Lemmy votes ARE public, should they be anonymous?
Currently, almost anyone in the Fediverse can see Lemmys votes. Lemmy admins can see votes, as well as mods. Only regular Lemmy users can't. Should the Lemmy devs create a way to make the votes anonymous?
There is a discussion going on right now considering "making the Lemmy votes public" but I think that premisse is just wrong. The votes are public already, they're just hidden from Lemmy users. Anyone from a kbin/mbin/fedia instance can check out the votes if they are so inclined.
The users right now may fall into a false sense of privacy when voting because the votes are hidden from Lemmy users. If you want to vote something and not show up on the vote list, please create another account to support that type of content and don't tell anyone.
This would solve some of the problems. If only 2 instances know about the votes, post instance and sublemmy instance, you can reasonably expect to get most instances to never release that info. It would allow either the sublemmy or post instance to manipulate around in the votes, but most manipulation would be detectable by the respective other instance.
It would open the door however to manipulating around with internal posts made from the instance in a sublemmy on the instance. And it would allow the post instance to drop votes selectively, though I think that is possible currently all the same.
Votes being sent to both the sublemmy and the post instance simultaneously would make manipulation a lot harder. And for cases like internal posts, you could add another involved "judge instance" that receives the vote details directly from source, and is merely there to confirm the total. Instances that hand out non-independent "judge instances" could be labeled as untrustworthy in the lemmy community.
So you end up with a list of instances per post that votes are reported to, to which you add the post instance, sublemmy instance, judge instance, and maybe some more.
In terms of implementation, I think the activitypub protocol needs an origin for votes, right? I would say an instance can just report the votes coming from a stock of obviously fake accounts, like "masked_upvote_1" to _999999 ... and "masked_downvote_1" to _XYZ.
About the votes, I am not sure. It could be done as a lemmy-internal feature where lemmy instances and other instances knowing of the lemmy protocol send the info to all the relevant instances, while any votes from external instances only arrive at I guess the post instance and that then forwards it on to all other instances. This way the checking doesn't work for software unaware of that lemmy specific vote implementation, but everything is still compatible.
You could then even for those lemmy-external votes add an interface on the judge instance, that would confirm via pm if your vote has arrived.
Do you think this could work?
We can look at PeerTube for an example of a system that could be shaped into what I meant: when you look at a post (video) from peertube it links lists for likes, dislikes and shares (so basically upvotes, downvotes and boosts). These collections contain a
totalItems
property, but also list the peoples identities, but just imagine that it wouldn't be there. When a user now likes the video, the creator of the video now sends out anUpdate
acitivity to all subscribers. Now all subscribers can update the counts for likes, dislikes and shares. Only the "home instance" of the creator account knows about all votes, nobody else does, but nevertheless everybody else can now how many likes, dislikes and shares there are.If we compare that to mastodon the first part of the statement is still true:
But that means that most instances just show 0 likes for most of the posts, because your instance only knows about likes originating from your instance...
As for your proposition: I couldn't follow for some of it. However I think the risk of an actor abusing the creation of fake accounts and fake upvoters is not really a risk, that is what defederation is for... I would argue very much agains a lemmy specific protocol and some judge instances simply because then big instances would just have pretty much all the data again and it would definitely hurt interoperability because lemmy devs can then just take the easier route instead of implementing something according to AP spec