Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.
You must log in or register to comment.
I always thought anonymous voting was preferable, or at least non-public. I don’t want “why did you downvote me bro!?”-arguments to occur, and I don’t want to know who approves of my comments or not. I think thinking of votes as an amorphous blob representing general public opinion on Lemmy is preferable to getting into the weeds of who exactly likes your posts and comments.
We could also have “karma” on Lemmy, but while technically tracked the environment is better off without it being public in my opinion. I view voting records similarly.
If botting becomes enough of an issue that regular users need to report vote manipulation bots I’ll be fine with conceding my stance.
As a comment on the other discussion says, there’s a reason ballots are secret.
In reality you should be able to get an anonymized reference number to show your vote was tabulated correctly though.
Right now it comes down to an actual official finding your paper ballot with hand marked tracking and presuming the computer read it correctly on an overall vote total.
Being able to do this anonymously and securely is where the problems lie. Which is also why digital only voting still isn’t a thing anywhere.
There’s also a reason why votes in parliaments aren’t secret.
Because they’re supposed to be responsible to and represent the people who voted for them. Irrelevant to this situation.
I agree. As long as anonymous voting doesn’t cause obvious trolling/spam issues, it should be preferred.
One of the reasons I’ve always found Facebook off-putting and never used it (even before learning about the shady practices) are the very visible votes. I tend to overanalyse any reaction and would judge people based on their votes on my posts, even if I consciously tried to avoid it. Similarly, I imagine some other people would do the same and I’d feel like I’m under surveillance.
We could also have “karma” on Lemmy, but while technically tracked the environment is better off without it being public in my opinion. I view voting records similarly.
It’s strange that they removed total account karma visibility a while back but are now thinking about making votes public.
I think a good compromise (since Lemmy already tracks that data) would have been to show the upvote/downvote ratio a user receives on their profile page, without showing their total karma. That’d help you spot toxic users without incentivising karma removed.
Similarly, a display of how often a user upvotes versus downvotes others would help spot bots and trolls without completely obliterating privacy like their suggestion would.
(But ultimately none of this solves the problem of privacy on the Fediverse being one federated bad actor away from nonexistence)
Should the Lemmy devs create a way to make the votes anonymous?
I’m not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.
Vote manipulation is a growing problem on Reddit. It’s only getting worse with all the AI spam bots and they don’t have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
I left a long comment in the other thread which I will link in a moment, but I think either
- We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
- We make it public for everyone and take steps to deal with the new issues that it could cause
Other comment on the benefits/issues: https://lemmy.ca/comment/11097046
Admins need to know if the votes/likes coming in are legitimate, else they should block them. It’s too easy to abuse anonymous votes to affect how content is ranked.
This is a very real problem right now. Admins that are on to it use the votes to identify swarms of users that follow each other around upvoting each other’s spam/troll posts.
I will also add that I think in the long run, as we try to figure out how to differentiate between humans and machines, the only real reliably solution I see is to focus on elevating the individual. Having people with long histories validate their reality by living and documenting it.
I don’t upvote something that I’d be ashamed for someone to see I upvote. I might make an exception for pornographic content, but even with that, if it’s pseudononymous in that it’s not attached to my personal public life, I don’t mind if someone can trace through and see what a specific account I use for those purposes has liked and disliked.
“If you have nothing to hide then you have nothing to fear.”
Given the strong presence of the privacy community on Lemmy, I have to say that I’m a bit shocked to hear so many in these discussions chiming in to support voting transparency.
I’m on board with the idea of using ring signatures to validate the legitimacy of a vote and moderating spammers based on metadata.
Or, for something (potentially) easier to implement, aggregating vote tallies at the instance level (votes visible to your instance admin and mods) and federating the votes anonymously by instance, so you might see something like:
- lemmy.world: 9 up, 2 down
- discuss.tchncs.de: 3 up, 4 down
- Etc
Up/down votes are the method of community moderation that sets Reddit apart from many other platforms. If the Lemmy community is trying to capture some of that magic, which is good for both highlighting gems AND burying turds, radical transparency isn’t the path to get there.
In fact, I’d argue that the secret ballot has already been thoroughly discussed and tested throughout history and there are plenty of legitimate examples of why it would be better if they were more secret than they are today.
Many people have brought up the idea of brigading, but would this truly get better if votes are public? Is it hard to imagine noticing that an account you generally trust has voted and matching their vote, even subconsciously?
For those who feel that they aren’t able to post on Lemmy because downvotes make you feel sad, my feeling is that if you make posts in a community and they consistently get down voted to oblivion, you’re in the wrong place. The people in that community don’t value your contributions, and you should find another place to share them. This is the system working as intended and the mods should be thankful that such a system has been implemented.
The last point I’ll make is about the potential for a chilling effect - making users less likely to interact with a post in any way due to a fear of retaliation. Look - if you’re looking for a platform where all of your activity is public, those are out there. Why should we make Lemmy look just like every other platform?
Is it hard to imagine noticing that an account you generally trust has voted and matching their vote, even subconsciously?
Not only is it not hard to imagine its easy to imagine the benefits of using this information automatically. I could imagine a client side script which re-ordered content based on who I trusted who had up or down voted it.
So I have users A B C D E F who are known to me who have voted on a given post. D and E are idiots I disregard their votes. F literally hates everything I love so I count his votes inversely. A and B are fantastic I count them x10 I tend to agree with C so I count his x2.
Not only can I potentially re-score threads and comments based on whom I trust I can if I really trust someone’s opinion apply their weights as well, and the weights of the folks upstream.
Yes, I too salivate at the idea that I could simply disappear all of the ideas I disagree with, but that is exactly how to turn a community into an echo chamber.
So I have users A B C D E F who are known to me who have voted on a given post. D and E are idiots I disregard their votes. F literally hates everything I love so I count his votes inversely. A and B are fantastic I count them x10 I tend to agree with C so I count his x2.
What you are suggesting here is, as I’m understanding it, a way to only get feedback from people you agree with and to never experience a critical discussion of ideas based on their merits.
Now, I’m not here to suggest that Lemmy is some kind of shining beacon of drama-free intellectualism, where every idea is discussed without bias or agenda, but I DO think it is valuable to hear from people whose lived experiences led them to a different conclusion than the one I’ve reached. Obviously there needs to be a mechanism to remove trolls from the discussion, but I fear a world where we only see content that we agree with, because then we will truly be removed from reality, and that’s not why I’m here.
There are a lot of people not worth attending to. If you do spend your time listening to these folks you don’t hear new ideas you hear the same bad ones over and over. It would be lovely that having noticed that someone is a persistent holocaust denier he could be added to a list that would disappear not only their contributions but their votes as well for thousands of users.
Sort by Top and I’m sure the crusaders of New will have everything sorted out by then. If you find these ideas being upvoted, you’re in the wrong community and you may be in a lemmygrad community. You’re on the wrong side of the train tracks and need to seek higher ground.
We don’t need to create literal echo chambers of people talking past each other because we block out any information that makes us uncomfortable. That’s not how we foster constructive dialog and
I want to have the ability to turn on my echo chamber, when I want it, and also to be able to turn it off, when I want to step outside of it for awhile. This doesn’t have to be a toggle - it could be having an alt on a different instance.
I don’t want this choice made for me by people who think they know better how to run my own life than me. They can write an appeal that I will consider, but ultimately I want to make my own choice.
Having votes be publicly viewable allows us all the freedom to do as we choose with that information - including to ignore them entirely. What I would probably do with it is make large block lists of people on lemmy.ml, since it turns out that user blocks of an instance don’t block all that much. Fwiw, for everyone I’ve blocked in the past, I look through the post history to see if they merely are being disagreeable on a particular matter but overall are capable of contributing something substantive to a conversation, or are nothing more than a troll, setting out to vomit their emotions upon everyone worldwide across the Fediverse.
I’ve been a mod before, on Reddit, and am under no illusions anymore that everyone is worth listening to - a downvote from someone rational I will give serious thought about, but an idiot is an idiot, even if a community mod hasn’t banned them (yet?).
It’s like autocorrect: feel free to make suggestions, but it would be nice if I could have control when I want it, including/especially not wasting my time.
Always in favor of taking power from mods that they can abuse and simply do not need.
The 1 “You think you can come into MY instance, and downvote ME?” post I read was 1 too many.
The infallible Admiral Patrick perma-banned me from UnpopularOpinion for downvoting his posts. What a great guy - and by great guy, I mean twat.
I’m guessing we saw the same one, and that’s literally the only instance I’ve completely blocked.
Was it midwest.social by any chance?
No, vegantheoryclub.org actually
That’s funny because I saw some initial comments made which then started this discussion. And what you’re suggesting was the intent. The issue as they (one of Lemmy’s developers) said was essentially frustration that their echo chamber had been pierced.
I would rather vote identities being blocked from scraping. I don’t care about other users or admins. I would rather that level of information be unavailable to outside commercial sources, especially any timings based metadata that could be used to derive dwell time and other psychological metrics.
Thats probably a complete nonstarter in a federated network. The metadata needs to be sent via Activitypub, ergo it has to be public.
I think you’re looking for a different type of community then, like an image board.
For anyone interested, there are a few papers on cryptographically secure voting, where both voter anonymity and election integrity are preserved.
Most designs consider three separate entities, where if you accumulate the information between those entities you would be able to identify a voter and his vote, but each entity on itself does not hold enough information.
The problem isn’t keeping votes anonymous, that’s easy. The problem is bots/spam. You could just create a new instance and then upvote a post from another instance a thousand times. If the votes are anonymous for the other instance it’s tough to say if they are genuine users or just bots.
That’s the main issue here, when votes are anonymous you could easily just spam votes with no way to trace it back. If it’s a rogue instance then fine, you can ban the whole instance. But imagine if lemmy.world starts using fake votes in the background towards other instances.
What keeps from doing that right now? You can just create an instance and bot accounts on that
It would be damn easy to look up the instance and their “users” and see that the users are not genuine. Then ban the whole instance.
If you are worried about duplicates, aka a single bot spamming multiple votes, then that’s feasible to mitigate.
If you are worried about multiple bots spamming one vote each, that’s harder to mitigate and it comes down to how the instances handles bot accounts in general. IMO it’s best to ignore the bot problem and instead focus on designing a vote weighting system that favors similar instances.
designing a vote weighting system that favors similar instances
Would make the whole thing even worse, as I could create several new instances with 10 bot users each, then hammer out the votes.
The entire problem is that you can’t trace back each vote to a genuine user. It would be bad in case of fake instances that create 100 user accounts and upvote/downvote stuff, but you can ban the instance. It would be a disaster if a big instance creates fake votes (like lemmy.world suddenly adds 1000 fake users and uses them to manipulate other instances, if votes were anonymous you couldn’t check if it’s genuine lemmy.world users or fake accounts).
Thanks @souperk@reddthat.com,
i believe many users will be interested in these papers about cryptographically secure voting.Amongst them there would be :
@rimu@piefed.social
@SorteKanin@feddit.dk
@brbposting@sh.itjust.worksNot sure if you are being sarcastic or not but I found this review.
https://www.mdpi.com/2073-8994/14/5/858
I had done some research about a year ago, but I don’t have the papers saved.
No I was not sarcastic. So now i am trying to read your paper and i think that it is above my knowledge level.
As a layman i had the intuition that instead of having two accounts as i proposed for voting and commenting which was implemented by @rimu, we might have had something like blockchain or filecoin or some coin that would represent voting power and that would be based on our commenting value… so that coin would have been an intermediary to make voting anonymous.
Finally i know enough about science that i know that i don’t know much.
Edit : after a rapid overview of the article i would say that this method :
“Blind Signature-Based e-Voting”
would be most appropriate to our social media voting and i noticed the work they have done is more targeting national elections where the outcome is much more important.
This isn’t going to solve anything. Cryptographically secure voting helps when you can ensure that each person only gets to vote once. But anyone can just sign up for more accounts or make loads of bot accounts and vote multiple times. This solves nothing.
That’s interesting. I have read multiple comments to the effect that it would not be possible for lemmy to implement anonymous voting because the underlying ActivityPub protocol does not support it. So it sounds like solutions do exist, although I suppose the effort required to modify ActivityPub is too much, more likely the feature will be included in some successor to the fediverse.
Wow neat!! Eating our cake & having it
Thanks @A_A@lemmy.world
They should just stay mostly hidden as they are now. I was harassed 3 times while using kbin for my voting habits. When I brought it up to ernest, him and mostly everyone else defended it, even though at the time I was actively being annoyed by someone.
It’ll make less people vote in the long run and will scare people off.
Nothing worse than hopping on something I do for leisure to realize that thread I voted on a week ago has now come back to bite me in the ass because the OP decided to go on a crusade and harass everyone that downvoted them.
Please be vocal about this because I’ve seen two people say they didn’t see this behavior. ❤️
If OP mass-downvotes you, then ban them. As it is, you have the ability to mass-downvote them, without them even knowing that it is you doing it. Or maybe you wouldn’t do that, but some would - I hope you see how unequal that relationship is.
yep, tyranny of the majority is still tyranny. It’s worth defending the 3% who disagree with the majority opinion cause, more often than not, sometimes the majority is wrong…
Defending the secret vote is the key to a functioning democracy, without it you just get cliques and in-groups who bully the outsiders. No one wins in that scenario, as critical thinking and critique are actively discouraged.
There is enough drama as it is. This will just open the door to shadowbanning and stalking and other horrors we have escaped by leaving reddit. It’s enough that it’s party available on kbin.
The developers of Lemmy do not seem interested in anything less than banning people instance-wide, even from communities that they have never posted in before, so ironically shadowbanning is too subtle for them.
But I thought the only way someone could be shadowbanned now is at the individual user level? It would be nice to increase transparency even further - e.g. a message pops up if you try to reply to someone saying like “this user has blocked you” (possibly everyone from that instance) so that people do not waste time trying to get a message across that the recipient will never read.
With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.
What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.
The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.
That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.
With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.
I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.
For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.
Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.
Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.
We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.
That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.
Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.
- You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
- Your history will never be fully portable.
- It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
- What is the criteria for “malicious”?
- Currently, any admin can modify any local user activity, can’t they?
- Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
- Don’t see the problem.
- Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.
- Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
- But then you have two different events.
- Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over every little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
- No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.
I bet you could do it with ring signatures
a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature
When I first signed up for reddit, the upvotes and downvotes were not only separately tallied, but also showed the usernames of the most recent people who did them if you hovered over the button. Then very shortly after that they changed it so that it made votes private by default, and you could override it in the settings, but almost nobody went to check that box back on. Eventually, they completely removed that feature around the time upvotes and downvotes were combined into one. which along with vote fuzzing was one of the worst changes to reddit comments, imo.
Lemmy feels like old reddit right now, which is a great spot to be in. I don’t think you necessarily need public vote info, but maybe it could be enabled on a per-community basis? I can see some communities like politics not wanting to add additional drama to the equation while other more content driven communities might enjoy knowing who was giving the feedback.
Vote fuzzing is the worst. Reddit said their main reason for implementing it was to prevent vote manipulation… seriously? Vote fuzzing laid the groundwork for vote manipulation.
Do you mean manipulation from the admins? Because from the spammers perspective not being able to see if your votes went through is pretty inconvenient
1 I had assumed votes were private 2 If I don’t hear soon that votes are private, I’ll simply stop participating and return to lurking. I’ll eventually just wander off to the next thing that doesn’t expose my votes to potential bots and/or abusive actors.
I think most users assume votes are private and most will have a similar reaction to learning about this unintuitive negative feature of anything built on ActivityPub, including Lemmy.
I think it is worth reading the actual discussion on github. Having votes public and having them visibly public on the web interface has compelling reasons. Namely enshittification hardening.
It’s also quite natural to stand by your words (or vote). I personally don’t think people should feel like the internet is their anonimized alt character of life. And if they need/want that, just do a throwaway account and hard vpn. Otherwise NSA (or equivalents) track us anyway.
Your votes are as public as your posts. I see you have no problem posting so I don’t understand what the issue is.
Sometimes you might want to show support for something but do so privately, without others knowing it’s you in particular supporting that.
You are doing it privately. Nobody knows who amju_wolf is, or where they live.
It’s very easy to find my IRL identity, and even my online pseudonym (well, both of them) have so much stuff tied to them that they are effectively my real identities. They are very much public, and definitely not anonymous.
Then I’d be more concerned about that and your posts rather than if you happened to up or down vote something.
Right? Big whoop, votes are public. Oh no, people might find out I’m an an-com from my voting patterns, instead of from my comments
The issue is that currently someone can behave as a shithead via voting, even if not comments, with little fear of reprisal or even discovery.
How does one “behave as a shithead via voting”? If someone decided to waste their time following me around Lemmy and down voting my posts it’s not going to do very much.
The effectiveness of the shitheadiness is a separate matter from its identity:-). If someone were to say downvote literally everything you ever did, within seconds of you doing it, and regardless of content, then that would be a shitty thing to do.
No, there is no real need. An account is already pseudo-anonymous. Full anonymity adds no real value beyond making it easier to manipulate vote tallies with bot accounts undetected.
edit: As a side note, this is one of the more transparent social media communities. It’s not terribly privacy-oriented in general. The enhanced transparency is part of its appeal.
One situation I’ve repeatedly faced that could be solved by fully public voting is having those debates when someone puts a single downvote on my opponent’s comments.
Silly, yes, but it may look like I am downvoting a person to aggravate. I am not, it’s not me! :D
deleted by creator
~you too :3~
I solve that by sometimes saying “upvoted” so it is clear that I am not downvoting them even if we disagree
Upvoted!
On Kbin the votes are 100% public for anyone. I’ve migrated to Lemmy after the frequent server issues with Kbin and I miss that part dearly. It was very easy to gauge whether someone was engaging in a good or bad faith discussion by checking the votes within a discussion. That being said, personally I’m very light on my downvotes, and I can see how someone more trigger-happy would see it as worrying. Personally I see the vote transparency as healthy though.
To be fair, there’s a point to be made that someone who’s overly trigger-happy on dislike should be shamed for it. Just like you would be if you kept being snide to everyone in real life.
I agree that transparency would do much more good than harm, plus compared to the info that people already put in their profiles/comments, it’s not likely to make them anymore identifiable.
I’d even argue public votes can deescalate some situations, for example where both sides of a relatively heated discussion can see they vote each other up. They don’t necessarily agree but they appreciate the other side’s points.
As for the transparency, it’s not possible to list all the votes of a user, one rather needs to list votes on a given post. To profile a given user the attacker would need to cross-reference the data from all posts and comments which is computationally infeasible, both client-side and server-side.
Keep the Fediverse bot- and troll-free.
The whole idea of being able to behave like a shithead without accountability needs to go.
As with all things you must behave like a shithead in moderation.
