Voting in ESPN's College GameDay Campus Commercial Contest was halted Tuesday after a inauspicious first day of voting. Voting was fast and furious in the early stages, and the numbers were staggering. By 11:00 pm Monday night, North Carolina State and Texas A&M were well out in the lead with over 400,000 votes each. For comparison, Nebraska only had 56,771 votes at that point. Was that a sign of the fervor of Wolfpack or Aggie fans? Hardly.
It was a sign of just how badly ESPN implemented this contest. It was just begging to be hacked, and that's just what a few N.C. State and Texas A&M fans did. Within a few hours, ESPN began restricting voting, but the damage was done. Tuesday morning, ESPN completely stopped the voting, posting the following message:
We've Been Overwhelmed With The Fan Response! We're Taking a Time Out to Ensure the Integrity of the Vote. Check Back for Updates.
And voting is still halted at this time. What went wrong?Simply put, ESPN's web site had bigger holes than Nebraska's defensive line in the 2007 game against Southern Cal. Voting was easy... too easy. Even Chicago election commissioners thought it was a flawed process. You could vote in one of two ways: you could use your Facebook login or provide an e-mail address. Note I said that all you had to do was provide an e-mail address. You didn't have to prove it was your e-mail address - or even prove that it was a real e-mail address. Just give ESPN something that looks kind of like an e-mail address. See the problem?
So some enterprising script hackers wrote some quick scripts, and fired at will at ESPN's contest. All you had to do was enter an e-mail address and select your school. Easy as pie. All you had to do was change the e-mail address each time you voted. So the first vote was from, oh, firstname.lastname@example.org. The next vote was from, email@example.com. And, of course...the vote was for Texas A&M. Start the script, and grab a beverage. Send it to some friends, and let them join in the fun.
In a matter of hours, ESPN shut down the e-mail voting option, but the damage was done. ESPN probably has been spending the last two days trying to do two things: (1) determine which, if any, votes can be salvaged and (2) plugging the hole. The first is probably more difficult, depending on whether ESPN actually bothered to keep any logs of the voting. If ESPN bothered to track which computers generated each vote, it might be fairly easy to filter out all of the bogus votes that each computer generated. If not, it may be impossible to salvage.
Fixing the problem with e-mail is fairly simple. When someone votes with their e-mail address, you simply send an e-mail back to confirm the vote. The e-mail message contains a link, and the voter must click on the link to confirm the vote. That ensures the e-mail address is valid, and it's the voters e-mail address. Is that foolproof? Nope, but it's a start. People can have multiple e-mail addresses, so you have to track voting patterns to identify people with multiple e-mail addresses. You also have to keep an eye out for services that allow you to create temporary e-mail accounts, and have a plan to deal with those.
What's surprising to me is that an organization like ESPN allowed a contest like this to start in the first place. It's likely that the people who set this up had never participated in, let alone actually helped develop, an online contest like this. That lack of experience is another hurdle that must be cleared even before the problems with the contest can be corrected. When the backstory about this contest finally emerges, it's sure to be remembered on future lists of epic failures.