Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?

There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.

The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.

  • Otter@lemmy.ca
    link
    fedilink
    English
    arrow-up
    87
    arrow-down
    3
    ·
    edit-2
    3 months ago

    Should the Lemmy devs create a way to make the votes anonymous?

    I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.

    Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.

    Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

    I left a long comment in the other thread which I will link in a moment, but I think either

    1. We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
    2. We make it public for everyone and take steps to deal with the new issues that it could cause

    Other comment on the benefits/issues: https://lemmy.ca/comment/11097046

    • Dave@lemmy.nz
      link
      fedilink
      English
      arrow-up
      30
      ·
      3 months ago

      Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.

      This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.

      • Socsa@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        And that is still possible with pseudonymous tokens votes. You just end up banning tokens for malicious voting activity, and users for malicious posting activity. It’s at best a very mild adjustment to moderation workflows.

        • Dave@lemmy.nz
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          How does this work? The community issues federates votes but with a linked token instead of a linked user? How do you track vote manipulation across different communities on different instances?

          • Socsa@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            As far as I understand it all activity originates from the home instance, where users are interacting with federated copies of posts. The unique user token from a well behaving instance follows the user across the fediverse, allowing bulk moderation for voting patterns using that token. The only difference is that it is not explicitly tied to a given user string. That means moderation for vote manipulation gets tracked via a user’s vote token, and moderation for trolling/spam/rule violations happens via their display name. It may be possible that a user is banned from voting but not commenting and vice versa. It’s is a fairly minor change in moderation workflow, which brings a significant enhancement to user privacy.

            • Dave@lemmy.nz
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              3 months ago

              Under activitypub, a lemmy community is kind of like a user (actually an activitypub group). When I post here with my lemmy.nz account to this lemmy.world community, lemmy.nz sends my comment to lemmy.world who then sends it to sh.itjust.works for you to see. The community is the controller of all interactions within the community. In this case, lemmy.world is the official source of how many upvotes this post has. And each vote is validated using the user’s public key to ensure it actually came from that specific user - a standard part of ActivityPub.

              So would lemmy.world assign a token for your votes? If your instance assigned the token, Lemmy.world would not be able to validate against your user’s public key. If Lemmy.world assigns the token, it would only be valid in lemmy.world communities, as other instances would have to assign their own token. And both sh.itjust.works and lemmy.world admins could still see the real association.

              Also, changing how votes work would break compatibility with other ActivityPub software (e.g. Mastodon could no longer interpret an upvote as a favourite, Mbin would’t be able to retrieve any data about the votes unless they specifically changed to work in the Lemmy way instead of using standard ActivityPub).

              • Socsa@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                4
                ·
                edit-2
                3 months ago

                Worst case scenario, there is an entirely separate, tokenized identity for votes which is authenticated the exact same way, but which is only tied to an identity at the home instance. It would be as if the voting pub is coming from user:socsa-token. It’s effectively a separate user with a separate key. A well behaving instance would only ever publish votes from socsa-token, and comments from Socsa. To the rest of the fediverse socsa-token is simply a user which never comments and Socsa is a user which never votes.

                I am not sure key based ID is actually core to AP anyway. The last time I read the spec it kind of hand waved identity management implementation.

                • Dave@lemmy.nz
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  3 months ago

                  Well hey, sounds like you might be able to help. Lemmy devs are actively soliciting opinions on lemmy votes, maybe you could have a say? Most of the comments are around “votes are already sort of public” therefore either a) make them actually public so we aren’t pretending they aren’t, or b) keep them hidden, a little less public is better than completely public.

                  Perhaps you can come in with a c) option to make votes even less public?

                  https://github.com/LemmyNet/lemmy/issues/4967

                  • Socsa@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    ·
                    3 months ago

                    Maybe. I was kind of hoping someone else would run with this flag because I don’t have a spare public GitHub account I really want to throw into this debate. I’m more likely to just implement it and then toss a PR grenade into the discussion in a few months if there’s no other progress.

    • Andy@slrpnk.net
      link
      fedilink
      English
      arrow-up
      20
      ·
      3 months ago

      I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.

      I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.

    • Socsa@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      3 months ago

      The current trust model already relies on a user’s home instance accurately reporting user activity and not injecting fake activity. Hiding real user votes behind pseudonymous tokens doesn’t change that at all.

      As far as I can tell, the activity ranking algorithms don’t actually differentiate between up and down votes anyway. All votes are considered engagement.