We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
You must log in or register to comment.
Is it possible for an instance to send out false vote data that can’t be verified? Lemmy doesn’t seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.
I guess that can happen now anyway as the bad actor can just create their own instance with as many fake accounts as they like. Ultimately it’s still on other instance admins to block the dodgy ones either way.
Yes, a fake instance can spam votes over federation. But usually it’s pretty obvious and easy to block.
Look mom, I’m famous!
Why do you downvote all the stuff anyways?
PieFed shows us that he has an “attitude” of -40%, which I guess means that of 200 catloaf votes 160 will point downwards. So I guess at least it’s nothing personal, he or she is just an active downvoter of things. I guess we all enjoy spending our time differently.
A cool potential feature would be weighted downvotes - giving downvotes form users with higher attitude scores (in PieFed terms) greater significance. But I’m derailing.
I’ve always wanted to ask such a person what their deal is. I mean they could be miserable, or one of the people who always complain about everything. Or it’s supposed to be some form of trolling that no one gets… Maybe I shouldn’t ask because it’s not gonna be a healthy discussion… And I don’t care if that happens in an argument. But I really wonder why someone downvotes something like an innocent computer question. Or some comment with correct and uncontroversial advise. Or other people during a healty conversation. It doesn’t happen often to me, but I had all of that happen. And maybe thoughts like this lead to the current situation. And some people think about exposing such people and some think it should be protected.
And i think weighing the votes is a realistic idea. We could also not count votes of people with bad attitude at all.
I’ve always wanted to ask such a person what their deal is.
I can’t answer for other people but I’m probably in the “low attitude” group, since my older account is at -9% and the current one at +42%. And at least for me it’s the result of two factors.
One of them is that old Reddit habits die hard. In Reddit I used to have uBlock Origin hiding the voting buttons from the platform, as a way to avoid contributing with it altogether except in ways that subjectively benefitted me, such as commenting (as I’m verbose, I feel good writing). The exception to the above was typically things so stupid/reddit-like/idiotic that I couldn’t help but downvote.
Another is that my “core” values is rather different from what most people in social networks value. As such, a lot of posts/comments are from my PoV overrated (that get downvoted) or underrated (that get upvoted). And due to sorting algorithms I’m seeing high score comments more often, so this yields a higher amount of downvotes.
Then again, if there’s a method to it and logic behind it, maybe these active downvoters are doing everybody a favour by screening content and downvoting things they consider to be of little value?
I don’t know. It would be interesting to hear their motivation for sure.
How does this work with moderation? I.e. what happens if I ban the real user from a Lemmy instance? What if I ban the alternate user?
Also, what happens if on Piefed, a user votes for something, then they change the setting and then they vote for the same thing again? How would a Lemmy instance know if it should count the vote or not, since the original user didn’t actually vote from Lemmy’s point of view?
The ‘real user’ and the ‘private voter’ are 2 different accounts as far a external instances are concerned, but only 1 as far as piefed.social is concerned. So if you banned either one, it would have the same effect, because PF would locate the same account from the information provided.
Likewise, a piefed user can’t vote twice on something, they make one vote, and then the ‘private voting’ setting determines how it is sent out. The local system has tracked that they have voted, and changing the setting won’t change that.
There’s always more work to do of course, but piefed.social is a small instance, with manual approval required for registration, no API to script things like mass downvoting, and concepts such as ‘attitude’ which would prevent that anyway, so I can’t foresee anything too disastrous happening from this little experiment.
I’m a little concerned about the precedent this sets. An instance could use this technique to facilitate anonymous commenting or posting in addition to votes.
Who cares? Generating an infinite number of tokenized identities to facilitate ban evasion will just result in an instance getting defederated. This introduces no real risk as long as the instance is generally abiding by the rules.
Most of us here are fairly anonymous anyway. I dont think being able to add an additional layer of privacy to our activity is really a big deal.
So I’ve been thinking about this and I would go for a different approach.
Admins can set voting to be public or private on a server wide level.
When users vote, a key is created as the userid
The votes table is essentially: voteid, postid, userid, timestamp, salt, public
If the vote is private, userid is salt(userid, password)
And it’s that simple.
With the user id being salted it’s going to be different every time. This means it’ll be difficult if not impossible to monitor voting trends or abuse.
Also how would you use the password unless it was stored in the clear. If it’s based on a pre-salted tuple, how does one handle password changes?
Dammit! Okay, cancel the salt idea. How about just a simple md5() and then it should remain a static value right?
Let me change my password real quick…
Just add a function so when you change your profile, it also pulls all records that match md5(userid, password) and then update them records too.
Though I’m convinced the overarching logic is correct, this is not my wheelhouse, so I’m probably wrong.
You’d need to federate that, and I don’t think AP allows you to change federated user IDs.
@dullbananas@lemmy.ca does the design hold up?
I missed the discussion on voting the other day it seems, but for what it’s worth, I like the voting system. In real life discussions happen in open air, and don’t hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.
When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.
This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.
One of the most interesting and horrible things about the internet is that every village has a “crazy Bob” but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.
Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.
Oh god…I’m Charlie Kelly.
I read that as “Pirate voting”.
Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.
I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.
If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.
It’s vice versa. In the old good times there was a saying “don’t feed the troll”. Just block him. Downvoting is just a cheap solution for people who cannot justify their argument. Btw, I love to read downvoted comments which are by default ‘hidden’. Most of them are trash but sometimes it’s a valid point but not the very popular one
I’m not sure what you are suggesting. Are you suggesting never using downvotes?
Yes, exactly my thoughts on this. Downvoting is only a measure of crowd censorship based on opinion popularity. If you see some trolls, just block them but don’t hide their posts for other ones who may think on that person views otherwise
So why be on lemmy then? I really don’t agree with showing votes.
I think it’s better to present a valid point against somebody’s statement than straight down voting without giving a reason “just because don’t like him”. I think it would create positive discussion environment in lemmy. We are here after all to exchange ideas on lemmy. Aren’t we?
While engaging in discussion can be beneficial, it’s important to recognize that not everyone is comfortable/interested in debating every point they disagree with. Downvoting allows users to express their disagreement without feeling pressured to engage in a back-and-forth that might not be constructive.
Additionally, some statements may not merit a detailed response, especially if they are inflammatory, misleading, or irrelevant. Encouraging only counter-arguments could lead to an environment where people feel obligated to justify every opinion, which stifles participation rather than promote a positive discussion.
Downvotes are part of the whole curation aspect of the site, and it’s a valid part of the democratic system. For all the whining about being “censored” because you got downvoted, there’s countless cases where downvotes influence the sorting algorithm positively.
Garbage shouldn’t sit on the same level as fluff comments no one bothered to vote on.
Millions flies cannot be mistaken. Democratic mob cannot be mistaken. Mobs have never lynched anybody. How ignorant you are in your ego with your “whining” argument
You’re a hero for making this happen in… 24 hours? 48?
The issue won’t go away, we’ll see how well everyone else deals with it, but this is a super strong argument for your system / server.
(Advertise it. Advertise it HARD. “piefed, we have private votes”.)
This is excellent.
I’m curious about piefed now. Is it free of any explicit agenda?
Well… Take a look at this https://join.piefed.social/2024/06/22/piefed-features-for-growing-healthy-communities/
There are definitely values and opinions embedded in there. I would say it’s a bit more “high control” vibe than lemm.ee. If you chose that instance because of it’s more libertarian ethos then perhaps some of the features PieFed have would seem sinister or irrelevant to you.
The code of conduct for contributors is pretty vanilla IMO but would be seen as “left wing” by people from USA.
If you look in the sidebar of https://piefed.social you’ll see a random collection of links (they change every page refresh) which are intentionally chosen to combat extremist ideologies and make PieFed instances uncomfortable places for cult-like groups (mostly on the right). That’s a political decision which few projects would make.
Thanks for being so upfront about how you run your instance. I think it’s disingenuous when people claim that there is “no agenda” or “no moderation” or whatever, because there is always some - even if unintended - just by the pure nature of people running it. So being explicit and opinionated about it is great.
Is “Deredicalisation” intended? I’m not sure if it’s a bit of a play on words or if it’s a typo.
Yeah, it’s a real thing https://en.wikipedia.org/wiki/Deradicalization although Americans would spell it with a z.
I spent years and years researching and documenting fascism, QAnon and MAGA. During that time I created a blocklist of 3000+ website URLs which are automatically imported into the PieFed domain blocklist when a new instance is created. Another one of those political choices that define PieFed.
Oh okay, if it’s not a pun then it is a typo. I wasn’t referring to the British spelling, the “e” should be an “a”: “Deredicalisation”
Oops, thank you!
Cool solution!
That’s pseudonymous!
But all kidding aside, it sounds good
While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.
Seems to me there’s still routes to deanonymization:
- Pull posts that a user has posted or commented in
- Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
- if the results aren’t immediately obvious, statistical analysis might reveal your target.
Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.
Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?
It could be mitigated further by having a different Actor per community you engage in, but that is definitely a bigger change in how voting works currently, and might have issues detecting vote brigading.
It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.
Still, I think it’s enough to be effective most of the time.
Yea, I agree. It’s good enough. Sorry, I didn’t mean to sound like it was a bad solution, it’s just not perfect and people ought to be aware of limitations.
I used a small instance in my example so the problem was easier to understand, but a motivated person could target someone on a large instance, too, so long as that person tended to vote in the posts they commented on.
Just for example (and I feel like I should mention, I have no bad feelings towards this guy), Flying Squid on lemmy.world posts all over the place, even on topics with few upvotes. If you pull all his posts, and all votes left in those posts from all users, I bet you could find one voter who stands out from the crowd. You just need to find the guy following him everywhere: himself.
I mean, if he tends to leave votes in topics he comments on, which I assume he does.
It would have to be a very targeted attack and that’s much better than the system lemmy uses right now. I’m remembering the mass tagger on Reddit, I thought that add on was pretty toxic sometimes.
Also, it just occurred to me, on Lemmy, when you post you start with one vote, your own. I can even remove this vote (and I’ll do it and start this post off with score 0). I wonder how this vote is handled internally? That would be an immediate flaw in this attempt to protect people’s privacy.
Yeah, I think your point is absolutely well made. And it’s a good reason to, even if features like this are implemented widely, we shouldn’t boast too much about voting being anonymous. It’s just too difficult or impossible to make it bullet proof.
I don’t think the automatic upvotes to your own posts count as real upvotes. At least they don’t federate, so they shouldn’t pose too much of a problem. I think they’re just there to keep people from trying to upvote their own content.
That’s super cool and amazing that you implemented it so quickly.
So now I have a PieFed account :)
You keep delivering, thank you so much!
The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example can trust my tiny instance to be playing by the rules? I went over more details in this other comment.
Sure, right now admins can contact you, for your instance. But you can’t really do that with dozens of instances and hundreds of instances. There’s a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?
It’s a good attempt though. Maybe we’re all pessimistic and it will work just fine!
I can only respond in general terms because you didn’t name any specific problems.
Firstly, remember than each piefed account only has one alt account and it’s always the same alt account doing the votes with the same gibberish user name. If the person is always downvoting or always voting the same as another person you’ll see those patterns in their alt and the alt can be banned. It’s an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
Regardless, at any kind of decent scale we’re going to have to use code to detect bots and bad actors. Relying on admins to eyeball individual posts activity and manually compare them isn’t going to scale at all, regardless whether the user names are easy to read or not.
Firstly, remember than each piefed account only has one alt account and it’s always the same alt account doing the votes with the same gibberish user name. It’s an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
That implies trust in the person that operates the instance. It’s not a problem for piefed.social, because we can trust you. It will work for your instance. But can you trust other people’s PieFed instances? It’s open-source, I could just install it on my server, change the code to make me 2-3 alt accounts instead. Pick a random instance from lemmy.world’s instance list, would you blindly trust them to not fudge votes?
The availability of the source code doesn’t help much because you can’t prove that it’s the exact code that’s running with no modifications, and marking people running modified code as suspicious out of the box would be unfair and against open-source culture.
I also see some deanonymization exploits too: people commonly vote+comment, so with some time, you can do correlation attacks and narrow down the accounts. So to prevent that, you’d have to remove the users mapping 1:1 to a gibberish alt by at least letting the user rotate them on demand, or rotate them on a schedule, and now we can’t correlate votes to patterns anymore. And everyone’s database endlessly fills up with generated alt accounts (that you can’t delete).
If the person is always downvoting or always voting the same as another person you’ll see those patterns in their alt and the alt can be banned.
Sure, but you lose some visibility into who the user is. Seeing the comments is useful to get a better grasp of who they are. Maybe they’re just a serial fact checker and downvoting misinformation and posting links to reputable sources. It can also help identify if there’s other activity beside just votes, large amounts of votes are less suspicious if you see the person’s also been engaging with comments all day.
And then you circle back to, do you trust the instance admin to investigate or even respond to your messages? How is it gonna go when a big, politically aligned instance is accused of botting and the admin denies the claims but the evidence suggests it’s likely? What do we do with Threads or even an hypothetical Twitter going fediverse, with Elon still as the boss? Or Truth Social?
The bigger the instance, the easier it is to sneak a few votes in. With millions of user accounts, you can borrow a couple hundred of your long inactive user’s alts easily and it’s essentially undetectable.
I’m sorry for the pessimism but I’ve come to expect the worst from people. Anything that can be exploited, will be exploited. I do wish this problem to be solved, and it’s great that some people like you go ahead and at least try to make it work. I’m not trying to discourage anyone from experimenting with that, but I do think those what-ifs are important to discuss before everyone implements it and then oops we have a big problem.
The way things are, we don’t have to put any trust in an instance admin. It might as well not be there, it’s just a gateway and file host. But we can independently investigate accounts and ban them individually, without having to resort to banning whole instances, even if the admins are a bit sketchy. Because of the inherent transparency of the protocol.
This is literally already the Lemmy trust model. I can easily just spin up my own instance and send out fake pub actions to brigade. The method detecting and resolving this is no different.
Yes. You’re going to have to trust someone, eventually. People can modify the Lemmy source code, too. Well, I can’t because Rust looks like hieroglyphics to me but you get the idea.
I’d rather this than have to trust Lemmy admins not to abuse their access to voting data - https://lemm.ee/comment/13768482
You can even question if the compiled version running on an instano is the same as the version posted to GitHub. There’s no way to even check what’s running on the server you don’t have access to.
Trust is necessary at some level if your going to participate on any hosted or federated service as you pointed out.
