this post was submitted on 19 Aug 2024
406 points (98.1% liked)

Fediverse

28713 readers
548 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
406
Private voting has been added to PieFed (piefed.social)
submitted 4 months ago by [email protected] to c/[email protected]
156 comments fedilink hide all child comments
 

We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn't).

As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.

ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.

That’s all it is. Pretty simple, really.

To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.

This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.

(page 2) 50 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 4 months ago (3 children)

I'm surprised most people are against public votes. Most people already seem to have an anonymous account via some weird username not connected to their real identity already. What difference does it make that votes can be viewed, other than for transparency during discussion?

Maybe I'm the odd one out that uses my real name on the Internet and generally try to behave/vote the same as I would in person, but it seems weird wanting a hybrid account that's private (votes), yet not private (comments).

[–] [email protected] 16 points 4 months ago (2 children)

If votes were anonymous here, I might "come out" as my professional self and share more from my resources that can be used to Identity who I am.

I'm concerned that my voting pattern is probably already being collected to build a profile on MajorHavok, to decide whether MajorHavok should be favored or disfavored in anything owned by old Elon or Zuck or Bezos.

Elon is a fuck up, but he still owns a lot of places that I might need to use for my work.

So, for now, it's pretty important to me that MajorHavok and John Jacob Jinglehimer Schmidt are kept as separate identities, so that John's employability where Elon/Zuck/Bezos has influence will remain unaffected.

[–] [email protected] 3 points 4 months ago (1 children)

Hmm, I can understand how someone can be concerned about that, but personally I find it too theoretical and unlikely to matter.

Any company wanting to harvest data from the fediverse would likely just create their own instance to easily copy the databases from every major instance, private voting wouldn't help against that. I would also say that your comment would be a thousand times more damning than upvoting every comment/post critical of Musk.

If you only lurk, you will stay anonymous as long as you use an anonymous username. If you comment, you are way more likely to "leak" your opinion through comments anyway.

But those are just my thoughts, I might be way off base and lack the full range of perspectives.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 15 points 4 months ago (1 children)

When you comment you make a conscious decision to put your opinion out there and sign it with your "name" (or alternatively you switch to a "burner" account and do it pseudonymously).

But when you vote for stuff it's often without much thinking, and it's private on pretty much every other platform. Where it isn't it's usually blatantly obvious that that is the case.

What difference does it make that votes can be viewed, other than for transparency during discussion?

There are many reasons that have been stated time and time again; one is simply that people may wish to stay anonymous when supporting certain opinions.

To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.

[–] [email protected] -1 points 4 months ago (5 children)

To me it feels like comments are what you can actually stand behind publicly, while votes also show what you think privately. And not everyone is willing to stand behind all of their opinions publicly, often for fear of backlash or harassment.

I guess I'm just of the opinion that if someone has that concern, they should rethink how they use social platforms and maybe look into creating a more anonymous profile that suits their need better.

But now we are just down to differing opinions, which is all fine to have, I won't claim my thoughts are the best one.

I have felt the want to have a more anonymous profile from time to time since being an admin means I need to avoid controversial topics, but it isn't any more difficult than simply not engaging with it.

load more comments (5 replies)
[–] [email protected] 9 points 4 months ago* (last edited 4 months ago) (1 children)

I'm surprised most people are against public votes.

It's okay that you don't understand why, but it would be best to learn why anonymity is a key requirement for voting freedom, be it in the polls or on social media.

[–] [email protected] -1 points 4 months ago

Votes doesn't break the anonymity is my point. You achieve anonymity by using a fake name and not sharing too much personal information in your comments. No amount of voting will reveal that [email protected] is Jonathan Brown from Newcastle.

[–] [email protected] 11 points 4 months ago

You keep delivering, thank you so much!

[–] [email protected] 39 points 4 months ago

You're a hero for making this happen in... 24 hours? 48?

The issue won't go away, we'll see how well everyone else deals with it, but this is a super strong argument for your system / server.

(Advertise it. Advertise it HARD. "piefed, we have private votes".)

[–] [email protected] 8 points 4 months ago

That's pseudonymous!

But all kidding aside, it sounds good

[–] [email protected] 25 points 4 months ago* (last edited 4 months ago) (3 children)

While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.

Seems to me there’s still routes to deanonymization:

  1. Pull posts that a user has posted or commented in
  2. Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
  3. if the results aren’t immediately obvious, statistical analysis might reveal your target.

Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.

Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?

[–] [email protected] 1 points 4 months ago

Not familiar with how piefed handles it specifically but aren't posts/comments self-upvoted by default?

You could probably figure it out pretty easily just by looking at a user's posts, no?

(This is unless piefed makes it so the main actor up votes their own posts, and the anonymous actor upvotes others' posts, but then it would still be possible to do analysis on others' comments to get a pretty accurate guess)

[–] [email protected] 2 points 4 months ago

It could be mitigated further by having a different Actor per community you engage in, but that is definitely a bigger change in how voting works currently, and might have issues detecting vote brigading.

[–] [email protected] 8 points 4 months ago (1 children)

It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.

Still, I think it's enough to be effective most of the time.

[–] [email protected] 2 points 4 months ago (1 children)

Yea, I agree. It’s good enough. Sorry, I didn’t mean to sound like it was a bad solution, it’s just not perfect and people ought to be aware of limitations.

I used a small instance in my example so the problem was easier to understand, but a motivated person could target someone on a large instance, too, so long as that person tended to vote in the posts they commented on.

Just for example (and I feel like I should mention, I have no bad feelings towards this guy), Flying Squid on lemmy.world posts all over the place, even on topics with few upvotes. If you pull all his posts, and all votes left in those posts from all users, I bet you could find one voter who stands out from the crowd. You just need to find the guy following him everywhere: himself.

I mean, if he tends to leave votes in topics he comments on, which I assume he does.

It would have to be a very targeted attack and that’s much better than the system lemmy uses right now. I’m remembering the mass tagger on Reddit, I thought that add on was pretty toxic sometimes.

Also, it just occurred to me, on Lemmy, when you post you start with one vote, your own. I can even remove this vote (and I’ll do it and start this post off with score 0). I wonder how this vote is handled internally? That would be an immediate flaw in this attempt to protect people’s privacy.

[–] [email protected] 3 points 4 months ago

Yeah, I think your point is absolutely well made. And it's a good reason to, even if features like this are implemented widely, we shouldn't boast too much about voting being anonymous. It's just too difficult or impossible to make it bullet proof.

I don't think the automatic upvotes to your own posts count as real upvotes. At least they don't federate, so they shouldn't pose too much of a problem. I think they're just there to keep people from trying to upvote their own content.

[–] [email protected] 4 points 4 months ago (2 children)

So I've been thinking about this and I would go for a different approach.

Admins can set voting to be public or private on a server wide level.

When users vote, a key is created as the userid

The votes table is essentially: voteid, postid, userid, timestamp, salt, public

If the vote is private, userid is salt(userid, password)

And it's that simple.

[–] [email protected] 9 points 4 months ago (1 children)

With the user id being salted it's going to be different every time. This means it'll be difficult if not impossible to monitor voting trends or abuse.

Also how would you use the password unless it was stored in the clear. If it's based on a pre-salted tuple, how does one handle password changes?

[–] [email protected] 2 points 4 months ago (1 children)

Dammit! Okay, cancel the salt idea. How about just a simple md5() and then it should remain a static value right?

[–] [email protected] 3 points 4 months ago (1 children)

Let me change my password real quick...

[–] [email protected] 2 points 4 months ago (1 children)

Just add a function so when you change your profile, it also pulls all records that match md5(userid, password) and then update them records too.

Though I'm convinced the overarching logic is correct, this is not my wheelhouse, so I'm probably wrong.

[–] [email protected] 4 points 4 months ago

You'd need to federate that, and I don't think AP allows you to change federated user IDs.

[–] [email protected] 1 points 4 months ago (1 children)

@[email protected] does the design hold up?

load more comments (1 replies)
[–] [email protected] 16 points 4 months ago* (last edited 4 months ago) (1 children)

Nice, @[email protected], we feeling heard? 😉

Link

Great trial! Will see if you end up feeling a need to iterate sometime later!

load more comments (1 replies)
load more comments
view more: ‹ prev next ›