Blog  |   Puzzles  |   Books  |   About

Mayor of the North Pole

[NOTE: I’ve posted some recent developments at the bottom. ]

I’ve been blatantly cheating at foursquare for the past week. I didn’t mean to start the week this way. Most of my friends know me as a responsible father who occasionally plays piano at local open mics, and makes puzzles.

Last Sunday, while checking into the Hill Street Cafe in Burbank using the foursquare iPhone app, I idly wondered, “Can I become the mayor of the North Pole?” So I tried checking into a nearby 7-Eleven. It worked. I tried the Griffith Observatory about 5 miles away. It worked. I tried Disneyland, which is about an hour away. It didn’t work, but I now had an afternoon hacking project.

When I got home, I looked to see if foursquare had an api. They did. So I found a venue that was close to the North Pole, the “Top of the World” hotel in Barrow Alaska, and checked myself into it.

This can be done on the command line using the curl program, like so:

curl -u EMAIL:PASSWORD -d “vid=993842” http://api.foursquare.com/v1/checkin

Try it! You’ll need to substitute in your own email and password. 993842 is the venue id of the “Top of the World” hotel, as can be seen in the URL of this page:

http://foursquare.com/venue/993842

This venue wasn’t actually in foursquare’s database, so I added it, using the ‘addvenue’ call. I also added a venue for the actual North Pole. It turns out it’s much easier to become the mayor of something if nobody else has ever checked into it.

[ Edit: Some folks have rightly pointed out that you can easily do the same thing with the mobile website (mobile.foursquare.com). For my purposes, as you’ll see in a moment, the API was more efficient… ]

Here’s the North Pole venue I made:

http://foursquare.com/venue/995274

Ultimately, I ended up adding a lot of venues. I used Google Earth to create KML files of interesting venues, and wrote a script to import them all into foursquare. I did the same thing with Yelp. I found that foursquare would rate-limit me if I added them too quickly, so I added them two and a half minutes apart. Later, I found that by rotating among multiple accounts while adding venues, I could add them much more quickly.

At some point last week, I devolved into a 12 year old hacker, and I spent many spare hours (and my computer’s spare cycles) abusing the system with a set of scripts operating fake accounts. Not only did I add new venues like the North Pole, but I started persistently checking into coveted landmarks, like the Statue of Liberty.

What can I say? It was fun, and foursquare’s incentives (badges and mayorships) spurred me on. Incentives invite abuse, even from mild-mannered folks like me.

Eventually I amassed a huge number of mayorships, spread among multiple accounts, including the Statue of Liberty, Mount Rushmore, the Lincoln Memorial, Stonehenge and the Taj Mahal, as can be seen in this screen snapshot.

I wrote a script that would walk through a list of venue ids, and check into them one by one. Then I created about 10 fake foursquare accounts, and had them take over different territories.

I created five “Java Monkeys” which grabbed about 120 different Starbucks in different regions (east, west, midwest, south, intl). I identified and targeted hotly contested Starbucks by searching Twitter for recent oustings. My script automatically visited those ones, to the consternation of the new mayors.

I created a fake Martha Stewart who checks into dollar stores and pawnshops when not visiting Martha Stewart Omnimedia and the set of her TV Show.

I created a fake Simon Cowell who visits massage parlors and gets lunch at Hotdog on a Stick when not visiting the Kodak theater.

I created a fake Tommy Chong who is mayor of 130 cannabis clinics.

I created a fake Sammy Davis Jr who checks into casinos and bars in Las Vegas.

I created a “random nerd” who checked into a number of large campuses in the Silicon Valley.

The “Java Monkeys” got the biggest reactions. Foursquare users get far more irate when they lose mayorship of a Starbucks, as compared to a Statue of Liberty or Mount Rushmore. People are much more attached to the small places they visit over and over, and have some personal investment in. The smaller the venue, the bigger the value.

I started collecting badges as well, by checking into places that have tags like “karaoke”, “photo booth”, “gym” and so on.

I was able to get a swarm badge by monitoring Twitter for when a particular location got up to 40 check-ins (this happens at a couple of Tokyo train stations quite regularly) and then checking-in all my accounts at once to trigger a swarm (which occurs at 50 check-ins). This RSS feed is useful for detecting impending swarms.

Finally, I started giving people free sailboats. I found that if you checked into a venue tagged “boat,” you automatically get the awesome “I’m on a boat” badge; and unlike the other badges, it only requires a single check-in. So I started identifying high-traffic places via the above Twitter search, and then adding the tag “boat”. Suddenly, visitors to metropolitan airports and various sports arenas got free sailboats for Valentine’s Day.

My juvenile crime spree is now over, and I’ve “laundered” my foursquare account, by transferring the credentials to a new one. This URL used to go to the account that stole the Statue of Liberty, but now it goes to a new account, because foursquare allows you to reassign twitter accounts, and constructs the URL using your active twitter account.

This is my original account, which is now inactive.

It seems clear that foursquare is going to have some massive authentication issues to deal with if they are going to grow larger than their current size. Some things to consider:

1) Provide additional measures to detect that people actually are where they say they are. I imagine this is not an easy problem to solve: if I send you a set of coordinates, it doesn’t mean I’m actually there. At a minimum, they can measure the time of travel between successive check-ins by comparing the coordinates and time stamps. If I’m traveling close to the speed of sound, something is clearly up.

2) Make it less easy to create fake accounts. Right now, there’s not even a Captcha.

3) Don’t construct a permanent-looking URL from a twitter account (which can be transferred to a different foursquare account). This provides a method of “laundering” accounts.

More generally, I think the combination of a poorly moderated and insecure folksonomy with incentives (e.g. badges, mayorships, free meals, etc.) is a fragile one. The greater the incentives, the greater the motivation for cheating.

As it stands right now, foursquare has quite a few holes. If I were a restaurateur or coffee shop owner, I would be very wary of giving free meals or lattes to foursquare mayors, unless the employees know the mayor by sight.

UPDATE

My story seems to be getting some picked up in a few places. Here’s some reaction on Twitter. Mostly positive, I think, although a few foursquare insiders were a bit put out, as one would expect. Dennis Crowley was quite nice about it, thank god.

If I stole your Starbucks, I’m really sorry about it, and I will gladly buy you a latte, if you find me in a Starbucks.

UPDATE #2: My story was covered on TechCrunch this morning. MG Siegler was mostly on-the-money, except for this bit:

The problem, with regard to false check-ins, is that the only solid way to do this is to a check-in to your actual GPS coordinates. The problem with this, as Gowalla knows all-too-well, is that it can be hard (and in some cases impossible) to get GPS data while users are indoors.

Um, not exactly. The problem is that you can’t trust the person who’s sending GPS coordinates to send the correct ones. This is a tough, tough problem, and it will become increasingly obvious as incentives increase.

UPDATE #3: Foursquare founder Dennis Crowley has provided some thoughtful commentary in the comments, below.

UPDATE #4: The LA Times interviewed me and got a few more details…

UPDATE #5: Alison Cummings of the Montreal Social Media Examiner posted this reaction to the whole brouhaha. I’m going to call her “perceptive” because she called TechCrunch’s tone “whiny”. :)

78 Responses to “Mayor of the North Pole”

  1. jbum Says:

    Elise – yes, dishonest people suck.

    However, it’s going to be hard to find five hundred thousand people with the same core values, or who agree what is and what isn’t fair. This is why the application needs to enforce it to *some* degree (more so than it currently does). You can’t expect a crowd this large to behave rationally (or cohesively).

  2. Tamooj Says:

    It’s wryly amusing to people in the online video game industry to watch the casual-games and web services (foursquare, twitter, etc.) learn the hard lessons about hacking and griefing that we skinned our collective knees on about ten years ago. The techniques, motivations, and core psychology of people who tweak with your system is pretty constant and predictable, in much the same way MTBF works for hardware. Eventually you just start to grok the mindset and make sure you design around the hot buttons. This is not about better algorithms for detecting cheating – this is about the psychology of getting-attention (a core need for all social animals) and the rewards for play. In the game industry we call these emergent behaviors ‘interesting failure states’. The reality is that 500,000 people will find a lot more bugs, loopholes and exploits than your five internal testers could ever dream of uncovering, especially when there are incentives involved… even if that reward is only attention.

  3. Man Checks-In Everywhere But Foursquare Rehab « Christian Hershberger Says:

    […] Earlier today, I was ousted as the mayor of the Googleplex Patio on  Foursquare. Turns out, it was this guy. KrazyDad was a man on a mission: to show the holes in Foursquare’s check-in based system. […]

  4. jimhop Says:

    Well done! You should have crated some vague “hot spots” like “NobodoyGivesADamn” and become “Mayor” – I would be funny to see “You are the Mayor of NobodyGivesADamn”. Thanks for pointing out the time drain that is FourSquare

  5. Petites réflexions sur la géolocalisation | Nicolas Roos Says:

    […] Foursquare et Gowalla, deux services quasimment similaires ont introduit sur ce marché la notion de jeu et de classement. Chaque action (localisation, ajout de lieu, …) est récompensé par des points et des badges. Une façon de récompenser les utilisateurs pour leur activité sur le réseau. Ce système a, selon moi, des limites. En effet, en dehors d’un public de technophiles et de geeks avertis, l’utilisateur lambda n’a que faire de ces points virtuels. Même les utilisateurs assidus perdent vite intérêt  à ce système. Une fois le sommet du classement atteint (ou au contraire, la stagnation en bas de l’échelle), les utilisateurs s’essoufflent, et l’effort demandé devient alors supérieur aux bénéfices. On peut parler ici de ROI pour l’utilisateur final. L’autre aspect négatif de cette notion de jeu et de classement est le fait qu’elle génère une fausse activité dans l’unique but de gagner des places. Un utilisateur a récemment démontré qu’il était même possible de tricher de manière automatique via l’API. Vous pouvez voir un de ses profil Foursquare et lire son article sur les méthodes utilisées et les différents comptes créés. […]

  6. Nu kan man fuska i GPS också « Kraschkurs Says:

    […] allt det här bygger ju på att systemet funkar. Och nu har en användare visat att det är rätt lätt att fuska. Jim Bumgardner, programmerare som har bloggen KrazyDad började med att bli Mayor för […]

  7. Gotanda @4square Says:

    Wondered why all of a sudden I got random badges like “I’m on a Boat!” when I checked in to Shinjuku Station the other day. Now all is revealed. Thanks!

  8. @HHOTELCONSULT Says:

    Very interesting.

    I think less deviously, if SMS isn’t recording proper location… and you set it up so that it looks like you are going to and from airports…. you can create a relative level of legitimacy by making your tracks look sanguine and logical…. “well yes you can go from that landmark to an airport to another landmark”

    I will likely delete it, but I just got my swarm badge – I just got back from DC yesterday, and live in SF. My last check in was Dulles…. and it isn’t illogical to think I flew to NY (not sfo), got my swarm in brooklyn, then went to La Guardia and flew back to SF. I was just experimenting, but I got addicted to foursquare from the business practicality side… I work in hotels and was VERY excited.

    I am now not so excited.

    This is a major problem. One that will put me off of it.

    In the end, a real community is about really knowing people. Until these loopholes are closed I don’t know if this is meaningful….

    It isn’t the 90% of the users not cheating, it’s the 10% that are. And like irrevocably broken yelp, there’s a lot of incentive to cheat.

    These people don’t think the internet is serious bussiness, they think it’s Candyland. Why not cheat at Candyland? It’s not a big deal…….

  9. inya face Says:

    I just wanted you to know
    You’ve seen better days
    And no matter what happens
    You’re a waste of space

    Have a horrible day!

    Oh and by the way, your websites are horribly designed. Maybe you should hire out help? Looks like you need it. Good luck!

  10. Jeff Ballweg Web Design // Christchurch » Balance in the Economy of Foursquare Says:

    […] snag with the game: it’s easy to cheat. You don’t have to be a hacker to do it either, though some have gone that route. You simply check into places you’re not really at. Because your GPS is only so accurate, and […]

  11. The Web Outside » Blog Archive » Place-Based Screens Encourage Authentic Check-Ins with Location Relevant Messaging Says:

    […] has been fairly heavily criticized for their lack of lockdown on whether or not users “cheat,” while Gowalla has been getting slammed for being almost too strict, in that GPS […]

  12. Montgomery Burns Says:

    KrazyDad, why build when you can buy?? Buy your way into office that is. http://www.getmayor.com Want to get mayorship of that starbucks down the street, well now you can!

  13. jbum Says:

    Oh jeez. And so it begins..

  14. I’m a Foursquare Cheater | MikeKey.com Says:

    […] of places like the Taj Mahal, the Pyrmaids and the PlayBoy Mansion. I was inspired by a guy called Dr. Cheat who also blogged about it and become the mayor of dozens of places. The problem with Foursuare and […]

  15. » Realtime Datamining Of Location Data Karl Reinsch’s Blog Says:

    […] also Jim Bumgardner’s “Mayor Of The North Pole” for a perspective on forging location […]

  16. Perpetual Work in Progress » Blog Archive » Foursquare- Is it more than just a game? Says:

    […] about it, you have one who is out there to take advantage of the platform.  Recently there was a guy who, through the Foursquare API, was able to become mayor of places without ever being there among […]

  17. Gaming FourSquare with Bill Brasky Says:

    […] confess however, that this idea isn’t original. I have to give credit to Jim Bumgardner of KrazyDad.com who began similarly gaming FourSquare some time ago. Though this isn’t a new idea, I’m […]

  18. Foursquare Cops « Thoughts Says:

    […] Comment! The problem of policing location-based check-ins is actually not an easy one to solve, especially since many of the locations themselves are user-created in the first place. Although GPS is accurate enough, not all mobile phone triangulation techniques are (and GPS won’t work indoors), so Foursquare had chosen to be lenient in making check-in honesty a matter of honour rather than validating it themselves. Combined with an open API, this led to a certain amount of abuse, including from the Mayor of the North Pole. […]

  19. How Foursquare Is Changing The “Game” « Danielle Ricks' Social Media Update Says:

    […] to earn those coveted Superstar and Overshare badges. And you may even start cheating, just so you can make outrageous claims like, “I’m the mayor of the North Pole.” The whole time, you’ve also got one eye on the Leaderboard, so you can prove, once and for […]

  20. Brian Jones Says:

    Looks like we’ve got our first actual checkin on Mt. Everest. From Fourquare’s official twitter stream: “RT @AndeanHealth: John Rudolf, First person to Check in on @Foursquare from Everest Base Camp! He’s climbing the 7 Summits for @AndeanHealth”

    There’s going to be a new mayor in town. haha.

  21. Joe Rosenberg Says:

    Recently joined foursquare and figured I might meet some local people who eat at the same places I do who otherwise would remain nameless and maybe even faceless. Now my world wide friends are asking to be my friend and it becomes just another site where the intended purpose gets devalued. Brilliant expose by the mayor of all places.
    Joe

  22. jbum Says:

    Chris Gwynne sent in the following comment:

    Couldn’t post due to proxy, but wanted to add my 2 cents:

    The topic of hacking Mayorships came up today amongst my friends as a way to potentially decrease someones social standing in an ironic twist of Foursquare’s intention. As we live in Bangkok, if say a politician was to become mayor of a very well known brothel such as Poseidon Entertainment Complex, it would have some ramifications during the pseudo civil war we are having here now. And of course given the high probability that the politico is hobnobbing with a general (who probably owns the place) this would be be fantastic to abuse.

    Thanks for showing me how! Don’t worry, I won’t do it as I don’t have the time to spare with all that scripting, but I was curious about pulling off this kind of prank.

    But now surely someone else with political motivation will for far more nefarious purposes.

  23. Paul Evans Says:

    Just curious, for a tech dolt like me looking to just help a client add multiple locations (several hundred actually, same name/different address) … is there a way to do that without laboriously typing them all into “add venue” in Foursquare?

  24. jbum Says:

    There is a way to do it with scripts, for sure, but perhaps out of direct reach for neophytes. Perhaps you could hire someone?

  25. Stephen Tong Says:

    I wonder if foursquare is gonna fix these “holes” now.

  26. jbum Says:

    I’ve heard they’ve already fixed some of them, but I haven’t messed around to find out the extent of the fixes.

  27. Chris Smowton Says:

    To all of you who’re suggesting that GPS or other geolocation is the answer: you just can’t do it.

    How’re you going to find out where a given user is? They could send their GPS coordinates, but the scripts pulling that data out of the phone are written in Javascript, meaning the source is wholly visible to the user. There’s nothing to stop you from figuring out what the script does with the coords and doing it yourself manually.

    The second way many sites try to locate users is by consulting your IP address. This doesn’t work, however, as mobile operators typically have a single large pool of IPs that gives little or no hint about your true location (could give a good hint that a desktop user is cheating, though).

    The third thing we could use is nearby cell towers, wifi hotspots, and other things Google has a list of :) Again if we rely on a client-side Javascript to harvest the data then it *won’t* work, as there’s no way for the server to differentiate the results of its own scripts from a malicious user generating server-side calls directly. This would work, however, if it were possible to e.g. query the mobile operator, asking a suitably vague question like “is this IP address associated with a device near this cell tower?” I wouldn’t want my mobile operator to answer that question, though — too much potential for abuse, as it’s be possible to harvest your location fairly precisely without the site asking permission.

    There is one solution: phones with a Trusted Platform Module could generate trusted data. This is essentially a physical device which holds a secret private key, to which the corresponding public key is well known (e.g. can be looked up given the device’s serial number). Then at the OS kernel / hardware level you support an operation which queries the GPS chipset (or mobile chipset to discover a list of nearby cell towers, etc) and encrypts that information using the TPM. Then you have an unforgable blob of data which can be sent to FourSquare or whoever which attests to your location.

    Of course even this is somewhat vulnerable; depending on the level at which the “secure-get-location” operation is implemented you might be able to get around the restriction by rewriting the OS kernel to permit TPM-encryption of arbitrary data or by physically messing with the hardware. It’d certainly make it a heck of a lot harder though.

  28. Dave McKinney Says:

    Hi,

    I am a big fan of your site. You’ve always got great info. Anyway, I know that you are interested in Foursquare, so I thought you might like to check out the Foursquare app I’ve just built for Facebook and WordPress.

    “My Foursquare makes it easy to show off your badges, mayorships and checkins on Facebook, your blog or your website”.

    http://www.myfoursquare.net/

    If you want more info I can send you a detailed blurb and screenshots etc. Thanks, and keep the good info coming!

    Dave McKinney
    My Foursquare