YSK: Your Lemmy activities (e.g. downvotes) are far from private

Muddybulldog@mylemmy.win to You Should Know@lemmy.world – 2746 points –
i.imgur.com

Edit: obligatory explanation (thanks mods for squaring me away)...

What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

1102

You are viewing a single comment
View all comments

There is a fundamental misunderstanding here.

Our data has never been 'invisible'... We've just trusted that places like Reddit and their staff will do the right thing. That's literally how it already works.

If you sign up for Reddit, Reddit staff can see your posts and votes if they want to.

If you sign up for a private forum the admin there can also see database contents.

One way encryption is not possible without stopping functionality... If data about you was encrypted then posts you make couldn't be displayed. If you include a means to decrypt then there was no point encrypting anyway.

This is how it's always been, and Lemmy doesn't change this status quo much.

A faceless corporation that has had access to your data is just replaced by a variety of admins distributed across instances.

This isn't a good or bad thing, the potential for abuse does exist, but when we have literally made agreements with places like Reddit that they can use and sell our data... then what difference does it make it an admin takes a peek?

It wouldn't be great... but nothing is perfect.

It's still worth working on however, to see if a better solution can be found, but at this time I'd say just be aware that it is possible that your data can be seen and understand the only safeguard against that if you need to communicate something private would be to use direct messaging with end to end encryption.

I'll contribute that my intent with this post is not evangelism. I like the voting system and would be disappointed to see it disappear.

A vote in Reddit was, from a practical perspective, anonymous. While it was recorded in the database and admins had access to this information there were mitigations in place to deter abuse and the end result was that the person you up or down voted was not going to know that YOU, personally, downvoted them. It was also of limited value to external data sifters in creating social graphs.

Since Lemmy votes are non-anonymously propagated across the Fediverse and, literally, anyone can be an admin there are people who may want to reconsider whether they upvote or downvote a particular post or comment. The actual reasons may vary; they don't want to be outed as sympathetic to a political view or cause, they don't want it used a social graph for targeted advertising or even spear-phishing. In many cases there will be people who don't care at all.

Just trying to contribute to transparency. Not everyone can read code, sift data or visualize how a social network would work behind the scenes. There's plenty of opportunities for others to use our data, good and evil. I believe that efforts to bring to light non-obvious consequences of actions is good citizenship.

I agree with everything you're saying, but it's frustrating that people are jumping to conclusions to think this is deliberate, nefarious etc..

Lemmy, being a federated system has different practical realities to Reddit. You can't have a federated system with multiple instances each with their own admins, and have it function without cutting off data flow. For voting to work in a federated system, vote data must flow, and people need to understand this.

Reddit was **not **a federated system, so there was no need for vote data to flow, and people also need to appreciate this difference.

The only solution is to remove voting. It's as simple as that.

Maybe long term a system could be devised.

I'm not in denial, i do firmly believe that is is an issue, and that it WILL be abused by someone. But I'm also a realist, and the features we have can't survive without voting data. People need to be aware of this, i think it's fair that everyone knows the risks. At an individual level people can choose not to vote, and thus have no vote data associated with them, but i suspect there might be more than vote data, i don't know for sure without looking at the code, but I suspect saved posts might be a privacy concern.

Personal opinion, i think abuse will happen, but it will be limited, just a feel i have. I do however suspect this abuse will exponentially ramp up if lemmy gets big traction.

The problem is that it's actively worse than Reddit. While only Reddit employees can access your data and it's being sold to the highest bidder, Lemmy sells your data for $0.00.

Anyone can become an instance admin through their own instance, so your voting data is pretty much unprotected. That is the opposite of privacy. I get that it's a consequence of the fediverse, but then it just may not be the solution to social media.

Your choice of wording is driving me take you less seriously. You sound passionate though so I'll explain.

  1. Actively worse? Your use of of the word active implies that something deliberately malicious is happening. It's not the case, this issue is a side effect of how lemmy works. It is an issue, it is a concern and it does need addressing, but your hyperbole is unwarranted.

  2. Lemmy isn't selling anything... it's a piece of software. This is the most false and malicious claim you've made. If our data were to be used nefariously then it would be the actions of a rouge server admin.

The definition of privacy is somewhat flexible. Nothing is private unless end to end encryption is employed. And nothing like lemmy can work with end to end encryption. So there is the dilemma. Yes it sucks... yes voting should be private. How about you propose a solution? Because at this point, outside of shutting everything down there is none.

The technical fact is the software must be able to reference data in a database to then create this page you are viewing, this text you are reading and the votes you are seeing.

Possible lemmy / server side solution...

  1. remove voting
  2. remove accounting of voting (this can't really work as without connecting a vote to a user, any user can upvote or down vote something unlimited times.

Possible user side solution... Don't vote Simply not participating in voting means there is no voting data tied to you; and this is, believe it or not an actual valid solution if you are concerned.

Ultimately for lemmy to work some tradeoffs are required. I do agree that where there is some gain to be made, someone will abuse the system, I'm not naive enough to say there is no problem here... there is. It's just that yelling at the wall isn't going to fix it. I've exhausted myself trying to think of a solution, and the only real and workable solution i can think of is as i said above, that voting be removed, or that you simply don't participate in voting.

So if you're really concerned and want an immediate solution effective for you then don't vote on anything ever. I'm not saying this to be a prick, but as a piece of legitimate advice. If no vote data exists for you then no one can harvest your voting preferences.