Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Discussion] Should votes be displayed publicly? #4967

Closed
dessalines opened this issue Aug 8, 2024 · 77 comments
Closed

[Discussion] Should votes be displayed publicly? #4967

dessalines opened this issue Aug 8, 2024 · 77 comments
Labels
type: discussion General talk without any clear action

Comments

@dessalines
Copy link
Member

dessalines commented Aug 8, 2024

Question

I'd like to hear everyone's thoughts on possibly making votes public. This has been discussed in a lot of other issues, but here's a dedicated one for discussion.

Positives

  • Could help fight bot and multiple-account voting.
  • Could help identify voting-patterns from specific servers.
  • Could quickly expose zero-content downvote accounts (IE accounts that have no comments or posts, only downvotes.)

Negatives

  • Privacy concerns (this was the main reason I wanted them to be private in the first place)
  • People are less likely to vote honestly if they feel others can see their votes.

Also noteworthy is that reddit and lemmy are unique in keeping vote privacy: mastodon, twitter, and most other platforms expose them.

We've already added most of the work to show votes, but this is only shown to admins and moderators (for the communities they mod). It would take very little work to make this available to all.

cc @kartikynwa @Nutomic @SleeplessOne1917 @phiresky @dullbananas

#4088 #4924 #4086 #4052

@dessalines dessalines added the type: discussion General talk without any clear action label Aug 8, 2024
@Nothing4You
Copy link
Collaborator

Nothing4You commented Aug 9, 2024

some reasons for making votes public:

  • anyone can spin up a new instance and passively (after running an auto subscribe script) gather votes from all instances with public federation
    • this does not fully apply to private instances, local-only communities, as well as instances with limited federation
  • some other software already makes votes public, such as kbin/mbin, so all votes federating to them are already publicly visible there
  • having votes publicly visible makes it very clear to end users that their votes are in fact not private
  • abuse detection without instance admin/community moderator privileges

the main argument against making votes public for me would be that it makes it a lot easier for people to harass others for their voting behavior without spending some time figuring out a way to access votes elsewhere. this is a low barrier but any barrier is more effective than no barrier and might prevent some harassment.

for the negatives you mentioned:

  • privacy concerns: votes on a federated instance are not private. if we can't ensure votes are private we should ensure that users are aware of them not being private.
  • vote honesty: while this certainly can and will impact voting behavior, it seems dishonest to not make it clear to users that their votes are not private. instance privacy policies will likely already include this information, but realistically people are typically not reading them.

@SleeplessOne1917
Copy link
Member

The positives you listed seem more useful for instance admins and community mods. However, as you and @Nothing4You pointed out, the votes aren't really private and are shown on other platforms, leading to a false sense of privacy.

@dessalines
Copy link
Member Author

the main argument against making votes public for me would be that it makes it a lot easier for people to harass others for their voting behavior without spending some time figuring out a way to access votes elsewhere. this is a low barrier but any barrier is more effective than no barrier and might prevent some harassment.

It may seem like a low barrier to us (devs and server admins), but most users aren't able or willing to spin up a server just to expose votes. But ya I agree it does give a false sense of privacy, since at least some eyes are able to see their votes.

@kartikynwa
Copy link
Contributor

I support votes public mainly for the reason that has been mentioned which is that they are visible to all federating admins.

The other reason is that the opacity introduced by making them private is good for sites like Reddit since they are for-profit and it allows them to fiddle with the voting system in ways that benefits them with no scrutiny from users. Like doing stuff like inflating vote count through bot activity. Not accusing them but it is within the realm of possibility.

For a non-profit site I think having votes public imparts a sense of goodwill, trust and transparency. In my personal experience I have never voted on a post where I wouldn't mind people knowing what my vote was. I am not sure how this works out in practice though. It is just a feeling. Since there is an option for admins to disable downvotes I think having votes public should be viable.

@Nothing4You
Copy link
Collaborator

The lowest barrier is just going to another federated service like Kbin/Mbin. I've already seen people point this out in comments in Lemmy communities multiple times that they've been looking at who voted on content by going to the community on those other services. It doesn't require any technical skills or server operation.

@rimu
Copy link

rimu commented Aug 10, 2024

In a democracy, voting is private for good reasons which transfer pretty well to this situation:

  • intimidation and coercion - people might feel pressured to vote a certain way especially if they see the vote of other influential people. This will distort the genuine popularity of content and discourage honest voting.
  • brigading and manipulation - groups could more easily coordinate their actions and see who in their group has or has not played their part
  • other forms of social pressure - voting in line with their friends or not against their friends
  • loss of trust - when votes are visible people might be less likely to vote at all, reducing engagement. When people only vote when it is safe to do so and everyone knows that, there is less reason to have faith in the truthiness of the system.
  • discrimination and retaliation - people will face a backlash, harassment or exclusion based on their voting patterns especially on controversial issues. This will lead to a less vibrant and diverse community. We have already seen a case where an admin exposed who voted for what and attacked them for it.

@QazCetelic
Copy link

QazCetelic commented Aug 11, 2024

Even though votes already aren't private, because the original votes can be exposed by running your own instance. I think the effort that is currently required to do so is non-trivial for the average user, and significantly reduces the chances of most of the issues mentioned by @rimu being a practical problem.

I think showing the total amount of votes (in either direction) by instance would be a good compromise. It could help fight bot and multiple-account voting and identify voting-patterns from specific servers, but still wouldn't make the ability to harass users who voted easily accessible (unless they host their own instance).

I would also be in favor of adding a warning that makes it clear that, with some effort, individual votes can be traced back to specific users to prevent giving a false sense of privacy.

@m3t0034
Copy link

m3t0034 commented Aug 11, 2024

it's just a count. not linked to any names. good for mods to see for a quick check of community opinion on a post.

@Nothing4You
Copy link
Collaborator

@m3t0034 this discussion isn't about showing or hiding vote counts.
it's about making individual votes, including the associated names, visible on Lemmy.

@dullbananas
Copy link
Collaborator

Vote lists should be separate from profile pages unless the user opts in, otherwise the meaning of the votes can be misinterpreted. It's kinda hard for me to explain. It could make a vote be falsely seen as a statement of support for the posts, or as a much louder one, or as having a strong intention of making people know something about the user, etc.

@maparent
Copy link

For the record, there is a third possibility: Allow access to anonymized nominal votes, i.e. hash all user ids with a secret key when giving vote data. It allows analysis of voting patterns but keeps vote privacy.

@dullbananas
Copy link
Collaborator

@maparent that's not completely private because you could compare the posts, comments, and community between a hash and each user. For example, the posts (and comments if applicable) associated with a user's post/comment votes and the posts and/or parent comments associated with comments written by that user will have a lot of overlap.

@maparent
Copy link

@dullbananas
Not wrong, but not sure it's such a huge problem in practice.
First, I want to make sure we're clear that the userId hashing would only concern voting data, not the post/comment attribution.
Second, you're right that even then it is possible to infer plausible associations, but generally not with 100% accuracy. In general, many more people vote than comment, and that should make matching more difficult. This should allow enough plausible deniability.
If we want to make inference more difficult, we could also use a different hashing key for different communities, or even per data request.
I know deanonymization is a deep field of research, and I do not pretend that what I propose would protect 100% against it; but I think we can provide a "good enough" protection for the most common cases.
That said, I think that this should ultimately be a configuration parameter. Servers which have need for extra security should make the choice to hide voting data. I just don't think this needs to be the default.

@IAmABakuAMA
Copy link

IAmABakuAMA commented Aug 14, 2024

My 2c as (mostly) just an end user:

I like how vote privacy is currently handled, and am not huge on the idea of them being exposed to all Lemmy users. Although I can see both arguments, I think publishing them would stop anyone who's aware of it from voting honestly. This may create a voting echo chamber where a lot of people either refrain from voting, or only vote with the common consensus.

The only relevant change I'd like to see made is more transparency around votes not being entirely private. I think most people (particularly on Lemmy) realise somebody can see their votes, but the default assumption is likely that it would require digging through databases. I myself didn't realise until I started dipping my toes into running an instance (after a year of just being an end user), that the votes are shown right there in the UI to administrators, including admins from other instances. I won't go so far as to say that foreign admins shouldn't be able to see local users votes, purely because I haven't seen things from an admins PoV yet. But that was my initial reaction.

E: to clarify my stance (since I really didn't do that): I think admins should be able to see votes, end users and mods should not.

@Nothing4You
Copy link
Collaborator

Nothing4You commented Aug 14, 2024

mods should not

mods can already see votes in communities they moderate since 0.19.4, so this would be reducing what is visible today:

@dessalines
Copy link
Member Author

I'd like to clarify that mods should only be able to see votes for the communities they mod only.

Admins can see all votes.

@laurolima
Copy link

The votes are already public, they're just hidden from the users. If votes were supposed to be private, then a solution like #4967 (comment) should be implemented. I suggest the votes are exposed so users know that others can see their activity instead of falling into a false sense of privacy.

Public votes (and public community follow-age) should also make easier for users to identify vote brigading if the votes are coming from people outside of a community.

Vote harassment may happen as any other type of harassment, like harassment for a comment you've made, so I don't think it's a big issue.

@phiresky phiresky changed the title [Discussion] Should votes be made public? [Discussion] Should votes be displayed publicly? Aug 18, 2024
@rimu
Copy link

rimu commented Aug 18, 2024

@laurolima I don't think privacy is a binary thing that one either has or does not - there are degrees of privacy. Currently what we have is mostly private, requiring either technical skill or admin access to circumvent. This is a pretty high bar which 99% of people would not be able to reach. You're proposing removing the bar entirely because it is not high enough.

@Ralimbahere
Copy link

I'm favour of making votes public as it will increase transparency. Everyone signed up to Lemmy using anonymous accounts, upvoting would be like commenting on a post.

@andrewmoise
Copy link

I have no strong opinion on votes being public in the Lemmy UI or not; I lean a little more on the side of making them public, but I can see good arguments both ways.

I think it's extremely obvious that, whatever the behavior is in the UI, there should be a popup the first time a user votes that warns them that their votes are not private. Anyone who wants to spin up a passive instance of their own, or pop over to a server that runs software that shows them, can see them. I think most users have an expectation of privacy when they vote, and since that privacy doesn't exist in a robust sense, we should be letting people know that.

@ancientmarinerdev
Copy link

ancientmarinerdev commented Aug 18, 2024

The 3 reasons you provided:

"Could help fight bot and multiple-account voting."
"Could help identify voting-patterns from specific servers."
"Could quickly expose zero-content downvote accounts (IE accounts that have no comments or posts, only downvotes.)"

Are all mod benefits that you are already aiming to provide. We know that admins can already see this information in a database, so have access to this. The key point with this is, if you want to help mods see these things, you only need to surface functionality to them under correct authorisation so it can help them see this information which is already in the database which part of the team has access to.

With that point, I think you can achieve the positives of this without realising the negatives (loss of privacy to the vast majority of users that are non-technical and don't see this info ; people being comfortable to be straight and honest).

What mastodon and twitter do is irrelevant, it's a platform where people are trying to build their brand and focus on how they are perceived. The focus is on the users rather than the content. It's a digital soapbox. Reddit's power, and now Lemmy's is the focus on the content. That is what link aggregation sites are about. To use a quote to emphasise that "Strong minds discuss ideas, average minds discuss events, weak minds discuss people.” If people wanted to use Mastodon, they would. We're here because Lemmy gives us a platform for quality discussion and engagement. To discuss ideas, and maybe events. People are free to behave in a way they can be honest.

I fear with this feature, you're a solving a problem that most users do not have, to benefit many that do not need this feature in this form. It's a sledgehammer approach to something that requires a scalpel. You've build a great platform that people love and use. Do not kill one of the things that makes it special. I understand the points that this can be visible from some channels, and with some solutions, but knowing that doesn't change users behaviour and how they interact with it like this would.

@ericjmorey
Copy link

I would prefer that votes remain obfuscated for those unwilling or unable to do the work to find the data. I realize that Mbin already allows easy access to the data, but the large majority of active accounts are on Lemmy federated services do not have their default UI provide easy access to the data. I hope Mbin also starts obfuscating access to the data as well.

@TheTechnician27
Copy link

TheTechnician27 commented Aug 19, 2024

Absolutely not. Privacy is not a binary thing as this poll treats it as, and I don't want the door wide open to vote stalkers to just be able to go digging around in whatever I've looked at and voted on. Voting is so second-nature to me on a platform like this that I would legitimately leave Lemmy immediately if this change went through. Mbin exposes them, sure, but this would be a dramatic reduction in privacy by trivializing the process.

@maegul
Copy link

maegul commented Aug 19, 2024

Copying my comment from lemmy on this topic, made in this post made by rimu on fediverse at lemmy dot world


I think the best way to think about this is in terms of "affordances" of the platform and the balance of their merits. "Affordances" just mean the actions and behaviours enabled by the platform's features (a jargon-y but useful word I've seen others use in these discussions).

Broader principles like privacy are important too, but I think can easily lead to less productive and relevant discussions, in part because many of the counters or complications will come down to the actual affordances.

The biggest affordance is obvious: more polarisation & abusive/antagonistic behaviour

From what I've read so far, I think everyone shares a pretty clear understanding of what public votes will lead to ... a more heated and polarising dynamic, with potential abuse vectors opening up, and less honesty and openness in voting. And I think most share a distaste for that scenario. Either way, I do, and I'd encourage others to think about how it's likely result of public votes and with the internet being the internet, is unlikely to be pleasant or fruitful.

Specific people having access doesn't decide the matter

While others have access to vote data, namely admins of instances, mods (for their communities) and members of platforms that make votes public like k/mbin, I don't think this is decisive.

It's about the behaviours that are being enabled and the balance of behaviours and how they interact to form community dynamics, with the fediverse itself being an important factor. An admin or mod having access to votes is part of making their job easier, which is a good thing. It's power and responsibility. And the moment they violate the bounds of their role by "doxing" someone's voting data, that'd obviously be a bad thing, but with countermeasures we can take. We can leave their instance or community and our instance can defederate from them ... their account can be blocked and possibly banned by admins. On balance, this seems stable and fair enough to me.

In the case of other platforms, like k/mbin, that's definitely more tricky. But again, defederation is always a possibility here if it becomes problematic enough (however dramatic that could end up). This is just the nature of the fediverse, that platforms will differ on things like this. Again, if people start abusing that information from other platforms and instances, blocking, banning are options, as is the nuclear option of defederation with any such instances (which is a core balancing feature of the fediverse).

As it presently stands, k/mbin are a minority of users on the threadiverse and so whatever their platform choices are don't really affect the rest of the threadiverse.

In the end, you can only make the best platform that you can. That k/mbin do something we don't want to do isn't a good reason for following suite. If anything, it's a good reason to stick with what we prefer and continue to make the argument with them on their choices.

Privacy and transparency are relevant but not decisive

I agree it's an issue that it seems votes are private when they aren't. Again, I come back to the balance of affordances, and I think they're better as they are than with public votes. However misleading the privacy situation is, it can be handled by being more transparent with users by providing warnings etc.

Ultimately, the privacy problem on the fediverse is not going away any time soon ... it's the nature of decentralisation, and this should maybe be made more clear to more people! But making a better platform is a real problem in front of us right now and I think it's better to focus on that than how the general issue of privacy or consistency with privacy is best served.

Other platforms aren't that relevant

I think I saw someone mentioning in the GitHub dicussion that other platforms expose vote data. While true, many of those would be microblogging platforms (mastodon, twitter, bluesky etc), where, again, the balance of affordances becomes relevant. A "vote" there, normally called a "like" is a personal action between user accounts that are likely to follow each other with such being the core mechanic of the platform. On aggregators like lemmy/reddit, the core mechanic is making popular posts so that your content gets to the top of the feed (roughly anyway). While there's a lot of overlap, there's more angst here around what gets voted on and what doesn't and less inter-personal accountability and bonding. Posts and discussions are more public affairs and less conversations between people.

Technical can of worms

I wonder if making votes public would create the need or desire for enabling more post-specific options for users, such as making a post that can't be voted on or that doesn't provide public voting data?

What about the children!!

In the end, my bet would be that at the scale that lemmy is at, it won't make too much of a difference if votes were made public. I think some would definitely encounter more unpleasantness and some would definitely find voting a more stressful affair, but we're cosy enough that we'll cope. Going forward though, public voting for an aggregator feels dangerous and hard to undo. Yes, it could be technically removed, but if a culture is established that is accustomed to it and become desensitised to the negatives, they'll probably want to hold on to it.

@raminf
Copy link

raminf commented Aug 19, 2024

I don't see a point in associating votes with an individual's ID. The reason IRL votes are private is because people were pressured, shamed, and harassed into voting a certain way. Even if your ID is anonymous, there's always the chance that the vote will be made public and the person will be doxxed and ostracized for what they thought was their free expression.

Some of the reasons stated for making votes public (anti-bot, anti-brigading) could be technically accomplished without exposing an individual's opinion (proxy IDs, etc.) I would even go farther and hide the voting data from mods and admins. It is way too easy for a mod to block people who vote the opposite way than the mod's personal opinions. Mods should make decisions based on content, not on who up/down voted something.

Lastly, open display of votes will stifle participation of those, especially in marginalized groups, who are rightfully worried about being targeted. There is a long history of voter intimidation and vote buying that led to the practice of private voting. Upvoting a shitpost may not seem that important, but the principle is the same.

@moosetwin0
Copy link

moosetwin0 commented Aug 19, 2024

Against due to the issues with harassment and circlejerk that others have mentioned, but I want to (somewhat unrelatedly) mention an issue that may arise in the future regardless if instance admins can see who voted in which ways:

Being able to see votes if you have an instance could easily lead to someone setting up a website showing all of the votes seen from their instance, and then potentially connect that to a userscript or extension so that some(!) users can see the votes anyways (people will mod(ify) lemmy, and some of those people will be bad actors.) This has somewhat been seen with the Discord Undeleter plugin.

(This is unrelated, but could someone explain why admins are allowed to see how people not on their instance voted? Is this to prevent bad actors from inventing fake votes?)

@mjshonty
Copy link

My perspective is coming from a regular user perspective and as someone who has no experience moderating or administering a community.

I like the level if privacy where it is now. I think if votes were completely public bad actors would still behave poorly. Even if the public voting helps address the problems mentioned I would be concerned that a lower barrier to entry with identifying individuals and their votes on certain topics for bad actors. That could lead to harassment that follows users around the internet.

@ViableSystemModel
Copy link

ViableSystemModel commented Aug 19, 2024

The current setup establishes an asymmetry between moderators/admins and regular users. I can understand why this would be necessary for something like reports (reports are anonymous to prevent retaliation), but I see no reason for it to apply to votes.

People complaining about circlejerking or vote policing have no faith in their admins to develop their instance's culture's expectations surrounding the changes. This is just as much a human issue as it is a technical or logistical one. Toxic instances are going to be toxic whether you give them more tools to do so or not. I don't see this proposed change making any non-toxic instances suddenly devolve into chaos and would go as far as to say that worries about that happening are catastrophizing about the situation.

@Totallynotmwa
Copy link

There should be a option to hide yourself

@Cynosure-null
Copy link

Would it be possible to only federate the number of upvotes as opposed to federating each upvote object? Being able to spool up an instance to track upvotes seems like it could be used for harassment.

@IAmABakuAMA
Copy link

Would it be possible to only federate the number of upvotes as opposed to federating each upvote object? Being able to spool up an instance to track upvotes seems like it could be used for harassment.

My personal "ideal" would be that admins should be able to see votes - but only for the users of their own instance. I see the merit in being able to detect upvote/downvote abuse, but I don't see why every random little personal instance should be able to see how people on other instances voted. I don't mind so much if they can see the votes, but they have to go digging through the database or vote logs, but I do see an issue with them being able to see foreign votes right in the UI.

@dessalines
Copy link
Member Author

Everyone here making very good points. I'm personally most convinced by @ancientmarinerdev 's solid arguments here: that this is really a mod-specific problem that should be using a scalpel, rather than a sledgehammer approach, and that there are too many privacy-related concerns to make opening them up be a net positive. I'm just one voice here though, this should be a community decision.

Side point, but could someone please open up and link an equivalent issue on the mbin repo? All of the privacy concerns above apply just as much to them as us, and if any fediverse service allows any non-mod to trivially view votes, then all our efforts to keep votes private-(ish) are moot.

@TeoTwawki
Copy link

TeoTwawki commented Aug 19, 2024

I'm strongly conflicted on this.

People judge people enough already exposing thier votes further (I've read of a method for seeing them already) surely will make people more prone to revenge voting.

On the other hand bad actors can't hide what they just voted on.

I really feel like only the mods/admins should see this type of info, or it should be optional, but those options don't help because you'd still lose privacy and anyone could set up an instance to gather that info anyway, right?

I think in the end whether this positive or negative comes down to community culture and human nature, and thats kind of a crapshoot.

I guess ultimately I have to say I'm against this. I don't forsee the good outweighing the bad from this.

Edit: If anything we should tokenize things to give people the privacy they erroneously thought they already had.

@TeoTwawki
Copy link

Side point, but could someone please open up and link an equivalent issue on the mbin repo? All of the privacy concerns above apply just as much to them as us, and if any fediverse service allows any non-mod to trivially view votes, then all our efforts to keep votes private-(ish) are moot.

I think we could potentially tokenize user strings to still work within the existing framework. I'd need to do a do a dive of code I'm unfamilar with to really know but a cursory glance it looks at least a possibility.

@m3t0034
Copy link

m3t0034 commented Aug 19, 2024

It seems trivial to verify the account and then increment a couple counters. up/down and be happy. wanting to track an up/down vote to a person seems creepy and pointless. I use them to see what the community thinks about a reported post. Am I doing it wrong? this seems like a no-brainer. Always thought they were anonymous and 'who voted this down?' except when some probable bot was down-voting everything a couple times. weird but harmless.

@DraconicNEO
Copy link

I support making them public, they are not really private as it is, and while you say that it's a big barrier for somebody to host their own instance to see them it is not a big barrier for somebody to host another activity pub instance that does have them visible. Kbin and Mbin do that already to an extent.

So the only privacy that anyone really gets from them being hidden on Lemmy is a false sense of privacy. Which in a way is worse than no privacy at all. People who use the fediverse need to get used to the fact that things are not private here, that's the point of interoperability, trying to convince them that they have fake privacy is just going to make them feel self entitled and violated when they learn that nothing here is really private, which shouldn't really be expected as it is a public and decentralized forum.

@DraconicNEO
Copy link

What of the people who voted on nsfw lgbt content expecting the vote to be hidden from the public.

This could unwittingly out someone in locations where they may be prosecuted for their sexuality.

I think this discussion should be about fixing the security situation that any federating instance admin can see the list of up/down-voters

While that does sound like a scary situation something like that is already possible, right now as it is because the votes are federated to all servers. This includes other activitypub servers which may not have the same strange fake privacy ideals as Lemmy. @dessalines is very misled in his idea about it being a big enough barrier for people to host their own instances because while it is probably true in most cases it is also irrelevant because it is not just Lemmy that can access this data but any other federated software that is compatible. Such software does not have to conform to the wishes of the devs of Lemmy and thus it may show these votes publicly already.

It's also not inconceivable that somebody could add these changes to a fork and thus make public voting data on any instances that use their fork.

@NaevaTheCat
Copy link

Adding my voice as someone who says they already are public, there is nothing stopping anyone running an instance or any other piece of activitypub software from seeing them. Said person can also trivially make that information as widely or narrowly available as they like.

I don't think users are done any favours by pretending they are private as bad actors can already do whatever odious crap they want to and it leads people into a false sense of security. For example someone liking controversial content on an account which can be traced to an identity they may need to keep separate is already taking a massive risk under a false assumption of privacy.

In general soc med and fediverse show support publicly. We need to be upfront to users about how this works and figure out how to resolve any social problems that arise by using the technology, as opposed to hoping users are basically too ignorant to know what is really going on.

@wason-sonico
Copy link

Quote from the initial post:

Positives
• Could help fight bot and multiple-account voting.
• Could help identify voting-patterns from specific servers.
• Could quickly expose zero-content downvote accounts (IE accounts that have no comments or posts, only downvotes.)

All the positives seem to help moderation only, nothing for the normal user.

Then you have this:

We've already added most of the work to show votes, but this is only shown to admins and moderators (for the communities they mod).

So if mods and admins can already see this and there's no real benefit for normal users then why even do this?

@trymeouteh
Copy link

Voting is already fine the way it is. Instances can even choose to disable downvotes if they wish.

Yes instance owners do have the data on who voted for who by simply hosting but this data should be private.

@DejayRezme
Copy link

I don't see how normal users benefit from the positives, this is far too much data to investigate. You should have algorithms or AI or other counter measures to moderate users.

The big question is how that will influence the etiquette and social "zerg" dynamic that is already there. If you vote wrong you're labeled either fascist, tankie, limbrol or centrist. My guess is that vote participation generally will drop significantly. I probably won't participate much. It used to be that you would upvote a comment that was well argued even if you didn't agree, and that you don't downvote things just based on your political orientation but based on quality. That is already gone now though. But I imagine it will get much worse with public voting.

There is a reason why voting in elections is private.

Maybe some type of clever mathematical algorithm similar to blockchain to allow users to vote truly anonymously. Or so that only the backbone software has access to statistics that can detect bots and malicious voting patterns. But malicious actors will min-max any system.

@IAmABakuAMA
Copy link

I'm just one voice here though, this should be a community decision.

Dessalines, thank you for consulting with the community and listening to our feedback around this. Please know that we all appreciate it. I'm grateful to have been part of this discussion.

And I don't want to miss the opportunity to throw shade at Reddit: if they had decided to do something similar to this, they absolutely would not have asked. They probably wouldn't have even told their site wide moderators and administrators about the change until a week after it was rolled out, and then no doubt they would've bungled things and probably decided to straight up remove the downvote button for everybody just 'cause.

@GeckoEidechse
Copy link

If votes should become public, they should be publicly accessible by everyone and that information should be made clear to the user on performing a vote.

It's important that there's no form of tech-gatekeeping going on where only the tech-literate have the ability to see the votes (e.g. cause they are only accessible via API), while the less tech-literate are in believe that votes are private.
Similarly, it goes without saying that this should not be applied retroactively, i.e. every vote made before a potential change needs to stay private as it was cast under the assumption that it would not be publicly visible.

@evlogiy
Copy link

evlogiy commented Aug 20, 2024

I don't really care about this issue, but I definitely care that there's still no way to vote anonymously. I'm not tech-savvy enough to know how to make it happen, but it’s definitely possible since Monero does it for transactions on a public blockchain.

@claudiusli
Copy link

claudiusli commented Aug 20, 2024

Why do we want votes in the first place?

Votes are useful because they allow readers to sort posts.
A user can currently choose from several different algorithms that seem to sort on some function of votes and time (including the option of ignoring votes all together and just sorting on time). Public votes allow the reader to differentiate among votes.

Votes aren't ballots.
When we're electing leaders, anonymous votes are important for all the reasons people have state elsewhere. We don't need to differentiate between voters because we explicitly state that all voters are the same in the eyes of the state. No person's vote counts more than anyone else's so we don't care who cast a vote, only that we limit individuals to a single vote.

Anonymous ballots allow a society to select the best leader without fear that bad actors can corrupt the voting process. Anonymous votes prevent users from understanding the intent behind votes and make it easier to corrupt the process.

Consider a couple of hypothetical posts that have been upvoted by different people:

  • some rando who thinks the post is cool
  • a troll who's in it for the lulz
  • a bot
  • an expert in the field
  • a total idiot
  • someone who's dating the poster
  • 3 toddlers in a trenchoat

Some of those votes are obviously more valuable than others. There are a few I'd like to ignore all together.

Is it possible to have a hybrid system?
Voters could choose to make their votes public or anonymous and readers could choose how to interpret them
There could be an account level setting for (public vs anonymous) that could be overridden for a particular vote.
Users could choose to include or ignore anonymous comments when calculating sort order.
When you mouse over the vote count number you would see something like "312(100) Upvotes - 42(12) Downvotes", which would mean "312 people upvoted this and 100 of them are public about who they are."
Clicking on the number would give you a list of the people who publicized their votes.

@TheLongLife
Copy link

Keep votes anonymous to users, visible to mods and admins. Add favorite button which will function similarly to re🤮it rewards except it's free to gift and the gifter list is public. In case people want to publicly show they like the post/comment.

@IAmABakuAMA
Copy link

Add favorite button which will function similarly to re🤮it rewards except it's free to gift and the gifter list is public.

I don't support this

@claudiusli
Copy link

It's also worth pointing out that it's trivial for even a non-technical user to preserve the privacy of their votes.

Just make a dummy account. Alt accounts are a common practice across almost all sites that allow account creation. Even in cases where the ToS specifically disallow multiple accounts, users tend to find ways around it.

It's a way to be much more anonymous, even under the current system and a more public system does nothing to reduce the privacy benefits of creating an alt account.

@dullbananas
Copy link
Collaborator

My idea:

  • Public votes are federated and publicly listed.
  • Private votes are local-only. Instance admins can view them and disable private voting.
  • For score calculations, local votes are multiplied by a weight so that votes from other instances don't have almost all control over scores. The weight is a single instance-wide value calculated using statistics of all votes and instances in the database.
    • weight = estimated vote count for non malicious instances / vote count for local instance
    • estimated vote count for non malicious instances = number of instances including local instance * median of each instance's vote count
  • A user setting determines the default vote type, and the menu on posts and comments shows buttons to do the non-default vote type (e.g. "add private upvote" and "add private downvote" items). The default vote type for a newly created user is private votes if they're enabled.
  • The vote type of previous votes can be changed in bulk. It can be done for all votes, for all votes in a community, or for all votes associated with a post. Each bulk change is saved to allow undoing.

@dullbananas
Copy link
Collaborator

Actually, the user's default vote type should initially be null, then selected when voting for the first time. And in that prompt, it should be made clear that private votes are local-only and much less effective.

@dullbananas
Copy link
Collaborator

dullbananas commented Aug 26, 2024

Private upvotes (not downvotes) should be visible to the post/comment creator and the admins of that person's instance

@DraconicNEO
Copy link

I want people to actually think about this for a moment if you're talking about the importance of privacy, Lemmy is part of the Fediverse, the Fediverse is a collection of decentralized servers that communicate over activitypub. All federated data, votes included, is shared over Activitypub with other servers. Lemmy can restrict the visibility for a sense of privacy or anonymity but since all the data is handed to the other servers this is a false sense of privacy. Said servers absolutely do not need to abide by @dessalines' or @Nutomic's wishes in this department, and other software are also free to implement it differently too.

People may argue that hosting a server is technically challenging but only a few actually need to do it in this regard, really if one software or fork implements it then there would be servers that have it and servers that don't. Destroying all false privacy then and there. So the best thing to do is to not create false privacy or entitlement to it, that does not help people.

That's the sacrifice to being in the Fediverse, you sacrifice the illusion of privacy on public facing posts for the sake of interoperability and resilience against single bad faith actors. Some people don't want to do that, and that's okay, though personally I'd rather do that than trust Elon Musk or Steve Huffman, as it's not a lot to ask on a publicly facing forum.

@Nutomic
Copy link
Member

Nutomic commented Sep 12, 2024

Based on the discussion here, the majority of users are against making votes completely public and expect a certain level of privacy. If we make votes public, there is a risk that users will vote less, which means that post ranking will work worse. On the other hand there are legitimate reasons for admins and mods to see the votes, which is already implemented. Some people want to make votes even more private, but that could be very complicated to implement and have little benefit. One option I would consider is to let admins see only votes in locally hosted communities, so its not as easy as setting up an instance and seeing all votes directly on the website (but they can still be seen through the database or by modifying the source code).

Generally I believe the way votes are handled now is a good compromise and wouldnt change it. However it is not clear for new users that votes are only semi-private. To explain this, I would add an info dialog when a user votes for the first time.

Regarding votes being visible on Mbin I just opened an issue in their repo. However its always possible that other projects ignore the vote privacy and there is nothing we can do except ask nicely.

@dessalines
Copy link
Member Author

Closing as the overall consensus is to keep vote privacy as it is.

As far as telling users about the current limitations of vote privacy (IE admins can see them, and other software that doesn't feel as strongly about vote privacy can also see them), that's something that should go in the /legal site markdown.

@dessalines dessalines closed this as not planned Won't fix, can't repro, duplicate, stale Sep 12, 2024
@LemmyNet LemmyNet locked as resolved and limited conversation to collaborators Sep 12, 2024
@Nutomic
Copy link
Member

Nutomic commented Sep 13, 2024

I added a short text in the documentation regarding vote privacy.

LemmyNet/lemmy-docs#320

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
type: discussion General talk without any clear action
Projects
None yet
Development

No branches or pull requests