We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
You must log in or register to comment.
How does this work with moderation? I.e. what happens if I ban the real user from a Lemmy instance? What if I ban the alternate user?
Also, what happens if on Piefed, a user votes for something, then they change the setting and then they vote for the same thing again? How would a Lemmy instance know if it should count the vote or not, since the original user didn’t actually vote from Lemmy’s point of view?
The ‘real user’ and the ‘private voter’ are 2 different accounts as far a external instances are concerned, but only 1 as far as piefed.social is concerned. So if you banned either one, it would have the same effect, because PF would locate the same account from the information provided.
Likewise, a piefed user can’t vote twice on something, they make one vote, and then the ‘private voting’ setting determines how it is sent out. The local system has tracked that they have voted, and changing the setting won’t change that.
There’s always more work to do of course, but piefed.social is a small instance, with manual approval required for registration, no API to script things like mass downvoting, and concepts such as ‘attitude’ which would prevent that anyway, so I can’t foresee anything too disastrous happening from this little experiment.
I’m a little concerned about the precedent this sets. An instance could use this technique to facilitate anonymous commenting or posting in addition to votes.
Who cares? Generating an infinite number of tokenized identities to facilitate ban evasion will just result in an instance getting defederated. This introduces no real risk as long as the instance is generally abiding by the rules.
Most of us here are fairly anonymous anyway. I dont think being able to add an additional layer of privacy to our activity is really a big deal.
I actually had an idea that this could be a solution, is just have votes appear from fake accounts. Glad someone implemented it!
Nice, @A_A@lemmy.world, we feeling heard? 😉
Great trial! Will see if you end up feeling a need to iterate sometime later!
@rimu@piefed.social did great on my simple idea and this is very nice to know. He did not implement his other idea of having a pool of available robots that would vote one time each for each one vote of each one user(s) … also I thought it might be implemented in the frontend but he did implement it in the backend.
i did not say before but i was also thinking about complex mechanisms involving some kind of coin that would represent voting power that could be spent when voting or accumulated maybe with some loss of value with time … but then i read about the many research paper that were published about such things … in conclusion i believe we will see many other iterations of such social media.
thanks for the feedback 😌
Hey, Lemmy admin here. If I ban an anonymous account, does the account it’s tethered to also get banned?
No but perhaps it should!
PieFed lacks an API, making it an unattractive tool for scripting bots with. I don’t think you’ll see any PieFed-based attacks anytime soon.
If the pseudo account is banned for it’s vote choices, does that really address the issue of vote-banning?
So no app?
Kind of but technically, no. Please see https://join.piefed.social/docs/piefed-mobile/
What about PieFed-based shitty humans?
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI ), making it easy to spot people who downvote excessively and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).
Wow your documentation is so much better than ours.
That’s nice of you to say. I’ve tried to focus well on certain areas that seem important but I really admire the breadth of https://join-lemmy.org/docs/ which I could never hope to cover.
Do you have a link? The Piefed docs page is empty for me.
Yes but … Navigation icon at the top right of the pages leads to these :
https://join.piefed.social/docs/piefed-mobile/ https://join.piefed.social/docs/developers/ https://join.piefed.social/docs/admin-guide/ https://join.piefed.social/docs/installation/
https://join.piefed.social/2024/06/22/piefed-features-for-growing-healthy-communities/I swear there was documentation there.
Ah fuck! I mistook the piefed docs for the pixelfed docs.
I was wondering what attitude was, but I never got around to checking it out in the documentation. I was wondering why PieFed insisted my attitude wasn’t 100%. Makes sense now - I guess it just isn’t!
(maybe a clickable question mark next to the attitude score explaining briefly what it is could be useful at some point)
Do you really think it would matter to a malicious botter if they have a documented API or simply look at the requests the browser makes?
Do you ben based on voting behaviour?
It’s against the CoC of programming.dev and we have issued warnings to abusers before. Last warning given for that was 13 days ago and was spotted by a normal user.
I think you forgot to say what is against the CoC. It’s implied though.
Vote manipulation
If the same account is voting in the same direction on every single post and comment in an entire community in a matter of seconds while contributing neither posts nor comments? Yes, vote manipulation.
If one user is following another around, down voting their content across a wide range of topics? Yes, targeted harassment.
I think a ban based on those criteria should apply to main acct but I’m not sure how it’s implemented.
Would banning the voting half of the pseudonymous account not mitigate the immediate issue? Then asking their instance admin to later lookup and ban the associated commentating account.
Well, doesn’t that fly in the face of federated autonomy and privacy?
On one end, if it’s my instance and I want to ban a user, I want the whole fucking user banned – not just remove their ability to vote anonymously. If one of my communities or users is being attacked, it’s my responsibility to react. If I can’t remove the whole problem with a ban, then I have to remove the whole problem with a de-federation. (A thing I fundamentally don’t want to do.)
On the other, if some other admin says, “one of your users is being problematic, please tell me who they are,” I’m going to tell that other admin to fuck right off because I just implemented a feature that made their votes anonymous. I’m not about to out my users to some rando because they’re raining downvotes on MeinHitler69@nazi.hut.
It’s a philosophical difference of opinion.
But if the only bad behavior is voting and you can that agent then you’ve solved the core issue. The utility is to remove the bad behavior, no?
No, the utility is to remove bad users.
To prevent them from engaging in bad behavior.
On one end, if it’s my instance and I want to ban a user, I want the whole fucking user banned – not just remove their ability to vote anonymously.
I mean, is that truly the case? If a user only engages in vote manipulation, but otherwise they have insightful comments/posts, is it really that big of a deal that you will ban only their option to vote?
I think you’re conflating my two separate concerns. One’s automated vote manipulation. The other is targeted harassment.
Looks like it’s kinda hard to spin up a piefed bot. Not impossible, but it’s a bitch without an API.
If I have an insightful contributer who’s going out of their way and outside of their normal communities to be a dick to another user, maybe they’re not so insightful after all. Or they’ve got a great reason!
Either way, I want to be able to point to their behavior - without the extra step of having to de-anonymize their activity - and tell them to chill the fuck out or get the fuck out. Out means out. Totally and forever.
Looks like it’s kinda hard to spin up a piefed bot. Not impossible, but it’s a bitch without an API.
What you would actually want to do if you want to bot is take one of the existing apps and modify it to make spamming easy.
Either way, I want to be able to point to their behavior - without the extra step of having to de-anonymize their activity - and tell them to chill the fuck out or get the fuck out. Out means out. Totally and forever.
I can see why you would want that, but my question is is that such a big deal compared to people being harassed for their voting? I don’t think user privacy should be violated - especially en masse / by default just because of some (in my opinion fairly minor) moderation concerns.
And if they are a dick overall, then you will figure it out anyway, ban their “main” account and that will prevent them from voting, too (unless the instance is malicious, but then a malicious instance can do much more harm in general).
Sure, but by the same token, mods are just as capable of manipulation and targeted harassment when they can curate the voting and react based on votes.
On reddit, votes are only visible to the admins, and the admins would take care of this type of thing when they saw it (or it tripped some kind of automated something or other). But they still had the foresight not to let moderators or users see those votes.
Complete anonymity across the board won’t work but they’re definitely needs to be something better than it is now.
mods are just as capable of manipulation and targeted harassment when they can curate the voting and react based on votes
I’m not sure what you’re trying to say.
I’m speaking as an admin, not as a mod. I own the servers. I have direct access to the databases. When law enforcement comes a’knockin’, it’s my ass that gets arrested. I have total control over my instances and can completely sever them from the fediverse if I feel it necessary. Mods are mall cops that can lock posts and deal with problem users one at a time.
On reddit, votes are only visible to the admins, and the admins would take care of this type of thing when they saw it (or it tripped some kind of automated something or other)
There are no built in automations. Decoupling votes from the users that cast them interferes with my ability to “take care of this type of thing.”
Yeah, I see that and it does concern me now that it has been brought up.
However. In the last 6 months of being active in the ‘Lemmy.world defense hq’ matrix room where we coordinate admin actions against bad people, vote manipulation has come up once or twice. The other 99% of the time it’s posts that are spam, racist or transphobic. The vote manipulation we found detected using some scripts and spreadsheets, not looking at the admin UI. After all, using code is the only way to scan through millions of records.
Downvote abuse/harassment coming from PieFed will be countered by monitoring “attitude” and I have robust tools for that. I can tell you with complete confidence that not one PieFed user downvotes more than they upvote. I can provide 12 other accounts on Lemmy instances that do, tho. Lemmy’s lack of a similar admin tool is unfortunate but not something I can do anything about.
What I’ve done with developing this feature is taken advantage of a weakness of ActivityPub - anyone can make accounts and have them do stuff. Even though I’ve done it in a very controlled and limited way and released all the code for it, having this exposed feels pretty uncomfortable. There were many many people droning on about “votes must be public because they need to come from an account” blah blah and that secure safe illusion has been ripped away now. That sucks, but we were going to have to grapple with it eventually one way or another.
Anyway. I’m not wedded to this or motivated by a fixed ideology (e.g. privacy über alles) so removing this is an option. It didn’t even take that long to code, I spent more time explaining it than coding it.
Is that really harassment considering Lemmy votes have no real consequences besides feels?
Look mom, I’m famous!
Why do you downvote all the stuff anyways?
PieFed shows us that he has an “attitude” of -40%, which I guess means that of 200 catloaf votes 140 will point downwards. So I guess at least it’s nothing personal, he or she is just an active downvoter of things. I guess we all enjoy spending our time differently.
A cool potential feature would be weighted downvotes - giving downvotes form users with higher attitude scores (in PieFed terms) greater significance. But I’m derailing.
I’ve always wanted to ask such a person what their deal is. I mean they could be miserable, or one of the people who always complain about everything. Or it’s supposed to be some form of trolling that no one gets… Maybe I shouldn’t ask because it’s not gonna be a healthy discussion… And I don’t care if that happens in an argument. But I really wonder why someone downvotes something like an innocent computer question. Or some comment with correct and uncontroversial advise. Or other people during a healty conversation. It doesn’t happen often to me, but I had all of that happen. And maybe thoughts like this lead to the current situation. And some people think about exposing such people and some think it should be protected.
And i think weighing the votes is a realistic idea. We could also not count votes of people with bad attitude at all.
Then again, if there’s a method to it and logic behind it, maybe these active downvoters are doing everybody a favour by screening content and downvoting things they consider to be of little value?
I don’t know. It would be interesting to hear their motivation for sure.
I’ve always wanted to ask such a person what their deal is.
I can’t answer for other people but I’m probably in the “low attitude” group, since my older account is at -9% and the current one at +42%. And at least for me it’s the result of two factors.
One of them is that old Reddit habits die hard. In Reddit I used to have uBlock Origin hiding the voting buttons from the platform, as a way to avoid contributing with it altogether except in ways that subjectively benefitted me, such as commenting (as I’m verbose, I feel good writing). The exception to the above was typically things so stupid/reddit-like/idiotic that I couldn’t help but downvote.
Another is that my “core” values is rather different from what most people in social networks value. As such, a lot of posts/comments are from my PoV overrated (that get downvoted) or underrated (that get upvoted). And due to sorting algorithms I’m seeing high score comments more often, so this yields a higher amount of downvotes.
Is it possible for an instance to send out false vote data that can’t be verified? Lemmy doesn’t seem like a plausible target for it at the moment (and i dont pretend to know how this works beyond a conceptual level) but I can imagine a bad actor at some point seeking to manipulate voting.
Yes, a fake instance can spam votes over federation. But usually it’s pretty obvious and easy to block.
I guess that can happen now anyway as the bad actor can just create their own instance with as many fake accounts as they like. Ultimately it’s still on other instance admins to block the dodgy ones either way.
Regarding the voting account having no name, does that mean it will be a random string of letters and numbers? I get that it will still be possible to discover vote manipulation or mass downvoting with that, but I suspect it would be more difficult to detect initially or without some deeper analysis, since it’s harder to recognize or remember a random string compared to a human made username.
Random string, yeah, like https://piefed.social/u/WYJH5o7OGkbgtxA
Ah, that’s unfortunate. As an alternative, I have seen some online games name their bots with a random name generator that’s designed to sound somewhat real, like AnnoyingPidgen or WrecklessRaptor. If the voting account naming system was more like that, it would be easier to notice voting patterns/manipulation while still being anonymous.
I’ve seen posts being downvoted by user@instancea, user@instanceb, username@instancec etc. this will make tracking that kind of abuse much more difficult.
From reading about PieFed’s moderation tools linked elsewhere in this thread, seems like the solution to that is already built in more explicitly for them.
Can you elaborate further? If the intention is to obscure the information by federating anonymous information outwards, then no third party instance owners can observe the true usernames for vote manipulation from the same user across instances. If more instances deploy this kind of poisonous behaviour across the fediverse, then it becomes untenable for instance owners and community moderator to protect themselves, which in turn hurts the fediverse as a whole.
Edit: if you mean the vote percentage thing, that’s utterly useless. Vote amplification works both ways, a bot user doesn’t have to vote just down or just up. So knowing the percentage of the anonymous user’s previous behavior doesn’t support identifying vote manipulation. An alleged abuser can easily create thousands of account and sample random % of account to mass drive sentiment without having them all appear with similar percentages.
Mass vote manipulation should still be easy to spot. It’ll only be hard to check whether the account voting is a real person.
Neat
Interesting solution 👍 Curious to see how this plays out!
Oh god…I’m Charlie Kelly.
I read that as “Pirate voting”.
While not a perfect solution, this seems very smart. It’s a great mitigation tactic to try to keep user’s privacy intact.
Seems to me there’s still routes to deanonymization:
- Pull posts that a user has posted or commented in
- Do an analysis of all actors in these posts. The poster’s voting actor will be over represented (if they act like I assume most users do. I upvote people I reply to etc)
- if the results aren’t immediately obvious, statistical analysis might reveal your target.
Piefed is smaller than lemmy, right? So if only one targeted posting account is voting somewhat consistently in posts where few piefed users vote/post/view, you got your guy.
Obviously this is way harder than just viewing votes. Not sure who would go to the trouble. But a deanonymization attack is still possible. Perhaps rotate the ids of the voting accounts periodically?
It could be mitigated further by having a different Actor per community you engage in, but that is definitely a bigger change in how voting works currently, and might have issues detecting vote brigading.
It will never be foolproof for users coming from smaller instances, even with changing IDs. If you see a downvote coming from PieFed.social you already have it narrowed down to not too many users, and the rest you can probably infer based on who contributes to a given discussion.
Still, I think it’s enough to be effective most of the time.
Yea, I agree. It’s good enough. Sorry, I didn’t mean to sound like it was a bad solution, it’s just not perfect and people ought to be aware of limitations.
I used a small instance in my example so the problem was easier to understand, but a motivated person could target someone on a large instance, too, so long as that person tended to vote in the posts they commented on.
Just for example (and I feel like I should mention, I have no bad feelings towards this guy), Flying Squid on lemmy.world posts all over the place, even on topics with few upvotes. If you pull all his posts, and all votes left in those posts from all users, I bet you could find one voter who stands out from the crowd. You just need to find the guy following him everywhere: himself.
I mean, if he tends to leave votes in topics he comments on, which I assume he does.
It would have to be a very targeted attack and that’s much better than the system lemmy uses right now. I’m remembering the mass tagger on Reddit, I thought that add on was pretty toxic sometimes.
Also, it just occurred to me, on Lemmy, when you post you start with one vote, your own. I can even remove this vote (and I’ll do it and start this post off with score 0). I wonder how this vote is handled internally? That would be an immediate flaw in this attempt to protect people’s privacy.
Yeah, I think your point is absolutely well made. And it’s a good reason to, even if features like this are implemented widely, we shouldn’t boast too much about voting being anonymous. It’s just too difficult or impossible to make it bullet proof.
I don’t think the automatic upvotes to your own posts count as real upvotes. At least they don’t federate, so they shouldn’t pose too much of a problem. I think they’re just there to keep people from trying to upvote their own content.
Not familiar with how piefed handles it specifically but aren’t posts/comments self-upvoted by default?
You could probably figure it out pretty easily just by looking at a user’s posts, no?
(This is unless piefed makes it so the main actor up votes their own posts, and the anonymous actor upvotes others’ posts, but then it would still be possible to do analysis on others’ comments to get a pretty accurate guess)
I love this approach, balances user freedom & privacy with moderation & voting pattern analysis by the public.
ActivityPub might mean some data is slightly less private, but that doesn’t mean it has to be.
Dude this is genius
I am interested to see how it plays out but the idea of the instance admin being able to pierce the veil and investigate things that seem suspect (and being responsible for their instance not housing a ton of spam accounts just as now) seems like a perfect balance at first reading
Edit: Hahaha now I know Rimu’s alter ego because he upvoted me. Gotcha!
It wasn’t me, haha
You’re a hero for making this happen in… 24 hours? 48?
The issue won’t go away, we’ll see how well everyone else deals with it, but this is a super strong argument for your system / server.
(Advertise it. Advertise it HARD. “piefed, we have private votes”.)
That’s super cool and amazing that you implemented it so quickly.
So now I have a PieFed account :)
