Fediverse @lemmy.world Rimu @piefed.social 3 mo. ago

Private voting has been added to PieFed

We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn't).

As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.

ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.

That’s all it is. Pretty simple, really.

To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.

This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.

161

161 comments

Cool solution. It's great to have multiple projects in the fediverse that can experiment with different features/formats.

For those who are concerned about possible downsides, I think it's important to understand that

PieFed has a small userbase

Rimu is an active admin, so if you are attempting to combat brigading or other bad behavior and this makes it more difficult, just send them a DM and they will be happy to help out

This is a good environment to test this feature because Rimu can keep a close watch over everything. We can't become paralyzed by the hypothetical ways that bad actors might abuse new features or systems. The only way forward is through trial and error, and the fact that PieFed exists makes that process significantly faster and less disruptive.

This is an attempt to add more privacy to the fediverse. If the consequences turn out for the worse, then we can either try something else, or live with the lack of privacy. Either way, we'll be better off than having never tried anything at all.
Hey, Lemmy admin here. If I ban an anonymous account, does the account it's tethered to also get banned?
You're a hero for making this happen in... 24 hours? 48?

The issue won't go away, we'll see how well everyone else deals with it, but this is a super strong argument for your system / server.

(Advertise it. Advertise it HARD. "piefed, we have private votes".)
This is quite a smart solution, good job !
Dude this is genius

I am interested to see how it plays out but the idea of the instance admin being able to pierce the veil and investigate things that seem suspect (and being responsible for their instance not housing a ton of spam accounts just as now) seems like a perfect balance at first reading

Edit: Hahaha now I know Rimu’s alter ego because he upvoted me. Gotcha!
While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.

Seems to me there’s still routes to deanonymization:

Pull posts that a user has posted or commented in

Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)

if the results aren’t immediately obvious, statistical analysis might reveal your target.

Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.

Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?
I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.

This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.

It's a step backwards
Nice, @A_A@lemmy.world, we feeling heard? 😉

Link

Great trial! Will see if you end up feeling a need to iterate sometime later!
The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example can trust my tiny instance to be playing by the rules? I went over more details in this other comment.

Sure, right now admins can contact you, for your instance. But you can't really do that with dozens of instances and hundreds of instances. There's a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?

It's a good attempt though. Maybe we're all pessimistic and it will work just fine!
Awesome! This is the exact stopgap implementation I was arguing for, and I'm surprised how many people kept insisting it was impossible. You should try and get this integrated into mainline Lemmy asap. Definitely joining piefed in the meantime though.
Very interesting development, I'll be curious to see how it ends up working out.
You keep delivering, thank you so much!
Look mom, I'm famous!
Its strange to see one of my posts being used as a reference. All I was trying to do was share something cool.

I do agree though. When up/downvotes (especially downvotes) are fully public, it leads to trolls getting angry and lashing out on individuals in a semi-public way. And if you can see ALL of that individuals voting patterns, then we get people strategically making tools to go after people that vote certain ways. Theres a reason anonymous voting is a thing outside of the internet as well.

If this goes live in lemmy.world i will be looking at other places to post/interact with. Love lemmy (and contributed to the codebase as a dev) but I cant be bothered with trolls.
Is it possible for an instance to send out false vote data that can't be verified? Lemmy doesn't seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.
That's pseudonymous!

But all kidding aside, it sounds good
That's super cool and amazing that you implemented it so quickly.

So now I have a PieFed account :)
Interesting solution 👍 Curious to see how this plays out!
I missed the discussion on voting the other day it seems, but for what it's worth, I like the voting system. In real life discussions happen in open air, and don't hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.

When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.

This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.

One of the most interesting and horrible things about the internet is that every village has a "crazy Bob" but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.

Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.
How does this work with moderation? I.e. what happens if I ban the real user from a Lemmy instance? What if I ban the alternate user?

Also, what happens if on Piefed, a user votes for something, then they change the setting and then they vote for the same thing again? How would a Lemmy instance know if it should count the vote or not, since the original user didn't actually vote from Lemmy's point of view?
I'm surprised most people are against public votes. Most people already seem to have an anonymous account via some weird username not connected to their real identity already. What difference does it make that votes can be viewed, other than for transparency during discussion?

Maybe I'm the odd one out that uses my real name on the Internet and generally try to behave/vote the same as I would in person, but it seems weird wanting a hybrid account that's private (votes), yet not private (comments).
So I've been thinking about this and I would go for a different approach.

Admins can set voting to be public or private on a server wide level.

When users vote, a key is created as the userid

The votes table is essentially: voteid, postid, userid, timestamp, salt, public

If the vote is private, userid is salt(userid, password)

And it's that simple.
Is it possible to double vote this way (once on each account)? On second thought, would it even matter? A malicious actor could have multiple accounts.
Cool solution!
Neat
This is excellent.

I'm curious about piefed now. Is it free of any explicit agenda?
Regarding the voting account having no name, does that mean it will be a random string of letters and numbers? I get that it will still be possible to discover vote manipulation or mass downvoting with that, but I suspect it would be more difficult to detect initially or without some deeper analysis, since it's harder to recognize or remember a random string compared to a human made username.
@rimu is there a forum style ap implementation that can talk to lemmy communities (I'm assuming that piefed can) without voting?
I actually had an idea that this could be a solution, is just have votes appear from fake accounts. Glad someone implemented it!
I love this approach, balances user freedom & privacy with moderation & voting pattern analysis by the public.

ActivityPub might mean some data is slightly less private, but that doesn't mean it has to be.
Oh god.....I'm Charlie Kelly.

I read that as "Pirate voting".
People who post and vote anonymously have no incentive to stand by their comments and votes. Anonymity is how we allow trolls to troll. We already allow fake names with no limits or verification, and now we're trying to protect their fake reputation, too. And for what benefit, exactly?

Hiding votes like this also allows pretty much anyone to generate as many votes in whatever direction they want. If we could see the votes, we could at least see patterns in reused accounts or personal instances. Without that, anyone can always be "right" by spamming themselves with upvotes, and whoever disagrees will always "wrong" when they get spammed down.

What's the point of voting at that point? May as well remove votes all-together, since they're even more pointless than they were on reddit.

You've viewed 161 comments.