We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
I use people upvoting bigoted and transphobic content to help locate other bigoted and transphobic accounts so I can instance ban them before they post hate in to our communities.
This takes away a tool that can help protect vulnerable communities, whilst doing nothing to protect them.
It’s a step backwards
Well it also takes away a tool that harassers can use for their harassing of individuals, right? This does highlight the often-requested issue of Lemmy needs better/more moderation tools though.
If public voting data becomes a thing across the threadiverse, as some lemmy people want.
Which is why I think the appropriate balance is private votes visible to admins/mods.
Admins only. Letting mods see it just invites them to share it on a discord channel or some shit. The point is the number of people that can actually see the votes needs to be very small and trusted, and preferably tied to a internal standard for when those things need acted upon.
The inherent issue is public votes allow countless methods of interpreting that information, which can be acted on with impunity by bad actors of all kinds, from outside and within. Either by harassment or undue bans. It’s especially bad for the instances that fuck with vote counts. Both are problems.
I can see this argument, at least in general. As for community mods, I feel like it’d be generally fruitful and useful for them to be and feel empowered to create their own spaces. While I totally hear your argument about the size of the “mod” layer being too large to be trustworthy, I feel like some other mitigating mechanisms might be helpful. Maybe the idea of a “senior” mod, of which any community can only have one? Maybe “earning” seniority through being on the platform for a long time or something, not sure. But generally, I think enabling mods to moderate effectively is a generally good idea.
It actually adds a tool for harassers, in that targeted harassment can’t be tied back to a harasser without the cooperation of their instance admin.
In reality, I think a better answer might be to anonymize the username and publicize the votes.
Hmm, yes.
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI), making it easy to spot people like this and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).
That’s cool. I wonder what my attitude is and I wonder how accurate the score is, if our federations don’t overlap super well. What happens if I have a ton of interactions on an instance that yours is completely unaware of?
(I think “Attitude” is a perfect word, because it’s perceptive. Like, “you say they’re great but all I see them do is get drunk and complain about how every Pokemon after Mewtwo isn’t ‘legit’,” sort of thing.)
I’ve intentionally subscribed to every active community I can find (so I can populate a comprehensive topics hierarchy ) making piefed.social get a fairly complete picture. Your attitude is only 3% below the global average, nowhere near the point where I’d take notice.
Feels to me that being able to link what people like/dislike to their comments and username is much more dangerous than just being able to downvote all their comments.
And I’d hope that in this new suggestion an admin would still be able to ban the user even if they only knew the anonymous/voter ID, though that’s probably an interesting question for OP.
I’m going to have to come up with set criteria for when to de-anonomize, aren’t I. Dammit.
In the meantime, get in touch if you spot any bigot upvotes coming from PieFed.social and we’ll sort something out.
The problem is, it’s more than just the upvote. I don’t ban people for a single upvote, even on something bigoted, because it could be a misclick. What I normally do is have a look at the profiles of people who upvote dogwhistle transphobia, stuff that many cis admins wouldn’t always recognise. And those upvotes point me at people’s profiles, and if their profile is full of dog whistles, then they get pre-emptively instance banned.
Ahh, right, got it.
Let’s keep an eye on this. I am hopeful that with PieFed being unusually strong on moderation in other respects that we don’t harbor many people like that for long.
This is great
So you can still ban the voting agent. Worst case scenario you have to wait for a single rule breaking comment to ban the user. That seems like a small price to pay for a massive privacy enhancement.
I don’t think you do. Admins can just ban the voting agent for bad voting behavior and the user for bad posting behavior. All of this conflict is imagined.
Yea, which is why I think the obvious solution to the whole vote visibility question is to have private votes that are visible to admins and mods for moderation purposes. It seems like the right balance.
It will be difficult to get the devs of Lemmy, Mbin, Sublinks, FutureProject, SomeOtherProject, etc to all agree to show and hide according to similar criteria. Different projects will make different decisions based on their values and priorities.
…and it still doesn’t solve the issue that literally anyone can run their own instance and just capture the data.
The OP discusses exactly a solution to the anyone setting up an instance to capture the data, because the users home instance federates their votes anonymously.
There maybe flaws in it, not that’s exactly what it aims to solve.
Plus, if you know your votes are public, maybe it’ll incentivise some people to maybe skip upvoting that kind of content. People use anonymity to say and promote absolute vile things that would never dare say or support openly otherwise.