YSK: Your Lemmy activities (e.g. downvotes) are far from private

toasteranimation, 11 months ago (edited 10 months ago)

error loading comment

gk99, 11 months ago

Why not? kbin literally has an “activity” button that shows everyone who downvotes, it’s public info. Makes blocking morons a breeze because I can say something like “trans people are cool” and then get rid of everyone who gets angry about it.

If you’re scared of people knowing what you downvote, you might need to change your downvote habits.

kentaromiura, 11 months ago

The fact that this can be abused is quite alarming to be honest. Of course one could create a throwaway just to avoid this, but imagine if some admin of a different instance decide to ban you with a pretext for seeing a downvote on a post saying trans people are not people (which they might have created just to attract people and see who does downvote). Downvoting/Upvoting detailed info should not be visible to anyone imho to keep it transparent.

toasteranimation, 11 months ago (edited 10 months ago)

error loading comment

PixxlMan, 11 months ago

Admins can see literally everything. If you can see it (from your end, like whether you’ve upvoted something), it has to be stored somewhere and of course the server owners can see it

muddybulldog, 11 months ago

Agreed. I think it’s fair to say that most people will consider the fact that their instance admins have access to this data.

What many probably won’t consider is that ANY instance admin across the fediverse has access to much of it. It’s near-zero cost to become an instance admin so the potential number of people who have access is limitless.

moozogew, 11 months ago

Yeah this information has always been available up spez and co

Cosmiques, 11 months ago

YSK: Your Lemmy activities (e.g. downvotes) are far from private

False excuse. It is possible to design protocols that make it impossible to designed entities to see anything.

johanml, 11 months ago

How specifically? What would votes be tied to in such a solution? Could you share a reference or explain more? Btw, there’s nothing preventing any federated instance from vote flooding (with or without anonymization, since it’s not associated with any cost) is there?

QuadratureSurfer, 11 months ago

One example (not the only way to deal with this) is to do what some crypto algorithms have done. Here’s the source code for z cash: github.com/zcash/zcash

Using something similar to this you can hide who is voting for what while being able to trust that the number of votes are accurate.

SilentMobius, 11 months ago

I would hope this would be obvious to anyone. If your client can highlight which posts you have upvoted in the web and app UI then the fact that your user specifically upvoted that post must be recoverable from the instance server and thus must be recoverable by the instance admins. I would not expect anything different.

AncientMariner, 11 months ago

Only the server that you connect to so it can tell you what you voted for. It doesn’t have to share who it was linked to. So voting profiles can be separated from posting as it doesn’t need to be known.

DreamlandLividity, 11 months ago (edited 11 months ago)

Except it is not just your instance and the instance hosting the post (which would make sense). It is every instance in the federation. So if I want to see how you vote, I just need to pay few bucks for hosting and make my own instance.

QuadratureSurfer, 11 months ago

Actually, it’s even easier than that, just make a kbin account then go to any Lemmy instance and you can check the upvotes/downvotes.

sauerkraus, 11 months ago

I also was not expecting how Lemmy is different in that way. I was expecting it to be only accessible to the admins of a user’s instance.

QuadratureSurfer, 11 months ago

Right, but in this case your upvotes/downvotes are public to anyone that has a kbin account, it’s not just the instance Admins that can see.

cakeistheanswer, 11 months ago

Fully expected to be buried since I’m late to the party.

That’s really only half of it, there is no real erasure possible when everyone’s holding a cached copy. Personally… I kind of like it, I don’t hold any value to the words I contribute here as long as they’re for everyone.

But everything and everyone is living in concentric glass houses here.

fulano, 11 months ago

To be fair, I don’t feel comfortable with that. I believe people are so excited about ditching reddit, that they’re in denial about any possible flaw or inconvenience about lemmy.

I hope future updates bring more privacy to the users.

cakeistheanswer, 11 months ago

This is super interesting to me.

I think you’re right in that the user base has the same expectations despite a huge change in the model. But it’s going to be the same on any server, your circle of trust now has to include your instance owner everywhere on the fediverse.

In general there’s no expectation you can delete every email you ever sent either, just your local copies. Most of what you see here is similar with some new attached protocols (votes, markdown etc)

I’m sure we’ll see some evolution, but the entire infrastructure is a call back to when a single service wasn’t directly linked to a single business, and it shouldn’t be treated like one.

In other words I’m not sure the concession isn’t the price you pay to not have reddit/twitter in charge. Because any other architecture that had the convenience of having a single point to delete from is also going to be a single point of failure.

fulano, 11 months ago

I can see where you came from. We can’t expect to be free from powerful corporations without some sort of tradeoff. However, in this particular case, I prefer my upvotes to be private, so I don’t feel like I have any incentive to hit that button again. I will only read and comment from now on, because my comments and posts are what I expect to be public.

Well, the good thing is that we have the option to refrain from voting. But this information isn’t easily available to new users.

cakeistheanswer, 11 months ago

Understandable, and yet if nobody contributes upvotes out of the same concern you end up with nothing standing out in your feed to come comment on. Kind of circular.

On the other hand having an upvote actually attached to your (and I actually mean your handle here) name would likely give it credibility in a weird sense. There’s much less incentive to blindly upvote if it essentially shows what you saw like a slug trail, but if you’re selectively giving oxygen to the best of what you see then that trail is valuable to others who value you. It’s a functional change from competing to push things for their own sake.

Im old! I come from an era where there was no such thing as OPSEC as soon as you interact with another party you cant personally name. For every consumer that was the phone company, or literally right out the door. If you transmit (login credentials, personal info, search queries) the expectation is somewhere, someone or something is logging it. Not even maliciously all the time either, sometimes I got to some of this out of boredom. The corporate Internet just kind of acts like a middle man, because that same problem never went away, just siloed into companies.

Until we get to a future like Transmetropolitan where the expectation is your online presence has some dirty laundry (and hopefully leave out the other stuff), all the bits/bytes, not just upvotes, you transmit should have a limited expectation of privacy. This is just the best/latest reminder because every hack is the same problem, only the company has incentive to keep it quiet so it doesn’t hit their bottom line.

MyFairJulia, 11 months ago

But everything and everyone is living in concentric glass houses here. You might even call that a Glass Onion 😄

NewBrainWhoThis, 11 months ago

What does this mean for admins regarding GDPR? Is lemmy still not GDPR complient? Are there options in place if users request their data?

An issue has already been raised: github.com/LemmyNet/lemmy-ui/issues/1347

dezmd, 11 months ago

Isn’t this an example of how GDPR can be morphed into an exhaustively wild over-reach that exerts control on open systems and end user internet activities despite being hailed as a privacy protector from corporations with teeth that every corp has already worked around?

Does bitcoin’s blockchain ledger violate the GDPR in the same light, where even though a blockchain address is long, it is still identifiable in the same ways a username or even a random email address can by inspecting a data set and running a search for matching entries? If not, couldn’t we just slap the Fediverse data into a blockchain style system for the whole Fediverse that each instance would act as a node on?

/throws gasoline on a fire

MrPoopyButthole, 11 months ago

There is a person working on a blockchain version of Lemmy for the purpose of making the data content addressable and allowing it to be shared in a peer to peer system so that the main instance server gets less load. It seems like GDPR is getting in the way of progress or that devs need to do a lot more work on trust in the swarm to make it work.

ilikekeyboards, 11 months ago

Can’t be too difficult to script and be made automatic. But remember the nature of FED, you’d only be able to request it from the instance you joined

PixxlMan, 11 months ago

I’m pretty sure you could request it from any server. Just because it’s federated doesn’t mean the law doesn’t apply to anyone else with personal data.

sauerkraus, 11 months ago

And it only matters if you care about operating in the jurisdiction of GDPR. Violate it as much as you want if you’re not located there.

Kissaki, 11 months ago

Federation doesn't evade GDPR.

If federation shares data it must do so without violating GDPR.

If your data is hosted on your instance, and shared to other instances, removal must also be shared.

The nature of sharing must at least be obvious and discoverable so you can request info and deletion of updating.

LufyCZ, 11 months ago

The request for removal must be shared, the removal itself not so much.

If the server isn’t located in the EU, it can happily ignore it (and maybe risk getting blocked in the EU sure)

weirdwallace75, 11 months ago

Every piece of information you give someone can be linked to every other piece of information.

Username + Votes is not a hard connection to make.

stagen, 11 months ago

I’m fine with it too. Don’t think I’d be here if I wasn’t okay with sharing these sort of things. If I wanted privacy for my upvotes or downvotes (why tho?), I’d do it anonymously.

And yeah, I upvoted the beans as well. Ate beans 90% of the time as a student. Still farting from it 20 years later.

kuneho, 11 months ago

I’m fine with it.

I mean… you can get information accessing the database. Can anyone access the instance DBs? No. How would you know reddit doesn’t log these in its database somewhere?

On it’s own, it’s not a problem IMO. Why would you want to show all information stored on the frontend? But, if you have to investigate something, it’s not that bad you have stuff in your database that can help it.

Granted, if an admin is a shitface, they can look at these information. And then…? Make fun of downvoting people? Go to other instance and that’s it.

Hazzia, 11 months ago

Reddit would have to keep that info on downvotes stored, right? If they didn’t, it should be trivial to mass downvote something with very few users

kuneho, 11 months ago

Yeah, up/downvotes are somehow has to be tied to the user. If not, a page refresh should “reset” the state and you would be able to vote again.

orangeboats, 11 months ago

Reddit definitely stores upvoters and downvoters of each comment, otherwise it won’t remember which comments you have downvoted.

Gecko, 11 months ago

Why would you want to show all information stored on the frontend?

I’m gonna start out by saying that I don’t know how lemmy’s federation code works. So if I host another instance and federate do I only see the upvote count or also who upvoted? Cause if the only person that can see the count is the admin of the instance the user belongs to, then there’s no need to show it in the frontend. If however all you need to do to see upvote count of all lemmy users, is to host your own lemmy instance, then there should be an easy way to also access that information in the front end to indicate to the user that what they up/down vote is in fact not private.

So for me whether up/down voting is private is less of an issue as long as it’s clearly communicated. Again if only the instance admin the user is part of can see the count, then that’s essentially “private” as you are trusting that entity already ^^

kuneho, 11 months ago

If however all you need to do to see upvote count of all lemmy users, is to host your own lemmy instance, then there should be an easy way to also access that information

I haven’t thought of that, and you may be right on this.

However, I don’t fully understand this part:

there should be an easy way to also access that information in the front end to indicate to the user that what they up/down vote is in fact not private.

But it’s true that my brain today doesn’t really want to work. You mean by some kind of API call can reveal these information?

Gecko, 11 months ago

However, I don’t fully understand this part:

there should be an easy way to also access that information in the front end to indicate to the user that what they up/down vote is in fact not private.

But it’s true that my brain today doesn’t really want to work. You mean by some kind of API call can reveal these information?

Basically what I meant is some way for the user to see who up/down voted what. Maybe hovering the up/down vote button shows a field you can click on that say votes or something and that then redirects you to a different page that shows who upvoted and downvoted that specific post/comment. The exact details don’t really matter. My point was basically that if something is accessible but only via hidden means that are not obvious to the end-user, they may wrongly assume that information is private. So by making it easily accessible to end-user, you also clearly indicate that that information is publicly accessible ^^

dezmd, 11 months ago

Again if only the instance admin the user is part of can see the count, then that’s essentially “private” as you are trusting that entity already

Until you get rouge instances or rogue admins on seemingly reliable instances willing to fuck with vote numbers for money. A full open system does help with accountability and the ability to discover corruption/deception by admins. I’d rather have the openness than allow instances to create their own fiefdoms with no externalized accountability in an open federated system like this.

The scummier versions of old reddit power mods are probably salivating at having their own instance farms to sell upvote services to advertisers and nefarious groups to with the concept of hiding vote details from downstream instances, so it is easier to obfuscate their activities and more difficult for external analysis to discover and expose.

Keep it all open and just advocate and educate the end users to create anonymized user accounts with unique emails if they want their personal privacy.

Resistentialism, 11 months ago

Also. Whilst reddit mods might not get access to that information. It is definitely stored somewhere. On reddit, you can see all your upvoted and downvoted comments and posts. And lets face it. I highly doubt reddit are encrypting that information and hiding decryption keys away from every reddit employee.

I really don’t see the issue here.

wgs, 11 months ago

The point here is that anyone can just spin up their own instance, federate with others, and see these information by inspecting their database.

Having a clear understanding of what is public, what’s local to your instance and what’s private is very important in this context.

kuneho, 11 months ago

yeah, you are right.

I think this is just a “side effect” of the decentralized nature. We need some pragmatical changes in our society to not to see these “side effects” as threats in any way.

wgs, 11 months ago

In a decentralized but federated environment, sharing data is inevitable. In this case it’s important to only share what’s needed when communicating with other instances. For example, if you visit a community through your own instance while being logged in, does the other instance knows about your account being logged in ? It’s not needed, but this information could leak, and this affects your privacy directly. Because what you post is public, but what you visit should be private (or at least, limited to your instance).

trouser_mouse, 11 months ago

I think this is to be expected - some instances have downvotes disabled but that doesn’t seem to be the rule of thumb.

There are quite a few questions about data retention, usage, retrieval, compliance and how it is shared which will need to be addressed as the platform grows.

Countdown for this to be monetised by someone.

Ozymati, 11 months ago

I’m safe, I upboated the beans

IrrationalAndroid, 11 months ago

Are the email addresses encrypted? Please tell me they are. And, additional YSK to y’all: keeping your email address is optional, even though sign up says it is required. Remove it from your page’s settings.

widowhanzo, 11 months ago

Not all instances require email to sing up, I’m signed up without one.

IrrationalAndroid, 11 months ago (edited 11 months ago)

Oh whoops, I deleted my comment almost immediately but it seems like you could see it and answer anyway. Yeah makes sense that it’s not an all-instances thing, it was very weird UI-wise because it said “optional” but then the address still came back when I left it empty, saved and refreshed. Seems like they might have forgotten to remove the “optional” label (or remove the requirement, either of the two).

Koordinator_O, 11 months ago

I never get why people are so protective about their Emailaddress. Just have a spammail account for such instances. If it isn’t a important website or service like banking or whatever -> Spammail account. only login for verification and then let the spamming do its thing in there until you need it again. If it gets hacked you lose only unimportant stuff if any.

ComeHereOrIHookYou, 11 months ago

Agreed, I use email alias services (Simplelogin, duck) whenever I sign up to a new service. Easier to control spam messages just by turning off the alias instead of having to manually add them to spam filters.

Then as a bonus, if a service the alias under in gets hacked. I just need to change passwords plus the virtual credit and debit cards. Ease of mind

IrrationalAndroid, 11 months ago

It’s just that email addresses are often linked to the owner’s name and I don’t feel too comfortable knowing that it’s in cleartext and easy to access without knowing it beforehand. Your advice is good though.

athlon, 11 months ago

For as much as I love Lemmy, its obvious that it is an early software. Mark my words, that’s not the last privacy threat it will experience.

JesusTheCarpenter, 11 months ago

What privacy threat? How is your privacy suddenly exposed by your like or dislike on the post as opposed to this comment?

bug, 11 months ago

Essentially you’re giving away a lot more info about yourself than you might realise. If someone who takes an unfriendly interest in you wants to, they can probably find out a lot more info about your habits, likes, dislikes, interests, political views, waking hours, etc than just what you’ve publicly commented!

daniskarma, 11 months ago

I’ve been in forums where upvotes were public. It’s not something that I expect to be anonymous by design.

That being said. If something is public, it should be clear that is public (and available to everyone), if it’s not it should be protected.

I think Lemmy should go one way or the other, or upvotes are public to everyone, or they are available only for you instance admins.

daniskarma, 11 months ago

I’ve been in forums where upvotes were public. It’s not something that I expect to be anonymous by design.

That being said. If something is public, it should be clear that is public (and available to everyone), if it’s not it should be protected.

I think Lemmy should go one way or the other, or upvotes are public to everyone, or they are available only for you instance admins.

TimewornTraveler, 11 months ago

Edit: Obligatory RIP my inbox.

Can we leave this kinda stuff behind? It is NOT obligatory.

menemen, 11 months ago

Besides that. A “disable inbox notification” option is not available yet, is it?

gsa32, 11 months ago

Redditisms are cringe and always have been. Yes I agree we should leave them behind.

sachasage, 11 months ago

I think nit picking each others speech is the true cringe redditism

Chriszz, 11 months ago

Yes all the bad Reddit jokes and unoriginal lame attempts at garnering upvotes eg making a stupid joke out of a typo (generally unfunny, rare exceptions), I also choose this guy’s wife, take my upvote you bastard, anything along the lines of wow I hate you for making a pun, I’m not crying you are, I feel personally attacked and god knows the list goes on and on

Hopefully these things aren’t just replaced but one can hope

Onionizer, 11 months ago

c/angryupvote

JesusTheCarpenter, 11 months ago

Well, I disagree. Redditsms, or whatever you call them, among other things helped to make reddit as popular as it is (was) right now.

I get you don’t like it personally, but your personal opinion about them being cringe, while respectable, is not a fact.

Bene7rddso, 11 months ago

I agree with both of you. We should leave redditisms behind and create lemmyisms. And yes, they get cringe if overused

Bozicus, 11 months ago

Possibly relatedly, is this a good place to mention beans? I have not figured out where that meme actually came from, but apparently it’s a thing the cool kids are saying.

NotMatt, 11 months ago

I’m going to start throwing “edit: thanks for the gold kind stranger!” on the end of my comments just to induce some nostalgic cringe.

NoTime, 11 months ago

edit: my most upvoted comment is about beans.

teruma, 11 months ago

You are a gentleman and a scholar. /s

Tum, 11 months ago

That’s a pretty common turn-of-phrase in Ireland, I remember hearing it in the early 90s!, and it’s still common to hear it from older generations too. I wouldn’t equate it with reddit slang/culture at all. I wonder when it made its way to reddit?

Cheems, 11 months ago

This.

EDIT: Thanks for the awards kind stranger!

EDIT 2: Rip my inbox

This is all examples of reddit shit that is really dumb. We don’t need to bring it over here