Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.
You must log in or register to comment.
Its best if the rules are the same for anyone, but public votes is something power hungry mods will eventually abuse. If you dare upvote the wrong post you will get banned.
It sounds like everyone but mods should be able to see voters. But of course they will use straw accounts. What if only votes on your own post/comment were revealed to you? Like some pointed out, they are already not anonymous to anyone who wants to try hard enough to get the data because of federation. So the question is who do we want to be able to see that data easily? It’s a GUI modification in any case. Who are we making the gui modification for?
All it will take is for folks to look and see you voted in something and they won’t see the context or will misunderstand your intentions and they’ll ban you. This shit happened back on Reddit too and it sucked. They’d blanket ban people who interacted in a community without looking at what you actually did.
Sounds like mods and admins can already do this, and if the barrier to entry to being an admin is firing up a Docker container, I don’t see the purpose in restricting users from seeing it
I typically operate under the assumption that basically anything I decide to post on a public forum is not private.
Call me crazy, but I care less about the instance admins being able to see my vote history than regular users. For me the latter will produce a chilling effect on how I operate with the site moreso than the former, even if admins have more power that can be abused. I was already aware of the votes not actually being public and the idea admins could see that info seemed to be a given, but I still think there’s a difference between having a motivated malicious user go out of their way to look (making an instance, looking on a different platform, etc) vs making it simple for lay users to see that info within the platform itself (which I what I think is under discussion, currently).
And honestly, if a solution could be determined to help make votes anonymous but still allow admins/mods to deal with bots/trolls, then I’d be all for it.
For me the latter will produce a chilling effect on how I operate with the site
Why?
Because if lay users can see how I vote, then I might start being harassed by people for daring to downvote them or daring to upvote someone. And may stay tracking my voting habits.
In which case, I’d probably stop voting.
Having a barrier to that info is better than no better even if it’s not impossible, imo.
If someone tries to harass me about how I vote I’ll just block them.
All it takes is some API calls and some simple python scripting and you could data mine a person. Maybe they subconsciously only upvote LGBT posts. Maybe they downvote leftwing posts.
Then, oops, one day they post something that can doxx them and now they’re getting targeted ads or worst case a stalker or someone who wants to get them fired/thrown in jail.
Now imagine a machine learning algorithm or AI has done all the data mining and it took just a couple days to work through all users on lemmy.world.
If there’s any data that could be used to make money someone will eventually try it.
The same argument could be made about your posts. Maybe a user tends to post things that aligns with a certain group, just as easy to track that (if not easier) for targeting.
Not to mention anyone with the tech to do this already can by creating their own instance so they can view votes.
okay but you make posts with the expectation they are public. Votes only change a number, and are a way for you to show support/disagreement for something without broadcasting it to everyone.
If you want to broadcast it and make it public you can reply to a comment
same thing you should teach your kids…
anything you put online can (and probably will) be used to identify you, as ad and ip tracking has done for a long time.
and once it’s on the webs, it’s always on the internet. no erasing pictures or tweets.that’s how it has been, that’s how it’ll always be
With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.
What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.
- You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
- Your history will never be fully portable.
- It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
- What is the criteria for “malicious”?
- Currently, any admin can modify any local user activity, can’t they?
- Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
- Don’t see the problem.
- Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.
- Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
- But then you have two different events.
- Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over very little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
- No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.
The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.
That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.
With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.
I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.
For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.
Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.
Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.
We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.
That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.
Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.
I bet you could do it with ring signatures
a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature
Make the author of the comment/post see who voted for them.
Wouldn’t it be easier to leave it as an option for each user on Lemmy?
If users want anonymity, let them have it. If they want to share their vote, let them do that. Forcing one option on others without the voice of the usually silent majority isn’t going to fix anything, it’s just going to scare some people away or start posts requesting it private again; or optional.
Not to mention, using this method you will quickly see how many users really wanted this option based on how many leave privacy enabled or disabled, instead of listening to a current vocal minority.
User choice would be best indeed. The problem is that currently the votes are public but hidden from Lemmy regular users. Anonymize votes seems to be such a big problem the devs don’t even want to consider it.
I hear you, but problem or not, the devs shouldn’t be making major decisions for the user base after the fact. Anonymous voting might be a problem at first, but so will people who are broadsided by the decision. Not to mention the users who will use an open voting system to bully users they disagree with. You have to foresee problems will come with any decision, and a percentage of users will flee for each bad, meaning the safest choice is user base safety over forced decisions. Ultimately sad truth is, leaving things as they are is a much easier call for devs.
currently the votes are public but hidden from Lemmy regular users
Tough. If you think any action you take on a social media platform is private then you shouldn’t be here.
Whether it is private or not isn’t the problem. It’s people assuming any part of is. Behave or suffer. Just like the real world.
No, there is no real need. An account is already pseudo-anonymous. Full anonymity adds no real value beyond making it easier to manipulate vote tallies with bot accounts undetected.
edit: As a side note, this is one of the more transparent social media communities. It’s not terribly privacy-oriented in general. The enhanced transparency is part of its appeal.
Yes, they should ideally. But it’s hard to properly implement them in a way that will guarantee anonymity and be sybil-resistant at the same time.
Should the Lemmy devs create a way to make the votes anonymous?
I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.
Vote manipulation is a growing problem on Reddit, and it’s only getting worse with all the AI spam bots. They don’t have an incentive to stop it and it’s only going to get worse. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
I left a long comment in the other thread which I will link in a moment, but I think either
- We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
- We make it public for everyone and take steps to deal with the new issues that it could cause
The current trust model already relies on a user’s home instance accurately reporting user activity and not injecting fake activity. Hiding real user votes behind pseudonymous tokens doesn’t change that at all.
As far as I can tell, the activity ranking algorithms don’t actually differentiate between up and down votes anyway. All votes are considered engagement.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.
And that is still possible with pseudonymous tokens votes. You just end up banning tokens for malicious voting activity, and users for malicious posting activity. It’s at best a very mild adjustment to moderation workflows.
How does this work? The community issues federates votes but with a linked token instead of a linked user? How do you track vote manipulation across different communities on different instances?
As far as I understand it all activity originates from the home instance, where users are interacting with federated copies of posts. The unique user token from a well behaving instance follows the user across the fediverse, allowing bulk moderation for voting patterns using that token. The only difference is that it is not explicitly tied to a given user string. That means moderation for vote manipulation gets tracked via a user’s vote token, and moderation for trolling/spam/rule violations happens via their display name. It may be possible that a user is banned from voting but not commenting and vice versa. It’s is a fairly minor change in moderation workflow, which brings a significant enhancement to user privacy.
Under activitypub, a lemmy community is kind of like a user (actually an activitypub group). When I post here with my lemmy.nz account to this lemmy.world community, lemmy.nz sends my comment to lemmy.world who then sends it to sh.itjust.works for you to see. The community is the controller of all interactions within the community. In this case, lemmy.world is the official source of how many upvotes this post has. And each vote is validated using the user’s public key to ensure it actually came from that specific user - a standard part of ActivityPub.
So would lemmy.world assign a token for your votes? If your instance assigned the token, Lemmy.world would not be able to validate against your user’s public key. If Lemmy.world assigns the token, it would only be valid in lemmy.world communities, as other instances would have to assign their own token. And both sh.itjust.works and lemmy.world admins could still see the real association.
Also, changing how votes work would break compatibility with other ActivityPub software (e.g. Mastodon could no longer interpret an upvote as a favourite, Mbin would’t be able to retrieve any data about the votes unless they specifically changed to work in the Lemmy way instead of using standard ActivityPub).
Worst case scenario, there is an entirely separate, tokenized identity for votes which is authenticated the exact same way, but which is only tied to an identity at the home instance. It would be as if the voting pub is coming from user:socsa-token. It’s effectively a separate user with a separate key. A well behaving instance would only ever publish votes from socsa-token, and comments from Socsa. To the rest of the fediverse socsa-token is simply a user which never comments and Socsa is a user which never votes.
I am not sure key based ID is actually core to AP anyway. The last time I read the spec it kind of hand waved identity management implementation.
Well hey, sounds like you might be able to help. Lemmy devs are actively soliciting opinions on lemmy votes, maybe you could have a say? Most of the comments are around “votes are already sort of public” therefore either a) make them actually public so we aren’t pretending they aren’t, or b) keep them hidden, a little less public is better than completely public.
Perhaps you can come in with a c) option to make votes even less public?
I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.
I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.
To me the anonymity of voting is the problem, so the solution is to make them public for all, not to find ways of making them more private.
The point of privacy is pretty shaky in this context, tbh. Anybody using the fediverse is ensured pseudonymity already, the privacy issue should be whether your account(s) can be linked to your real life identity against your will.
In that regard I can only see positives to making voting public. Foremost it could create some accountability to the system, and maybe minimise the lazier drive-by, doom scroll votes?
I completely agree with the idea of more accountability. We are real people in acting public right here, we should be constantly aware that our actions have consequences. If you don’t want your pseudonym associated with a vote, don’t do it. It’s kinda like the opposite of 4chan, where instand of anonymous controversial content on top, here we have human-curated content being pushed up.
The problem with every system is it will eventually be broken down by someone smarter and used to manipulate the user-base that grew to trust its safety to market something. Be it ideas or products, the only true safety net we have is a choice in the decision. The second a choice is forced, is the second groups split away. Each user at least deserves the safety of choice if we expect them to trust in any larger system. Decisions being made by a smaller group of individuals for the larger whole, doesn’t exactly have the best history if we look at the world around us. Don’t get me wrong… Trust would be great, but we have to trust that going from one extreme to another will inevitably create a another new problem.
Couldn’t agree more, and if we passed around imaginary gold on Lemmy, I’d give you a dubloon for this.
I’m so, so glad to see I am not the only one that thinks this way.
It’s the lazy drive-by and rage votes specifically that I would love to see eliminated. If you’re too much a coward to defend a position, maybe you shouldn’t express it.
And now I definitely want to see whoever downvoted your post outed as cowards 👍👍
I know, right? It’s like irony is a lost art.
The more I spend time on Lemmy, the more I think it is in a lot of trouble. There are many serious issues that need to be addressed and I don’t see how most of them can be.
Federation is touted as a Good, but has many drawbacks. Privacy (as listed in this post for example) for one, instead of algorithm curated/focused content federated servers each enforce (subconsciously or overtly) a theme, rampant user generation off multiple servers rendering moderation pointless, and so on.
Then there is the rampant issue of moderation abuse. It seems that the only reason to be a moderator is to not be annoyed at other people forcing their opinions on you. This reminder that admins/mods get yet another way to subject the users to their biases is the nail in the coffin IMO. “You vote this way? Banned because my feelings matter more”.
Privacy is important for a lot of people and that is impossible to get on Lemmy unless something drastically changes, but it doesn’t sound like this is will ever happen. The people that can see your data is not under your control at all and I think this fact alone will never allow Lemmy to grow to a place we can be happy with.
If admins can see data without limits, everyone should be able to. All 5 of us once that realization sinks in.
;tldr I don’t think even admins should see peoples data but that seems impossible so…
Keep the Fediverse bot- and troll-free.
The whole idea of being able to behave like a shithead without accountability needs to go.
As with all things you must behave like a shithead in moderation.
Votes should be transparent for everyone. Right now the system assumes that mods/admins are somehow inherently more responsible than the average user, but well, just look at the garbage clusterfuck admin/mod teams of certain instances. You’re telling me you’re gonna trust these people with this information and not everyone else? Get the fuck outta here.
I’m not technical and I’m also not young.
I think anyone coming into an online social platform who thinks that any part of it is private, is too naive and/or uneducated to be using that type of platform.
I’m sure there’s parts of platforms which are private, I just don’t think it’s advisable to assume that at any point.
You’re online, interacting with people. If you wanted privacy, don’t be there doing that. Post and behave as if you are publishing everything to a major commercial physical publication. Every post, every comment, every vote, every blocked user. On every one of your accounts.
Otherwise, you’ll get what’s coming to you. And I’m fine with that.
Yeah. If you’re on a public forum accessible to anyone, which the whole fediverse is, then you should never assume privacy.
Honestly transparency in this regard would be better - they’re already visible to much of the community, so they might as well be visible to everyone.
레미에 대한 공개 투표는 커뮤니티 내에서 투명성과 책임성을 강화하여 사용자가 특정 콘텐츠를 지지하거나 반대하는 사람을 확인할 수 있게 해줍니다. 그러나 이는 또래의 압력이나 원치 않는 감시로 이어질 수도 있습니다. 온라인 상호작용에서 프라이버시와 자유를 원하는 사용자에게는 익명성이 더 바람직할 수 있습니다. 온라인 개인정보 보호 도구에 대해 자세히 알아보려면 챗GPT 를 방문하세요.
레미에 대한 공개 투표는 커뮤니티 내에서 투명성과 책임성을 강화하여 사용자가 특정 콘텐츠를 지지하거나 반대하는 사람을 확인할 수 있게 해줍니다. 그러나 이는 또래의 압력이나 원치 않는 감시로 이어질 수도 있습니다. 온라인 상호작용에서 프라이버시와 자유를 원하는 사용자에게는 익명성이 더 바람직할 수 있습니다. 온라인 개인정보 보호 도구에 대해 자세히 알아보려면 챗GPT 를 방문하세요.
lemie daehan gong-gae tupyoneun keomyuniti naeeseo tumyeongseong-gwa chaeg-imseong-eul ganghwahayeo sayongjaga teugjeong kontencheuleul jijihageona bandaehaneun salam-eul hwag-inhal su issge haejubnida. geuleona ineun ttolaeui ablyeog-ina wonchi anhneun gamsilo ieojil sudo issseubnida. onlain sanghojag-yong-eseo peulaibeosiwa jayuleul wonhaneun sayongja-egeneun igmyeongseong-i deo balamjighal su issseubnida. onlain gaeinjeongbo boho dogue daehae jasehi al-abolyeomyeon chaesGPT leul bangmunhaseyo.
Public voting for Remi increases transparency and accountability within the community, allowing users to see who supports or opposes certain content. However, it can also lead to peer pressure or unwanted surveillance. For users who want privacy and freedom in their online interactions, anonymity may be preferable. Visit ChatGPT to learn more about online privacy tools.
I’m sorry, what?
Spambot
I would rather vote identities being blocked from scraping. I don’t care about other users or admins. I would rather that level of information be unavailable to outside commercial sources, especially any timings based metadata that could be used to derive dwell time and other psychological metrics.
Thats probably a complete nonstarter in a federated network. The metadata needs to be sent via Activitypub, ergo it has to be public.
I think you’re looking for a different type of community then, like an image board.
