Lemmy votes ARE public, should they be anonymous?

Lemminary , 9 hours ago

Make the author of the comment/post see who voted for them.

otter , 9 hours ago (edited 8 hours ago)

Should the Lemmy devs create a way to make the votes anonymous?

I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.

Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.

Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

I left a long comment in the other thread which I will link in a moment, but I think either

1. We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
2. We make it public for everyone and take steps to deal with the new issues that it could cause

Other comment on the benefits/issues: lemmy.ca/comment/11097046

andrewrgross , 8 hours ago

I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.

I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.

Dave , 8 hours ago

Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.

Carrolade , 9 hours ago

No, there is no real need. An account is already pseudo-anonymous. Full anonymity adds no real value beyond making it easier to manipulate vote tallies with bot accounts undetected.

edit: As a side note, this is one of the more transparent social media communities. It’s not terribly privacy-oriented in general. The enhanced transparency is part of its appeal.

mozz , 9 hours ago

With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.

lalo OP , 9 hours ago

What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.

rglullis , 8 hours ago

1. You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
2. Your history will never be fully portable.
3. It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
4. What is the criteria for “malicious”?

lalo OP , 7 hours ago

1. Currently, any admin can modify any local user activity, can’t they?
2. Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
3. Don’t see the problem.
4. Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.

rglullis , 7 hours ago (edited 4 hours ago)

1. Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
2. But then you have two different events.
3. Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over every little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
4. No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.

Max_P , 8 hours ago

The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.

That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.

I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.

For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.

Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.

Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.

lalo OP , 7 hours ago

We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.

ricdeh , 5 hours ago

That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.

chicken , 7 hours ago

I bet you could do it with ring signatures

a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature

ZDL , 9 hours ago

To me the anonymity of voting is the problem, so the solution is to make them public for all, not to find ways of making them more private.

halm , 9 hours ago

The point of privacy is pretty shaky in this context, tbh. Anybody using the fediverse is ensured pseudonymity already, the privacy issue should be whether your account(s) can be linked to your real life identity against your will.

In that regard I can only see positives to making voting public. Foremost it could create some accountability to the system, and maybe minimise the lazier drive-by, doom scroll votes?

lalo OP , 8 hours ago

I completely agree with the idea of more accountability. We are real people in acting public right here, we should be constantly aware that our actions have consequences. If you don’t want your pseudonym associated with a vote, don’t do it. It’s kinda like the opposite of 4chan, where instand of anonymous controversial content on top, here we have human-curated content being pushed up.

halm , 8 hours ago

Couldn’t agree more, and if we passed around imaginary gold on Lemmy, I’d give you a dubloon for this.

rglullis , 8 hours ago

I’m so, so glad to see I am not the only one that thinks this way.

ZDL , 7 hours ago

It’s the lazy drive-by and rage votes specifically that I would love to see eliminated. If you’re too much a coward to defend a position, maybe you shouldn’t express it.

halm , 51 minutes ago

And now I definitely want to see whoever downvoted your post outed as cowards 👍👍

Xirup , 9 hours ago

Wait a minute, so any admin can see which posts do I upvote/downvote?

bamboo , 9 hours ago

Yep. On kbin I think any user can too.

BentiGorlich , 5 hours ago

On mbin users can only see who upvoted a post. An admin can of course still go into the db and look there, but for users and mods there is no way to see who downvoted a post

Redjard , 1 hour ago (edited 16 minutes ago)

There is a “Reduces” tab on mbin, which shows downvotes

BentiGorlich , 1 hour ago

There was and is not anymore

Redjard , 59 minutes ago

Then maybe it is still around on some instances?
Either way, it is only a matter of time for another fediverse software to show downvotes, or someone to spin up a vote info page which gets its information via undisclosed legitimate fediverse instances so you cannot defederate them.

BentiGorlich , 55 minutes ago

I was actually the one removing it. I implemented the support for incoming downvotes and because I and others had concerns to keep showing remote users downvotes publicly we / I removed it.

Redjard , 51 minutes ago

That’s a pretty reasonable compromise, and probably explains my confusion.
Why didn’t you do the same for remote upvotes?

BentiGorlich , 49 minutes ago

Upvotes were already implemented when we did the fork. I guess we just never really thought about it. I honestly just have no opinion on whether upvotes should be public or not, so I don't mind them being public, but I basically never check who upvoted my posts anyway, so might as well be removed... If people care about this I'd say it is just up for discussion...

Redjard , 41 minutes ago

In my case I would like them to be private, but currently they are not. I don’t think it is good to try to hinder the visibility into a fundamentally transparent system.

I don’t see a technical way to make votes private either, that doesn’t prevent bad actor instances abusing the vote system. As an admin of an instance I could just add 5-10 votes to all of my interactions whenever I feel like it, and noone would be able to tell it didn’t come from legitimate users on my instance. The accounts of vote origin are needed as proof, hence moderators on lemmy having access to them.

Do you perhaps have any idea how this could be accomplished?

Munkisquisher , 9 hours ago

Yes, by looking in the DB or the data that’s federated as it comes through

ericjmorey , 9 hours ago

There's now a UI feature that allows admins to see votes without needing to manually query the database

Link , 9 hours ago

Furthermore, anyone can spin up a Lemmy server if they want to see people’s votes. It’s not very hard or load the same post in kbin/mbin.

otter , 9 hours ago

For what it’s worth, admins/employees on Reddit (or any other website) can also see upvote records.

Jumuta , 41 minutes ago

this is different, oc is talking about “any admin”. Anyone can make a lemmy server and become a server admin from which they might be able to see the voters

FiskFisk33 , 9 hours ago

yes, and any instance owner on any federated instance. Oh, and anyone on Kbin.

GBU_28 , 9 hours ago

Yep and they ban people as they see fit, across different communities, based on votes anywhere

skullgiver , 8 hours ago

What you upvote/downvote, when you upvote/downvote. With some database queries, they can also read DMs that are on their server (i.e. if you message someone on my server).

You can see who upvoted a post by putting the URL to the post or comment into any connected mbin server and clicking “favorites”. Downvotes are restricted by default (but admins can see those of course).

The only information admins can see is the information on their server. For Lemmy, that means a server would need to be subscribed to all communities you’re active in for that information to be available. If you want I can DM what upvotes of yours my server knows about.