As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.
Cool solution. It's great to have multiple projects in the fediverse that can experiment with different features/formats.
For those who are concerned about possible downsides, I think it's important to understand that
PieFed has a small userbase
Rimu is an active admin, so if you are attempting to combat brigading or other bad behavior and this makes it more difficult, just send them a DM and they will be happy to help out
This is a good environment to test this feature because Rimu can keep a close watch over everything. We can't become paralyzed by the hypothetical ways that bad actors might abuse new features or systems. The only way forward is through trial and error, and the fact that PieFed exists makes that process significantly faster and less disruptive.
This is an attempt to add more privacy to the fediverse. If the consequences turn out for the worse, then we can either try something else, or live with the lack of privacy. Either way, we'll be better off than having never tried anything at all.
Edit: Actually I forgot to toggle the setting before voting on my own comment, so admins will see my @[email protected] account upvoted the parent comment. Worth noting that it needs to be manually enabled.
Then I turned the setting on and voted on a bunch of other comments in this post. My anonymized voting account appears as @[email protected], admins should be able to see it by checking the votes in this thread.
Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that's a good thing, imho.
Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.
This puts the privacy shield in the hands of a users instance admin. I like that approach, but I'm sure others will disagree.
If the same account is voting in the same direction on every single post and comment in an entire community in a matter of seconds while contributing neither posts nor comments? Yes, vote manipulation.
If one user is following another around, down voting their content across a wide range of topics? Yes, targeted harassment.
It's against the CoC of programming.dev and we have issued warnings to abusers before. Last warning given for that was 13 days ago and was spotted by a normal user.
I am interested to see how it plays out but the idea of the instance admin being able to pierce the veil and investigate things that seem suspect (and being responsible for their instance not housing a ton of spam accounts just as now) seems like a perfect balance at first reading
Edit: Hahaha now I know Rimu’s alter ego because he upvoted me. Gotcha!
While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.
Seems to me there’s still routes to deanonymization:
Pull posts that a user has posted or commented in
Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
if the results aren’t immediately obvious, statistical analysis might reveal your target.
Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.
Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?
It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.
Still, I think it's enough to be effective most of the time.
Yea, I agree. It’s good enough. Sorry, I didn’t mean to sound like it was a bad solution, it’s just not perfect and people ought to be aware of limitations.
I used a small instance in my example so the problem was easier to understand, but a motivated person could target someone on a large instance, too, so long as that person tended to vote in the posts they commented on.
Just for example (and I feel like I should mention, I have no bad feelings towards this guy), Flying Squid on lemmy.world posts all over the place, even on topics with few upvotes. If you pull all his posts, and all votes left in those posts from all users, I bet you could find one voter who stands out from the crowd. You just need to find the guy following him everywhere: himself.
I mean, if he tends to leave votes in topics he comments on, which I assume he does.
It would have to be a very targeted attack and that’s much better than the system lemmy uses right now. I’m remembering the mass tagger on Reddit, I thought that add on was pretty toxic sometimes.
Also, it just occurred to me, on Lemmy, when you post you start with one vote, your own. I can even remove this vote (and I’ll do it and start this post off with score 0). I wonder how this vote is handled internally? That would be an immediate flaw in this attempt to protect people’s privacy.
It could be mitigated further by having a different Actor per community you engage in, but that is definitely a bigger change in how voting works currently, and might have issues detecting vote brigading.
Not familiar with how piefed handles it specifically but aren't posts/comments self-upvoted by default?
You could probably figure it out pretty easily just by looking at a user's posts, no?
(This is unless piefed makes it so the main actor up votes their own posts, and the anonymous actor upvotes others' posts, but then it would still be possible to do analysis on others' comments to get a pretty accurate guess)
@[email protected] did great on my simple idea and this is very nice to know. He did not implement his other idea of having a pool of available robots that would vote one time each for each one vote of each one user(s) ... also I thought it might be implemented in the frontend but he did implement it in the backend.
i did not say before but i was also thinking about complex mechanisms involving some kind of coin that would represent voting power that could be spent when voting or accumulated maybe with some loss of value with time ... but then i read about the many research paper that were published about such things ... in conclusion i believe we will see many other iterations of such social media.
I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.
This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.
Well it also takes away a tool that harassers can use for their harassing of individuals, right? This does highlight the often-requested issue of Lemmy needs better/more moderation tools though.
The problem is, it's more than just the upvote. I don't ban people for a single upvote, even on something bigoted, because it could be a misclick. What I normally do is have a look at the profiles of people who upvote dogwhistle transphobia, stuff that many cis admins wouldn't always recognise. And those upvotes point me at people's profiles, and if their profile is full of dog whistles, then they get pre-emptively instance banned.
I don't think you do. Admins can just ban the voting agent for bad voting behavior and the user for bad posting behavior. All of this conflict is imagined.
Yea, which is why I think the obvious solution to the whole vote visibility question is to have private votes that are visible to admins and mods for moderation purposes. It seems like the right balance.
It will be difficult to get the devs of Lemmy, Mbin, Sublinks, FutureProject, SomeOtherProject, etc to all agree to show and hide according to similar criteria. Different projects will make different decisions based on their values and priorities.
Plus, if you know your votes are public, maybe it'll incentivise some people to maybe skip upvoting that kind of content. People use anonymity to say and promote absolute vile things that would never dare say or support openly otherwise.
The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example can trust my tiny instance to be playing by the rules? I went over more details in this other comment.
Sure, right now admins can contact you, for your instance. But you can't really do that with dozens of instances and hundreds of instances. There's a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?
It's a good attempt though. Maybe we're all pessimistic and it will work just fine!
I can only respond in general terms because you didn't name any specific problems.
Firstly, remember than each piefed account only has one alt account and it's always the same alt account doing the votes with the same gibberish user name. If the person is always downvoting or always voting the same as another person you'll see those patterns in their alt and the alt can be banned. It's an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
Regardless, at any kind of decent scale we're going to have to use code to detect bots and bad actors. Relying on admins to eyeball individual posts activity and manually compare them isn't going to scale at all, regardless whether the user names are easy to read or not.
Firstly, remember than each piefed account only has one alt account and it's always the same alt account doing the votes with the same gibberish user name.
It's an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
That implies trust in the person that operates the instance. It's not a problem for piefed.social, because we can trust you. It will work for your instance. But can you trust other people's PieFed instances? It's open-source, I could just install it on my server, change the code to make me 2-3 alt accounts instead. Pick a random instance from lemmy.world's instance list, would you blindly trust them to not fudge votes?
The availability of the source code doesn't help much because you can't prove that it's the exact code that's running with no modifications, and marking people running modified code as suspicious out of the box would be unfair and against open-source culture.
I also see some deanonymization exploits too: people commonly vote+comment, so with some time, you can do correlation attacks and narrow down the accounts. So to prevent that, you'd have to remove the users mapping 1:1 to a gibberish alt by at least letting the user rotate them on demand, or rotate them on a schedule, and now we can't correlate votes to patterns anymore. And everyone's database endlessly fills up with generated alt accounts (that you can't delete).
If the person is always downvoting or always voting the same as another person you'll see those patterns in their alt and the alt can be banned.
Sure, but you lose some visibility into who the user is. Seeing the comments is useful to get a better grasp of who they are. Maybe they're just a serial fact checker and downvoting misinformation and posting links to reputable sources. It can also help identify if there's other activity beside just votes, large amounts of votes are less suspicious if you see the person's also been engaging with comments all day.
And then you circle back to, do you trust the instance admin to investigate or even respond to your messages? How is it gonna go when a big, politically aligned instance is accused of botting and the admin denies the claims but the evidence suggests it's likely? What do we do with Threads or even an hypothetical Twitter going fediverse, with Elon still as the boss? Or Truth Social?
The bigger the instance, the easier it is to sneak a few votes in. With millions of user accounts, you can borrow a couple hundred of your long inactive user's alts easily and it's essentially undetectable.
I'm sorry for the pessimism but I've come to expect the worst from people. Anything that can be exploited, will be exploited. I do wish this problem to be solved, and it's great that some people like you go ahead and at least try to make it work. I'm not trying to discourage anyone from experimenting with that, but I do think those what-ifs are important to discuss before everyone implements it and then oops we have a big problem.
The way things are, we don't have to put any trust in an instance admin. It might as well not be there, it's just a gateway and file host. But we can independently investigate accounts and ban them individually, without having to resort to banning whole instances, even if the admins are a bit sketchy. Because of the inherent transparency of the protocol.
Awesome! This is the exact stopgap implementation I was arguing for, and I'm surprised how many people kept insisting it was impossible. You should try and get this integrated into mainline Lemmy asap. Definitely joining piefed in the meantime though.
Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.
I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.
If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.
It's vice versa. In the old good times there was a saying "don't feed the troll". Just block him. Downvoting is just a cheap solution for people who cannot justify their argument. Btw, I love to read downvoted comments which are by default 'hidden'. Most of them are trash but sometimes it's a valid point but not the very popular one
PieFed shows us that he has an "attitude" of -40%, which I guess means that of 200 catloaf votes 140 will point downwards. So I guess at least it's nothing personal, he or she is just an active downvoter of things. I guess we all enjoy spending our time differently.
A cool potential feature would be weighted downvotes - giving downvotes form users with higher attitude scores (in PieFed terms) greater significance. But I'm derailing.
Is it possible for an instance to send out false vote data that can't be verified? Lemmy doesn't seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.
I guess that can happen now anyway as the bad actor can just create their own instance with as many fake accounts as they like. Ultimately it's still on other instance admins to block the dodgy ones either way.
I missed the discussion on voting the other day it seems, but for what it's worth, I like the voting system. In real life discussions happen in open air, and don't hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.
When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.
This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.
One of the most interesting and horrible things about the internet is that every village has a "crazy Bob" but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.
Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.
How does this work with moderation? I.e. what happens if I ban the real user from a Lemmy instance? What if I ban the alternate user?
Also, what happens if on Piefed, a user votes for something, then they change the setting and then they vote for the same thing again? How would a Lemmy instance know if it should count the vote or not, since the original user didn't actually vote from Lemmy's point of view?
The 'real user' and the 'private voter' are 2 different accounts as far a external instances are concerned, but only 1 as far as piefed.social is concerned. So if you banned either one, it would have the same effect, because PF would locate the same account from the information provided.
Likewise, a piefed user can't vote twice on something, they make one vote, and then the 'private voting' setting determines how it is sent out. The local system has tracked that they have voted, and changing the setting won't change that.
There's always more work to do of course, but piefed.social is a small instance, with manual approval required for registration, no API to script things like mass downvoting, and concepts such as 'attitude' which would prevent that anyway, so I can't foresee anything too disastrous happening from this little experiment.
I'm a little concerned about the precedent this sets. An instance could use this technique to facilitate anonymous commenting or posting in addition to votes.
I'm surprised most people are against public votes. Most people already seem to have an anonymous account via some weird username not connected to their real identity already. What difference does it make that votes can be viewed, other than for transparency during discussion?
Maybe I'm the odd one out that uses my real name on the Internet and generally try to behave/vote the same as I would in person, but it seems weird wanting a hybrid account that's private (votes), yet not private (comments).
If votes were anonymous here, I might "come out" as my professional self and share more from my resources that can be used to Identity who I am.
I'm concerned that my voting pattern is probably already being collected to build a profile on MajorHavok, to decide whether MajorHavok should be favored or disfavored in anything owned by old Elon or Zuck or Bezos.
Elon is a fuck up, but he still owns a lot of places that I might need to use for my work.
So, for now, it's pretty important to me that MajorHavok and John Jacob Jinglehimer Schmidt are kept as separate identities, so that John's employability where Elon/Zuck/Bezos has influence will remain unaffected.
In addition to that, I guarantee you that meta and the like are already running data mining instances on here. Being publicly tied to votes is just more telemetry for the machine. I don't quite understand why people seem to think that is no big deal.
Hmm, I can understand how someone can be concerned about that, but personally I find it too theoretical and unlikely to matter.
Any company wanting to harvest data from the fediverse would likely just create their own instance to easily copy the databases from every major instance, private voting wouldn't help against that. I would also say that your comment would be a thousand times more damning than upvoting every comment/post critical of Musk.
If you only lurk, you will stay anonymous as long as you use an anonymous username. If you comment, you are way more likely to "leak" your opinion through comments anyway.
But those are just my thoughts, I might be way off base and lack the full range of perspectives.
When you comment you make a conscious decision to put your opinion out there and sign it with your "name" (or alternatively you switch to a "burner" account and do it pseudonymously).
But when you vote for stuff it's often without much thinking, and it's private on pretty much every other platform. Where it isn't it's usually blatantly obvious that that is the case.
What difference does it make that votes can be viewed, other than for transparency during discussion?
There are many reasons that have been stated time and time again; one is simply that people may wish to stay anonymous when supporting certain opinions.
To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.
To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.
I guess I'm just of the opinion that if someone has that concern, they should rethink how they use social platforms and maybe look into creating a more anonymous profile that suits their need better.
But now we are just down to differing opinions, which is all fine to have, I won't claim my thoughts are the best one.
I have felt the want to have a more anonymous profile from time to time since being an admin means I need to avoid controversial topics, but it isn't any more difficult than simply not engaging with it.
I'm surprised most people are against public votes.
It's okay that you don't understand why, but it would be best to learn why anonymity is a key requirement for voting freedom, be it in the polls or on social media.
Votes doesn't break the anonymity is my point. You achieve anonymity by using a fake name and not sharing too much personal information in your comments. No amount of voting will reveal that [email protected] is Jonathan Brown from Newcastle.
Regarding the voting account having no name, does that mean it will be a random string of letters and numbers? I get that it will still be possible to discover vote manipulation or mass downvoting with that, but I suspect it would be more difficult to detect initially or without some deeper analysis, since it's harder to recognize or remember a random string compared to a human made username.
I’ve seen posts being downvoted by user@instancea, user@instanceb, username@instancec etc. this will make tracking that kind of abuse much more difficult.
From reading about PieFed's moderation tools linked elsewhere in this thread, seems like the solution to that is already built in more explicitly for them.
Ah, that's unfortunate. As an alternative, I have seen some online games name their bots with a random name generator that's designed to sound somewhat real, like AnnoyingPidgen or WrecklessRaptor. If the voting account naming system was more like that, it would be easier to notice voting patterns/manipulation while still being anonymous.
With the user id being salted it's going to be different every time. This means it'll be difficult if not impossible to monitor voting trends or abuse.
Also how would you use the password unless it was stored in the clear. If it's based on a pre-salted tuple, how does one handle password changes?
There are definitely values and opinions embedded in there. I would say it's a bit more "high control" vibe than lemm.ee. If you chose that instance because of it's more libertarian ethos then perhaps some of the features PieFed have would seem sinister or irrelevant to you.
The code of conduct for contributors is pretty vanilla IMO but would be seen as "left wing" by people from USA.
If you look in the sidebar of https://piefed.social you'll see a random collection of links (they change every page refresh) which are intentionally chosen to combat extremist ideologies and make PieFed instances uncomfortable places for cult-like groups (mostly on the right). That's a political decision which few projects would make.
Thanks for being so upfront about how you run your instance. I think it's disingenuous when people claim that there is "no agenda" or "no moderation" or whatever, because there is always some - even if unintended - just by the pure nature of people running it. So being explicit and opinionated about it is great.
You could achieve this by installing a Lemmy, PieFed or Mbin instance (whichever you find easiest to install and customise), in the admin area set the sorting options to a sensible default ("New", or "Active", perhaps) and then add a small snippet of CSS that hides the voting information.
Is it possible to double vote this way (once on each account)? On second thought, would it even matter? A malicious actor could have multiple accounts.
No, the other account isn't something you can log into or interact with. PieFed knows whether I've already voted on something, so it won't let me vote again by changing the 'vote privately' setting.
People who post and vote anonymously have no incentive to stand by their comments and votes. Anonymity is how we allow trolls to troll. We already allow fake names with no limits or verification, and now we're trying to protect their fake reputation, too. And for what benefit, exactly?
Hiding votes like this also allows pretty much anyone to generate as many votes in whatever direction they want. If we could see the votes, we could at least see patterns in reused accounts or personal instances. Without that, anyone can always be "right" by spamming themselves with upvotes, and whoever disagrees will always "wrong" when they get spammed down.
What's the point of voting at that point? May as well remove votes all-together, since they're even more pointless than they were on reddit.
I don't follow your critique at all, there is no difference in amount of votes caused by this feature.
I like it and i hope lemmy will do something similar. I also like votes generally, they give an indication of interaction even if nobody comments on a post.
Perhaps I didn't explain it clearly enough but I suggest you go back and read my post again. I would not make such obvious mistakes and if I did you wouldn't be the only one to point them out.
Your comments seem to be targeted at admins/mods who are paying attention, and acting in good faith (which we would all hope is common, but sometimes isn't). Mine are more on the user-side.
People should be able to see who agree/disagree with them. I honestly don't see a benefit to hiding this data from them.
I've seen it argued that votes being visible might cause abuse, but if the admin/mods/tools are doing their job, the result is the same, visible or not. No?