[NOTE: I've posted some recent developments at the bottom. ]
I’ve been blatantly cheating at foursquare for the past week. I didn’t mean to start the week this way. Most of my friends know me as a responsible father who occasionally plays piano at local open mics, and makes puzzles.
Last Sunday, while checking into the Hill Street Cafe in Burbank using the foursquare iPhone app, I idly wondered, “Can I become the mayor of the North Pole?” So I tried checking into a nearby 7-Eleven. It worked. I tried the Griffith Observatory about 5 miles away. It worked. I tried Disneyland, which is about an hour away. It didn’t work, but I now had an afternoon hacking project.
When I got home, I looked to see if foursquare had an api. They did. So I found a venue that was close to the North Pole, the “Top of the World” hotel in Barrow Alaska, and checked myself into it.
This can be done on the command line using the curl program, like so:
curl -u EMAIL:PASSWORD -d “vid=993842″ http://api.foursquare.com/v1/checkin
Try it! You’ll need to substitute in your own email and password. 993842 is the venue id of the “Top of the World” hotel, as can be seen in the URL of this page:
This venue wasn’t actually in foursquare’s database, so I added it, using the ‘addvenue’ call. I also added a venue for the actual North Pole. It turns out it’s much easier to become the mayor of something if nobody else has ever checked into it.
[ Edit: Some folks have rightly pointed out that you can easily do the same thing with the mobile website (mobile.foursquare.com). For my purposes, as you'll see in a moment, the API was more efficient... ]
Here’s the North Pole venue I made:
Ultimately, I ended up adding a lot of venues. I used Google Earth to create KML files of interesting venues, and wrote a script to import them all into foursquare. I did the same thing with Yelp. I found that foursquare would rate-limit me if I added them too quickly, so I added them two and a half minutes apart. Later, I found that by rotating among multiple accounts while adding venues, I could add them much more quickly.
At some point last week, I devolved into a 12 year old hacker, and I spent many spare hours (and my computer’s spare cycles) abusing the system with a set of scripts operating fake accounts. Not only did I add new venues like the North Pole, but I started persistently checking into coveted landmarks, like the Statue of Liberty.
What can I say? It was fun, and foursquare’s incentives (badges and mayorships) spurred me on. Incentives invite abuse, even from mild-mannered folks like me.
Eventually I amassed a huge number of mayorships, spread among multiple accounts, including the Statue of Liberty, Mount Rushmore, the Lincoln Memorial, Stonehenge and the Taj Mahal, as can be seen in this screen snapshot.
I wrote a script that would walk through a list of venue ids, and check into them one by one. Then I created about 10 fake foursquare accounts, and had them take over different territories.
I created five “Java Monkeys” which grabbed about 120 different Starbucks in different regions (east, west, midwest, south, intl). I identified and targeted hotly contested Starbucks by searching Twitter for recent oustings. My script automatically visited those ones, to the consternation of the new mayors.
I created a fake Martha Stewart who checks into dollar stores and pawnshops when not visiting Martha Stewart Omnimedia and the set of her TV Show.
I created a fake Simon Cowell who visits massage parlors and gets lunch at Hotdog on a Stick when not visiting the Kodak theater.
I created a fake Tommy Chong who is mayor of 130 cannabis clinics.
I created a fake Sammy Davis Jr who checks into casinos and bars in Las Vegas.
I created a “random nerd” who checked into a number of large campuses in the Silicon Valley.
The “Java Monkeys” got the biggest reactions. Foursquare users get far more irate when they lose mayorship of a Starbucks, as compared to a Statue of Liberty or Mount Rushmore. People are much more attached to the small places they visit over and over, and have some personal investment in. The smaller the venue, the bigger the value.
I started collecting badges as well, by checking into places that have tags like “karaoke”, “photo booth”, “gym” and so on.
I was able to get a swarm badge by monitoring Twitter for when a particular location got up to 40 check-ins (this happens at a couple of Tokyo train stations quite regularly) and then checking-in all my accounts at once to trigger a swarm (which occurs at 50 check-ins). This RSS feed is useful for detecting impending swarms.
Finally, I started giving people free sailboats. I found that if you checked into a venue tagged “boat,” you automatically get the awesome “I’m on a boat” badge; and unlike the other badges, it only requires a single check-in. So I started identifying high-traffic places via the above Twitter search, and then adding the tag “boat”. Suddenly, visitors to metropolitan airports and various sports arenas got free sailboats for Valentine’s Day.
My juvenile crime spree is now over, and I’ve “laundered” my foursquare account, by transferring the credentials to a new one. This URL used to go to the account that stole the Statue of Liberty, but now it goes to a new account, because foursquare allows you to reassign twitter accounts, and constructs the URL using your active twitter account.
It seems clear that foursquare is going to have some massive authentication issues to deal with if they are going to grow larger than their current size. Some things to consider:
1) Provide additional measures to detect that people actually are where they say they are. I imagine this is not an easy problem to solve: if I send you a set of coordinates, it doesn’t mean I’m actually there. At a minimum, they can measure the time of travel between successive check-ins by comparing the coordinates and time stamps. If I’m traveling close to the speed of sound, something is clearly up.
2) Make it less easy to create fake accounts. Right now, there’s not even a Captcha.
3) Don’t construct a permanent-looking URL from a twitter account (which can be transferred to a different foursquare account). This provides a method of “laundering” accounts.
More generally, I think the combination of a poorly moderated and insecure folksonomy with incentives (e.g. badges, mayorships, free meals, etc.) is a fragile one. The greater the incentives, the greater the motivation for cheating.
As it stands right now, foursquare has quite a few holes. If I were a restaurateur or coffee shop owner, I would be very wary of giving free meals or lattes to foursquare mayors, unless the employees know the mayor by sight.
My story seems to be getting some picked up in a few places. Here’s some reaction on Twitter. Mostly positive, I think, although a few foursquare insiders were a bit put out, as one would expect. Dennis Crowley was quite nice about it, thank god.
If I stole your Starbucks, I’m really sorry about it, and I will gladly buy you a latte, if you find me in a Starbucks.
UPDATE #2: My story was covered on TechCrunch this morning. MG Siegler was mostly on-the-money, except for this bit:
The problem, with regard to false check-ins, is that the only solid way to do this is to a check-in to your actual GPS coordinates. The problem with this, as Gowalla knows all-too-well, is that it can be hard (and in some cases impossible) to get GPS data while users are indoors.
Um, not exactly. The problem is that you can’t trust the person who’s sending GPS coordinates to send the correct ones. This is a tough, tough problem, and it will become increasingly obvious as incentives increase.
UPDATE #3: Foursquare founder Dennis Crowley has provided some thoughtful commentary in the comments, below.
UPDATE #4: The LA Times interviewed me and got a few more details…
UPDATE #5: Alison Cummings of the Montreal Social Media Examiner posted this reaction to the whole brouhaha. I’m going to call her “perceptive” because she called TechCrunch’s tone “whiny”. :)