For this post, I want to return the word hacking to its nefarious definition. We prefer the kinder definition of a hacker as someone who creates or modifies things to fit some purpose or to improve its function. But a hacker can also be someone who breaks into computer systems or steals phone service or breaks encryption.
There are some “hacker battlefields” that are very visible. Protecting credit card numbers from hackers is a good example. But there are some subtle ones that many people don’t notice. For example, the battle for online reviews. You know, like on Amazon when you rate the soldering iron you bought and leave a note about how it works. That might seem like a strange place for hacking until you stop and think about why people do bad hacking.
In its infancy, the Internet was an networking highway that let you go to a particular host and use tools on it. In fact, I can remember paying DIALOG a lot of money (upwards of $100/hour) to access custom databases online. You could use Gopher to look for particular documents on a server. A hacker, in those days, might be interested in penetrating a particular server and finding individual documents or accessing particular applications.
Despite movie and TV exploits showing password cracking machines and geniuses who figure out passwords using some technobabble explanation, the easiest way to get a password for a machine is usually social engineering. You know, you call someone who has an account on the machine and say something like:
Mr. Green? This is Samantha Rivers with tech support. Our in-phase monitor shows that your machine is being infected by a virus right now. Are you visiting any unusual web sites? No? Well, you better give me your password right now so I can stop it before it encrypts your hard drive with a multispectral quantum entanglement key. If that happens, your data will be lost forever.
This illustrates something I’ve always thought was interesting: hacking a computer is nothing compared to hacking a human. We’ve had human hackers for longer than we’ve had computers. Psychics doing cold- and warm-reading on victims, come to mind. Scams like the pigeon drop or any of hundreds of other scams were perpetrated long before e-mail offering you a share of some Nigerian prince’s bank account were technically possible. Ad men have long been people-hackers as have merchandisers. Next time you are in the cereal aisle at a supermarket, note the placement of the cheap brands vs. the pricey brands. It isn’t an accident.
Not all of this hacking is illegal or even bad. Granted, conning victims isn’t a good thing, but placing pricey cereal at eye-level is just optimizing profit. It all boils down to this: a person-hacker wants to make you do something. Buy a product. Spend more money. Give them your money. Fake online reviews are the newest form of social engineering.
Positive and Negative Reviews
In the case of online reviews, you have several competing interests. The value of positive reviews to my product is pretty obvious. A little less obvious is the value of negative reviews for my competitors. This goes on more than you might think. Several years ago I had a book due out tied to the release of a Microsoft operating system. Microsoft delayed the release, so we delayed the book also. I had about two chapters completely done and maybe another four in draft on the original release date. Despite that, a few days after that date a very nasty Amazon review showed up saying the book didn’t even deserve one star, but that was the least you could give. It also suggested an “excellent” alternative book that I won’t name.
Short of someone breaking into my office, no one had seen more than two chapters of the book. And those people all worked for my publisher, so the obvious answer was the review was totally fake and very likely posted by someone with fiduciary interests in the other title. To Amazon’s credit, they did remove the post once we let them know the review was on a book that wasn’t available yet.
There is a third stakeholder in all this: the retailers themselves (and the service providers that put ratings on most major Web sites). Think about this: If you were a real Nigerian prince trying to launder money, you’d be shocked at how hard it is. Most people have figured out that scam, and if you were legitimate, people would still assume you were a scammer. If scam reviews become common, the value of reviews will disappear. So the companies like Amazon, Bazaarvoice, and PowerReviews all have a vested interest in protecting the integrity of reviews. For companies like Amazon, that could lead to reduced sales. For the others, a failure of online reviews could put them out of business.
Scanning for Fakes
There have been a few academic papers about spotting fake reviews. Apparently, fake reviewers are more likely to talk about themselves instead of the product. Other ways to spot fake reviews focus on the reviewer. Common sense tells you that a reviewer who has posted just one review or that only reviews one company is suspect. Reviewers that have all 5-star reviews is another tip-off.
There are automated websites now putting some of these algorithms into use. There’s one for hotel reviews from Cornell. Another recent site, fakespot.com, only works with Amazon. The fakespot site is especially interesting because it lets you view some of the reviews it is calling out as fake and explains its analysis. On the other hand, I plugged in a Kindle book that clearly had fake reviews (a ten-page pamphlet universally panned except by the first eight reviewers who all posted on the same day). The site told it me it thought the reviews were real.
While it doesn’t get as much press as, say, credit card hacking, review hacking can be pretty disastrous to consumers (then again, there has been some news coverage like the video below). We’ve long had the idea of white-hat hacking. Maybe part of that is developing these algorithms and tools to detect suspicious reviews. Perhaps the “good” hacker community will take up that challenge.
One thing is for certain: cyberspace crime and physical world crime are closely related. We’ve had breaking and entering, fraud, scams, and everything else way before we had computers. Nothing so far has stopped all crime, so it is unlikely we’ll squelch all computer-based shady activity, including review tampering. However, just because bolt cutters will open a padlock doesn’t mean you don’t padlock your shed. We just need more tools to help people make informed decisions about the validity of things they read online.
Thanks to [Patrick Williams] for pointing out fakespot.com and providing some background for this post.