We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn’t).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I’ve done my best to think through the implications and side-effects but there could be things I missed. Let’s see how it goes.
Cool solution. It’s great to have multiple projects in the fediverse that can experiment with different features/formats.
For those who are concerned about possible downsides, I think it’s important to understand that
- PieFed has a small userbase
- Rimu is an active admin, so if you are attempting to combat brigading or other bad behavior and this makes it more difficult, just send them a DM and they will be happy to help out
This is a good environment to test this feature because Rimu can keep a close watch over everything. We can’t become paralyzed by the hypothetical ways that bad actors might abuse new features or systems. The only way forward is through trial and error, and the fact that PieFed exists makes that process significantly faster and less disruptive.
This is an attempt to add more privacy to the fediverse. If the consequences turn out for the worse, then we can either try something else, or live with the lack of privacy. Either way, we’ll be better off than having never tried anything at all.
Just upvoted myself but nobody else knows 🤫
Edit: Actually I forgot to toggle the setting before voting on my own comment, so admins will see my @imaqtpie@piefed.social account upvoted the parent comment. Worth noting that it needs to be manually enabled.
Then I turned the setting on and voted on a bunch of other comments in this post. My anonymized voting account appears as @hED5TzoZomb@piefed.social, admins should be able to see it by checking the votes in this thread.
Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.
Point being, you can still track serial downvoters and harassment just as easily. But now you will need to take an extra step and message the instance admin (Rimu) and ask that they either reveal the identity of the linked profile or deal with it themselves. And that’s a good thing, imho.
This puts the privacy shield in the hands of a users instance admin. I like that approach, but I’m sure others will disagree.
This is more or less how it worked on Reddit. The admins handled vote spam or abuse, there was absolutely no expectation for moderators to have that information because the admins were dealing with the abuse cases. Moderators only concerned themselves with content and comments, the voting was the heart of how the whole thing works, and therefore only admins could see and affect them. Least privilege, basically.
I think a side effect of this, though, is that it increases the responsibility on admins to only federate with instances that have active and cooperative admins. It increases their responsibilities and demands active monitoring, which isn’t a bad thing, but I worry about how the instances that federates openly by default will continue to operate.
If you have to trust the admins, how do you handle new admins, or increasingly absent ones? What if their standards for what constitutes “harassment” don’t match yours? Does the whole instances get defederated? What if it’s a large instance, where communities will be cut off?
I don’t ask any of this as a way to put down this effort because I very, very much want to see this change, but there’s gonna be hurtles that have to be overcome
Ultimately I think the best solution would need assistance from the devs but I’m lieu of that, we have to make due.
Hey, Lemmy admin here. If I ban an anonymous account, does the account it’s tethered to also get banned?
No but perhaps it should!
PieFed lacks an API, making it an unattractive tool for scripting bots with. I don’t think you’ll see any PieFed-based attacks anytime soon.
PieFed tracks the percentage of downvotes vs upvotes (calling it “Attitude” in the code and admin UI ), making it easy to spot people who downvote excessively and easy to write functionality that deals with them. Perhaps anonymous voting should only be available to accounts with a normal attitude (within a reasonable tolerance).
Kind of but technically, no. Please see https://join.piefed.social/docs/piefed-mobile/
If the same account is voting in the same direction on every single post and comment in an entire community in a matter of seconds while contributing neither posts nor comments? Yes, vote manipulation.
If one user is following another around, down voting their content across a wide range of topics? Yes, targeted harassment.
Would banning the voting half of the pseudonymous account not mitigate the immediate issue? Then asking their instance admin to later lookup and ban the associated commentating account.
Sure, but by the same token, mods are just as capable of manipulation and targeted harassment when they can curate the voting and react based on votes.
On reddit, votes are only visible to the admins, and the admins would take care of this type of thing when they saw it (or it tripped some kind of automated something or other). But they still had the foresight not to let moderators or users see those votes.
Complete anonymity across the board won’t work but they’re definitely needs to be something better than it is now.
It’s against the CoC of programming.dev and we have issued warnings to abusers before. Last warning given for that was 13 days ago and was spotted by a normal user.
This is quite a smart solution, good job !
You’re a hero for making this happen in… 24 hours? 48?
The issue won’t go away, we’ll see how well everyone else deals with it, but this is a super strong argument for your system / server.
(Advertise it. Advertise it HARD. “piefed, we have private votes”.)
Dude this is genius
I am interested to see how it plays out but the idea of the instance admin being able to pierce the veil and investigate things that seem suspect (and being responsible for their instance not housing a ton of spam accounts just as now) seems like a perfect balance at first reading
Edit: Hahaha now I know Rimu’s alter ego because he upvoted me. Gotcha!
