EDIT: Initial self-votes don’t federate, so it seems this specific way doesn’t work.
Am I missing something, or is PieFed’s private voting kinda trivial to reverse engineer as long as every user by default upvotes every post and comment they make?
If you have a username and want to find the matching private voting ID, search through that user’s posts and comments for an entry that only has one upvote. The vote cast on that entry will be the private voting ID.
If you have a private voting ID and want to find the matching username, search through all votes cast by the private voting ID to find a post/comment that only has one upvote. The user that posted that entry will be the original user.
If it really is this easy, it seems like it’s sort of a false sense of security. On the other hand, if automatic upvoting of your own content could be disabled by default, that would prevent this from working.
I am not sure how PieFed does it. I hope someone more familiar with the actual protocol can shed some light.
What is important here is whether private votes from the same profile are associated with the same voter ID. PieFed accounts have two subaccounts, a public posting account, and a private voting account. When voting on a Lemmy post, the anonymous voting profile is used. There are multiple ways to do this:
1. (the way your post assumes) Assign a unique ID x to every voting profile, and every vote by the same ID x gets tagged with x. This is easily traceable, like you said. Even if auto-upvoting of one’s own posts is not done, one can still gather a lot of information about the voter.
2. Do the same as 1, but do not tag the vote directly with the voter’s ID x. Instead, encrypt/hash the ID x so that the voter ID tag is different for every vote, but could be decrypted by the hosting instance to get the original ID x.
From my understanding, it is 2. 2 is better for privacy, with a caveat. Admins would still have the ability to deanonymise private voting IDs.
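A small simulation of the two schemes described in the reply above, added here as an illustration; it is not PieFed's code and does not claim to reflect how PieFed actually tags votes. The user handles, static voter IDs, posts, and the keyed per-vote wrapping are all constructed for the example. It shows that under scheme 1 the single-upvote correlation from the original post recovers every voter ID and then attributes every vote in the set, while under scheme 2 each tag is one-time, so the same correlation links nothing beyond the post it was cast on, and only the key holder (the hosting instance, as the caveat says) can recover the static ID.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: public handle -> static private voting ID (scheme 1).
USERS = {"alice": "v-7f3a", "bob": "v-c21e", "carol": "v-9d04"}

# Constructed posts: (post_id, author). Every author auto-upvotes their own post;
# p4 also gets an upvote from bob, so it has two votes and is not usable for
# the single-upvote correlation.
POSTS = [("p1", "alice"), ("p2", "bob"), ("p3", "carol"), ("p4", "alice")]


def scheme1_votes():
    """Votes tagged with the static voter ID, as in scheme 1."""
    votes = [(post, USERS[author]) for post, author in POSTS]
    votes.append(("p4", USERS["bob"]))
    return votes


def link_voter_tags(posts, votes):
    """The correlation from the thread: a post with exactly one upvote binds its
    author to the tag on that vote. Returns {tag: handle}."""
    authors = dict(posts)
    per_post = defaultdict(list)
    for post, tag in votes:
        per_post[post].append(tag)
    return {tags[0]: authors[post] for post, tags in per_post.items() if len(tags) == 1}


def attributable_votes(posts, votes):
    """How many votes an outside observer can attribute to a named user by
    reusing the linked tags across the whole vote set."""
    linked = link_voter_tags(posts, votes)
    return sum(1 for _, tag in votes if tag in linked)


# Scheme 2: the voting ID is wrapped with a key only the hosting instance holds.
# Constructed key; the construction (nonce || id XOR PRF(key, nonce)) is an
# illustration of "different tag per vote, decryptable by the instance", not
# PieFed's scheme. A real deployment would use an AEAD such as AES-GCM.
INSTANCE_KEY = secrets.token_bytes(32)


def wrap_voter_id(voter_id, key=INSTANCE_KEY):
    """Fresh nonce per vote, so the same voter ID yields a different tag each time."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    raw = voter_id.encode()
    assert len(raw) <= len(stream), "voter ID longer than one PRF block"
    ct = bytes(a ^ b for a, b in zip(raw, stream))
    return (nonce + ct).hex()


def unwrap_voter_id(tag, key=INSTANCE_KEY):
    """What the instance admin can do with the key: recover the static ID."""
    blob = bytes.fromhex(tag)
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def scheme2_votes():
    """The same votes as scheme 1, but every tag is a one-time wrapping."""
    votes = [(post, wrap_voter_id(USERS[author])) for post, author in POSTS]
    votes.append(("p4", wrap_voter_id(USERS["bob"])))
    return votes


def tags_per_static_id(votes, key=INSTANCE_KEY):
    """Admin view of scheme 2: number of distinct tags behind each static ID."""
    seen = defaultdict(set)
    for _, tag in votes:
        seen[unwrap_voter_id(tag, key)].add(tag)
    return {vid: len(tags) for vid, tags in seen.items()}


if __name__ == "__main__":
    v1, v2 = scheme1_votes(), scheme2_votes()
    print("scheme 1 linked:", link_voter_tags(POSTS, v1), "attributable:", attributable_votes(POSTS, v1))
    print("scheme 2 distinct tags:", len({t for _, t in v2}), "attributable:", attributable_votes(POSTS, v2))
    print("scheme 2 admin view:", tags_per_static_id(v2))
```

Under scheme 1 the observer recovers all three static IDs from the single-upvote posts and can then attribute all five votes, including bob's upvote on p4. Under scheme 2 the observer still "links" three tags, but each is unique to the vote it was cast on, so nothing carries over to other votes; the key holder alone sees that alice's ID sits behind two tags and bob's behind two.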
I was under the impression that it’s intentionally #1 so that other instances can still track malicious voting behavior (e.g. mass-downvoting posts in a community) of an anonymous account without knowing the real identity. But yeah I’m guessing we would need some clarification somewhere on the specifics; I tried looking for documentation on how the private voting works but couldn’t find any, and I didn’t feel like digging in the code or hitting the API just yet.
If the voting ID is static in any way, it’s still inevitably trivial to de-anonymize a user’s votes, but it would at least require a more heuristic approach (e.g. finding a thread that the user is in and checking to see if they have upvoted/downvoted any comments they’re replying to). As well, the instance tag (@piefed.ca for example) on the voting ID can narrow things down significantly when trying to figure out which user is voting.
I’m mainly just thinking about how these systems can be scraped for mass data collection by e.g. advertisers/big tech in the future. Upvotes and downvote behavior can really paint a detailed picture of someone when all data is combined.