YSK: Your Lemmy activities (e.g. downvotes) are far from private

Edit: obligatory explanation (thanks mods for squaring me away)…

What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

s4if,

Nothing private in fediverse except when you are selfhosting yourself.

muddybulldog,

and not interacting with anyone else.

s4if,

🤣🤣

vinnymac,

If post views are public that’s a fairly poor implementation on the developers part. I’m sure it will change over time.

E.g. someone using your account to view illegal content in a community you are not a member of, and you being held accountable.

Wander,
@Wander@yiffit.net avatar

It’s not possible to make votes private is your care about no manipulation happening. Otherwise any self hosted instance could just communicate any made up amount of votes.

WIPocket,
@WIPocket@lemmy.world avatar

Cant they? Sure, they would have to make up new users instead of simply saying a number, but what is actually preventing that?

sauerkraus,

Yeah anyone can create dummy accounts on an instance.

Wander,
@Wander@yiffit.net avatar

We can monitor actual active users that an instance has. Anything artificial in volumes enough to have an impact would be noticeable in some way to other instances.

lightrush,
@lightrush@lemmy.ca avatar

Can’t someone talk ActivityPub directly and do this? If the instance is responsible to authenticate the users, the instance can just directly talk ActivityPub to the rest of the network and tell it users and votes on the fly, without even Lemmy running there.

QuadratureSurfer,
@QuadratureSurfer@lemmy.world avatar

Given the number of lurkers on Reddit, you would probably end up with a lot of false flags.

CmdrShepard,

E.g. someone using your account to view illegal content in a community you are not a member of, and you being held accountable

Can you explain what you mean here? How would someone else be using your account without your knowledge?

XiELEd,

Your friend or classmate would be like “You’ve got games on your phone?” then when you’re not looking they’ll try to access your social media.

CmdrShepard,

I suppose, but then they’re going to look up illicit content on said account in the hopes of framing you for a crime? That’s quite a stretch.

vinnymac,

I was just providing a scenario that came to mind. I am sure many exist outside the one I described.

Nobody has mentioned crime, so I am not sure where that came from. Accountability can come in many forms, and often on the internet users will be banned or excluded based on their direct actions. However, if views were public, it would be trivial to setup a bot to autoban users from communities before they even join, based solely on what they’ve seen.

xtremeownage,

Sounds to me like they are trying to make scapegoats for looking at illicit content.

vinnymac,

You’re reading too much into my comment.

I am a software engineer, and am always thinking of user experiences in my day job. This is simply the scenario that popped into my mind, but many do exist.

Besides hacking, phishing scams, and pranks. Users trick others all the time into viewing content they didn’t mean to view.

My concern isn’t so much that this can happen at all, but rather that if views were public, how it’d be trivial to write software that auto bans users based on those views. Without great moderation tools, and petitioning it wouldn’t scale well.

xtremeownage,

E.g. someone using your account to view illegal content in a community you are not a member of, and you being held accountable

I may have replied to the incorrect content, but, I meant to reply to this one above.

vinnymac,

As I’ve explained elsewhere, this is just what popped into my mind.

Many scenarios exist where you view content you did not intend on viewing.

For example, have you ever been Rick Rolled?

czech,

Activities are public and easily viewable on kbin. It's been interesting. Seems mostly positive other than people harassing those who down-vote them demanding explanations.

Rhaedas,
Rhaedas avatar

Yes, there was a call-out of someone spamming downvotes from alt accounts last night. Quite humorous when they realized their activity was right there where everyone could see, and they went back and removed the downvotes...not that it changed the post or anyone's memory.

sab,
sab avatar

One thing I really like is that it makes it easy to identify users to block. If there's a post stating that "Nazis are bad" and it has ten downvotes, it's very easy to use that to block future content from trolls and people I'm not interested in hearing from.

newIdentity,

Depends on where it’s posted in. Also this example is pretty low effort. I would downvote it too

deweydecibel, (edited )

Yeah, and guess what? They can do that to you.

Effectively, every single person can use a bot that will automate the blocking of any user that ever downvotes them ever.

Like if I made a post that says I like Nazis, and then waited for the downvotes to pour in. Add every single one of those names to a block list, share that block list with all of my alts and all of my friends, and suddenly you have a whole army of Nazi sympathizers that are invisible to the users that would downvote them.

These hand waving excuses about votes being public are really lacking imagination. This is extremely abusable information, and cursory tools can will be put together to make abusing them simple.

sab,
sab avatar

I think there are some problems about voting being public. I don't think this is one of them.

I don't mind people blocking me, and if I don't appreciate the type of content people provide I'll block them liberally. It's not necessarily anything personal, I'm just cirating my experience.

Furthermore, I strive to be on instances where nazi sympathisers would be banned, and where instances tolerating them would be defederated. The only issue is identifying and weeding out troll accounts.

sauerkraus,

You wouldn’t know that your instance is infested with tankies and fascists. You can’t see their posts because you’re on the block list.

muddybulldog,

Knowing they’re visible on kbin made me realize that most Lemmy users probably weren’t aware, as it’s non-obvious.

czech,

Yea, good call. I wonder if kbin makes them viewable because the activity pub protocol does not allow them to be easily hidden.

muddybulldog,

That’s a pretty reasonable hypothesis. I wouldn’t imagine the motivator was to deliberately create conflict.

XanXic,

It’s apparently because it’s Twitter based and Twitter shows likes and such. Kbin doesn’t really have a like upvote downvotes thing. It’s like a favorite and a boost. It’s weird

czech,

Kbin has normal upvote/downvotes since a recent update.

VerifiablyMrWonka,
VerifiablyMrWonka avatar

Not true.

Both Lemmy and KBin map the same activitypub activities to the same upvote and downvote actions.

JohnEdwa,
JohnEdwa avatar

Currently yes, but before they started federating they didn't. That's why Kbin has both Boost (retweet), and the Favourite (like) is the "upvote", which end up here https://kbin.social/fav - and until very recently, those didn't increase your reputation.

Kbin is (was) less like Reddit and more like Twitter with downvotes.

Teppic,
Teppic avatar

Exactly that, Ernest says as much here:
https://kbin.social/m/youshouldknow@lemmy.world/t/82174/YSK-You-can-view-upvote-and-downvote-information-through-kbin#entry-comment-349825

PixelPassport,

Seems to be Ernest’s attitude about that sort of thing, he doesn’t like to hide things from the average user that someone more technically inclined would still be able to access

its_y,

Excuse my ignorance, still super new to Lemmy. What’s kbin?

Teppic,
Teppic avatar

Spot on:
https://kbin.social/m/youshouldknow@lemmy.world/t/82174/YSK-You-can-view-upvote-and-downvote-information-through-kbin#entry-comment-349825

PixelPassport,

This is what I was thinking of! I’m still learning how to find things on the fediverse, did you use one of the search engines?

Teppic,
Teppic avatar

If you figure out a good way let me know! I knew I'd seen this post but to find it again ... well, I used Google to find a discussion on codeburg, and that had a link back to kbin!

fearout,
fearout avatar

And I like it. It’s pretty earnest :)

PixelPassport,

Yeah I think it’s great! I was on kbin originally but I’m a sucker for a nice app UI. I’ll definitely be using it more once the apps are here.

I also can’t find my lemm.ee community through kbin and I think it’s some kind of federation issue, I’m sure it will get fixed.

its_y,

Excuse my ignorance, still super new to Lemmy. What’s kbin?

PixelPassport,

Kbin is another open source link aggregation program with a different developer that uses the same protocol as Lemmy (ActivityPub), so kbin and Lemmy instances can communicate with each other. If you see anyone with “@kbin.social” after their name then that’s where they’re from. You can check it out yourself here as well kbin.social

theinspectorst,
theinspectorst avatar

Yeah, I had a good natured discussion with a Lemmy user on feddit.uk the other day where they were still inexplicably downvoting my responses each time, despite us both being polite and constructive.

It made me realise that a) they use the downvote button quite differently to how I use it and b) they probably didn't know that I, as a kbinaut, could literally see they were the one downvoting.

livus,
livus avatar

It's so weird when people do that!

WhiteHotaru,

I started a discussion on feddit.de about good discussion practice citing Karl Poppers rules of discussion and the use of the down and upvote buttons.

I think discussion culture in the Fedivers is quite healthy at the moment.

alldreadme,
@alldreadme@lemmy.world avatar

Is this only accessible for the people who host the instance, or for all users?

muddybulldog,

Anybody with access to the database on ANY instance. It would be pretty easy to surface in the UI if someone was so inclined to code it.

atocci,
atocci avatar

Kbin was so inclined. You can see who interacted with any post and how they did right from the default UI.

theinspectorst,
theinspectorst avatar

There's been lots of discussion of this on kbin. I tend to like it. I think it encourages people to stop and think 'why' before they downvote things - compared to Reddit, where people tended to downvote thoughtlessly and often, and which contributed to a culture on some subs that was quite toxic.

lackadaisy,
lackadaisy avatar

I'll probably be a lot less likely to downvote here, just because if something is so inflammatory that I'd want to, I probably don't want to draw their attention to me anyway. But I'm glad to know early on.

JohnEdwa,
JohnEdwa avatar

Ironically Kbin might be the place where people will follow the downvote reddiquette correctly, something that almost never happened in Reddit itself:

Please don't downvote an otherwise acceptable post because you don't personally like it. Think before you downvote and take a moment to ensure you're downvoting someone because they are not contributing to the community dialogue or discussion. If you simply take a moment to stop, think and examine your reasons for downvoting, rather than doing so out of an emotional reaction, you will ensure that your downvotes are given for good reasons.

yip-bonk,
yip-bonk avatar

So if we don’t like it . . . don’t . . downvote it?

Isn’t that, y’know, what the downvote’s for?

That’s cornfusing.

theinspectorst,
theinspectorst avatar

No, that's never what downvotes were for. It's not a 'disagree' button. It's just that Reddit got a bit toxic as it grew and the masses started treating it that way.

toototabon,
@toototabon@lemmy.ml avatar

No? The votes are for what contributes (or not) to a conversation, and deepens the dialogue.

That’s why it’s infuriating when someone is downvoted when they have an unpopular but well-structured opinion, while a one-liner joke gets a million upvotes.

May,
May avatar

Everyone, on kbin u can see who boosted , downvoted/reduced, or upvote/favourited any comment by pressing "more" then "activity". For posts it's at the bottom of the comment section

SomeOtherUsername,

Why are you selecting for long names? 😅

muddybulldog,

So I could squish the column and not show people’s full names.

Redecco,

Is it just user activity that’s public? Curious to know about what is preserved on the backend, like if user removed posts/etc get stored somewhere accessible like this too.

muddybulldog,

Deleted items just get marked as ‘removed’, the content remains in the database. I can see the comment you deleted on lemmy.world/post/955546.

Overwrites appear to replace the original content. I can see when you edited this comment but can’t see what the edit was.

captainjaneway,
@captainjaneway@lemmy.world avatar

What happens if someone posts something illegal? Does the instance owner have to know enough SQL to remove the row and the image connected to it or is there a friendly way to do it in an admin interface?

DocMcStuffin,
@DocMcStuffin@lemmy.world avatar

There’s purge post/comment. I don’t know if there’s an easy way to go backwards and find what post a picture is associated with when that’s the only information you have.

muddybulldog,

There’s pretty much no admin interface at this point.

captainjaneway,
@captainjaneway@lemmy.world avatar

So if someone posts illegal images, it’s up to admins to know how to remove it from their database(s). That might be a bit of a sweaty, scary, moment for some people who can follow instructions to setup an instance but aren’t familiar with databases.

zalack,
zalack avatar

Thems the breaks when using what is essentially alpha software. The devs of both Lemmy and Kbin are aware that the admin tools need work, but stuff takes time.

captainjaneway,
@captainjaneway@lemmy.world avatar

Yeah but maybe we should provide some unix tools which help people delete data from their server. Imagine someone is upset at an admin. So they post cp to the server as revenge and then immediately report the server to the FBI. The poster puts themselves at risk, but it’s much easier to avoid that risk than it is for an admin.

The unix tools can become the base for an actual admin interface, but I don’t have the time for all that lol but scripting something that:

  1. Finds the offending post in the database
  2. Deletes any images in the post from the pictures foder
  3. Deletes the row from the DB

That wouldn’t take too long.

JohnEdwa, (edited )
JohnEdwa avatar

Self removals are hard to sync between instances, so a message you posted and deleted can linger forever.
For example, a message I posted from sopuli.xyz to a pawb.social post and then deleted shows as being deleted on sopuli, but is still visible on pawb.

Mod removals are all publicly listed neatly right here on the mod-log: https://lemmy.world/modlog?page=1&actionType=ModRemoveComment

Amanduh,

Both links appear valid to me

JohnEdwa,
JohnEdwa avatar

Not the post, but the comment. Lemmy doesn't scroll down when you link to a comment for some reason.

Amanduh,

Oh, I'm on kbin on my phone if that matters

Lucidlethargy,

So this is interesting… I thought only kbin visualized voting. Does this mean Lemmy’s users are also tracked on kbin?

hydro033,

Good

RestrictedAccount,

Same as the snoo site

!deleted107246,

deleted_by_author

    •
    Hank,

    I always upvote myself. But I have to think extremely highly about my contribution to even think about boosting it.

    Catch42,
    Catch42 avatar

    I upvote my own posts too, I do try to avoid boosting my own posts. We're from kbin though, I think on Lemmy self-upvotes are automatic.

    !deleted107246,

    deleted_by_author

    •
    FinalFallacy, (edited )
    FinalFallacy avatar

    Isn't that kind of the point? You don't get very far hiding in a social setting. You're on a public website talking to other people. Your posts should be public, comments, etc. At least people should treat all websites or apps they didn't develop personally like they're public. I mean you don't really have a right to privacy in public.

    And I'm not trying to say this with some malicious tone or anything but it's just my view on it.

    pistachio,

    Still unexpected. And that’s the problem.

    Comments are obviously public because I can read them. But there is no “upvoted by xx people (and downvoted by xx)” link I can click to see the list of people who interacted this way with the post. It’s only with API calls or similar that I can access the information.

    Hangglide,

    I am looking forward to new apps having the option to show this kind of information.

    Album,
    @Album@lemmy.ca avatar

    Posts and comments is one thing… It’s inherently public. But I think being able to see up and down vote publically is a tough pill. If you don’t realize your votes can be seen you risk your vote being held against you. If you do know it disincentivizes you to use the vote system to protect yourself from something that should be rather benign.

    mookulator,

    At least you know the instance host isn’t selling your data right? The advertisers already have it 🤪

    mookulator,

    I was kind of joking, but now that I think about it isn’t that better? The problem isn’t really advertisers having your data, it’s companies doing skeezy things to be able to make more money with your data.

    This way, instance hosts are free from that incentive and can just focus on making a good website.

    Vlyn,

    I mean I didn’t upvote or downvote porn on Reddit either. It’s all personal information.

    On Reddit there were plenty of people with access and the data was sold to advertisers.

    Here it’s public, not great but not terrible either. Also makes it easier to battle vote brigading?

    deweydecibel,

    It also makes it easier to profile users and weed out anyone who disagrees about literally anything.

    Like, you guys need to consider not every admin is a paragon of virtue.

    Vlyn,

    But that has always been a thing. Just like Reddit mods banning you from their subreddit just because you posted in another subreddit they didn’t like. It sucks, but it’s nothing new.

    If either a server admin or a community mod doesn’t like you for what you’re doing, they can kick you out. It’s the same as if this was an old time forum and you pissed off the admin.

    With lemmy you have to watch two things:

    1. Trust the instance admin you sign up with, this is where your account data lives, the admin can read everything on your account. Hell, even your password if they manipulated the instance code, so use a random one
    2. Trust the moderators of the communities you interact with. If you interact with a community and the mods there don’t like you, they can just remove your posts for example. Same as with Reddit

    A random person outside of your instance or communities you interact with can’t do much. They can “steal” your posts and comment data and see your votes. But that’s it. They can’t block your account or kick you out of your favorite communities. They could obviously harass you (just your account, not your email), but then you can block them. Or ask the admin to block their entire instance.

    pistachio,

    Still unexpected. And that’s the problem.

    Comments are obviously public because I can read them. But there is no “upvoted by xx people (and downvoted by xx)” link I can click to see the list of people who interacted this way with the post. It’s only with API calls or similar that I can access the information.

    rideranton,
    rideranton avatar

    kbin has the ability to see activity including upvotes, boosts, and downvotes from the UI for entries, comments, and microblogs

    nevernevermore,
    nevernevermore avatar

    I was about to call OP out as a liar but I didn't realise this was specific to kbin.

    Kaldo,
    Kaldo avatar

    The same data is also there on lemmy, there just isn't an UI element to display it. That's why op said admins can see it, but on Kbin users can too.

    Boddhisatva,

    Color me shocked. The only thing I'm wondering is why the name length needs to be greater than 7 for the query?

    AngryHumanoid,

    So he can show the row of data as an example but not display the full username (and doxx those users unintentionally).

    CodeMonkeyDance,

    Nice joins…

    AngryHumanoid,

    I write my joins the same way (instead of JOIN tablename on one row and ON columnnames on the next row) and my coworkers think I’m weird. IT’S EASIER TO READ THIS WAY, DAMMIT.

    Demiurge,
    Demiurge avatar

    Who the hell does the joins like that? SQL already has a fuck ton of lines and they want to separate the statements into more lines? wild.

    I also always use alias instead of the full table name.

    xc2215x,

    Not that surprising.

    moonwalker,

    What about private messages? I assume the person running the instance can read all private messages.

    azuth,

    You don’t have to assume, most instances straight up tell you that the dm function is not secure and to use other means for private messaging.

    ParsnipWitch,

    This is true for almost all social media platforms, though. Including Reddit.

    moonwalker,

    What about private messages? I assume the person running the instance can read all private messages.

    chris,
    @chris@l.roofo.cc avatar

    Exactly

  • All
  • Subscribed
  • Moderated
  • Favorites
  • youshouldknow@lemmy.world
  • DreamBathrooms
  • everett
  • osvaldo12
  • magazineikmin
  • thenastyranch
  • rosin
  • normalnudes
  • Youngstown
  • Durango
  • slotface
  • ngwrru68w68
  • kavyap
  • mdbf
  • InstantRegret
  • JUstTest
  • ethstaker
  • GTA5RPClips
  • tacticalgear
  • Leos
  • anitta
  • modclub
  • khanakhh
  • cubers
  • cisconetworking
  • megavids
  • provamag3
  • tester
  • lostlight
  • All magazines
    •