Fundamental problems with private voting

submitted by PieFed dev (edited)

Several months ago I gave PieFed users the option to vote privately, where an alt/sockpuppet account automatically votes on their behalf. Since then I've been watching to see how it turned out.

  • Finding bigots who upvote transphobia (etc) is harder. To work around this, piefed shares the real vote with trusted instances, BUT:
  • trusted instances Announce votes using the primary to untrusted instances, so the privacy doesn't work most of the time
  • Maintaining a list of trusted instances is a pain in the ass.
  • People always ask why their instance isn't trusted
  • Figuring out who the primary account is could be quite easy if you have technical skills and a little knowledge of how ActivityPub works. It's not truly 100% private.

Plus, cases of admins/mods abusing their knowledge of who downvoted them have been very rare, lately. This removes most of the reason for private voting in the first place.

I'm starting to feel like private voting is not working and can't really be made to work. Thoughts?

  • Get rid of private voting: 62%
  • Keep private voting and make no changes: 14%
  • Keep private voting and try harder to make it work: 22%

Total votes: 35.

Poll closed 3 weeks ago.


48 Comments

So, there has been quite a bit of discussion on this in this thread and there was also a ton of it on matrix:

From everything I have seen, I am convinced that votes within the ActivityPub spec can't be private. Anonymizing them either breaks the spec, becomes simple for a technical user to de-anonymize, or ends up really spammy and would just be ignored/defederated by other instances.

So...just don't federate them. If a user really doesn't want their vote to be public, give them the option to not have their votes federate. It would still influence content curation and sorting on their local instance, but it wouldn't broadcast their votes to anybody that knows how to query an api. It seems like kbin (RIP) had a similar idea in the past, and scrolling through that thread is what gave me the idea to bring it up here.

Along these lines, lemmy is planning on introducing instance-wide settings to allow/block remote votes. So, something like selectively federating votes is already coming for the fediverse.
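The leak described in the first two bullets of the post (a trusted instance Announces the primary account's vote onward to untrusted instances) and the non-federated alternative proposed in the comment above can both be checked with a small information-flow model. The following is an added example, not PieFed's code; the instance names, the policy names and the assumption that the instance hosting the community Announces every Like it receives to all other instances are constructed for the illustration.

```python
"""Toy information-flow model of federated votes (constructed example, not PieFed code).

It reports which instances end up able to link a vote to the real account under
four delivery policies: public, agent (alt account votes), trusted_share (real
vote to trusted instances, agent elsewhere) and local_only (nothing federates).
"""
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    trusted: set = field(default_factory=set)   # peers this instance shares real votes with
    seen: dict = field(default_factory=dict)    # vote_id -> set of actor strings observed

    def receive(self, vote_id: str, actor: str) -> None:
        self.seen.setdefault(vote_id, set()).add(actor)


def build_network(names, home, trusted):
    """Create the instances; only the home instance has a trusted-peer list."""
    net = {n: Instance(n) for n in names}
    net[home].trusted = set(trusted)
    return net


def cast_vote(net, home, community_host, vote_id, real_user, agent, policy):
    """Deliver one vote from `home` to the community hosted on `community_host`.

    Assumption (constructed): the host Announces whatever actor it received to
    every other instance, which is the step that leaks the real actor whenever
    the host itself is on the trusted list.
    """
    home_inst = net[home]
    home_inst.receive(vote_id, real_user)          # the home instance always knows
    if policy == "local_only":
        return net                                  # nothing leaves the home instance

    def actor_for(target):
        if policy == "public":
            return real_user
        if policy == "agent":
            return agent
        if policy == "trusted_share":
            return real_user if target in home_inst.trusted else agent
        raise ValueError(f"unknown policy {policy!r}")

    # 1. direct delivery to the instance hosting the community
    net[community_host].receive(vote_id, actor_for(community_host))
    # 2. trusted_share also sends the real vote straight to each trusted peer
    if policy == "trusted_share":
        for peer in home_inst.trusted:
            if peer != home:
                net[peer].receive(vote_id, real_user)
    # 3. the host Announces what it received to all other followers of the community
    announced = set(net[community_host].seen[vote_id])
    for inst in net.values():
        if inst.name not in (home, community_host):
            for actor in announced:
                inst.receive(vote_id, actor)
    return net


def can_link(net, vote_id, real_user):
    """Instances that observed the real account as the actor of this vote."""
    return sorted(i.name for i in net.values() if real_user in i.seen.get(vote_id, set()))


def compare_policies(home, host, trusted):
    """Run one vote under every policy on a three-instance network (constructed names)."""
    names = [home, host, "other.example"]
    real_user, agent = f"alice@{home}", f"agent-7@{home}"
    result = {}
    for policy in ("public", "agent", "trusted_share", "local_only"):
        net = build_network(names, home, trusted)
        cast_vote(net, home, host, "vote-1", real_user, agent, policy)
        result[policy] = can_link(net, "vote-1", real_user)
    return result


if __name__ == "__main__":
    for trusted in ({"host.example"}, {"other.example"}):
        print(f"trusted peers = {sorted(trusted)}")
        for policy, who in compare_policies("home.example", "host.example", trusted).items():
            print(f"  {policy:14s} real account visible to: {who}")
```

Running it shows the point the post makes: as soon as the instance hosting the community is on the trusted list, `trusted_share` exposes the real account to every instance, exactly like `public`, because the host re-Announces the Like it received. Only the `agent` and `local_only` policies keep the mapping on the home instance, and `local_only` does so without any second account to de-anonymize.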

I'll share your elaboration of this idea here because it deserves a wider audience:

For people who turn on private voting:

you click the vote button one time to vote locally, then click it again to federate that vote out if you are comfortable with that vote being public

Currently, the second click removes the previously cast vote. I guess that would continue to be how it works for those who didn't turn on this feature.

how would someone remove their vote in that case, without first making it public?

Gah. I didn't think of that.

Maybe, by casting a vote in the other direction?

I guess if it's public for a second and then immediately removed that's not the end of the world.

Yeah, I think that this paradigm would require a UI change for voting. I can imagine two different scenarios:

  • Like mentioned above, clicking a vote button a second time triggers federation. This would likely require a separate button on the voting bar dedicated to removing your vote.
  • Another option would be to have two upvote buttons/two downvote buttons; a local vote button and a federated vote button. Clicking the federated vote button also votes locally, but not vice versa.

I think that apps are unlikely to implement something like this, so the api would probably be ok to just stick with only local/only federated based on user preference.

for apps i could see this being the difference between a short and a long press on the voting button

The entire point, as far as I see it, isn't that this is meant to be an absolute anonymous function, but that it provides a layer of plausible deniability if my account was doxxed years down the road. I am profoundly uncomfortable with how ActivityPub makes these things public not just to admins but to anyone on the network, and there are already websites popping up to display that activity to anyone. In the future, if my account is doxxed, there's a world of difference between someone being able to query my user activity on a search form, versus needing to forensically link a bunch of anonymized database entries.

Why are there trusted instances? Why not remove them so only the instance casting the vote knows?

Personally, private voting is my primary motivation for using PieFed; it's awful that with Lemmy everyone knows every little thing someone likes or dislikes. There is a reason voting IRL is private. The government can equally see that you are liking things that may one day put you at risk. Being able to upvote posts criticizing certain politicians from my server in Canada without getting detained at the border is invaluable in this day and age.

Edit: I've given my best effort to try to convince people that handing all the world's corporations and governments granular data on everything we like/dislike is bad. Why pay and strike a deal with Reddit when the fediverse will hand it over for free?! If the feature is removed, I'll just create a fake account or not vote until someone implements this feature, because I feel strongly on this issue.

In principle I agree with you.

In practice I've found that occasionally admins have a legitimate need to access voting information, to detect vote manipulation and to detect abusive people. It is very hard to provide that access, in a federated environment with lots of different software, while also being private. At the moment I don't see a way to make it truly work.

They can work with the admins of other instances. A set of tools to flag accounts and communicate issues. Defederate “voting” only on instances that don’t address issues.

They can work with the admins of other instances

this isn't realistic if you are reviewing hundreds of accounts potentially involved in vote manipulation.

the votes themselves aren't the only signal useful for identifying these accounts; other user activity can help a lot to reduce the number of false positives.

The work has to be done at the account creation stage by the home instance, motivated by the fact that if they let people sign up with little scrutiny then their instance won't get to participate in voting. The ease of unaccountable creation of accounts is the real issue here. We can all create fake accounts and manipulate votes still; the tools to address that across a decentralized network are what's needed most. I think there is a lack of willingness to think through and build these solutions because they are indeed hard work, but they are worth it. Wouldn't the fediverse be better if we could limit a person to one vote across all their accounts? It's a thing we really could figure out, but we don't have a chance if as a community we struggle to imagine what the power of this will be when it lands in the hands of someone we hate. AI companies don't have to make a deal with Reddit anymore, governments don't have to get a warrant from a judge, we're just giving it all to them.

this basically boils down to requiring globally unique identifiers of users, and then still having them tied to voting, to ensure people can't just sign up on multiple instances to vote multiple times.

this isn't an issue with hard work, this is an issue with how much identifying information are you willing to collect and store, as well as requiring users to provide this. maybe you would be okay with providing your id on signup, but the majority of people won't be okay with that. this is also not data that i would want to store as a server operator, as this is a huge liability.

once you have this kind of unique identifier, and that allows you to prevent the same person from voting again, how do you imagine this could be done in a private fashion? it is just not possible. especially when considering your arguments about law enforcement requests, this would be even more transparent.

Frankly, as a user this isn't my problem and is orthogonal to the reasons I care about private voting.

private voting has already been changed to non-federated voting, so the original point is no longer relevant, but it absolutely is your problem if you want your votes to have any meaning. otherwise you could just not vote. if your instance is just telling me there are 20 accounts that vote very similarly and I don't have means to verify the authenticity of those accounts, I'd rather ban them all, and if you get caught in that then your votes don't matter anymore at all, at least as far as federation to my instance is concerned. otherwise I could just create a bunch of alts and downvote all your content; after all, nobody could verify if this is coming from authentic users.

Can't the admins just ban the voting agents?

Yes, they can and as long as there are only a handful (like PieFed in the early days) they won't mind the extra work. They probably won't even notice.

But if they get tired of doing it dozens or hundreds of times they might take the easy route and defederate your whole instance. Especially if it is a very small instance with no communities of interest to them.

I wouldn't, but others might.

I guess I don't understand what the difference is between banning an agent versus banning the user in terms of vote manipulation. And the idea that politics is the real issue here rather than technology just seems terrible.

@Paige @rimu

I always assumed the purpose of publishing websites was to publish stuff, and if we didn't want to publish something we could not publish it.

Not sure mine's the prevailing opinion though!

This seems like a semantic argument. The general public do not see casting a vote as "publishing a vote" and have an expectation of voting carrying a certain level of anonymity. Comments and posts are in public; that's understood to be something we can hold people accountable for.

this depends a lot on how the platform is presenting this to users. some platforms make votes always visible to all users, others only expose numbers to the average user. a huge part of the issue at hand is the disconnect between users thinking votes are private and the reality of them not being private.

Isn't the answer to have an acct not tied to your real identity?

Why not both? This stuff has levels. If I was a democracy activist in China, logging in with anonymous details on a VPN combined with private voting would be great. I’m a Canadian citizen, I just want the modest barrier of being able to vote on and disagree/agree on stuff without broadcasting it to the whole world.

The entire issue is that every action on Lemmy is public and that data gets vacuumed up by everyone and everything on the network. If I get doxxed on Reddit, I am pretty sure that all my activity won't get leaked, but on the fediverse it's everywhere. You are putting every single thing you do into a huge archive for any malcontent, asshole or even state actor to record in an incredibly trivial way.

This. I don't understand why this is being rolled back. If the issue is with bigots then just ban the voting agent. Seems easy enough.

the way i see it, social media is a public forum, and while in public people need to be held accountable for their actions. hiding this data only ever puts obstacles in the way of people who want to get something done but don't have the motivation to do something about it. a sufficiently motivated person will find a way around the private voting, but the average user will not. providing the data publicly only adds to the accountability of people on your platform.

Any dedicated adversary can still break into my house. Why do I put locks on my doors? Why don't I give my keys to everyone I meet? There is still utility in preventing the vast majority of other users from using your voting information against you.

People will just create an anonymous account that’s not linked to their identity like the old social media. There’s something funny about the fact I am having to defend private voting on here as the only person not using a pseudonym. Without private voting anyone like me who believes that it’s important to be accountable will just have to switch to a sock puppet account because I don’t want such a massive 100x volume of data on what I think about everything I read dumped on the internet.

The chilling effect of public voting is also definitely a problem. Maybe users will think twice about upvoting that controversial post about ICE, or downvoting a post from a community moderator. Keeping people honest works both ways in this regard.

Yes. One consequence of everything you vote on so easily being monitored is less engagement on the fediverse. For example, I've been stopped at the border and investigated for a few hours. If I vote on reddit, that border guard doesn't have easy access to that and it's only the guard on the US border. This on the other hand, anyone, anywhere. Way too easy: https://lemvotes.org/user/[email protected]

oh daaamm, that sucks

How would that border guard know your Piefed username?

Reddit collaborating with the US government also isn't completely out of the question.

In my (personal) opinion, letting trusted admins have access to private voting data is not nearly as much of a concern as having data harvesting companies scrape users' public voting sentiments for selling and profiling. The possibility of user stalking is also not great; if votes are fine being public, why don't we add links to every comment showing which users voted which way, and add links to every user profile showing a list of their votes? There already exists a site that can show public voting data, and if the threadiverse is intended to become a large platform, there will quickly be a userscript that adds this functionality. It feels to me like private voting is a positive goal, and trying to retroactively think of reasons why we don't care about it just because no one's thought of a good way to do it yet seems like sour grapes. IMO I'm okay with understanding that it's a hard problem that may need more brainstorming on a better solution for the future, but I feel like completely giving up on it is bad.

You raise some good points.

One day if PieFed is in a more dominant position we could be able to push harder for fundamental changes to how things work. But protocols are hard to change - that's why email still has spam even after 40 years.

why don't we add links to every comment showing which users voted which way, and add links to every user profile showing a list of their votes?

Mbin does that: https://fedia.io/m/[email protected]/t/2328607/PieFed-1-0-is-released-dev-update/favourites

Right - I meant why was that not the standard from the beginning on Lemmy and PieFed? I.e., it feels like we originally wanted votes to be private and are only capitulating now because we don't know how to do it. I also know that there's this Lemmy issue where people voted overwhelmingly to not make public votes easily accessible.

Kbin even had downvotes publicly displayed, then made that information hidden.

Here is the conversation from 2 years ago: https://codeberg.org/Kbin/kbin-core/issues/455

it feels like we originally wanted votes to be private and are only capitulating now because we don't know how to do it.

It's more that with tools like https://lemvotes.org/ , whatever the devs do doesn't really matter, people are going to see votes anyway.

Seems like you already have an answer in mind but need a little bit of nudging (and assurances) from the community : )

I am indifferent about the feature. I don't use it but I think the option is nice, though as you suggested it barely works. Seems like stuff you should put on the back burner for now.

I agree. I fully understand why a user would want private voting. However, the voting data has actually done a lot of good at helping detect/prevent vote manipulation and sock puppet accounts. The community of instance administrators has built up a host of techniques to help keep lemmy/mbin/piefed a little nicer, and public voting is a very useful tool in that respect.

Comments are public. Votes are a shortened version of comments. Having them public seems logical.

Private messages are also public. These are not virtues of the protocol, they are shortcomings which mean I rarely use it for voting or for direct messages. Which is a shame because I’d like my discussion forum interactions and group chats helping the network effect of the fediverse.

private messages are not public. they're also not sent out to all other instances. private messages are only seen by the sender's instance and the recipient's instance.

the only non-private part about them is that someone with access to the instance database can extract them, but that isn't any different from a non-federated platform. the only way to mitigate that is by ensuring strong e2ee that isn't managed by the platform, where the keys are only available to the user.

Edit: Private posts are too public for me.

what do you mean? what are private posts?

Personally, I prefer having votes public. Mbin does this and makes it so that voting data of a post is accessible for everyone so there is no expectation of privacy. For ActivityPub and federation to work, transparency seems to be really important.

Many forums also have "votes" (often called "likes") which are public. The list of people who liked a post in a thread is clearly displayed. Public liking is also present in many mainstream social media like Facebook, Instagram, Twitter (pre-Musk), and TikTok.

I think that voting in social media is just a very simple expression of "I like this, I agree" and "I don't like this, I disagree". Now if association is a concern, then shouldn't comments be anonymous too? I think that the burden of anonymity should be placed on the user. They should be using VPN or Tor if they are really concerned about association. Besides, if it's politics we're talking about, comments are much more valuable than likes in discourse.

I guess it really depends on the type of culture being built. Personally, I would prefer the culture of accountability and discourse.

Damn I am really upset to hear that you are dropping this. I was a big evangelist of this feature as I think public voting is a privacy and potential security concern. I will probably stop using piefed and may even get around to forking it and rolling my own private voting system. That's how much I care about this.