I have been working on Lemvotes, a tool to check who voted on a Lemmy post. In this blog post, I will describe how it works and the ethics of such a tool.
Yep this is exactly right. Too many people are unaware that their votes are not anonymous on Lemmy and blocking the public tool only helps the bad guys who already know this. I’ve always thought this was a major weakness in Lemmy but I don’t have a solution myself without some other major drawback.
I think probably votes should be anonymized or batched between servers so that only your instance’s admins can see individual votes and you just have to trust the instances you federate with that they aren’t pulling any shenanigans or otherwise defederate. That’s not an easy problem to solve, but it’s not like it’s not currently possible to manipulate votes with a federated server, it would just be harder to detect. Regardless I think the need for privacy wins here.
Maybe instead of usernames, the instances could store/trade… salted hashes of the usernames where the salt is the title or unique identifier of the post/comment being voted on?
I didn’t have time to reply earlier, but I was thinking the same thing, except with the extra step of replacing the username with a unique user identifier randomly generated at signup by the user’s instance and kept secret.
I wonder if there’s a way to prevent people from even knowing that two different votes came from the same user.
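The two schemes proposed in the comments above, compared side by side. This is an added example, not part of the original thread or of Lemmy's code. The function names, the use of HMAC-SHA256 and the sample usernames and post ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: usernames are public on a federated instance.
KNOWN_USERNAMES = ["alice@example.org", "bob@example.org", "carol@example.net"]

def naive_token(username: str, post_id: str) -> str:
    """First idea in the thread: hash the username with the post id as salt."""
    return hashlib.sha256(f"{post_id}\x00{username}".encode()).hexdigest()

def secret_token(user_secret: bytes, post_id: str) -> str:
    """Second idea: key the hash with a random per-user secret (HMAC is an
    assumption here; the thread does not name a construction)."""
    return hmac.new(user_secret, post_id.encode(), hashlib.sha256).hexdigest()

def attributable(tokens, post_id, usernames=KNOWN_USERNAMES):
    """Privacy check: tokens that map back to a user from public data alone."""
    table = {naive_token(u, post_id): u for u in usernames}
    return {t: table[t] for t in tokens if t in table}

def unique_votes(tokens):
    """A receiving instance can still collapse repeat votes on one post."""
    return len(set(tokens))

def compare(post_a="post-1001", post_b="post-1002"):
    # Secrets generated at signup and held only by the home instance.
    secrets_by_user = {u: secrets.token_bytes(32) for u in KNOWN_USERNAMES}
    naive = [naive_token(u, post_a) for u in KNOWN_USERNAMES]
    keyed_a = [secret_token(s, post_a) for s in secrets_by_user.values()]
    keyed_b = [secret_token(s, post_b) for s in secrets_by_user.values()]
    return {
        "naive_attributable": len(attributable(naive, post_a)),
        "keyed_attributable": len(attributable(keyed_a, post_a)),
        "linked_across_posts": len(set(keyed_a) & set(keyed_b)),
        "unique_with_repeat": unique_votes(keyed_a + keyed_a[:1]),
    }

if __name__ == "__main__":
    print(compare())
```

With the post id as the only salt, every token is attributable because both inputs are public; with a per-user secret, none are, and the same user's tokens differ between posts. The receiving instance cannot confirm that a keyed token belongs to a real account, which is the trust trade-off raised earlier in the thread.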
Removed by mod
I was thinking of a variable-length hash, but if we use a fixed length (which I acknowledge the term “salt” does imply), then I agree.