Skip Navigation

Lemmy votes ARE public, should they be anonymous?

Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can't. Should the Lemmy devs create a way to make the votes anonymous?

There is a discussion going on right now considering "making the Lemmy votes public" but I think that premisse is just wrong. The votes are public already, they're just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.

The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don't tell anyone.

261 comments
  • Should the Lemmy devs create a way to make the votes anonymous?

    I'm not sure if there is a good way to have the content federate anonymously. Even if there was, it would be a vector for spam.

    Vote manipulation is a growing problem on Reddit. It's only getting worse with all the AI spam bots and they don't have an incentive to stop it. Why trust a review on Reddit if bots are upvoting/downvoting on behalf of a company, or worse what happens in news communities when a well funded group wants to change perspectives.

    Admins need to know if the votes/likes coming in are legitimate, else they should block them. It's too easy to abuse anonymous votes to affect how content is ranked.

    I left a long comment in the other thread which I will link in a moment, but I think either

    1. We keep the current setup, but we put in more effort to make new users aware that vote records are visible to admins/mods
    2. We make it public for everyone and take steps to deal with the new issues that it could cause

    Other comment on the benefits/issues: https://lemmy.ca/comment/11097046

  • "If you have nothing to hide then you have nothing to fear."

    Given the strong presence of the privacy community on Lemmy, I have to say that I'm a bit shocked to hear so many in these discussions chiming in to support voting transparency.

    I'm on board with the idea of using ring signatures to validate the legitimacy of a vote and moderating spammers based on metadata.

    Or, for something (potentially) easier to implement, aggregating vote tallies at the instance level (votes visible to your instance admin and mods) and federating the votes anonymously by instance, so you might see something like:

    Up/down votes are the method of community moderation that sets Reddit apart from many other platforms. If the Lemmy community is trying to capture some of that magic, which is good for both highlighting gems AND burying turds, radical transparency isn't the path to get there.

    In fact, I'd argue that the secret ballot has already been thoroughly discussed and tested throughout history and there are plenty of legitimate examples of why it would be better if they were more secret than they are today.

    Many people have brought up the idea of brigading, but would this truly get better if votes are public? Is it hard to imagine noticing that an account you generally trust has voted and matching their vote, even subconsciously?

    For those who feel that they aren't able to post on Lemmy because downvotes make you feel sad, my feeling is that if you make posts in a community and they consistently get down voted to oblivion, you're in the wrong place. The people in that community don't value your contributions, and you should find another place to share them. This is the system working as intended and the mods should be thankful that such a system has been implemented.

    The last point I'll make is about the potential for a chilling effect - making users less likely to interact with a post in any way due to a fear of retaliation. Look - if you're looking for a platform where all of your activity is public, those are out there. Why should we make Lemmy look just like every other platform?

    • Agreed. 10/10.

      And you don't even need real crypto here to start. The home instance can just send vote actions as fixed unique tokens. The way the trust framework currently works, this is literally a drop-in replacement and introduces no new spam/brigade vulns which don't already exist from a rogue instance. It would be imperfect, and may still make it possible to correlate and infer vote patterns for a sufficiently motivated adve, but it would raise the bar for protecting user telemetry by a huge factor with very minimal effort. I'm honestly a bit surprised it hasn't been done already.

      • introduces no new spam/brigade vulns which don’t already exist from a rogue instance

        It does though. Now a rogue instance would have to have "believable" profiles for the accounts that vote, because an instance of just "lurkers" who seem to suspiciously vote is a pretty big signal of vote manipulation. If you only see a random identifier (or not even that, just a tally of votes) it'd be impossible to tell if it's truly the instance's users just passionate about something or actual vote manipulation.

        In other words it would at least make the problem way worse.

    • Is it hard to imagine noticing that an account you generally trust has voted and matching their vote, even subconsciously?

      Not only is it not hard to imagine its easy to imagine the benefits of using this information automatically. I could imagine a client side script which re-ordered content based on who I trusted who had up or down voted it.

      So I have users A B C D E F who are known to me who have voted on a given post. D and E are idiots I disregard their votes. F literally hates everything I love so I count his votes inversely. A and B are fantastic I count them x10 I tend to agree with C so I count his x2.

      Not only can I potentially re-score threads and comments based on whom I trust I can if I really trust someone's opinion apply their weights as well, and the weights of the folks upstream.

      • Yes, I too salivate at the idea that I could simply disappear all of the ideas I disagree with, but that is exactly how to turn a community into an echo chamber.

        So I have users A B C D E F who are known to me who have voted on a given post. D and E are idiots I disregard their votes. F literally hates everything I love so I count his votes inversely. A and B are fantastic I count them x10 I tend to agree with C so I count his x2.

        What you are suggesting here is, as I'm understanding it, a way to only get feedback from people you agree with and to never experience a critical discussion of ideas based on their merits.

        Now, I'm not here to suggest that Lemmy is some kind of shining beacon of drama-free intellectualism, where every idea is discussed without bias or agenda, but I DO think it is valuable to hear from people whose lived experiences led them to a different conclusion than the one I've reached. Obviously there needs to be a mechanism to remove trolls from the discussion, but I fear a world where we only see content that we agree with, because then we will truly be removed from reality, and that's not why I'm here.

      • I want to have the ability to turn on my echo chamber, when I want it, and also to be able to turn it off, when I want to step outside of it for awhile. This doesn't have to be a toggle - it could be having an alt on a different instance.

        I don't want this choice made for me by people who think they know better how to run my own life than me. They can write an appeal that I will consider, but ultimately I want to make my own choice.

        Having votes be publicly viewable allows us all the freedom to do as we choose with that information - including to ignore them entirely. What I would probably do with it is make large block lists of people on lemmy.ml, since it turns out that user blocks of an instance don't block all that much. Fwiw, for everyone I've blocked in the past, I look through the post history to see if they merely are being disagreeable on a particular matter but overall are capable of contributing something substantive to a conversation, or are nothing more than a troll, setting out to vomit their emotions upon everyone worldwide across the Fediverse.

        I've been a mod before, on Reddit, and am under no illusions anymore that everyone is worth listening to - a downvote from someone rational I will give serious thought about, but an idiot is an idiot, even if a community mod hasn't banned them (yet?).

        It's like autocorrect: feel free to make suggestions, but it would be nice if I could have control when I want it, including/especially not wasting my time.

  • With the current way that ActivityPub works, this isn’t really possible. Every vote needs to be signed by some real user; if that changed such that anonymous votes were accepted then there’s nothing to stop any random person from adding 5 or 5,000 anonymous votes.

    • What it the instance signs the activity? Then it propagates to others instances after local validation. That way only local admins would have access to voting data. Malicious instances could still be defederated/blocked/have votes disregarded.

      • The problem with that is, can you really trust most instances out there? If you're a sketchy admin, it's not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There's no way to detect it, not even the other users.

        That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

        With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there's no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.

        I wish it could be more private, but I can't think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn't use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.

        For privacy, there's always alt accounts and recycling accounts often. Or treat the votes as if you were commenting "+1" or "-1".

        Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.

        Personally, it's a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.

        1. You are still trusting the instance admin. What if the admin pushes a code patch that transforms every like into a dislike based on a keyword?
        2. Your history will never be fully portable.
        3. It creates some weird dynamic: are we going to start dividing ourselves into "instances that obfuscate voting" and "instances that prefer transparency"?
        4. What is the criteria for "malicious"?
    • I bet you could do it with ring signatures

      a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set's members' keys was used to produce the signature

  • Wouldn’t it be easier to leave it as an option for each user on Lemmy?

    If users want anonymity, let them have it. If they want to share their vote, let them do that. Forcing one option on others without the voice of the usually silent majority isn’t going to fix anything, it’s just going to scare some people away or start posts requesting it private again; or optional.

    Not to mention, using this method you will quickly see how many users really wanted this option based on how many leave privacy enabled or disabled, instead of listening to a current vocal minority.

  • I'm at the completely opposite end of the spectrum of most people, they should be public to all. It makes it clear whether the guy downvoting you is doing so maliciously or as a non-participant. Same for upvotes. Otherwise, just get rid of it and find some better mechanism. The people saying "NO!" or that they should be anonymous don't really have a reason, your comment history is already giving you away and no one has a problem with that.

    The worst thing public upvotes/downvotes might lead to are the same things your comments are already profiled for by the same people that would and perhaps a random getting mad at your downvote or upvote and voting back, which doesn't matter that much with the current karma system. The benefits, however, are a clear vision of where those upvotes and downvotes are coming from, without it you are a blind person in a social networks but with it you can tell who is interacting with you and you can investigate why and even make judgement calls because you can see whether they interact like a jerk.

    No drama witch hunts, accountability for the way you are interacting online, the the benefits outweighs the drawbacks, but people don't want it because they feel insecure about it. I specially favor it because it could be a first step for a form of crowdsourced moderation (speculated on it here), where you can choose the people you think are voting comments to your taste to eventually have a select group large enough to determine which should show up first and which shouldn't show at all, and it could be completely complementary to existing systems. Don't want to see "yes, I agree" comments sorting as the most relevant? You might choose people who do not upvote but have engaged with the rest of the thread for comments you consider more informative.

    No one from kbin/mbin instances can check out the downvotes you make, since this attitude has been so widespread many don't report it to those instances. They can see people who upvote, and the sky hasn't fallen because of it. Anonymity largely only helps the minority making the drama remain hidden.

    • the world is an interesting place, the very reasons you gave "for" it is why I was against it. I don't agree that it won't cause witch hunts, and from the POV of the commentor it might be nice, but from the POV of the person who is giving the vote, it's a severe downgrade.

      Especially considering the fact that if the person downvoted but didn't leave a comment afterward they likely would not have downvoted in the first place if it wasn't anonymous because they don't want to have to deal with the social interaction of someone trying to push them to explain further. Not everything needs a detailed this is why I feel this way, that's why there is a upvo and down vote system in the first place, to prevent everyone from leaving a comment of I agree with this / I disagree with this / this is on topic / this is off topic

      In addition to this, to say that no one's giving reasons of why voting should be private, I don't think that's a truthful statement there are plenty of reasons that people have provided via privacy, security and sometimes just mental state.

      You mentioned that you want to have a system where you choose what people you see and the people you don't agree with don't appear., I think that type of environment is extremely unhealthy for a social media platform. It's why other platforms that have curated that content is starting to become a cesspool. I really don't want to see lemmy become one big Echo chamber, it's not healthy to have only one ideology that you see at all times and let's face it that's what that system you're proposing would introduce.

      Additionally the system your proposing is going to run into the same issue as the other websites that have attempted to do, this sort of system leads to new people inadvertently getting filtered out as untrustworthy, which will mean that they're not getting activity on their posts/ comments as well which means that they're just going to move on to another platform.

      Honestly, I think I would rather just have the score system be removed as a whole then see that type of system implemented

      • I know that's probably why you do, like I said, people feel really insecure about it. I don't really respect irrational insecurity though. Your comment history could also lead to witch hunts, yet no worries there... If it does need to be handled, it should be done by automatically deleting your old up/downvotes and comments. But no one is asking for that with comments either... They only take in issue because they don't want to be held accountable to their votes, even if the probability is practically zero and extremely exceptional.

        If you really don't want to explain why you are downvoting, I really don't think people should be downvoting. I very rarely downvote, and there are plenty of comments I neither upvote or downvote simply because not everything should be rated nor am I capable of doing so. It is toxic.

        You already have a system where people with alts and moderation privileges decide what you see and don't see, this will happen regardless with information saturation. What I want to have is putting that in the hands of the users. Whether it will be good or bad will depend on the users, and because it would be complementary, you could still accept the traditional or default method. More choice is not bad, it is the users that make it bad, and in this case, they would make it bad only for themselves. But it would also be easy to work this system into something like https://ground.news , where as with a homogeneous imposition you don't have a choice nor even an idea of what is being censored if you don't go out of your way to find out. If it's completely transparent, you could even look through the eye of another user's moderation settings to see the sort of content they are getting.

        Not sure where you are pulling the "new users get filtered out as untrustworthy", the system I'm proposing would do not such thing. This seems more like a projected insecurity without specific examples that can be countered.

        Without a karma system, the problem then goes back to which comments show up first and which might not show up at all. That's just a traditional forum thread, where the newest comments do.

  • Sounds like opinions are pretty mixed. Maybe we should put it to a vote.

    But then how do we decide if that vote should be public or not...

  • I am the admin of a website where we have a place where our users can post custom content and rate the content of others.

    We have discussed how it works and should work many times and came to the conclusion that we'd never want it to be public. Any report of abuse will be checked by the website owner directly in the database and even admins don't have full access. Everybody tries to stay as far away from the personal ratings as possible.

    We also noticed that it would be a lot more fragile when there are not many voters. A whole group that is negative about something wouldn't get as much harassment as a single person having a unique opinion.

    On our website we have a comment section that isn't anonymous, and we even noticed that people often don't post something negative when it would be obvious that they are the only one who has voted/rated something. ("Negative" is almost always constructive in our case)

    These are just a few things that I think add to this discussion.

  • How about pseudonymous as a compromise? Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can't tie it directly to comments or actual user accounts without some extra osint.

    It might be theoretically possible to correlate the uuids with an account's activity and dox the user in some cases, especially with some instances having a single user, but it would be very difficult or impossible to do on larger instances and would add an extra layer. Single user instances would be kind of impossible to make totally private anyway because they can be identified by instance.

    • Votes could be publicly federated but tied to some uuid instead of the username. That way you still have the same anti spam ability (can see that a user upvoted these things from this instance at this time) but can’t tie it directly to comments or actual user accounts without some extra osint.

      The issue with that is with malicious instances that could engage with vote manipulation by just generating new IDs and voting for whatever they want. If you can't look back at the profile and determine whether it's a real, non-spam account, it's a pretty big issue unfortunately.

      You also have an issue where someone could potentially vote with "your" ID without any way to detect that it's not actually "you" who sent the vote.

  • I've been thinking about this for several hours since I first became aware of the debate.

    I don't care that much in theory if anyone sees my votes. They aren't anything I'm particularly private about. I care about conversation way more than up/down votes.

    However, some people get a little upset about being downvoted. I think it will result in retaliatory downvotes. You already see that when two folks are arguing. I don't normally waste my time downvoting a post I'm writing a rebuttal to, but when they are downvoting me I tend to do it back. I think if everyone had easy access, they would hunt down their down voters posts and retaliate regardless of the quality of the comments.

    Lastly, I wonder if this will give rise to a client that lets you use one account to post/comment and a different one to vote. And if it does, will that be better all around? Then no one will be able to associate votes with a user. But it seems unnecessarily wasteful to create a whole account that does nothing but vote. It seems like it would deny mods (and everyone) a useful tool for identifying bad actors.

    Technically, anyone could get access to the voters identity if they try hard enough but 99% of the users won't put in that much effort. And technically someone could already use different accounts for different activities, but without reason to create a client to support that it's too much of a pain to be worth the effort.

    So I really think I'm on team status quo here.

    • I don’t normally waste my time downvoting a post I’m writing a rebuttal to, but when they are downvoting me I tend to do it back. I think if everyone had easy access, they would hunt down their down voters posts and retaliate regardless of the quality of the comments

      That would stop as soon as people start reporting this behavior to mods who felt enabled to ban users based on unjustified downvoting.

  • I think votes shouldn't be anonymous. Transparency is important to weed out trolls and bots. And public votes should be made easier accessible to every user not only admins/mods.

  • Yes, they should ideally. But it's hard to properly implement them in a way that will guarantee anonymity and be sybil-resistant at the same time.

  • The only fair way to handle this is for all admins to immediately turn over all passwords to the Crumbgrabber, who will act as an interface between the government and private sector interests in determining the value of each Lemmy user, and whether they are a fit candidate for the mobile infantry. Remember- only service guarantees citizenship.

  • At least NOW I can find out exactly who can call me out for saying something stupid, and thank that person for providing me with valuable information and knowledge.

    Downvotes are actually kinda useful, even I benefit from them.

    • In LiveLeak all votes were public. What happened was a lot less downvoting, but also aggrevated users would stalk your page and leave mean messages if you downvoted their comment.

      On the other hand, it was really easy to spot trolls trying to manipulate the narratives, Hasbarah and Russian trolls were really active on LiveLeak. This allowed me to block them and keep them from bombing my comments anytime I said something critical.

  • The more I spend time on Lemmy, the more I think it is in a lot of trouble. There are many serious issues that need to be addressed and I don't see how most of them can be.

    Federation is touted as a Good, but has many drawbacks. Privacy (as listed in this post for example) for one, instead of algorithm curated/focused content federated servers each enforce (subconsciously or overtly) a theme, rampant user generation off multiple servers rendering moderation pointless, and so on.

    Then there is the rampant issue of moderation abuse. It seems that the only reason to be a moderator is to not be annoyed at other people forcing their opinions on you. This reminder that admins/mods get yet another way to subject the users to their biases is the nail in the coffin IMO. "You vote this way? Banned because my feelings matter more".

    Privacy is important for a lot of people and that is impossible to get on Lemmy unless something drastically changes, but it doesn't sound like this is will ever happen. The people that can see your data is not under your control at all and I think this fact alone will never allow Lemmy to grow to a place we can be happy with.

    If admins can see data without limits, everyone should be able to. All 5 of us once that realization sinks in.

    ;tldr I don't think even admins should see peoples data but that seems impossible so...

  • Eh, I don't personally care.

    But it could lead to nastiness as lemmy expands. If enough people go to the trouble of looking it up, you get some of them being assholes because people are prone to being assholes. That leads to drama. Drama leads to nastiness and worse things sometimes.

    If that's going to be part of how lemmy works, so be it, I'm way too old to skip using a block list for assholes. But it might bite federated services in the ass, so it probably should be on the list to get implemented.

  • If that were to happen, the receiving end wouldn't know who sent which vote, thus making spamming extremely easy.

    • I did think of a few ways round it (in kbin/mbin) a year or so ago. But, it wouldn't work unless everyone using ActivityPub recognized it. It's also really a small problem in reality. It's likes and dislikes.

261 comments