Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.
You must log in or register to comment.
Should the Lemmy devs create a way to make the votes anonymous?
I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.
Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
I left a long comment in the other thread which I will link in a moment, but I think either
- We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
- We make it public for everyone and take steps to deal with the new issues that it could cause
Other comment on the benefits/issues: https://lemmy.ca/comment/11097046
The current trust model already relies on a user’s home instance accurately reporting user activity and not injecting fake activity. Hiding real user votes behind pseudonymous tokens doesn’t change that at all.
As far as I can tell, the activity ranking algorithms don’t actually differentiate between up and down votes anyway. All votes are considered engagement.
I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.
I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.
And that is still possible with pseudonymous tokens votes. You just end up banning tokens for malicious voting activity, and users for malicious posting activity. It’s at best a very mild adjustment to moderation workflows.
How does this work? The community issues federates votes but with a linked token instead of a linked user? How do you track vote manipulation across different communities on different instances?
As far as I understand it all activity originates from the home instance, where users are interacting with federated copies of posts. The unique user token from a well behaving instance follows the user across the fediverse, allowing bulk moderation for voting patterns using that token. The only difference is that it is not explicitly tied to a given user string. That means moderation for vote manipulation gets tracked via a user’s vote token, and moderation for trolling/spam/rule violations happens via their display name. It may be possible that a user is banned from voting but not commenting and vice versa. It’s is a fairly minor change in moderation workflow, which brings a significant enhancement to user privacy.
Under activitypub, a lemmy community is kind of like a user (actually an activitypub group). When I post here with my lemmy.nz account to this lemmy.world community, lemmy.nz sends my comment to lemmy.world who then sends it to sh.itjust.works for you to see. The community is the controller of all interactions within the community. In this case, lemmy.world is the official source of how many upvotes this post has. And each vote is validated using the user’s public key to ensure it actually came from that specific user - a standard part of ActivityPub.
So would lemmy.world assign a token for your votes? If your instance assigned the token, Lemmy.world would not be able to validate against your user’s public key. If Lemmy.world assigns the token, it would only be valid in lemmy.world communities, as other instances would have to assign their own token. And both sh.itjust.works and lemmy.world admins could still see the real association.
Also, changing how votes work would break compatibility with other ActivityPub software (e.g. Mastodon could no longer interpret an upvote as a favourite, Mbin would’t be able to retrieve any data about the votes unless they specifically changed to work in the Lemmy way instead of using standard ActivityPub).
Worst case scenario, there is an entirely separate, tokenized identity for votes which is authenticated the exact same way, but which is only tied to an identity at the home instance. It would be as if the voting pub is coming from user:socsa-token. It’s effectively a separate user with a separate key. A well behaving instance would only ever publish votes from socsa-token, and comments from Socsa. To the rest of the fediverse socsa-token is simply a user which never comments and Socsa is a user which never votes.
I am not sure key based ID is actually core to AP anyway. The last time I read the spec it kind of hand waved identity management implementation.
Well hey, sounds like you might be able to help. Lemmy devs are actively soliciting opinions on lemmy votes, maybe you could have a say? Most of the comments are around “votes are already sort of public” therefore either a) make them actually public so we aren’t pretending they aren’t, or b) keep them hidden, a little less public is better than completely public.
Perhaps you can come in with a c) option to make votes even less public?
If that were to happen, the receiving end wouldn’t know who sent which vote, thus making spamming extremely easy.
I did think of a few ways round it (in kbin/mbin) a year or so ago. But, it wouldn’t work unless everyone using ActivityPub recognized it. It’s also really a small problem in reality. It’s likes and dislikes.
Sure, if and when we get the ability to ignore federated votes
1 I had assumed votes were private 2 If I don’t hear soon that votes are private, I’ll simply stop participating and return to lurking. I’ll eventually just wander off to the next thing that doesn’t expose my votes to potential bots and/or abusive actors.
I think most users assume votes are private and most will have a similar reaction to learning about this unintuitive negative feature of anything built on ActivityPub, including Lemmy.
I think it is worth reading the actual discussion on github. Having votes public and having them visibly public on the web interface has compelling reasons. Namely enshittification hardening.
It’s also quite natural to stand by your words (or vote). I personally don’t think people should feel like the internet is their anonimized alt character of life. And if they need/want that, just do a throwaway account and hard vpn. Otherwise NSA (or equivalents) track us anyway.
Your votes are as public as your posts. I see you have no problem posting so I don’t understand what the issue is.
The issue is that currently someone can behave as a shithead via voting, even if not comments, with little fear of reprisal or even discovery.
How does one “behave as a shithead via voting”? If someone decided to waste their time following me around Lemmy and down voting my posts it’s not going to do very much.
The effectiveness of the shitheadiness is a separate matter from its identity:-). If someone were to say downvote literally everything you ever did, within seconds of you doing it, and regardless of content, then that would be a shitty thing to do.
Sometimes you might want to show support for something but do so privately, without others knowing it’s you in particular supporting that.
You are doing it privately. Nobody knows who amju_wolf is, or where they live.
It’s very easy to find my IRL identity, and even my online pseudonym (well, both of them) have so much stuff tied to them that they are effectively my real identities. They are very much public, and definitely not anonymous.
Then I’d be more concerned about that and your posts rather than if you happened to up or down vote something.
Right? Big whoop, votes are public. Oh no, people might find out I’m an an-com from my voting patterns, instead of from my comments
One benefit to vote transparency for admins is mod monitoring options.
Reddit is infested with vote manipulation via bots. At least on the Fediverse it seems like both admins and mods might have more options.
Overall my opinion is irrelevant, however, I think there is a huge difference in knowing a person votes vs how a person votes. The how should not be public, imo.
No, but they should be public to everyone, and not hidden unless you jump through hoops.
At least NOW I can find out exactly who can call me out for saying something stupid, and thank that person for providing me with valuable information and knowledge.
Downvotes are actually kinda useful, even I benefit from them.
In LiveLeak all votes were public. What happened was a lot less downvoting, but also aggrevated users would stalk your page and leave mean messages if you downvoted their comment.
On the other hand, it was really easy to spot trolls trying to manipulate the narratives, Hasbarah and Russian trolls were really active on LiveLeak. This allowed me to block them and keep them from bombing my comments anytime I said something critical.
I actually didn’t notice that it could REALLY go wrong.
How about pseudonymous as a compromise? Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.
It might be theoretically possible to correlate the uuids with an account’s activity and dox the user in some cases, especially with some instances having a single user, but it would be very difficult or impossible to do on larger instances and would add an extra layer. Single user instances would be kind of impossible to make totally private anyway because they can be identified by instance.
Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.
The issue with that is with malicious instances that could engage with vote manipulation by just generating new IDs and voting for whatever they want. If you can’t look back at the profile and determine whether it’s a real, non-spam account, it’s a pretty big issue unfortunately.
You also have an issue where someone could potentially vote with “your” ID without any way to detect that it’s not actually “you” who sent the vote.
Yeah, that’s fair enough, though I’m not sure it’s very different from malicious instances creating normal user accounts?
You can see when users from an instance are all suspiciously voting the same way at the same time regardless of whether they are usernames or IDs.
There’s lots of legitimate users that only vote but never post so doing it based on that doesn’t seem very effective?
The second problem is solved using public key cryptography, the same way that you can’t impersonate someone else’s username to post comments. Votes and comments are digitally signed (There would need to be a different public key for voting to maintain pseudonymity though).
they could do similar to another platform had done, which is tie voting to a shadow account that only the instance admin team can link to a user, this allows for moderation while providing the ability for obscurity.
I still disagree it should be public in the first place, but I know it’s a hard requirement for federation so it’s unlikely to become more concealed
Keep the Fediverse bot- and troll-free.
The whole idea of being able to behave like a shithead without accountability needs to go.
As with all things you must behave like a shithead in moderation.
Votes should be transparent for everyone. Right now the system assumes that mods/admins are somehow inherently more responsible than the average user, but well, just look at the garbage clusterfuck admin/mod teams of certain instances. You’re telling me you’re gonna trust these people with this information and not everyone else? Get the fuck outta here.
Wait a minute, so any admin can see which posts do I upvote/downvote?
Furthermore, anyone can spin up a Lemmy server if they want to see people’s votes. It’s not very hard or load the same post in kbin/mbin.
yes, and any instance owner on any federated instance. Oh, and anyone on Kbin.
I’m an instance owner and mod. I’ll describe what we see.
Like anyone else, I can check a post or comment and see the upvote and downvote counts. If I click on a specific menu item by a post or comment I can also see who voted which way.
I check it often and to date have only banned two users, out of thousands, who were consistently downvoting posts. These bot accounts were literally voting within seconds of the post going federated.
It’s a useful feature on my end and I think others should be able to see it.
I agree! I believe seeing who upvoted or downvoted a post aids in identifying rabid downvoters and bots. However, I personally use mobile Lemmy apps and am unable to access that data.
Thamk you for the insight, instance administrator views are valuable and unique.
At the risk of sounding like I’m presenting a bad faith argument, why ban them? I don’t like the whole “free market” analogy but surely it’s one of the liberating features of federated servers, being able to to largely express your votes or content as you see fit within the legal framework of the host nation. Wouldn’t the odd one or two mass downvoters/upvoters/theyvoters ultimately be a statistical abberation or is the fediverse still small enough for this sort of shit to carry weight?
Open criticism of my view welcome, as always!
If votes are anonymous and federated, it’s very easy for me to add or subtract 900 votes from whatever I want.
You should consider anything you do on social media to be public. Even if Facebook tries to claim that it’s not.
Oh I like a pessimistic view - partly because it makes a discussion spicier, but also because it’s important for a user to understand the power that an instance owner wields!
Lemmy downvotes really have no consequences though, besides user ego.
They’re purposely disruptive to the community, they are not part of the community.
That’s a strong viewpoint and I appreciate where you’re coming from, but how many votedicks does it take to derail a post? I appreciate the fediverse is reasonably small in comparison to othe headline social media sites, but does banning one or two bots or people do enough to save posts from getting bombed?
If it’s early? One.
with *nz content on my instance, very few
why ban them?
They were describing someone who downvoted everything seconds within the post arriving.
Admin of a small instance, I have banned 2 accounts for another instance that were downvoting almost all content in a threads without any other interaction. They were being disruptive to the flow at the time, much like @ericjmorey@discuss.online describes.
Oh man, this is awesome - it’s wonderful hearing from the practitioners of the art!
I’m just trying to figure out what driver establishing the tipping point for breaking or the ban hammer - is there any empirical data to drive these decisions, or is the fediverse user base small enough that you act on “feel” or “professional instinct”?
Managing emerging technologies fascinates me so any input - including the germs you’ve already volunteered - is very much appreciated 👍
For me and my (very - it may be down to just me logging in, but a couple of the communities have a few people that read/vote) small instance it comes down to feel (“Don’t be a dick”). Dave, the admin of lemmy.nz (about 80 users per week) has the same in their side board as their “Rule”. Dave and I set up our *nz instances in the same week and we chat often. He might not be quire as quick with the ban hammer as I might be though.
When you are this small even a small outside problem can have huge effects on your instance
Yes, by looking in the DB or the data that’s federated as it comes through
There’s now a UI feature that allows admins to see votes without needing to manually query the database
For what it’s worth, admins/employees on Reddit (or any other website) can also see upvote records.
this is different, oc is talking about “any admin”. Anyone can make a lemmy server and become a server admin from which they might be able to see the voters
Yep and they ban people as they see fit, across different communities, based on votes anywhere
Yep. On kbin I think any user can too.
On mbin users can only see who upvoted a post. An admin can of course still go into the db and look there, but for users and mods there is no way to see who downvoted a post
There is a “Reduces” tab on mbin, which shows downvotes
There was and is not anymore
Then maybe it is still around on some instances?
Either way, it is only a matter of time for another fediverse software to show downvotes, or someone to spin up a vote info page which gets its information via undisclosed legitimate fediverse instances so you cannot defederate them.I was actually the one removing it. I implemented the support for incoming downvotes and because I and others had concerns to keep showing remote users downvotes publicly we / I removed it.
That’s a pretty reasonable compromise, and probably explains my confusion.
Why didn’t you do the same for remote upvotes?
What you upvote/downvote, when you upvote/downvote. With some database queries, they can also read DMs that are on their server (i.e. if you message someone on my server).
You can see who upvoted a post by putting the URL to the post or comment into any connected mbin server and clicking “favorites”. Downvotes are restricted by default (but admins can see those of course).
The only information admins can see is the information on their server. For Lemmy, that means a server would need to be subscribed to all communities you’re active in for that information to be available. If you want I can DM what upvotes of yours my server knows about.
Votes should absolutely be public. They were on KBin, and it made people more civil for it because you could be shamed if you were dislike trolling or liking all of your own posts/comments to make them look better (which is something you actively have to do on here, unlike Reddit).
Given this place is pseudo-anonymous anyways, and people comment far more personal and identifiable info here anyways (which tbf you should be careful about), I think public votes would do much more good than harm.
Eh, I don’t personally care.
But it could lead to nastiness as lemmy expands. If enough people go to the trouble of looking it up, you get some of them being assholes because people are prone to being assholes. That leads to drama. Drama leads to nastiness and worse things sometimes.
If that’s going to be part of how lemmy works, so be it, I’m way too old to skip using a block list for assholes. But it might bite federated services in the ass, so it probably should be on the list to get implemented.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users.
Why would you even want anonymous votes but not anonymous comments?
The former is as good\bad as the latter.
I know they were already technically public. I think they should be shown.
