I have been working on Lemvotes, a tool to check who voted on a Lemmy post. In this blog post, I will describe how it works and the ethics of such a tool.
I tend to agree, but the fact is that they aren’t anonymous. This tool just exposes the already-existing fact that Lemmy expressly does not guarantee anonymity for votes. The solution isn’t to not for the poster to not publish this tool. Believe me, such tools already exist in private even if none other than this one are published. Publishing this one only democratizes access to that information. (And not entirely, I don’t think. From what I’m seeing on the page, it looks like it still requires an admin account on an instance. Update: Actually, I’m not sure if it requires an admin account or not. Either way, though.) The solution is (if it’s possible) to make Lemmy itself protect voters’ anonymity.
The reason why instances know who has up/down voted things (rather than only keeping an anonymized “total” for each post/comment) is so it can prevent double-voting.
Maybe instead of usernames, the instances could store/trade… salted hashes of the usernames where the salt is the title or unique identifier of the post/comment being voted on? It wouldn’t be perfect, but it would allow the instance to figure out whether the currently-viewing or currently-voting user has already voted while also making it harder for anyone else to get that information. About the only way a tool could tell you exhaustively who had voted if that were how things worked that I can think of off hand is to try every username on Lemmy one-by-one until all the votes were accounted for.
(Of course, malicious instances could still keep track of usernames or unique user ids who up/downvoted, but only on the instance on which the vote was cast. Also, one downside of this approach would be increased CPU usage. How much? Not sure. It might be trivial. Or maybe not. Dunno.)
And there may be much better ways to do this. I haven’t really thought about it much. I also haven’t checked whether there is an open ticket asking for improved anonymity for votes already.
(Also, full disclosure, all of the above was written after only an extremely brief skim of the linked page.)
(One more edit. Something IHawkMike said led me to realize that the scheme I described above would allow instances to manipulate votes by just inventing hashes. Like, grabbing 512 bits of data from /dev/urandom and giving it to other instances as if it was a hash of a username or user id when, in fact, it’s not a hash of anything. Other instances wouldn’t be able to easily tell that it wasn’t the hash of a valid user id. I haven’t thought how to go about solving that yet. Maybe if it occurs to me, I’ll update this post.)
Yep this is exactly right. Too many people are unaware that their votes are not anonymous on Lemmy and blocking the public tool only helps the bad guys who already know this. I’ve always thought this was a major weakness in Lemmy but I don’t have a solution myself without some other major drawback.
I think probably votes should be anonymized or batched between servers so that only your instance’s admins can see individual votes and you just have to trust the instances you federate with that they aren’t pulling any shenanigans or otherwise defederate. That’s not an easy problem to solve, but it’s not like it’s not currently possible to manipulate votes with a federated server, it would just be harder to detect. Regardless I think the need for privacy wins here.
Maybe instead of usernames, the instances could store/trade… salted hashes of the usernames where the salt is the title or unique identifier of the post/comment being voted on?
I didn’t have time to reply earlier, but I was thinking the same thing, except with the extra step of replacing the username with a unique user identifier randomly generated at signup by the user’s instance and kept secret.
I wonder if there’s a way to prevent people from even knowing that two different votes came from the same user.
I wonder if there’s a way to prevent people from even knowing that two different votes came from the same user.
What I outlined above should prevent anyone from knowing two different votes came from the same user… without specifically trying that user’s id on each. That’s what the salt (the comment/post id) is for.
I tend to agree, but the fact is that they aren’t anonymous. This tool just exposes the already-existing fact that Lemmy expressly does not guarantee anonymity for votes. The solution isn’t to not for the poster to not publish this tool. Believe me, such tools already exist in private even if none other than this one are published. Publishing this one only democratizes access to that information. (
And not entirely, I don’t think. From what I’m seeing on the page, it looks like it still requires an admin account on an instance.Update: Actually, I’m not sure if it requires an admin account or not. Either way, though.) The solution is (if it’s possible) to make Lemmy itself protect voters’ anonymity.The reason why instances know who has up/down voted things (rather than only keeping an anonymized “total” for each post/comment) is so it can prevent double-voting.
Maybe instead of usernames, the instances could store/trade… salted hashes of the usernames where the salt is the title or unique identifier of the post/comment being voted on? It wouldn’t be perfect, but it would allow the instance to figure out whether the currently-viewing or currently-voting user has already voted while also making it harder for anyone else to get that information. About the only way a tool could tell you exhaustively who had voted if that were how things worked that I can think of off hand is to try every username on Lemmy one-by-one until all the votes were accounted for.
(Of course, malicious instances could still keep track of usernames or unique user ids who up/downvoted, but only on the instance on which the vote was cast. Also, one downside of this approach would be increased CPU usage. How much? Not sure. It might be trivial. Or maybe not. Dunno.)
And there may be much better ways to do this. I haven’t really thought about it much. I also haven’t checked whether there is an open ticket asking for improved anonymity for votes already.
(Also, full disclosure, all of the above was written after only an extremely brief skim of the linked page.)
(One more edit. Something IHawkMike said led me to realize that the scheme I described above would allow instances to manipulate votes by just inventing hashes. Like, grabbing 512 bits of data from /dev/urandom and giving it to other instances as if it was a hash of a username or user id when, in fact, it’s not a hash of anything. Other instances wouldn’t be able to easily tell that it wasn’t the hash of a valid user id. I haven’t thought how to go about solving that yet. Maybe if it occurs to me, I’ll update this post.)
Yep this is exactly right. Too many people are unaware that their votes are not anonymous on Lemmy and blocking the public tool only helps the bad guys who already know this. I’ve always thought this was a major weakness in Lemmy but I don’t have a solution myself without some other major drawback.
I think probably votes should be anonymized or batched between servers so that only your instance’s admins can see individual votes and you just have to trust the instances you federate with that they aren’t pulling any shenanigans or otherwise defederate. That’s not an easy problem to solve, but it’s not like it’s not currently possible to manipulate votes with a federated server, it would just be harder to detect. Regardless I think the need for privacy wins here.
I didn’t have time to reply earlier, but I was thinking the same thing, except with the extra step of replacing the username with a unique user identifier randomly generated at signup by the user’s instance and kept secret.
I wonder if there’s a way to prevent people from even knowing that two different votes came from the same user.
What I outlined above should prevent anyone from knowing two different votes came from the same user… without specifically trying that user’s id on each. That’s what the salt (the comment/post id) is for.