As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.
How does this work with moderation? I.e. what happens if I ban the real user from a Lemmy instance? What if I ban the alternate user?
Also, what happens if on Piefed, a user votes for something, then they change the setting and then they vote for the same thing again? How would a Lemmy instance know if it should count the vote or not, since the original user didn't actually vote from Lemmy's point of view?
The 'real user' and the 'private voter' are 2 different accounts as far a external instances are concerned, but only 1 as far as piefed.social is concerned. So if you banned either one, it would have the same effect, because PF would locate the same account from the information provided.
Likewise, a piefed user can't vote twice on something, they make one vote, and then the 'private voting' setting determines how it is sent out. The local system has tracked that they have voted, and changing the setting won't change that.
There's always more work to do of course, but piefed.social is a small instance, with manual approval required for registration, no API to script things like mass downvoting, and concepts such as 'attitude' which would prevent that anyway, so I can't foresee anything too disastrous happening from this little experiment.
I'm a little concerned about the precedent this sets. An instance could use this technique to facilitate anonymous commenting or posting in addition to votes.
Who cares? Generating an infinite number of tokenized identities to facilitate ban evasion will just result in an instance getting defederated. This introduces no real risk as long as the instance is generally abiding by the rules.
Most of us here are fairly anonymous anyway. I dont think being able to add an additional layer of privacy to our activity is really a big deal.