PSA: Lemmy votes can be manipulated

I see what you mean, but there's also a large number of lurkers, who will only vote but never comment.

I don't think it's unfeasible to have a small number of comments on a highly upvoted post.

Reddit had ways to automatically catch people trying to manipulate votes though, at least the obvious ones. A friend of mine posted a reddit link for everyone to upvote on our group and got temporarily suspended for vote manipulation like an hour later. I don't know if something like that can be implemented in the Fediverse but some people on github suggested a way for instances to share to other instances how trusted/distrusted a user or instance is.

I feel like this is what happened when you’d see posts with hundreds / thousands of upvotes but had only 20-ish comments.

Nah it's the same here in Lemmy. It's because the algorithm only accounts for votes and not for user engagement.

Yes, I feel like this is a moot point. If you want it to be "one human, one vote" then you need to use some form of government login (like id.me, which I've never gotten to work). Otherwise people will make alts and inflate/deflate the "real" count. I'm less concerned about "accurate points" and more concerned about stability, participation, and making this platform as inclusive as possible.

On Reddit there were literally bot armies by which thousands of votes could be instantly implemented. It will become a problem if votes have any actual effect.

It’s fine if they’re only there as an indicator, but if the votes are what determine popularity, prioritize visibility, it will become a total shitshow at some point. And it will be rapid. So yeah, better to have a defense system in place asap.

I always had 3 or 4 reddit accounts in use at once. One for commenting, one for porn, one for discussing drugs and one for pics that could be linked back to me (of my car for example) I also made a new commenting account like once a year so that if someone recognized me they wouldn't be able to find every comment I've ever written.

On lemmy I have just two now (other is for porn) but I'm probably going to make one or two more at some point

If you and several other accounts all upvoted each other from the same IP address, you'll get a warning from reddit. If my wife ever found any of my comments in the wild, she would upvoted them. The third time she did it, we both got a warning about manipulating votes. They threatened to ban both of our accounts if we did it again.

But here, no one is going to check that.

Congratulations on such a tough project.

And yes, as long as the API is accessible somebody will create bots. The alternative is far worse though

May I ask how do you format your text? My format bar has disappeared from wefwef.

I'd just make new usernames whenever I thought of one I thought was funny. I've only used this one on Lemmy (so far) but eventually I'll probably make a new one when I have one of those "Oh shit, that'd be a good username" moments.

I think the best solution there is so far is to require captcha for every upvote but that’d lead to poor user experience. I guess it’s the cost benefit of user experience degrading through fake upvotes vs through requiring captcha.

I had all 8 accounts signed in on my third-party app and I could easily manipulate votes on the posts I posted.

There's no chance this works. Reddit surely does a simple IP check.

IMO the best way to solve it is to 'lower the stakes' - spread out between instances, avoid behaviors like buying any highly upvoted recommendation without due diligence etc. Basically, become 'un-advertiseable', or at least less so

I don't know how you got away with that to be honest. Reddit has fairly good protection from that behaviour. If you up vote something from the same IP with different accounts reasonably close together there's a warning. Do it again there's a ban.

I have like tens of accounts on reddit.

I’m curious what value you get from a bot? Were you using it to upvote your posts, or to crawl for things that you found interesting?

It can still be used to artificially pump up an idea. Or used to bury one.

Maybe you move public perception of a product or political goal.
To push a narrative of some kind. Astroturfing basically.

Lack of karma is a fallacy. The default Lemmy UI doesn't display it but the karma system appears to be fully built.

Corporations could use it to push their ads to the top

Maybe I'm misunderstanding karma, but Memmy appears to show the total upvotes I've gotten for comments and posts, isn't that basically karma?

The lack of karma also makes it worse. Usually if I saw a discussion that felt kinda off I'd check the accounts age and karma. Made it easier to sniff out bots.

The karma though is what drove Reddit adoption to an extent. Gamification helps. It helped Reddit, it helped robinhood stocks app.

Maybe fediverse needs some gamification.

Or maybe not. Facebook and YouTube seem to be doing fine just using the line/unlike button.

“Shill” is a rather on-the-nose choice for a name to iterate with haha

Oh cool 👀 What's the rest of that table? Is the actor_id one column in like... an upvotes table or something?

Over a houndred dollars for 700 upvotes O_o

I wouldn't exactly call that cheap 🤑

On the other hand, ten or twenty quick downvotes on an early answer could swing things I guess ...

To me, the draw of Lemmy is that it's not the same as it ever was here. I don't know the internet before ads, this place is great!

Cause the problem, sell the solution. What a degenerate.

Your client has to compute the raw data, not the server or else it will just be your server manipulating what you see and think.

Love that type of solution.

I've been thinking about an admin that votes on example posts to define the policy, and then getting users scored against it, then using high scorers to represent user copies of the admins spirit of moderation, and then make systems that use that for automoderation.

e.g. I vote yes, no, yes. I then run the script that checks my users that have voted in all three, and the ones with the highest matching votes that i define(must be 100% matching to my votes) gets counted as "matching my spirit of moderation". If a spirit of moderation user downvotes or reports then it can be auto flagged into an admin console for me to then rapidly view instead of sifting through user complaints, and if things get critically spicy i can promote them to emergency mods, or automate their reports so that if a spirit user and a random user both report, it gets auto removed.

For each vote, read user post content and vote history and age

This should happen in the client and easily controllable by the user. As well as to investigate why one particular post or current was selected by the local content discovery algorithm. So you can quickly find fraudulent accounts and block them.

And this public, user led moderation actions then go on to inform the content discovery algorithm of other users until we have consensus user led content discovery and moderation.

And just like that we eliminate the need for shadowy humans of the moderator priesthood to play human spamfilter / human thought manipulator

This was a great feature of reddit enhancement suite.

It actually seems like an interesting problem to solve. Instance runners have the sql database with all the voting record, finding manipulative instances seems a bit like a machine learning problem to me

One other thing is that you can bulk create your own instances, and that's a lot more effort to defederate. People could be creating those instances right now and just start using them after a year; at least they have incurred some costs during that..

I believe abuse management in openly federated systems (e.g. Lemmy, Mastodon, Matrix) is still an unsolved problem. I doubt good solutions will arrive before they become popular enough to attract commercial spammers.

Then they will just distribute their bots equally to other legit servers, and by that, defederation is not a viable solution anymore.

One other problem are real human troll farms

Reddit also created fake users to post fake content... At least in the beginning of reddit.

Aaaand...?

Interesting idea.

Small instances are cheap, so we need a way to prevent 100 bot instances running on the same server from gaming this too

[This comment has been deleted by an automated system]

Everyone forgot how he and his wife announced their marriage in a subreddit nobody knew about that suddenly rise up to the first place on r/all.

Just lie? You really thing someone would do that!? Just go on the internet and tell lies?

reddit used to have a horde of bots just to become popular

Since the launch back in 2005.

I have strong feelings about reddit being infested with bots too. And because reddit could, there's no reason lemmy doesn't have the same issue.

it didn’t really bother me

Bot armies could have hidden things from you that would bother you deeply, but because it's hidden, you don't have a chance to be bothered.

How do you differentiate between a small instance where 10 votes would already be suspicious vs a large instance such as lemmy.world, where 10 would be normal?

I don't think instances publish how many users they have and it's not reliable anyway, since you can easily fudge those numbers.

This. It's only a matter of time until we can automatically detected vote manipulation. Furthermore, there's a possibility that in future versions we can decrease the weight of votes coming from certain instances that might be suspicious.

I've set the registration date on my account back 100 years just to show how easy it is to manipulate Lemmy when you run your own server.

That's exactly what a vampire that was here 100 years ago would say.

This man is over 100 years old

Happy centennial cake day

If it becomes too big of a problem, instances will whitelist the most popular instances instead of trying to blacklist all the bad ones.

Yep, give admins the tools they need to identify this activity so they can defederate accordingly. Seems like the only way.

that would be the best way to do it, i guess if you go further you could let users filter which instances they would like to "count" and even have whole filter lists made by the community.

I like that idea. A twist on it would be to divide the votes on a post by the total vote count or user count for that instance, so each instance has the same proportional say as any other. e.g. if a server with 1000 people gives 1000 upvotes, those count the same as a server with 10 people giving 10 votes.

I think it would actually be pretty easy to detect because the bots would vote very similarly to each other (otherwise what's the point), which means it would look very different from the distribution of votes coming from an organic user base

Some instances don't allow downvoting. It doesn't really matter, mass upvoting the remaining content has the same effect.

💀😂

There's a reason everyone comes to my saloon...

I think the point is that the Fediverse is severely limited by this vulnerability. It's not supposed to solve that specific problem, but that problem might need to be addressed if we want the Fediverse to be able to do what we want it to do (put the power back in the hands of the users)

What did I miss?

Yes but you presumably had to go through a captcha to make each one, whereas here someone can spin up an instance and 'create' 1 million accounts immediately.

Something like that already happened on Mastodon! Admins got together and marked instances as "bad". They made a list. And after a few months, everything went back to normal. This kind of self organization is normal on the fediverse.

Now days email spam filter especially proprietary from Google or Verizon yahoo really make indie mail server harder to maintain and always got labeled as spam even with DKIM, dmarc, right spf, and clean reputable public IP

I don't know what the answer is, but I hope it is something more environmentally friendly than burning cash on electricity. I wonder if there could be some way to prove time spent but not CPU.

when you say import tax do you mean actual monetary payment? Or a computing power tax? I don't think I understand

Classic forums still exist.

Voting does allow the cream to rise to the top, which is why reddit was much better than a forum.

Honestly, I think part of the problem is that companies don't have an incentive to fight bots or spam: higher numbers of users and engagement make them look better to investors and advertisers.

I don't think it's that difficult of a problem to solve. It should be quite possible to detect patterns between real users and bots.

We will see how the fediverse handles it.

I keep thinking about this. The only reason for votes that a forum cant do, is filtering massive content quantities through an equally massive userbase to get pages of great and revolving posts. In a forum you can just filter with comments/hour and give free promotion to new posts.

I like upvotes, otherwise I’d have stayed on forums. It’s also one of the only ethical algorithmic sorting methods as long as you can whitelist your members.

Ironically, I agree and upvoted this.

I ironically up vote this also. Agreed to no upvote and downvot.

Lets cut the sorting to chronological order. With options to arrange to new or old only.

I’ve always wondered if it would help to have to reply in order to give an up/downvote but I assume it would likely just result in more spam. Still, I hope people are thinking of new ways to try things

What if account B only ever posts high quality content? What if everybody upvotes account B because their content is so good? What if they rarely post so it would be reasonable that a smaller subset of the population has ever seen their posts?

Your theory assumes large volumes of constant posts seen by a wide audience, but that's not how these sites work, your ideal would censor and disadvantage many accounts.

No need to make all federation under a whitelist. It's enough to ignore votes from suspicious instances or reduce their weight.

In this context it would be an account with the sole purpose of boosting the visible popularity of a post or comment.

Are you an academic or just dense?

This alone wouldn't help because I can just set up an instance that requires email verification (or any other kind) and automate it still since I can make infinite emails with my own domain.

[This comment has been deleted by an automated system]

that's only an option if they are obvious about it

That can only be done after the fact, and people can just create new ones constantly can they not? There needs to be a different pro-active defense to watch for the signs of manipulation and counter them as they happen.

There are legitimate reasons for creating a “low-usage” server to host your personal account, so you have full control over federating etc.

If we start assuming all small instances are spam by default, we’ll end up like email now—where it’s practically impossible for small sites to run their own mail servers without getting a corporate stamp of approval from Google.

This would actually be a bit more difficult. So first it would be easy for me to set up lemmy1.derproid.com, lemmy2.derproid.com, etc. but if you could just defed from *.derproid.com it's no problem. However setting up lemmy1.com, lemmy2.com, etc. is more expensive because you would need to register and pay for each of those domains individually.

That's not to say it's impossible but there is a bigger barrier to it.

[This comment has been deleted by an automated system]

Ok, but what would the reputation score be based on that can't be manipulated or faked?