We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
If the same account is voting in the same direction on every single post and comment in an entire community in a matter of seconds while contributing neither posts nor comments? Yes, vote manipulation.
If one user is following another around, down voting their content across a wide range of topics? Yes, targeted harassment.
Would banning the voting half of the pseudonymous account not mitigate the immediate issue? Then asking their instance admin to later lookup and ban the associated commentating account.
Well, doesn’t that fly in the face of federated autonomy and privacy?
On one end, if it’s my instance and I want to ban a user, I want the whole fucking user banned – not just remove their ability to vote anonymously. If one of my communities or users is being attacked, it’s my responsibility to react. If I can’t remove the whole problem with a ban, then I have to remove the whole problem with a de-federation. (A thing I fundamentally don’t want to do.)
On the other, if some other admin says, “one of your users is being problematic, please tell me who they are,” I’m going to tell that other admin to fuck right off because I just implemented a feature that made their votes anonymous. I’m not about to out my users to some rando because they’re raining downvotes on MeinHitler69@nazi.hut.
It’s a philosophical difference of opinion.
I mean, is that truly the case? If a user only engages in vote manipulation, but otherwise they have insightful comments/posts, is it really that big of a deal that you will ban only their option to vote?
I think you’re conflating my two separate concerns. One’s automated vote manipulation. The other is targeted harassment.
Looks like it’s kinda hard to spin up a piefed bot. Not impossible, but it’s a removed without an API.
If I have an insightful contributer who’s going out of their way and outside of their normal communities to be a dick to another user, maybe they’re not so insightful after all. Or they’ve got a great reason!
Either way, I want to be able to point to their behavior - without the extra step of having to de-anonymize their activity - and tell them to chill the fuck out or get the fuck out. Out means out. Totally and forever.
What you would actually want to do if you want to bot is take one of the existing apps and modify it to make spamming easy.
I can see why you would want that, but my question is is that such a big deal compared to people being harassed for their voting? I don’t think user privacy should be violated - especially en masse / by default just because of some (in my opinion fairly minor) moderation concerns.
And if they are a dick overall, then you will figure it out anyway, ban their “main” account and that will prevent them from voting, too (unless the instance is malicious, but then a malicious instance can do much more harm in general).
I think a ban based on those criteria should apply to main acct but I’m not sure how it’s implemented.
Sure, but by the same token, mods are just as capable of manipulation and targeted harassment when they can curate the voting and react based on votes.
On reddit, votes are only visible to the admins, and the admins would take care of this type of thing when they saw it (or it tripped some kind of automated something or other). But they still had the foresight not to let moderators or users see those votes.
Complete anonymity across the board won’t work but they’re definitely needs to be something better than it is now.
I’m not sure what you’re trying to say.
I’m speaking as an admin, not as a mod. I own the servers. I have direct access to the databases. When law enforcement comes a’knockin’, it’s my ass that gets arrested. I have total control over my instances and can completely sever them from the fediverse if I feel it necessary. Mods are mall cops that can lock posts and deal with problem users one at a time.
There are no built in automations. Decoupling votes from the users that cast them interferes with my ability to “take care of this type of thing.”
Yeah, I see that and it does concern me now that it has been brought up.
However. In the last 6 months of being active in the ‘Lemmy.world defense hq’ matrix room where we coordinate admin actions against bad people, vote manipulation has come up once or twice. The other 99% of the time it’s posts that are spam, racist or transphobic. The vote manipulation we found detected using some scripts and spreadsheets, not looking at the admin UI. After all, using code is the only way to scan through millions of records.
Downvote abuse/harassment coming from PieFed will be countered by monitoring “attitude” and I have robust tools for that. I can tell you with complete confidence that not one PieFed user downvotes more than they upvote. I can provide 12 other accounts on Lemmy instances that do, tho. Lemmy’s lack of a similar admin tool is unfortunate but not something I can do anything about.
What I’ve done with developing this feature is taken advantage of a weakness of ActivityPub - anyone can make accounts and have them do stuff. Even though I’ve done it in a very controlled and limited way and released all the code for it, having this exposed feels pretty uncomfortable. There were many many people droning on about “votes must be public because they need to come from an account” blah blah and that secure safe illusion has been ripped away now. That sucks, but we were going to have to grapple with it eventually one way or another.
Anyway. I’m not wedded to this or motivated by a fixed ideology (e.g. privacy über alles) so removing this is an option. It didn’t even take that long to code, I spent more time explaining it than coding it.