EDIT: Initial self-votes don’t federate, so it seems this specific way doesn’t work.
Am I missing something, or is Piefed’s private voting kinda trivial to reverse engineer as long as every user by default upvotes every post and comment they make?
If you have a username and want to find the matching private voting ID, search through that user’s posts and comments for an entry that only has one upvote. The vote cast on that entry will be the private voting ID.
If you have a private voting ID and want to find the matching username, search through all votes cast by the private voting ID to find a post/comment that only has one upvote. The user that posted that entry will be the original user.
If it really is this easy, it seems like it’s sort of a false sense of security. On the other hand, if automatic upvoting of your own content could be disabled by default, that would prevent this from working.
I was under the impression that it’s intentionally #1 so that other instances can still track malicious voting behavior (e.g. mass-downvoting posts in a community) of an anonymous account without knowing the real identity. But yeah I’m guessing we would need some clarification somewhere on the specifics; I tried looking for documentation on how the private voting works but couldn’t find any, and I didn’t feel like digging in the code or hitting the API just yet.
If the voting ID is static in any way, it’s still inevitably trivial to de-anonymize a user’s votes, but it would at least require a more heuristic approach (e.g. finding a thread that the user is in and checking to see if they have upvoted/downvotes any comments they’re replying to). As well, the instance tag (@piefed.ca for example) on the voting ID can narrow things down significantly when trying to figure out which user is voting.
I’m mainly just thinking about how these systems can be scraped for mass data collection by e.g. advertisers/big tech in the future. Upvotes and downvote behavior can really paint a detailed picture of someone when all data is combined.
while true voting privacy would be great to achieve, as long as votes have meaning there need to be methods for tracking and dealing with abuse of them. if you achieve true vote privacy, there is no way to stop someone from creating 100 alt accounts to just downvote everything that person doesn’t like, including automatically voting on new content by selected users, without anyone being able to stop them. 100 downvotes are easily enough to bury new content and ensure it won’t reach the popular feeds where it’s more likely to gain more votes.
we have already removed private votes from piefed.world and i know that there is at least one other instance considering the same. it might be tolerable when you’re on the trusted instances list of a piefed instance and still see the original voters, but this also means that instances will have to start negotiating with other instances whether they will be marked as trusted by them. i know there is at least one admin already looking into options for flat out rejecting piefed’s “private” votes and just dropping them when they federate to them, stopping them from impacting any ranking on their instance or communities hosted on their instance.
Ugh, that’s really unfortunate. I will probably just disable voting buttons for myself if that ends up being the case.
I don’t really know what’s stopping someone from creating 100 alt accounts without private voting though? If the voting ID is consistent and you can take punitive action on the voting ID, it seems the same as if the person had a cleartext name. The real problem is that an instance is allowing these 100 alt accounts to sign up and manipulate votes, which I assume there are already solutions/measures for?
Don’t mind me though, I’m fairly new to all this, and I’m sure everyone’s thought of all these vectors before. I just hope that there is some sort of middle ground that doesn’t inevitably allow mass data harvesting.
nothing, but at least they can be identified and taken down. it hasn’t been too long ago that i banned 346 accounts involved in such a scheme, and if these accounts had been using piefed’s private voting, they would have been much harder to identify and separate from real users. as a result, this likely have had a much higher chance for false positives catching real users. activity beyond votes alone is very useful to isolate these abusive accounts. for example, a real account will frequently have a range of legitimate comments and those won’t just look like LLM garbage posting. there can also be other patterns, like similar/same usernames across instances. there was another case not that long ago where I banned around 80 accounts using the same name on many different instances, one per instance, to boost votes on one of those accounts.
there is no easy way to prevent people from creating a bunch of alts. there are various options that can be done to detect creation of multiple accounts, and piefed also has some features to help detecting with that, but there is only so much you can do without this also becoming a privacy nightmare with device fingerprinting etc. it’s not without reason that a lot of larger services with community functionality will prompt you to attach a phone number and/or using invasive fingerprinting measures to prevent people from creating a bunch of accounts or evading bans.
That makes a lot of sense, thanks.