Yes, that is why I am arguing in favor of an additional layer of pseudonymous voting.
As far as I understand it, all activity originates from the home instance, where users are interacting with federated copies of posts. The unique user token from a well behaving instance follows the user across the fediverse, allowing bulk moderation for voting patterns using that token. The only difference is that it is not explicitly tied to a given user string. That means moderation for vote manipulation gets tracked via a user’s vote token, and moderation for trolling/spam/rule violations happens via their display name. It may be possible that a user is banned from voting but not commenting and vice versa. It’s a fairly minor change in moderation workflow, which brings a significant enhancement to user privacy.
But not my votes.
For starters datamining my voting patterns for building a deeper interest profile. It should be pretty obvious how this works in terms of user fingerprinting, and the ultimate monetization of Lemmy data. It would be super naive to think that Lemmy will be the one web space immune to this kind of thing. I guarantee you meta already has an army of silent instances doing this.
Worst case scenario, legit state actors use it to target deanonymization attacks at dissidents. I would not be shocked if the …usual suspects… are engaged in this kind of thing.
Lemmy downvotes really have no consequences though, besides user ego.
And that is still possible with pseudonymous token votes. You just end up banning tokens for malicious voting activity, and users for malicious posting activity. It’s at best a very mild adjustment to moderation workflows.
The current trust model already relies on a user’s home instance accurately reporting user activity and not injecting fake activity. Hiding real user votes behind pseudonymous tokens doesn’t change that at all.
As far as I can tell, the activity ranking algorithms don’t actually differentiate between up and down votes anyway. All votes are considered engagement.
Even for delusional tech bro bullshit, the idea that public voting on an anonymous forum will do anything other than create drama is pretty fucking detached from reality.
On Lemmy the concern isn’t even mod abuse - it’s just how much user telemetry is pushed around in plaintext which makes me uncomfortable. I’m sure there are already instances which do nothing but listen to AP traffic actively building activity and interest profiles on Lemmy users. Say what you will, but at least on reddit they have to buy that shit. And if such a rogue admin is even a little bit enterprising, there are a bunch of potential IP deanonymization attacks possible by serving up content targeted to specific users during specific times of day. And probably a bunch of other shady shit I haven’t thought of.
Honestly it’s more than a bit suspicious to me that AP and Lemmy have put seemingly zero effort into mitigating this sort of thing.
It honestly just opens up a whole shitty can of worms. Are admins ready to weigh in every time someone fakes a vote history screenshot showing that so and so up voted a bomb threat before the post got removed?
Agreed. 10/10.
And you don’t even need real crypto here to start. The home instance can just send vote actions as fixed unique tokens. The way the trust framework currently works, this is literally a drop-in replacement and introduces no new spam/brigade vulns which don’t already exist from a rogue instance. It would be imperfect, and may still make it possible to correlate and infer vote patterns for a sufficiently motivated adversary, but it would raise the bar for protecting user telemetry by a huge factor with very minimal effort. I’m honestly a bit surprised it hasn’t been done already.
It isn’t true. As far as I can tell there is nothing right now which prevents me from sending a fixed, unique token for any given action from my test instance instead of the user string itself. Only comments would require the real user string, for obvious reasons. Likewise, another instance could ban that token, or the user or both. This actually does nothing to change the trust model, but would significantly enhance privacy and reduce the propagation of user telemetry.
Yes, and this would be fairly easy to make them at least pseudonymous without even needing to modify activitypub itself.
That said, I still don’t support anything which lowers the friction of vote stalking like exposing votes in even more places. Technically people can look up my address from my license plate number if they really care to, but that doesn’t mean I want to list it in bold letters on my windshield.
Right now votes really don’t matter in terms of post sorting so I’m not sure if there’s really a point to this. As far as I understand it, any vote is engagement in terms of making a post active/hot/whatever.
Oh I’m sorry, did you want a ride or something? The next bus isn’t for another 15 minutes.
It’s that, plus the next largest instance being practically unusable due to hyper aggressive tankie censorship. Getting banned from .ml for not sucking Stalin’s boot hard enough is practically a rite of passage at this point.
Europeans: Americans are so obsessed with race
Also Europeans:
Yeah no $3k/m isn’t funding their full time dev work with infrastructure. It seems likely they have sources of funding they don’t disclose for whatever reason.
That’s why it’s so brilliant. The weird keeps coming.
Worst case scenario, there is an entirely separate, tokenized identity for votes which is authenticated the exact same way, but which is only tied to an identity at the home instance. It would be as if the voting pub is coming from user:socsa-token. It’s effectively a separate user with a separate key. A well behaving instance would only ever publish votes from socsa-token, and comments from Socsa. To the rest of the fediverse socsa-token is simply a user which never comments and Socsa is a user which never votes.
I am not sure key based ID is actually core to AP anyway. The last time I read the spec it kind of hand waved identity management implementation.
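Added example, not part of the original comments and not Lemmy code: a sketch of the scheme described above, where the home instance federates votes under a fixed pseudonymous token actor and comments under the display name, and a receiving instance bans each independently. The HMAC derivation, the instance secret, the `home.example` domain and all function and class names are assumptions made for illustration; the comments only call for a fixed unique token.

```python
import hashlib
import hmac

# Assumptions: a secret known only to the home instance, and a made-up domain.
INSTANCE_SECRET = b"constructed-demo-secret"
INSTANCE = "https://home.example"
VOTE_TYPES = {"Like", "Dislike"}  # ActivityStreams types used for votes


def vote_actor(username: str) -> str:
    """Fixed pseudonymous actor ID for one local user's votes.

    HMAC keeps the token stable per user while outsiders cannot recompute
    it from the display name. A random token stored in a table works too.
    """
    tag = hmac.new(INSTANCE_SECRET, username.encode(), hashlib.sha256)
    return f"{INSTANCE}/u/vote-{tag.hexdigest()[:32]}"


def outbound_activity(username: str, kind: str, obj: str) -> dict:
    """Activity as the home instance would federate it.

    Votes leave under the token actor; everything else (comments, posts)
    leaves under the display name.
    """
    if kind in VOTE_TYPES:
        actor = vote_actor(username)
    else:
        actor = f"{INSTANCE}/u/{username}"
    return {"type": kind, "actor": actor, "object": obj}


class RemoteModeration:
    """Receiving instance: bans are keyed by actor ID only."""

    def __init__(self) -> None:
        self.banned: set[str] = set()

    def ban(self, actor: str) -> None:
        self.banned.add(actor)

    def accepts(self, activity: dict) -> bool:
        return activity["actor"] not in self.banned


if __name__ == "__main__":
    vote = outbound_activity("Socsa", "Like", "https://other.example/post/1")
    note = outbound_activity("Socsa", "Create", "https://home.example/comment/9")
    remote = RemoteModeration()
    remote.ban(vote["actor"])  # ban for vote manipulation only
    print(vote["actor"], remote.accepts(vote), remote.accepts(note))
```

Because the token is the same for every vote a user casts, a remote instance can still moderate voting patterns in bulk, and the same stability is what leaves vote patterns open to correlation.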