EDIT: Initial self-votes don’t federate, so it seems this specific way doesn’t work.
Am I missing something, or is Piefed’s private voting kinda trivial to reverse engineer as long as every user by default upvotes every post and comment they make?
If you have a username and want to find the matching private voting ID, search through that user’s posts and comments for an entry that only has one upvote. The vote cast on that entry will be the private voting ID.
If you have a private voting ID and want to find the matching username, search through all votes cast by the private voting ID to find a post/comment that only has one upvote. The user that posted that entry will be the original user.
If it really is this easy, it seems like it’s sort of a false sense of security. On the other hand, if automatic upvoting of your own content could be disabled by default, that would prevent this from working.
Removed by mod
Removed by mod
The upvote of one’s own post/comment does not federate. The only effect that upvote has is on the local instance and remote instances that receive the content are free to initialize the score of that new content however they wish.
I am not sure how PieFed does it. I hope someone more familiar with the actual protocol can shed some light.
What is important here is whether private votes from the same profile are associated with the same voter ID. PieFed accounts have two subaccounts, a public posting account, and a private voting account. When voting on a Lemmy post, the anonymous voting profile is used. There are multiple ways to do this:
1. (the way your post assumes) Assign a unique ID x to every voting profile, and every vote by the same ID x gets tagged with x. This is easily traceable, like you said. Even if auto-upvoting of one’s own posts is not done, one can still gather a lot of information about the voter.
2. Do the same as 1, but do not tag the vote directly with the voter’s ID x. Instead, encrypt/hash the ID x so that the voter ID tag is different for every vote, but could be decrypted by the hosting instance to get the original ID x.
From my understanding, it is 2. 2 is better for privacy, with a caveat. Admins would still have the ability to deanonymise private voting IDs.
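To make the difference between the two schemes concrete, here is a small simulation that I am adding to this thread (it is not PieFed code and does not describe how PieFed actually federates votes). It assumes a hosting instance holding one secret key, and uses a toy wrap construction (random nonce, HMAC-SHA256 keystream, HMAC authentication tag) in place of a real AEAD. The constructed votes, voter IDs, and function names are all made up for the example. A remote observer who only sees the federated (post, tag) pairs can group a static tag across posts, but cannot group the per-vote tags; the hosting instance, holding the key, still recovers the voter ID from every tag, which is the admin caveat above.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed for the example: the hosting instance keeps one secret key that is
# used only to wrap/unwrap private voting IDs before votes federate.
INSTANCE_KEY = os.urandom(32)

# Constructed sample: (private voting ID, post voted on). Alice votes three
# times, Bob once. Nothing here comes from a real instance.
SAMPLE_VOTES = [
    ("vid-alice", "post-1"),
    ("vid-alice", "post-2"),
    ("vid-alice", "post-3"),
    ("vid-bob", "post-1"),
]


def static_tag(voter_id: str) -> str:
    """Scheme 1: the federated vote carries the voting ID unchanged."""
    return voter_id


def per_vote_tag(voter_id: str, key: bytes = INSTANCE_KEY) -> str:
    """Scheme 2 (toy construction, assumed): a fresh 16-byte nonce per vote,
    keystream = HMAC-SHA256(key, nonce), ID XORed with the keystream, then an
    HMAC over nonce||ciphertext so a tampered tag is rejected on unwrap.
    Two votes by the same voter produce two unrelated-looking tags."""
    nonce = os.urandom(16)
    data = voter_id.encode()
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    assert len(data) <= len(stream), "toy construction: ID must fit one block"
    ct = bytes(a ^ b for a, b in zip(data, stream))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + mac).hex()


def instance_unwrap(tag: str, key: bytes = INSTANCE_KEY) -> str:
    """Only the instance holding `key` can map a scheme-2 tag back to the ID."""
    raw = bytes.fromhex(tag)
    nonce, ct, mac = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("tag failed authentication")
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def cast_votes(votes, tagger):
    """The federated view of the votes: (post, tag) pairs, no voter names."""
    return [(post, tagger(voter)) for voter, post in votes]


def largest_linkable_set(federated) -> int:
    """What a remote observer can do with the federated view alone: group votes
    by tag. Returns the size of the largest group, i.e. how many of one voter's
    votes can be tied together without holding any key."""
    groups = defaultdict(list)
    for post, tag in federated:
        groups[tag].append(post)
    return max(len(posts) for posts in groups.values())


if __name__ == "__main__":
    print("scheme 1 linkable:", largest_linkable_set(cast_votes(SAMPLE_VOTES, static_tag)))
    fed = cast_votes(SAMPLE_VOTES, per_vote_tag)
    print("scheme 2 linkable:", largest_linkable_set(fed))
    print("instance recovers:", [instance_unwrap(t) for _, t in fed])
```

Under scheme 1 the observer links all three of Alice's votes through the shared tag; under scheme 2 every tag is a singleton, yet the instance that holds the key still recovers the original ID from each one. A real deployment would use a standard AEAD such as AES-GCM rather than this hand-rolled wrap.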
I was under the impression that it’s intentionally #1 so that other instances can still track malicious voting behavior (e.g. mass-downvoting posts in a community) of an anonymous account without knowing the real identity. But yeah I’m guessing we would need some clarification somewhere on the specifics; I tried looking for documentation on how the private voting works but couldn’t find any, and I didn’t feel like digging in the code or hitting the API just yet.
If the voting ID is static in any way, it’s still inevitably trivial to de-anonymize a user’s votes, but it would at least require a more heuristic approach (e.g. finding a thread that the user is in and checking to see if they have upvoted/downvoted any comments they’re replying to). As well, the instance tag (@piefed.ca for example) on the voting ID can narrow things down significantly when trying to figure out which user is voting.
I’m mainly just thinking about how these systems can be scraped for mass data collection by e.g. advertisers/big tech in the future. Upvotes and downvote behavior can really paint a detailed picture of someone when all data is combined.
while true voting privacy would be great to achieve, as long as votes have meaning there need to be methods for tracking and dealing with abuse of them. if you achieve true vote privacy, there is no way to stop someone from creating 100 alt accounts to just downvote everything that person doesn’t like, including automatically voting on new content by selected users, without anyone being able to stop them. 100 downvotes are easily enough to bury new content and ensure it won’t reach the popular feeds where it’s more likely to gain more votes.
we have already removed private votes from piefed.world and i know that there is at least one other instance considering the same. it might be tolerable when you’re on the trusted instances list of a piefed instance and still see the original voters, but this also means that instances will have to start negotiating with other instances whether they will be marked as trusted by them. i know there is at least one admin already looking into options for flat out rejecting piefed’s “private” votes and just dropping them when they federate to them, stopping them from impacting any ranking on their instance or communities hosted on their instance.
Ugh, that’s really unfortunate. I will probably just disable voting buttons for myself if that ends up being the case.
I don’t really know what’s stopping someone from creating 100 alt accounts without private voting though? If the voting ID is consistent and you can take punitive action on the voting ID, it seems the same as if the person had a cleartext name. The real problem is that an instance is allowing these 100 alt accounts to sign up and manipulate votes, which I assume there are already solutions/measures for?
Don’t mind me though, I’m fairly new to all this, and I’m sure everyone’s thought of all these vectors before. I just hope that there is some sort of middle ground that doesn’t inevitably allow mass data harvesting.
I don’t really know what’s stopping someone from creating 100 alt accounts without private voting though?
nothing, but at least they can be identified and taken down. it hasn’t been too long ago that i banned 346 accounts involved in such a scheme, and if these accounts had been using piefed’s private voting, they would have been much harder to identify and separate from real users. as a result, this would likely have had a much higher chance of false positives catching real users. activity beyond votes alone is very useful to isolate these abusive accounts. for example, a real account will frequently have a range of legitimate comments and those won’t just look like LLM garbage posting. there can also be other patterns, like similar/same usernames across instances. there was another case not that long ago where I banned around 80 accounts using the same name on many different instances, one per instance, to boost votes on one of those accounts.
The real problem is that an instance is allowing these 100 alt accounts to sign up and manipulate votes
there is no easy way to prevent people from creating a bunch of alts. there are various options that can be used to detect creation of multiple accounts, and piefed also has some features to help with detecting that, but there is only so much you can do without this also becoming a privacy nightmare with device fingerprinting etc. it’s not without reason that a lot of larger services with community functionality will prompt you to attach a phone number and/or use invasive fingerprinting measures to prevent people from creating a bunch of accounts or evading bans.
That makes a lot of sense, thanks.
If the accounts aren’t randomized, which I think weren’t, then yes, this is possible to do. If the voting timestamps are also recorded, then it is as easy as checking the oldest vote in a comment/post. To make it harder for someone to associate your voting account with your actual account, you would either need to:
- collect votes and send in randomized order (I think a minimum of 3 votes is good)
- create a new voting account on each vote
- disable voting your own comment/post
I think the best would be creating a new voting account on each vote, but that would kill moderation.
I think the best would be disabling the ability to vote your own comment/post with your voting account.
Actually yeah this is pretty easily the best option. Just make it so that every post/comment is upvoted once with your real account, and leave any other votes to the private voting account. This feels so obvious that I’m guessing it already works this way.
Actually I’ve been thinking about this more and I’ve changed my mind. If someone really wants to figure out who voted, they probably still can. It just makes it a bit harder, not impossible.
Say user X makes a post in a dead community and gets a comment from user Y. Then user X upvotes that comment. Now the comment has only two votes. One is from Y themselves and the other is almost certainly from X. The chances would be even higher if X replies to that comment too.
Or imagine a situation where user X and user Z are arguing and start downvoting each other. Depending on how new the comments are and how active the post is, it’s still possible to connect the downvotes to their real accounts.
Which is why I now think the only real way to make voting private is to generate a completely new voting account for every single vote. That would make it impossible to trace the votes back to the user across posts/comments.