Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.
Wait a minute, so any admin can see which posts do I upvote/downvote?
I’m an instance owner and mod. I’ll describe what we see.
Like anyone else, I can check a post or comment and see the upvote and downvote counts. If I click on a specific menu item by a post or comment I can also see who voted which way.
I check it often and to date have only banned two users, out of thousands, who were consistently downvoting posts. These bot accounts were literally voting within seconds of the post going federated.
It’s a useful feature on my end and I think others should be able to see it.
Thamk you for the insight, instance administrator views are valuable and unique.
At the risk of sounding like I’m presenting a bad faith argument, why ban them? I don’t like the whole “free market” analogy but surely it’s one of the liberating features of federated servers, being able to to largely express your votes or content as you see fit within the legal framework of the host nation. Wouldn’t the odd one or two mass downvoters/upvoters/theyvoters ultimately be a statistical abberation or is the fediverse still small enough for this sort of shit to carry weight?
Open criticism of my view welcome, as always!
They’re purposely disruptive to the community, they are not part of the community.
That’s a strong viewpoint and I appreciate where you’re coming from, but how many votedicks does it take to derail a post? I appreciate the fediverse is reasonably small in comparison to othe headline social media sites, but does banning one or two bots or people do enough to save posts from getting bombed?
If it’s early? One.
with *nz content on my instance, very few
If votes are anonymous and federated, it’s very easy for me to add or subtract 900 votes from whatever I want.
You should consider anything you do on social media to be public. Even if Facebook tries to claim that it’s not.
Oh I like a pessimistic view - partly because it makes a discussion spicier, but also because it’s important for a user to understand the power that an instance owner wields!
Admin of a small instance, I have banned 2 accounts for another instance that were downvoting almost all content in a threads without any other interaction. They were being disruptive to the flow at the time, much like @[email protected] describes.
Oh man, this is awesome - it’s wonderful hearing from the practitioners of the art!
I’m just trying to figure out what driver establishing the tipping point for breaking or the ban hammer - is there any empirical data to drive these decisions, or is the fediverse user base small enough that you act on “feel” or “professional instinct”?
Managing emerging technologies fascinates me so any input - including the germs you’ve already volunteered - is very much appreciated 👍
For me and my (very - it may be down to just me logging in, but a couple of the communities have a few people that read/vote) small instance it comes down to feel (“Don’t be a dick”). Dave, the admin of lemmy.nz (about 80 users per week) has the same in their side board as their “Rule”. Dave and I set up our *nz instances in the same week and we chat often. He might not be quire as quick with the ban hammer as I might be though.
When you are this small even a small outside problem can have huge effects on your instance
why ban them?
They were describing someone who downvoted everything seconds within the post arriving.
Lemmy downvotes really have no consequences though, besides user ego.
I agree! I believe seeing who upvoted or downvoted a post aids in identifying rabid downvoters and bots. However, I personally use mobile Lemmy apps and am unable to access that data.
Furthermore, anyone can spin up a Lemmy server if they want to see people’s votes. It’s not very hard or load the same post in kbin/mbin.
For what it’s worth, admins/employees on Reddit (or any other website) can also see upvote records.
this is different, oc is talking about “any admin”. Anyone can make a lemmy server and become a server admin from which they might be able to see the voters
Yep. On kbin I think any user can too.
On mbin users can only see who upvoted a post. An admin can of course still go into the db and look there, but for users and mods there is no way to see who downvoted a post
There is a “Reduces” tab on mbin, which shows downvotes
There was and is not anymore
Then maybe it is still around on some instances?
Either way, it is only a matter of time for another fediverse software to show downvotes, or someone to spin up a vote info page which gets its information via undisclosed legitimate fediverse instances so you cannot defederate them.I was actually the one removing it. I implemented the support for incoming downvotes and because I and others had concerns to keep showing remote users downvotes publicly we / I removed it.
That’s a pretty reasonable compromise, and probably explains my confusion.
Why didn’t you do the same for remote upvotes?
Yep and they ban people as they see fit, across different communities, based on votes anywhere
yes, and any instance owner on any federated instance. Oh, and anyone on Kbin.
Yes, by looking in the DB or the data that’s federated as it comes through
There’s now a UI feature that allows admins to see votes without needing to manually query the database
deleted by creator
I always thought anonymous voting was preferable, or at least non-public. I don’t want “why did you downvote me bro!?”-arguments to occur, and I don’t want to know who approves of my comments or not. I think thinking of votes as an amorphous blob representing general public opinion on Lemmy is preferable to getting into the weeds of who exactly likes your posts and comments.
We could also have “karma” on Lemmy, but while technically tracked the environment is better off without it being public in my opinion. I view voting records similarly.
If botting becomes enough of an issue that regular users need to report vote manipulation bots I’ll be fine with conceding my stance.
As a comment on the other discussion says, there’s a reason ballots are secret.
In reality you should be able to get an anonymized reference number to show your vote was tabulated correctly though.
Right now it comes down to an actual official finding your paper ballot with hand marked tracking and presuming the computer read it correctly on an overall vote total.
Being able to do this anonymously and securely is where the problems lie. Which is also why digital only voting still isn’t a thing anywhere.
In reality you should be able to get an anonymized reference number to show your vote was tabulated correctly though.
The reason there is no such thing in elections, is to prevent vote buying/extortion.
In Italy it’s such an extreme problem that any ballot where the party is not marked with a cross on the party logo and (if present) a block capital name next to it on the provided line, is automatically discounted, because stuff like writing a name a specific way or using crosses, checks, dots, or other symbols was used to track vote buying/voter intimidation in mafia controlled territories.
Some vote counters and polling station overseers would be on the take and keep track of if the votes they expected to see showed up when counting ballots and report back.
If you were able in any way to prove something beyond the equivalent of an “I voted” sticker it would immediately be used to ensure people voted a certain way or to exact some sort of backlash on those who didn’t.
There’s also a reason why votes in parliaments aren’t secret.
Because they’re supposed to be responsible to and represent the people who voted for them. Irrelevant to this situation.
I agree. As long as anonymous voting doesn’t cause obvious trolling/spam issues, it should be preferred.
One of the reasons I’ve always found Facebook off-putting and never used it (even before learning about the shady practices) are the very visible votes. I tend to overanalyse any reaction and would judge people based on their votes on my posts, even if I consciously tried to avoid it. Similarly, I imagine some other people would do the same and I’d feel like I’m under surveillance.
We could also have “karma” on Lemmy, but while technically tracked the environment is better off without it being public in my opinion. I view voting records similarly.
It’s strange that they removed total account karma visibility a while back but are now thinking about making votes public.
I think a good compromise (since Lemmy already tracks that data) would have been to show the upvote/downvote ratio a user receives on their profile page, without showing their total karma. That’d help you spot toxic users without incentivising karma whoring.
Similarly, a display of how often a user upvotes versus downvotes others would help spot bots and trolls without completely obliterating privacy like their suggestion would.
(But ultimately none of this solves the problem of privacy on the Fediverse being one federated bad actor away from nonexistence)
It honestly just opens up a whole shitty can of worms. Are admins ready to weigh in every time someone fakes a vote history screenshot showing that so and so up voted a bomb threat before the post got removed?
Should the Lemmy devs create a way to make the votes anonymous?
I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.
Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
I left a long comment in the other thread which I will link in a moment, but I think either
- We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
- We make it public for everyone and take steps to deal with the new issues that it could cause
Other comment on the benefits/issues: https://lemmy.ca/comment/11097046
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.
And that is still possible with pseudonymous tokens votes. You just end up banning tokens for malicious voting activity, and users for malicious posting activity. It’s at best a very mild adjustment to moderation workflows.
How does this work? The community issues federates votes but with a linked token instead of a linked user? How do you track vote manipulation across different communities on different instances?
As far as I understand it all activity originates from the home instance, where users are interacting with federated copies of posts. The unique user token from a well behaving instance follows the user across the fediverse, allowing bulk moderation for voting patterns using that token. The only difference is that it is not explicitly tied to a given user string. That means moderation for vote manipulation gets tracked via a user’s vote token, and moderation for trolling/spam/rule violations happens via their display name. It may be possible that a user is banned from voting but not commenting and vice versa. It’s is a fairly minor change in moderation workflow, which brings a significant enhancement to user privacy.
Under activitypub, a lemmy community is kind of like a user (actually an activitypub group). When I post here with my lemmy.nz account to this lemmy.world community, lemmy.nz sends my comment to lemmy.world who then sends it to sh.itjust.works for you to see. The community is the controller of all interactions within the community. In this case, lemmy.world is the official source of how many upvotes this post has. And each vote is validated using the user’s public key to ensure it actually came from that specific user - a standard part of ActivityPub.
So would lemmy.world assign a token for your votes? If your instance assigned the token, Lemmy.world would not be able to validate against your user’s public key. If Lemmy.world assigns the token, it would only be valid in lemmy.world communities, as other instances would have to assign their own token. And both sh.itjust.works and lemmy.world admins could still see the real association.
Also, changing how votes work would break compatibility with other ActivityPub software (e.g. Mastodon could no longer interpret an upvote as a favourite, Mbin would’t be able to retrieve any data about the votes unless they specifically changed to work in the Lemmy way instead of using standard ActivityPub).
Worst case scenario, there is an entirely separate, tokenized identity for votes which is authenticated the exact same way, but which is only tied to an identity at the home instance. It would be as if the voting pub is coming from user:socsa-token. It’s effectively a separate user with a separate key. A well behaving instance would only ever publish votes from socsa-token, and comments from Socsa. To the rest of the fediverse socsa-token is simply a user which never comments and Socsa is a user which never votes.
I am not sure key based ID is actually core to AP anyway. The last time I read the spec it kind of hand waved identity management implementation.
Well hey, sounds like you might be able to help. Lemmy devs are actively soliciting opinions on lemmy votes, maybe you could have a say? Most of the comments are around “votes are already sort of public” therefore either a) make them actually public so we aren’t pretending they aren’t, or b) keep them hidden, a little less public is better than completely public.
Perhaps you can come in with a c) option to make votes even less public?
I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.
I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.
The current trust model already relies on a user’s home instance accurately reporting user activity and not injecting fake activity. Hiding real user votes behind pseudonymous tokens doesn’t change that at all.
As far as I can tell, the activity ranking algorithms don’t actually differentiate between up and down votes anyway. All votes are considered engagement.
“If you have nothing to hide then you have nothing to fear.”
Given the strong presence of the privacy community on Lemmy, I have to say that I’m a bit shocked to hear so many in these discussions chiming in to support voting transparency.
I’m on board with the idea of using ring signatures to validate the legitimacy of a vote and moderating spammers based on metadata.
Or, for something (potentially) easier to implement, aggregating vote tallies at the instance level (votes visible to your instance admin and mods) and federating the votes anonymously by instance, so you might see something like:
- lemmy.world: 9 up, 2 down
- discuss.tchncs.de: 3 up, 4 down
- Etc
Up/down votes are the method of community moderation that sets Reddit apart from many other platforms. If the Lemmy community is trying to capture some of that magic, which is good for both highlighting gems AND burying turds, radical transparency isn’t the path to get there.
In fact, I’d argue that the secret ballot has already been thoroughly discussed and tested throughout history and there are plenty of legitimate examples of why it would be better if they were more secret than they are today.
Many people have brought up the idea of brigading, but would this truly get better if votes are public? Is it hard to imagine noticing that an account you generally trust has voted and matching their vote, even subconsciously?
For those who feel that they aren’t able to post on Lemmy because downvotes make you feel sad, my feeling is that if you make posts in a community and they consistently get down voted to oblivion, you’re in the wrong place. The people in that community don’t value your contributions, and you should find another place to share them. This is the system working as intended and the mods should be thankful that such a system has been implemented.
The last point I’ll make is about the potential for a chilling effect - making users less likely to interact with a post in any way due to a fear of retaliation. Look - if you’re looking for a platform where all of your activity is public, those are out there. Why should we make Lemmy look just like every other platform?
Agreed. 10/10.
And you don’t even need real crypto here to start. The home instance can just send vote actions as fixed unique tokens. The way the trust framework currently works, this is literally a drop-in replacement and introduces no new spam/brigade vulns which don’t already exist from a rogue instance. It would be imperfect, and may still make it possible to correlate and infer vote patterns for a sufficiently motivated adve, but it would raise the bar for protecting user telemetry by a huge factor with very minimal effort. I’m honestly a bit surprised it hasn’t been done already.
introduces no new spam/brigade vulns which don’t already exist from a rogue instance
It does though. Now a rogue instance would have to have “believable” profiles for the accounts that vote, because an instance of just “lurkers” who seem to suspiciously vote is a pretty big signal of vote manipulation. If you only see a random identifier (or not even that, just a tally of votes) it’d be impossible to tell if it’s truly the instance’s users just passionate about something or actual vote manipulation.
In other words it would at least make the problem way worse.
The rogue instance would still need fake users though. It would be very easy to see if you are getting votes from 300 unique tokens, but the instance only has 100 users.
Also the method I am proposing would simply be transparent in terms of user management, so if you are running core Lemmy, the only way to generate voting tokens would be to generate users.
I guess that’s true. Then you could just ask the instance admins to check their users’ voting patterns / deanonymize them / whatever, and if they don’t comply defederate them.
Is it hard to imagine noticing that an account you generally trust has voted and matching their vote, even subconsciously?
Not only is it not hard to imagine its easy to imagine the benefits of using this information automatically. I could imagine a client side script which re-ordered content based on who I trusted who had up or down voted it.
So I have users A B C D E F who are known to me who have voted on a given post. D and E are idiots I disregard their votes. F literally hates everything I love so I count his votes inversely. A and B are fantastic I count them x10 I tend to agree with C so I count his x2.
Not only can I potentially re-score threads and comments based on whom I trust I can if I really trust someone’s opinion apply their weights as well, and the weights of the folks upstream.
Yes, I too salivate at the idea that I could simply disappear all of the ideas I disagree with, but that is exactly how to turn a community into an echo chamber.
So I have users A B C D E F who are known to me who have voted on a given post. D and E are idiots I disregard their votes. F literally hates everything I love so I count his votes inversely. A and B are fantastic I count them x10 I tend to agree with C so I count his x2.
What you are suggesting here is, as I’m understanding it, a way to only get feedback from people you agree with and to never experience a critical discussion of ideas based on their merits.
Now, I’m not here to suggest that Lemmy is some kind of shining beacon of drama-free intellectualism, where every idea is discussed without bias or agenda, but I DO think it is valuable to hear from people whose lived experiences led them to a different conclusion than the one I’ve reached. Obviously there needs to be a mechanism to remove trolls from the discussion, but I fear a world where we only see content that we agree with, because then we will truly be removed from reality, and that’s not why I’m here.
There are a lot of people not worth attending to. If you do spend your time listening to these folks you don’t hear new ideas you hear the same bad ones over and over. It would be lovely that having noticed that someone is a persistent holocaust denier he could be added to a list that would disappear not only their contributions but their votes as well for thousands of users.
Sort by Top and I’m sure the crusaders of New will have everything sorted out by then. If you find these ideas being upvoted, you’re in the wrong community and you may be in a lemmygrad community. You’re on the wrong side of the train tracks and need to seek higher ground.
We don’t need to create literal echo chambers of people talking past each other because we block out any information that makes us uncomfortable. That’s not how we foster constructive dialog and
I want to have the ability to turn on my echo chamber, when I want it, and also to be able to turn it off, when I want to step outside of it for awhile. This doesn’t have to be a toggle - it could be having an alt on a different instance.
I don’t want this choice made for me by people who think they know better how to run my own life than me. They can write an appeal that I will consider, but ultimately I want to make my own choice.
Having votes be publicly viewable allows us all the freedom to do as we choose with that information - including to ignore them entirely. What I would probably do with it is make large block lists of people on lemmy.ml, since it turns out that user blocks of an instance don’t block all that much. Fwiw, for everyone I’ve blocked in the past, I look through the post history to see if they merely are being disagreeable on a particular matter but overall are capable of contributing something substantive to a conversation, or are nothing more than a troll, setting out to vomit their emotions upon everyone worldwide across the Fediverse.
I’ve been a mod before, on Reddit, and am under no illusions anymore that everyone is worth listening to - a downvote from someone rational I will give serious thought about, but an idiot is an idiot, even if a community mod hasn’t banned them (yet?).
It’s like autocorrect: feel free to make suggestions, but it would be nice if I could have control when I want it, including/especially not wasting my time.
Always in favor of taking power from mods that they can abuse and simply do not need.
The 1 “You think you can come into MY instance, and downvote ME?” post I read was 1 too many.
The infallible Admiral Patrick perma-banned me from UnpopularOpinion for downvoting his posts. What a great guy - and by great guy, I mean twat.
I’m guessing we saw the same one, and that’s literally the only instance I’ve completely blocked.
Was it midwest.social by any chance?
No, vegantheoryclub.org actually
That’s funny because I saw some initial comments made which then started this discussion. And what you’re suggesting was the intent. The issue as they (one of Lemmy’s developers) said was essentially frustration that their echo chamber had been pierced.
On Lemmy the concern isn’t even mod abuse - it’s just how much user telemetry is pushed around in plaintext which makes me uncomfortable. I’m sure there are already instances which do nothing but listen to AP traffic actively building activity and interest profiles on Lemmy users. Say what you will, but at least on reddit they have to buy that shit. And if such a rogue admin is even a little bit enterprising, there are a bunch of potential IP deanonymization attacks possible by serving up content targeted to specific users during specific times of day. And probably a bunch of other shady shit I haven’t thought of.
Honestly it’s more than a bit suspicious to me that AP and Lemmy has put seemingly zero effort into mitigating this sort of thing.
The version code hasn’t even hit 0.2 yet. Lemmy was founded by people who got banned from Reddit for being too toxic & extremist leftists, so went off to make their own replacement. They do what they like, and bc Rust is a difficult language to work with, not that many are willing to help.
Then after Huffman’s debacle, we started to see Kbin, Mbin, Piefed, Sublinks, and perhaps more - but none even as advanced as Lemmy yet.
But more to the point, that’s just the nature of an open network. Wouldn’t Wikipedia suffer from the same issues? Though less of an issue than a social media framework I would wager.
I like your funny words, magic man!
I would rather vote identities being blocked from scraping. I don’t care about other users or admins. I would rather that level of information be unavailable to outside commercial sources, especially any timings based metadata that could be used to derive dwell time and other psychological metrics.
Thats probably a complete nonstarter in a federated network. The metadata needs to be sent via Activitypub, ergo it has to be public.
I think you’re looking for a different type of community then, like an image board.
For anyone interested, there are a few papers on cryptographically secure voting, where both voter anonymity and election integrity are preserved.
Most designs consider three separate entities, where if you accumulate the information between those entities you would be able to identify a voter and his vote, but each entity on itself does not hold enough information.
The problem isn’t keeping votes anonymous, that’s easy. The problem is bots/spam. You could just create a new instance and then upvote a post from another instance a thousand times. If the votes are anonymous for the other instance it’s tough to say if they are genuine users or just bots.
That’s the main issue here, when votes are anonymous you could easily just spam votes with no way to trace it back. If it’s a rogue instance then fine, you can ban the whole instance. But imagine if lemmy.world starts using fake votes in the background towards other instances.
What keeps from doing that right now? You can just create an instance and bot accounts on that
It would be damn easy to look up the instance and their “users” and see that the users are not genuine. Then ban the whole instance.
If you are worried about duplicates, aka a single bot spamming multiple votes, then that’s feasible to mitigate.
If you are worried about multiple bots spamming one vote each, that’s harder to mitigate and it comes down to how the instances handles bot accounts in general. IMO it’s best to ignore the bot problem and instead focus on designing a vote weighting system that favors similar instances.
designing a vote weighting system that favors similar instances
Would make the whole thing even worse, as I could create several new instances with 10 bot users each, then hammer out the votes.
The entire problem is that you can’t trace back each vote to a genuine user. It would be bad in case of fake instances that create 100 user accounts and upvote/downvote stuff, but you can ban the instance. It would be a disaster if a big instance creates fake votes (like lemmy.world suddenly adds 1000 fake users and uses them to manipulate other instances, if votes were anonymous you couldn’t check if it’s genuine lemmy.world users or fake accounts).
Thanks @[email protected],
i believe many users will be interested in these papers about cryptographically secure voting.Amongst them there would be :
@[email protected]
@[email protected]
@[email protected]Not sure if you are being sarcastic or not but I found this review.
https://www.mdpi.com/2073-8994/14/5/858
I had done some research about a year ago, but I don’t have the papers saved.
No I was not sarcastic. So now i am trying to read your paper and i think that it is above my knowledge level.
As a layman i had the intuition that instead of having two accounts as i proposed for voting and commenting which was implemented by @rimu, we might have had something like blockchain or filecoin or some coin that would represent voting power and that would be based on our commenting value… so that coin would have been an intermediary to make voting anonymous.
Finally i know enough about science that i know that i don’t know much.
Edit : after a rapid overview of the article i would say that this method :
“Blind Signature-Based e-Voting”
would be most appropriate to our social media voting and i noticed the work they have done is more targeting national elections where the outcome is much more important.
This isn’t going to solve anything. Cryptographically secure voting helps when you can ensure that each person only gets to vote once. But anyone can just sign up for more accounts or make loads of bot accounts and vote multiple times. This solves nothing.
That’s interesting. I have read multiple comments to the effect that it would not be possible for lemmy to implement anonymous voting because the underlying ActivityPub protocol does not support it. So it sounds like solutions do exist, although I suppose the effort required to modify ActivityPub is too much, more likely the feature will be included in some successor to the fediverse.
Wow neat!! Eating our cake & having it
Thanks @[email protected]
They should just stay mostly hidden as they are now. I was harassed 3 times while using kbin for my voting habits. When I brought it up to ernest, him and mostly everyone else defended it, even though at the time I was actively being annoyed by someone.
It’ll make less people vote in the long run and will scare people off.
Nothing worse than hopping on something I do for leisure to realize that thread I voted on a week ago has now come back to bite me in the ass because the OP decided to go on a crusade and harass everyone that downvoted them.
Even for delusional tech bro bullshit, the idea that public voting on an anonymous forum will do anything other than create drama is pretty fucking detached from reality.
Please be vocal about this because I’ve seen two people say they didn’t see this behavior. ❤️
yep, tyranny of the majority is still tyranny. It’s worth defending the 3% who disagree with the majority opinion cause, more often than not, sometimes the majority is wrong…
Defending the secret vote is the key to a functioning democracy, without it you just get cliques and in-groups who bully the outsiders. No one wins in that scenario, as critical thinking and critique are actively discouraged.
If OP mass-downvotes you, then ban them. As it is, you have the ability to mass-downvote them, without them even knowing that it is you doing it. Or maybe you wouldn’t do that, but some would - I hope you see how unequal that relationship is.
There is enough drama as it is. This will just open the door to shadowbanning and stalking and other horrors we have escaped by leaving reddit. It’s enough that it’s party available on kbin.
The developers of Lemmy do not seem interested in anything less than banning people instance-wide, even from communities that they have never posted in before, so ironically shadowbanning is too subtle for them.
But I thought the only way someone could be shadowbanned now is at the individual user level? It would be nice to increase transparency even further - e.g. a message pops up if you try to reply to someone saying like “this user has blocked you” (possibly everyone from that instance) so that people do not waste time trying to get a message across that the recipient will never read.
With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.
What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.
The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.
That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.
With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.
I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.
For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.
Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.
Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.
We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.
That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.
Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.
- You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
- Your history will never be fully portable.
- It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
- What is the criteria for “malicious”?
- Currently, any admin can modify any local user activity, can’t they?
- Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
- Don’t see the problem.
- Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.
- Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
- But then you have two different events.
- Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over every little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
- No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.
I bet you could do it with ring signatures
a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature
1 I had assumed votes were private 2 If I don’t hear soon that votes are private, I’ll simply stop participating and return to lurking. I’ll eventually just wander off to the next thing that doesn’t expose my votes to potential bots and/or abusive actors.
I think most users assume votes are private and most will have a similar reaction to learning about this unintuitive negative feature of anything built on ActivityPub, including Lemmy.
I think it is worth reading the actual discussion on github. Having votes public and having them visibly public on the web interface has compelling reasons. Namely enshittification hardening.
It’s also quite natural to stand by your words (or vote). I personally don’t think people should feel like the internet is their anonimized alt character of life. And if they need/want that, just do a throwaway account and hard vpn. Otherwise NSA (or equivalents) track us anyway.
Your votes are as public as your posts. I see you have no problem posting so I don’t understand what the issue is.
Right? Big whoop, votes are public. Oh no, people might find out I’m an an-com from my voting patterns, instead of from my comments
Sometimes you might want to show support for something but do so privately, without others knowing it’s you in particular supporting that.
You are doing it privately. Nobody knows who amju_wolf is, or where they live.
It’s very easy to find my IRL identity, and even my online pseudonym (well, both of them) have so much stuff tied to them that they are effectively my real identities. They are very much public, and definitely not anonymous.
Then I’d be more concerned about that and your posts rather than if you happened to up or down vote something.
The issue is that currently someone can behave as a shithead via voting, even if not comments, with little fear of reprisal or even discovery.
How does one “behave as a shithead via voting”? If someone decided to waste their time following me around Lemmy and down voting my posts it’s not going to do very much.
The effectiveness of the shitheadiness is a separate matter from its identity:-). If someone were to say downvote literally everything you ever did, within seconds of you doing it, and regardless of content, then that would be a shitty thing to do.
When I first signed up for reddit, the upvotes and downvotes were not only separately tallied, but also showed the usernames of the most recent people who did them if you hovered over the button. Then very shortly after that they changed it so that it made votes private by default, and you could override it in the settings, but almost nobody went to check that box back on. Eventually, they completely removed that feature around the time upvotes and downvotes were combined into one. which along with vote fuzzing was one of the worst changes to reddit comments, imo.
Lemmy feels like old reddit right now, which is a great spot to be in. I don’t think you necessarily need public vote info, but maybe it could be enabled on a per-community basis? I can see some communities like politics not wanting to add additional drama to the equation while other more content driven communities might enjoy knowing who was giving the feedback.
Vote fuzzing is the worst. Reddit said their main reason for implementing it was to prevent vote manipulation… seriously? Vote fuzzing laid the groundwork for vote manipulation.
Do you mean manipulation from the admins? Because from the spammers perspective not being able to see if your votes went through is pretty inconvenient
On Kbin the votes are 100% public for anyone. I’ve migrated to Lemmy after the frequent server issues with Kbin and I miss that part dearly. It was very easy to gauge whether someone was engaging in a good or bad faith discussion by checking the votes within a discussion. That being said, personally I’m very light on my downvotes, and I can see how someone more trigger-happy would see it as worrying. Personally I see the vote transparency as healthy though.
To be fair, there’s a point to be made that someone who’s overly trigger-happy on dislike should be shamed for it. Just like you would be if you kept being snide to everyone in real life.
I agree that transparency would do much more good than harm, plus compared to the info that people already put in their profiles/comments, it’s not likely to make them anymore identifiable.
I’d even argue public votes can deescalate some situations, for example where both sides of a relatively heated discussion can see they vote each other up. They don’t necessarily agree but they appreciate the other side’s points.
As for the transparency, it’s not possible to list all the votes of a user, one rather needs to list votes on a given post. To profile a given user the attacker would need to cross-reference the data from all posts and comments which is computationally infeasible, both client-side and server-side.
Wouldn’t it be easier to leave it as an option for each user on Lemmy?
If users want anonymity, let them have it. If they want to share their vote, let them do that. Forcing one option on others without the voice of the usually silent majority isn’t going to fix anything, it’s just going to scare some people away or start posts requesting it private again; or optional.
Not to mention, using this method you will quickly see how many users really wanted this option based on how many leave privacy enabled or disabled, instead of listening to a current vocal minority.
User choice would be best indeed. The problem is that currently the votes are public but hidden from Lemmy regular users. Anonymize votes seems to be such a big problem the devs don’t even want to consider it.
I hear you, but problem or not, the devs shouldn’t be making major decisions for the user base after the fact. Anonymous voting might be a problem at first, but so will people who are broadsided by the decision. Not to mention the users who will use an open voting system to bully users they disagree with. You have to foresee problems will come with any decision, and a percentage of users will flee for each bad, meaning the safest choice is user base safety over forced decisions. Ultimately sad truth is, leaving things as they are is a much easier call for devs.
currently the votes are public but hidden from Lemmy regular users
Tough. If you think any action you take on a social media platform is private then you shouldn’t be here.
Whether it is private or not isn’t the problem. It’s people assuming any part of is. Behave or suffer. Just like the real world.
Keep the Fediverse bot- and troll-free.
The whole idea of being able to behave like a shithead without accountability needs to go.
As with all things you must behave like a shithead in moderation.