[Poll] Anyone can make 100 accounts with VPNs and vote with the current process, should we restrict voting to IP address?

What if I have multiple people in my household who want to vote? One vote per IP address would not allow for this. And as others have pointed out, sophisticated users can get around the IP restriction.

I think putting up even small hurdles would drastically cut down on the bot problem. I outlined one idea here: https://sh.itjust.works/comment/455909

It is basically go out and solve a CAPTCHA, then vote, pasting in a url with your vote that verifies you solved the CAPTCHA. A script should be able to verify that the url is indeed for the user who cast the vote. It is not a bulletproof method, but raises just enough of a hurdle that is would be hard for bots, but realitivly easy for humans (we'd want an audio version or other alternative for the visually impaired; I'm not sure what the state of the art is).

Doesn't solve the problem of one real person operating several alts. Frankly, I don't know how important that is to solve.

What if 300 students sharing an IP from the same dorm want to vote, should 299 of them be ignored?

Yeah, I don't turn my vpn off, period.

Not that it matters. If this instance gets enough fake accounts just to game voting in this single community, we're fucked. You get that many fakes and moderation becomes a full time job. Lemmy doesn't have the tools to cope with it on a moderator level (and from what the admin of pond of the bot attacked instances said, the admin tools are weak as well).

This just makes voting a pain in the ass. Add in a rule about writing a coherent sentence along with your vote, and you'll reduce fakes without the need to leave the app/page, or deal with VPN usage invalidating the ability to participate.

Secure and accurate electronic voting is a very hard problem to solve.

One of the ways to mitigate this issue is to not have votes on nuts and bolts issues and rather have discussions and votes on guidelines and policies. '[Vote] Should be ban Xxx User?' is not a good kind of vote since it is way too specific, '[Vote] Should we add xxx rules to the instance-wide rules?' is a bit better. That way people provide input but still rely on the instance staff to use their judgement to handle the myriad of issues.

Democracy takes work.

Using an off-site tool for voting trades our current problems for others. We would have no way to limit voting to only users of this instance, allowing anyone to brigade our votes.

Basically, the same problem as a single user making 100s of accounts to manipulate a vote.

I think instead we need to limit voting to user accounts of a certain age, and with X number of comments. We can all help with this by reporting accounts that are too young, or appear to have bot generated comments.

Until new tools are developed and built into Lemmy for voting, we'll all have to chip in. Because...

Democracy takes work.

This is an interesting topic, I would like to discuss further.

Locking down votes to accounts on the instance is important - the current system of Aye/Nay comments natively beats strawpoll on that account.

Since this instance is anonymous, having some amount of accountability to other users is also important. Even I can go through and at least audit comments to be sure they're on the instance and active users. This is another point where, again, strawpoll falls short.

I agree the system isn't perfect, but IP locking is also an imperfect solution. There are absolutely VPN solutions that will beat strawpoll's VPN identification, and there very well could be legitimate votes that would share public IP addresses, especially as the instance grows. I think I'm unconvinced that ensuring unique IP is vastly more important than the benefits the current system provides.

All that said, I don't know what a perfect solution would look like, but I would expect it to address ALL of these points (deep integration with lemmy, user auditability, and basic protection from fraudulent votes). I'm honestly curious what your thoughts are here - do you have a more comprehensive proposal to address my above concerns?

I feel like we need more robust tools like built in polls with options as to who can vote, rather than going off site. I think that age of accounts is a factor that might help reduce the amount of bad actors and brigading a poll. For instance an option that prevents accounts newer than the poll from voting. This is of course not a silver bullet, but I think it would help protect polls without punishing people who use vpns like myself.

I wish there was a system where you could add an actual poll in a Lemmy post and have the option to only have accounts logged in on the instance vote on it. This would solve about 98% of the issues it seems like the current system has

I'm not directly on instance, and won't participate beyond pointing out there's plenty of ways to subvert log by IP services.

I don't know what the right model is, but I'm not sure going propritiary for the solution solves the issue. If anything this is more an open call to FOSS devs about specific tools needed, because otherwise I think you're fighting a losing battle to purity testing about whom you represent.

Just food for thought.

Doesn't using a VPN mask your IP address?

I think restricting votes to accounts whose cake days are from before the announcement of a vote's discussion thread should do it.

Got another idea: Remove accounts that only vote in !agora. The idea is we're trying to have a community here, right? So if ALL an account does is vote in the Agora and it posts nowhere else...ban that account.

I've been consistent in my advocacy for more robust voting tools that might be off-site and not on Lemmy, my only concern with your suggestions is that strawpoll is proprietary, right? I haven't heard of livepoll before so I don't know much about it.

I'm passionate about direct democracy and consensus-based decision-making, which I feel would be perfect for the way sh.itjust.works is attempting to be moderated, so moving to systems where we can track results and ensure the integrity of the vote is paramount to me. I don't like the current system of just typing "aye" in a top-level comment. It's working now, but I feel like it's only a matter of time before something goes wrong with it.

Do we really care this much at this point? Like really.. if people are going out of their way to do this, they should: get a life.

Besides that, people tend to share ipv4s in some configurations. Also some people don't have ipv6.

If you use another service, you have no way to know if a person has an account here or not.

This is a topic that i’ve been meaning to start a discussion about but haven’t had a chance due to the level of detail i’d like to provide.

I will also be posting the current logic of how vote counts are counted and also publish the code that i use for the counting.

Without going too much into detail today when votes are counted theres a few things that the logic accounts for.

1. It only counts votes at the first level (meaning anyone that replies to a vote with their vote gets their vote discarded)
2. In the event someone tries voting more than once, only the first vote gets counted, the others get discarded.
3. Users who join after the voting post is made do not get their votes counted. You must have had your account active prior to the vote post
4. External and local users get separated and counted separately.

In the future, and this is the part i’d like to discuss more in detail on another thread, is whether we factor in someone’s reputation. Lemmy currently collects a post and comment score for every user. This score is essentially = to how many upvotes your post or comments have gotten. Additionally the number of post and comments also get tracked. I’d like to see if there would be a method to use this data in order to determine if an account should have the ability to vote. This does alienate the lurkers but they don’t typically vote anyway unless its something that could affect them.

When I have some extra time i’ll post a detailed post on this so that those of you who have an overachiever mindset can provide your 2 cents.

I am not convinced. The most important thing is restricting voting to sh.itheads only. Strawpoll can definitely not do this. I however agree with the fact that even basic VPN-protection is better than no protection. A solution would be checking a users activity, however this would obviously would be done manually, which is unsustainable. It is neat, certainly safer than the current method, but instance-locking is still primary.

Wouldn't that become problematic for voting anytime the user goes on a trip?

The final tally is 10 NO, 5 YES.

Wtf? I tried to vote, but it said “You can’t vote anymore”. I hadn’t voted before.

I'm glad I posted about this because clearly it's an issue that will need to be addressed as Lemmy grows, but luckily it's not rampant currently. Restricting IP addresses (1 account 1 IP address) is definitely not the best way to go about it, but it's one way to restrict bad actors from doing bad things. The reality is that verifying whether an individual has 1 account or 500 accounts is very difficult, and most solutions potentially invade someone's privacy. Finding solutions that allow users to remain anonymous whilst also verifying that they're an individual with a single account is something extremely difficult. It's something that's going to need to be solved over time, manipulating voting is not the only thing that bad actors will do. I hope that sh.itjust.works maintains its level of good fair moderation going forward.

Most cloud will give huge ipv6 address ranges. Oci offers a /56 for free. I think we need to get instance level tools rather than going off site.

Yes

Nay!

I think this discussion should be used when fediverse is big.