We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
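The actor split described in the post above, sketched in Python as an added example (not PieFed's own code). The instance URL, the `/u/` path scheme, the random naming of the anonymous actor and every class and function name here are assumptions made for illustration.

```python
import secrets

INSTANCE = "https://piefed.example"      # assumption: placeholder instance URL
VOTE_TYPES = {1: "Like", -1: "Dislike"}  # ActivityStreams types used for votes
ANON_TARGETS = {"lemmy", "mbin"}         # per the post: votes sent to Lemmy and Mbin


class Account:
    """One login that controls two actors: a main profile and a voting profile."""

    def __init__(self, username, display_name, bio, vote_privately=True):
        self.username = username
        self.display_name = display_name
        self.bio = bio
        self.vote_privately = vote_privately
        # Assumption: the anonymous name is random, so it cannot be derived
        # from the username. It is generated once and never rotated, which
        # keeps "one and only one anonymous profile per account".
        self.anon_name = secrets.token_hex(8)

    def main_actor(self):
        return {"type": "Person",
                "id": f"{INSTANCE}/u/{self.username}",
                "preferredUsername": self.username,
                "name": self.display_name,
                "summary": self.bio}

    def anon_actor(self):
        # Same kind of actor document, but with no user-provided PII.
        return {"type": "Person",
                "id": f"{INSTANCE}/u/{self.anon_name}",
                "preferredUsername": self.anon_name}


def build_vote(account, object_url, direction, target_software):
    """Build the vote activity that is federated to a remote instance."""
    use_anon = account.vote_privately and target_software in ANON_TARGETS
    actor = account.anon_actor() if use_anon else account.main_actor()
    vote_type = VOTE_TYPES[direction]
    return {"@context": "https://www.w3.org/ns/activitystreams",
            "id": f"{INSTANCE}/activities/{vote_type.lower()}/{secrets.token_hex(8)}",
            "type": vote_type,
            "actor": actor["id"],   # the only field that differs from a public vote
            "object": object_url}


class AdminLookup:
    """Table held only by the home instance: anonymous actor URL -> account."""

    def __init__(self, accounts):
        self._by_anon = {a.anon_actor()["id"]: a for a in accounts}

    def resolve(self, actor_url):
        account = self._by_anon.get(actor_url)
        return account.username if account else None
```

A remote instance sees the same anonymous actor URL on every vote from one account, so it can still count and ban per voter; only the home instance's lookup table connects that URL to the posting profile.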
Neat
Interesting solution 👍 Curious to see how this plays out!
I’m surprised most people are against public votes. Most people already seem to have an anonymous account via some weird username not connected to their real identity already. What difference does it make that votes can be viewed, other than for transparency during discussion?
Maybe I’m the odd one out that uses my real name on the Internet and generally try to behave/vote the same as I would in person, but it seems weird wanting a hybrid account that’s private (votes), yet not private (comments).
When you comment you make a conscious decision to put your opinion out there and sign it with your “name” (or alternatively you switch to a “burner” account and do it pseudonymously).
But when you vote for stuff it’s often without much thinking, and it’s private on pretty much every other platform. Where it isn’t it’s usually blatantly obvious that that is the case.
What difference does it make that votes can be viewed, other than for transparency during discussion?
There are many reasons that have been stated time and time again; one is simply that people may wish to stay anonymous when supporting certain opinions.
To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.
To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.
I guess I’m just of the opinion that if someone has that concern, they should rethink how they use social platforms and maybe look into creating a more anonymous profile that suits their need better.
But now we are just down to differing opinions, which is all fine to have, I won’t claim my thoughts are the best one.
I have felt the want to have a more anonymous profile from time to time since being an admin means I need to avoid controversial topics, but it isn’t any more difficult than simply not engaging with it.
I think this approach kinda fixes that issue though, no? You can use it the way it is now, and others can be anonymous.
I mean it would be also nice if you could log into multiple accounts and easily switch between them for each vote and comment, but this is also good, IMO.
Admins need a way to track votes to detect abuse/bots though. And anyone can be an admin if they set up an instance, so votes will still be public.
That’s what PieFed changes though. You can still track how someone votes, but you can’t tie it to a specific profile (without doing some extra analysis and even then you can’t be completely sure).
Or, with my suggestion, you could track how that specific account votes, but it would be easy to obfuscate who exactly it is and (hopefully) impossible to track to the user’s other identities.
That’s what PieFed changes though. You can still track how someone votes
You need a way to identify which profile is tied to the vote profile so that you can deal with the root account.
Ok, then you can keep your votes public and others who don’t want that have an option as well. Everyone is happy. There is no conflict here.
If votes were anonymous here, I might “come out” as my professional self and share more from my resources that can be used to identify who I am.
I’m concerned that my voting pattern is probably already being collected to build a profile on MajorHavok, to decide whether MajorHavok should be favored or disfavored in anything owned by old Elon or Zuck or Bezos.
Elon is a fuck up, but he still owns a lot of places that I might need to use for my work.
So, for now, it’s pretty important to me that MajorHavok and John Jacob Jinglehimer Schmidt are kept as separate identities, so that John’s employability where Elon/Zuck/Bezos has influence will remain unaffected.
Hmm, I can understand how someone can be concerned about that, but personally I find it too theoretical and unlikely to matter.
Any company wanting to harvest data from the fediverse would likely just create their own instance to easily copy the databases from every major instance, private voting wouldn’t help against that. I would also say that your comment would be a thousand times more damning than upvoting every comment/post critical of Musk.
If you only lurk, you will stay anonymous as long as you use an anonymous username. If you comment, you are way more likely to “leak” your opinion through comments anyway.
But those are just my thoughts, I might be way off base and lack the full range of perspectives.
I would also say that your comment would be a thousand times more damning than upvoting every comment/post critical of Musk.
Yeah. If I were out as my real name, John Jacob Jinglehimer Schmidt, then I wouldn’t make these comments.
In addition to that, I guarantee you that meta and the like are already running data mining instances on here. Being publicly tied to votes is just more telemetry for the machine. I don’t quite understand why people seem to think that is no big deal.
I’m surprised most people are against public votes.
It’s okay that you don’t understand why, but it would be best to learn why anonymity is a key requirement for voting freedom, be it in the polls or on social media.
Votes don’t break the anonymity is my point. You achieve anonymity by using a fake name and not sharing too much personal information in your comments. No amount of voting will reveal that fj4j2l32@instance.com is Jonathan Brown from Newcastle.
Awesome! This is the exact stopgap implementation I was arguing for, and I’m surprised how many people kept insisting it was impossible. You should try and get this integrated into mainline Lemmy asap. Definitely joining piefed in the meantime though.
Oh god…I’m Charlie Kelly.
I read that as “Pirate voting”.
You’re a hero for making this happen in… 24 hours? 48?
The issue won’t go away, we’ll see how well everyone else deals with it, but this is a super strong argument for your system / server.
(Advertise it. Advertise it HARD. “piefed, we have private votes”.)
I missed the discussion on voting the other day it seems, but for what it’s worth, I like the voting system. In real life discussions happen in open air, and don’t hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.
When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.
This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.
One of the most interesting and horrible things about the internet is that every village has a “crazy Bob” but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.
Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.
Very interesting development, I’ll be curious to see how it ends up working out.
That’s super cool and amazing that you implemented it so quickly.
So now I have a PieFed account :)
So I’ve been thinking about this and I would go for a different approach.
Admins can set voting to be public or private on a server wide level.
When users vote, a key is created as the userid
The votes table is essentially: voteid, postid, userid, timestamp, salt, public
If the vote is private, userid is salt(userid, password)
And it’s that simple.
@dullbananas@lemmy.ca does the design hold up?
This might work well with a separate per-user random secret value instead of the password.
Overall the vote privacy issue is a tough dilemma for me.
With the user id being salted it’s going to be different every time. This means it’ll be difficult if not impossible to monitor voting trends or abuse.
Also how would you use the password unless it was stored in the clear. If it’s based on a pre-salted tuple, how does one handle password changes?
Dammit! Okay, cancel the salt idea. How about just a simple md5() and then it should remain a static value right?
Let me change my password real quick…
Just add a function so when you change your profile, it also pulls all records that match md5(userid, password) and then update them records too.
Though I’m convinced the overarching logic is correct, this is not my wheelhouse, so I’m probably wrong.
You’d need to federate that, and I don’t think AP allows you to change federated user IDs.
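The three ID schemes debated in this sub-thread, compared side by side in an added Python example (not code from any of the projects discussed). The function names are hypothetical, SHA-256 for the salted variant and HMAC-SHA256 for the per-user-secret variant are choices made here, and the user ID and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets


def salted_id(user_id, password):
    """First proposal: a fresh salt stored with each vote row."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + f"{user_id}:{password}".encode()).hexdigest()
    return digest, salt


def md5_id(user_id, password):
    """Second proposal: unsalted md5 over userid and password.
    Needs the plaintext password at vote time, as the reply points out."""
    return hashlib.md5(f"{user_id}:{password}".encode()).hexdigest()


def secret_id(user_id, user_secret):
    """Suggested variant: keyed hash with a per-user random secret that
    never changes and is stored only on the home instance."""
    return hmac.new(user_secret, str(user_id).encode(), hashlib.sha256).hexdigest()


def voter_ids(scheme, n_votes=6, change_password_at=3):
    """IDs written to the votes table for ONE user who casts n_votes votes
    and changes their password just before vote number change_password_at."""
    user_id, password = 42, "old-password"   # constructed sample values
    user_secret = secrets.token_bytes(32)    # generated once at signup
    ids = []
    for i in range(n_votes):
        if i == change_password_at:
            password = "new-password"
        if scheme == "salted":
            ids.append(salted_id(user_id, password)[0])
        elif scheme == "md5":
            ids.append(md5_id(user_id, password))
        elif scheme == "secret":
            ids.append(secret_id(user_id, user_secret))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return ids


def apparent_voters(scheme):
    """How many different voters an analyst sees for that single user."""
    return len(set(voter_ids(scheme)))


if __name__ == "__main__":
    for scheme in ("salted", "md5", "secret"):
        print(scheme, apparent_voters(scheme))
```

One real user shows up as six voters under per-vote salting, as two under md5 once the password changes, and as one under the per-user secret, which is the only variant that keeps per-voter trend and abuse analysis intact.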
This is quite a smart solution, good job!
I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.
This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.
It’s a step backwards
I’m going to have to come up with set criteria for when to de-anonymize, aren’t I. Dammit.
In the meantime, get in touch if you spot any bigot upvotes coming from PieFed.social and we’ll sort something out.
The problem is, it’s more than just the upvote. I don’t ban people for a single upvote, even on something bigoted, because it could be a misclick. What I normally do is have a look at the profiles of people who upvote dogwhistle transphobia, stuff that many cis admins wouldn’t always recognise. And those upvotes point me at people’s profiles, and if their profile is full of dog whistles, then they get pre-emptively instance banned.
Ahh, right, got it.
Let’s keep an eye on this. I am hopeful that with PieFed being unusually strong on moderation in other respects that we don’t harbor many people like that for long.
This is great
So you can still ban the voting agent. Worst case scenario you have to wait for a single rule breaking comment to ban the user. That seems like a small price to pay for a massive privacy enhancement.
I don’t think you do. Admins can just ban the voting agent for bad voting behavior and the user for bad posting behavior. All of this conflict is imagined.
Yea, which is why I think the obvious solution to the whole vote visibility question is to have private votes that are visible to admins and mods for moderation purposes. It seems like the right balance.
It will be difficult to get the devs of Lemmy, Mbin, Sublinks, FutureProject, SomeOtherProject, etc to all agree to show and hide according to similar criteria. Different projects will make different decisions based on their values and priorities.
…and it still doesn’t solve the issue that literally anyone can run their own instance and just capture the data.
The OP discusses exactly a solution to the anyone setting up an instance to capture the data, because the users home instance federates their votes anonymously.
There may be flaws in it, but that’s exactly what it aims to solve.
Plus, if you know your votes are public, maybe it’ll incentivise some people to maybe skip upvoting that kind of content. People use anonymity to say and promote absolutely vile things that they would never dare say or support openly otherwise.
whilst doing nothing to protect them
Well it also takes away a tool that harassers can use for their harassing of individuals, right? This does highlight the often-requested issue of Lemmy needs better/more moderation tools though.
If public voting data becomes a thing across the threadiverse, as some lemmy people want.
Which is why I think the appropriate balance is private votes visible to admins/mods.
Admins only. Letting mods see it just invites them to share it on a discord channel or some shit. The point is the number of people that can actually see the votes needs to be very small and trusted, and preferably tied to an internal standard for when those things need acted upon.
The inherent issue is public votes allow countless methods of interpreting that information, which can be acted on with impunity by bad actors of all kinds, from outside and within. Either by harassment or undue bans. It’s especially bad for the instances that fuck with vote counts. Both are problems.
I can see this argument, at least in general. As for community mods, I feel like it’d be generally fruitful and useful for them to be and feel empowered to create their own spaces. While I totally hear your argument about the size of the “mod” layer being too large to be trustworthy, I feel like some other mitigating mechanisms might be helpful. Maybe the idea of a “senior” mod, of which any community can only have one? Maybe “earning” seniority through being on the platform for a long time or something, not sure. But generally, I think enabling mods to moderate effectively is a generally good idea.
It actually adds a tool for harassers, in that targeted harassment can’t be tied back to a harasser without the cooperation of their instance admin.
In reality, I think a better answer might be to anonymize the username and publicize the votes.
Hmm, yes.
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI), making it easy to spot people like this and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI)
That’s cool. I wonder what my attitude is and I wonder how accurate the score is, if our federations don’t overlap super well. What happens if I have a ton of interactions on an instance that yours is completely unaware of?
(I think “Attitude” is a perfect word, because it’s perceptive. Like, “you say they’re great but all I see them do is get drunk and complain about how every Pokemon after Mewtwo isn’t ‘legit’,” sort of thing.)
I’ve intentionally subscribed to every active community I can find (so I can populate a comprehensive topics hierarchy) making piefed.social get a fairly complete picture. Your attitude is only 3% below the global average, nowhere near the point where I’d take notice.
Feels to me that being able to link what people like/dislike to their comments and username is much more dangerous than just being able to downvote all their comments.
And I’d hope that in this new suggestion an admin would still be able to ban the user even if they only knew the anonymous/voter ID, though that’s probably an interesting question for OP.
Hey, Lemmy admin here. If I ban an anonymous account, does the account it’s tethered to also get banned?
Do you ban based on voting behaviour?
If the same account is voting in the same direction on every single post and comment in an entire community in a matter of seconds while contributing neither posts nor comments? Yes, vote manipulation.
If one user is following another around, down voting their content across a wide range of topics? Yes, targeted harassment.
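The two patterns named in the comment above, plus the "attitude" figure mentioned earlier in the thread, computed per voting actor in an added Python example (not PieFed or Lemmy code). The vote records are constructed, the thresholds are assumptions, and the attitude formula (upvotes minus downvotes, over all votes) is one reading of "percentage of downvotes vs upvotes". Everything is keyed on the actor URL a remote admin actually receives, so it works the same for anonymous voting actors.

```python
from collections import defaultdict

# Constructed sample records:
# (voting actor URL, community, content author, direction, unix time)
VOTES = (
    # a1: eight downvotes in one community within eight seconds
    [("https://piefed.example/u/a1", "c/news", f"author{i}", -1, 1000 + i)
     for i in range(8)]
    # b2: downvotes the same author in four unrelated communities over several days
    + [("https://piefed.example/u/b2", community, "victim", -1, 5000 + 90000 * i)
       for i, community in enumerate(["c/news", "c/cats", "c/linux", "c/music"])]
    # c3: ordinary mixed voting spread over more than an hour
    + [("https://piefed.example/u/c3", "c/cats", f"author{i}",
        1 if i % 4 else -1, 20000 + 600 * i) for i in range(8)]
)


def attitude(votes):
    """Per-actor score in percent: +100 = only upvotes, -100 = only downvotes."""
    up, down = defaultdict(int), defaultdict(int)
    for actor, _, _, direction, _ in votes:
        (up if direction > 0 else down)[actor] += 1
    return {actor: 100.0 * (up[actor] - down[actor]) / (up[actor] + down[actor])
            for actor in set(up) | set(down)}


def burst_voters(votes, min_votes=5, window=10):
    """Actors casting min_votes same-direction votes in one community
    within `window` seconds (likely automation)."""
    groups = defaultdict(list)
    for actor, community, _, direction, ts in votes:
        groups[(actor, community, direction)].append(ts)
    flagged = set()
    for (actor, _, _), stamps in groups.items():
        stamps.sort()
        # Sliding window over sorted timestamps: does any run of min_votes fit?
        for i in range(len(stamps) - min_votes + 1):
            if stamps[i + min_votes - 1] - stamps[i] <= window:
                flagged.add(actor)
                break
    return flagged


def targeted_downvoters(votes, min_communities=3):
    """(actor, author) pairs where the actor downvoted the same author
    in at least min_communities different communities."""
    seen = defaultdict(set)
    for actor, community, author, direction, _ in votes:
        if direction < 0:
            seen[(actor, author)].add(community)
    return {pair for pair, communities in seen.items()
            if len(communities) >= min_communities}


if __name__ == "__main__":
    print(attitude(VOTES))
    print(burst_voters(VOTES))
    print(targeted_downvoters(VOTES))
```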
Is that really harassment considering Lemmy votes have no real consequences besides feels?
I think a ban based on those criteria should apply to main acct but I’m not sure how it’s implemented.
Sure, but by the same token, mods are just as capable of manipulation and targeted harassment when they can curate the voting and react based on votes.
On reddit, votes are only visible to the admins, and the admins would take care of this type of thing when they saw it (or it tripped some kind of automated something or other). But they still had the foresight not to let moderators or users see those votes.
Complete anonymity across the board won’t work but there definitely needs to be something better than it is now.
mods are just as capable of manipulation and targeted harassment when they can curate the voting and react based on votes
I’m not sure what you’re trying to say.
I’m speaking as an admin, not as a mod. I own the servers. I have direct access to the databases. When law enforcement comes a’knockin’, it’s my ass that gets arrested. I have total control over my instances and can completely sever them from the fediverse if I feel it necessary. Mods are mall cops that can lock posts and deal with problem users one at a time.
On reddit, votes are only visible to the admins, and the admins would take care of this type of thing when they saw it (or it tripped some kind of automated something or other)
There are no built in automations. Decoupling votes from the users that cast them interferes with my ability to “take care of this type of thing.”
Yeah, I see that and it does concern me now that it has been brought up.
However. In the last 6 months of being active in the ‘Lemmy.world defense hq’ matrix room where we coordinate admin actions against bad people, vote manipulation has come up once or twice. The other 99% of the time it’s posts that are spam, racist or transphobic. The vote manipulation we found was detected using some scripts and spreadsheets, not looking at the admin UI. After all, using code is the only way to scan through millions of records.
Downvote abuse/harassment coming from PieFed will be countered by monitoring “attitude” and I have robust tools for that. I can tell you with complete confidence that not one PieFed user downvotes more than they upvote. I can provide 12 other accounts on Lemmy instances that do, tho. Lemmy’s lack of a similar admin tool is unfortunate but not something I can do anything about.
What I’ve done with developing this feature is taken advantage of a weakness of ActivityPub - anyone can make accounts and have them do stuff. Even though I’ve done it in a very controlled and limited way and released all the code for it, having this exposed feels pretty uncomfortable. There were many many people droning on about “votes must be public because they need to come from an account” blah blah and that secure safe illusion has been ripped away now. That sucks, but we were going to have to grapple with it eventually one way or another.
Anyway. I’m not wedded to this or motivated by a fixed ideology (e.g. privacy über alles) so removing this is an option. It didn’t even take that long to code, I spent more time explaining it than coding it.
Would banning the voting half of the pseudonymous account not mitigate the immediate issue? Then asking their instance admin to later lookup and ban the associated commentating account.
Well, doesn’t that fly in the face of federated autonomy and privacy?
On one end, if it’s my instance and I want to ban a user, I want the whole fucking user banned – not just remove their ability to vote anonymously. If one of my communities or users is being attacked, it’s my responsibility to react. If I can’t remove the whole problem with a ban, then I have to remove the whole problem with a de-federation. (A thing I fundamentally don’t want to do.)
On the other, if some other admin says, “one of your users is being problematic, please tell me who they are,” I’m going to tell that other admin to fuck right off because I just implemented a feature that made their votes anonymous. I’m not about to out my users to some rando because they’re raining downvotes on MeinHitler69@nazi.hut.
It’s a philosophical difference of opinion.
On one end, if it’s my instance and I want to ban a user, I want the whole fucking user banned – not just remove their ability to vote anonymously.
I mean, is that truly the case? If a user only engages in vote manipulation, but otherwise they have insightful comments/posts, is it really that big of a deal that you will ban only their option to vote?
I think you’re conflating my two separate concerns. One’s automated vote manipulation. The other is targeted harassment.
Looks like it’s kinda hard to spin up a piefed bot. Not impossible, but it’s a bitch without an API.
If I have an insightful contributor who’s going out of their way and outside of their normal communities to be a dick to another user, maybe they’re not so insightful after all. Or they’ve got a great reason!
Either way, I want to be able to point to their behavior - without the extra step of having to de-anonymize their activity - and tell them to chill the fuck out or get the fuck out. Out means out. Totally and forever.
Looks like it’s kinda hard to spin up a piefed bot. Not impossible, but it’s a bitch without an API.
What you would actually want to do if you want to bot is take one of the existing apps and modify it to make spamming easy.
Either way, I want to be able to point to their behavior - without the extra step of having to de-anonymize their activity - and tell them to chill the fuck out or get the fuck out. Out means out. Totally and forever.
I can see why you would want that, but my question is is that such a big deal compared to people being harassed for their voting? I don’t think user privacy should be violated - especially en masse / by default just because of some (in my opinion fairly minor) moderation concerns.
And if they are a dick overall, then you will figure it out anyway, ban their “main” account and that will prevent them from voting, too (unless the instance is malicious, but then a malicious instance can do much more harm in general).
But if the only bad behavior is voting and you can ban that agent then you’ve solved the core issue. The utility is to remove the bad behavior, no?
No, the utility is to remove bad users.
To prevent them from engaging in bad behavior.
It’s against the CoC of programming.dev and we have issued warnings to abusers before. Last warning given for that was 13 days ago and was spotted by a normal user.
I think you forgot to say what is against the CoC. It’s implied though.
Vote manipulation
No but perhaps it should!
PieFed lacks an API, making it an unattractive tool for scripting bots with. I don’t think you’ll see any PieFed-based attacks anytime soon.
If the pseudo account is banned for its vote choices, does that really address the issue of vote-banning?
What about PieFed-based shitty humans?
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI), making it easy to spot people who downvote excessively and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).
I was wondering what attitude was, but I never got around to checking it out in the documentation. I was wondering why PieFed insisted my attitude wasn’t 100%. Makes sense now - I guess it just isn’t!
(maybe a clickable question mark next to the attitude score explaining briefly what it is could be useful at some point)
Wow your documentation is so much better than ours.
That’s nice of you to say. I’ve tried to focus well on certain areas that seem important but I really admire the breadth of https://join-lemmy.org/docs/ which I could never hope to cover.
Do you have a link? The Piefed docs page is empty for me.
Yes but … Navigation icon at the top right of the pages leads to these:
https://join.piefed.social/docs/piefed-mobile/
https://join.piefed.social/docs/developers/
https://join.piefed.social/docs/admin-guide/
https://join.piefed.social/docs/installation/
https://join.piefed.social/2024/06/22/piefed-features-for-growing-healthy-communities/
Ah fuck! I mistook the piefed docs for the pixelfed docs.
I swear there was documentation there.
So no app?
Kind of but technically, no. Please see https://join.piefed.social/docs/piefed-mobile/
Do you really think it would matter to a malicious botter if they have a documented API or simply look at the requests the browser makes?
Look mom, I’m famous!
Why do you downvote all the stuff anyways?
PieFed shows us that he has an “attitude” of -40%, which I guess means that of 200 catloaf votes 140 will point downwards. So I guess at least it’s nothing personal, he or she is just an active downvoter of things. I guess we all enjoy spending our time differently.
A cool potential feature would be weighted downvotes - giving downvotes from users with higher attitude scores (in PieFed terms) greater significance. But I’m derailing.
I’ve always wanted to ask such a person what their deal is. I mean they could be miserable, or one of the people who always complain about everything. Or it’s supposed to be some form of trolling that no one gets… Maybe I shouldn’t ask because it’s not gonna be a healthy discussion… And I don’t care if that happens in an argument. But I really wonder why someone downvotes something like an innocent computer question. Or some comment with correct and uncontroversial advice. Or other people during a healthy conversation. It doesn’t happen often to me, but I had all of that happen. And maybe thoughts like this lead to the current situation. And some people think about exposing such people and some think it should be protected.
And I think weighing the votes is a realistic idea. We could also not count votes of people with bad attitude at all.
Then again, if there’s a method to it and logic behind it, maybe these active downvoters are doing everybody a favour by screening content and downvoting things they consider to be of little value?
I don’t know. It would be interesting to hear their motivation for sure.
I’ve always wanted to ask such a person what their deal is.
I can’t answer for other people but I’m probably in the “low attitude” group, since my older account is at -9% and the current one at +42%. And at least for me it’s the result of two factors.
One of them is that old Reddit habits die hard. In Reddit I used to have uBlock Origin hiding the voting buttons from the platform, as a way to avoid contributing with it altogether except in ways that subjectively benefitted me, such as commenting (as I’m verbose, I feel good writing). The exception to the above was typically things so stupid/reddit-like/idiotic that I couldn’t help but downvote.
Another is that my “core” values are rather different from what most people in social networks value. As such, a lot of posts/comments are from my PoV overrated (that get downvoted) or underrated (that get upvoted). And due to sorting algorithms I’m seeing high score comments more often, so this yields a higher amount of downvotes.
Is it possible to double vote this way (once on each account)? On second thought, would it even matter? A malicious actor could have multiple accounts.
No, the other account isn’t something you can log into or interact with. PieFed knows whether I’ve already voted on something, so it won’t let me vote again by changing the ‘vote privately’ setting.