Kind of shame that would be illegal in the EU :(

May I ask why it would be illegal in the EU?

Arantor

It would violate GDPR as well as not being part of the 'necessary cookies' such that you'd have to get users to accept explicitly.

Doug Heffernan

Quote from: Arantor on June 07, 2020, 08:36:47 AM
It would violate GDPR as well as not being part of the 'necessary cookies' such that you'd have to get users to accept explicitly.

Where does 'necessary cookies' fall under btw? I did some research on the subject and as long as the admin places a notice about cookies as required, it should not be a problem imo.


Arantor

Necessary cookies are ones *required* to make the service work. A cookie that tracks what you're adding into a cart, sure. A cookie for the purposes of you logging in and keeping your session, sure.

A cookie designed for profiling (which is what you're doing) is not 'necessary' and would require some pretty explicitly opt-in notices for the user, plus the site owner would have to disclose this cookie and what it was used for.

In fact in Germany in particular, even a temporary session cookie is legally questionable without explicit permission, let alone something more permanent.

Heck, even the secondary cookie SMF emits for preventing ban evasion requires some care in terms of cookie policy wording.

The whole 'tracking' thing is exactly what this legislation was intended to prevent.

Doug Heffernan

Quote from: Arantor on June 07, 2020, 08:53:13 AM
Necessary cookies are ones *required* to make the service work. A cookie that tracks what you're adding into a cart, sure. A cookie for the purposes of you logging in and keeping your session, sure.

A cookie designed for profiling (which is what you're doing) is not 'necessary' and would require some pretty explicitly opt-in notices for the user, plus the site owner would have to disclose this cookie and what it was used for.

In fact in Germany in particular, even a temporary session cookie is legally questionable without explicit permission, let alone something more permanent.

Heck, even the secondary cookie SMF emits for preventing ban evasion requires some care in terms of cookie policy wording.

The whole 'tracking' thing is exactly what this legislation was intended to prevent.

It is the webmaster's duty to inform their users about it. As long as they state clearly about the cookie and its usage I do not see any problem.

For ex, something like this:

Third Party Cookies

The site owner has set an additional cookie, smf_member_id, in addition to the standard cookies.

This cookie is used to identify if you are logged in and it is used for website usage tracking.


That should cover it imo. But as mentioned, it is the duty/responsibility of the website owner to do that and not the mod's author.

Arantor

No, it's not the webmaster's duty to inform. Their duty is to obtain permission before using such a cookie. Unless you facilitate such, which seems antithetical to the design and implementation, you have bigger problems.

Doug Heffernan

Quote from: Arantor on June 07, 2020, 09:20:13 AM
No, it's not the webmaster's duty to inform. Their duty is to obtain permission before using such a cookie. Unless you facilitate such, which seems antithetical to the design and implementation, you have bigger problems.

There is nothing antithetical or illegal about this concept. And yes, it is the webmaster's duty to inform users about what cookies they use in their website. And the user can decide to use or not use said website.

This mod can be used in the EU without any problems at all.

Arantor

Try reading the legislation; user consent has to be obtained *before the cookies are delivered*. And the use for tracking requires explicit consent under the GDPR or as I have to deal with it, the Data Protection Act 2018.

It really isn't enough to just 'inform users'.

Doug Heffernan

Quote from: Arantor on June 07, 2020, 09:38:56 AM
Try reading the legislation; user consent has to be obtained *before the cookies are delivered*. And the use for tracking requires explicit consent under the GDPR or as I have to deal with it, the Data Protection Act 2018.

It really isn't enough to just 'inform users'.

And the user has the choice to either visit the website or not. And if the user visits said site, he/she has consented.

This concept exists as mod for all the other forum softwares. And it is used by users in the EU without any issue.

Under the GDPR, it is the legal responsibility of website owners and operators to make sure that personal data is collected and processed lawfully.

Typically, GDPR cookie compliance is achieved on websites through cookie banners that allow users to select and accept certain cookies for activation rather than others, when visiting a site.

Arantor

No, for the kind of tracking you're doing, implied consent is not considered sufficient.

But I only have to deal with this in a very practical and legal context, I've only presented on it at international conferences, and I've only had to actually talk to the regulators, I'm not nearly as equipped as someone on the internet.

Sorry for trying to be cautious.

Doug Heffernan

Quote from: Arantor on June 07, 2020, 10:10:31 AM
No, for the kind of tracking you're doing, implied consent is not considered sufficient.

But I only have to deal with this in a very practical and legal context, I've only presented on it at international conferences, and I've only had to actually talk to the regulators, I'm not nearly as equipped as someone on the internet.

Sorry for trying to be cautious.

There is no need to be sorry imo. I completely understand your concerns.

One of the big paid forums has this built in btw. The cookie name and what it does is mentioned in their cookie settings page. And the user has the choice to accept it or not. If they click the "I accept" button, they have given their consent.

m4z

Quote from: Doug Heffernan on June 07, 2020, 09:53:40 AM
And the user has the choice to either visit the website or not. And if the user visits said site, he/she has consented.

That's not correct, see https://gdpr.eu/cookies/
"Faith is what you have in things that don't exist."
--Homer Simpson

There is a German support board here in the forum!
<advertisement>My girlfriend has published her first book!</advertisement>

Doug Heffernan

Quote from: m4z on June 07, 2020, 12:12:59 PM
Quote from: Doug Heffernan on June 07, 2020, 09:53:40 AM
And the user has the choice to either visit the website or not. And if the user visits said site, he/she has consented.

That's not correct, see https://gdpr.eu/cookies/

I am not sure what I was supposed to read there.

m4z

I recommend reading the whole text. Visiting or using a website is not consent. Cookies have to be agreed to, for each type of cookie (essential, tracking, marketing etc.), before the cookie is set (possible exception: essential cookies, where it might not be technically feasible otherwise), by a user action.
You are not allowed to deny service if a non-essential type of cookie is not accepted by the user. (Essentially, this is what you're doing if you force the user to either accept the tracking cookie and use the service, or go away.)

Or, to use a more direct quote:
Quote:
Consent must be freely given
"Freely given" consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no.

Doug Heffernan

Quote from: m4z on June 07, 2020, 01:18:53 PM
I recommend reading the whole text. Visiting or using a website is not consent. Cookies have to be agreed to, for each type of cookie (essential, tracking, marketing etc.), before the cookie is set (possible exception: essential cookies, where it might not be technically feasible otherwise), by a user action.
You are not allowed to deny service if a non-essential type of cookie is not accepted by the user. (Essentially, this is what you're doing if you force the user to either accept the tracking cookie and use the service, or go away.)

Or, to use a more direct quote:
Quote:
Consent must be freely given
"Freely given" consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no.

That has nothing to do with the mod in question btw. Other forums have what my mod does built in and mention it in the cookie banner, like I mentioned in one of my previous posts above. Anyways, the bottom line is that the mod can be used fine in EU countries as well.

Other than that, talking about cookies and what not, is a discussion for elsewhere.

SpacePhoenix

Quote from: Arantor on June 07, 2020, 08:53:13 AM
In fact in Germany in particular, even a temporary session cookie is legally questionable without explicit permission, let alone something more permanent.


That sounds a bit like a legal minefield, technically just by them visiting a page it sounds like the site could potentially fall foul of the relevant German law. Ironically the only way to record that someone hasn't given permission for cookies to be used (afaik) is - cookies
