Edit: obligatory explanation (thanks mods for squaring me away)…
What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
To illustrate op’s point I’m going to spin up an instance, federate with everyone, and not tell anyone what that instance is.
Then I’m going to feed all that data into my new website, called Open Lemmy Stats, where anyone can query the user data ive accumulated. The homepage will be ripe with insights, leaderboards and all kinds of data on prolific users.
Additionally, I’ll display a snapshot/profile of a random user by feeding that users data to GPT4 to make inferences about the user’s political affiliations and display the results.
Worst of all, I’m not going to out my instance for everyone to know it as the one to defederate. In fact I’m spinning up a few instances that will host innocuous communities that I plan to mod and support to give my instances cover for their true purpose: redundant fediverse datastreams for my site, Open Lemmy Stats.
I’ll also have a store where anyone can buy my collected fediverse data for a handsome sum.
Just kidding I’m not doing any of this. But someone absolutely will or already is.
To anyone surprised at this: welcome to the fediverse, please treat everyhing you do or say as public.
The way to achieve privacy around here is by following the long forgotten arts of the old internet before Facebook was a thing:
use a Nick name and don't tell strangers on the internet your real identity.Your home instance will act as a proxy and only they have access to your email and IP address. That does stay private.
So, as long as you trust your home instance to not leak or disclose your connection or sign up data (which would be illegal in EU countries), just sign up with an alias.
A very positive aspects of this is that it should allow us to detect voting manipulation by correlating the activity of certain potentially malicious actors. If Lemmy instances take vote manipulation seriously and do their best to block bots this has the chance to make Lemmy / Kbin much more transparent and credible than Reddit ever was.
Lol. kids these days would post their bank info online if the banks didn’t prevent them from doing so.
You say that like A/S/L wasn’t a thing back in the day.
19/f/Cali was the only acceptable response
I think we cybered
As I put on my robe and wizard hat…
Depends, could I have talked some vanilla WoW gold out of you?
puts on wizard’s hat
666/D/Hell
Yall remember those “your stripper name is the street you grew up on and your pet’s name” challenges? Literally phishing for password recovery keys.
Even back then we were told never to reveal that sort of stuff online. How many of us do you think were telling the truth?
You think someone would do that?
Just go on the internet and tell lies?
Lol yeah but we were 12 back then and we still understood the internet better than anyone else 🙃
I got a virus.
Flagrant System Error
Computer Over.
Virus = Very Yes
I don’t want to shame anyone, but I’ve had people sign up give me their full DoB and offering to show me their ID. I know of people who disclose their id to get access to nsfw discord communities.
DUDE MY GIRLFRIEND FUCKING DID THAT AND I JUST LOOKED AT HER AND ASKED HER IF SHE THOUGHT THAT WAS A GOOD IDEA. In hindsight no, thankfully she’s gonna be moving soonish. This was from before we were together, otherwise I would have warned her not to do that. It was the same discord she got a cyberstalker from, thankfully the stalker wasn’t a friend of the owner because otherwise he totally could have gotten her address and irl info.
so would my grandpa
Wasn’t there a twitter account that retweeted people posting photos of their credit cards?
Your home instance will act as a proxy and only they have access to your email and IP address.
Your home image typically doesn’t proxy image loading, those are hotlinked to the Lemmy server that the image was uploaded to. So your IP address and browser string are going to other Lemmy servers.
The posts just contain a URL which doesn’t include the uploader’s ip address or their browser string.
When the browser loads that URL, hotlinked image, that server has to have your IP address to return the results. Just browsing posts those images are being loaded.
Of course. They dont get any info to associate your IP with your lemmy account. You could even not have a lemmy account at all.
Of course. They dont get any info to associate your IP with your lemmy account. You could even not have a lemmy account at all.
I whole heartedly agree with this perspective.
Additionally, and this is an unpopular opinion, but trying to maintain a Nick or online identity over many years is folly. You end up with a huge repository of personal information, increasing the risk that it can be connected to you personally.
This has come up as part of those requests to migrate accounts between instances. “I want a persona that stays with me for years”… Is that actually a good idea though!?
No, an alias will only give you pseudo-anonymity. Even trivial analysis like counting which words occur together frequently in your writings can reveal with very good accuracy any other alt of you, so the available information of you is basically everything you have shared online with enough accompanying self-written text.
Also, it’s not just about privacy, it’s about retaliation. It will be the easiest thing in the world for people to put together bots that will track the downvotes on every post they make and automate adding those people to block lists. Suddenly a whole fleet of alts is invisible to the people that would disagree with them.
Heck some of them dont even require the use of email to make an account
That is why I am as my username states: intentionally anonymous
The thing is, there is really no way to know is trustworthy as a home instance…?
What about post views? Are those also stored?
This person internets. 👏
Reading these comments, seeing so many excuses, sarcastic responses, and handwaving, makes me realize a great deal of users really need to develop some imagination.
This is not about privacy. It’s about data that can easily be used for targeting and profiling users, and how that creates countless avenues for targeted harassment and wide scale retaliation. It’s about all of the innumerable ways public vote information can and will be abused to manipulate scoring across the site with targeted/automated shadow banning and shared blocklists. Raise your hand if you trust every single admin to never abuse such a tool to curate the outward appearance of an instance to fit a narrative.
For a different example: I could say something about how great Nazis are right now, and have a bot programmed to read every single person that downvoted me, add those names to a shared blocklist, and viola, I’ve made myself and all my alts invisible to the people that would challenge me on a massive scale.
I promise you this is going to be a big issue as tools for this site get more sophisticated over time.
Not to sound harsh or anything, but those of you saying that it’s okay that all this data is public are insane. This completely goes against the entire philosophy of the Fediverse and FOSS in general. The reason we all are fleeing from Big Tech is because they collect so much data on us. At least, they keep it hidden from public view. This is a major issue in my opinion, and needs to be addressed ASAP before we can claim to have superior platforms on the Fediverse. Why can’t this data at least be encrypted?
Edit: Obligatory RIP my inbox.
Can we leave this kinda stuff behind? It is NOT obligatory.
I’m going to start throwing “edit: thanks for the gold kind stranger!” on the end of my comments just to induce some nostalgic cringe.
You are a gentleman and a scholar. /s
That’s a pretty common turn-of-phrase in Ireland, I remember hearing it in the early 90s!, and it’s still common to hear it from older generations too. I wouldn’t equate it with reddit slang/culture at all. I wonder when it made its way to reddit?
That’s wildly interesting because it’s heavily associated with neckbeard incels (tips fedora) on Reddit because there was a time when it was overused and comparatively fancy for the average yankey american vocal style. It was also often accompanied with “Edit: thabks for the gold, kind stranger!” Thinking around 2011-2013?
edit: my most upvoted comment is about beans.
I’ll be there to link /c/AwardSpeeches or whatever that sub was called.
🥇
Lemmy moment
Now that’s a big lemmy moment
Redditisms are cringe and always have been. Yes I agree we should leave them behind.
Well, I disagree. Redditsms, or whatever you call them, among other things helped to make reddit as popular as it is (was) right now.
I get you don’t like it personally, but your personal opinion about them being cringe, while respectable, is not a fact.
I agree with both of you. We should leave redditisms behind and create lemmyisms. And yes, they get cringe if overused
Possibly relatedly, is this a good place to mention beans? I have not figured out where that meme actually came from, but apparently it’s a thing the cool kids are saying.
The narwhal bacons at midnight!
Never forget the t-shirts
There were T-shirts?
I think nit picking each others speech is the true cringe redditism
Yes all the bad Reddit jokes and unoriginal lame attempts at garnering upvotes eg making a stupid joke out of a typo (generally unfunny, rare exceptions), I also choose this guy’s wife, take my upvote you bastard, anything along the lines of wow I hate you for making a pun, I’m not crying you are, I feel personally attacked and god knows the list goes on and on
Hopefully these things aren’t just replaced but one can hope
Hopefully these things aren’t just replaced but one can hope
if you listen closely you can hear the beans coming our way
Of those ‘jokes’ you listed, “I also choose this guy’s wife” will never be not funny
I also choose this joke’s wife.
*dead wife
c/angryupvote
This.
EDIT: Thanks for the awards kind stranger!
EDIT 2: Rip my inbox
This is all examples of reddit shit that is really dumb. We don’t need to bring it over here
Besides that. A “disable inbox notification” option is not available yet, is it?
But it’s fun tho…
People raise a good point that in countries where political dissent can actually be dangerous, this would very much dissuade people from voting on things they believe in, or even coming anywhere near Lemmy period.
A better approach I think would be to have the user’s host instance save their votes (the database obviously needs to remember what you voted on), but when federating those votes with other instances just hand over a cumulative total, e.g., “here on vlemmy.net we have +18 votes for this comment”, which the other instances can then add. There’s no need to send user information with that data.
The problem that Reddit realized early on is that user voting is the engine behind the content aggregation. That aggregation is one of the main selling points of Reddit. The more users vote on what they see, the more information Reddit has for how to aggregate that content. That’s what keeps the front page fresh, that’s what keeps content moving up and down on the site. In a very real sense, the voting is the heart pumping blood through the site.
So it behooves the site to not give any reason for users not to vote how they feel. Keeping votes private was part of that. It is one of the most basic tenets of democracy: the only way to give people the freedom to vote honestly and frequently is to give them the privacy to do it.
The potential for retaliation against users, in any number of conceivable ways, far outweighs any benefits that come from making votes public.
The voting information also makes it insanely easy to automate mass blocking of any opinion under the sun. Nobody in this thread seems to grasp all the things you can do with that data to manipulate user interactions on this site. If you think troll armies are bad, wait till those troll armies have a shared automated block list of every single person that has ever downvoted them.
Agreed, especially because I believe we’re headed for a repressive regime here in the US in about 2 years.
Places like this will need to get very careful if they want to remain bastions of free speech and places where people can come to find the information that will no longer be available in mainstream channels.
Lemmy is not a bastion of free speech lmfao
Pretty easy to make an instance that would auto vote certain things with suspicious amounts of votes
As it stands now, they have to fake the origin of some of those votes. Not much of a barrier, the fediverse generally accepts any user an instance says exists, but still, it’s a barrier
And of course any instance thats blatantly manipulating votes is going to be defederated, but I’m more concerned with an instance that behaves normally until it encounters a keyword or user is been set to, and then gives their posts a -5 or whatever
This was my thoughts as well. I understand the need for an audit trail.
Would be very easy to build up an interaction graph with this data that could be used for fingerprinting. If this is an issue for you, though, just browse without signing in/interacting
Was just thinking about this more though, and unfortunately there can also be rogue instances that allow bot users to be created and interact with other instances posts, so this issue could still persist.
Could replace the usernames with UUIDs, and keep the username-UUID map back on the source instance? Then you get an audit trail, but not associated with user identity. There’s also no guarantee that people don’t use bob_jones as their username, and this is Personally Identifiable Information, which brings up some GDPR stuff too.
deleted by creator
The problem with that is that every interaction that any user has with a post or a comment would require calls back to the home instance in order to lookup those usernames. That’s a LOT of extra load
There is no reason you couldn’t only do it for votes and not for posts and comments.
Yeah I just meant for the votes. If you make a comment with your username it’s pretty clear you consented for the input and the username to be visible side by side.
I think those users who live under oppressive governments should be used to using tools like Tor and accounts with a proton email to interact on the internet.
This. And make accounts with name generators so they’re not traceable to you through patterns. And train yourself to not say things that are identifiable across accounts. 🚉
Fair point. Though if nothing else stripping out usernames from vote counts would maybe save some bandwidth or database queries for the instance.
That would allow to fake votes, as I can tweak my instance to spew any number I want.
Can probably fake votes anyway by faking usernames right? Harder, but still doable 🤔
Redditors already scream at people when they get a downvote and blame it on the person that replies to them, even if that person didn’t downvote them.
I can see this being dangerous and leading to a lot of bullying. I know k-bin already publicly shows this. I can see who downvotes my comments/posts when I open up the post in a k-bin instance, without even being a member.
Removed by mod
Some instances don’t allow downvotes by people logged into that instance, which I think helps. (From both sides: I find that when I can’t downvote, I have a lot less motivation to read anything that makes me angry. I just keep scrolling).
Couldn’t we just use a hash for the usernames instead?
Nothing too over the top, but just a simple hash and match that instead?
Also, there’s way too much trust in instances. Like, one person could easily make a post on lemmy.world, go on their personal instance, and just give themselves, say, 2000 upvotes.
Instances should have their own settings on what instances are allowed to keep a local copy. (Default behavior should be to get the post itself from the instance “hosting” it).
So any instance admin can analyze all users upvotes/downvotes and possibly derive political standpoints, likes/dislikes, opinions and location data from it
Yes.
Just muddling around I’ve built queries that: (a) list all of my post & comments, everybody who voted on them, and their votes (b) tally how many times specific users have upvoted or downvoted me. © identifies the most prolific voters across the Fediverse and the communities they are voting in (d) identifies users with the same username or display name across all instances and correlates the activities across those accounts.
These are all for the sake of learning and are innocuos the way I’m using them. It is plain to see that someone with skills and an agenda could make more out of it than I have.
So you have raw database access and you can see that data. Why is this surprising? The systems I’ve used that solve storing data encrypted have massive usibility hits around exchanging and authenticating keys to a point where it sucks so bad I just want to disable it (matrix is a good example, non question their key exchange bullshit is hindering their adoption). I’m not saying this couldn’t be fixed but should it? Most services that use a database will be inline with your discovery of how Lemmy uses that database. Storing something encrypted that is meant to be viewed publicly is the same outcome with more steps. If someone cares enough to monetize it just patch the code to change whatever behavior you don’t like. I havent seeing anything about an acceptance test for Lemmy instances or anything that requires someone to use an unaltered version of Lemmy. How do you know the server admin isn’t already doing all of this? You don’t. Don’t expect privacy in public spaces.
So you can get the users voting on posts on other instances?
Could it be anonymized, so you can get exact up/downvote data from your instance, but when it comes to other instances you only get the absolute up/downvotes?
So you have raw database access and you can see that data. Why is this surprising? The systems I’ve used that solve storing data encrypted have massive usibility hits around exchanging and authenticating keys to a point where it sucks so bad I just want to disable it (matrix is a good example, non question their key exchange bullshit is hindering their adoption). I’m not saying this couldn’t be fixed but should it? Most services that use a database will be inline with your discovery of how Lemmy uses that database. Storing something encrypted that is meant to be viewed publicly is the same outcome with more steps. If someone cares enough to monetize it just patch the code to change whatever behavior you don’t like. I havent seeing anything about an acceptance test for Lemmy instances or anything that requires someone to use an unaltered version of Lemmy. How do you know the server admin isn’t already doing all of this? You don’t. Don’t expect privacy in public spaces.
So you have raw database access and you can see that data. Why is this surprising? The systems I’ve used that solve storing data encrypted have massive usibility hits around exchanging and authenticating services to a point where it sucks. I’m not saying this couldn’t be fixed but should it? Most services that uses a database will be inline with your discovery of how Lemmy uses that database. Storing something encrypted that is meant to be viewed publicly is the same outcome with more steps. If someone cares enough to monetize it just patch the code to change whatever behavior you don’t like. I havent seeing anything about an acceptance test for Lemmy instances or anything that requires someone to use an unaltered version of Lemmy. How do you know the server admin isn’t already doing all of this? You don’t. Don’t expect privacy in public spaces.
You posted three times, may want to delete the extras. Did you press post multiple times?
It seems these multi-posts are typically coming from a user getting an error message when their post actually goes through, then they try posting again.
After I learned about that I’ve been bookmarking comments I want to reply to, copy my intended post in another document, then check later to see if what I wrote was actually posted. If yes, yay, don’t have to worry about multiposting. If no, I just post once the server isn’t being weird.
That is exactly what happened. I posted it said network error and acted like I hadn’t submitted my comment. Rinse repeat and here we are, It also looks like they were auto deleted though? I don’t see them and I don’t see them and I didn’t delete them.
Nevermind found them and deleted them and got the same network error while deleting. Lucky me I picked lemmy.ml before the reddit exodus.
To further this thought, it makes it really easy for any motivated party to profile accounts.
Create an account that posts intentionally politically motivated news or comments.
Rinse and repeat a few times and now you the data you want.
How is this different than any other website?
I can’t just spin up a website and automatically get that info from other websites, but I can spin up a lemmy instance and get that info from everyone it’s federated with.
I agree, someone has to store and maintain your data, but giving all instances access to it is a risk that could be avoided
How is it even possible to do a SQL query on the database from another instance?
Makes no sense, databases should be private and behind the HTTP API. Why is he showing a SQL query as evidence?
So I’ll assume this is done via the HTTP API then. If that’s the case, why does an instance needs to see this information from other instances? By needs I mean if there’s an actual purpose for that info being exposed.
You don’t query another instance’s database.
When your instance is federated with another, your instance will sync a local copy of threads and interactions from that instance.
You then query your own database and instantly have access to everyone else’s interaction data.
Wow. Off-topic but that sounds inefficient for very large networks of instances. Sounds like the federation is doing more that it should.
Is there some place to learn about the federation protocol?
I’m already questioning the whole system behind it, not just votes.
Say you have critical information that you want to delete but other instances can just ignore this deletion request, than I could technically write a plugin that uses an extra instance, to always display all deleted comments to me, despite me being a regular user.
For other sites you’d need a crawler, catching this information and all this in a rapid fashion to be usable, with a lot of programming extra work.
At this point we can as well remove the option to delete or edit a comment as everyone can host their own, which wouldn’t be possible with proprietary tools.
If someone can simply see votes the same way, we can as well add a mouse hover function that will display the username of whoever upvoted.
Good find, albeit a bit horrifying.
I wonder what the GDPR implications of this is. As far as I understand, even free, privately run services are required to abide by GDPR and offer data insight and deletion. They’re also required to state clearly what happens to user data.
Edit: Apparently people have varying takes and feelings on what the GDPR does and does not say, so I urge you to please read the summary of GDPR data privacy here: https://gdpr.eu/data-privacy/ as well as the summary of what constitutes personal data here: https://gdpr.eu/eu-gdpr-personal-data/ It’s easier to have a good and fruitful discussion if we talk about what the GDPR actually says.
deleted by creator
And I updated you with a chuckle!
I have proudly downvoted you 😌 for fun, no less. Not even disagreement.
deleted by creator
I amusedly upvoted you because you called me silly 😌
There is a fundamental misunderstanding here.
Our data has never been ‘invisible’… We’ve just trusted that places like Reddit and their staff will do the right thing. That’s literally how it already works.
If you sign up for Reddit, Reddit staff can see your posts and votes if they want to.
If you sign up for a private forum the admin there can also see database contents.
One way encryption is not possible without stopping functionality… If data about you was encrypted then posts you make couldn’t be displayed. If you include a means to decrypt then there was no point encrypting anyway.
This is how it’s always been, and Lemmy doesn’t change this status quo much.
A faceless corporation that has had access to your data is just replaced by a variety of admins distributed across instances.
This isn’t a good or bad thing, the potential for abuse does exist, but when we have literally made agreements with places like Reddit that they can use and sell our data… then what difference does it make it an admin takes a peek?
It wouldn’t be great… but nothing is perfect.
It’s still worth working on however, to see if a better solution can be found, but at this time I’d say just be aware that it is possible that your data can be seen and understand the only safeguard against that if you need to communicate something private would be to use direct messaging with end to end encryption.
It shouldn’t be like that. I hope it gets changed.
Holy shit. HOLY SHIT.
I just realized what this actually MEANS.
It means that when you like or dislike something so much that you unvote and then vote a second time, people can tell. This will change karma forever.
