We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.
This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.
It’s a step backwards
I’m going to have to come up with set criteria for when to de-anonomize, aren’t I. Dammit.
In the meantime, get in touch if you spot any bigot upvotes coming from PieFed.social and we’ll sort something out.
The problem is, it’s more than just the upvote. I don’t ban people for a single upvote, even on something bigoted, because it could be a misclick. What I normally do is have a look at the profiles of people who upvote dogwhistle transphobia, stuff that many cis admins wouldn’t always recognise. And those upvotes point me at people’s profiles, and if their profile is full of dog whistles, then they get pre-emptively instance banned.
Ahh, right, got it.
Let’s keep an eye on this. I am hopeful that with PieFed being unusually strong on moderation in other respects that we don’t harbor many people like that for long.
Yea, which is why I think the obvious solution to the whole vote visibility question is to have private votes that are visible to admins and mods for moderation purposes. It seems like the right balance.
It will be difficult to get the devs of Lemmy, Mbin, Sublinks, FutureProject, SomeOtherProject, etc to all agree to show and hide according to similar criteria. Different projects will make different decisions based on their values and priorities.
…and it still doesn’t solve the issue that literally anyone can run their own instance and just capture the data.
whilst doing nothing to protect them
Well it also takes away a tool that harassers can use for their harassing of individuals, right? This does highlight the often-requested issue of Lemmy needs better/more moderation tools though.
It actually adds a tool for harassers, in that targeted harassment can’t be tied back to a harasser without the cooperation of their instance admin.
In reality, I think a better answer might be to anonymize the username and publicize the votes.
Hmm, yes.
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI), making it easy to spot people like this and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).
Feels to me that being able to link what people like/dislike to their comments and username is much more dangerous than just being able to downvote all their comments.
And I’d hope that in this new suggestion an admin would still be able to ban the user even if they only knew the anonymous/voter ID, though that’s probably an interesting question for OP.
If public voting data becomes a thing across the threadiverse, as some lemmy people want.
Which is why I think the appropriate balance is private votes visible to admins/mods.
Admins only. Letting mods see it just invites them to share it on a discord channel or some shit. The point is the number of people that can actually see the votes needs to be very small and trusted, and preferably tied to a internal standard for when those things need acted upon.
The inherent issue is public votes allow countless methods of interpreting that information, which can be acted on with impunity by bad actors of all kinds, from outside and within. Either by harassment or undue bans. It’s especially bad for the instances that fuck with vote counts. Both are problems.
I’m surprised most people are against public votes. Most people already seem to have an anonymous account via some weird username not connected to their real identity already. What difference does it make that votes can be viewed, other than for transparency during discussion?
Maybe I’m the odd one out that uses my real name on the Internet and generally try to behave/vote the same as I would in person, but it seems weird wanting a hybrid account that’s private (votes), yet not private (comments).
If votes were anonymous here, I might “come out” as my professional self and share more from my resources that can be used to Identity who I am.
I’m concerned that my voting pattern is probably already being collected to build a profile on MajorHavok, to decide whether MajorHavok should be favored or disfavored in anything owned by old Elon or Zuck or Bezos.
Elon is a fuck up, but he still owns a lot of places that I might need to use for my work.
So, for now, it’s pretty important to me that MajorHavok and John Jacob Jinglehimer Schmidt are kept as separate identities, so that John’s employability where Elon/Zuck/Bezos has influence will remain unaffected.
Hmm, I can understand how someone can be concerned about that, but personally I find it too theoretical and unlikely to matter.
Any company wanting to harvest data from the fediverse would likely just create their own instance to easily copy the databases from every major instance, private voting wouldn’t help against that. I would also say that your comment would be a thousand times more damning than upvoting every comment/post critical of Musk.
If you only lurk, you will stay anonymous as long as you use an anonymous username. If you comment, you are way more likely to “leak” your opinion through comments anyway.
But those are just my thoughts, I might be way off base and lack the full range of perspectives.
When you comment you make a conscious decision to put your opinion out there and sign it with your “name” (or alternatively you switch to a “burner” account and do it pseudonymously).
But when you vote for stuff it’s often without much thinking, and it’s private on pretty much every other platform. Where it isn’t it’s usually blatantly obvious that that is the case.
What difference does it make that votes can be viewed, other than for transparency during discussion?
There are many reasons that have been stated time and time again; one is simply that people may wish to stay anonymous when supporting certain opinions.
To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.
To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.
I guess I’m just of the opinion that if someone has that concern, they should rethink how they use social platforms and maybe look into creating a more anonymous profile that suits their need better.
But now we are just down to differing opinions, which is all fine to have, I won’t claim my thoughts are the best one.
I have felt the want to have a more anonymous profile from time to time since being an admin means I need to avoid controversial topics, but it isn’t any more difficult than simply not engaging with it.
I think this approach kinda fixes that issue though, no? You can use it the way it is now, and others can be anonymous.
I mean it would be also nice if you could log into multiple accounts and easily switch between them for each vote and comment, but this is also good, IMO.
I’m surprised most people are against public votes.
It’s okay that you don’t understand why, but it would be best to learn why anonymity is a key requirement for voting freedom, be it in the polls or on social media.
Votes doesn’t break the anonymity is my point. You achieve anonymity by using a fake name and not sharing too much personal information in your comments. No amount of voting will reveal that fj4j2l32@instance.com is Jonathan Brown from Newcastle.
The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example can trust my tiny instance to be playing by the rules? I went over more details in this other comment.
Sure, right now admins can contact you, for your instance. But you can’t really do that with dozens of instances and hundreds of instances. There’s a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?
It’s a good attempt though. Maybe we’re all pessimistic and it will work just fine!
I can only respond in general terms because you didn’t name any specific problems.
Firstly, remember than each piefed account only has one alt account and it’s always the same alt account doing the votes with the same gibberish user name. If the person is always downvoting or always voting the same as another person you’ll see those patterns in their alt and the alt can be banned. It’s an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
Regardless, at any kind of decent scale we’re going to have to use code to detect bots and bad actors. Relying on admins to eyeball individual posts activity and manually compare them isn’t going to scale at all, regardless whether the user names are easy to read or not.
Firstly, remember than each piefed account only has one alt account and it’s always the same alt account doing the votes with the same gibberish user name. It’s an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
That implies trust in the person that operates the instance. It’s not a problem for piefed.social, because we can trust you. It will work for your instance. But can you trust other people’s PieFed instances? It’s open-source, I could just install it on my server, change the code to make me 2-3 alt accounts instead. Pick a random instance from lemmy.world’s instance list, would you blindly trust them to not fudge votes?
The availability of the source code doesn’t help much because you can’t prove that it’s the exact code that’s running with no modifications, and marking people running modified code as suspicious out of the box would be unfair and against open-source culture.
I also see some deanonymization exploits too: people commonly vote+comment, so with some time, you can do correlation attacks and narrow down the accounts. So to prevent that, you’d have to remove the users mapping 1:1 to a gibberish alt by at least letting the user rotate them on demand, or rotate them on a schedule, and now we can’t correlate votes to patterns anymore. And everyone’s database endlessly fills up with generated alt accounts (that you can’t delete).
If the person is always downvoting or always voting the same as another person you’ll see those patterns in their alt and the alt can be banned.
Sure, but you lose some visibility into who the user is. Seeing the comments is useful to get a better grasp of who they are. Maybe they’re just a serial fact checker and downvoting misinformation and posting links to reputable sources. It can also help identify if there’s other activity beside just votes, large amounts of votes are less suspicious if you see the person’s also been engaging with comments all day.
And then you circle back to, do you trust the instance admin to investigate or even respond to your messages? How is it gonna go when a big, politically aligned instance is accused of botting and the admin denies the claims but the evidence suggests it’s likely? What do we do with Threads or even an hypothetical Twitter going fediverse, with Elon still as the boss? Or Truth Social?
The bigger the instance, the easier it is to sneak a few votes in. With millions of user accounts, you can borrow a couple hundred of your long inactive user’s alts easily and it’s essentially undetectable.
I’m sorry for the pessimism but I’ve come to expect the worst from people. Anything that can be exploited, will be exploited. I do wish this problem to be solved, and it’s great that some people like you go ahead and at least try to make it work. I’m not trying to discourage anyone from experimenting with that, but I do think those what-ifs are important to discuss before everyone implements it and then oops we have a big problem.
The way things are, we don’t have to put any trust in an instance admin. It might as well not be there, it’s just a gateway and file host. But we can independently investigate accounts and ban them individually, without having to resort to banning whole instances, even if the admins are a bit sketchy. Because of the inherent transparency of the protocol.
Yes. You’re going to have to trust someone, eventually. People can modify the Lemmy source code, too. Well, I can’t because Rust looks like hieroglyphics to me but you get the idea.
I’d rather this than have to trust Lemmy admins not to abuse their access to voting data - https://lemm.ee/comment/13768482
This is excellent.
I’m curious about piefed now. Is it free of any explicit agenda?
Well… Take a look at this https://join.piefed.social/2024/06/22/piefed-features-for-growing-healthy-communities/
There are definitely values and opinions embedded in there. I would say it’s a bit more “high control” vibe than lemm.ee. If you chose that instance because of it’s more libertarian ethos then perhaps some of the features PieFed have would seem sinister or irrelevant to you.
The code of conduct for contributors is pretty vanilla IMO but would be seen as “left wing” by people from USA.
If you look in the sidebar of https://piefed.social you’ll see a random collection of links (they change every page refresh) which are intentionally chosen to combat extremist ideologies and make PieFed instances uncomfortable places for cult-like groups (mostly on the right). That’s a political decision which few projects would make.
Thanks for being so upfront about how you run your instance. I think it’s disingenuous when people claim that there is “no agenda” or “no moderation” or whatever, because there is always some - even if unintended - just by the pure nature of people running it. So being explicit and opinionated about it is great.
Is “Deredicalisation” intended? I’m not sure if it’s a bit of a play on words or if it’s a typo.
Yeah, it’s a real thing https://en.wikipedia.org/wiki/Deradicalization although Americans would spell it with a z.
I spent years and years researching and documenting fascism, QAnon and MAGA. During that time I created a blocklist of 3000+ website URLs which are automatically imported into the PieFed domain blocklist when a new instance is created. Another one of those political choices that define PieFed.
Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.
I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.
If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.
It’s vice versa. In the old good times there was a saying “don’t feed the troll”. Just block him. Downvoting is just a cheap solution for people who cannot justify their argument. Btw, I love to read downvoted comments which are by default ‘hidden’. Most of them are trash but sometimes it’s a valid point but not the very popular one
I’m not sure what you are suggesting. Are you suggesting never using downvotes?
Yes, exactly my thoughts on this. Downvoting is only a measure of crowd censorship based on opinion popularity. If you see some trolls, just block them but don’t hide their posts for other ones who may think on that person views otherwise
