Pubdate: Wed, 24 Aug 2016
Source: Los Angeles Times (CA)
Copyright: 2016 Los Angeles Times
Contact:  http://www.latimes.com/
Details: http://www.mapinc.org/media/248
Author: Paresh Dave

WEEDMAPS MAY HAVE FAKE REVIEWS

Many Glowing Remarks Come From the Same Ip Address, a Software Flaw Shows.

Millions of consumers treat Weedmaps like the Yelp for pot, relying 
on the Irvine company as their definitive guide to marijuana 
dispensaries, varieties and doctors.

But a key feature - user reviews of pot businesses - may be tainted 
by thousands of potentially fraudulent comments, a flaw in the 
company's software revealed.

Reviews on the site are pseudonymous, and visitors reasonably expect 
that each is written by a unique customer. But data that Weedmaps 
mistakenly leaked suggests that a large proportion of glowing remarks 
come from individual users leaving multiple reviews of a single business.

Of 598 businesses examined by the Los Angeles Times and a software 
developer, 70% had at least one batch of reviews originating from the 
same IP address.

The repetition is suspicious because IP addresses are typically 
associated with a single device for up to years. One address 
contributing several reviews for the same dispensary raises questions 
about their validity.

Weedmaps Media Inc. President Chris Beals disputed that his company's 
user-generated ratings lead consumers to improper conclusions. The 
firm also has virtual tours and menus, including sometimes 
lab-verified chemistry details of items, whose accuracy he says is 
more important to customers.

"The reviews are definitely part of the picture," Beals said. "We 
don't want to neglect anything, but to be honest, it's critical to 
have accurate menu and lab information. That's the No. 1 complaint."

A separate analysis looking at the text in reviews estimates that 62% 
of all dispensary comments on Weedmaps are fake.

Beals said that the percentage of problematic reviews is much lower 
and that the company will catch more questionable submissions as it 
develops automated tools to help its 15 moderators.

In some cases, multiple reviews from a single IP address may be 
explained by someone reviewing different menu items separately or 
several roommates critiquing the same business.

Weedmaps stopped exposing reviewers' IP addresses in its publicly 
accessible code Friday, the day after The Times questioned the 
security lapse but weeks after a person speaking on the condition of 
anonymity notified the company about the issue.

The lax design and policing should concern Weedmaps users, technical 
experts said. Though Internet companies often store IP addresses to 
help filter spammers or robots that leave fake posts, revealing them 
publicly poses a threat.

An IP address isn't enough on its own to definitively identify a 
user, but the string of numbers could be the first clue to unmask 
marijuana users. It can be enough to match a physical address, hack 
into someone's Wi-Fi network or lure them into a cyberattack, 
computer security experts said.

"It's personal information that should be stored in a secure way," 
said Andrew Komarov, chief intelligence officer at data security firm 
InfoArmor Inc.

A person close to Weedmaps described the long-known bugs as 
symptomatic of wider growing pains. Like many companies, Weedmaps has 
experienced a rocky transition from a self-funded, loosely organized 
start-up to an industry leader with more than 200 employees, middle 
management and increased controls. It has shred through several 
technology leaders and only recently beefed up its engineering team.

"The foundation cracked, but they kept building," said the person, 
speaking on the condition of anonymity. Now, "trying to fix the 
foundation with a house on top of it is a huge undertaking."

The technology issues also show how operating on the fringes hampers 
the industry. Marijuana use remains illegal under federal law, 
against many employment contracts and a sensitive discussion for 
many. Such concerns give users reason to stay in the shadows. The 
taboo may have turned the services into an afterthought for security 
researchers who scour the Internet for software bugs. And stigmas 
kept away potential software engineers and investors until recently, 
Beals said.

Launched eight years ago by a marijuana advocate paired with a young, 
potsmoking software programmer, Weedmaps is crucial for marketing 
medicinal and recreational marijuana operations. Facebook and Google 
ban ads that promote drugs. Yelp allows dispensary ads, but doesn't 
yet have features tailored to them, a spokeswoman said. That leaves 
6-year-old Seattle start-up Leafly as Weedmaps' chief rival.

Weedmaps has long been controversial. Co-founder and Chairman Justin 
Hartfield once called the medical marijuana industry a "farce" in 
which he was complicit. In regions with regulatory gray areas, 
Weedmaps maintains listings of unlicensed businesses, causing a mix 
of delight and frustration for dispensaries.

But the closely held company remains a megaforce, generating millions 
of dollars in revenue annually from charging businesses for listings, 
prominence or extra features. Profits have gone into event 
sponsorship, pot legalization campaigns, producing YouTube videos and 
feature development.

At The Times' request, software developer Norman Scoullar scrubbed 
the listings of about 300 top dispensaries and 300 top delivery 
services using a tool he launched, Weed Blacklist. Forty-three 
businesses had more than 100 questionable reviews because of IP 
address commonality. For most, about 20% of reviews came from a 
single batch of users.

Scoullar said he plans to launch a rival because Weedmaps isn't 
adequately addressing the potential ratings inflation.

"Without patients that trust the industry, there is no market for 
dispensaries or listing services and people slowly go back to the 
black market," he said.

Fakespot, a New York City start-up that picks out suspicious 
Amazon.com and Yelp reviews based on text and user analysis, found 
problems with 62% of Weedmaps' reviews. Fakespot Chief Strategy 
Officer Ming Ooi called that nearly an F grade by online shopping 
standards, given that the service flags 40% of Amazon reviews.

Using data that Scoullar gathered, Fakespot discovered that a 
significant amount of reviews originated from three universities: 
USC, UC Irvine and Cal State Long Beach. Looked at critically, that 
could be a sign of a program that incentivized college students to 
leave reviews, Ooi said. Beals described it as a testament to the 
service's popularity among millennials.

In one of the most glaring instances, Southwest Patient Group's 
delivery service in San Diego has earned a 4.9 rating out of a 
possible 5.0 on Weedmaps. But five IP addresses accounted for 40 of 
the 53 reviews. Weedmaps' review-filtering policies are apparently 
weak enough that a pair of identical reviews from the same user have 
both been allowed to stand.

Dispensary manager Alex Adelo said the findings could be a 
consequence of offering consumers a free joint or free delivery if 
they leave reviews. He acknowledged that the practice violated 
Weedmaps' ban on compensation for reviews but he described it as 
normal for dispensaries.

"Weedmaps' reviews have been a standard for the industry, and they 
are helpful in improving our services," Adelo said. Weedmaps' 
shortcomings are "unfortunate" but somewhat "normal for a growing industry."

Another person involved in the industry said dispensary managers ask 
employees to leave reviews too - again a potential policy violation 
and explanation for the high volume of flagged reviews.

Moderators and sales representatives contact dispensaries suspected 
of gaming the system, Beals said.

He noted that upgrades are coming, which would bring Weedmaps' 
reviews system to Internet norms.
- ---
MAP posted-by: Jay Bergstrom