TransWikia.com

How to mitigate sockpuppeting?

Community Building Asked by golopot on September 3, 2021

In web communities where voting on an item is an essential feature, the vote result could be easily biased by one single user if she registers many accounts and votes. What approaches can mitigate sockpuppeting?

I write the software from scratch and have total control over the feature set.

(This is a general question asking for system designs that prevent a single person from casting multiple votes by faking multiple accounts.)

5 Answers

Social voting is absolutely broken.

As you, and countless others, I'm sure, have observed: the "vote" means precisely bupkis.

The problem with online “voting” (or “liking”, or “plussing”, etc) is that it is a dimensionless data point.

Does getting 300 “likes” on a post make it “good”? Does it reflect on its quality in any way? How about getting nearly 400 upvotes (and only a handful of downvotes) on a question about MySQL (along with 100+ “favorites”) mean the question is good? Does it show something is popular? Are people clicking the vote mechanism out of peer pressure, because they actually agree, or because they think it needs more visibility? Or something else entirely?

What do you think a "vote" means? Was it "good"? Did it "help"? Was it "funny"? Do you just like the user who posted it?

Why do you even think you need any form of "voting"? (Outside of peer pressure, because "everyone else does it"?)

If you really want to obtain something that even resembles value for a vote, you need to include a lot more data:

And the total of each type of click should be shown – show me 10,000 people disagreed with what I said, 15,000 agreed; 20,000 upvoted, and 30,000 downvoted; 12,000 reshared it (with, or without, comment).

Because "voting" - especially so-called "sockpuppeting" or "revenge voting" - has some nasty side-effects:

Using voting as a means of hiding things (and trying to prevent others from seeing them) can be somewhat akin to online bullying – revenge voting has its problems; as does blindly upvoting anything a particular person says/does. Which is why assigning (and then displaying) dimensionless data anything more than a count is dangerous.

Unless you have an unusually strong need to have something that resembles a "vote" (or like, or +1, or ♥️, etc), DON'T even put it in!

Answered by warren on September 3, 2021

Proactively: bind the registration to something that your users cannot easily replicate. Instead of using an e-mail, use a phone number to confirm registrations. Or, if you are really serious, verify registration using a digital signature (whose certificate is signed by an authority trusted by you).

Reactively: monitor all activity your users do, including all page views, posting and voting activity, and have heuristics to determine if the activity is legit. A normal user would browse the site, make posts, vote on many posts, while a sockpuppet would go straight to the desired post and vote on it. You should silently roll back the votes that trigger your heuristics.

Answered by Calmarius on September 3, 2021
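The reactive heuristic described in this answer, as an added example (not code from the answer's author): accounts that vote but show almost no other activity are flagged, and the tally is recomputed without their votes. The event log, the account names and the `min_other_activity` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample activity log: (account, action, post_id)
EVENTS = [
    ("alice", "view", 1), ("alice", "view", 2), ("alice", "vote", 2),
    ("alice", "post", 3), ("alice", "view", 7), ("alice", "vote", 7),
    ("bob", "view", 7), ("bob", "view", 4), ("bob", "vote", 4), ("bob", "view", 5),
    ("sock1", "view", 7), ("sock1", "vote", 7),
    ("sock2", "vote", 7),
    ("sock3", "view", 7), ("sock3", "vote", 7),
]

def profile(events):
    """Summarise each account: counts per action and the distinct posts touched."""
    stats = defaultdict(lambda: {"view": 0, "vote": 0, "post": 0, "targets": set()})
    for account, action, post_id in events:
        stats[account][action] += 1
        stats[account]["targets"].add(post_id)
    return stats

def suspicious(stats, min_other_activity=2):
    """Flag voters with almost no activity beyond the single post they voted on."""
    flagged = set()
    for account, s in stats.items():
        if s["vote"] == 0:
            continue
        # Posts written plus posts touched other than the first one (assumed metric).
        other = s["post"] + len(s["targets"]) - 1
        if other < min_other_activity:
            flagged.add(account)
    return flagged

def tally(events, excluded=frozenset()):
    """Count votes per post, silently skipping votes from excluded accounts."""
    counts = defaultdict(int)
    for account, action, post_id in events:
        if action == "vote" and account not in excluded:
            counts[post_id] += 1
    return dict(counts)

if __name__ == "__main__":
    flagged = suspicious(profile(EVENTS))
    print(sorted(flagged), tally(EVENTS), tally(EVENTS, flagged))
```

Because the rollback happens at tally time, the flagged accounts see no error and the stored votes stay available for later review.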

The only real way to solve the problem is to filter the users who are allowed to vote. You need to be honest with your community and say that you are not interested in opinions of unestablished users. There are many reasons that might make you think this way, for example, but not limited to:

  1. People who just pass by are likely to leave soon and not be affected by the decision they are supporting.
  2. New users may not understand the scope of the problem being discussed, even if they have all good intentions (that was the reason for my not voting in the last moderator elections of RPG.SE).
  3. Allowing new users to vote promotes sockpuppeting.

So, you need to choose a method to filter the users. Some methods are usually just bad and ineffective, for example:

  1. Allowing only one vote per IP allows people with dynamic IPs to vote more than once, while people who share an IP for whatever reason cannot share their possibly different opinions.
  2. Only allowing votes from accounts that are at least N days old. It does not protect you from prepared attacks (one could carefully register a lot of sockpuppet accounts that you won't notice until the D-day). It also does not really distinguish an active user who is just kinda new to the scene, but very active, and someone who has just registered some time ago, forgot about their account and remembered about it yesterday. This method can be valid sometimes, but clearly not on its own.
  3. Filtering by the amount of content they have created. It encourages spam.

They might not be inherently bad, but from my experience in various communities, they usually don't work and do way more harm than good.

Methods that work if implemented well:

  1. Accepting votes only from people who have shared their personal information, including their names and photos: it is hard to fake real-life identities. This also helps if they lose their password and e-mail: they would be able to show you a filled password restoration paper with a real ID attached to prove the ownership of the account. Note that you are not allowed to do it in some jurisdictions! Sadly, a prepared attack can bypass this countermeasure.
  2. Accepting votes only from people who have been manually selected as trustworthy. That might sound mean, but this really, really works.
  3. Only accepting votes if you write a comment explaining why you think this way. Takes more effort than voting, and you will be able to find sockpuppets by their similar writing style, similar mistakes, etc.
  4. Only accepting votes from people who have measurably contributed to the community in some way. For example, StackExchange network uses reputation for that, and it works -- I would increase the thresholds, though, because it takes just a tiny amount of rep to be able to vote. One popular Russian IT web-site makes you contribute at least one well-received article for your opinion to count. Obviously, it's not easy to generate useful content for each sockpuppet you create, and it's even harder not to get caught (see above).
  5. Only accepting votes from people that were invited by other established users. Works if the number of possible invitations is limited.
  6. Disclosing the names of every voter. This way it might be easier to find out the sockpuppeting.
  7. Make a bot that will automatically find and notify you of strange patterns in users' behaviour: same IP, similar activity hours, same machine (you can use cookies to find that out), using different IPs under the same machine, with a different IP for different account, etc. Manually recheck those cases, and apply measures that you need.

Those are some of the ways you can use. Many more exist, and the exact set that you need heavily depends on your community's needs and size.

For example, a small web-site with only 10 users is a place where any sockpuppet attempt will be quickly discovered. Everyone knows everyone. You don't even need polls in such a system, such a forum can just discuss stuff.

A forum with 5,000 active users is the opposite of this, and many anti-fraud systems are needed.

Answered by Baskakov_Dmitriy on September 3, 2021
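A sketch of the pattern-finding bot from item 7 of this answer, as an added example (not the answer author's code): it scores account pairs on shared device cookie, shared IP and shared active hour, and queues only the stronger matches for manual recheck. The login records, the weights and the threshold are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample login records: (account, ip, device_cookie, hour_utc)
LOGINS = [
    ("carol", "198.51.100.7", "dev-A", 9),
    ("carol", "198.51.100.7", "dev-A", 20),
    ("dave",  "198.51.100.7", "dev-B", 13),   # same office IP, own machine
    ("p1",    "203.0.113.10", "dev-Z", 2),
    ("p2",    "203.0.113.11", "dev-Z", 2),    # different IP, same machine
    ("p3",    "203.0.113.12", "dev-Z", 3),
    ("erin",  "192.0.2.44",   "dev-E", 18),
]

# Assumed weights: a shared machine is strong evidence, a shared IP alone is weak.
WEIGHTS = {"cookie": 3, "ip": 1, "hours": 1}

def signals(logins):
    """Collect the IPs, device cookies and active hours seen for each account."""
    seen = defaultdict(lambda: {"ip": set(), "cookie": set(), "hours": set()})
    for account, ip, cookie, hour in logins:
        seen[account]["ip"].add(ip)
        seen[account]["cookie"].add(cookie)
        seen[account]["hours"].add(hour)
    return seen

def review_queue(logins, threshold=3):
    """Return [(account_a, account_b, score, reasons)] for pairs worth a manual look."""
    seen = signals(logins)
    queue = []
    for a, b in combinations(sorted(seen), 2):
        # A signal counts when the two accounts share at least one value for it.
        reasons = [k for k in WEIGHTS if seen[a][k] & seen[b][k]]
        score = sum(WEIGHTS[k] for k in reasons)
        if score >= threshold:
            queue.append((a, b, score, reasons))
    return sorted(queue, key=lambda row: -row[2])

if __name__ == "__main__":
    for row in review_queue(LOGINS):
        print(row)
```

The carol/dave pair shares only an IP and stays below the threshold, which avoids the shared-IP false positives the answer warns about.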

You can do a few things to mitigate against users creating multiple logins to skew the voting. None will prevent it completely but will go a long way to reduce vote fraud.

  1. Disallow signups from throwaway e-mail domains like mailinator etc. People will have to use "real" e-mails to sign up with. You will need to keep the list of banned domains up-to-date as new services come online.
  2. Require that voting accounts are verified by sending out an e-mail. This will also discourage people from using throwaway e-mail addresses.
  3. Strip out modifiers from e-mail addresses when checking if they've already been used. For example GMail allows you to create addresses of the form:

    username+modifier@gmail.com

    Strip out the "+modifier" and they won't be able to use their GMail address more than once. Obviously you need to keep the full address the user entered as they're probably using the "+modifier" to filter their e-mails.

  4. Require that the user participate in some way, posting content etc. before they can vote. While this isn't foolproof it does require that the putative puppet master has to run several accounts as though they were real accounts. Few people are going to be that determined.

Even with these ideas in place you're still going to get people who want to game the system. As a fail-safe make sure you have a mechanism that can remove the fraudulent votes. Either make sure the votes are removed when accounts are deleted or have a manual "remove votes" option in your admin pages. Again it won't stop the most determined puppet master, but will help reduce the problems they cause.

Answered by ChrisF on September 3, 2021
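Items 1 and 3 of this answer as an added example (not code from the answer's author): a canonical key is used only for the uniqueness check while the address as entered is kept for delivery. It goes slightly beyond the answer by also folding Gmail's ignored dots and the googlemail.com alias; the blocklist contents and function names are assumptions.

```python
DISPOSABLE_DOMAINS = {"mailinator.com"}   # assumed starter list; must be kept up to date
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

class SignupError(ValueError):
    """Raised when a registration is refused."""

def dedup_key(address):
    """Canonical form used only for uniqueness checks, never for sending mail."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise SignupError("not an e-mail address")
    # Assumption: mailbox names are treated as case-insensitive.
    local, domain = local.lower(), domain.lower().rstrip(".")
    local = local.split("+", 1)[0]        # drop the "+modifier" part
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")    # Gmail ignores dots in the mailbox name
        domain = "gmail.com"
    if not local:
        raise SignupError("empty mailbox name")
    return f"{local}@{domain}"

def register(address, accounts):
    """accounts maps dedup_key -> address as entered; returns the stored key."""
    key = dedup_key(address)
    if key.rsplit("@", 1)[1] in DISPOSABLE_DOMAINS:
        raise SignupError("disposable e-mail domain")
    if key in accounts:
        raise SignupError("address already registered")
    accounts[key] = address.strip()       # keep the full address for delivery
    return key

if __name__ == "__main__":
    db = {}
    print(register("Jane.Doe+forum@gmail.com", db), db)
```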

The most effective way to mitigate sockpuppeting would be to make registering multiple accounts more difficult - require captcha, track IP addresses and sessions. In most cases trespassers would be quite easy to block.

Answered by BanzaiTokyo on September 3, 2021
