this post was submitted on 19 Aug 2024
403 points (97.9% liked)

Fediverse

28715 readers
65 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
 

We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn't).

As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.

ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.

That’s all it is. Pretty simple, really.

To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.

This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.

you are viewing a single comment's thread
view the rest of the comments
[–] sabreW4K3@lazysoci.al 4 points 4 months ago (2 children)

So I've been thinking about this and I would go for a different approach.

Admins can set voting to be public or private on a server wide level.

When users vote, a key is created as the userid

The votes table is essentially: voteid, postid, userid, timestamp, salt, public

If the vote is private, userid is salt(userid, password)

And it's that simple.

[–] lazynooblet@lazysoci.al 9 points 4 months ago (1 children)

With the user id being salted it's going to be different every time. This means it'll be difficult if not impossible to monitor voting trends or abuse.

Also how would you use the password unless it was stored in the clear. If it's based on a pre-salted tuple, how does one handle password changes?

[–] sabreW4K3@lazysoci.al 2 points 4 months ago (1 children)

Dammit! Okay, cancel the salt idea. How about just a simple md5() and then it should remain a static value right?

[–] kudos@lemmy.ml 3 points 4 months ago (1 children)

Let me change my password real quick...

[–] sabreW4K3@lazysoci.al 2 points 4 months ago (1 children)

Just add a function so when you change your profile, it also pulls all records that match md5(userid, password) and then update them records too.

Though I'm convinced the overarching logic is correct, this is not my wheelhouse, so I'm probably wrong.

[–] kudos@lemmy.ml 4 points 4 months ago

You'd need to federate that, and I don't think AP allows you to change federated user IDs.

[–] sabreW4K3@lazysoci.al 1 points 4 months ago (1 children)

@dullbananas@lemmy.ca does the design hold up?

[–] dullbananas@lemmy.ca 1 points 4 months ago

This might work well with a separate per-user random secret value instead of the password.

Overall the vote privacy issue is a tough dilemma for me.