YSK: Your Lemmy activities (e.g. downvotes) are far from private

Muddybulldog@mylemmy.win to You Should Know@lemmy.world – 2749 points
i.imgur.com

Edit: obligatory explanation (thanks mods for squaring me away)...

What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

There's a reason nobody has to publicly announce who they're voting for in democratic countries, and that there's no mechanism to check that. People can be grouped, ostracized, persecuted, canceled, or worse.

Not all votes are private in this way, and we're not exactly voting for a new prime minister / president.

You don't publicly announce it, but the government still knows it's you who voted. Except in this case the site is open source. Knowing who voted is the only way to prevent vote manipulation.

In the US, all elections are done by secret ballot. The govt can see that you voted, but not who you voted for.

Okay, yeah, that does make sense. I was thinking of electronic votes, in which case there wasn't much stopping them from storing that data. But you can get a paper ballot where your name isn't on it. Regardless, actual voting isn't a good analogy. You can change your vote on an internet forum, you cannot with a ballot.

Let's say on Lemmy, up or down vote, it reported "Bazoogle has voted" and simply adds a number to the variable without my name tied to it. If I wanted to undo my vote, it wouldn't know whether to subtract an upvote or downvote unless it knew which one I did in the first place. The only other option would be to try and encrypt the username with some sort of identifier that can't easily be decrypted. Which might be possible, but is beyond my current knowledge of cybersecurity.

It’s as simple as sharing vote counts but not individual identifiers between instances. Problem solved.
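The undo problem raised in the two comments above can be handled without storing a username beside each vote. As an added illustration (not part of the thread and not Lemmy's code), this hypothetical `VoteLedger` keys each vote by an HMAC of username and post under an instance-held secret and shares only tallies; the class, method names and payload shape are all assumptions.

```python
import hashlib
import hmac


class VoteLedger:
    """Hypothetical home-instance vote store; not Lemmy's implementation."""

    def __init__(self, instance_secret: bytes):
        self._secret = instance_secret  # never leaves the home instance
        self._votes = {}                # (post_id, voter_token) -> +1 or -1
        self._tally = {}                # post_id -> [upvotes, downvotes]

    def _token(self, username: str, post_id: str) -> str:
        # Keyed hash: stable for one user on one post, so a vote can be found
        # again, but different on every post, so rows cannot be joined by user.
        msg = f"{post_id}\x00{username}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def vote(self, username: str, post_id: str, value: int) -> None:
        """Record +1 (up), -1 (down) or 0 (undo), replacing any earlier vote."""
        if value not in (1, 0, -1):
            raise ValueError("value must be 1, 0 or -1")
        key = (post_id, self._token(username, post_id))
        tally = self._tally.setdefault(post_id, [0, 0])
        previous = self._votes.pop(key, 0)
        if previous:                    # back out the earlier vote first
            tally[0 if previous == 1 else 1] -= 1
        if value:
            tally[0 if value == 1 else 1] += 1
            self._votes[key] = value

    def federated_update(self, post_id: str) -> dict:
        """Counts only: the payload this sketch would send to other instances."""
        up, down = self._tally.get(post_id, [0, 0])
        return {"post_id": post_id, "upvotes": up, "downvotes": down}


if __name__ == "__main__":
    ledger = VoteLedger(b"constructed-demo-secret")  # constructed sample key
    ledger.vote("Bazoogle", "post-1", -1)
    ledger.vote("Bazoogle", "post-1", 0)             # undo needs no stored name
    print(ledger.federated_update("post-1"))
```

An admin who holds the secret and the user list can still recompute every token, and remote instances have to trust the reported counts, which is the vote-manipulation concern raised earlier in the thread.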

A user doesn’t even have to comment to be doxxed by publicly viewable upvotes. They upvote a post in a community for their local state, then upvote a post about how to get an abortion. The state subpoenas the instance admin and gets their IP and email address.

They could already do that with Reddit. Is that something that happens?

With Reddit that data could be kept between the users and admins.

I do not have any insider knowledge regarding whether Reddit has received requests for user data.

You were saying in the example of the government requesting the data. That's not any different for Reddit or Lemmy. If anything, it would be harder to get from Lemmy since it's decentralized. And Reddit is known to comply with government warrants.

No one is forcing anyone to upvote or downvote. There's not even karma or anything here. If people don't want others to know how they feel, then they shouldn't say anything, no matter what form the speech takes.