Lemmy votes ARE public, should they be anonymous?

Xirup , 5 hours ago

Wait a minute, so any admin can see which posts do I upvote/downvote?

bamboo , 5 hours ago

Yep. On kbin I think any user can too.

BentiGorlich , 1 hour ago

On mbin users can only see who upvoted a post. An admin can of course still go into the db and look there, but for users and mods there is no way to see who downvoted a post

Munkisquisher , 5 hours ago

Yes, by looking in the DB or the data that’s federated as it comes through

ericjmorey , 5 hours ago

There's now a UI feature that allows admins to see votes without needing to manually query the database

Link , 5 hours ago

Furthermore, anyone can spin up a Lemmy server if they want to see people’s votes. It’s not very hard or load the same post in kbin/mbin.

otter , 5 hours ago

For what it’s worth, admins/employees on Reddit (or any other website) can also see upvote records.

FiskFisk33 , 5 hours ago

yes, and any instance owner on any federated instance. Oh, and anyone on Kbin.

GBU_28 , 5 hours ago

Yep and they ban people as they see fit, across different communities, based on votes anywhere

skullgiver , 4 hours ago

What you upvote/downvote, when you upvote/downvote. With some database queries, they can also read DMs that are on their server (i.e. if you message someone on my server).

You can see who upvoted a post by putting the URL to the post or comment into any connected mbin server and clicking “favorites”. Downvotes are restricted by default (but admins can see those of course).

The only information admins can see is the information on their server. For Lemmy, that means a server would need to be subscribed to all communities you’re active in for that information to be available. If you want I can DM what upvotes of yours my server knows about.

otter , 5 hours ago (edited 3 hours ago)

Should the Lemmy devs create a way to make the votes anonymous?

I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.

Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.

Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

I left a long comment in the other thread which I will link in a moment, but I think either

1. We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
2. We make it public for everyone and take steps to deal with the new issues that it could cause

Other comment on the benefits/issues: lemmy.ca/comment/11097046

andrewrgross , 4 hours ago

I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.

I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.

Dave , 4 hours ago

Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.

j4k3 , 4 hours ago

I would rather vote identities being blocked from scraping. I don’t care about other users or admins. I would rather that level of information be unavailable to outside commercial sources, especially any timings based metadata that could be used to derive dwell time and other psychological metrics.

Microw , 48 minutes ago

Thats probably a complete nonstarter in a federated network. The metadata needs to be sent via Activitypub, ergo it has to be public.

Damage , 27 minutes ago

I think you’re looking for a different type of community then, like an image board.

troed , 4 hours ago

Keep the Fediverse bot- and troll-free.

The whole idea of being able to behave like a shithead without accountability needs to go.

roguetrick , 18 minutes ago

As with all things you must behave like a shithead in moderation.

ZDL , 5 hours ago

To me the anonymity of voting is the problem, so the solution is to make them public for all, not to find ways of making them more private.

halm , 5 hours ago

The point of privacy is pretty shaky in this context, tbh. Anybody using the fediverse is ensured pseudonymity already, the privacy issue should be whether your account(s) can be linked to your real life identity against your will.

In that regard I can only see positives to making voting public. Foremost it could create some accountability to the system, and maybe minimise the lazier drive-by, doom scroll votes?

lalo OP , 4 hours ago

I completely agree with the idea of more accountability. We are real people in acting public right here, we should be constantly aware that our actions have consequences. If you don’t want your pseudonym associated with a vote, don’t do it. It’s kinda like the opposite of 4chan, where instand of anonymous controversial content on top, here we have human-curated content being pushed up.

halm , 4 hours ago

Couldn’t agree more, and if we passed around imaginary gold on Lemmy, I’d give you a dubloon for this.

rglullis , 4 hours ago

I’m so, so glad to see I am not the only one that thinks this way.

ZDL , 3 hours ago

It’s the lazy drive-by and rage votes specifically that I would love to see eliminated. If you’re too much a coward to defend a position, maybe you shouldn’t express it.

TheEntity , 3 hours ago

On Kbin the votes are 100% public for anyone. I’ve migrated to Lemmy after the frequent server issues with Kbin and I miss that part dearly. It was very easy to gauge whether someone was engaging in a good or bad faith discussion by checking the votes within a discussion. That being said, personally I’m very light on my downvotes, and I can see how someone more trigger-happy would see it as worrying. Personally I see the vote transparency as healthy though.

Th4tGuyII , 2 hours ago

To be fair, there's a point to be made that someone who's overly trigger-happy on dislike should be shamed for it.
Just like you would be if you kept being snide to everyone in real life.

I agree that transparency would do much more good than harm, plus compared to the info that people already put in their profiles/comments, it's not likely to make them anymore identifiable.

TheEntity , 59 minutes ago

I’d even argue public votes can deescalate some situations, for example where both sides of a relatively heated discussion can see they vote each other up. They don’t necessarily agree but they appreciate the other side’s points.

As for the transparency, it’s not possible to list all the votes of a user, one rather needs to list votes on a given post. To profile a given user the attacker would need to cross-reference the data from all posts and comments which is computationally infeasible, both client-side and server-side.

Carrolade , 5 hours ago

No, there is no real need. An account is already pseudo-anonymous. Full anonymity adds no real value beyond making it easier to manipulate vote tallies with bot accounts undetected.

edit: As a side note, this is one of the more transparent social media communities. It’s not terribly privacy-oriented in general. The enhanced transparency is part of its appeal.

mozz , 5 hours ago

With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.

lalo OP , 5 hours ago

What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.

rglullis , 4 hours ago

1. You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
2. Your history will never be fully portable.
3. It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
4. What is the criteria for “malicious”?

lalo OP , 3 hours ago

1. Currently, any admin can modify any local user activity, can’t they?
2. Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
3. Don’t see the problem.
4. Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.

rglullis , 3 hours ago (edited 53 minutes ago)

1. Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
2. But then you have two different events.
3. Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over every little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
4. No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.

Max_P , 3 hours ago

The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.

That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.

I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.

For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.

Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.

Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.

lalo OP , 3 hours ago

We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.

ricdeh , 1 hour ago

That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.

chicken , 3 hours ago

I bet you could do it with ring signatures

a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature

souperk , 4 hours ago

For anyone interested, there are a few papers on cryptographically secure voting, where both voter anonymity and election integrity are preserved.

Most designs consider three separate entities, where if you accumulate the information between those entities you would be able to identify a voter and his vote, but each entity on itself does not hold enough information.

wazoobonkerbrain , 1 hour ago

That’s interesting. I have read multiple comments to the effect that it would not be possible for lemmy to implement anonymous voting because the underlying ActivityPub protocol does not support it. So it sounds like solutions do exist, although I suppose the effort required to modify ActivityPub is too much, more likely the feature will be included in some successor to the fediverse.

DoctorButts , 4 hours ago

Votes should be transparent for everyone. Right now the system assumes that mods/admins are somehow inherently more responsible than the average user, but well, just look at the garbage clusterfuck admin/mod teams of certain instances. You're telling me you're gonna trust these people with this information and not everyone else? Get the fuck outta here.

ianovic69 , 4 hours ago

I’m not technical and I’m also not young.

I think anyone coming into an online social platform who thinks that any part of it is private, is too naive and/or uneducated to be using that type of platform.

I’m sure there’s parts of platforms which are private, I just don’t think it’s advisable to assume that at any point.

You’re online, interacting with people. If you wanted privacy, don’t be there doing that. Post and behave as if you are publishing everything to a major commercial physical publication. Every post, every comment, every vote, every blocked user. On every one of your accounts.

Otherwise, you’ll get what’s coming to you. And I’m fine with that.

Th4tGuyII , 1 hour ago

Yeah. If you're on a public forum accessible to anyone, which the whole fediverse is, then you should never assume privacy.

Honestly transparency in this regard would be better - they're already visible to much of the community, so they might as well be visible to everyone.

RustyShackleford , 5 hours ago

Wouldn’t it be easier to leave it as an option for each user on Lemmy?

If users want anonymity, let them have it. If they want to share their vote, let them do that. Forcing one option on others without the voice of the usually silent majority isn’t going to fix anything, it’s just going to scare some people away or start posts requesting it private again; or optional.

Not to mention, using this method you will quickly see how many users really wanted this option based on how many leave privacy enabled or disabled, instead of listening to a current vocal minority.

lalo OP , 4 hours ago

User choice would be best indeed. The problem is that currently the votes are public but hidden from Lemmy regular users. Anonymize votes seems to be such a big problem the devs don’t even want to consider it.

ianovic69 , 4 hours ago

currently the votes are public but hidden from Lemmy regular users

Tough. If you think any action you take on a social media platform is private then you shouldn’t be here.

Whether it is private or not isn’t the problem. It’s people assuming any part of is. Behave or suffer. Just like the real world.

Cephalotrocity , 5 hours ago

The more I spend time on Lemmy, the more I think it is in a lot of trouble. There are many serious issues that need to be addressed and I don’t see how most of them can be.

Federation is touted as a Good, but has many drawbacks. Privacy (as listed in this post for example) for one, instead of algorithm curated/focused content federated servers each enforce (subconsciously or overtly) a theme, rampant user generation off multiple servers rendering moderation pointless, and so on.

Then there is the rampant issue of moderation abuse. It seems that the only reason to be a moderator is to not be annoyed at other people forcing their opinions on you. This reminder that admins/mods get yet another way to subject the users to their biases is the nail in the coffin IMO. “You vote this way? Banned because my feelings matter more”.

Privacy is important for a lot of people and that is impossible to get on Lemmy unless something drastically changes, but it doesn’t sound like this is will ever happen. The people that can see your data is not under your control at all and I think this fact alone will never allow Lemmy to grow to a place we can be happy with.

If admins can see data without limits, everyone should be able to. All 5 of us once that realization sinks in.

;tldr I don’t think even admins should see peoples data but that seems impossible so…

MagicShel , 4 hours ago

I’ve been thinking about this for several hours since I first became aware of the debate.

I don’t care that much in theory if anyone sees my votes. They aren’t anything I’m particularly private about. I care about conversation way more than up/down votes.

However, some people get a little upset about being downvoted. I think it will result in retaliatory downvotes. You already see that when two folks are arguing. I don’t normally waste my time downvoting a post I’m writing a rebuttal to, but when they are downvoting me I tend to do it back. I think if everyone had easy access, they would hunt down their down voters posts and retaliate regardless of the quality of the comments.

Lastly, I wonder if this will give rise to a client that lets you use one account to post/comment and a different one to vote. And if it does, will that be better all around? Then no one will be able to associate votes with a user. But it seems unnecessarily wasteful to create a whole account that does nothing but vote. It seems like it would deny mods (and everyone) a useful tool for identifying bad actors.

Technically, anyone could get access to the voters identity if they try hard enough but 99% of the users won’t put in that much effort. And technically someone could already use different accounts for different activities, but without reason to create a client to support that it’s too much of a pain to be worth the effort.

So I really think I’m on team status quo here.

rglullis , 2 hours ago

I don’t normally waste my time downvoting a post I’m writing a rebuttal to, but when they are downvoting me I tend to do it back. I think if everyone had easy access, they would hunt down their down voters posts and retaliate regardless of the quality of the comments

That would stop as soon as people start reporting this behavior to mods who felt enabled to ban users based on unjustified downvoting.

MagicShel , 2 hours ago (edited 51 minutes ago)

I’m really skeptical about that. Either that they would do it or that such “justified” downvoting would be a clear cut or fair decision. Most people don’t vote the right way. How many people downvote content they agree with or find funny but doesn’t add to the discussion? How many people upvote content they disagree with that does add to the discussion?

And am I really going to take up a mod’s time because someone got mad at me and downvoted—the most accessible and innocuous was to express displeasure with someone? How many more complaints about downvote bullying are mods going to have to field?

I don’t know. You could be right, but I’d want to see it successful in a small scale, if possible, before deploying it everywhere. Maybe the folks suggesting it should be up to the server admin are right. That would be another differentiator and people could go to communities on servers that have their preferred visibility policy. That would serve as an A/B test and let people vote with their feet.

rglullis , 1 hour ago

How many people downvote content they agree with or find funny but doesn’t add to the discussion?

Again, this is only a problem because we have lost this sense of shared culture. If we really want to have an established “community”, these guidelines will have to be one way or another be restored and enforced.

How many more complaints about downvote bullying are mods going to have to field?

Here is an idea: instead of trying to remove power from people, let’s give more of it. Hiding votes is hard, but creating a finer-grained permission system for moderation is not. Let’s build a system where mods can assign other mods for specific types of reports. Then, we can have few mods who would be “all powerful” like they are now and we could have a bunch of “issue-specific” trusted users who could access/triage specific reports.

We shouldn’t need mods to figure out what is “basic” spam and we shouldn’t need powerful mods to say “user A is reporting that B has downvoted their last 5 posts in different conversations. This is a violation of the community rules and therefore should be banned.”

Th4tGuyII , 2 hours ago

Votes should absolutely be public. They were on KBin, and it made people more civil for it because you could be shamed if you were dislike trolling or liking all of your own posts/comments to make them look better (which is something you actively have to do on here, unlike Reddit).

Given this place is pseudo-anonymous anyways, and people comment far more personal and identifiable info here anyways (which tbf you should be careful about), I think public votes would do much more good than harm.