Edit: obligatory explanation (thanks mods for squaring me away)…

What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

  • Wander@yiffit.net
    link
    fedilink
    English
    arrow-up
    675
    arrow-down
    7
    ·
    edit-2
    1 year ago

    To anyone surprised at this: welcome to the fediverse, please treat everyhing you do or say as public.

    The way to achieve privacy around here is by following the long forgotten arts of the old internet before Facebook was a thing: use a Nick name and don't tell strangers on the internet your real identity.

    Your home instance will act as a proxy and only they have access to your email and IP address. That does stay private.

    So, as long as you trust your home instance to not leak or disclose your connection or sign up data (which would be illegal in EU countries), just sign up with an alias.

    A very positive aspects of this is that it should allow us to detect voting manipulation by correlating the activity of certain potentially malicious actors. If Lemmy instances take vote manipulation seriously and do their best to block bots this has the chance to make Lemmy / Kbin much more transparent and credible than Reddit ever was.

  • TimewornTraveler@lemm.ee
    link
    fedilink
    English
    arrow-up
    298
    arrow-down
    14
    ·
    edit-2
    1 year ago

    Edit: Obligatory RIP my inbox.

    Can we leave this kinda stuff behind? It is NOT obligatory.

  • booty_flexx@lemmy.world
    link
    fedilink
    English
    arrow-up
    275
    arrow-down
    1
    ·
    edit-2
    1 year ago

    To illustrate op’s point I’m going to spin up an instance, federate with everyone, and not tell anyone what that instance is.

    Then I’m going to feed all that data into my new website, called Open Lemmy Stats, where anyone can query the user data ive accumulated. The homepage will be ripe with insights, leaderboards and all kinds of data on prolific users.

    Additionally, I’ll display a snapshot/profile of a random user by feeding that users data to GPT4 to make inferences about the user’s political affiliations and display the results.

    Worst of all, I’m not going to out my instance for everyone to know it as the one to defederate. In fact I’m spinning up a few instances that will host innocuous communities that I plan to mod and support to give my instances cover for their true purpose: redundant fediverse datastreams for my site, Open Lemmy Stats.

    I’ll also have a store where anyone can buy my collected fediverse data for a handsome sum.

    Just kidding I’m not doing any of this. But someone absolutely will or already is.

  • RyanHx@vlemmy.net
    link
    fedilink
    English
    arrow-up
    191
    arrow-down
    1
    ·
    1 year ago

    People raise a good point that in countries where political dissent can actually be dangerous, this would very much dissuade people from voting on things they believe in, or even coming anywhere near Lemmy period.

    A better approach I think would be to have the user’s host instance save their votes (the database obviously needs to remember what you voted on), but when federating those votes with other instances just hand over a cumulative total, e.g., “here on vlemmy.net we have +18 votes for this comment”, which the other instances can then add. There’s no need to send user information with that data.

    • Paradox@lemdro.id
      link
      fedilink
      English
      arrow-up
      26
      ·
      edit-2
      1 year ago

      Pretty easy to make an instance that would auto vote certain things with suspicious amounts of votes

      As it stands now, they have to fake the origin of some of those votes. Not much of a barrier, the fediverse generally accepts any user an instance says exists, but still, it’s a barrier

      And of course any instance thats blatantly manipulating votes is going to be defederated, but I’m more concerned with an instance that behaves normally until it encounters a keyword or user is been set to, and then gives their posts a -5 or whatever

      • Distributed@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        edit-2
        1 year ago

        This was my thoughts as well. I understand the need for an audit trail.

        Would be very easy to build up an interaction graph with this data that could be used for fingerprinting. If this is an issue for you, though, just browse without signing in/interacting

        Was just thinking about this more though, and unfortunately there can also be rogue instances that allow bot users to be created and interact with other instances posts, so this issue could still persist.

        • plumbercraic@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          19
          ·
          edit-2
          1 year ago

          Could replace the usernames with UUIDs, and keep the username-UUID map back on the source instance? Then you get an audit trail, but not associated with user identity. There’s also no guarantee that people don’t use bob_jones as their username, and this is Personally Identifiable Information, which brings up some GDPR stuff too.

          • Muddybulldog@mylemmy.winOP
            link
            fedilink
            English
            arrow-up
            13
            ·
            1 year ago

            The problem with that is that every interaction that any user has with a post or a comment would require calls back to the home instance in order to lookup those usernames. That’s a LOT of extra load

              • plumbercraic@lemmy.sdf.org
                link
                fedilink
                English
                arrow-up
                7
                ·
                1 year ago

                Yeah I just meant for the votes. If you make a comment with your username it’s pretty clear you consented for the input and the username to be visible side by side.

    • deweydecibel@lemmy.world
      link
      fedilink
      English
      arrow-up
      25
      ·
      1 year ago

      The problem that Reddit realized early on is that user voting is the engine behind the content aggregation. That aggregation is one of the main selling points of Reddit. The more users vote on what they see, the more information Reddit has for how to aggregate that content. That’s what keeps the front page fresh, that’s what keeps content moving up and down on the site. In a very real sense, the voting is the heart pumping blood through the site.

      So it behooves the site to not give any reason for users not to vote how they feel. Keeping votes private was part of that. It is one of the most basic tenets of democracy: the only way to give people the freedom to vote honestly and frequently is to give them the privacy to do it.

      The potential for retaliation against users, in any number of conceivable ways, far outweighs any benefits that come from making votes public.

      The voting information also makes it insanely easy to automate mass blocking of any opinion under the sun. Nobody in this thread seems to grasp all the things you can do with that data to manipulate user interactions on this site. If you think troll armies are bad, wait till those troll armies have a shared automated block list of every single person that has ever downvoted them.

    • Feirdro@lemmy.world
      link
      fedilink
      English
      arrow-up
      26
      arrow-down
      3
      ·
      1 year ago

      Agreed, especially because I believe we’re headed for a repressive regime here in the US in about 2 years.

      Places like this will need to get very careful if they want to remain bastions of free speech and places where people can come to find the information that will no longer be available in mainstream channels.

    • astral_avocado@lemmynsfw.com
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      1 year ago

      I think those users who live under oppressive governments should be used to using tools like Tor and accounts with a proton email to interact on the internet.

      • RyanHx@vlemmy.net
        link
        fedilink
        English
        arrow-up
        11
        ·
        edit-2
        1 year ago

        Fair point. Though if nothing else stripping out usernames from vote counts would maybe save some bandwidth or database queries for the instance.

  • deweydecibel@lemmy.world
    link
    fedilink
    English
    arrow-up
    179
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Reading these comments, seeing so many excuses, sarcastic responses, and handwaving, makes me realize a great deal of users really need to develop some imagination.

    This is not about privacy. It’s about data that can easily be used for targeting and profiling users, and how that creates countless avenues for targeted harassment and wide scale retaliation. It’s about all of the innumerable ways public vote information can and will be abused to manipulate scoring across the site with targeted/automated shadow banning and shared blocklists. Raise your hand if you trust every single admin to never abuse such a tool to curate the outward appearance of an instance to fit a narrative.

    For a different example: I could say something about how great Nazis are right now, and have a bot programmed to read every single person that downvoted me, add those names to a shared blocklist, and viola, I’ve made myself and all my alts invisible to the people that would challenge me on a massive scale.

    I promise you this is going to be a big issue as tools for this site get more sophisticated over time.

  • czech@no.faux.moe
    link
    fedilink
    arrow-up
    165
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Activities are public and easily viewable on kbin. It’s been interesting. Seems mostly positive other than people harassing those who down-vote them demanding explanations.

  • kennydidwhat@lemmy.world
    link
    fedilink
    English
    arrow-up
    171
    arrow-down
    16
    ·
    1 year ago

    There’s something amusing about people feeling violated by their activity being made public, but not necessarily by corporations hoarding and capitalizing on that activity & data. I mean, one of them is out in the open. The other is pure abuse.

  • ScaNtuRd@lemmy.world
    link
    fedilink
    English
    arrow-up
    155
    arrow-down
    18
    ·
    edit-2
    1 year ago

    Not to sound harsh or anything, but those of you saying that it’s okay that all this data is public are insane. This completely goes against the entire philosophy of the Fediverse and FOSS in general. The reason we all are fleeing from Big Tech is because they collect so much data on us. At least, they keep it hidden from public view. This is a major issue in my opinion, and needs to be addressed ASAP before we can claim to have superior platforms on the Fediverse. Why can’t this data at least be encrypted?

  • Aceticon@lemmy.world
    link
    fedilink
    English
    arrow-up
    151
    arrow-down
    17
    ·
    1 year ago

    Well, yeah, it’s put on the database.

    It’s the only way to avoid double voting from the same account or to remove the reverse vote if one changes one’s mind and votes the other way.

    Did you think that it was any different on Reddit and that no random employee with access to their database could run a similar SQL query with a couple of joins and end up with nicknames, e-mails and IP addresses?!

    Do you know who are the Reddit employees with access to their database or a copy of it? Have you had a chance to vet them? I don’t think so.

    At least here it’s a bit more transparent.

    The only shocking thing in this is that anybody is shocked by it.

  • Bill@lemm.ee
    link
    fedilink
    English
    arrow-up
    112
    ·
    1 year ago

    I downvoted the beans and I don’t care who knows about it. I’d do it again.

    This is useful to know though, thanks. I guess assume everything is public short of your password (unless your admin is particularly nefarious and has altered the code to store passwords in plaintext for some reason).

  • Margot Robbie@lemmy.world
    link
    fedilink
    English
    arrow-up
    95
    ·
    edit-2
    1 year ago

    Suppose there is someone who wants to maintain their anonymity and privacy on Lemmy so that it couldn’t be tied to their real identity, what do you think is the best way to do that?

    Hmm, I, famous Hollywood actress Margot Robbie and star of “Barbie”, sure am stumped.

  • FinalFallacy@kbin.social
    link
    fedilink
    arrow-up
    97
    arrow-down
    10
    ·
    edit-2
    1 year ago

    Isn’t that kind of the point? You don’t get very far hiding in a social setting. You’re on a public website talking to other people. Your posts should be public, comments, etc. At least people should treat all websites or apps they didn’t develop personally like they’re public. I mean you don’t really have a right to privacy in public.

    And I’m not trying to say this with some malicious tone or anything but it’s just my view on it.

  • MissingNo@lemmy.world
    link
    fedilink
    English
    arrow-up
    84
    arrow-down
    2
    ·
    1 year ago

    At first I agreed with the general “whatever” sentiment. It has some important implications, however.

    It discourages people from voting if they’re concerned about other people seeing their activity. This could result in a lower quality of scoring for posts.

    • Azzu@lemm.ee
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      2
      ·
      edit-2
      1 year ago

      It might also increase quality though. If people downvote out of spite and now it can be proven that they did, they might not do it and thus remove “bad” downvotes from the pool.

      I still think in total it’s probably better that they can not be seen, since anonymity usually gives more honest opinions.

    • chakan2@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      4
      ·
      edit-2
      1 year ago

      It discourages people from voting if they’re concerned about other people seeing their activity. This could result in a lower quality of scoring for posts.

      I strongly disagree with that. I think showing downvotes makes your votes more relevant. If something has 10k up votes and 10k down votes, it’s probably a decent post. If it just shows 10k up votes, or 0 net total, the score doesn’t reflect the nature of the post.

      At the individual level, it lets you know if someone is just trolling. That’s also a plus as far as reputation goes (not sure how people are scored here, or if they are).

      • OmniGlitcher@lemmy.world
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        1
        ·
        edit-2
        1 year ago

        I agree with what you’re saying, but that’s not the point of this post. This post is about the fact that an individual user’s vote history is semi-public.

        i.e. if you were to upvote my comment, anyone who owns an instance would be able to see it was you who upvoted it. Likewise for if you downvote it.

        Whilst I’m sure there are those who don’t care, I’d personally rather not have any rando who can be bothered to set up a Lemmy instance know what I’ve voted on. I’d honestly rather just not vote.

    • Draconic NEO@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      4
      ·
      1 year ago

      I disagree, a lot of people troll-downvote meaning they downvote content that they don’t like, or just downvote because it’s already low score. Same also happens with upvotes and content that shouldn’t be upvoted. If you’re concerned with other people seeing your vote history you probably shouldn’t be making those votes.

      Semi public voting discourages this form of misconduct because people who want to can audit their history and see that they’re a troll.

      • noworriesimaracoon@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        3
        ·
        1 year ago

        I disagree, a lot of people troll-downvote meaning they downvote content that they don’t like, or just downvote because it’s already low score.

        Is there a valid reason, according to you, to use the downvote button? I’m really interested in knowing.

        • IronKrill@lemmy.ca
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          1
          ·
          edit-2
          1 year ago

          The accepted reason for downvoting since early Reddit times is content that either doesn’t contribute to discussion or is factually false. Downvote was never meant to be a disagree button, but I am sure we’ve all broken that rule occasionally.

          • locuester@lemmy.zip
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            1
            ·
            1 year ago

            Exactly. It seems everyone here is of the impression that voting is for agree/disagree. That sucks and it’s simply impossible to fix.

        • sauerkraus@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          3
          ·
          edit-2
          1 year ago

          Downvoting has always been an indicator that you disagree in some way. Whether it’s a disagreement with the substance or format never mattered. You’ll sometimes see people jump through hoops trying to justify how their form of disagreement is the only valid one though.

      • minnow@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        You do see how it could have a chilling effect on engagement if the “someone” judging you negatively for your vote is, say, a repressive government, right? And what’s the point of a social network without engagement?

        • MrMonkey@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          Exactly.

          “I see you up votes posts about my election rival… see you soon!”

          “Dear child, I see you up voted LGBT content. Let’s talk about your sins, then try some electroshock”

  • Exosus@lemmy.world
    link
    fedilink
    English
    arrow-up
    85
    arrow-down
    3
    ·
    1 year ago

    I mean essentially any decentralised type of social Media cannot work any other way. An open backend is not shocking, it is expected.

    • Muddybulldog@mylemmy.winOP
      link
      fedilink
      English
      arrow-up
      35
      ·
      1 year ago

      To those of use who understand how it works, yes. Five minutes in Lemmy support makes it obvious that there are many people who DON’T understand how it works. Hence, YSK.

      • MrShankles@reddthat.com
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        Which has been extremely helpful. It took me a second to have a grasp on what was going on here, but it was an almost painless switch for me, especially because of these tips showing up in my feed. I still scroll some of them because of the additional tips/info in the comments

        I feel like I’m kinda back to the forum-feel of when I lurked around SA; but this is way cooler imo. And everyone’s been really awesome here trying to make it work for all of us, so quickly. I’m a very appreciative new user!

    • sparr@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      1 year ago

      That’s not true, it’s just very computationally expensive to make it secure and private. There are cryptographic solutions these problems.

      • astral_avocado@lemmynsfw.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Good luck building a performant version.

        Although I’ve always wondered why someone hasn’t built a Tor version of Lemmy/mastodon yet… imagining no home instance control, you’re just donating hosting to a truly decentralized website that nobody controls but anyone can post to. It would be the ultimate dissent tool.

    • AncientMariner@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      2
      ·
      edit-2
      1 year ago

      So no known user will ever have a desire to join. Malicious actors will dig out their votes and expose it publicly. Could be massively damaging. You cannot do that with other social media. Obviously those companies have that information, but they do not share it.

      • james1@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        You cannot do that with other social media.

        Facebook likes, Twitter likes, Discord reacts, LinkedIn reacts, etc. are all publicly visible. The only possible slight difference with this is that in some cases people might not be aware, in which case the issue would be that it is less obvious to a casual browser than Facebook’s “AncientMariner and 23 others liked this post” rather than that the likes are visible at all.

        • AncientMariner@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          1 year ago

          I think the awareness is the main thing. I don’t like and use those platforms like Twitter, or Mastodon. I assumed it was private like Reddit. Many would also.

      • rigatti@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        3
        ·
        1 year ago

        They could just make an account that’s not identifiable? Or only use their identifiable account sparingly. Or not have their upvotes be publicly damaging.

        • AncientMariner@lemmy.world
          link
          fedilink
          English
          arrow-up
          15
          ·
          1 year ago

          Or the technology could just share the information it needs to share and not everything and anonymise the data ;).

          • WaveCommander@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            1
            ·
            edit-2
            1 year ago

            Or the technology could just share the information it needs to share and not everything and anonymise the data ;)

            It does. If it “anonymized” the data before broadcasting it to the federation, usernames would not be valid across federated instances.

            If I post on instance A as “John” but my username gets anonymized as “UserA893SAJ”, any instance other than A has no idea that that is John, and therefore it is just some anonymous user.

            It’s totally possible, but that’s not what Lemmy wants to be

            Edit: Yeah no, in cases where attribution is not necessary, like upvote/downvote, they really should be anonymized between Lemmy instances.

            I wonder why it isn’t at the moment. Possibly just didn’t have the foresight. I could look into contributing that possibly if someone isn’t working on it already