We had a really interesting discussion yesterday about voting on Lemmy/PieFed/Mbin and whether they should be private or not, whether they are already public and to what degree, if another way was possible. There was a widely held belief that votes should be private yet it was repeatedly pointed out that a quick visit to an Mbin instance was enough to see all the upvotes and that Lemmy admins already have a quick and easy UI for upvotes and downvotes (with predictable results ). Some thought that using ActivityPub automatically means any privacy is impossible (spoiler: it doesn't).
As a response, I’m trying this out: PieFed accounts now have two profiles within them - one used for posting content and another (with no name, profile photo or bio, etc) for voting. PieFed federates content using the main profile most of the time but when sending votes to Mbin and Lemmy it uses the anonymous profile. The anonymous profile cannot be associated with its controlling account by anyone other than your PieFed instance admin(s). There is one and only one anonymous profile per account so it will still be possible to analyze voting patterns for abuse or manipulation.
ActivityPub geeks: the anonymous profile is a separate Actor with a different url. The Activity for the vote has its “actor” field set to the anonymous Actor url instead of the main Actor. PieFed provides all the usual url endpoints, WebFinger, etc for both actors but only provides user-provided PII for the main one.
That’s all it is. Pretty simple, really.
To enable the anonymous profile, go to https://piefed.social/user/settings and tick the ‘Vote privately’ checkbox. If you make a new account now it will have this ticked already.
This will be a bit controversial, for some. I’ll be listening to your feedback and here to answer any questions. Remember this is just an experiment which could be removed if it turns out to make things worse rather than better. I've done my best to think through the implications and side-effects but there could be things I missed. Let's see how it goes.
Would banning the voting half of the pseudonymous account not mitigate the immediate issue? Then asking their instance admin to later lookup and ban the associated commentating account.
Well, doesn't that fly in the face of federated autonomy and privacy?
On one end, if it's my instance and I want to ban a user, I want the whole fucking user banned -- not just remove their ability to vote anonymously. If one of my communities or users is being attacked, it's my responsibility to react. If I can't remove the whole problem with a ban, then I have to remove the whole problem with a de-federation. (A thing I fundamentally don't want to do.)
On the other, if some other admin says, "one of your users is being problematic, please tell me who they are," I'm going to tell that other admin to fuck right off because I just implemented a feature that made their votes anonymous. I'm not about to out my users to some rando because they're raining downvotes on MeinHitler69@nazi.hut.
It's a philosophical difference of opinion.
But if the only bad behavior is voting and you can that agent then you've solved the core issue. The utility is to remove the bad behavior, no?
No, the utility is to remove bad users.
To prevent them from engaging in bad behavior.