YSK: Your Lemmy activities (e.g. downvotes) are far from private
i.imgur.com
Edit: obligatory explanation (thanks mods for squaring me away)...
What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
You are viewing a single comment
I'mma be honest, this might be the worst part of lemmy. NSFW, gray area topics, sports discussion, all that becomes completely radioactive.
I think its a massive improvement. Reddit did next to nothing about astro-turfing and vote manipulation. Lemmy gives people the tools needed to detect inorganic content.
People might have to stand behind their opinions if they choose to voice them. The horror!
(Although the user/account is still basically anonymous 🤷‍♂️)
There's a reason nobody has to publicly announce who their voting for in democratic countries, and that there's no mechanism to check that. People can be grouped, ostracized, persecuted, canceled, or worse.
Not all votes are private in this way, and we're not exactly voting for a new prime minister / president.
You don't publicly announce it, but the government still knows it's you who voted. Except in this case the site is open source. Knowing who voted is the only way to prevent vote manipulation.
In the US, all elections are done by secret ballot. The govt can see that you voted, but not who you voted for
Okay, yea, that does make sense. I was thinking of electronic votes, in which case there wasn't much stopping them from storing that data. But you can get a paper ballet where your name isn't on it. Regardless, actual voting isn't a good analogy. You can change your vote on an internet forum, you cannot with a ballet.
Let's say on lemmy, up or down vote, it reported "Bazoogle has voted" and simply adds a number to the variable without my name tied to it. If I wanted to undo my vote, it wouldn't know whether to subtract an up vote or down vote unless it knew which one I did in the first place. The only other option would be to try and encrypt the username with some sort of identifier that can't easily be decrypted. Which might be possible, but is beyond my current knowledge of cybersecurity.
It’s as simple as sharing vote counts but not individual identifiers between instances. Problem solved.
A user doesn’t even have to comment to be doxxed by publicly viewable upvotes. They upvote a post in a community for their local state, then upvote a post about how to get an abortion. The state subpoenas the instance admin and gets their IP and email address.
They could already do that with Reddit. Is that something that happens?
With Reddit that data could be kept between the users and admins.
I do not have any insider knowledge regarding whether Reddit has received requests for user data.
You were saying in the example of the government requesting the data. That's not any different for reddit or Lemmy. If anything, it would be harder to get from Lemmy since it's decentralized. And reddit is known to comply with government warrants.
Uhm the government knows it's you who voted but not what
No one is forcing anyone to upvote or downvote. There's not even karma or anything here. If people don't want others to know how they feel, then they shouldn't say anything, no matter what form the speech takes.
This is an issue of privacy, though. There is a reason why people dislike google or their neighbour having access to their information, however mundane.
Yeah, that's terrifying for a lot of people
Err, up/down voting is just a quick way to agree or disagree. If one is voting because they feel they can't stand behind their opinion if they expanded it in text... I don't know what to tell ya.
One of the reasons I really disliked Reddit and stopped using it years ago was this way of using the voting system. If I make a post, and it gets voted something like +4-10, and a reply that is some rewording of "that's a dumb statement", what am I to think? I'm certainly not going to change my mind, no one gave me a good reason to.
I'm inclined to believe a lot of people do this. This is not to say they are terrible for doing this, it's that it's human nature. Replying to someone with a well thought out post takes effort and, from my experience, makes the me realize i don't know shit about the subject. Point is, this way of using the voting system breeds half-thought opinions which is a host of a lot of other problems.
Agreed.
What about IP addresses? I see those are logged. Are they available to query?
I would imagine so, right?
If so, ummmmmmmm. That is not ok.
Umm, anything you access on the Internet has to know your IP address, that's how the Internet works. Whether or not they choose to keep the logs is a different matter.
Ok, sure. But the difference is that I can’t make my own Reddit instance and then see all Reddit users IP addresses.
What is the vetting process of getting an instance federated?
Like if I was an authoritarian henchman, could I make an instance with a community about cats, get federated, then see all the IPs of users calling my boss a pooh bear, on all other instances?
There's no difference, you don't get IPs of other instances' users just an id
Or you could just buy it from reddit.
Fix your police.
This sounds a lot like “not my problem.” I am familiar with this type of response, but usually this level of irresponsible indifference comes from those evil VC backed companies. Except they don’t usually say it out loud.
If this is the attitude of the devs, I am deleting all my glowing recommendations of lemmy on other sites.
Is this really the attitude of the devs?
I suppose if you ignore the part where I said the problem doesn't actually exist (IPs are not included in federated content) then It can look like a not my problem response.
I wonder if you will also delete the FUD and misinformation you posted on this thread.
I haven't looked into it at all but I expect IPs are visible to instance admins. That's pretty typical of any online platform.
But if I understand this, anyone that makes a lemmy instance can see the IPs of any commenter or voter, on any other federated instance?
What is the vetting process for federation?
Even if lemmy itself doesn't support it, there are plenty of ways to log visitors ips and correlate that data with lemmy to figure out who the user is.
EX: Using a revese proxy like cloudflare or nginx, which are both very common.
Even if lemmy itself doesn't support it, there are plenty of ways to log visitors ips and correlate that data with lemmy to figure out who the user is.
EX: Using a revese proxy like cloudflare or nginx, which are both very common.
Even if lemmy itself doesn't support it, there are plenty of ways to log visitors ips and correlate that data with lemmy to figure out who the user is.
EX: Using a revese proxy like cloudflare or nginx, which are both very common.
every website logs ip. The question is whether the admin maintains those logs. However a web server needs your IP so they can route traffic back to you. That IP gets logged so that if something is not working the admin can review the logs and figure out what is going on. Many websites that are privacy focused either turn the logging off or dump the logs fairly quickly. Doing something like that means the admin needs to take steps to create other avenues for troubleshooting that don't factor user data into the scenario. With smaller projects like instances hosted on lemmy that might not always be feasible for volunteer admins. This doesn't necessarily mean they are doing anything wrong. Lots of websites maintain logs that include IP addresses.
IP Adresse does not really matter. It changes every day or whenever I restart the router.
Your public IP stays the same for long periods of time, is geographically tied, and also associates you to certain ISPs based on your address space. How long does it stay the same? Months - Years potentially depending on the lease set on the IP.
Well... not in Germany. Here you have to request a static ip
It depends on the ISP, country etc
I'm in France and almost every time our IP changes it's because my parents changed our internet subscription, or because moved to another place
Oh. That's pretty bad
It's probably bad for privacy, but it makes self hosting super easy
Radioactive? Honestly, some people are never satisfied and really like to constantly complain, don't they?