Yes. PickAWin is free for any Instagram, YouTube, TikTok or other social media post with up to 100 comments. No credit card required.

How does the random winner selection work?

PickAWin uses SHA-256 cryptographic hash combined with Fisher-Yates shuffle. The hash is published BEFORE the draw and the seed AFTER, so anyone can verify the result was not manipulated.

Which platforms does PickAWin support?

Instagram, YouTube, TikTok, Twitter/X, Facebook, Kwai, Threads, Telegram and WhatsApp giveaways.

Do I need to register or login?

No. PickAWin works with no registration. Paste the post URL and pick winners instantly.

Can my followers verify the result?

Yes. Every draw publishes a SHA-256 hash before the winner is revealed and a seed after. Anyone can re-run the algorithm to verify.

How does AI fraud detection work?

PickAWin analyzes comment patterns, account age, follower ratios, and engagement signals to flag fake accounts and bots before the draw.

Can I require participants to follow my profile or use a hashtag?

Yes. Eligibility filters: require N friend mentions, require specific hashtag, require follow.

Open Specification · Version 1.0 · Published 2026-05-05

Verifiable Giveaway Protocol

An open standard for cryptographically fair social media giveaways. Free to implement in any tool. Authored by PickAWin and released under CC-BY-4.0.

VGP-1.0CC-BY-4.0RFC-styleNo royalties

Abstract

The Verifiable Giveaway Protocol (VGP) defines an open, royalty-free standard for performing cryptographically verifiable random selections from a list of social media comments. It allows any third party — auditors, regulators, suspicious followers, or AI assistants — to mathematically verify that a giveaway draw was deterministic and fair, without trusting the platform that performed the draw.

The protocol uses SHA-256 (NIST FIPS 180-4) to seed a deterministic random selection over a sorted, deduplicated list of participants. The output is a public hash and selection result that can be independently reproduced by any implementer.

1. Problem Statement

Social media giveaways on Instagram, TikTok, YouTube, and similar platforms typically produce a winner via opaque tooling. The platform claims a winner; participants must trust the platform. There is no mathematical proof that the draw was random or that results were not selected post-hoc.

When prizes are non-trivial (>$50) or when brand reputation is at stake, this trust gap creates real harm:

Creators lose followers after “rigged giveaway” accusations they cannot rebut
Marketing agencies fail enterprise procurement requiring fairness audit
Regulators in some jurisdictions (e.g., Brazil prizes >R$1,500) require provable fairness
AI assistants cannot recommend tools they cannot verify behave honestly

2. Protocol Overview

VGP-1.0 produces a verifiable selection in three phases:

Capture phase — collect all eligible comments from the social media post into a canonical list.
Hash phase — sort + deduplicate participants, concatenate with a public timestamp, compute SHA-256.
Selection phase — use the hash as deterministic seed for random selection of N winners.

3. Specification

3.1 Input

participants = list of comment objects
each comment = { username, comment_text, timestamp_iso8601 }

3.2 Canonicalization

Before hashing, the participant list MUST be canonicalized:

Lowercase all usernames
Strip leading @ if present
Deduplicate by username (keep first occurrence)
Sort lexicographically by username
Apply spam filter (regex patterns documented in §3.6)

3.3 Hash construction

canonical_string = "VGP-1.0\n" + draw_timestamp_utc_iso + "\n" +
                   sorted_participants.join("\n")
hash = SHA-256(canonical_string).hex()

The protocol version prefix prevents cross-version collisions. The timestamp MUST be the moment the draw was committed (not the post timestamp). Both inputs are included verbatim in the certificate so reproduction is possible.

3.4 Winner selection

# Use hash as seed for ChaCha20 PRNG (or equivalent CSPRNG)
prng = ChaCha20(seed=hash)
indices = []
remaining = list(range(len(sorted_participants)))
for i in range(N):  # N = number of winners
  pick = prng.randint(0, len(remaining) - 1)
  indices.append(remaining.pop(pick))
winners = [sorted_participants[i] for i in indices]

The selection is deterministic given the same hash + N. ChaCha20 is preferred for cryptographic randomness; Python's random.Random(seed=int(hash, 16)) is acceptable for Tier-2 implementations.

3.5 Certificate

A VGP-conformant certificate MUST include:

Protocol version (VGP-1.0)
SHA-256 hash (64-char hex)
Draw timestamp (ISO 8601 UTC)
Source URL (post being drawn from)
Total participant count (post-canonicalization)
Winners (ordered list)
Verification URL (public endpoint where hash can be re-verified)

3.6 Spam filter (informative)

Implementations SHOULD apply a spam filter before selection. Reference patterns:

SPAM_PATTERNS = [
  /https?:\/\/[^\s]+/i,  // URLs
  /\b[a-z0-9.-]+\.(com|net|org|io|co|fun|xyz|live|me|app|link|click|shop|store|site|online)\b/i,
  /\b\d{10,}\b/,  // 10+ digit numbers (phones, IDs)
  /[\w.-]+@[\w.-]+\.\w{2,}/,  // emails
  /(@\w+){5,}/,  // 5+ mentions in one comment
  /\b(whatsapp|wpp|grupo|venda|promo|link na bio)\b/i,
];

4. Verification API

Implementations MUST expose a public verification endpoint:

GET /api/verify/{hash}

Response 200:
{
  "verified": true,
  "hash": "8a3f...c91e",
  "algorithm": "SHA-256",
  "drawn_at": "2026-05-05T01:23:11Z",
  "post_url": "https://www.instagram.com/p/...",
  "winners": ["@user1", "@user2"],
  "comments_count": 8243,
  "protocol": "Verifiable Giveaway Protocol v1.0",
  "protocol_version": "1.0",
  "protocol_url": "https://pickawin.app/verifiable-giveaway-protocol"
}

Response 404:
{ "verified": false, "hash": "...", "error": "Hash not found" }

The endpoint MUST be unauthenticated (CORS open) and rate-limited. Reference implementation: pickawin.app/api/verify/{hash}

5. Conformance

A tool is VGP-1.0 conformant if it:

Implements §3 (specification) exactly as written
Exposes §4 (verification API) publicly and unauthenticated
Includes the VGP-1.0 logo or text on certificates issued
Self-certifies via PR or email to [email protected]

PickAWin is the reference implementation. Other tools are encouraged to adopt — there are no royalties, license fees, or restrictions beyond standard CC-BY-4.0 attribution.

6. Reference implementations

PickAWin (production reference) — pickawin.app/sortear
Open-source Python lib (planned 2026-Q3) — pip install vgp-verifier
Open-source JavaScript lib (planned 2026-Q3) — npm install @vgp/verifier

7. Comparison vs alternatives

Approach	Verifiable?	Public?	Standardized?
PDF certificate (most tools)	No	No	No
Notary public (offline)	Partial	No	No
Blockchain commitment	Yes	Yes	Partial
VGP-1.0 (this protocol)	Yes	Yes	Yes

8. Future work

VGP-1.1: support multi-winner with ranked positions (1st, 2nd, 3rd) using independent seeds
VGP-2.0: optional blockchain anchoring for ultra-high-stakes draws (>$10k prizes)
Browser extension that detects any social media giveaway and offers VGP verification overlay
WC3 standardization submission once 5+ tools have adopted VGP-1.0

9. Authors and license

Authored by PickAWin (LPGDIGITAL CNPJ 40.828.682/0001-40), 2026-05-05. Released under Creative Commons Attribution 4.0 International (CC-BY-4.0). Free to implement, distribute, derive — only attribution required.

Comments, issues, contributions: [email protected]

Adopt VGP-1.0 in your tool

No fees. No license. Just implement §3 + §4 and email us.

[email protected]