Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.
You must log in or register to comment.
Should the Lemmy devs create a way to make the votes anonymous?
I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.
Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
I left a long comment in the other thread which I will link in a moment, but I think either
- We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
- We make it public for everyone and take steps to deal with the new issues that it could cause
Other comment on the benefits/issues: https://lemmy.ca/comment/11097046
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.
And that is still possible with pseudonymous tokens votes. You just end up banning tokens for malicious voting activity, and users for malicious posting activity. It’s at best a very mild adjustment to moderation workflows.
How does this work? The community issues federates votes but with a linked token instead of a linked user? How do you track vote manipulation across different communities on different instances?
As far as I understand it all activity originates from the home instance, where users are interacting with federated copies of posts. The unique user token from a well behaving instance follows the user across the fediverse, allowing bulk moderation for voting patterns using that token. The only difference is that it is not explicitly tied to a given user string. That means moderation for vote manipulation gets tracked via a user’s vote token, and moderation for trolling/spam/rule violations happens via their display name. It may be possible that a user is banned from voting but not commenting and vice versa. It’s is a fairly minor change in moderation workflow, which brings a significant enhancement to user privacy.
Under activitypub, a lemmy community is kind of like a user (actually an activitypub group). When I post here with my lemmy.nz account to this lemmy.world community, lemmy.nz sends my comment to lemmy.world who then sends it to sh.itjust.works for you to see. The community is the controller of all interactions within the community. In this case, lemmy.world is the official source of how many upvotes this post has. And each vote is validated using the user’s public key to ensure it actually came from that specific user - a standard part of ActivityPub.
So would lemmy.world assign a token for your votes? If your instance assigned the token, Lemmy.world would not be able to validate against your user’s public key. If Lemmy.world assigns the token, it would only be valid in lemmy.world communities, as other instances would have to assign their own token. And both sh.itjust.works and lemmy.world admins could still see the real association.
Also, changing how votes work would break compatibility with other ActivityPub software (e.g. Mastodon could no longer interpret an upvote as a favourite, Mbin would’t be able to retrieve any data about the votes unless they specifically changed to work in the Lemmy way instead of using standard ActivityPub).
Worst case scenario, there is an entirely separate, tokenized identity for votes which is authenticated the exact same way, but which is only tied to an identity at the home instance. It would be as if the voting pub is coming from user:socsa-token. It’s effectively a separate user with a separate key. A well behaving instance would only ever publish votes from socsa-token, and comments from Socsa. To the rest of the fediverse socsa-token is simply a user which never comments and Socsa is a user which never votes.
I am not sure key based ID is actually core to AP anyway. The last time I read the spec it kind of hand waved identity management implementation.
Well hey, sounds like you might be able to help. Lemmy devs are actively soliciting opinions on lemmy votes, maybe you could have a say? Most of the comments are around “votes are already sort of public” therefore either a) make them actually public so we aren’t pretending they aren’t, or b) keep them hidden, a little less public is better than completely public.
Perhaps you can come in with a c) option to make votes even less public?
I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.
I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.
The current trust model already relies on a user’s home instance accurately reporting user activity and not injecting fake activity. Hiding real user votes behind pseudonymous tokens doesn’t change that at all.
As far as I can tell, the activity ranking algorithms don’t actually differentiate between up and down votes anyway. All votes are considered engagement.
At least NOW I can find out exactly who can call me out for saying something stupid, and thank that person for providing me with valuable information and knowledge.
Downvotes are actually kinda useful, even I benefit from them.
In LiveLeak all votes were public. What happened was a lot less downvoting, but also aggrevated users would stalk your page and leave mean messages if you downvoted their comment.
On the other hand, it was really easy to spot trolls trying to manipulate the narratives, Hasbarah and Russian trolls were really active on LiveLeak. This allowed me to block them and keep them from bombing my comments anytime I said something critical.
I actually didn’t notice that it could REALLY go wrong.
I can see that in some circumstances, votes might need to be public due to protocol, otherwise public votes have their own uses, and so are private ones.
As I said in another comment in this post - I believe seeing who upvoted or downvoted a post aids in identifying rabid downvoters and bots, though I personally use mobile Lemmy apps and am unable to access that data.
I am the admin of a website where we have a place where our users can post custom content and rate the content of others.
We have discussed how it works and should work many times and came to the conclusion that we’d never want it to be public. Any report of abuse will be checked by the website owner directly in the database and even admins don’t have full access. Everybody tries to stay as far away from the personal ratings as possible.
We also noticed that it would be a lot more fragile when there are not many voters. A whole group that is negative about something wouldn’t get as much harassment as a single person having a unique opinion.
On our website we have a comment section that isn’t anonymous, and we even noticed that people often don’t post something negative when it would be obvious that they are the only one who has voted/rated something. (“Negative” is almost always constructive in our case)
These are just a few things that I think add to this discussion.
Yes, they should ideally. But it’s hard to properly implement them in a way that will guarantee anonymity and be sybil-resistant at the same time.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users.
Why would you even want anonymous votes but not anonymous comments?
The former is as good\bad as the latter.
I know they were already technically public. I think they should be shown.
Votes should be transparent for everyone. Right now the system assumes that mods/admins are somehow inherently more responsible than the average user, but well, just look at the garbage clusterfuck admin/mod teams of certain instances. You’re telling me you’re gonna trust these people with this information and not everyone else? Get the fuck outta here.
One benefit to vote transparency for admins is mod monitoring options.
Reddit is infested with vote manipulation via bots. At least on the Fediverse it seems like both admins and mods might have more options.
Keep the Fediverse bot- and troll-free.
The whole idea of being able to behave like a shithead without accountability needs to go.
As with all things you must behave like a shithead in moderation.
How about pseudonymous as a compromise? Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.
It might be theoretically possible to correlate the uuids with an account’s activity and dox the user in some cases, especially with some instances having a single user, but it would be very difficult or impossible to do on larger instances and would add an extra layer. Single user instances would be kind of impossible to make totally private anyway because they can be identified by instance.
Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.
The issue with that is with malicious instances that could engage with vote manipulation by just generating new IDs and voting for whatever they want. If you can’t look back at the profile and determine whether it’s a real, non-spam account, it’s a pretty big issue unfortunately.
You also have an issue where someone could potentially vote with “your” ID without any way to detect that it’s not actually “you” who sent the vote.
Yeah, that’s fair enough, though I’m not sure it’s very different from malicious instances creating normal user accounts?
You can see when users from an instance are all suspiciously voting the same way at the same time regardless of whether they are usernames or IDs.
There’s lots of legitimate users that only vote but never post so doing it based on that doesn’t seem very effective?
The second problem is solved using public key cryptography, the same way that you can’t impersonate someone else’s username to post comments. Votes and comments are digitally signed (There would need to be a different public key for voting to maintain pseudonymity though).
they could do similar to another platform had done, which is tie voting to a shadow account that only the instance admin team can link to a user, this allows for moderation while providing the ability for obscurity.
I still disagree it should be public in the first place, but I know it’s a hard requirement for federation so it’s unlikely to become more concealed
If that were to happen, the receiving end wouldn’t know who sent which vote, thus making spamming extremely easy.
I did think of a few ways round it (in kbin/mbin) a year or so ago. But, it wouldn’t work unless everyone using ActivityPub recognized it. It’s also really a small problem in reality. It’s likes and dislikes.
I’ve been thinking about this for several hours since I first became aware of the debate.
I don’t care that much in theory if anyone sees my votes. They aren’t anything I’m particularly private about. I care about conversation way more than up/down votes.
However, some people get a little upset about being downvoted. I think it will result in retaliatory downvotes. You already see that when two folks are arguing. I don’t normally waste my time downvoting a post I’m writing a rebuttal to, but when they are downvoting me I tend to do it back. I think if everyone had easy access, they would hunt down their down voters posts and retaliate regardless of the quality of the comments.
Lastly, I wonder if this will give rise to a client that lets you use one account to post/comment and a different one to vote. And if it does, will that be better all around? Then no one will be able to associate votes with a user. But it seems unnecessarily wasteful to create a whole account that does nothing but vote. It seems like it would deny mods (and everyone) a useful tool for identifying bad actors.
Technically, anyone could get access to the voters identity if they try hard enough but 99% of the users won’t put in that much effort. And technically someone could already use different accounts for different activities, but without reason to create a client to support that it’s too much of a pain to be worth the effort.
So I really think I’m on team status quo here.
I don’t normally waste my time downvoting a post I’m writing a rebuttal to, but when they are downvoting me I tend to do it back. I think if everyone had easy access, they would hunt down their down voters posts and retaliate regardless of the quality of the comments
That would stop as soon as people start reporting this behavior to mods who felt enabled to ban users based on unjustified downvoting.
I’m really skeptical about that. Either that they would do it or that such “justified” downvoting would be a clear cut or fair decision. Most people don’t vote the right way. How many people downvote content they agree with or find funny but doesn’t add to the discussion? How many people upvote content they disagree with that does add to the discussion?
And am I really going to take up a mod’s time because someone got mad at me and downvoted—the most accessible and innocuous way to express displeasure with someone? How many more complaints about downvote bullying are mods going to have to field?
I don’t know. You could be right, but I’d want to see it successful in a small scale, if possible, before deploying it everywhere. Maybe the folks suggesting it should be up to the server admin are right. That would be another differentiator and people could go to communities on servers that have their preferred visibility policy. That would serve as an A/B test and let people vote with their feet.
How many people downvote content they agree with or find funny but doesn’t add to the discussion?
Again, this is only a problem because we have lost this sense of shared culture. If we really want to have an established “community”, these guidelines will have to be one way or another be restored and enforced.
How many more complaints about downvote bullying are mods going to have to field?
Here is an idea: instead of trying to remove power from people, let’s give more of it. Hiding votes is hard, but creating a finer-grained permission system for moderation is not. Let’s build a system where mods can assign other mods for specific types of reports. Then, we can have few mods who would be “all powerful” like they are now and we could have a bunch of “issue-specific” trusted users who could access/triage specific reports.
We shouldn’t need mods to figure out what is “basic” spam and we shouldn’t need powerful mods to say “user A is reporting that B has downvoted their last 5 posts in different conversations. This is a violation of the community rules and therefore should be banned.”
Removed by mod
The question of whether Lemmy votes should be anonymous is an important one, balancing transparency with privacy. Public voting can encourage accountability, but anonymity might lead to more honest and unbiased voting behavior. If you’re interested in exploring the pros and cons of this issue further, chatgpt 日本語 can provide a detailed discussion and help you form a well-rounded opinion on the matter.
Hello, low-effort bot.
Yup.
This kind of spam has been going on for a while and is usually removed promptly.
Sorry, I think our localmurderbot was offline at the time.
Anyway, they’ve since been banned along with a several alt accounts.
Don’t hesitate to report those if you see more.Oh and I think we would rather not advertise their spam URL if you wouldn’t mind editing the link out from the quoted part.
Thanks,
Don’t hesitate to report those if you see more.
Thanks, will do.
editing the link out from the quoted part
Done. Thanks for all the work you do to keep this place running smoothly.
Removed by mod
레미에 대한 공개 투표는 커뮤니티 내에서 투명성과 책임성을 강화하여 사용자가 특정 콘텐츠를 지지하거나 반대하는 사람을 확인할 수 있게 해줍니다. 그러나 이는 또래의 압력이나 원치 않는 감시로 이어질 수도 있습니다. 온라인 상호작용에서 프라이버시와 자유를 원하는 사용자에게는 익명성이 더 바람직할 수 있습니다. 온라인 개인정보 보호 도구에 대해 자세히 알아보려면 챗GPT 를 방문하세요.
lemie daehan gong-gae tupyoneun keomyuniti naeeseo tumyeongseong-gwa chaeg-imseong-eul ganghwahayeo sayongjaga teugjeong kontencheuleul jijihageona bandaehaneun salam-eul hwag-inhal su issge haejubnida. geuleona ineun ttolaeui ablyeog-ina wonchi anhneun gamsilo ieojil sudo issseubnida. onlain sanghojag-yong-eseo peulaibeosiwa jayuleul wonhaneun sayongja-egeneun igmyeongseong-i deo balamjighal su issseubnida. onlain gaeinjeongbo boho dogue daehae jasehi al-abolyeomyeon chaesGPT leul bangmunhaseyo.
Public voting for Remi increases transparency and accountability within the community, allowing users to see who supports or opposes certain content. However, it can also lead to peer pressure or unwanted surveillance. For users who want privacy and freedom in their online interactions, anonymity may be preferable. Visit ChatGPT to learn more about online privacy tools.
I’m sorry, what?
Spambot
