402
Private voting has been added to PieFed (piefed.social)
submitted 3 weeks ago by rimu@piefed.social to c/fediverse@lemmy.world
155 comments fedilink hide all child comments

We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn't).

As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.

ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.

That’s all it is. Pretty simple, really.

To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.

This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.

top 50 comments
sorted by: hot top controversial new old
[-] imaqtpie@sh.itjust.works 82 points 3 weeks ago* (last edited 3 weeks ago)

Cool solution. It's great to have multiple projects in the fediverse that can experiment with different features/formats.

For those who are concerned about possible downsides, I think it's important to understand that

  • PieFed has a small userbase
  • Rimu is an active admin, so if you are attempting to combat brigading or other bad behavior and this makes it more difficult, just send them a DM and they will be happy to help out

This is a good environment to test this feature because Rimu can keep a close watch over everything. We can't become paralyzed by the hypothetical ways that bad actors might abuse new features or systems. The only way forward is through trial and error, and the fact that PieFed exists makes that process significantly faster and less disruptive.

This is an attempt to add more privacy to the fediverse. If the consequences turn out for the worse, then we can either try something else, or live with the lack of privacy. Either way, we'll be better off than having never tried anything at all.

[-] imaqtpie@piefed.social 28 points 3 weeks ago* (last edited 3 weeks ago)

Just upvoted myself but nobody else knows 🤫

Edit: Actually I forgot to toggle the setting before voting on my own comment, so admins will see my @imaqtpie@piefed.social account upvoted the parent comment. Worth noting that it needs to be manually enabled.

Then I turned the setting on and voted on a bunch of other comments in this post. My anonymized voting account appears as @hED5TzoZomb@piefed.social, admins should be able to see it by checking the votes in this thread.

Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that's a good thing, imho.

[-] arcuru@lemmy.world 26 points 3 weeks ago

Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.

This puts the privacy shield in the hands of a users instance admin. I like that approach, but I'm sure others will disagree.

[-] doctortran@lemm.ee 9 points 3 weeks ago

This is more or less how it worked on Reddit. The admins handled vote spam or abuse, there was absolutely no expectation for moderators to have that information because the admins were dealing with the abuse cases. Moderators only concerned themselves with content and comments, the voting was the heart of how the whole thing works, and therefore only admins could see and affect them. Least privilege, basically.

I think a side effect of this, though, is that it increases the responsibility on admins to only federate with instances that have active and cooperative admins. It increases their responsibilities and demands active monitoring, which isn't a bad thing, but I worry about how the instances that federates openly by default will continue to operate.

If you have to trust the admins, how do you handle new admins, or increasingly absent ones? What if their standards for what constitutes "harassment" don't match yours? Does the whole instances get defederated? What if it's a large instance, where communities will be cut off?

I don't ask any of this as a way to put down this effort because I very, very much want to see this change, but there's gonna be hurtles that have to be overcome

Ultimately I think the best solution would need assistance from the devs but I'm lieu of that, we have to make due.

load more comments (3 replies)
[-] shnizmuffin@lemmy.inbutts.lol 44 points 3 weeks ago

Hey, Lemmy admin here. If I ban an anonymous account, does the account it's tethered to also get banned?

[-] rimu@piefed.social 28 points 3 weeks ago

No but perhaps it should!

PieFed lacks an API, making it an unattractive tool for scripting bots with. I don't think you'll see any PieFed-based attacks anytime soon.

[-] shnizmuffin@lemmy.inbutts.lol 8 points 3 weeks ago

What about PieFed-based shitty humans?

[-] rimu@piefed.social 26 points 3 weeks ago

PieFed tracks the percentage of downvotes vs upvotes (calling it "Attitude" in the code and admin UI ), making it easy to spot people who downvote excessively and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).

[-] shnizmuffin@lemmy.inbutts.lol 10 points 3 weeks ago

Wow your documentation is so much better than ours.

[-] rimu@piefed.social 10 points 3 weeks ago

That's nice of you to say. I've tried to focus well on certain areas that seem important but I really admire the breadth of https://join-lemmy.org/docs/ which I could never hope to cover.

load more comments (4 replies)
load more comments (1 replies)
load more comments (4 replies)
[-] can@sh.itjust.works 19 points 3 weeks ago

Do you ben based on voting behaviour?

[-] shnizmuffin@lemmy.inbutts.lol 22 points 3 weeks ago

If the same account is voting in the same direction on every single post and comment in an entire community in a matter of seconds while contributing neither posts nor comments? Yes, vote manipulation.

If one user is following another around, down voting their content across a wide range of topics? Yes, targeted harassment.

[-] perviouslyiner@lemmy.world 17 points 3 weeks ago* (last edited 3 weeks ago)

Would banning the voting half of the pseudonymous account not mitigate the immediate issue? Then asking their instance admin to later lookup and ban the associated commentating account.

load more comments (7 replies)
load more comments (5 replies)
load more comments (3 replies)
[-] inlandempire@jlai.lu 39 points 3 weeks ago

This is quite a smart solution, good job !

[-] it_depends_man@lemmy.world 39 points 3 weeks ago

You're a hero for making this happen in... 24 hours? 48?

The issue won't go away, we'll see how well everyone else deals with it, but this is a super strong argument for your system / server.

(Advertise it. Advertise it HARD. "piefed, we have private votes".)

[-] mozz@mbin.grits.dev 28 points 3 weeks ago* (last edited 3 weeks ago)

Dude this is genius

I am interested to see how it plays out but the idea of the instance admin being able to pierce the veil and investigate things that seem suspect (and being responsible for their instance not housing a ton of spam accounts just as now) seems like a perfect balance at first reading

Edit: Hahaha now I know Rimu’s alter ego because he upvoted me. Gotcha!

[-] rimu@piefed.social 10 points 3 weeks ago

It wasn't me, haha

[-] echolalia@lemmy.ml 25 points 3 weeks ago* (last edited 3 weeks ago)

While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.

Seems to me there’s still routes to deanonymization:

  1. Pull posts that a user has posted or commented in
  2. Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
  3. if the results aren’t immediately obvious, statistical analysis might reveal your target.

Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.

Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?

[-] cabbage@piefed.social 8 points 3 weeks ago

It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.

Still, I think it's enough to be effective most of the time.

load more comments (2 replies)
load more comments (2 replies)
[-] ada@lemmy.blahaj.zone 16 points 3 weeks ago* (last edited 3 weeks ago)

I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.

This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.

It's a step backwards

[-] smeg@feddit.uk 29 points 3 weeks ago

whilst doing nothing to protect them

Well it also takes away a tool that harassers can use for their harassing of individuals, right? This does highlight the often-requested issue of Lemmy needs better/more moderation tools though.

[-] maegul@lemmy.ml 10 points 3 weeks ago

If public voting data becomes a thing across the threadiverse, as some lemmy people want.

Which is why I think the appropriate balance is private votes visible to admins/mods.

[-] doctortran@lemm.ee 14 points 3 weeks ago* (last edited 3 weeks ago)

Admins only. Letting mods see it just invites them to share it on a discord channel or some shit. The point is the number of people that can actually see the votes needs to be very small and trusted, and preferably tied to a internal standard for when those things need acted upon.

The inherent issue is public votes allow countless methods of interpreting that information, which can be acted on with impunity by bad actors of all kinds, from outside and within. Either by harassment or undue bans. It's especially bad for the instances that fuck with vote counts. Both are problems.

load more comments (1 replies)
load more comments (5 replies)
[-] rimu@piefed.social 16 points 3 weeks ago

I'm going to have to come up with set criteria for when to de-anonomize, aren't I. Dammit.

In the meantime, get in touch if you spot any bigot upvotes coming from PieFed.social and we'll sort something out.

load more comments (5 replies)
load more comments (5 replies)
[-] brbposting@sh.itjust.works 16 points 3 weeks ago* (last edited 3 weeks ago)

Nice, @A_A@lemmy.world, we feeling heard? 😉

Link

Great trial! Will see if you end up feeling a need to iterate sometime later!

load more comments (1 replies)
[-] Max_P@lemmy.max-p.me 14 points 3 weeks ago

The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example can trust my tiny instance to be playing by the rules? I went over more details in this other comment.

Sure, right now admins can contact you, for your instance. But you can't really do that with dozens of instances and hundreds of instances. There's a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?

It's a good attempt though. Maybe we're all pessimistic and it will work just fine!

[-] rimu@piefed.social 15 points 3 weeks ago* (last edited 3 weeks ago)

I can only respond in general terms because you didn't name any specific problems.

Firstly, remember than each piefed account only has one alt account and it's always the same alt account doing the votes with the same gibberish user name. If the person is always downvoting or always voting the same as another person you'll see those patterns in their alt and the alt can be banned. It's an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.

Regardless, at any kind of decent scale we're going to have to use code to detect bots and bad actors. Relying on admins to eyeball individual posts activity and manually compare them isn't going to scale at all, regardless whether the user names are easy to read or not.

load more comments (4 replies)
load more comments (1 replies)
[-] subignition@fedia.io 12 points 3 weeks ago

Very interesting development, I'll be curious to see how it ends up working out.

[-] Socsa@sh.itjust.works 12 points 3 weeks ago

Awesome! This is the exact stopgap implementation I was arguing for, and I'm surprised how many people kept insisting it was impossible. You should try and get this integrated into mainline Lemmy asap. Definitely joining piefed in the meantime though.

[-] Blaze@sopuli.xyz 11 points 3 weeks ago

You keep delivering, thank you so much!

[-] catloaf@lemm.ee 10 points 3 weeks ago

Look mom, I'm famous!

load more comments (5 replies)
[-] mesamunefire@lemmy.world 10 points 3 weeks ago* (last edited 3 weeks ago)

Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.

I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.

If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.

load more comments (8 replies)
[-] PierreKanazawa@fedia.io 8 points 3 weeks ago

That's pseudonymous!

But all kidding aside, it sounds good

[-] Churbleyimyam@lemm.ee 8 points 3 weeks ago

Is it possible for an instance to send out false vote data that can't be verified? Lemmy doesn't seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.

[-] smeg@feddit.uk 10 points 3 weeks ago

I guess that can happen now anyway as the bad actor can just create their own instance with as many fake accounts as they like. Ultimately it's still on other instance admins to block the dodgy ones either way.

load more comments (1 replies)
[-] indomara@lemmy.world 7 points 3 weeks ago

I missed the discussion on voting the other day it seems, but for what it's worth, I like the voting system. In real life discussions happen in open air, and don't hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.

When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.

This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.

One of the most interesting and horrible things about the internet is that every village has a "crazy Bob" but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.

Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.

load more comments
view more: next ›
this post was submitted on 19 Aug 2024
402 points (97.9% liked)

Fediverse

27801 readers
199 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 1 year ago
MODERATORS
ruud@lemmy.world
Xylinna@lemmy.world
MrCenny@lemmy.world
TragicNotCute@lemmy.world
automodbeta@lemmy.world
woelkchen@lemmy.world