If you want to pressure TripAdvisor into improving security and verifying its reviews properly, please read then Tweet this post or post a link on Facebook. Shortlink http://wp.me/pS2vC-Hj
Creating a Fake ID on TripAdvisor
A Fake Reviewer
I’ve occasionally mentioned how easy it is for unscrupulous owners to fake reviews of their own or of their competitor’s business if they wish to do so. It is not necessary for them to employ someone else to do it, though that is an approach taken by some of them.
I’ve never actually spelled out how “bad” owners trick TripAdvisor to post their own reviews, as I don’t want to encourage it. However, another site has recently spilled most of the beans (though it included one critical error!) and TripAdvisor has responded, so perhaps it is time to reveal all.
1. How TripAdvisor currently Catches Fakes
Every time you visit a website, the site logs your IP address (the identity of the computer that you are using at the time) and places HTTP cookies on the computer or other device you’re using to access the Internet.
This means that every time you visit TripAdvisor you leave behind information that reveals where you are, what kind of Internet browser you are using, what size of screen, what pages of the site you visit, and many other details about your computer and your actions. At the same time TripAdvisor places cookies on your computer so that you can be identified when you return to the website.
This is the “hard” information that Tripadvisor uses in its “automated checking procedures” to identify who is posting reviews – and to catch people using multiple (fake) identities.
In addition TripAdvisor relies on “soft” information from users of its website to alert it to “suspicious” reviews. I’ve done this myself and 4 reviews were deleted from a particular property, though the property was never “red-flagged” as a result. I suspect, though cannot be sure, that properties are only “red flagged” where “hard” information is available.
2. How Fake Reviewers avoid being caught
I do not condone or encourage the use of the following information; but if the tricks become widely known perhaps TripAdvisor will verify its reviews properly, instead of dismissing concerns about the loopholes in its security.
1. Download an IP Changer such as Easy-Hide IP or Cyberghost to hide your real IP – there are dozens of products available, some of them free. An alternative to the fake IP address wheeze is to use free WiFi like McDonalds, or to use an Internet café.
2. Obtain an email address using hotmail, yahoo, gmail, or any other free email.
3. Clear cookies from your machine – this varies according to the browser you are using (e.g. Internet Explorer or Firefox or Chrome). It is best to remove only TripAdvisor cookies rather than all cookies as some contain useful information like remembering favourite pages, login IDs on particular sites etc.
4. Go to TripAdvisor (using the IP changer) and create a new TripAdvisor account using the free email address.
5. Post a review.
That’s all that is needed. The faker can now post as many reviews as he wishes under his new identity, BUT ONLY ONE REVIEW FOR ANY PARTICULAR PROPERTY.
3. Posting Multiple reviews for the same property
Anyone who wants to post several fake reviews for the same property has to work a little harder.
To review the same property again they need to cover their previous tracks and create a new identity. So they need another new IP address (NB some of the free IP changers only give one IP to hide behind), a new email address, then they clear TripAdvisor cookies and create another TripAdvisor account using their latest email address. This can be repeated ad infinitum.
4. How cheats further Cover their tracks and Make Fake Reviews Convincing
None of the following are strictly necessary, but here’s how the professional faker or the keen cheater might further cover his trail and make his fake identities and reviews more convincing.
1. They might vary browser between Firefox, Internet Explorer, Chrome and Safari.
2. They can give their identity credibility by posting a reviews about other places over a period of time before posting the review that counts, and vary their star ratings.
3. They don’t draw attention by posting a lot of reviews at once, but spread them over weeks and even months.
4. If posting for the same property more than once, they might try to change writing style and vocabulary e.g. by converting reviews to another language then back into English using Google Translate – only correcting horrible gaffes, not bad grammar. NB Don’t post reviews in a foreign language using Google Translate – appaling translation is how I uncovered the fake reviewer I exposed.
10. Those who create multiple accounts on TripAdvisor must keep a careful record of TA identities and log-ins, plus the associated IP addresses and email addresses.
Further Reading
Here is the recent article on http://www.visionarydining.com/tripadvisor which prompted me to set the record straight; it is Point 4 that is at fault, where it says to clear the Internet CACHE from the computer: it should say clear COOKIES.
Here is TripAdvisor’s response:
“We cannot emphasise enough our concern about this article; the activity it promotes is illegal and is strictly against our terms of use. Whilst the article in question does not condone the fraudulent use of TripAdvisor, it’s extremely disappointing to see anything which diminishes the high levels of integrity and respect for their customers that the vast majority of those working in the hospitality industry maintain.
“We also believe the vast majority of hoteliers understand the tremendous risk to their reputation and their business if they attempt to post fraudulent information on review sites like TripAdvisor. We take serious steps to penalise businesses who are caught attempting to manipulate the system.”
TripAdvisorWatch: Hotel Reviews in Focus 
Tripadvisor uses ip addresses and cookies and email addresses and Facebook so does eBay
There is a shocking expose available about Tripadvisor’s massive surveillance of its members. It’s TripAdvisor’s Privacy Policy! It details all the stuff they monitor with candor and your jaw will drop when you read it.
hi do ipaddress need to be from the same country as the property being reviewed? can outside ipadresses mark false positives?
Hello everybody!
I find this article very helpful and I tried to make some positive comments to several accounts, by changing my ip adress,cleaning cookies with the program “cc cleaner” and of course by using an inprivate internet connection. However I am not satisfied from the results. Only 2 of my 10 reviews were finally posted and the other ones are still “pending”.For some of them there is not even the notification “pending”, although I confirmed them via the confirmation link that tripadv sends via e-mail. Any idea,why it doesn’t really work in my case?
My husband and I strongly suspect that our business has been attacked several times in some manner by competitors. In fact, we don’t only suspect, we have incontrovertible proof (some of their former employees have validated these suspicions), but we suspect that some of our strangest bad reviews were also a product of fraudulent (mafioso style) behavior on their part. They mention sides that we don’t serve, facts that don’t make sense, such as “We were given the lunch menu, not the dinner menu”, an impossibility given the fact that they are and always have been together in one menu booklet arrangement. I have also observed that there are defunct restaurants in our small tourist town that continue to get suspicious random bad reviews despite the fact that they have been closed for over a year, leading me to believe that these same competitors, or maybe others, have hired outsiders to enhance their standing by attacking others. I have been avidly researching this topic and everything I read has convinced me that they can and have been doing this. The combination of attacks against their competitors and their own pos fake reviews has made them untouchable in the TA world, though locals and tourists alike tell us we are way better in every aspect. I am seriously considering a Cyber attorney group to launch an investigation and possible prosecution. Any advice?
I’m tired of ta in general. The Boston de’s have nothing to do so they quote lmt and hot wire deals all day. There seems to be a conspiracy to dislike the seaport district. Anyone suggesting to go there is accused of blogging under many names and is booted.
They caught up with my multiple accounts and I’ve used the info you posted to setup a new one. So far it’s working great. I don’t see how it can be illegal to have multiple accounts. I don’t have a businees to promote and I don’t want to bad-mouth anyone’s business, so who am I hurting. I just like to be very anonymous.
PMSL! Not what I intended but it’s up to you – happy hunting 🙂
Maybe TripAdvisor saw my “name” in this blog and killed my “Richard Winters” account, so of course I set up another one. This time I was more careful with masking of my IP address using a VPN subscription service that I have, and controlling my cookies. A tip for your viewers might be to suggest using Firefox and the “Private Browsing” feature so that cookies and other info are not stored when they visit the TripAdvisor site. Of course they will then have to log in each time they visit, but with my new TripAdvisor account all is working great so far and I’ve been able to contribute to articles over the past few days. I really believe that it was my cookie settings in Firefox that caused them to detect my last account. Internet Explorer also has a similar privacy feature called “InPrivate Browsing” that may also prove helpful in preventing them from booting you out. Again, let me emphasize that I have no intention of posting fake or malicious reviews and that my goal is simply to remain anonymous from TripAdvisor. I hope that they don’t spend too much time chasing me and killing my fake accounts because it really only takes me a few minutes to setup a new one.
In this recent interview Christine Petersen of TripAdvisor confirms they use IP addresses to detect fraud:
http://www.caterersearch.com/Articles/10/11/2011/341016/caterer-and-hotelkeeper-interview-christine-petersen-tripadvisor.htm
Hidden away on an obscure page TripAdvisor says:
Information for TripAdvisor Owners
We recommend that guests submit a review when they return home from their trip. A review submitted from a hotel lobby computer may appear to be written by staff.
http://www.tripadvisor.co.uk/help/can_my_guests_write_reviews_from_lobby
Bizarrely, this information is addressed to owners; reviewers themselves receive no such warning when posting reviews.
Phil
Hi Phil,
“Most people’s IP addresses aren’t hidden – I can see the IP address of everyone who visits my B&B website in the logfiles.” – I think you will find that what you are seeing is the ‘NAT address’ of everyone who visits your B&B site. In some cases this will uniquely identify a person but in a lot of cases it will only identify the organisation or household. (edited for brevity)
I suppose what I am trying to say is that monitoring IP addresses just wouldn’t be a reliable way for TA to identify a user. It would generate thousands of false results. Think of the scenario of a Travel Lodge (or any big hotel chain). How many people leave reviews while they are at the hotel? They will all be using the same IP address.
Don’t get me wrong. I am not saying I know the answer. Its just that it doesn’t seem a sensible approach for TA to take. But then they may have used IP address monitoring as a political way of convincing themselves and others that they are on top of things.
Chris
No, I never meant an IP address would always identify an individual – I meant it will identify a household or a business location. That an IP address will not necessarily identify an individual is irrelevant – despite that, it is an indicator of identity and it is used by TripAdvisor. This is also why TA warns reviewers not to use an Internet connection while staying at the place they are reviewing.
Phil
PS Nor does it matter if the location given for an IP address is inaccurate – mine always shows as Paris!
Hi Phil,
“This is also why TA warns reviewers not to use an Internet connection while staying at the place they are reviewing.” – I hadn’t realised TA had that warning. I wonder how many people are aware of it. From this statement I would agree that TA probably do use IP addresses as a ‘indicator of identity”. I would still, however maintain that it is a pointless exercise and more politically driven (so they can say they are doing something) than technically driven.
Hi,
What you explained here is the way I had always assumed TripAdvisor worked, with the exception of the necessity to change IP address. I had assumed TA wouldn’t be able to use IP addresses as a check as:
a) most if not all businesses security use a firewall with NAT (network address translation). It would therefore be impossible for two people within the same organisation to leave a review.
b) Most home computers work from behind a NAT firewall where ADSL addresses can and does change (negating TA check).
Any thoughts.
Hi Chris
Most people’s IP addresses aren’t hidden – I can see the IP address of everyone who visits my B&B website in the logfiles. This information is used by Google Analytics to provide statistics on visitor location etc. The logfiles and hence IP addresses of individual visitors can be accessed by the website owner if they wish.
Several machines can appear to share IP addresses if a network address translator (NAT) is used, as is usually the case in workplaces. But the NAT address will be the same. This is a potential problem for TA if several workers in the same workplace post reviews – they all appear to have the same address. I guess this may cause “false positives” in TA’s detection system.
To see if your own IP address is traceable, try this link and see if the IP is one provided by your Internet Service Provider. http://whatismyipaddress.com/
IP address is not always a 100% reliable way of identifying an individual machine connecting on different occasions because some IP addresses aren’t fixed – the user may be assigned a different address on different occasions by their ISP. However, other IP addresses are fixed and are exactly the same every time a person logs on from a particular machine. Even those that aren’t fixed will be part of a block of addresses that can be identified by the website owner.
Phil
Hello Phil,
May I bring your attention to this announcement today: http://b2b.reevoo.com/press/2011/11/reevoo-brings-authentic-travel-reviews-to-the-travel-sector
There are far better models for reviews collection than allowing anyone to leave a review for any hotel; Reevoo’s model, which eliminates fake reviews, is already used by 140+ brands in the retail sector including the likes of Tesco, Orange, Jessops & Dixons. Today’s announcement brings it to the travel sector. I hope it’s of interest.
Disclosure: I work with Reevoo.
Tim.