We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).

As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.

ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.

That’s all it is. Pretty simple, really.

To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.

This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.

  • mesamune@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    3 months ago

    Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.

    I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.

    If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.

    • endofline@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      edit-2
      3 months ago

      It’s vice versa. In the old good times there was a saying “don’t feed the troll”. Just block him. Downvoting is just a cheap solution for people who cannot justify their argument. Btw, I love to read downvoted comments which are by default ‘hidden’. Most of them are trash but sometimes it’s a valid point but not the very popular one

        • endofline@lemmy.ca
          link
          fedilink
          English
          arrow-up
          0
          arrow-down
          1
          ·
          edit-2
          3 months ago

          Yes, exactly my thoughts on this. Downvoting is only a measure of crowd censorship based on opinion popularity. If you see some trolls, just block them but don’t hide their posts for other ones who may think on that person views otherwise

          • doctortran@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            Downvotes are part of the whole curation aspect of the site, and it’s a valid part of the democratic system. For all the whining about being “censored” because you got downvoted, there’s countless cases where downvotes influence the sorting algorithm positively.

            Garbage shouldn’t sit on the same level as fluff comments no one bothered to vote on.

            • endofline@lemmy.ca
              link
              fedilink
              English
              arrow-up
              0
              arrow-down
              2
              ·
              3 months ago

              Millions flies cannot be mistaken. Democratic mob cannot be mistaken. Mobs have never lynched anybody. How ignorant you are in your ego with your “whining” argument

  • echolalia@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    3 months ago

    While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.

    Seems to me there’s still routes to deanonymization:

    1. Pull posts that a user has posted or commented in
    2. Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
    3. if the results aren’t immediately obvious, statistical analysis might reveal your target.

    Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.

    Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?

    • cabbage@piefed.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.

      Still, I think it’s enough to be effective most of the time.

  • Ada@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    3 months ago

    I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.

    This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.

    It’s a step backwards

    • Rimu@piefed.socialOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      I’m going to have to come up with set criteria for when to de-anonomize, aren’t I. Dammit.

      In the meantime, get in touch if you spot any bigot upvotes coming from PieFed.social and we’ll sort something out.

      • Ada@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        The problem is, it’s more than just the upvote. I don’t ban people for a single upvote, even on something bigoted, because it could be a misclick. What I normally do is have a look at the profiles of people who upvote dogwhistle transphobia, stuff that many cis admins wouldn’t always recognise. And those upvotes point me at people’s profiles, and if their profile is full of dog whistles, then they get pre-emptively instance banned.

        • Socsa@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          So you can still ban the voting agent. Worst case scenario you have to wait for a single rule breaking comment to ban the user. That seems like a small price to pay for a massive privacy enhancement.

    • maegul (he/they)@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      Yea, which is why I think the obvious solution to the whole vote visibility question is to have private votes that are visible to admins and mods for moderation purposes. It seems like the right balance.

      • Rimu@piefed.socialOP
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        It will be difficult to get the devs of Lemmy, Mbin, Sublinks, FutureProject, SomeOtherProject, etc to all agree to show and hide according to similar criteria. Different projects will make different decisions based on their values and priorities.

        • Amju Wolf@pawb.social
          link
          fedilink
          English
          arrow-up
          0
          ·
          3 months ago

          …and it still doesn’t solve the issue that literally anyone can run their own instance and just capture the data.

          • fuzzzerd@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            The OP discusses exactly a solution to the anyone setting up an instance to capture the data, because the users home instance federates their votes anonymously.

            There maybe flaws in it, not that’s exactly what it aims to solve.

  • UndercoverUlrikHD@programming.dev
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    I’m surprised most people are against public votes. Most people already seem to have an anonymous account via some weird username not connected to their real identity already. What difference does it make that votes can be viewed, other than for transparency during discussion?

    Maybe I’m the odd one out that uses my real name on the Internet and generally try to behave/vote the same as I would in person, but it seems weird wanting a hybrid account that’s private (votes), yet not private (comments).

    • corsicanguppy@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      3 months ago

      I’m surprised most people are against public votes.

      It’s okay that you don’t understand why, but it would be best to learn why anonymity is a key requirement for voting freedom, be it in the polls or on social media.

    • Amju Wolf@pawb.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      When you comment you make a conscious decision to put your opinion out there and sign it with your “name” (or alternatively you switch to a “burner” account and do it pseudonymously).

      But when you vote for stuff it’s often without much thinking, and it’s private on pretty much every other platform. Where it isn’t it’s usually blatantly obvious that that is the case.

      What difference does it make that votes can be viewed, other than for transparency during discussion?

      There are many reasons that have been stated time and time again; one is simply that people may wish to stay anonymous when supporting certain opinions.

      To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.

      • UndercoverUlrikHD@programming.dev
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.

        I guess I’m just of the opinion that if someone has that concern, they should rethink how they use social platforms and maybe look into creating a more anonymous profile that suits their need better.

        But now we are just down to differing opinions, which is all fine to have, I won’t claim my thoughts are the best one.

        I have felt the want to have a more anonymous profile from time to time since being an admin means I need to avoid controversial topics, but it isn’t any more difficult than simply not engaging with it.

        • Socsa@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          Ok, then you can keep your votes public and other who don’t want that have an option as well. Everyone is happy. There is no conflict here.

        • Amju Wolf@pawb.social
          link
          fedilink
          English
          arrow-up
          0
          ·
          3 months ago

          I think this approach kinda fixes that issue though, no? You can use it the way it is now, and others can be anonymous.

          I mean it would be also nice if you could log into multiple accounts and easily switch between them for each vote and comment, but this is also good, IMO.

          • UndercoverUlrikHD@programming.dev
            link
            fedilink
            English
            arrow-up
            0
            ·
            3 months ago

            Admins need a way to track votes to detect abuse/bots though. And anyone can be an admin if they set up an instance, so votes will still be public.

            • Amju Wolf@pawb.social
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              That’s what PieFed changes though. You can still track how someone votes, but you can’t tie it to a specific profile (without doing some extra analysis and even then you can’t be completely sure).

              Or, with my suggestion, you could track how that specific account votes, but it would be easy to obfuscate who exactly it is and (hopefully) impossible to track to the user’s other identities.

  • Light@noc.social
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    @rimu is there a forum style ap implementation that can talk to lemmy communities (I’m assuming that piefed can) without voting?