Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.
How do mods see them? As far as I am aware, you have to be an instance admin. But it’s not difficult or time consuming to spin one up and I doubt the average user of Lemmy is technically incapable; most of the Fediverse users in general seem to be IT people and developers.
Making a browser addon/extension wouldn’t be too hard if you can get the data somewhere. And then it’s just a click of a button to get the functionality.
Barring setting up an instance or viewing through mbin, I don’t think mods can see them. Only admins.
This is all I see as lead mod of 3d printing. I also checked and desktop is the same both in desktop mobile view and on my laptop.
Yeah, I moderate a few communities and have no idea how to see vote identities.
I suspect you need access to the database.
Looking at the source, “comment_like” seems to be where they’re stored.
someone commented on github (I think it was Desallines) that the vote viewing feature has been available since 0.19.4 . Lemmy world is still on 0.19.3 .
Being able to see the moderation history linked directly to a post was added then - but I don’t see vote viewing nor recall hearing about it, which would have been a huge deal.
Nothing4You commented Aug 14, 2024 •
mods can already see votes in communities they moderate since 0.19.4, so this would be reducing what is visible today:
and
Dessalines commented 5 days ago
I’d like to clarify that mods should only be able to see votes for the communities they mod only.
Admins can see all votes.
I dunno, we’re on 0.19.3 so I don’t see it but I guess it’s there.
https://github.com/LemmyNet/lemmy/issues/4967#issuecomment-2289596923
Ah, mods only, and then only for their own communities - well, still, that’s something (though I’d prefer prefer it opened up for everyone). Thanks for the link.
Wouldn’t it be easier to leave it as an option for each user on Lemmy?
If users want anonymity, let them have it. If they want to share their vote, let them do that. Forcing one option on others without the voice of the usually silent majority isn’t going to fix anything, it’s just going to scare some people away or start posts requesting it private again; or optional.
Not to mention, using this method you will quickly see how many users really wanted this option based on how many leave privacy enabled or disabled, instead of listening to a current vocal minority.
User choice would be best indeed. The problem is that currently the votes are public but hidden from Lemmy regular users. Anonymize votes seems to be such a big problem the devs don’t even want to consider it.
currently the votes are public but hidden from Lemmy regular users
Tough. If you think any action you take on a social media platform is private then you shouldn’t be here.
Whether it is private or not isn’t the problem. It’s people assuming any part of is. Behave or suffer. Just like the real world.
I hear you, but problem or not, the devs shouldn’t be making major decisions for the user base after the fact. Anonymous voting might be a problem at first, but so will people who are broadsided by the decision. Not to mention the users who will use an open voting system to bully users they disagree with. You have to foresee problems will come with any decision, and a percentage of users will flee for each bad, meaning the safest choice is user base safety over forced decisions. Ultimately sad truth is, leaving things as they are is a much easier call for devs.
If votes became truly public, what would stop a malicious user from automating crawling the fediverse to get a list of every up and down vote a targeted user has ever made? Admins can currently do this, I assume given enough time and intent? Yuck.
I really hope a solution is found and if Lemmy goes the way of truly public votes, it would probably turn this into a nonparticipatory medium for me, I’d still read posts but not vote or comment.
Edit: also, most casual Lemmy users aren’t aware of public votes and would be upset that it already works this way, and only particularly invested or curious users are even reading this thread.
If votes became truly public
There’s no ‘if’, they already are.
what would stop a malicious user from automating crawling the fediverse to get a list of every up and down vote a targeted user has ever made?
The same thing currently stopping them: nothing but time and effort.
Admins can currently do this, I assume given enough time and intent? Yuck.
No, anybody can currently do this.
That’s the issue with decentralisation. The info is out there. It’s that or trust a megacorp with it.
There’s nothing stopping a malicious user from doing that right now. Be aware that anyone who wants can already see your votes.
No, it would encourage irresponsibility which already seems a major issue with lemmy.
if I leave it there. It’s because it’s not foul enough to warrant a ban but I don’t want to press a little green check box explicitly endorsing its existence. I have been here the whole time :/ Yal couped me
deleted by creator
They should just stay mostly hidden as they are now. I was harassed 3 times while using kbin for my voting habits. When I brought it up to ernest, him and mostly everyone else defended it, even though at the time I was actively being annoyed by someone.
It’ll make less people vote in the long run and will scare people off.
Nothing worse than hopping on something I do for leisure to realize that thread I voted on a week ago has now come back to bite me in the ass because the OP decided to go on a crusade and harass everyone that downvoted them.
yep, tyranny of the majority is still tyranny. It’s worth defending the 3% who disagree with the majority opinion cause, more often than not, sometimes the majority is wrong…
Defending the secret vote is the key to a functioning democracy, without it you just get cliques and in-groups who bully the outsiders. No one wins in that scenario, as critical thinking and critique are actively discouraged.
Even for delusional tech bro bullshit, the idea that public voting on an anonymous forum will do anything other than create drama is pretty fucking detached from reality.
If OP mass-downvotes you, then ban them. As it is, you have the ability to mass-downvote them, without them even knowing that it is you doing it. Or maybe you wouldn’t do that, but some would - I hope you see how unequal that relationship is.
Please be vocal about this because I’ve seen two people say they didn’t see this behavior. ❤️
Yes, and this would be fairly easy to make them at least pseudonymous without even needing to modify activitypub itself.
That said, I still don’t support anything which lowers the friction of vote stalking like exposing votes in even more places. Technically people can look up my address from my license plate number if they really care to, but that doesn’t mean I want to list it in bold letters on my windshield.
I still don’t support anything which lowers the friction of vote stalking
I don’t follow, what are people going to do from being able to see votes that they can’t do by seeing your posts?
For starters datamining my voting patterns for building a deeper interest profile. It should be pretty obvious how this works in terms of user fingerprinting, and the ultimate monetization of Lemmy data. It would be super naive to think that Lemmy will be the one web space immune to this kind of thing. I guarantee you meta already has an army of silent instances doing this.
Worst case scenario, legit state actors use it to target deanonymization attacks at dissidents. I would not be shocked if the …usual suspects… Are engaged in this kind of thing.
datamining my voting patterns for building a deeper interest profile.
They can already datamine your posts.
But not my votes.
If I understand correctly they already can. It’s not user-facing, but votes are federated if I understand correctly.
Yes, that is why I am arguing in favor of an additional layer of pseudonymous voting.
Incorporating that in a way that doesn’t allow for vote manipulation by just lying to a server that different “anonymous” users have up or down voted a post sounds incredibly difficult, and not worth it for the narrow use case of “prevent my votes from being data mined even though all my comments can.”
For anyone interested, there are a few papers on cryptographically secure voting, where both voter anonymity and election integrity are preserved.
Most designs consider three separate entities, where if you accumulate the information between those entities you would be able to identify a voter and his vote, but each entity on itself does not hold enough information.
The problem isn’t keeping votes anonymous, that’s easy. The problem is bots/spam. You could just create a new instance and then upvote a post from another instance a thousand times. If the votes are anonymous for the other instance it’s tough to say if they are genuine users or just bots.
That’s the main issue here, when votes are anonymous you could easily just spam votes with no way to trace it back. If it’s a rogue instance then fine, you can ban the whole instance. But imagine if lemmy.world starts using fake votes in the background towards other instances.
What keeps from doing that right now? You can just create an instance and bot accounts on that
It would be damn easy to look up the instance and their “users” and see that the users are not genuine. Then ban the whole instance.
If you are worried about duplicates, aka a single bot spamming multiple votes, then that’s feasible to mitigate.
If you are worried about multiple bots spamming one vote each, that’s harder to mitigate and it comes down to how the instances handles bot accounts in general. IMO it’s best to ignore the bot problem and instead focus on designing a vote weighting system that favors similar instances.
designing a vote weighting system that favors similar instances
Would make the whole thing even worse, as I could create several new instances with 10 bot users each, then hammer out the votes.
The entire problem is that you can’t trace back each vote to a genuine user. It would be bad in case of fake instances that create 100 user accounts and upvote/downvote stuff, but you can ban the instance. It would be a disaster if a big instance creates fake votes (like lemmy.world suddenly adds 1000 fake users and uses them to manipulate other instances, if votes were anonymous you couldn’t check if it’s genuine lemmy.world users or fake accounts).
That’s interesting. I have read multiple comments to the effect that it would not be possible for lemmy to implement anonymous voting because the underlying ActivityPub protocol does not support it. So it sounds like solutions do exist, although I suppose the effort required to modify ActivityPub is too much, more likely the feature will be included in some successor to the fediverse.
Thanks @[email protected],
i believe many users will be interested in these papers about cryptographically secure voting.Amongst them there would be :
@[email protected]
@[email protected]
@[email protected]Not sure if you are being sarcastic or not but I found this review.
https://www.mdpi.com/2073-8994/14/5/858
I had done some research about a year ago, but I don’t have the papers saved.
No I was not sarcastic. So now i am trying to read your paper and i think that it is above my knowledge level.
As a layman i had the intuition that instead of having two accounts as i proposed for voting and commenting which was implemented by @rimu, we might have had something like blockchain or filecoin or some coin that would represent voting power and that would be based on our commenting value… so that coin would have been an intermediary to make voting anonymous.
Finally i know enough about science that i know that i don’t know much.
Edit : after a rapid overview of the article i would say that this method :
“Blind Signature-Based e-Voting”
would be most appropriate to our social media voting and i noticed the work they have done is more targeting national elections where the outcome is much more important.
This isn’t going to solve anything. Cryptographically secure voting helps when you can ensure that each person only gets to vote once. But anyone can just sign up for more accounts or make loads of bot accounts and vote multiple times. This solves nothing.
Wow neat!! Eating our cake & having it
Thanks @[email protected]
I am the admin of a website where we have a place where our users can post custom content and rate the content of others.
We have discussed how it works and should work many times and came to the conclusion that we’d never want it to be public. Any report of abuse will be checked by the website owner directly in the database and even admins don’t have full access. Everybody tries to stay as far away from the personal ratings as possible.
We also noticed that it would be a lot more fragile when there are not many voters. A whole group that is negative about something wouldn’t get as much harassment as a single person having a unique opinion.
On our website we have a comment section that isn’t anonymous, and we even noticed that people often don’t post something negative when it would be obvious that they are the only one who has voted/rated something. (“Negative” is almost always constructive in our case)
These are just a few things that I think add to this discussion.
When I first signed up for reddit, the upvotes and downvotes were not only separately tallied, but also showed the usernames of the most recent people who did them if you hovered over the button. Then very shortly after that they changed it so that it made votes private by default, and you could override it in the settings, but almost nobody went to check that box back on. Eventually, they completely removed that feature around the time upvotes and downvotes were combined into one. which along with vote fuzzing was one of the worst changes to reddit comments, imo.
Lemmy feels like old reddit right now, which is a great spot to be in. I don’t think you necessarily need public vote info, but maybe it could be enabled on a per-community basis? I can see some communities like politics not wanting to add additional drama to the equation while other more content driven communities might enjoy knowing who was giving the feedback.
Vote fuzzing is the worst. Reddit said their main reason for implementing it was to prevent vote manipulation… seriously? Vote fuzzing laid the groundwork for vote manipulation.
Do you mean manipulation from the admins? Because from the spammers perspective not being able to see if your votes went through is pretty inconvenient
Unlike commenting and posting, which offers the who, what, where, and when parts of the message passing process, voting on Lemmy (now, for non-admins) is inherently an unequal process. Imagine if someone could send you an email whenever they wanted, but you were prevented from knowing who or even from what instance it is from, or when it was sent, do you think that could open up a potential for some variety of abuse? Or texting, phone calls, showing up at your door, etc.
Knowing the identity of the voter is an important part of properly receiving the “message”. It also increases freedom of choice, b/c otherwise the only way to prevent such messages (if, let’s take it as a given that some people find them annoying) would be to turn off voting entirely, either by going to one of the instances that does that, or just ignoring all (down-)votes yourself.
If we want the Fediverse to grow, and in particular to include less emotionally stunted humans that actually care when someone says something about them, good or bad, this will be a necessity. (Also, I was speaking tongue-in-cheek there, but genuinely social standards do vary across this wide world, and it really would increase content if there were not only more but different types of people, especially those most likely to generate quality content.)
And as other non-Lemmy methods of access to the Fediverse provide that feature - k/mbin, piefed, sublinks - Lemmy will fall increasingly behind if it were to ignore this very basic feature.
Making the votes public also increases honesty, since they are already public now. And if you don’t want to know who down-(up?-)votes you then… don’t look? But for those who want to know, it will be a great feature to have.
I would rather vote identities being blocked from scraping. I don’t care about other users or admins. I would rather that level of information be unavailable to outside commercial sources, especially any timings based metadata that could be used to derive dwell time and other psychological metrics.
I think you’re looking for a different type of community then, like an image board.
Thats probably a complete nonstarter in a federated network. The metadata needs to be sent via Activitypub, ergo it has to be public.
Eh, I don’t personally care.
But it could lead to nastiness as lemmy expands. If enough people go to the trouble of looking it up, you get some of them being assholes because people are prone to being assholes. That leads to drama. Drama leads to nastiness and worse things sometimes.
If that’s going to be part of how lemmy works, so be it, I’m way too old to skip using a block list for assholes. But it might bite federated services in the ass, so it probably should be on the list to get implemented.
How about pseudonymous as a compromise? Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.
It might be theoretically possible to correlate the uuids with an account’s activity and dox the user in some cases, especially with some instances having a single user, but it would be very difficult or impossible to do on larger instances and would add an extra layer. Single user instances would be kind of impossible to make totally private anyway because they can be identified by instance.
Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.
The issue with that is with malicious instances that could engage with vote manipulation by just generating new IDs and voting for whatever they want. If you can’t look back at the profile and determine whether it’s a real, non-spam account, it’s a pretty big issue unfortunately.
You also have an issue where someone could potentially vote with “your” ID without any way to detect that it’s not actually “you” who sent the vote.
Yeah, that’s fair enough, though I’m not sure it’s very different from malicious instances creating normal user accounts?
You can see when users from an instance are all suspiciously voting the same way at the same time regardless of whether they are usernames or IDs.
There’s lots of legitimate users that only vote but never post so doing it based on that doesn’t seem very effective?
The second problem is solved using public key cryptography, the same way that you can’t impersonate someone else’s username to post comments. Votes and comments are digitally signed (There would need to be a different public key for voting to maintain pseudonymity though).
they could do similar to another platform had done, which is tie voting to a shadow account that only the instance admin team can link to a user, this allows for moderation while providing the ability for obscurity.
I still disagree it should be public in the first place, but I know it’s a hard requirement for federation so it’s unlikely to become more concealed
