Lemmy votes ARE public, should they be anonymous?

Xirup , 9 hours ago

Wait a minute, so any admin can see which posts do I upvote/downvote?

bamboo , 9 hours ago

Yep. On kbin I think any user can too.

BentiGorlich , 5 hours ago

On mbin users can only see who upvoted a post. An admin can of course still go into the db and look there, but for users and mods there is no way to see who downvoted a post

Redjard , 53 minutes ago (edited 6 minutes ago)

There is a “Reduces” tab on mbin, which shows downvotes

BentiGorlich , 52 minutes ago

There was and is not anymore

Redjard , 49 minutes ago

Then maybe it is still around on some instances?
Either way, it is only a matter of time for another fediverse software to show downvotes, or someone to spin up a vote info page which gets its information via undisclosed legitimate fediverse instances so you cannot defederate them.

BentiGorlich , 45 minutes ago

I was actually the one removing it. I implemented the support for incoming downvotes and because I and others had concerns to keep showing remote users downvotes publicly we / I removed it.

Redjard , 41 minutes ago

That’s a pretty reasonable compromise, and probably explains my confusion.
Why didn’t you do the same for remote upvotes?

BentiGorlich , 38 minutes ago

Upvotes were already implemented when we did the fork. I guess we just never really thought about it. I honestly just have no opinion on whether upvotes should be public or not, so I don't mind them being public, but I basically never check who upvoted my posts anyway, so might as well be removed... If people care about this I'd say it is just up for discussion...

Redjard , 30 minutes ago

In my case I would like them to be private, but currently they are not. I don’t think it is good to try to hinder the visibility into a fundamentally transparent system.

I don’t see a technical way to make votes private either, that doesn’t prevent bad actor instances abusing the vote system. As an admin of an instance I could just add 5-10 votes to all of my interactions whenever I feel like it, and noone would be able to tell it didn’t come from legitimate users on my instance. The accounts of vote origin are needed as proof, hence moderators on lemmy having access to them.

Do you perhaps have any idea how this could be accomplished?

Munkisquisher , 9 hours ago

Yes, by looking in the DB or the data that’s federated as it comes through

ericjmorey , 9 hours ago

There's now a UI feature that allows admins to see votes without needing to manually query the database

Link , 9 hours ago

Furthermore, anyone can spin up a Lemmy server if they want to see people’s votes. It’s not very hard or load the same post in kbin/mbin.

otter , 9 hours ago

For what it’s worth, admins/employees on Reddit (or any other website) can also see upvote records.

Jumuta , 31 minutes ago

this is different, oc is talking about “any admin”. Anyone can make a lemmy server and become a server admin from which they might be able to see the voters

FiskFisk33 , 9 hours ago

yes, and any instance owner on any federated instance. Oh, and anyone on Kbin.

GBU_28 , 9 hours ago

Yep and they ban people as they see fit, across different communities, based on votes anywhere

skullgiver , 8 hours ago

What you upvote/downvote, when you upvote/downvote. With some database queries, they can also read DMs that are on their server (i.e. if you message someone on my server).

You can see who upvoted a post by putting the URL to the post or comment into any connected mbin server and clicking “favorites”. Downvotes are restricted by default (but admins can see those of course).

The only information admins can see is the information on their server. For Lemmy, that means a server would need to be subscribed to all communities you’re active in for that information to be available. If you want I can DM what upvotes of yours my server knows about.

otter , 9 hours ago (edited 8 hours ago)

Should the Lemmy devs create a way to make the votes anonymous?

I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.

Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.

Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

I left a long comment in the other thread which I will link in a moment, but I think either

1. We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
2. We make it public for everyone and take steps to deal with the new issues that it could cause

Other comment on the benefits/issues: lemmy.ca/comment/11097046

andrewrgross , 8 hours ago

I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.

I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.

Dave , 8 hours ago

Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.

Coelacanth , 3 hours ago

I always thought anonymous voting was preferable, or at least non-public. I don’t want “why did you downvote me bro!?”-arguments to occur, and I don’t want to know who approves of my comments or not. I think thinking of votes as an amorphous blob representing general public opinion on Lemmy is preferable to getting into the weeds of who exactly likes your posts and comments.

We could also have “karma” on Lemmy, but while technically tracked the environment is better off without it being public in my opinion. I view voting records similarly.

If botting becomes enough of an issue that regular users need to report vote manipulation bots I’ll be fine with conceding my stance.

ChaoticNeutralCzech , 3 hours ago

I agree. As long as anonymous voting doesn’t cause obvious trolling/spam issues, it should be preferred.

One of the reasons I’ve always found Facebook off-putting and never used it (even before learning about the shady practices) are the very visible votes. I tend to overanalyse any reaction and would judge people based on their votes on my posts, even if I consciously tried to avoid it. Similarly, I imagine some other people would do the same and I’d feel like I’m under surveillance.

corsicanguppy , 1 hour ago

As a comment on the other discussion says, there’s a reason ballots are secret.

blanketswithsmallpox , 52 minutes ago

In reality you should be able to get an anonymized reference number to show your vote was tabulated correctly though.

Right now it comes down to an actual official finding your paper ballot with hand marked tracking and presuming to the computer read it correctly on an overall vote total.

Being able to do this anonymously and securely is where the problems lie. Which is also why digital only voting still isn’t a thing anywhere.

j4k3 , 8 hours ago

I would rather vote identities being blocked from scraping. I don’t care about other users or admins. I would rather that level of information be unavailable to outside commercial sources, especially any timings based metadata that could be used to derive dwell time and other psychological metrics.

Microw , 4 hours ago

Thats probably a complete nonstarter in a federated network. The metadata needs to be sent via Activitypub, ergo it has to be public.

Damage , 4 hours ago

I think you’re looking for a different type of community then, like an image board.

troed , 8 hours ago

Keep the Fediverse bot- and troll-free.

The whole idea of being able to behave like a shithead without accountability needs to go.

roguetrick , 4 hours ago

As with all things you must behave like a shithead in moderation.

TheEntity , 7 hours ago

On Kbin the votes are 100% public for anyone. I’ve migrated to Lemmy after the frequent server issues with Kbin and I miss that part dearly. It was very easy to gauge whether someone was engaging in a good or bad faith discussion by checking the votes within a discussion. That being said, personally I’m very light on my downvotes, and I can see how someone more trigger-happy would see it as worrying. Personally I see the vote transparency as healthy though.

Th4tGuyII , 6 hours ago

To be fair, there's a point to be made that someone who's overly trigger-happy on dislike should be shamed for it.
Just like you would be if you kept being snide to everyone in real life.

I agree that transparency would do much more good than harm, plus compared to the info that people already put in their profiles/comments, it's not likely to make them anymore identifiable.

TheEntity , 5 hours ago

I’d even argue public votes can deescalate some situations, for example where both sides of a relatively heated discussion can see they vote each other up. They don’t necessarily agree but they appreciate the other side’s points.

As for the transparency, it’s not possible to list all the votes of a user, one rather needs to list votes on a given post. To profile a given user the attacker would need to cross-reference the data from all posts and comments which is computationally infeasible, both client-side and server-side.

souperk , 8 hours ago

For anyone interested, there are a few papers on cryptographically secure voting, where both voter anonymity and election integrity are preserved.

Most designs consider three separate entities, where if you accumulate the information between those entities you would be able to identify a voter and his vote, but each entity on itself does not hold enough information.

wazoobonkerbrain , 5 hours ago

That’s interesting. I have read multiple comments to the effect that it would not be possible for lemmy to implement anonymous voting because the underlying ActivityPub protocol does not support it. So it sounds like solutions do exist, although I suppose the effort required to modify ActivityPub is too much, more likely the feature will be included in some successor to the fediverse.

Vlyn , 3 hours ago

The problem isn’t keeping votes anonymous, that’s easy. The problem is bots/spam. You could just create a new instance and then upvote a post from another instance a thousand times. If the votes are anonymous for the other instance it’s tough to say if they are genuine users or just bots.

That’s the main issue here, when votes are anonymous you could easily just spam votes with no way to trace it back. If it’s a rogue instance then fine, you can ban the whole instance. But imagine if lemmy.world starts using fake votes in the background towards other instances.

nimpnin , 1 hour ago

What keeps from doing that right now? You can just create an instance and bot accounts on that

Vlyn , 1 minute ago

It would be damn easy to look up the instance and their “users” and see that the users are not genuine. Then ban the whole instance.

souperk , 1 hour ago

If you are worried about duplicates, aka a single bot spamming multiple votes, then that’s feasible to mitigate.

If you are worried about multiple bots spamming one vote each, that’s harder to mitigate and it comes down to how the instances handles bot accounts in general. IMO it’s best to ignore the bot problem and instead focus on designing a vote weighting system that favors similar instances.

A_A , 21 minutes ago

Thanks @souperk,
i believe many users will be interested in these papers about cryptographically secure voting.

Amongst them there would be :
@rimu
@SorteKanin
@brbposting

brbposting , 14 minutes ago

Wow neat!! Eating our cake & having it

Thanks @A_A

Tudsamfa , 2 hours ago

Always in favor of taking power from mods that they can abuse and simply do not need.

The 1 “You think you can come into MY instance, and downvote ME?” post I read was 1 too many.

mozz , 9 hours ago

With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.

lalo OP , 9 hours ago

What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.

rglullis , 8 hours ago

1. You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
2. Your history will never be fully portable.
3. It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
4. What is the criteria for “malicious”?

lalo OP , 7 hours ago

1. Currently, any admin can modify any local user activity, can’t they?
2. Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
3. Don’t see the problem.
4. Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.

rglullis , 7 hours ago (edited 4 hours ago)

1. Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
2. But then you have two different events.
3. Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over every little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
4. No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.

Max_P , 8 hours ago

The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.

That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.

I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.

For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.

Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.

Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.

lalo OP , 7 hours ago

We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.

ricdeh , 5 hours ago

That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.

chicken , 7 hours ago

I bet you could do it with ring signatures

a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature

ZDL , 9 hours ago

To me the anonymity of voting is the problem, so the solution is to make them public for all, not to find ways of making them more private.

halm , 9 hours ago

The point of privacy is pretty shaky in this context, tbh. Anybody using the fediverse is ensured pseudonymity already, the privacy issue should be whether your account(s) can be linked to your real life identity against your will.

In that regard I can only see positives to making voting public. Foremost it could create some accountability to the system, and maybe minimise the lazier drive-by, doom scroll votes?

lalo OP , 8 hours ago

I completely agree with the idea of more accountability. We are real people in acting public right here, we should be constantly aware that our actions have consequences. If you don’t want your pseudonym associated with a vote, don’t do it. It’s kinda like the opposite of 4chan, where instand of anonymous controversial content on top, here we have human-curated content being pushed up.

halm , 8 hours ago

Couldn’t agree more, and if we passed around imaginary gold on Lemmy, I’d give you a dubloon for this.

rglullis , 8 hours ago

I’m so, so glad to see I am not the only one that thinks this way.

ZDL , 7 hours ago

It’s the lazy drive-by and rage votes specifically that I would love to see eliminated. If you’re too much a coward to defend a position, maybe you shouldn’t express it.

halm , 51 minutes ago

And now I definitely want to see whoever downvoted your post outed as cowards 👍👍

snek , 2 hours ago

There is enough drama as it is. This will just open the door to shadowbanning and stalking and other horrors we have escaped by leaving reddit. It’s enough that it’s party available on kbin.

DoctorButts , 8 hours ago

Votes should be transparent for everyone. Right now the system assumes that mods/admins are somehow inherently more responsible than the average user, but well, just look at the garbage clusterfuck admin/mod teams of certain instances. You're telling me you're gonna trust these people with this information and not everyone else? Get the fuck outta here.

Carrolade , 9 hours ago

No, there is no real need. An account is already pseudo-anonymous. Full anonymity adds no real value beyond making it easier to manipulate vote tallies with bot accounts undetected.

edit: As a side note, this is one of the more transparent social media communities. It’s not terribly privacy-oriented in general. The enhanced transparency is part of its appeal.

Tywele , 4 hours ago

I think votes shouldn’t be anonymous. Transparency is important to weed out trolls and bots. And public votes should be made easier accessible to every user not only admins/mods.

mihnt , 2 hours ago

They should just stay mostly hidden as they are now. I was harassed 3 times while using kbin for my voting habits. When I brought it up to ernest, him and mostly everyone else defended it, even though at the time I was actively being annoyed by someone.

It’ll make less people vote in the long run and will scare people off.

Nothing worse than hopping on something I do for leisure to realize that thread I voted on a week ago has now come back to bite me in the ass because the OP decided to go on a crusade and harass everyone that downvoted them.