this post was submitted on 19 Aug 2024
406 points (98.1% liked)

Fediverse

28713 readers
548 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
406
Private voting has been added to PieFed (piefed.social)
submitted 4 months ago by [email protected] to c/[email protected]
156 comments fedilink hide all child comments
 

We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn't).

As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.

ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.

That’s all it is. Pretty simple, really.

To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.

This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.

(page 3) 50 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (6 children)

This is excellent.

I'm curious about piefed now. Is it free of any explicit agenda?

load more comments (6 replies)
[–] [email protected] 14 points 4 months ago (2 children)

The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example can trust my tiny instance to be playing by the rules? I went over more details in this other comment.

Sure, right now admins can contact you, for your instance. But you can't really do that with dozens of instances and hundreds of instances. There's a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?

It's a good attempt though. Maybe we're all pessimistic and it will work just fine!

[–] [email protected] 15 points 4 months ago* (last edited 4 months ago) (1 children)

I can only respond in general terms because you didn't name any specific problems.

Firstly, remember than each piefed account only has one alt account and it's always the same alt account doing the votes with the same gibberish user name. If the person is always downvoting or always voting the same as another person you'll see those patterns in their alt and the alt can be banned. It's an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.

Regardless, at any kind of decent scale we're going to have to use code to detect bots and bad actors. Relying on admins to eyeball individual posts activity and manually compare them isn't going to scale at all, regardless whether the user names are easy to read or not.

[–] [email protected] 5 points 4 months ago* (last edited 4 months ago) (2 children)

Firstly, remember than each piefed account only has one alt account and it's always the same alt account doing the votes with the same gibberish user name. It's an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.

That implies trust in the person that operates the instance. It's not a problem for piefed.social, because we can trust you. It will work for your instance. But can you trust other people's PieFed instances? It's open-source, I could just install it on my server, change the code to make me 2-3 alt accounts instead. Pick a random instance from lemmy.world's instance list, would you blindly trust them to not fudge votes?

The availability of the source code doesn't help much because you can't prove that it's the exact code that's running with no modifications, and marking people running modified code as suspicious out of the box would be unfair and against open-source culture.

I also see some deanonymization exploits too: people commonly vote+comment, so with some time, you can do correlation attacks and narrow down the accounts. So to prevent that, you'd have to remove the users mapping 1:1 to a gibberish alt by at least letting the user rotate them on demand, or rotate them on a schedule, and now we can't correlate votes to patterns anymore. And everyone's database endlessly fills up with generated alt accounts (that you can't delete).

If the person is always downvoting or always voting the same as another person you'll see those patterns in their alt and the alt can be banned.

Sure, but you lose some visibility into who the user is. Seeing the comments is useful to get a better grasp of who they are. Maybe they're just a serial fact checker and downvoting misinformation and posting links to reputable sources. It can also help identify if there's other activity beside just votes, large amounts of votes are less suspicious if you see the person's also been engaging with comments all day.

And then you circle back to, do you trust the instance admin to investigate or even respond to your messages? How is it gonna go when a big, politically aligned instance is accused of botting and the admin denies the claims but the evidence suggests it's likely? What do we do with Threads or even an hypothetical Twitter going fediverse, with Elon still as the boss? Or Truth Social?

The bigger the instance, the easier it is to sneak a few votes in. With millions of user accounts, you can borrow a couple hundred of your long inactive user's alts easily and it's essentially undetectable.

I'm sorry for the pessimism but I've come to expect the worst from people. Anything that can be exploited, will be exploited. I do wish this problem to be solved, and it's great that some people like you go ahead and at least try to make it work. I'm not trying to discourage anyone from experimenting with that, but I do think those what-ifs are important to discuss before everyone implements it and then oops we have a big problem.

The way things are, we don't have to put any trust in an instance admin. It might as well not be there, it's just a gateway and file host. But we can independently investigate accounts and ban them individually, without having to resort to banning whole instances, even if the admins are a bit sketchy. Because of the inherent transparency of the protocol.

[–] [email protected] 16 points 4 months ago* (last edited 4 months ago) (1 children)

Yes. You're going to have to trust someone, eventually. People can modify the Lemmy source code, too. Well, I can't because Rust looks like hieroglyphics to me but you get the idea.

I'd rather this than have to trust Lemmy admins not to abuse their access to voting data - https://lemm.ee/comment/13768482

load more comments (1 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 7 points 4 months ago

I missed the discussion on voting the other day it seems, but for what it's worth, I like the voting system. In real life discussions happen in open air, and don't hang there in posterity for people to stumble upon after. When we come to a consensus in conversation it is then left at that and we move on.

When online, these discussions stay as they are, and I think voting gives a way of people to come to a consensus, to leave a mark upon the conversation such that the people who come behind understand how everyone felt about it.

This is helpful I think, because it does not hide the down votes on nasty comments or ideas that hurt others.

One of the most interesting and horrible things about the internet is that every village has a "crazy Bob" but because they were the minority the good of the people outnumbered their outlandish or hateful ideas.

Now they can and do find each other online, forming a vocal and damaging minority. Without the majority able to show their dislike, human nature means more will fall in line with them and their ideals.

[–] [email protected] 3 points 4 months ago (1 children)

Is it possible to double vote this way (once on each account)? On second thought, would it even matter? A malicious actor could have multiple accounts.

[–] [email protected] 6 points 4 months ago

No, the other account isn't something you can log into or interact with. PieFed knows whether I've already voted on something, so it won't let me vote again by changing the 'vote privately' setting.

[–] [email protected] 4 points 4 months ago

Cool solution!

[–] [email protected] 82 points 4 months ago* (last edited 4 months ago) (1 children)

Cool solution. It's great to have multiple projects in the fediverse that can experiment with different features/formats.

For those who are concerned about possible downsides, I think it's important to understand that

  • PieFed has a small userbase
  • Rimu is an active admin, so if you are attempting to combat brigading or other bad behavior and this makes it more difficult, just send them a DM and they will be happy to help out

This is a good environment to test this feature because Rimu can keep a close watch over everything. We can't become paralyzed by the hypothetical ways that bad actors might abuse new features or systems. The only way forward is through trial and error, and the fact that PieFed exists makes that process significantly faster and less disruptive.

This is an attempt to add more privacy to the fediverse. If the consequences turn out for the worse, then we can either try something else, or live with the lack of privacy. Either way, we'll be better off than having never tried anything at all.

[–] [email protected] 28 points 4 months ago* (last edited 4 months ago) (4 children)

Just upvoted myself but nobody else knows 🤫

Edit: Actually I forgot to toggle the setting before voting on my own comment, so admins will see my @[email protected] account upvoted the parent comment. Worth noting that it needs to be manually enabled.

Then I turned the setting on and voted on a bunch of other comments in this post. My anonymized voting account appears as @[email protected], admins should be able to see it by checking the votes in this thread.

Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that's a good thing, imho.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago)

All I see through lemmy.ca View Vote option as an instance admin on the comment I'm replying to.

[–] [email protected] 26 points 4 months ago (1 children)

Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.

This puts the privacy shield in the hands of a users instance admin. I like that approach, but I'm sure others will disagree.

load more comments (1 replies)
[–] [email protected] 5 points 4 months ago

You wouldn't dare!

load more comments (1 replies)
[–] [email protected] 28 points 4 months ago* (last edited 4 months ago) (1 children)

Dude this is genius

I am interested to see how it plays out but the idea of the instance admin being able to pierce the veil and investigate things that seem suspect (and being responsible for their instance not housing a ton of spam accounts just as now) seems like a perfect balance at first reading

Edit: Hahaha now I know Rimu’s alter ego because he upvoted me. Gotcha!

[–] [email protected] 10 points 4 months ago

It wasn't me, haha

[–] [email protected] 7 points 4 months ago

Interesting solution 👍 Curious to see how this plays out!

[–] [email protected] 4 points 4 months ago

Neat

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (3 children)

Regarding the voting account having no name, does that mean it will be a random string of letters and numbers? I get that it will still be possible to discover vote manipulation or mass downvoting with that, but I suspect it would be more difficult to detect initially or without some deeper analysis, since it's harder to recognize or remember a random string compared to a human made username.

[–] [email protected] 3 points 4 months ago (1 children)

Random string, yeah, like https://piefed.social/u/WYJH5o7OGkbgtxA

[–] [email protected] 6 points 4 months ago

Ah, that's unfortunate. As an alternative, I have seen some online games name their bots with a random name generator that's designed to sound somewhat real, like AnnoyingPidgen or WrecklessRaptor. If the voting account naming system was more like that, it would be easier to notice voting patterns/manipulation while still being anonymous.

[–] [email protected] 7 points 4 months ago (2 children)

I’ve seen posts being downvoted by user@instancea, user@instanceb, username@instancec etc. this will make tracking that kind of abuse much more difficult.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 8 points 4 months ago (2 children)

Is it possible for an instance to send out false vote data that can't be verified? Lemmy doesn't seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.

[–] [email protected] 10 points 4 months ago

I guess that can happen now anyway as the bad actor can just create their own instance with as many fake accounts as they like. Ultimately it's still on other instance admins to block the dodgy ones either way.

[–] [email protected] 6 points 4 months ago

Yes, a fake instance can spam votes over federation. But usually it's pretty obvious and easy to block.

load more comments
view more: ‹ prev next ›