We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
You must log in or register to comment.
Cool solution. It’s great to have multiple projects in the fediverse that can experiment with different features/formats.
For those who are concerned about possible downsides, I think it’s important to understand that
- PieFed has a small userbase
- Rimu is an active admin, so if you are attempting to combat brigading or other bad behavior and this makes it more difficult, just send them a DM and they will be happy to help out
This is a good environment to test this feature because Rimu can keep a close watch over everything. We can’t become paralyzed by the hypothetical ways that bad actors might abuse new features or systems. The only way forward is through trial and error, and the fact that PieFed exists makes that process significantly faster and less disruptive.
This is an attempt to add more privacy to the fediverse. If the consequences turn out for the worse, then we can either try something else, or live with the lack of privacy. Either way, we’ll be better off than having never tried anything at all.
Just upvoted myself but nobody else knows 🤫
Edit: Actually I forgot to toggle the setting before voting on my own comment, so admins will see my @imaqtpie@piefed.social account upvoted the parent comment. Worth noting that it needs to be manually enabled.
Then I turned the setting on and voted on a bunch of other comments in this post. My anonymized voting account appears as @hED5TzoZomb@piefed.social, admins should be able to see it by checking the votes in this thread.
Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.
Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.
This puts the privacy shield in the hands of a users instance admin. I like that approach, but I’m sure others will disagree.
This is more or less how it worked on Reddit. The admins handled vote spam or abuse, there was absolutely no expectation for moderators to have that information because the admins were dealing with the abuse cases. Moderators only concerned themselves with content and comments, the voting was the heart of how the whole thing works, and therefore only admins could see and affect them. Least privilege, basically.
I think a side effect of this, though, is that it increases the responsibility on admins to only federate with instances that have active and cooperative admins. It increases their responsibilities and demands active monitoring, which isn’t a bad thing, but I worry about how the instances that federates openly by default will continue to operate.
If you have to trust the admins, how do you handle new admins, or increasingly absent ones? What if their standards for what constitutes “harassment” don’t match yours? Does the whole instances get defederated? What if it’s a large instance, where communities will be cut off?
I don’t ask any of this as a way to put down this effort because I very, very much want to see this change, but there’s gonna be hurtles that have to be overcome
Ultimately I think the best solution would need assistance from the devs but I’m lieu of that, we have to make due.
You wouldn’t dare!
You don’t even need to message an admin. You can just ban the agent doing the voting.
All I see through lemmy.ca View Vote option as an instance admin on the comment I’m replying to.
You’re a hero for making this happen in… 24 hours? 48?
The issue won’t go away, we’ll see how well everyone else deals with it, but this is a super strong argument for your system / server.
(Advertise it. Advertise it HARD. “piefed, we have private votes”.)
While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.
Seems to me there’s still routes to deanonymization:
- Pull posts that a user has posted or commented in
- Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
- if the results aren’t immediately obvious, statistical analysis might reveal your target.
Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.
Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?
It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.
Still, I think it’s enough to be effective most of the time.
Yea, I agree. It’s good enough. Sorry, I didn’t mean to sound like it was a bad solution, it’s just not perfect and people ought to be aware of limitations.
I used a small instance in my example so the problem was easier to understand, but a motivated person could target someone on a large instance, too, so long as that person tended to vote in the posts they commented on.
Just for example (and I feel like I should mention, I have no bad feelings towards this guy), Flying Squid on lemmy.world posts all over the place, even on topics with few upvotes. If you pull all his posts, and all votes left in those posts from all users, I bet you could find one voter who stands out from the crowd. You just need to find the guy following him everywhere: himself.
I mean, if he tends to leave votes in topics he comments on, which I assume he does.
It would have to be a very targeted attack and that’s much better than the system lemmy uses right now. I’m remembering the mass tagger on Reddit, I thought that add on was pretty toxic sometimes.
Also, it just occurred to me, on Lemmy, when you post you start with one vote, your own. I can even remove this vote (and I’ll do it and start this post off with score 0). I wonder how this vote is handled internally? That would be an immediate flaw in this attempt to protect people’s privacy.
Yeah, I think your point is absolutely well made. And it’s a good reason to, even if features like this are implemented widely, we shouldn’t boast too much about voting being anonymous. It’s just too difficult or impossible to make it bullet proof.
I don’t think the automatic upvotes to your own posts count as real upvotes. At least they don’t federate, so they shouldn’t pose too much of a problem. I think they’re just there to keep people from trying to upvote their own content.
Not familiar with how piefed handles it specifically but aren’t posts/comments self-upvoted by default?
You could probably figure it out pretty easily just by looking at a user’s posts, no?
(This is unless piefed makes it so the main actor up votes their own posts, and the anonymous actor upvotes others’ posts, but then it would still be possible to do analysis on others’ comments to get a pretty accurate guess)
Nice, @A_A@lemmy.world, we feeling heard? 😉
Great trial! Will see if you end up feeling a need to iterate sometime later!
@rimu@piefed.social did great on my simple idea and this is very nice to know. He did not implement his other idea of having a pool of available robots that would vote one time each for each one vote of each one user(s) … also I thought it might be implemented in the frontend but he did implement it in the backend.
i did not say before but i was also thinking about complex mechanisms involving some kind of coin that would represent voting power that could be spent when voting or accumulated maybe with some loss of value with time … but then i read about the many research paper that were published about such things … in conclusion i believe we will see many other iterations of such social media.
thanks for the feedback 😌
Awesome! This is the exact stopgap implementation I was arguing for, and I’m surprised how many people kept insisting it was impossible. You should try and get this integrated into mainline Lemmy asap. Definitely joining piefed in the meantime though.
You keep delivering, thank you so much!
Very interesting development, I’ll be curious to see how it ends up working out.
Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.
I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.
If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.
It’s vice versa. In the old good times there was a saying “don’t feed the troll”. Just block him. Downvoting is just a cheap solution for people who cannot justify their argument. Btw, I love to read downvoted comments which are by default ‘hidden’. Most of them are trash but sometimes it’s a valid point but not the very popular one
I’m not sure what you are suggesting. Are you suggesting never using downvotes?
Yes, exactly my thoughts on this. Downvoting is only a measure of crowd censorship based on opinion popularity. If you see some trolls, just block them but don’t hide their posts for other ones who may think on that person views otherwise
Downvotes are part of the whole curation aspect of the site, and it’s a valid part of the democratic system. For all the whining about being “censored” because you got downvoted, there’s countless cases where downvotes influence the sorting algorithm positively.
Garbage shouldn’t sit on the same level as fluff comments no one bothered to vote on.
Millions flies cannot be mistaken. Democratic mob cannot be mistaken. Mobs have never lynched anybody. How ignorant you are in your ego with your “whining” argument
So why be on lemmy then? I really don’t agree with showing votes.
I think it’s better to present a valid point against somebody’s statement than straight down voting without giving a reason “just because don’t like him”. I think it would create positive discussion environment in lemmy. We are here after all to exchange ideas on lemmy. Aren’t we?
While engaging in discussion can be beneficial, it’s important to recognize that not everyone is comfortable/interested in debating every point they disagree with. Downvoting allows users to express their disagreement without feeling pressured to engage in a back-and-forth that might not be constructive.
Additionally, some statements may not merit a detailed response, especially if they are inflammatory, misleading, or irrelevant. Encouraging only counter-arguments could lead to an environment where people feel obligated to justify every opinion, which stifles participation rather than promote a positive discussion.
Look mom, I’m famous!
Is it possible for an instance to send out false vote data that can’t be verified? Lemmy doesn’t seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.
I guess that can happen now anyway as the bad actor can just create their own instance with as many fake accounts as they like. Ultimately it’s still on other instance admins to block the dodgy ones either way.
Yes, a fake instance can spam votes over federation. But usually it’s pretty obvious and easy to block.
Interesting solution 👍 Curious to see how this plays out!
That’s super cool and amazing that you implemented it so quickly.
So now I have a PieFed account :)
That’s pseudonymous!
But all kidding aside, it sounds good
I missed the discussion on voting the other day it seems, but for what it’s worth, I like the voting system. In real life discussions happen in open air, and don’t hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.
When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.
This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.
One of the most interesting and horrible things about the internet is that every village has a “crazy Bob” but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.
Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.
Neat
