Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can’t. Should the Lemmy devs create a way to make the votes anonymous?

There is a discussion going on right now considering “making the Lemmy votes public” but I think that premisse is just wrong. The votes are public already, they’re just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.

The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don’t tell anyone.

  • mozz@mbin.grits.dev
    link
    fedilink
    arrow-up
    33
    arrow-down
    6
    ·
    edit-2
    4 months ago

    With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.

    • lalo@discuss.tchncs.deOP
      link
      fedilink
      English
      arrow-up
      12
      ·
      4 months ago

      What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.

      • Max-P@lemmy.max-p.me
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        2
        ·
        4 months ago

        The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.

        That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

        With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.

        I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.

        For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.

        Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.

        Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.

        • lalo@discuss.tchncs.deOP
          link
          fedilink
          English
          arrow-up
          5
          ·
          4 months ago

          We already depend on trusting instances for a lot of what’s going on here, I don’t see why we shouldn’t be able to defederate untrusted ones.

          • Richard@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            4 months ago

            That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

            Most of us want the Fediverse to eternally decentralise. Imho, this would be the optimal scenario. Whitelists would be a major obstacle to the décentralisation effort.

      • rglullis@communick.news
        link
        fedilink
        English
        arrow-up
        7
        ·
        4 months ago
        1. You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
        2. Your history will never be fully portable.
        3. It creates some weird dynamic: are we going to start dividing ourselves into “instances that obfuscate voting” and “instances that prefer transparency”?
        4. What is the criteria for “malicious”?
        • lalo@discuss.tchncs.deOP
          link
          fedilink
          English
          arrow-up
          6
          ·
          4 months ago
          1. Currently, any admin can modify any local user activity, can’t they?
          2. Not really, your local instance may still hold the vote data for validation. And therefore could be ported and resigned.
          3. Don’t see the problem.
          4. Today, each instance decides whomever they want federation with. The ones who decide the criteria should be the same ones who decide whom the instance federates with.
          • rglullis@communick.news
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            4 months ago
            1. Admins could modify the activity, but users can verify from outside (if they so which). If the user data gets obfuscated, it becomes a complete black box.
            2. But then you have two different events.
            3. Here is one problem: the userbase on the Fediverse is already ridiculously small. If we keep dividing ourselves over every little preference, we will end up with nothing but a thousand little ghetto fiefdoms, used by people who will never ever learn how to tolerate a different point of view.
            4. No. What will happen is that the silent majority will want to keep federation with everyone, but the intolerant minority will keep pushing instance admins to defederate from anyone who does not want to obfuscate votes. Eventually, LW will make a decision one way or another and everyone else will just have to decide if they want to stick with their principles or follow the leader so that they are not isolated.
    • chicken@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      5
      ·
      4 months ago

      I bet you could do it with ring signatures

      a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set’s members’ keys was used to produce the signature