Banned or Back in a Minute?
When you are a child and you misbehave in front of your parents, you get caught. More importantly, you also get punished for your behavior. You are not going to get that ice-cream cone you have had your heart set on all day. The presence of your mother is a clear incentive to be on your best behavior. When you’re online, however, it’s a completely different story.
Often there is someone watching, just as mother would be, but there are no consequences to getting caught. The troll still gets his ice cream and, worse, can continue to cause issues for legitimate users. If an anti-social user is reported or identified in an online community, the transgression needs to be punished. Otherwise, the bad behavior will continue and any user reporting or user monitoring functions become useless.
Why are there no consequences? It doesn’t seem that web admins and community managers would want to encourage bad behavior. The issue lies with the technologies websites use to punish malicious users. These solutions are either very easy for the troll to work around, or they are a headache to implement and drive away users.
One of the most common ways web admins try to deter anti-social behavior is through a combination of an account ban and a verified email address. Once the user’s account is banned, he will need a verified email address to create a new account. This verified email must be different from the banned user’s previous email address, since that email is already in the website’s user database. The problem with this system is that most people have more than one email address, and even if they don’t, it takes about 10 seconds to create another one. A troll can just continue to generate new emails and then, presto, create new accounts.
Unlike verified email, IP bans can be a very effective way of preventing people from accessing your site; sometimes, however, they can be a little too effective. Banning an IP address prevents a user from accessing your site from that address. IP addresses are also tied to geographic locations, so if a site is having a large problem with users from a certain region, it can even ban the entire IP range of that region. This can be very effective, especially if you have a very concentrated group of anti-social users, such as a group of scammers from Nigeria.
As with email, however, IP bans do have their issues. The biggest issue is that it is not very difficult to change your IP address. Download a free VPN or hop on a proxy server and, poof, you just got past the IP ban.
Furthermore, an IP address may represent multiple users. Multiple people may share a computer or have one IP address for their entire household. A school or university, for example, might have only three or four IP addresses for a community of thousands. This opens up the potential for accidental bans. By banning a certain IP address you may block the problem user, but you may also block a significant number of legitimate users. For example, Africa is one of the fastest growing mobile markets. If a web admin blocks traffic from Nigeria to prevent scams, they may lose a lot of legitimate traffic. That’s a risk many web admins won’t be ready to take.
The answer: account creation needs to be tied to something that you can’t get a new one of and that is easily verifiable. A user can go to the library or change their IP, and they can clear their cache to get rid of cookies, but they can’t get a different SSN. Plus, information like your SSN or your loving mother’s maiden name is easily verifiable through credit databases. This type of information, called absolute information, is one of the only effective measures to prevent banned users from re-accessing a website. Additionally, this type of verification is relatively hassle free. It only takes a couple of seconds to fill out another field and enter the last four digits of your social. Unlike IP bans, which can cause headaches for innocent users, or client certificates, which require an installation, using absolute identifiers is quick and painless.
For example, suppose a website requires a user to enter their legal name and the last four digits of their SSN to register. This combination of SSN and name is unique, so the website can easily verify that it is valid using a credit database. Then, if the user is banned, they will have to re-enter their SSN and personal information to create a new account. This is bad news for the banned user. The user’s non-sensitive information is already stored in the website’s user database, so they can’t re-register with their real personal information. The problem for them is that their SSN will only match the banned user’s true personal information. Unless they are committing some serious felonies, the banned user won’t have access to someone else’s social security number. Absolute identifiers have done their job and prevented the troll from creating a second account. The result: no ice cream.
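The registration flow described above, sketched as an added example (not code from the original article). Assumptions: `fake_verify` is a hypothetical stand-in for the credit-database check with constructed records, and the site stores a keyed hash of the normalized name plus last four digits rather than the raw values; `FINGERPRINT_KEY`, `Registry` and the other names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Assumption: server-side secret stored outside the user database (constructed).
FINGERPRINT_KEY = b"constructed-demo-key"


def normalize_name(legal_name):
    # Case, spacing and Unicode variants must map to the same identity.
    name = unicodedata.normalize("NFKC", legal_name)
    return " ".join(name.casefold().split())


def identity_fingerprint(legal_name, ssn_last4):
    # Keyed hash, so the database holds no raw SSN digits.
    if not (len(ssn_last4) == 4 and ssn_last4.isascii() and ssn_last4.isdigit()):
        raise ValueError("ssn_last4 must be exactly four digits")
    msg = f"{normalize_name(legal_name)}\x00{ssn_last4}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


class Registry:
    def __init__(self, verify_identity):
        self.verify_identity = verify_identity  # hypothetical credit-database lookup
        self.accounts = {}   # fingerprint -> email
        self.banned = set()  # fingerprints of banned identities

    def register(self, email, legal_name, ssn_last4):
        if not self.verify_identity(legal_name, ssn_last4):
            return "rejected: identity not verified"
        fp = identity_fingerprint(legal_name, ssn_last4)
        if fp in self.banned:
            return "rejected: identity is banned"
        if fp in self.accounts:
            return "rejected: identity already registered"
        self.accounts[fp] = email
        return "ok"

    def ban(self, legal_name, ssn_last4):
        fp = identity_fingerprint(legal_name, ssn_last4)
        self.banned.add(fp)
        self.accounts.pop(fp, None)


def fake_verify(legal_name, ssn_last4):
    # Constructed records standing in for the external verification source.
    known = {("jane q. public", "1234"), ("john doe", "9876")}
    return (normalize_name(legal_name), ssn_last4) in known
```

The ban is keyed on the verified identity, not the email address, so a fresh email or a differently capitalized name does not produce a new account.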