Thoughts about private voting

CoyoteFacts@piefed.ca · edit-2 18 hours ago

Thoughts about private voting

freamon@preferred.social · 18 hours ago

is Piefed’s private voting kinda trivial to reverse engineer?

Yes. But not for the reason you’re suggesting. If your instance has seen activity from the main account and the voting account, you can connect them for the mundane reason that they have the same public key. So when you receive activity from the voting account, you could just do something like:

if about.startswith('This is an anonymous alternative account of another account'):  
    public_key = activity_json['publicKey']['publicKeyPem']  
    main_user = User.query.filter_by(public_key=public_key).first()  
    if main_user:  
        return main_user

Upvoting your own stuff doesn’t reveal it though.
On PieFed and Lemmy, the initial upvote that your content gets is an assumption - both your local server and any remote servers give you a free +1 from your main account. Nothing is actually sent out for this. ‘Private voting’ only applies for activity sent out for other people’s content that you actually had to press a button for.
MBIN is different - their accounts send out the content, and then send out an actual vote (which Lemmy and PieFed both ignore of course). If you see content from Lemmy or PieFed on MBIN, it starts at 0, because no votes were sent, and MBIN hasn’t made the same assumption.

Rimu@piefed.social · 19 hours ago

The upvote of one’s own post/comment does not federate. The only effect that upvote has is on the local instance and remote instances that receive the content are free to initialize the score of that new content however they wish.

Mohamed@lemmy.ca · 19 hours ago

I am not sure how PieFed does it. I hope someone more familiar with the actual protocol can shed some light.

What is important here is whether private votes from the same profile are associated with the same voter ID. PieFed accounts have two subaccounts, a public posting account, and a private voting account. When voting on a Lemmy post, the anonymous voting profile is used. There are multiple ways to do this:

(the way your post assumes) Assign a unique ID x to every voting profile, and every vote by the same ID x gets tagged with x. This is easily traceable, like you said. Even if auto-upvoting of one’s own posts is not done, one can still gather a lot of information about the voter.
Do the same as 1, but, do not tag the vote directly with the voter’s ID x. Instead, encrypt/hash the ID x so that the voter ID tag is different for every vote, but could be decrypted by the hosting instance to get the original ID x.

From my understanding, it is 2. 2 is better for privacy, with a caveat. Admins would still have the ability to deanonymise private voting IDs.

CoyoteFacts@piefed.ca · 19 hours ago

I was under the impression that it’s intentionally #1 so that other instances can still track malicious voting behavior (e.g. mass-downvoting posts in a community) of an anonymous account without knowing the real identity. But yeah I’m guessing we would need some clarification somewhere on the specifics; I tried looking for documentation on how the private voting works but couldn’t find any, and I didn’t feel like digging in the code or hitting the API just yet.

If the voting ID is static in any way, it’s still inevitably trivial to de-anonymize a user’s votes, but it would at least require a more heuristic approach (e.g. finding a thread that the user is in and checking to see if they have upvoted/downvotes any comments they’re replying to). As well, the instance tag (@piefed.ca for example) on the voting ID can narrow things down significantly when trying to figure out which user is voting.

I’m mainly just thinking about how these systems can be scraped for mass data collection by e.g. advertisers/big tech in the future. Upvotes and downvote behavior can really paint a detailed picture of someone when all data is combined.

asudox@lemmy.asudox.dev · edit-2 18 hours ago

If the accounts aren’t randomized, which I think weren’t, then yes, this is possible to do. If the voting timestamps are also recorded, then it is as easy as checking the oldest vote in a comment/post. To make it harder for someone to associate your voting account with your actual account, you would either need to:

collect votes and send in randomized order (I think a minimum of 3 votes is good)
create a new voting account on each vote
disable voting your own comment/post

I think the best would be creating a new voting account on each vote, but that would kill moderation.

CoyoteFacts@piefed.ca · 19 hours ago

I think the best would be disabling the ability to vote your own comment/post with your voting account.

Actually yeah this is pretty easily the best option. Just make it so that every post/comment is upvoted once with your real account, and leave any other votes to the private voting account. This feels so obvious that I’m guessing it already works this way.

asudox@lemmy.asudox.dev · 19 hours ago

Actually I’ve been thinking about this more and I’ve changed my mind. If someone really wants to figure out who voted, they probably still can. It just makes it a bit harder, not impossible.

Say user X makes a post in a dead community and gets a comment from user Y. Then user X upvotes that comment. Now the comment has only two votes. One is from Y themselves and the other is almost certainly from X. The chances would be even higher if X replies to that comment too.

Or imagine a situation where user X and user Z are arguing and start downvoting each other. Depending on how new the comments are and how active the post is, it’s still possible to connect the downvotes to their real accounts

Which is why I now think the only real way to make voting private is to generate a completely new voting account for every single vote. That would make it impossible to trace the votes back to the user across posts/comments.