Edit: obligatory explanation (thanks mods for squaring me away)…
What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
To anyone surprised at this: welcome to the fediverse, please treat everyhing you do or say as public.
The way to achieve privacy around here is by following the long forgotten arts of the old internet before Facebook was a thing:
use a Nick name and don't tell strangers on the internet your real identity.Your home instance will act as a proxy and only they have access to your email and IP address. That does stay private.
So, as long as you trust your home instance to not leak or disclose your connection or sign up data (which would be illegal in EU countries), just sign up with an alias.
A very positive aspects of this is that it should allow us to detect voting manipulation by correlating the activity of certain potentially malicious actors. If Lemmy instances take vote manipulation seriously and do their best to block bots this has the chance to make Lemmy / Kbin much more transparent and credible than Reddit ever was.
Lol. kids these days would post their bank info online if the banks didn’t prevent them from doing so.
You say that like A/S/L wasn’t a thing back in the day.
19/f/Cali was the only acceptable response
I think we cybered
As I put on my robe and wizard hat…
Depends, could I have talked some vanilla WoW gold out of you?
puts on wizard’s hat
666/D/Hell
Yall remember those “your stripper name is the street you grew up on and your pet’s name” challenges? Literally phishing for password recovery keys.
Even back then we were told never to reveal that sort of stuff online. How many of us do you think were telling the truth?
You think someone would do that?
Just go on the internet and tell lies?
Lol yeah but we were 12 back then and we still understood the internet better than anyone else 🙃
I got a virus.
Flagrant System Error
Computer Over.
Virus = Very Yes
I don’t want to shame anyone, but I’ve had people sign up give me their full DoB and offering to show me their ID. I know of people who disclose their id to get access to nsfw discord communities.
DUDE MY GIRLFRIEND FUCKING DID THAT AND I JUST LOOKED AT HER AND ASKED HER IF SHE THOUGHT THAT WAS A GOOD IDEA. In hindsight no, thankfully she’s gonna be moving soonish. This was from before we were together, otherwise I would have warned her not to do that. It was the same discord she got a cyberstalker from, thankfully the stalker wasn’t a friend of the owner because otherwise he totally could have gotten her address and irl info.
so would my grandpa
Wasn’t there a twitter account that retweeted people posting photos of their credit cards?
I whole heartedly agree with this perspective.
Additionally, and this is an unpopular opinion, but trying to maintain a Nick or online identity over many years is folly. You end up with a huge repository of personal information, increasing the risk that it can be connected to you personally.
This has come up as part of those requests to migrate accounts between instances. “I want a persona that stays with me for years”… Is that actually a good idea though!?
Your home instance will act as a proxy and only they have access to your email and IP address.
Your home image typically doesn’t proxy image loading, those are hotlinked to the Lemmy server that the image was uploaded to. So your IP address and browser string are going to other Lemmy servers.
The posts just contain a URL which doesn’t include the uploader’s ip address or their browser string.
When the browser loads that URL, hotlinked image, that server has to have your IP address to return the results. Just browsing posts those images are being loaded.
Of course. They dont get any info to associate your IP with your lemmy account. You could even not have a lemmy account at all.
Of course. They dont get any info to associate your IP with your lemmy account. You could even not have a lemmy account at all.
No, an alias will only give you pseudo-anonymity. Even trivial analysis like counting which words occur together frequently in your writings can reveal with very good accuracy any other alt of you, so the available information of you is basically everything you have shared online with enough accompanying self-written text.
Also, it’s not just about privacy, it’s about retaliation. It will be the easiest thing in the world for people to put together bots that will track the downvotes on every post they make and automate adding those people to block lists. Suddenly a whole fleet of alts is invisible to the people that would disagree with them.
What about post views? Are those also stored?
That is why I am as my username states: intentionally anonymous
The thing is, there is really no way to know is trustworthy as a home instance…?
deleted by creator
This person internets. 👏
To illustrate op’s point I’m going to spin up an instance, federate with everyone, and not tell anyone what that instance is.
Then I’m going to feed all that data into my new website, called Open Lemmy Stats, where anyone can query the user data ive accumulated. The homepage will be ripe with insights, leaderboards and all kinds of data on prolific users.
Additionally, I’ll display a snapshot/profile of a random user by feeding that users data to GPT4 to make inferences about the user’s political affiliations and display the results.
Worst of all, I’m not going to out my instance for everyone to know it as the one to defederate. In fact I’m spinning up a few instances that will host innocuous communities that I plan to mod and support to give my instances cover for their true purpose: redundant fediverse datastreams for my site, Open Lemmy Stats.
I’ll also have a store where anyone can buy my collected fediverse data for a handsome sum.
Just kidding I’m not doing any of this. But someone absolutely will or already is.
Edit: Obligatory RIP my inbox.
Can we leave this kinda stuff behind? It is NOT obligatory.
Not to sound harsh or anything, but those of you saying that it’s okay that all this data is public are insane. This completely goes against the entire philosophy of the Fediverse and FOSS in general. The reason we all are fleeing from Big Tech is because they collect so much data on us. At least, they keep it hidden from public view. This is a major issue in my opinion, and needs to be addressed ASAP before we can claim to have superior platforms on the Fediverse. Why can’t this data at least be encrypted?
Agreed, I am incredibly confused by what seems to be the majority reaction to this.
I’ve never been particularly involved with the FOSS community, though I do use a few FOSS apps and generally appreciate their view on what FOSS means. I also strongly appreciate data privacy, and it was my observation that the FOSS community was (generally) relatively the same way. So to see this reaction is very surprising. It’s quite literally the same terrible argument of “Why fear it if you have nothing to hide” used against multiple data privacy concerns throughout the years.
I think the worst are the bad faith “But Reddit…!” arguments. For one, we’re not on Reddit anymore, this is about Lemmy’s issues that can be corrected. And for two, whilst Reddit potentially outsourcing that data to the highest bidder is far from ideal, at the very least the data wasn’t outright PUBLIC to anyone who wishes to set up a simple server.
You say these issues can be corrected but I am not sure they can. ActivityPub is a protocol managed by the W3C. So to have different behavior You’d have to change the specification there. That is possible but it will take some time. Still you’d need a way to make votes not bound to a user and still hard to spoof. That sounds hard. Apart from that upvotes and downvotes are not really the most interesting datapoints you can gather. You can still collect posts. These can’t be obfuscated. There is simply no way to have an open network where you can share data between servers where you can make sure that no one harvests the data. It is simply not possible. As soon as it is public it is public. This has nothing to do with FOSS. If you have a solution you can implement it. That is what it means. If you have one then go ahead.
You’d have to change the specification there. That is possible but it will take some time.
Then they should do so, these issues need to be fixed ASAP.
Still you’d need a way to make votes not bound to a user and still hard to spoof.
Obfuscating user IDs via a hash or something would seem like the way to make it work. I’m not a professional programmer, I only know a little bit of python, so I have no idea if I’m talking nonsense on that front. And whilst still not an ideal solution, but sharing non-private votes with your own instance admin and have them share only the total vote count with other instances is another solution. That way you need only trust your instance admin, which is choosable and can also be yourself.
That is what it means. If you have one then go ahead.
Putting the onus on me is a shitty thing to do. I’m not the one running this site in any capacity, but this is an issue that many users are unhappy with. If the issue with the site won’t or even can’t be fixed, then I will simply not use the site. I don’t know how many people feel the same on that front, but I’d imagine there’s quite a few.
Putting the onus on me is a shitty thing to do
You are the person who has a problem with that and you mentioned FOSS. It is easy to complain. FOSS gives you the tools to change things. But you have to put in the work. You are the one putting the burden the change something to your liking on others instead of doing to yourself.
Obfuscating user IDs via a hash or something would seem like the way to make it work. I’m not a coder, so I have no idea if I’m talking nonsense on that front. And whilst still not an ideal solution, but sharing non-private votes with your own instance admin and have them share only the total vote count with other instances is another solution. That way you need only trust your instance admin, which is choosable and can also be yourself.
Both of your ideas are not compatible with ActivityPub as far is I can see. So you first need to change the specification and then make everyone adopt the specification. Before that any change would make your software incompatible with the rest of fediverse which is counter the idea.
And all of that because people could be mad about a downvote. I am an instance admin. I was downvoted before. I never even thought about looking up who downvoted me. I know people are different but to be honest if someone looks it up and harasses you then you block them. And I really can’t imagine that your vote on a post with a pseudonym is really a very useful datapoint for anyone.
I agree that these things have to be communicated better but I don’t even know how we would make people aware of this. No one reads disclaimers.
You are the one putting the burden the change something to your liking on others instead of doing to yourself.
To some degree yes. However, I am simply a user. I have no idea where to even begin with attempting such a thing, and whilst I’m sure I could probably find out, even if I did it would take far longer to learn, nevermind getting it adopted. It’s a lot easier for the people running the site and who have knowledge of how to do so. It’s like going to a restaurant, not liking the way they’ve done the food, so the restaurant comes back with “Cook it yourself then”. The other “solution” is of course going to a different restaurant or simply not going to a restaurant. which if:
your ideas are not compatible with ActivityPub
is truly the case, then it would seem that that is the only viable option for me personally.
And all of that because people could be mad about a downvote
I don’t care how people vote me. This isn’t strictly about downvotes, it’s about specifc content engagement.
And I really can’t imagine that your vote on a post with a pseudonym is really a very useful datapoint for anyone.
It’s potentially useful to someone. And I’d just rather not have that data public anyway, it’s just that simple. Enough data is already public, what types of content you actively engage with and how you engage with it also being public is just a bad idea in my opinion. These are core analytics almost any site collects, which imply they must have a purpose. Except here it’s public, and can also be swooped up by big companies should they dedicate a tiny fraction of computing power to run an instance.
I agree that these things have to be communicated better but I don’t even know how we would make people aware of this.
Making these things directly accessible to end users would be a start. Have a stats button that shows who precisely voted what. Hiding this shit in the backend is just blatant obfuscation.
It seems you have a few options:
- Put in the work yourself and change it.
- Finde someone who puts in their work to change it
- Accept that this is how it works
- Leave the fediverse
Option 1. has the highest chance of getting your changes but option 2. might work as well. I wish you luck if you choose these options.
Option 3. seems unlikely from your comments.
Option 4. is maybe the easiest option for you then. And I say that without wanting you gone. I’d like you to stay but I don’t think the fediverse can accommodate your demands.
I’d like to point out a flaw with your analogy though: if you go to a restaurant you pay the people to make what you want. The Lemmy Devs do this for free for you. A better analogy is going to a potluck without bringing anything and being unhappy about the lack of steak.
Option 4. is maybe the easiest option for you then. And I say that without wanting you gone.
Oh no, don’t take this the wrong way. You’ve been perfectly amiable about this throughout this discussion, I have no reason to believe you’d want me gone. I am currently considering Option 4 indeed, though I want to stay for a bit to see how this all pans out. I have other issues and concerns with the fediverse anyway.
I’d like to point out a flaw with your analogy though: if you go to a restaurant you pay the people to make what you want. … A better analogy is going to a potluck without bringing anything and being unhappy about the lack of steak.
That is a fair point, but this is a free service. There isn’t any expectancy about one contributing to it.
Perhaps a more apt analogy from my perspective would be going to a free art museum and being disappointed there isn’t any art I like, and several other people agree with me. I can ask the museum team to maybe get some more art in I and the others like, but it’s up to the museum to do so, and I can’t make art for shit and would take years to make something worthwhile. At worst, I just leave the museum, it owes me nothing, and I owe nothing to it.
I am generally shit at analogies though, so y’know, making an analogy is probably a bad idea.
then I will simply not use the site
Maybe that’s what you should do. But don’t do it as a protest. Do it because you don’t want to share that data publicly.
The entire point of social media is sharing things publicly. If you’re worried about people collecting that data, then you shouldn’t have put it in public.
There aren’t good ways to keep a public secret. That’s inherent to how information works and not a failing of ActivityPub. It’s the same reason media will never stop being pirated. If I can see/hear it, I can repeat it.
But don’t do it as a protest. Do it because you don’t want to share that data publicly.
I mean yeah, that’s what I’d do it for. It’s a suggestion for the site and it’s a sentiment that seems to be shared by several people here, but it ultimately falls down to me to decide whether or not I want to continue using it, much the same as with my usage of Reddit.
If you’re worried about people collecting that data, then you shouldn’t have put it in public.
Voting is a core functionality of the site. It’s something I don’t think should be public as it puts more emphasis on what content I interact with in what is now apparently a public manner. If you want to debate that a mere vote is something I shouldn’t put in public, then fine, you do you. But for me, it defeats half the point of me even having an account here. What one comments on are often an incredibly small portion of what one actually votes on simply by ease of voting.
And I know I said “But Reddit…!” is a bad argument earlier, but even so, I’d like to say that even Reddit’s voting is not publicly accessible (as in not accessible by other users, even if Reddit almost certainly collects and sells such data), so clearly there should be ways to do it. If ActivityPub requires public voting and the people who have the ability to change it are unwilling or even unable to do so, then fair enough. But equally, I will refrain from contributing to such a site, which seems like a bit of a shame when it seems close to ideal otherwise.
clearly there should be ways to do it
Your votes on Reddit are public to Reddit admins. On Lemmy anyone can be an admin.
Giving vote totals without names makes the system ripe for fraud and abuse. In real life votes the decision to make votes public or private is a major one. In a system like Lemmy, the problems with private votes are exaggerated, and the problems with public votes are much smaller. Your Lemmy name shouldn’t be tied to your real name. It’s unlikely anyone is going to coerce your vote like they might coerce your political vote.
If you’re concerned about anonymity, maybe use more than one name or a different name so that your account isn’t so easily tied back to you.
The purpose behind having votes be more public is to have some kind of reputation behind those votes. It’s still possible to shill, but it requires more depth and and effort, and the shills may still be discovered if there are too many.
Your votes on Reddit are public to Reddit admins. On Lemmy anyone can be an admin.
Which is my concern. I don’t like Reddit having and selling that data, but it’s easier for me to trust-ish a singular entity than some entire web of random people, which probably includes some corporate people siphoning data anyway. I know some would likely find that a tad paradoxical, but that’s how my brain works. At least then the corporation can be held accountable per the standards of the region they’re based in should there be issues, or users can mass target the corporation rather than go “Don’t like it, just move to another instance.”.
For reference, it’s still not ideal, but I’d somewhat trust my instance’s admin. Why can’t my vote history be shared purely with them? Then give other admins the raw upvote/downvote data of the post/comment. After all, the instance I choose my account to be on is my decision.
Your Lemmy name shouldn’t be tied to your real name.
It’s not. I am careful about what I put online. Whilst I’m uncertain as I’ve never particularly tried to do so beyond some cursory Googling, I’m pretty sure you can’t tie my username back to me IRL. But even so, there’s no need to add to the pile of potentially traceable publically available data.
The purpose behind having votes be more public is to have some kind of reputation behind those votes.
That can still be anonymised behind a hashed ID. If all my votes were registed to some User-XXXX and it wasn’t possible to retrieve my username from that, I’d have no issues. Though from my discussion with other people, it seems that’s counter to how ActivityPub intrinsically works. I’m increasingly working towards the opinion that the fediverse isn’t for me, if it’s all set up in a similar fashion and apparently unchangeable. As they say, “different strokes for different folks” I guess.
Exactly. When data like that is public, I can guarantee you 10000% that Big Tech and governments are harvesting ALL of it as we speak. If this issue is not resolved and TRUE privacy is not implemented sooner rather than later, Lemmy will not succeed in the Fediverse, period.
If you want privacy you need to use an encrypted chat. You can’t have privacy in a public space. That is like stand in the middle of a market place, screaming out your thoughts and then being upset that someone writes them down. It sure would be nice if our data wasn’t harvested, but that is not the world we live in. So if you want to say something in private you need to choose a private platform. Otherwise assume that Big Tech and World Governments are listening.
There’s a huge difference between what I choose to put out in public vs. data that’s being collected on me just by browsing the site. Saying “it’s just the world we live in” is just an excuse to ignore the real issues. It is more crucial now than ever that we create a system that’s by and for the people, not Big Tech and governments.
It seems that what you would like is something like 4chan, where the post will get deleted if it’s not popular. But even that, there is no way to prevent data harvesting. If it’s public, then it is public. There is nothing you can do about it. Encryption wouldn’t solve anything either because you want this data to be read by everyone so you cannot really encrypt it.
The fediverse is kind of the same as a public room where anyone can come in and just listen, take note, see who is talking and respond in the same way.
This is the point of social media. If you don’t want to participate in it because of privacy, then don’t and just lurk (or listen) like most people do.
By definition, if it’s on the internet, it’s pretty much there forever. People need to be careful on what they share on the public space, in the same way you would when talking to a big crowd. You are not talking with your friends here, you are talking to the world. If you are any privacy, you just cannot have it here. That’s impossible.
But on the Fediverse you literally can only see what you put out in the public. Your votes, your posts, your faves. That is your action in public. It is not federated what you look at. There are no trackers here that profile you. It is just your real interactions that count.
There are trackers though
Where? Not on my instance.
It depends on the instance.
I think you make a valid point about Lemmy, but “hidden from public”? Big tech literally sells your data for profit.
I don’t think you’re been harsh lol, the right to secrete ballot is literally in the universal declaration of human rights.
Open ballot is a well known method for intimidating and blackmailing participants, it’s absolutely crazy that Fedivese operates this way. But even worse, seeing so many people here supports it.
I don’t think it’s possible to encrypt the data.
Say we have a rogue user that sends to the server multiple upvote requests for the same comment, how can the server reject the subsequent requests? After all, we can’t let a user upvote a post or comment multiple times.
If that data is encrypted, the server cannot tell whether the user has upvoted a comment before.
There might be possible technical solutions to this using hashing. Hashing is like encryption in that the original cannot be extracted, but the hashed result is unique.
For example, a solution would be to have a VOTES table with an indexed column that is a hash of a combination of the user ID, post ID, (and perhaps another “salt”, not sure). When a vote is made, the VOTES table is checked that the record (vote) does not already exist, gets an insert, and then a COUNTER is triggered for the actual vote count. (COUNTER is a db command that simply updates a counter). The hash would prevent multiple votes from the same user (as the salted hash is unique), and it would also prevent identifying who the user is from the table.
Yeah, I admit that sounds reasonable.
Although that still leaves the question of “is it scalable/performant?” on the table… Lemmy already suffers a lot from server overloading, adding the overhead of cryptographic hashing (anything less than that is not going to ensure uniqueness/true anonymity) to each act of voting surely isn’t going to help.
deleted by creator
Hashing is a normal part of the web, it’s easily scalable.
I really don’t even think the votes table would need to itself be federated; it could just be on the user’s instance. Upvote/downvote would be a call, but it should really only require the post or comment ID and voter instance. If an instance spams votes, those upvotes/downvotes could be deleted and the instance defederated
Still you can easily and quickly check if a user has voted on a particular post. While your method makes the tracking process quite a bit slower, it doesn’t make it unrealistic. There just aren’t that many users and posts as is the case with passwords. Still 100% better than the current approach, I hope this gets implemented.
Well, I am not a developer in this field, so I don’t know what’s possible, and what’s not. All I know is that this needs to be fixed one way or another, or this whole platform will fail. If our information is all available publicly, we will be better off just using Facebook/Reddit/Twitter - at least these platforms don’t leave our data out in public view. We need to stop saying what’s not possible, and instead talk about what is possible.
deleted by creator
So you think this is just my problem? No, this is the entire community’s problem. Sticking your head in the sand and pretending like everything is okay is the mindset that has caused so many great freedom-oriented software projects to fail. If you are not on board with creating a better system for the future internet, then why are you even here?
deleted by creator
I don’t see a problem with leaving data out in public view. Hiding behind anonymity has already turned most of the internet into a dumpster fire. Maybe we’ll see less trolls and hate publicly blasted with impunity from this. It will also put ‘keeping private shit private’ in the forefront of people’s minds. What personal data are you worried about revealing on a glorified chat forum that you aren’t directly responsible for publishing? edit: before this data was available mostly to the provider and anyone willing to pay for it. At least this way the data might become so publicly available it becomes worthless and the market dries up.
Anonymity is not the reason why many platforms have turned into “dumpster fires”. Have you checked Facebook lately? People literally use their real names while lighting the whole dumpster on fire. No, privacy is more important now than ever. If I had to list all the ways our data is being used against us nowadays, I would exceed the character allowance on here. The short version is that historically, time periods were named after the materials civilization made their weapons out of (stone age, bronze age, etc.). That’s the reason why the current time period is called the Information Age. Data/information is the biggest weapon we have nowadays, and that’s why it’s critical that we protect it with all means possible if we want to retain our freedom.
Good point about FB (I’ve been off that shithole for years now and forgot). You know what, you’re right. Our only real hope now is laws for a right to online privacy. The market needs to be destroyed and I’m just hoping we can brainstorm a solution at this point. As for Lemmy: I don’t think it can be fixed. The data is there for the taking. At least it’s not being horded by a site owner?
Maybe there is a way to keep you votes hidden but there sure is no way to keep your posts hidden. The whole point of federation is to distribute your post to the other instances. You want eat your cake and have it too. You want to post publicly but stay in control of the message. You are not better off using BigTech because there someone can scrape your data as well. And you don’t even know to how many parties your data is sent without your knowledge. There is no privacy in social media.
I am not talking about the posts. Of course those are public, as they should. There’s a big difference between data I willingly put out vs. metadata and the likes.
You mean it is worse here on lemmy with the unknown number of people who can see your votes if they are interested then on [BigTech-Site-X] where an unknown number of people can see your votes if they are interested? If you or someone else you know has a nice idea how to make votes possible without the information of who did it, then you are very welcome to submit your idea to the W3C for consideration. ActivityPub is an open standard and everyone can contribute.
Surely the server should be able to identity users “under the hood” without having to publicly announce everything to everyone? I’m not a programmer myself so correct me if I’m wrong, but isn’t preventing unauthorized or otherwise unwelcome actions while permitting intended ones without having to announce it most of what the programming controlling a server DOES?
Surely it should be possible to write code to tell whether someone has already upvoted something and then blocking further upvote requests for that specific thing without letting all the admins of lemmygrad and lemmynsfw, for example, snoop on all users?
PS: my apologies for calling you Shirley twice, u/orangeboats. I’m sure your name is just Shirley, not Shirley Shirley.
Yeah exactly. And I am not an expert in this field either, but of course there’s a solution, one way or another. The purpose of my above comment was simply just to call out the mindset of a lot of the people on here, whom obviously have no clue about FOSS and privacy, but simply just came over from Reddit. We are at war against Big Tech these days. Our privacy is at risk and our data is being used for population control. It is vital that we have projects like the Fediverse that can counter this, but we will only be successful and win this war if we can implement some true privacy.
You call us insane but you don’t want to be harsh? I wonder what would you call people that are not panicking at even a possibility that anything personal becomes public if you were trying to be harsh.
On a more serious note, I am happy that people like you exist that care about privacy as it benefits everyone overall I guess. But you have to remember that some people, like me, don’t have issues with having their opinions and even some personal data public as long as we are aware that this is the case (which is how I treat all the social media).
For instance, durning my Reddit 7-year tenure I always wrote my comments in a way that if suddenly my employers or friend brought it up, I would not be ashamed of what I wrote.
I am not saying it’s not good to think and discuss about things like that but I would appreciate if you didn’t call people insane that have a very different attitude to you if it comes to internet privacy.
Some people freak out about internet privacy, GMO, sweeteners causing cancer, etc. There are others that don’t.
What information is stored/publicly accessible for our accounts?
I don’t see it being a problem that your votes are public so long as there’s no way to tie the account to you irl. Like, so long as the instance (? I’m very new here I don’t really understand the data structure) doesn’t store your IP address or anything does it matter?
Like yeah you can see that u/randomdickhead (again, not familiar with naming conventions) upvote some weird shit but so long as that’s where the bill ends that user could just make another account aaaaaaaaaaand… No issue?
If I have the wrong idea please let me know I’m genuinely confused about this
I agree as in “we need to assure anonymity” although I find complete transperency better than corporate overlords deciding what happens with your data
now atleast you know that everyone that does want to know the information is going to get it [so you can behave yourself ;) ]
This completely goes against the entire philosophy of the Fediverse
Care to elaborate on that? As far as I know this is built in to all the ActivityPub applications.
Reading these comments, seeing so many excuses, sarcastic responses, and handwaving, makes me realize a great deal of users really need to develop some imagination.
This is not about privacy. It’s about data that can easily be used for targeting and profiling users, and how that creates countless avenues for targeted harassment and wide scale retaliation. It’s about all of the innumerable ways public vote information can and will be abused to manipulate scoring across the site with targeted/automated shadow banning and shared blocklists. Raise your hand if you trust every single admin to never abuse such a tool to curate the outward appearance of an instance to fit a narrative.
For a different example: I could say something about how great Nazis are right now, and have a bot programmed to read every single person that downvoted me, add those names to a shared blocklist, and viola, I’ve made myself and all my alts invisible to the people that would challenge me on a massive scale.
I promise you this is going to be a big issue as tools for this site get more sophisticated over time.
alternatively, if votes were private, you could spin up a bot network to mass upvote your comment; making it far more influential as most people are more inclined to believe statements they think others also feel. thankfully, votes are open, so you can’t
as long as there is a system, people will try to game the system; and when there is a new system, people will come up with new games
I could say something about how great Nazis are right now, and have a bot programmed to read every single person that downvoted me, add those names to a shared blocklist, and viola, I’ve made myself and all my alts invisible to the people that would challenge me on a massive scale.
Damn
While I agree this shouldn’t be so publicly accessible, I’m curious about the possible benefits of limited sharing between instances to give spam/bot detection tool’s more power.
Users on A vote on a post on B. The admins from A and B can see the fine details of who did what, but the admins of C (and all of the general users regardless of instance) just see totals of up/down votes.
Ideally, detecting bots should be up to the Admins. They should have access to the vote information, and they can share the tools with other admins to detect it. But the average user should not have unrestricted access to this data.
The average user can run their own instance as an admin.
Let me be a little more clear, the Admins of your account’s particular instance should be the only ones that have access to your votes.
Now the question remains about when your account posts/comments into a different instance, who should have access to those votes? Perhaps your instance has a way of obfuscating the votes of any user coming from your instance, or else only the admins of the community that you’re posting into will have access to your votes?
The problem really comes down to how we avoid the problem with duplicating votes. Currently this is easy as each vote is public so every instance can verify the correct vote count. But implementing either of the solutions above will need a way to verify the correct number of votes.
To top it off you would also need a way to detect if a malicious instance had come along and started lying about how many votes had been cast.
One thing we can look at under the hood would be how cryptocurrency works as they have solved both the problem of duplicate values as well as the ability to trust those values being sent. All of the code is free and open source so we can pick out the parts that we need and reuse it. (And no, I’m not telling people to go out and buy crypto).
Z Cash would be a particularly good one to look at as it ensures a “zero knowledge” (or “zero trust”) method of sending the values across “nodes” (or in our case “instances”). Using this, who is voting on what would be hidden, but we could ensure that the values are correct.
Additionally you could probably throw out the second hashing algorithm altogether and just keep the Blake2b hashing algorithm as this one is far more efficient and quick to compute (and that second algorithm was mostly thrown in to prevent people with specialized hardware from being able to come in and beat anyone else running on just a GPU/CPU). https://github.com/zcash/zcash
However, using this particular method would make it so that not even the instance admins would be able to view the details of anyone’s votes (which may be a good thing after all if we decide that any random instance admin is not to be trusted).
There’s no need to complicate things by bringing crypto buzzwords into it. It’s already been solved faster, better, and easier just like everything else cryptobros invent a problem for.
The crypto example was only a suggestion because they have simply solved the exact same problem we are looking at: duplicate votes (transactions) and verifying the results while being able to hide it.
I would love to hear any other suggestions that people may have that solve these problems. Copying open source code from crypto isn’t the only option. So let’s look for solutions instead of dismissals (unless you’re arguing for keeping votes public of course).
deleted by creator
Removed by mod
I agree with you about harassment issues, and the importance of controlling the transfer of admin-level data between instances, but for your last scenario, doesn’t blocking only apply to users who are logged in? Assuming your hypothetical tankies and Nazis were actually posting as well as blocking, it would be easy to find them just by logging out, and there are a lot of ways to get them banned or otherwise counteract their activities that don’t require someone to interact directly with them while logged in. The case you’re describing is not the kind of situation where the most important action is to argue with them. Arguing with extremists usually just validates their delusions, and encourages them to keep doing what they’re doing.
Couldn’t we just use a hash for the usernames instead?
Nothing too over the top, but just a simple hash and match that instead?
Also, there’s way too much trust in instances. Like, one person could easily make a post on lemmy.world, go on their personal instance, and just give themselves, say, 2000 upvotes.
Instances should have their own settings on what instances are allowed to keep a local copy. (Default behavior should be to get the post itself from the instance “hosting” it).
If that is a solution you’d need to change the ActivityPub specification. You are more than welcome to submit your idea.
Also, there’s way too much trust in instances. Like, one person could easily make a post on lemmy.world, go on their personal instance, and just give themselves, say, 2000 upvotes.
I’d first have to create 2000 users, then I’d have to send 2000 upvotes. And then I’d get blocked by all instances.
Instances should have their own settings on what instances are allowed to keep a local copy.
This is also not compatible with the ActivityPub spec but even if it were you’d win nothing because as soon as you fetch the post it is still on the server.
Hey, just curious: how would all the instances discover this type of fraud?
They’d have to check the upvotes, notice most of them came from one instance, look at the instance, check multiple users, and if they realize that these users were just created to get upvotes then they can defederate. However, it’s too big of an assumption that moderators will go through that kind of effort to validate all the upvotes.
If that is a solution you’d need to change the ActivityPub specification. You are more than welcome to submit your idea.
AFAIK, the ActivityPub specification has no requirements on how likes should be stored. The two things that is requires are that likes are added to the user’s liked collection, and that the post’s like count is updated.
This is also not compatible with the ActivityPub spec but even if it were you’d win nothing because as soon as you fetch the post it is still on the server.
Mastodon actually just stores all this data on the server containing the post itself. Instance admins get as much information about the post as the client does. Both Lemmy and Mastodon use the same protocol, but Mastodon chooses to only to trust the server the user is using, and not the third-party servers.
I’d first have to create 2000 users, then I’d have to send 2000 upvotes. And then I’d get blocked by all instances.
Creating that many users wouldn’t be hard to do(you don’t need to use the GUI, just a little SQL is all that’s needed). And you don’t need to “send” the upvotes; you can sidestep the protocol entirely and just update the database. That’s the problem.
And while yeah, the instances would block me, they probably wouldn’t notice if I did it at a much smaller scale. In fact, there’s no real easy way to check whether these upvotes from an instance are actually real.
Couldn’t we just use a hash for the usernames instead?
The hash function would still need to be public to share data between instances.
That’s the point of a hash function. You have a public hash function, say SHA-256. It’s easy to check a username against it’s hash, but virtually impossible to reverse the hash back to the username.
Edit: Instead of storing, say,
eddie, we’d store3b9d8298f1b5086d012618feebb2da1a394357c1dab7523443c9f6a743c4c84d. Then when the instance gets aLikefromeddie, it hashes his username to get3b9d8298f1b5086d012618feebb2da1a394357c1dab7523443c9f6a743c4c84d, realizes there’s a match, and doesn’t update the count.Note that when given
3b9d8298f1b5086d012618feebb2da1a394357c1dab7523443c9f6a743c4c84d, it would take millions of CPU years to compute the original username from it. Therefore, we can check for duplicates without actually checking the name itself (a similar method is used for checking passwords; Lemmy is open source, we know the hashing algorithm, but we can’t unhash user passwords, only check them).While there is an enormous amount of possible passwords, there is only a limited (and quite small) amount of users. Couldn’t you just hash all the usernames one by one and map the hashes to the usernames? So you could still reverse engineer the usernames of those who voted on a post.
Edit: Salting with the post id would make this attacking process harder, but still realistic. Probably the only real solution is to hide the votes table from federated instances, I’m not sure if that brings technical problems.
That was what I was implying, yes.
Just hash each username and store it. Then just check the usernames hash to see if it matches.
I was more comnenting that you could still reverse engineer the users who voted on a post
Actually, you’re not really wrong.
All the more reason to give out limited data to all other instances. Why do these instances really need this data? Mastodon doesn’t need it, not quite sure why Lemmy does it.
Yeah I don’t understand why every instance can’t keep track of their own votes privately. Sure, voting manipulation is a thing, but it’s possible regardless.
Honestly I really hope Lemmy does something to address this issue. Otherwise it’s kind of a dealbreaker for me.
If anything, wouldn’t that make vote abuse even easier? Just send 100 upvotes with 100 random hashes.
Also, there’s way too much trust in instances.
I say there’s too much care about votes. Because someone can just give themselves infinite votes from their private instance, it makes it all the more worthless.
Instances should have their own settings on what instances are allowed to keep a local copy.
There’s a setting for that, it’s called the allowed list - configures who are allowed to federate with you. Beyond that - if it’s out, it’s out.
Votes are the only real way currently to gauge opinion about the post itself. IMO, if the votes system is so bad that people are starting to completely disregard it, there’s something wrong.
It’s a lot easier to fake a hash than a username. If I’m an instance owner and I suspect another instance of this, I can grab a random username and check their post history. Pretty easy to see rampant fraud that way.
If you’re putting something out on the internet, even upvotes or clicks, expect it to be public.
People raise a good point that in countries where political dissent can actually be dangerous, this would very much dissuade people from voting on things they believe in, or even coming anywhere near Lemmy period.
A better approach I think would be to have the user’s host instance save their votes (the database obviously needs to remember what you voted on), but when federating those votes with other instances just hand over a cumulative total, e.g., “here on vlemmy.net we have +18 votes for this comment”, which the other instances can then add. There’s no need to send user information with that data.
The problem that Reddit realized early on is that user voting is the engine behind the content aggregation. That aggregation is one of the main selling points of Reddit. The more users vote on what they see, the more information Reddit has for how to aggregate that content. That’s what keeps the front page fresh, that’s what keeps content moving up and down on the site. In a very real sense, the voting is the heart pumping blood through the site.
So it behooves the site to not give any reason for users not to vote how they feel. Keeping votes private was part of that. It is one of the most basic tenets of democracy: the only way to give people the freedom to vote honestly and frequently is to give them the privacy to do it.
The potential for retaliation against users, in any number of conceivable ways, far outweighs any benefits that come from making votes public.
The voting information also makes it insanely easy to automate mass blocking of any opinion under the sun. Nobody in this thread seems to grasp all the things you can do with that data to manipulate user interactions on this site. If you think troll armies are bad, wait till those troll armies have a shared automated block list of every single person that has ever downvoted them.
Agreed, especially because I believe we’re headed for a repressive regime here in the US in about 2 years.
Places like this will need to get very careful if they want to remain bastions of free speech and places where people can come to find the information that will no longer be available in mainstream channels.
Lemmy is not a bastion of free speech lmfao
Pretty easy to make an instance that would auto vote certain things with suspicious amounts of votes
As it stands now, they have to fake the origin of some of those votes. Not much of a barrier, the fediverse generally accepts any user an instance says exists, but still, it’s a barrier
And of course any instance thats blatantly manipulating votes is going to be defederated, but I’m more concerned with an instance that behaves normally until it encounters a keyword or user is been set to, and then gives their posts a -5 or whatever
This was my thoughts as well. I understand the need for an audit trail.
Would be very easy to build up an interaction graph with this data that could be used for fingerprinting. If this is an issue for you, though, just browse without signing in/interacting
Was just thinking about this more though, and unfortunately there can also be rogue instances that allow bot users to be created and interact with other instances posts, so this issue could still persist.
Could replace the usernames with UUIDs, and keep the username-UUID map back on the source instance? Then you get an audit trail, but not associated with user identity. There’s also no guarantee that people don’t use bob_jones as their username, and this is Personally Identifiable Information, which brings up some GDPR stuff too.
The problem with that is that every interaction that any user has with a post or a comment would require calls back to the home instance in order to lookup those usernames. That’s a LOT of extra load
There is no reason you couldn’t only do it for votes and not for posts and comments.
Yeah I just meant for the votes. If you make a comment with your username it’s pretty clear you consented for the input and the username to be visible side by side.
deleted by creator
I think those users who live under oppressive governments should be used to using tools like Tor and accounts with a proton email to interact on the internet.
Fair point. Though if nothing else stripping out usernames from vote counts would maybe save some bandwidth or database queries for the instance.
This. And make accounts with name generators so they’re not traceable to you through patterns. And train yourself to not say things that are identifiable across accounts. 🚉
That would allow to fake votes, as I can tweak my instance to spew any number I want.
Can probably fake votes anyway by faking usernames right? Harder, but still doable 🤔
There is a fundamental misunderstanding here.
Our data has never been ‘invisible’… We’ve just trusted that places like Reddit and their staff will do the right thing. That’s literally how it already works.
If you sign up for Reddit, Reddit staff can see your posts and votes if they want to.
If you sign up for a private forum the admin there can also see database contents.
One way encryption is not possible without stopping functionality… If data about you was encrypted then posts you make couldn’t be displayed. If you include a means to decrypt then there was no point encrypting anyway.
This is how it’s always been, and Lemmy doesn’t change this status quo much.
A faceless corporation that has had access to your data is just replaced by a variety of admins distributed across instances.
This isn’t a good or bad thing, the potential for abuse does exist, but when we have literally made agreements with places like Reddit that they can use and sell our data… then what difference does it make it an admin takes a peek?
It wouldn’t be great… but nothing is perfect.
It’s still worth working on however, to see if a better solution can be found, but at this time I’d say just be aware that it is possible that your data can be seen and understand the only safeguard against that if you need to communicate something private would be to use direct messaging with end to end encryption.
Holy shit. HOLY SHIT.
I just realized what this actually MEANS.
It means that when you like or dislike something so much that you unvote and then vote a second time, people can tell. This will change karma forever.
Back in my day everyone knew that once you put something on the internet it’s there forever to be seen by all. Has everyone already forgotten this? This is nothing new and in fact the way it’s always been! Now get off my lawn!
I’m already questioning the whole system behind it, not just votes.
Say you have critical information that you want to delete but other instances can just ignore this deletion request, than I could technically write a plugin that uses an extra instance, to always display all deleted comments to me, despite me being a regular user.
For other sites you’d need a crawler, catching this information and all this in a rapid fashion to be usable, with a lot of programming extra work.
At this point we can as well remove the option to delete or edit a comment as everyone can host their own, which wouldn’t be possible with proprietary tools.
If someone can simply see votes the same way, we can as well add a mouse hover function that will display the username of whoever upvoted.
Displaying the internal information publicly is indeed the more honest approach. Still, people need to understand that Social Media is Public Media. Deleting and editing depends on the goodwill of the receiver. Just imagine you were sending an email when you send something here. It is about the same level of control. It is not like you had much more control on Facebook or Reddit.
Sure, I agree but less technically versed people don’t see it that way. It’s obfuscated, that delete doesn’t mean deleted. If I delete something on Reddit or Twitter, it’s hidden for anyone but the owner and maybe a crawler that happen to have snacked it. People try to circumvent this by using sites that cache Reddit, but even there it most often is not available if you deleted it fast enough. It costs money and there’s a delay to have a crawler everywhere all at once.
Of course nothing is ever truly deleted on the web but we have levels of hiding it. I don’t think that alone justifies ignoring that issue. It makes a difference if someone can find it with one click or needs effort. One is much easier to abuse to dogpile someone. Sure, you might not agree with me, I still though it was important to voice my concerns.
I think the problem is that people post things without informing themselves. I don’t know how to change that. People don’t read disclaimers. How do you make them know these things? You can’t put big red warning labels everywhere. People need to inform themselves.
Which is an education problem and has nothing to do with lemmy.
It is fucking 2023 if you don’t understand how the internet works by now, it’s out of ignorance and likely has to do with this societal aristocratic attitude towards “techy” subjects.
It is your responsibility to be informed and to understand the consequences of your actions. We’re finally wakin up a bit :)
While I agree with others that it is perfectly fine for everything to be irrevocable like email is (there’s no real way the system could work otherwise), I do think the Lemmy web UI and popular Lemmy native clients could do a better job making sure users are aware of that. Maybe when writing a comment there could be a little info bar that says “Content posted to Lemmy cannot be permanently deleted. (Learn more)”. And then when you click Delete on something, it could have a similar explanation, adding something like “Deleting this comment will remove it from the feed/thread, but it can still be retrieved from the federated database by any instance administrator. (Learn more)”
I think it is still useful to have a Delete function, or maybe rename it to “Remove” or something, because maybe you realize what you wrote isn’t contributing to the discussion or for some other reason isn’t useful for most people to have in their feed. There’s a difference between deleting data and removing content from the canonical “discussion”, and just because we can’t have the former doesn’t mean there’s no value in the latter. Also, the delete function does have meaningful effects like making it impossible for people to reply to the deleted comment, which can still help with harassment. 99.9% of users will never see that comment again.
I agree that it’s good to have some kind of deletion, even if it’s not really getting rid of the content. Nothing is ever really gone on the internet, but there is value in communicating to others that you meant to retract a comment.
Which is why either
- Votes should be publicly viewable like they are in kbin. Not necessarily readily viewable to save server resources, but through a click through or something. No need to hide something that is, in essence, public info.
- Votes should not be federated at all, but that would be awful for very small instances, though this is how Mastodon has always done it.
- Votes should be federated in aggregate, but this would kind of break federation because it’s a new type of Activity.
Another option is assigning an id per user that’s only used for tracking votes. Only the user’s server would know who did the voting, but you still get moderation where you could block votes from a certain id on another server if you believe it’s being abusive in some form.
As long as you don’t delete the voting id when the user’s account is deleted, you can avoid the votes ever being associated with the user on another server. (Since a snooping party could correlate the timing of the two deletion requests and associate the user with the votes at that time). If you did want to delete them, you could say voting id deletion happens in batches. So accounts get deleted immediately, but votes only get deleted when there’s some group size N available for deletion.
Your idea assumes that you can just change the protocol. The ActivityPub protocol is developed under the W3C. If you just change something you are no longer compatible with other services.
This part of the protocol is not explicitly defined. In fact, section 3.1 of the AP spec says that null may be used to signify an anonymous identifier, then additionally these activities could be tagged using extensions to contain a unique identifier that isn’t the actor. The more you look at AP, the more you see how loosely it’s defined, and for good reason, it allows it to be applicable to many different scenarios (a twitter, a FB, and now a Reddit). What he’s suggesting would make it not interoperable with things like Mastodon which require an actor for a Like, but it’s not changing anything about the protocol.
EDIT: By the way, other things don’t work when viewing Lemmy comments on Mastodon too, like downvotes don’t do anything on the Mastodon end. And you can follow Lemmy users from Mastodon but not the other way around.
I didn’t intend to imply that only one server changes something. I was intending to imply that the protocol should be updated (after review, ratification, etc.). I’m sure there’s edge cases I haven’t considered.
Say you have critical information that you want to delete
Then you shouldn’t have uploaded it publicly.
other instances can just ignore this deletion request, than I could technically write a plugin that uses an extra instance, to always display all deleted comments to me
The same was always possible with Reddit and was even implemented. Why is this a problem now?
For other sites you’d need a crawler
Only if they don’t have an API.
People can accidentally reveal there identity or post something, notice this is too private edit or delete it. The chance for someone to have seen it in 1 second is low. The chance for a bit to have crawled that thread, with that comment, is higher but still low as it requires infrastructure, that costs money and a little skill to setup. Something someone for a simple plugin won’t do.
If anyone can host a Lemmy instance and you just need to filter that one line of code that’s for forwarding delete or edit requests, you can just push that info into a separate view. You now just need a plugin that will poll from the instance that’s not complying to delete requests and display them to the user. Hell that’s something even I could do quickly if I ever feel bored.
Hosting (or simply just using) a crawler takes less resources and skill than hosting Lemmy let alone modify it the way you intend.
Yes, I know, every CS student can program a crawler. I explained in another comment why it’s still a huge difference.
Maybe if hosting a Lemmy instance is that hard, it’s enough? I don’t know.
I found hosting a Lemmy instance pretty easy but I admit I have the experience to readily recognize how fucked the Lemmy docker-compose example is.
No clue whatsoever how to write a crawler.
deleted by creator
Woah woah woah. Hold the phone. You’re telling me that things that I post… on the internet… are… PUBLIC???
Activities are public and easily viewable on kbin. It’s been interesting. Seems mostly positive other than people harassing those who down-vote them demanding explanations.
Knowing they’re visible on kbin made me realize that most Lemmy users probably weren’t aware, as it’s non-obvious.
Yeah, I had a good natured discussion with a Lemmy user on feddit.uk the other day where they were still inexplicably downvoting my responses each time, despite us both being polite and constructive.
It made me realise that a) they use the downvote button quite differently to how I use it and b) they probably didn’t know that I, as a kbinaut, could literally see they were the one downvoting.
I started a discussion on feddit.de about good discussion practice citing Karl Poppers rules of discussion and the use of the down and upvote buttons.
I think discussion culture in the Fedivers is quite healthy at the moment.
It’s so weird when people do that!
Yea, good call. I wonder if kbin makes them viewable because the activity pub protocol does not allow them to be easily hidden.
Seems to be Ernest’s attitude about that sort of thing, he doesn’t like to hide things from the average user that someone more technically inclined would still be able to access
And I like it. It’s pretty earnest :)
Excuse my ignorance, still super new to Lemmy. What’s kbin?
Excuse my ignorance, still super new to Lemmy. What’s kbin?
Kbin is another open source link aggregation program with a different developer that uses the same protocol as Lemmy (ActivityPub), so kbin and Lemmy instances can communicate with each other. If you see anyone with “@kbin.social” after their name then that’s where they’re from. You can check it out yourself here as well kbin.social
Spot on:
https://kbin.social/m/youshouldknow@lemmy.world/t/82174/YSK-You-can-view-upvote-and-downvote-information-through-kbin#entry-comment-349825
It’s apparently because it’s Twitter based and Twitter shows likes and such. Kbin doesn’t really have a like upvote downvotes thing. It’s like a favorite and a boost. It’s weird
Not true.
Both Lemmy and KBin map the same activitypub activities to the same upvote and downvote actions.
One thing I really like is that it makes it easy to identify users to block. If there’s a post stating that “Nazis are bad” and it has ten downvotes, it’s very easy to use that to block future content from trolls and people I’m not interested in hearing from.
Yeah, and guess what? They can do that to you.
Effectively, every single person can use a bot that will automate the blocking of any user that ever downvotes them ever.
Like if I made a post that says I like Nazis, and then waited for the downvotes to pour in. Add every single one of those names to a block list, share that block list with all of my alts and all of my friends, and suddenly you have a whole army of Nazi sympathizers that are invisible to the users that would downvote them.
These hand waving excuses about votes being public are really lacking imagination. This is extremely abusable information, and cursory tools can will be put together to make abusing them simple.
I think there are some problems about voting being public. I don’t think this is one of them.
I don’t mind people blocking me, and if I don’t appreciate the type of content people provide I’ll block them liberally. It’s not necessarily anything personal, I’m just cirating my experience.
Furthermore, I strive to be on instances where nazi sympathisers would be banned, and where instances tolerating them would be defederated. The only issue is identifying and weeding out troll accounts.
You wouldn’t know that your instance is infested with tankies and fascists. You can’t see their posts because you’re on the block list.
Depends on where it’s posted in. Also this example is pretty low effort. I would downvote it too
There’s something amusing about people feeling violated by their activity being made public, but not necessarily by corporations hoarding and capitalizing on that activity & data. I mean, one of them is out in the open. The other is pure abuse.
Oh no, so my upvotes on c/spacedicks aren’t private?
/s
