-
-
Notifications
You must be signed in to change notification settings - Fork 884
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Discussion] Should votes be displayed publicly? #4967
Comments
some reasons for making votes public:
the main argument against making votes public for me would be that it makes it a lot easier for people to harass others for their voting behavior without spending some time figuring out a way to access votes elsewhere. this is a low barrier but any barrier is more effective than no barrier and might prevent some harassment. for the negatives you mentioned:
|
The positives you listed seem more useful for instance admins and community mods. However, as you and @Nothing4You pointed out, the votes aren't really private and are shown on other platforms, leading to a false sense of privacy. |
It may seem like a low barrier to us (devs and server admins), but most users aren't able or willing to spin up a server just to expose votes. But ya I agree it does give a false sense of privacy, since at least some eyes are able to see their votes. |
I support votes public mainly for the reason that has been mentioned which is that they are visible to all federating admins. The other reason is that the opacity introduced by making them private is good for sites like Reddit since they are for-profit and it allows them to fiddle with the voting system in ways that benefits them with no scrutiny from users. Like doing stuff like inflating vote count through bot activity. Not accusing them but it is within the realm of possibility. For a non-profit site I think having votes public imparts a sense of goodwill, trust and transparency. In my personal experience I have never voted on a post where I wouldn't mind people knowing what my vote was. I am not sure how this works out in practice though. It is just a feeling. Since there is an option for admins to disable downvotes I think having votes public should be viable. |
The lowest barrier is just going to another federated service like Kbin/Mbin. I've already seen people point this out in comments in Lemmy communities multiple times that they've been looking at who voted on content by going to the community on those other services. It doesn't require any technical skills or server operation. |
In a democracy, voting is private for good reasons which transfer pretty well to this situation:
|
Even though votes already aren't private, because the original votes can be exposed by running your own instance. I think the effort that is currently required to do so is non-trivial for the average user, and significantly reduces the chances of most of the issues mentioned by @rimu being a practical problem. I think showing the total amount of votes (in either direction) by instance would be a good compromise. It could help fight bot and multiple-account voting and identify voting-patterns from specific servers, but still wouldn't make the ability to harass users who voted easily accessible (unless they host their own instance). I would also be in favor of adding a warning that makes it clear that, with some effort, individual votes can be traced back to specific users to prevent giving a false sense of privacy. |
it's just a count. not linked to any names. good for mods to see for a quick check of community opinion on a post. |
@m3t0034 this discussion isn't about showing or hiding vote counts. |
Vote lists should be separate from profile pages unless the user opts in, otherwise the meaning of the votes can be misinterpreted. It's kinda hard for me to explain. It could make a vote be falsely seen as a statement of support for the posts, or as a much louder one, or as having a strong intention of making people know something about the user, etc. |
For the record, there is a third possibility: Allow access to anonymized nominal votes, i.e. hash all user ids with a secret key when giving vote data. It allows analysis of voting patterns but keeps vote privacy. |
@maparent that's not completely private because you could compare the posts, comments, and community between a hash and each user. For example, the posts (and comments if applicable) associated with a user's post/comment votes and the posts and/or parent comments associated with comments written by that user will have a lot of overlap. |
@dullbananas |
My 2c as (mostly) just an end user: I like how vote privacy is currently handled, and am not huge on the idea of them being exposed to all Lemmy users. Although I can see both arguments, I think publishing them would stop anyone who's aware of it from voting honestly. This may create a voting echo chamber where a lot of people either refrain from voting, or only vote with the common consensus. The only relevant change I'd like to see made is more transparency around votes not being entirely private. I think most people (particularly on Lemmy) realise somebody can see their votes, but the default assumption is likely that it would require digging through databases. I myself didn't realise until I started dipping my toes into running an instance (after a year of just being an end user), that the votes are shown right there in the UI to administrators, including admins from other instances. I won't go so far as to say that foreign admins shouldn't be able to see local users votes, purely because I haven't seen things from an admins PoV yet. But that was my initial reaction. E: to clarify my stance (since I really didn't do that): I think admins should be able to see votes, end users and mods should not. |
mods can already see votes in communities they moderate since 0.19.4, so this would be reducing what is visible today: |
I'd like to clarify that mods should only be able to see votes for the communities they mod only. Admins can see all votes. |
The votes are already public, they're just hidden from the users. If votes were supposed to be private, then a solution like #4967 (comment) should be implemented. I suggest the votes are exposed so users know that others can see their activity instead of falling into a false sense of privacy. Public votes (and public community follow-age) should also make easier for users to identify vote brigading if the votes are coming from people outside of a community. Vote harassment may happen as any other type of harassment, like harassment for a comment you've made, so I don't think it's a big issue. |
@laurolima I don't think privacy is a binary thing that one either has or does not - there are degrees of privacy. Currently what we have is mostly private, requiring either technical skill or admin access to circumvent. This is a pretty high bar which 99% of people would not be able to reach. You're proposing removing the bar entirely because it is not high enough. |
I'm favour of making votes public as it will increase transparency. Everyone signed up to Lemmy using anonymous accounts, upvoting would be like commenting on a post. |
I have no strong opinion on votes being public in the Lemmy UI or not; I lean a little more on the side of making them public, but I can see good arguments both ways. I think it's extremely obvious that, whatever the behavior is in the UI, there should be a popup the first time a user votes that warns them that their votes are not private. Anyone who wants to spin up a passive instance of their own, or pop over to a server that runs software that shows them, can see them. I think most users have an expectation of privacy when they vote, and since that privacy doesn't exist in a robust sense, we should be letting people know that. |
The 3 reasons you provided: "Could help fight bot and multiple-account voting." Are all mod benefits that you are already aiming to provide. We know that admins can already see this information in a database, so have access to this. The key point with this is, if you want to help mods see these things, you only need to surface functionality to them under correct authorisation so it can help them see this information which is already in the database which part of the team has access to. With that point, I think you can achieve the positives of this without realising the negatives (loss of privacy to the vast majority of users that are non-technical and don't see this info ; people being comfortable to be straight and honest). What mastodon and twitter do is irrelevant, it's a platform where people are trying to build their brand and focus on how they are perceived. The focus is on the users rather than the content. It's a digital soapbox. Reddit's power, and now Lemmy's is the focus on the content. That is what link aggregation sites are about. To use a quote to emphasise that "Strong minds discuss ideas, average minds discuss events, weak minds discuss people.” If people wanted to use Mastodon, they would. We're here because Lemmy gives us a platform for quality discussion and engagement. To discuss ideas, and maybe events. People are free to behave in a way they can be honest. I fear with this feature, you're a solving a problem that most users do not have, to benefit many that do not need this feature in this form. It's a sledgehammer approach to something that requires a scalpel. You've build a great platform that people love and use. Do not kill one of the things that makes it special. I understand the points that this can be visible from some channels, and with some solutions, but knowing that doesn't change users behaviour and how they interact with it like this would. |
I would prefer that votes remain obfuscated for those unwilling or unable to do the work to find the data. I realize that Mbin already allows easy access to the data, but the large majority of active accounts are on Lemmy federated services do not have their default UI provide easy access to the data. I hope Mbin also starts obfuscating access to the data as well. |
Absolutely not. Privacy is not a binary thing as this poll treats it as, and I don't want the door wide open to vote stalkers to just be able to go digging around in whatever I've looked at and voted on. Voting is so second-nature to me on a platform like this that I would legitimately leave Lemmy immediately if this change went through. Mbin exposes them, sure, but this would be a dramatic reduction in privacy by trivializing the process. |
Copying my comment from lemmy on this topic, made in this post made by rimu on fediverse at lemmy dot world I think the best way to think about this is in terms of "affordances" of the platform and the balance of their merits. "Affordances" just mean the actions and behaviours enabled by the platform's features (a jargon-y but useful word I've seen others use in these discussions). Broader principles like privacy are important too, but I think can easily lead to less productive and relevant discussions, in part because many of the counters or complications will come down to the actual affordances. The biggest affordance is obvious: more polarisation & abusive/antagonistic behaviourFrom what I've read so far, I think everyone shares a pretty clear understanding of what public votes will lead to ... a more heated and polarising dynamic, with potential abuse vectors opening up, and less honesty and openness in voting. And I think most share a distaste for that scenario. Either way, I do, and I'd encourage others to think about how it's likely result of public votes and with the internet being the internet, is unlikely to be pleasant or fruitful. Specific people having access doesn't decide the matterWhile others have access to vote data, namely admins of instances, mods (for their communities) and members of platforms that make votes public like k/mbin, I don't think this is decisive. It's about the behaviours that are being enabled and the balance of behaviours and how they interact to form community dynamics, with the fediverse itself being an important factor. An admin or mod having access to votes is part of making their job easier, which is a good thing. It's power and responsibility. And the moment they violate the bounds of their role by "doxing" someone's voting data, that'd obviously be a bad thing, but with countermeasures we can take. We can leave their instance or community and our instance can defederate from them ... their account can be blocked and possibly banned by admins. On balance, this seems stable and fair enough to me. In the case of other platforms, like k/mbin, that's definitely more tricky. But again, defederation is always a possibility here if it becomes problematic enough (however dramatic that could end up). This is just the nature of the fediverse, that platforms will differ on things like this. Again, if people start abusing that information from other platforms and instances, blocking, banning are options, as is the nuclear option of defederation with any such instances (which is a core balancing feature of the fediverse). As it presently stands, k/mbin are a minority of users on the threadiverse and so whatever their platform choices are don't really affect the rest of the threadiverse. In the end, you can only make the best platform that you can. That k/mbin do something we don't want to do isn't a good reason for following suite. If anything, it's a good reason to stick with what we prefer and continue to make the argument with them on their choices. Privacy and transparency are relevant but not decisiveI agree it's an issue that it seems votes are private when they aren't. Again, I come back to the balance of affordances, and I think they're better as they are than with public votes. However misleading the privacy situation is, it can be handled by being more transparent with users by providing warnings etc. Ultimately, the privacy problem on the fediverse is not going away any time soon ... it's the nature of decentralisation, and this should maybe be made more clear to more people! But making a better platform is a real problem in front of us right now and I think it's better to focus on that than how the general issue of privacy or consistency with privacy is best served. Other platforms aren't that relevantI think I saw someone mentioning in the GitHub dicussion that other platforms expose vote data. While true, many of those would be microblogging platforms (mastodon, twitter, bluesky etc), where, again, the balance of affordances becomes relevant. A "vote" there, normally called a "like" is a personal action between user accounts that are likely to follow each other with such being the core mechanic of the platform. On aggregators like lemmy/reddit, the core mechanic is making popular posts so that your content gets to the top of the feed (roughly anyway). While there's a lot of overlap, there's more angst here around what gets voted on and what doesn't and less inter-personal accountability and bonding. Posts and discussions are more public affairs and less conversations between people. Technical can of wormsI wonder if making votes public would create the need or desire for enabling more post-specific options for users, such as making a post that can't be voted on or that doesn't provide public voting data? What about the children!!In the end, my bet would be that at the scale that lemmy is at, it won't make too much of a difference if votes were made public. I think some would definitely encounter more unpleasantness and some would definitely find voting a more stressful affair, but we're cosy enough that we'll cope. Going forward though, public voting for an aggregator feels dangerous and hard to undo. Yes, it could be technically removed, but if a culture is established that is accustomed to it and become desensitised to the negatives, they'll probably want to hold on to it. |
I don't see a point in associating votes with an individual's ID. The reason IRL votes are private is because people were pressured, shamed, and harassed into voting a certain way. Even if your ID is anonymous, there's always the chance that the vote will be made public and the person will be doxxed and ostracized for what they thought was their free expression. Some of the reasons stated for making votes public (anti-bot, anti-brigading) could be technically accomplished without exposing an individual's opinion (proxy IDs, etc.) I would even go farther and hide the voting data from mods and admins. It is way too easy for a mod to block people who vote the opposite way than the mod's personal opinions. Mods should make decisions based on content, not on who up/down voted something. Lastly, open display of votes will stifle participation of those, especially in marginalized groups, who are rightfully worried about being targeted. There is a long history of voter intimidation and vote buying that led to the practice of private voting. Upvoting a shitpost may not seem that important, but the principle is the same. |
Against due to the issues with harassment and circlejerk that others have mentioned, but I want to (somewhat unrelatedly) mention an issue that may arise in the future regardless if instance admins can see who voted in which ways: Being able to see votes if you have an instance could easily lead to someone setting up a website showing all of the votes seen from their instance, and then potentially connect that to a userscript or extension so that some(!) users can see the votes anyways (people will mod(ify) lemmy, and some of those people will be bad actors.) This has somewhat been seen with the Discord Undeleter plugin. (This is unrelated, but could someone explain why admins are allowed to see how people not on their instance voted? Is this to prevent bad actors from inventing fake votes?) |
My perspective is coming from a regular user perspective and as someone who has no experience moderating or administering a community. I like the level if privacy where it is now. I think if votes were completely public bad actors would still behave poorly. Even if the public voting helps address the problems mentioned I would be concerned that a lower barrier to entry with identifying individuals and their votes on certain topics for bad actors. That could lead to harassment that follows users around the internet. |
The current setup establishes an asymmetry between moderators/admins and regular users. I can understand why this would be necessary for something like reports (reports are anonymous to prevent retaliation), but I see no reason for it to apply to votes. People complaining about circlejerking or vote policing have no faith in their admins to develop their instance's culture's expectations surrounding the changes. This is just as much a human issue as it is a technical or logistical one. Toxic instances are going to be toxic whether you give them more tools to do so or not. I don't see this proposed change making any non-toxic instances suddenly devolve into chaos and would go as far as to say that worries about that happening are catastrophizing about the situation. |
There should be a option to hide yourself |
Would it be possible to only federate the number of upvotes as opposed to federating each upvote object? Being able to spool up an instance to track upvotes seems like it could be used for harassment. |
My personal "ideal" would be that admins should be able to see votes - but only for the users of their own instance. I see the merit in being able to detect upvote/downvote abuse, but I don't see why every random little personal instance should be able to see how people on other instances voted. I don't mind so much if they can see the votes, but they have to go digging through the database or vote logs, but I do see an issue with them being able to see foreign votes right in the UI. |
Everyone here making very good points. I'm personally most convinced by @ancientmarinerdev 's solid arguments here: that this is really a mod-specific problem that should be using a scalpel, rather than a sledgehammer approach, and that there are too many privacy-related concerns to make opening them up be a net positive. I'm just one voice here though, this should be a community decision. Side point, but could someone please open up and link an equivalent issue on the mbin repo? All of the privacy concerns above apply just as much to them as us, and if any fediverse service allows any non-mod to trivially view votes, then all our efforts to keep votes private-(ish) are moot. |
I'm strongly conflicted on this. People judge people enough already exposing thier votes further (I've read of a method for seeing them already) surely will make people more prone to revenge voting. On the other hand bad actors can't hide what they just voted on. I really feel like only the mods/admins should see this type of info, or it should be optional, but those options don't help because you'd still lose privacy and anyone could set up an instance to gather that info anyway, right? I think in the end whether this positive or negative comes down to community culture and human nature, and thats kind of a crapshoot. I guess ultimately I have to say I'm against this. I don't forsee the good outweighing the bad from this. Edit: If anything we should tokenize things to give people the privacy they erroneously thought they already had. |
I think we could potentially tokenize user strings to still work within the existing framework. I'd need to do a do a dive of code I'm unfamilar with to really know but a cursory glance it looks at least a possibility. |
It seems trivial to verify the account and then increment a couple counters. up/down and be happy. wanting to track an up/down vote to a person seems creepy and pointless. I use them to see what the community thinks about a reported post. Am I doing it wrong? this seems like a no-brainer. Always thought they were anonymous and 'who voted this down?' except when some probable bot was down-voting everything a couple times. weird but harmless. |
I support making them public, they are not really private as it is, and while you say that it's a big barrier for somebody to host their own instance to see them it is not a big barrier for somebody to host another activity pub instance that does have them visible. Kbin and Mbin do that already to an extent. So the only privacy that anyone really gets from them being hidden on Lemmy is a false sense of privacy. Which in a way is worse than no privacy at all. People who use the fediverse need to get used to the fact that things are not private here, that's the point of interoperability, trying to convince them that they have fake privacy is just going to make them feel self entitled and violated when they learn that nothing here is really private, which shouldn't really be expected as it is a public and decentralized forum. |
While that does sound like a scary situation something like that is already possible, right now as it is because the votes are federated to all servers. This includes other activitypub servers which may not have the same strange fake privacy ideals as Lemmy. @dessalines is very misled in his idea about it being a big enough barrier for people to host their own instances because while it is probably true in most cases it is also irrelevant because it is not just Lemmy that can access this data but any other federated software that is compatible. Such software does not have to conform to the wishes of the devs of Lemmy and thus it may show these votes publicly already. It's also not inconceivable that somebody could add these changes to a fork and thus make public voting data on any instances that use their fork. |
Adding my voice as someone who says they already are public, there is nothing stopping anyone running an instance or any other piece of activitypub software from seeing them. Said person can also trivially make that information as widely or narrowly available as they like. I don't think users are done any favours by pretending they are private as bad actors can already do whatever odious crap they want to and it leads people into a false sense of security. For example someone liking controversial content on an account which can be traced to an identity they may need to keep separate is already taking a massive risk under a false assumption of privacy. In general soc med and fediverse show support publicly. We need to be upfront to users about how this works and figure out how to resolve any social problems that arise by using the technology, as opposed to hoping users are basically too ignorant to know what is really going on. |
Quote from the initial post:
All the positives seem to help moderation only, nothing for the normal user. Then you have this:
So if mods and admins can already see this and there's no real benefit for normal users then why even do this? |
Voting is already fine the way it is. Instances can even choose to disable downvotes if they wish. Yes instance owners do have the data on who voted for who by simply hosting but this data should be private. |
I don't see how normal users benefit from the positives, this is far too much data to investigate. You should have algorithms or AI or other counter measures to moderate users. The big question is how that will influence the etiquette and social "zerg" dynamic that is already there. If you vote wrong you're labeled either fascist, tankie, limbrol or centrist. My guess is that vote participation generally will drop significantly. I probably won't participate much. It used to be that you would upvote a comment that was well argued even if you didn't agree, and that you don't downvote things just based on your political orientation but based on quality. That is already gone now though. But I imagine it will get much worse with public voting. There is a reason why voting in elections is private. Maybe some type of clever mathematical algorithm similar to blockchain to allow users to vote truly anonymously. Or so that only the backbone software has access to statistics that can detect bots and malicious voting patterns. But malicious actors will min-max any system. |
Dessalines, thank you for consulting with the community and listening to our feedback around this. Please know that we all appreciate it. I'm grateful to have been part of this discussion. And I don't want to miss the opportunity to throw shade at Reddit: if they had decided to do something similar to this, they absolutely would not have asked. They probably wouldn't have even told their site wide moderators and administrators about the change until a week after it was rolled out, and then no doubt they would've bungled things and probably decided to straight up remove the downvote button for everybody just 'cause. |
If votes should become public, they should be publicly accessible by everyone and that information should be made clear to the user on performing a vote. It's important that there's no form of tech-gatekeeping going on where only the tech-literate have the ability to see the votes (e.g. cause they are only accessible via API), while the less tech-literate are in believe that votes are private. |
I don't really care about this issue, but I definitely care that there's still no way to vote anonymously. I'm not tech-savvy enough to know how to make it happen, but it’s definitely possible since Monero does it for transactions on a public blockchain. |
Why do we want votes in the first place? Votes are useful because they allow readers to sort posts. Votes aren't ballots. Anonymous ballots allow a society to select the best leader without fear that bad actors can corrupt the voting process. Anonymous votes prevent users from understanding the intent behind votes and make it easier to corrupt the process. Consider a couple of hypothetical posts that have been upvoted by different people:
Some of those votes are obviously more valuable than others. There are a few I'd like to ignore all together. Is it possible to have a hybrid system? |
Keep votes anonymous to users, visible to mods and admins. Add favorite button which will function similarly to re🤮it rewards except it's free to gift and the gifter list is public. In case people want to publicly show they like the post/comment. |
I don't support this |
It's also worth pointing out that it's trivial for even a non-technical user to preserve the privacy of their votes. Just make a dummy account. Alt accounts are a common practice across almost all sites that allow account creation. Even in cases where the ToS specifically disallow multiple accounts, users tend to find ways around it. It's a way to be much more anonymous, even under the current system and a more public system does nothing to reduce the privacy benefits of creating an alt account. |
My idea:
|
Actually, the user's default vote type should initially be null, then selected when voting for the first time. And in that prompt, it should be made clear that private votes are local-only and much less effective. |
Private upvotes (not downvotes) should be visible to the post/comment creator and the admins of that person's instance |
I want people to actually think about this for a moment if you're talking about the importance of privacy, Lemmy is part of the Fediverse, the Fediverse is a collection of decentralized servers that communicate over activitypub. All federated data, votes included, is shared over Activitypub with other servers. Lemmy can restrict the visibility for a sense of privacy or anonymity but since all the data is handed to the other servers this is a false sense of privacy. Said servers absolutely do not need to abide by @dessalines' or @Nutomic's wishes in this department, and other software are also free to implement it differently too. People may argue that hosting a server is technically challenging but only a few actually need to do it in this regard, really if one software or fork implements it then there would be servers that have it and servers that don't. Destroying all false privacy then and there. So the best thing to do is to not create false privacy or entitlement to it, that does not help people. That's the sacrifice to being in the Fediverse, you sacrifice the illusion of privacy on public facing posts for the sake of interoperability and resilience against single bad faith actors. Some people don't want to do that, and that's okay, though personally I'd rather do that than trust Elon Musk or Steve Huffman, as it's not a lot to ask on a publicly facing forum. |
Based on the discussion here, the majority of users are against making votes completely public and expect a certain level of privacy. If we make votes public, there is a risk that users will vote less, which means that post ranking will work worse. On the other hand there are legitimate reasons for admins and mods to see the votes, which is already implemented. Some people want to make votes even more private, but that could be very complicated to implement and have little benefit. One option I would consider is to let admins see only votes in locally hosted communities, so its not as easy as setting up an instance and seeing all votes directly on the website (but they can still be seen through the database or by modifying the source code). Generally I believe the way votes are handled now is a good compromise and wouldnt change it. However it is not clear for new users that votes are only semi-private. To explain this, I would add an info dialog when a user votes for the first time. Regarding votes being visible on Mbin I just opened an issue in their repo. However its always possible that other projects ignore the vote privacy and there is nothing we can do except ask nicely. |
Closing as the overall consensus is to keep vote privacy as it is. As far as telling users about the current limitations of vote privacy (IE admins can see them, and other software that doesn't feel as strongly about vote privacy can also see them), that's something that should go in the |
I added a short text in the documentation regarding vote privacy. |
Question
I'd like to hear everyone's thoughts on possibly making votes public. This has been discussed in a lot of other issues, but here's a dedicated one for discussion.
Positives
Negatives
Also noteworthy is that reddit and lemmy are unique in keeping vote privacy: mastodon, twitter, and most other platforms expose them.
We've already added most of the work to show votes, but this is only shown to admins and moderators (for the communities they mod). It would take very little work to make this available to all.
cc @kartikynwa @Nutomic @SleeplessOne1917 @phiresky @dullbananas
#4088 #4924 #4086 #4052
The text was updated successfully, but these errors were encountered: