Remote View

2y ago

YSK: Your Lemmy activities (e.g. downvotes) are far from private

Edit: obligatory explanation (thanks mods for squaring me away)...

What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: Obligatory RIP my inbox.

The Andromedus Galacticus Collection @lemm.ee

Cross-Post lemmy.world

YSK: Your Lemmy activities (e.g. downvotes) are far from private -

44 12

697 comments

To anyone surprised at this: welcome to the fediverse, please treat everyhing you do or say as public.
The way to achieve privacy around here is by following the long forgotten arts of the old internet before Facebook was a thing: use a Nick name and don't tell strangers on the internet your real identity.
Your home instance will act as a proxy and only they have access to your email and IP address. That does stay private.
So, as long as you trust your home instance to not leak or disclose your connection or sign up data (which would be illegal in EU countries), just sign up with an alias.
A very positive aspects of this is that it should allow us to detect voting manipulation by correlating the activity of certain potentially malicious actors. If Lemmy instances take vote manipulation seriously and do their best to block bots this has the chance to make Lemmy / Kbin much more transparent and credible than Reddit ever was.
- Lol. kids these days would psot their bank info online if the banks didn't prevent them from doing so.
  
  You say that like A/S/L wasn't a thing back in the day.
  
  I don't want to shame anyone, but I've had people sign up give me their full DoB and offering to show me their ID. I know of people who disclose their id to get access to nsfw discord communities.
  
  Wasn't there a twitter account that retweeted people posting photos of their credit cards?
  
  so would my grandpa
  
  So would a significant portion of the population of all ages
  
  19/f/Cali is the only acceptable response
  
  If I offered someone a nice cup of Starbucks, they'd give me their SSN.
  
  Well lemmy has some protections u cant post ur password see: *******************
- Your home instance will act as a proxy and only they have access to your email and IP address.
  Your home image typically doesn't proxy image loading, those are hotlinked to the Lemmy server that the image was uploaded to. So your IP address and browser string are going to other Lemmy servers.
  
  That's fair enough, but other servers can't correlate your account with your IP nor do they have your email. User agent strings are public information, and you control what it is. If you're worried about privacy, simply send a recent chrome user agent and nobody can identify you in the sea of other chrome user agents.
  
  The posts just contain a URL which doesn't include the uploader's ip address or their browser string.
- I whole heartedly agree with this perspective.
  Additionally, and this is an unpopular opinion, but trying to maintain a Nick or online identity over many years is folly. You end up with a huge repository of personal information, increasing the risk that it can be connected to you personally.
  
  This has come up as part of those requests to migrate accounts between instances. "I want a persona that stays with me for years"... Is that actually a good idea though!?
- What about post views? Are those also stored?
  
  No, Lemmy currently doesn't do authorized fetch and thus there's no way for users to request access to a certain post, which would sort of require to disclose a user wanting to get access to something. So no, they are not stored as part of activitypub.
  They could be logged on your instance's server and/or the server where are an image is hosted as part of typical logs for web requests. These would contain your ip address and other browser metadata such as the user Agent, but these are typical logs that happen every time you load anything on the internet on any website that exists.
- Me, using an mail alias + VPN, should be safe privacy wise. :)
  
  That's only going to protect you from your instance admin or data breaches knowing your connection location and email.
  Most doxxing happens from user-submitted information. For example, you just mention the following:
  the city you live in
  your birthday
  physical characteristics - hair color, height, etc
  Those can be done across a lot of comments, and someone can easily write a script to distill all of that into a list of details.
  My general strategy is:
  don't give someone a reason to dox me - i.e. be polite
  recreate my account every so often - usually 1-2 years
  lie frequently to make it harder to sift through
  assume someone is going to try to dox me
- No, an alias will only give you pseudo-anonymity. Even trivial analysis like counting which words occur together frequently in your writings can reveal with very good accuracy any other alt of you, so the available information of you is basically everything you have shared online with enough accompanying self-written text.
  
  Also, it's not just about privacy, it's about retaliation. It will be the easiest thing in the world for people to put together bots that will track the downvotes on every post they make and automate adding those people to block lists. Suddenly a whole fleet of alts is invisible to the people that would disagree with them.
- The thing is, there is really no way to know is trustworthy as a home instance...?
- That is why I am as my username states: intentionally anonymous
- or: pgp :)
- This person internets. 👏

To illustrate op's point I'm going to spin up an instance, federate with everyone, and not tell anyone what that instance is.
Then I'm going to feed all that data into my new website, called Open Lemmy Stats, where anyone can query the user data ive accumulated. The homepage will be ripe with insights, leaderboards and all kinds of data on prolific users.
Additionally, I'll display a snapshot/profile of a random user by feeding that users data to GPT4 to make inferences about the user's political affiliations and display the results.
Worst of all, I'm not going to out my instance for everyone to know it as the one to defederate. In fact I'm spinning up a few instances that will host innocuous communities that I plan to mod and support to give my instances cover for their true purpose: redundant fediverse datastreams for my site, Open Lemmy Stats.
I'll also have a store where anyone can buy my collected fediverse data for a handsome sum.
Just kidding I'm not doing any of this. But someone absolutely will or already is.

There's something amusing about people feeling violated by their activity being made public, but not necessarily by corporations hoarding and capitalizing on that activity & data. I mean, one of them is out in the open. The other is pure abuse.
- How about both are bad.
  
  That is the entire (and only) point I was making. x)
  
  It is what it is, mí hijo
- Ah, the old ~~Reddit~~ Lemmy switcharoo.
  You are probably seeing two very different vocal minorities, and conflating the two.
  Also, there's a very clear difference in expectations between posting/commenting and upvoting. I blame the UI. We naturally expect public actions to be easily visible. The lack of universal accessibilty to the public data makes people unaware that the data is public. Lemmy UIs, including apps, need to make this information (a list of upvoting users) universally publicly accessible before people will change their expectations.
  
  On the contrary, I'm not conflating two specifics. I'm speaking in general terms about the demonstrable public perception (read: billions of social media users who happily hand over their data vs. the palpable unease over data publication in all walks of tech discussion) and how it is innately hypocritical.
  It is perfectly normal and useful to discuss societal contradictions. For example: "We hate school shootings, but we do fuck-all to stop them from occurring." That statement does not conflate two different vocal minorities, it purports to accurately describe the generalized societal contradiction at hand.
  The rest of your post is completely off-topic.
- It makes sense to me that people are more worried about potentially any corporation / bad actor accessing their data rather than one
  
  here, have my upvote. but please don't tell anyone.
  
  Can't wait until someone unleashes an AI dox bot on the world:
  "Dear applicant, we regret to inform you that your application has been denied. After reviewing your resume and public social media, our AIDoxBot has determined that there is a 98.4% chance you also are AnonymousAardvark123@Lemmy.Instance, and your tendency to downvote interracial porn does not fit with our company's efforts to improve diversity and inclusion. Have a nice day."
  
  Why? The masses have no issue forking data over to big tech. What difference does it make if it's one or a million corporations using that data when it's being sold willy-nilly to anybody with a checkbook?
  The point is not how many actors have access to your data. The point is that in both scenarios (public data vs. single-corporation-controlled data), your data is pragmatically public from data sales, data leaks, and so on. However, in only one of them, your data is ostensibly "protected" by a corporation - the lie at hand. In the other scenario, you are under no spell that your data is protected or private - the truth.
  My comment was simply pointing out how they're effectively the same thing. Giving your data to a big tech firm is effectively the same thing as making it public. Hence, the outrage over one not matching the outrage over the other is amusing to me because it implies how effective the corpo framing of this issue is.
- And the one in the open can be abused by everyone. Not just one bad actor.
  
  Well, only really by owners of instances. There no way for me to know what you voted because I don't run the server.
- Well it's just as bad but in a different way.
  Big cooperations may not respect me as an individual, but they have a self-preserving interest, a brand image to loose, and are checked by privacy watchdogs.
  A Lemmy I stance can be run on any PC in some anonymous guys basement; there really no way of telling.
- i dont think a humongous corporation can afford to screw me with this data as much as the random people running instances, what're they gonna do? give me midget porn ads?

Activities are public and easily viewable on kbin. It's been interesting. Seems mostly positive other than people harassing those who down-vote them demanding explanations.
- Knowing they're visible on kbin made me realize that most Lemmy users probably weren't aware, as it's non-obvious.
  
  Yea, good call. I wonder if kbin makes them viewable because the activity pub protocol does not allow them to be easily hidden.
  
  Yeah, I had a good natured discussion with a Lemmy user on feddit.uk the other day where they were still inexplicably downvoting my responses each time, despite us both being polite and constructive.
  It made me realise that a) they use the downvote button quite differently to how I use it and b) they probably didn't know that I, as a kbinaut, could literally see they were the one downvoting.
- One thing I really like is that it makes it easy to identify users to block. If there's a post stating that "Nazis are bad" and it has ten downvotes, it's very easy to use that to block future content from trolls and people I'm not interested in hearing from.
  
  Yeah, and guess what? They can do that to you.
  Effectively, every single person can use a bot that will automate the blocking of any user that ever downvotes them ever.
  Like if I made a post that says I like Nazis, and then waited for the downvotes to pour in. Add every single one of those names to a block list, share that block list with all of my alts and all of my friends, and suddenly you have a whole army of Nazi sympathizers that are invisible to the users that would downvote them.
  These hand waving excuses about votes being public are really lacking imagination. This is extremely abusable information, and cursory tools can will be put together to make abusing them simple.
  
  Depends on where it's posted in. Also this example is pretty low effort. I would downvote it too

I downvoted the beans and I don't care who knows about it. I'd do it again.
This is useful to know though, thanks. I guess assume everything is public short of your password (unless your admin is particularly nefarious and has altered the code to store passwords in plaintext for some reason).
- I respect your right to be wrong about the bean meme.
- Probably safer to assume your password is public to
  
  Nah because if you type in your password it will show as stars.
  ******* see?
  
  ...so you see, it wasn't me who upvoted all those Justin Bieber posts, my password was hacked!
  
  Its not, all passwords are salted and hashed
  
  Its not, all passwords are salted and hashed

Isn't that kind of the point? You don't get very far hiding in a social setting. You're on a public website talking to other people. Your posts should be public, comments, etc. At least people should treat all websites or apps they didn't develop personally like they're public. I mean you don't really have a right to privacy in public.
And I'm not trying to say this with some malicious tone or anything but it's just my view on it.
- Posts and comments is one thing... It's inherently public. But I think being able to see up and down vote publically is a tough pill. If you don't realize your votes can be seen you risk your vote being held against you. If you do know it disincentivizes you to use the vote system to protect yourself from something that should be rather benign.
  
  At least you know the instance host isn’t selling your data right? The advertisers already have it 🤪
  
  I mean I didn't upvote or downvote porn on Reddit either. It's all personal information.
  On Reddit there were plenty of people with access and the data was sold to advertisers.
  Here it's public, not great but not terrible either. Also makes it easier to battle vote brigading?
  
  That's my only concern. I don't mind my comments to be public. That's what a public place is, unlike other social media platforms who claim to be but they're not. It's, like you mentioned, the upvote/downvote system that I'm worried about and will refrain from using. Because it is public, too, it feels like it lets people read your thoughts. So, I'll refrain from using it until it's fixed.
- Still unexpected. And that's the problem.
  Comments are obviously public because I can read them. But there is no "upvoted by xx people (and downvoted by xx)" link I can click to see the list of people who interacted this way with the post. It's only with API calls or similar that I can access the information.
  
  kbin has the ability to see activity including upvotes, boosts, and downvotes from the UI for entries, comments, and microblogs
- Don't think people should be expected to be developers to consider their right to privacy on websites where contents meant to be private. Like online banking, instant messaging. Let's not strip devs of these services of their responsibility.
- I am looking forward to new apps having the option to show this kind of information.
- Still unexpected. And that's the problem.
  Comments are obviously public because I can read them. But there is no "upvoted by xx people (and downvoted by xx)" link I can click to see the list of people who interacted this way with the post. It's only with API calls or similar that I can access the information.
  
  In case of pitchforks: I downvoted this comment because it's a duplicate, not because it's bad.

Edit: Obligatory RIP my inbox.
Can we leave this kinda stuff behind? It is NOT obligatory.

Nothing private in fediverse except when you are selfhosting yourself.
- and not interacting with anyone else.
  
  🤣🤣
- If post views are public that’s a fairly poor implementation on the developers part. I’m sure it will change over time.
  E.g. someone using your account to view illegal content in a community you are not a member of, and you being held accountable.
  
  I think the in the current implementation, your post views is not public. But any data you have is still accessible to your instance admin.
  
  These are upvotes and downvotes. I doubt views are logged anywhere, apart from the webserver.
  
  It's not possible to make votes private is your care about no manipulation happening. Otherwise any self hosted instance could just communicate any made up amount of votes.
  
  E.g. someone using your account to view illegal content in a community you are not a member of, and you being held accountable
  Can you explain what you mean here? How would someone else be using your account without your knowledge?

Good. If I downvote something its for a reason, and I don't care who knows.
- In fact, I'm tempted to say I WANT people to know I'm not the one downvoting them when I disagree.
  
  SAME its happened on Reddit where I would have a back and forth w someone where we disagreed but it was respectful, and then in the middle of it I'd notice the other person's comments being -1 even new ones. Meaning someone who isnt in the convo would start downvoting the other person, and I'd be like 'what if they think I did it? What if that damages a mutual understanding they were close to reaching? What if that turns them off from considering a different point of view bc they assume I'm doing it and that I'm hostile?' Then sometimes I'd be like "sorry someone is downvoting you its not me"
- People might ask you to provide context for your down vote.
  Recently somebody got butthurt about being called out on it.
  I think the feature is nice because you can spot shill ops, as those accounts travel in packs.
  New articles for politicians are pretty obvious about it but so are generic karma farmers. Although I am not sure why farm karma on here.
  
  People can certainly ask about reasons for voting, but that doesn't mean anyone has to provide the answer. Nobody is entitled to know a person's reason for voting on posts except for that person themselves.
  
  They can ask, and I can tell them to fuck right off. Simple.
  
  People might also ask you to provide further justification of your comment. In both cases you can either engage in a civil manner, tell them to eat a bag of dicks or just ingore.
- That's cool but I think the votes are more trustworthy (in any voting system) if all people feel comfortable voting without some sort of retaliation. Maybe there could be a toggle and you can see who voted that doesn't mind the vote being public.

Reading these comments, seeing so many excuses, sarcastic responses, and handwaving, makes me realize a great deal of users really need to develop some imagination.
This is not about privacy. It's about data that can easily be used for targeting and profiling users, and how that creates countless avenues for targeted harassment and wide scale retaliation. It's about all of the innumerable ways public vote information can and will be abused to manipulate scoring across the site with targeted/automated shadow banning and shared blocklists. Raise your hand if you trust every single admin to never abuse such a tool to curate the outward appearance of an instance to fit a narrative.
For a different example: I could say something about how great Nazis are right now, and have a bot programmed to read every single person that downvoted me, add those names to a shared blocklist, and viola, I've made myself and all my alts invisible to the people that would challenge me on a massive scale.
I promise you this is going to be a big issue as tools for this site get more sophisticated over time.

Not to sound harsh or anything, but those of you saying that it's okay that all this data is public are insane. This completely goes against the entire philosophy of the Fediverse and FOSS in general. The reason we all are fleeing from Big Tech is because they collect so much data on us. At least, they keep it hidden from public view. This is a major issue in my opinion, and needs to be addressed ASAP before we can claim to have superior platforms on the Fediverse. Why can't this data at least be encrypted?

For me, it makes so much sense. Likes and dislikes, besides serving as a means of sorting posts and comments, also serve as a shortcut for leaving a comment saying, "This^" or "I disagree."
- I think the issue is just that having votes publicly accessible can lead to harassment. Sometimes I want to downvote bigots or idiots and not want the possibility of them engaging with me.
  
  Huh, now I'm actually thinking that maybe it's not that bad that my instance hides downvotes. No temptation
  
  That's my biggest concern, too. People are fuckin' weird and you never know what will set them off. Some people just can't stand any sort of disagreement or pushback and might want to retaliate. I really think the source should remain invisible to other users.
- This^
- I don't see why this is an issue. I used Boost for Reddit, which let me see all my upvotes on my account by checking my profile. I always assumed this could be seen by anyone. Also, to respond to a comment lower down, this is not a democratic process, this is internet opinions. Voting in an election is NOT equal to agreeing with a publicly posted opinion. I know you voted, if you showed up to the voting booth on election day. But you don't get to hide your identity either.

Can someone explain why r/privacy is so up in arms about this? Seems fairly obvious that my actions in the public domain are public, but they’re all “Lemmy doesn’t care about your privacy”. Why?
https://www.reddit.com/r/privacy/comments/144clka/warning_lemmy_federated_reddit_clone_doesnt_care/?utm_source=share&utm_medium=ios_app&utm_name=ioscss&utm_content=1&utm_term=1
- I wouldn't say Lemmy doesn't care about your privacy, but probably they didn't have enough traffic before the death of Reddit to really prioritize it. I myself have security concerns, particularly with the storage of account data on servers that who knows where they are hosted or what the security is. But I would say Lemmy instances are much more likely to be targetted for attacks by malicious hackers than Reddit, because most instances are likely hosted on far less secure machines than Reddit servers.
  
  secure machines than Reddit servers
  Not that I don't agree but there is a pretty big citation needed there.
  We don't really know how secure Reddit Servers are and their attack surface is likely to be far larger.
  
  What account data are you referencing?
- Because they've not ever done a data request from Reddit, I imagine. Reddit stores a COLOSSAL amount of information on you. The bits that they are willing to provide are concerning enough; I do wonder what they have that they don't reveal. For example. your ENTIRE history of IP connections seem to be stored (because there's a use for a 3 year old IP record, you know,) all of your chat messages (no way to delete those either,) associated accounts (I am guessing this is "accounts we think are you too, but I don't know...) ...so I'm not sure why Lemmy / Kbin / etc get the hate here.
  I think Kbin and Lemmy could be better about disclosure, but there's nothing inherently shady about the way they're set up. Downvotes being revealed, I am torn on. I tend to lean toward private, but I see arguments either way.
- Because they're stupid

Suppose there is someone who wants to maintain their anonymity and privacy on Lemmy so that it couldn't be tied to their real identity, what do you think is the best way to do that?
Hmm, I, famous Hollywood actress Margot Robbie and star of "Barbie", sure am stumped.
- Margot, can I get a selfie with you, my kids would really think I was dope if I could.
- It’s simple. Just don’t comment or upvote on anything that interests you.
- There are a number of things you can do, depending on how serious you want to get about it (think about who and what you want to protect against - harassment from other users? Admins?).
  Create an account using an email alias or an email account not linked with something you can trace back to your real identity.
  If you're concerned about retaliation/harassment from downvoting something, you could create 2 accounts - one for normal use and the other you only use for downvoting, or one for participating in discussions on controversial topics.
  You could retire an account and start using a new one after a period of time, so your entire history isn't linked to a single account.
  The above might be able to shield you from other users but not from admins.
  If you want to stay anonymous from admins:
  An admin would be able to see the IP address the account uses to connect to the service. If 2 accounts connect with the same IP address and the IP is consistently the same, they'd be able to conclude it's likely the same person (or someone else in their household) is connecting to the service with both accounts.
  If you use a VPN or Tor when connecting to the site, that won't be as easy to see because many people would connect to the service from the same IP address and the account would likely frequently connect using different IP addresses.
  Be aware that if you access the site on a mobile device app with a VPN, it's possible that the app could contact the server when the VPN is down (for example, if the VPN connection is closed when the device is locked). To avoid that, you could try using using something like OpenVPN with its "Kill Switch" enabled).
  Note that the admin of the VPN service would be able to see your connections to Lemmy's servers (but not specially what you're doing on Lemmy), so you aren't fully anonymous. Lemmy's admins would see part of the picture, the VPN's admins would see another part, and you're counting on the 2 not talking to each other (and a good VPN service shouldn't, unless they're legally required to).
  I use a VPN in general for all connections to the Internet but don't always care to keep my IP address hidden from some services (banking, primary email addresses, etc - services that will have my personal info anyway). It can be very challenging to keep your IP address hidden over the long haul with a frequently used service - you could end up connecting with the VPN down due to a technical reason or carelessness.
  With some services I might have multiple accounts - on one I might not really care if my real IP is revealed, but another on the same service that I'm very careful with to keep hidden.
  You could use a browser with protections against fingerprinting like Tor or Mullvad Browser.

So everyone knows I upvote my own posts? This is an outrage.
- I upvote my own posts too, I do try to avoid boosting my own posts. We're from kbin though, I think on Lemmy self-upvotes are automatic.
  
  Never thought of boosting them too, see you at the top.
  
  Yea, I automatically upvote my own posts and comments. I felt very self-conscious about it at first, but then I figured all other users do the same.
  So now I just mentally subtract one vote from every score :)
- I always upvote myself. But I have to think extremely highly about my contribution to even think about boosting it.

I'mma be honest, this might be the worst part of lemmy. NSFW, gray area topics, sports discussion, all that becomes completely radioactive.
- I think its a massive improvement. Reddit did next to nothing about astro-turfing and vote manipulation. Lemmy gives people the tools needed to detect inorganic content.
- People might have to stand behind their opinions if they choose to voice them. The horror!
  (Although the user/account is still basically anonymous 🤷‍♂️)
  
  There's a reason nobody has to publicly announce who their voting for in democratic countries, and that there's no mechanism to check that. People can be grouped, ostracized, persecuted, canceled, or worse.
  
  This is an issue of privacy, though. There is a reason why people dislike google or their neighbour having access to their information, however mundane.
  
  Yeah, that's terrifying for a lot of people
- What about IP addresses? I see those are logged. Are they available to query?
  I would imagine so, right?
  If so, ummmmmmmm. That is not ok.
  
  Umm, anything you access on the Internet has to know your IP address, that's how the Internet works. Whether or not they choose to keep the logs is a different matter.
  
  every website logs ip. The question is whether the admin maintains those logs. However a web server needs your IP so they can route traffic back to you. That IP gets logged so that if something is not working the admin can review the logs and figure out what is going on. Many websites that are privacy focused either turn the logging off or dump the logs fairly quickly. Doing something like that means the admin needs to take steps to create other avenues for troubleshooting that don't factor user data into the scenario. With smaller projects like instances hosted on lemmy that might not always be feasible for volunteer admins. This doesn't necessarily mean they are doing anything wrong. Lots of websites maintain logs that include IP addresses.
  
  IP Adresse does not really matter. It changes every day or whenever I restart the router.
- Err, up/down voting is just a quick way to agree or disagree. If one is voting because they feel they can't stand behind their opinion if they expanded it in text... I don't know what to tell ya.
  
  I always thought the upvote/downvote function was to promote information relevant to the topic and bury stuff that is nonsense or irrelevant... not an agree/disagree button.
  That was the major problem with reddit. Instead of upvoting detailed posts with relevant information, people now just upvote whatever sounds right to them.
  
  One of the reasons I really disliked Reddit and stopped using it years ago was this way of using the voting system. If I make a post, and it gets voted something like +4-10, and a reply that is some rewording of "that's a dumb statement", what am I to think? I'm certainly not going to change my mind, no one gave me a good reason to.
  If one is voting because they feel they can’t stand behind their opinion if they expanded it in text… I don’t know what to tell ya.
  I'm inclined to believe a lot of people do this. This is not to say they are terrible for doing this, it's that it's human nature. Replying to someone with a well thought out post takes effort and, from my experience, makes the me realize i don't know shit about the subject. Point is, this way of using the voting system breeds half-thought opinions which is a host of a lot of other problems.

Now we know who are the people stalling the liftoff of the bean's meme to the stratosphere.
- And who helped. Via the database on my instance I can tell I was about the 8th person in the federation to upvote the original beans post.
  Not particularly useful knowledge but I find it fascinating, nonetheless.

Woah woah woah. Hold the phone. You’re telling me that things that I post… on the internet… are… PUBLIC???
- Not post, upvote. I find it interesting that you like Asian Babes (obviously you don't, it's just some information you wouldn't expect to be public or shared).
  
  All the more reason to keep a different alt for each area of interest.
- Here's something I didn't know until I was in my thirties!!
- Here's an upvote to add to the database.
  
  I like how you two think

People raise a good point that in countries where political dissent can actually be dangerous, this would very much dissuade people from voting on things they believe in, or even coming anywhere near Lemmy period.
A better approach I think would be to have the user's host instance save their votes (the database obviously needs to remember what you voted on), but when federating those votes with other instances just hand over a cumulative total, e.g., "here on vlemmy.net we have +18 votes for this comment", which the other instances can then add. There's no need to send user information with that data.

Hello there, and welcome to our community! I hope you like it in here.
Could you please include some body text as to why should people know this, and how would that help them? It’s our second rule. Thank you :)
- Done. Thanks for setting me straight and the very polite manner of reminding me to RTFM.

I only downvote awful/hateful comments so I usually stand by what I strike down. I can understand why this may concern others though.
- Maybe it will encourage us to downvote only those comments that don't contribute to the conversation, and not every comment we disagree with. Like how Reddit was supposed to be until it turned into a shouting match.
  
  No chance
- honestly I don't give a damn if people know I downvoted, otherwise what's the down vote worth lol
- And I only downvote meme comments and comments that are discussing things like downvotes.
  
  And I only downvote things I feel are worthy of a downvote.
- Kind of a bummer for anti-dictator memes. People might have thought they could maintain anonymity by upvoting without commenting. Better to not engage with it at all.

That said, don't just call people out who downvote you. No one owes you an explanation if they thought your post was bad. I've already seen it once and it was pretty childish.
- On reddit you'd regularly see people calling the people who downvoted them names

So if one downvotes something and then removes that vote, does doing that removes it saying they downvoted or does it still keep it on record?
- I had to run an experiment on this one.
  It appears that changing you vote causes the old vote to be completely deleted from the database and a new vote cast and propagated.
  Edit: The above description is what happens in the COMMENT_LIKE or POST_LIKE table HOWEVER the ACTIVITY table reflects both actions, which makes sense since it's a complete transaction log. So, it's a slightly more complex query but the history is maintained.
  
  However, that's not really any better for privacy. There's absolutely nothing preventing someone from logging a history of the changes.
- Depends on the rest of the structure of those tables and the supporting procedures that modify them. I haven't checked, but I'm very interested in using this as a sample dataset.
  
  Weird way to say you don't know.

There is a fundamental misunderstanding here.
Our data has never been 'invisible'... We've just trusted that places like Reddit and their staff will do the right thing. That's literally how it already works.
If you sign up for Reddit, Reddit staff can see your posts and votes if they want to.
If you sign up for a private forum the admin there can also see database contents.
One way encryption is not possible without stopping functionality... If data about you was encrypted then posts you make couldn't be displayed. If you include a means to decrypt then there was no point encrypting anyway.
This is how it's always been, and Lemmy doesn't change this status quo much.
A faceless corporation that has had access to your data is just replaced by a variety of admins distributed across instances.
This isn't a good or bad thing, the potential for abuse does exist, but when we have literally made agreements with places like Reddit that they can use and sell our data... then what difference does it make it an admin takes a peek?
It wouldn't be great... but nothing is perfect.
It's still worth working on however, to see if a better solution can be found, but at this time I'd say just be aware that it is possible that your data can be seen and understand the only safeguard against that if you need to communicate something private would be to use direct messaging with end to end encryption.

Oh no, so my upvotes on c/spacedicks aren't private?
/s

What about private messages? We should assume the person running the instance can read all private messages.
- Yes. While I see no reason that private message would exist anywhere other than the instance of the sender and receiver, the admins of those instances CAN see the contents of the message and whether or not they have been read.
  
  I've always assumed private messages on any site can be read by the site's admin unless they are end-to-end encrypted.

So this is interesting... I thought only kbin visualized voting. Does this mean Lemmy's users are also tracked on kbin?
- Yes. But Kbin is actually doing the right thing by disclosing the votes since any instance admin would be able to see them anyways.
  
  kbin doesn't allow downvotes, right? I think the potential issue here is people figuring out who downvotes them then proceed to harrass the downvoters. Maybe lemmy should just store the cryptographic signature of the downvoter, which should be enough for the system to verify the action's validity, and skip storing the actual username.
- Every subscriber of a community or magazine gets a message containing who voted. So if a kbin user subscribed to a lemmy community they'd see who voted what because the data is stored on the kbin instance.
- I'm no expert but I believe comments are pulled down by an instance when a user requests the information and is then cached in the DB. So not everything is, but content that's viewed by a user on the instance will be.

Couldn’t we just use a hash for the usernames instead?
Nothing too over the top, but just a simple hash and match that instead?
Also, there’s way too much trust in instances. Like, one person could easily make a post on lemmy.world, go on their personal instance, and just give themselves, say, 2000 upvotes.
Instances should have their own settings on what instances are allowed to keep a local copy. (Default behavior should be to get the post itself from the instance “hosting” it).
- If that is a solution you'd need to change the ActivityPub specification. You are more than welcome to submit your idea.
  Also, there’s way too much trust in instances. Like, one person could easily make a post on lemmy.world, go on their personal instance, and just give themselves, say, 2000 upvotes.
  I'd first have to create 2000 users, then I'd have to send 2000 upvotes. And then I'd get blocked by all instances.
  Instances should have their own settings on what instances are allowed to keep a local copy.
  This is also not compatible with the ActivityPub spec but even if it were you'd win nothing because as soon as you fetch the post it is still on the server.
  
  Hey, just curious: how would all the instances discover this type of fraud?
- Couldn’t we just use a hash for the usernames instead?
  The hash function would still need to be public to share data between instances.
  
  That's the point of a hash function. You have a public hash function, say SHA-256. It's easy to check a username against it's hash, but virtually impossible to reverse the hash back to the username.
  Edit: Instead of storing, say, eddie, we'd store 3b9d8298f1b5086d012618feebb2da1a394357c1dab7523443c9f6a743c4c84d. Then when the instance gets a Like from eddie, it hashes his username to get 3b9d8298f1b5086d012618feebb2da1a394357c1dab7523443c9f6a743c4c84d, realizes there's a match, and doesn't update the count.
  Note that when given 3b9d8298f1b5086d012618feebb2da1a394357c1dab7523443c9f6a743c4c84d, it would take millions of CPU years to compute the original username from it. Therefore, we can check for duplicates without actually checking the name itself (a similar method is used for checking passwords; Lemmy is open source, we know the hashing algorithm, but we can't unhash user passwords, only check them).

Is it just user activity that's public? Curious to know about what is preserved on the backend, like if user removed posts/etc get stored somewhere accessible like this too.
- Deleted items just get marked as 'removed', the content remains in the database. I can see the comment you deleted on https://lemmy.world/post/955546.
  Overwrites appear to replace the original content. I can see when you edited this comment but can't see what the edit was.
  
  What happens if someone posts something illegal? Does the instance owner have to know enough SQL to remove the row and the image connected to it or is there a friendly way to do it in an admin interface?
- Self removals are hard to sync between instances, so a message you posted and deleted can linger forever.
  For example, a message I posted from sopuli.xyz to a pawb.social post and then deleted shows as being deleted on sopuli, but is still visible on pawb.
  Mod removals are all publicly listed neatly right here on the mod-log: https://lemmy.world/modlog?page=1&actionType=ModRemoveComment
  
  Both links appear valid to me

Good to know but I always assume everything is public on the internet.

Wait, is there a granular way to give access to my information? Like say I don't mind people seeing my comment history but would like to hide what posts and comments I upvote and downvote.
- Not really. It's a side effect of federation. The information is propagated much further than one might initially think. Even if your instance doesn't display upvotes, it doesn't stop any other instance in the federation from doing so.
  
  More like a side effect of sending data to third parties. Whether it's email or messages, you can't control what happens with that data on the other end unless you control both ends. But then you're talking to yourself.

I’ll just use my short username then

Nice joins...
- I write my joins the same way (instead of JOIN tablename on one row and ON columnnames on the next row) and my coworkers think I'm weird. IT'S EASIER TO READ THIS WAY, DAMMIT.
  
  Who the hell does the joins like that? SQL already has a fuck ton of lines and they want to separate the statements into more lines? wild.
  I also always use alias instead of the full table name.

This is what lemmy.world tells me when I want to delete my account:
"Warning: this will permanently delete all of your data from this instance. Your data may not be deleted on other, existing instances. Enter your password to confirm."
Edit: So if we want to own our data we should only post, comment and vote within our own instance or just keep in mind that whatever we do on other instances might be there indefinitely.
- Regarding your edit: that will only help if your instance doesn't federate. If someone subscribes to the community on your instance, all actions (posts, comments, votes,...) are sent to all instances with subscribers and saved there.
  
  Thank you for the insight! I'll guess I'll be polite here on lemmy until someone finds a way to handle it.
  As a followup question: Would this not be against EU's GDPR laws in some way?
- That won't help AFAIK. For example, your comment seems posted on lemmy.world, in a lemmy.world community, yet I can see it on Kbin. If you delete all your data on lemmy.world I can still see it on other instances, since every instance has received a copy.
  As usual on the internet, treat everything you post as public and irrevocable.
- That is because of how ActivityPub works. Action is pushed to alle instances that subscribe to the community. Posts, upvotes, downvotes, comments, everything is also stored on all federated instances. There is no way to make absolutely sure that all servers delete your data.

Why are you selecting for long names? 😅
- To not actually dox people, just demonstrate.
- So I could squish the column and not show people's full names.

Back in my day everyone knew that once you put something on the internet it's there forever to be seen by all. Has everyone already forgotten this? This is nothing new and in fact the way it's always been! Now get off my lawn!

Holy shit. HOLY SHIT.
I just realized what this actually MEANS.
It means that when you like or dislike something so much that you unvote and then vote a second time, people can tell. This will change karma forever.

So any instance admin can analyze all users upvotes/downvotes and possibly derive political standpoints, likes/dislikes, opinions and location data from it

I agree that this is a good fit for YSK, however, I think it's important to keep in mind that privacy isn't a main goal of the system. It's designed to distribute the cost and responsibility and be difficult to take down or influence as a whole network, but it does not appear to be designed to hide user activities.
In fact, I propose that we keep this information publicly listed so that users are under no illusion that their interaction with Lemmy is private. Transparency and communication prevents misunderstandings.
- If you want privacy on the fediverse, use an alias. It's as easy as that. This is akin to the old adage "don't tell your real name on the internet" which Facebook destroyed.
  
  An alias isn’t instant privacy. If you upvote your local sports team, downvote a local politician, etc and never comment anti-establishment sentiments that still builds a profile which could interest someone who has no need to have access to that information.

How would one find this? Is it just a console command?
- Queries directly against the database.
- You can just go to more activity and it’s right there.
  
  Only on kbin, on lemmy that doesn't exist (yet)

Is this only accessible for the people who host the instance, or for all users?
- Anybody with access to the database on ANY instance. It would be pretty easy to surface in the UI if someone was so inclined to code it.
  
  Kbin was so inclined. You can see who interacted with any post and how they did right from the default UI.
- Everyone, on kbin u can see who boosted , downvoted/reduced, or upvote/favourited any comment by pressing "more" then "activity". For posts it's at the bottom of the comment section

Well, yeah, it's put on the database.
It's the only way to avoid double voting from the same account or to remove the reverse vote if one changes one's mind and votes the other way.
Did you think that it was any different on Reddit and that no random employee with access to their database could run a similar SQL query with a couple of joins and end up with nicknames, e-mails and IP addresses?!
Do you know who are the Reddit employees with access to their database or a copy of it? Have you had a chance to vet them? I don't think so.
At least here it's a bit more transparent.
The only shocking thing in this is that anybody is shocked by it.

I see that IP addresses are logged.
Are those public as well then?

How often are we going to see this postage? I think this is the third time I've seen it at least
- You’re following up to a post made almost 3 months ago so it’s not surprising you’ve seen similar since.
  
  what? oh wow, that is so weird. I'm sorry. I was browsing by Top 6 hour, guess there was a glitch.

Pretty much, it wasn't private on Reddit either, except the only people who had access to it were the ones running the place.
- It is weird that even with an alias, I felt more comfortable that you had to be employed by Reddit to see my data posted on Reddit?

Color me shocked. The only thing I'm wondering is why the name length needs to be greater than 7 for the query?
- So he can show the row of data as an example but not display the full username (and doxx those users unintentionally).

Just commenting so this stays one of the most commented posts. Feel free to keep scrolling

I don't mind this, but what about my email, is that also publicly available? What about my password? I had to give my email to confirm my sigup to this instance. It would be pretty shitty if my email was up for grabs now. Think of the poor idiots who use the same password for every service they use.
- What you see in the picture is a database query. Only the admin of the server can see this.
  
  Key point... not THE server, any federated instance server. This activity is available to admins of any of the thousands of servers in the federation.
- You email exists only on your home instance, where you signed up. It does not get federated. Same with you password, which is hashed.

I mean essentially any decentralised type of social Media cannot work any other way. An open backend is not shocking, it is expected.

I've been in forums where upvotes were public. It's not something that I expect to be anonymous by design.
That being said. If something is public, it should be clear that is public (and available to everyone), if it's not it should be protected.
I think Lemmy should go one way or the other, or upvotes are public to everyone, or they are available only for you instance admins.

I think this is a good conversation to have, I'm assuming there are no security checks to make sure instances connecting to each other are legitimately released and code reviewed by the community? I'm also curious if you could run a malicious instance that garners a lot more information from your users than is necessary or uses security holes to gather information from other instances. This could send this entire experiment down the toilet very fast. For instance HTTPS guarantees you are connecting to who they say they are and are from a trusted source. At the very least it would be nice to be able to have control over your credentials and history, and only release it to trusted instances.

697 comments