YSK: Your Lemmy activities (e.g. downvotes) are far from private

Muddybulldog@mylemmy.win to You Should Know@lemmy.world – 2746 points –
i.imgur.com

Edit: obligatory explanation (thanks mods for squaring me away)...

What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.


I'm already questioning the whole system behind it, not just votes.

Say you have critical information that you want to delete but other instances can just ignore this deletion request, then I could technically write a plugin that uses an extra instance, to always display all deleted comments to me, despite me being a regular user.

For other sites you'd need a crawler, catching this information and all this in a rapid fashion to be usable, with a lot of programming extra work.

At this point we can as well remove the option to delete or edit a comment as everyone can host their own, which wouldn't be possible with proprietary tools.

If someone can simply see votes the same way, we can as well add a mouse hover function that will display the username of whoever upvoted.

Displaying the internal information publicly is indeed the more honest approach. Still, people need to understand that Social Media is Public Media. Deleting and editing depends on the goodwill of the receiver. Just imagine you were sending an email when you send something here. It is about the same level of control. It is not like you had much more control on Facebook or Reddit.

Sure, I agree but less technically versed people don't see it that way. It's obfuscated, that delete doesn't mean deleted. If I delete something on Reddit or Twitter, it's hidden for anyone but the owner and maybe a crawler that happens to have snacked it. People try to circumvent this by using sites that cache Reddit, but even there it most often is not available if you deleted it fast enough. It costs money and there's a delay to have a crawler everywhere all at once.

Of course nothing is ever truly deleted on the web but we have levels of hiding it. I don't think that alone justifies ignoring that issue. It makes a difference if someone can find it with one click or needs effort. One is much easier to abuse to dogpile someone. Sure, you might not agree with me, I still thought it was important to voice my concerns.

I think the problem is that people post things without informing themselves. I don't know how to change that. People don't read disclaimers. How do you make them know these things? You can't put big red warning labels everywhere. People need to inform themselves.

Which is an education problem and has nothing to do with lemmy.

It is fucking 2023 if you don’t understand how the internet works by now, it’s out of ignorance and likely has to do with this societal aristocratic attitude towards “techy” subjects.

It is your responsibility to be informed and to understand the consequences of your actions. We’re finally wakin up a bit :)

While I agree with others that it is perfectly fine for everything to be irrevocable like email is (there's no real way the system could work otherwise), I do think the Lemmy web UI and popular Lemmy native clients could do a better job making sure users are aware of that. Maybe when writing a comment there could be a little info bar that says "Content posted to Lemmy cannot be permanently deleted. (Learn more)". And then when you click Delete on something, it could have a similar explanation, adding something like "Deleting this comment will remove it from the feed/thread, but it can still be retrieved from the federated database by any instance administrator. (Learn more)"

I think it is still useful to have a Delete function, or maybe rename it to "Remove" or something, because maybe you realize what you wrote isn't contributing to the discussion or for some other reason isn't useful for most people to have in their feed. There's a difference between deleting data and removing content from the canonical "discussion", and just because we can't have the former doesn't mean there's no value in the latter. Also, the delete function does have meaningful effects like making it impossible for people to reply to the deleted comment, which can still help with harassment. 99.9% of users will never see that comment again.

I agree that it’s good to have some kind of deletion, even if it’s not really getting rid of the content. Nothing is ever really gone on the internet, but there is value in communicating to others that you meant to retract a comment.

Which is why either

  • Votes should be publicly viewable like they are in kbin. Not necessarily readily viewable to save server resources, but through a click through or something. No need to hide something that is, in essence, public info.
  • Votes should not be federated at all, but that would be awful for very small instances, though this is how Mastodon has always done it.
  • Votes should be federated in aggregate, but this would kind of break federation because it's a new type of Activity.

Another option is assigning an id per user that's only used for tracking votes. Only the user's server would know who did the voting, but you still get moderation where you could block votes from a certain id on another server if you believe it's being abusive in some form.

As long as you don't delete the voting id when the user's account is deleted, you can avoid the votes ever being associated with the user on another server. (Since a snooping party could correlate the timing of the two deletion requests and associate the user with the votes at that time). If you did want to delete them, you could say voting id deletion happens in batches. So accounts get deleted immediately, but votes only get deleted when there's some group size N available for deletion.
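An added sketch of the per-user voting id and batched deletion proposed in the comment above (not part of the thread, and not Lemmy or ActivityPub code). The HMAC derivation, the message shapes and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class VoteIdRegistry:
    """Home-instance side of the proposal (hypothetical design)."""

    def __init__(self, batch_size, key=None):
        self._key = key or secrets.token_bytes(32)  # never leaves the home instance
        self.batch_size = batch_size                # the comment's "group size N"
        self._pending = []                          # voting ids awaiting deletion

    def voting_id(self, username):
        # Keyed hash: stable per user, not reversible without the instance key.
        mac = hmac.new(self._key, username.encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def federated_vote(self, username, object_url, vote_type="Like"):
        # What other instances receive: the voting id, never the account name.
        return {"type": vote_type, "object": object_url,
                "voting_id": self.voting_id(username)}

    def delete_account(self, username):
        """Return the deletion messages that are federated right now."""
        out = [{"type": "DeleteAccount", "account": username}]
        self._pending.append(self.voting_id(username))
        if len(self._pending) >= self.batch_size:
            # Sorting discards the order in which the accounts were deleted.
            out.append({"type": "DeleteVotingIds", "ids": sorted(self._pending)})
            self._pending = []
        return out


def tally(votes, blocked_ids=frozenset()):
    """Remote-instance side: score a post, ignoring voting ids it has blocked."""
    score = 0
    for vote in votes:
        if vote["voting_id"] not in blocked_ids:
            score += 1 if vote["type"] == "Like" else -1
    return score
```

With `batch_size` N, an observer who sees a batch can only narrow each voting id down to one of the N accounts deleted since the previous batch.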

Your idea assumes that you can just change the protocol. The ActivityPub protocol is developed under the W3C. If you just change something you are no longer compatible with other services.

I didn't intend to imply that only one server changes something. I was intending to imply that the protocol should be updated (after review, ratification, etc.). I'm sure there's edge cases I haven't considered.

This part of the protocol is not explicitly defined. In fact, section 3.1 of the AP spec says that null may be used to signify an anonymous identifier, then additionally these activities could be tagged using extensions to contain a unique identifier that isn't the actor. The more you look at AP, the more you see how loosely it's defined, and for good reason, it allows it to be applicable to many different scenarios (a twitter, a FB, and now a Reddit). What he's suggesting would make it not interoperable with things like Mastodon which require an actor for a Like, but it's not changing anything about the protocol.

EDIT: By the way, other things don't work when viewing Lemmy comments on Mastodon too, like downvotes don't do anything on the Mastodon end. And you can follow Lemmy users from Mastodon but not the other way around.

Say you have critical information that you want to delete

Then you shouldn't have uploaded it publicly.

other instances can just ignore this deletion request, then I could technically write a plugin that uses an extra instance, to always display all deleted comments to me

The same was always possible with Reddit and was even implemented. Why is this a problem now?

For other sites you’d need a crawler

Only if they don't have an API.

People can accidentally reveal their identity or post something, notice this is too private, and edit or delete it. The chance for someone to have seen it in 1 second is low. The chance for a bot to have crawled that thread, with that comment, is higher but still low as it requires infrastructure, that costs money and a little skill to set up. Something someone for a simple plugin won't do.

If anyone can host a Lemmy instance and you just need to filter that one line of code that's for forwarding delete or edit requests, you can just push that info into a separate view. You now just need a plugin that will poll from the instance that's not complying to delete requests and display them to the user. Hell that's something even I could do quickly if I ever feel bored.

Hosting (or simply just using) a crawler takes fewer resources and less skill than hosting Lemmy, let alone modifying it the way you intend.

Yes, I know, every CS student can program a crawler. I explained in another comment why it's still a huge difference.

Maybe if hosting a Lemmy instance is that hard, it's enough? I don't know.

I found hosting a Lemmy instance pretty easy but I admit I have the experience to readily recognize how fucked the Lemmy docker-compose example is.

No clue whatsoever how to write a crawler.
