I recently learned that voting on lemmy is not anonymous. Anyone can get information about who has upvoted and downvoted a post or comment.
In combination with your IP, this is a massive privacy (maybe even physical security) risk. Also, people can target you for your votes.
Sadly, this is something where I would prefer Reddit over Lemmy. Big tech scrapes data from both places anyways, at least Reddit is safe.
What’s the problem with it? You did not like it, you downvoted. It’s not like they can ban your account.
at least Reddit is safe.
Lmao, what!? Reddit tries their best to know exactly who you are, where you live, your education, where you work, etc… And then they sell that data to anyone.
Yes, exactly! This is just what they hoard on iOS devices:
I try not to downvote without commenting so they should be aware
I’ll downvote everyone here if I damn well please it!!!
I want you to know
that you are skibidi sigma rizzler from ohio ?
?
They want you to know that they downvoted you
If you’re an instance admin, for any post, you can just click “view votes” and see everything tied to usernames, even outside your own instance. Moderators can too, but it’s restricted to the communities they moderate.
So if a bad actor wanted to get access to vote data, they could set up an instance and have it federate with any instance they want to extract voting data from?
Yes, it’s very simple too. You don’t even need to extract anything from a database or do some complicated stuff. As an admin you have free access to all moderation tools no matter where the post is from, including the option to “view votes”.
The IP address thing is not real, though
Just choose a nickname that is random word+4 random digits and don’t reuse it on other services
This is the way. Randomise your usernames and use a password manager to keep track of them.
Sir, this is the Fediverse.
It is nowhere explicitly made clear to users that voting is public. It should be made clear if it is going to be
An EU resident could sue for emotional damages under the GDPR. Or maybe just complain to data protection authorities.
One day it will happen.
Why would it need to be made clear? Likes on Facebook are public, nowhere does it say “liking this photo will alert every friend you have that you just liked your stepdaughters’ friends’ bikini pic from 2 years ago.”
I like the public vote system. Anonymous systems have a much greater potential for abuse.
Accounts are easy enough to make that you can just burn your account every few months if you’re that worried.
It is made clear because there is an option to see all the votes right next to the like button. Similarly, many sites allow you to go through activity of people you follow.
You can see the number of votes here too. Why does your hand need to be held? It’s the fucking internet, guy.
I can see the number of votes but not who voted. This gives the impression that this information is not available publicly. However, it can be accessed by anyone on third party websites.
Then don’t vote? Nobody is forcing you to interact with the content and it’s kind of hilarious you’d consider it a security/privacy violation.
And then you put the cherry on top by saying “reddit is safe.”
It’s the other way around here: Everything is public except where it’s made clear that it won’t be (e.g. email address, password).
For what it’s worth, your instance of choice is particularly negligent in regard to informing its users. Compare lemmy.today/legal to lemmy.world/legal, or their respective signup pages for examples. There’s little that Lemmy itself or the community at large can do about that 😞
Are you sure about that? Reddit is a fucking cesspool.
In combination with your IP, this is a massive privacy (maybe even physical security) risk. Also, people can target you for your votes.
No.
It would be unusual to be able to exactly identify someone purely from their IP, but let’s say someone posted from their work IP in a small company. It would substantially lower the bar to dox them.
Let’s go further and ponder if an authoritarian regime set up an admin and started correlating dissent IPs collected from users when they did things like paying parking fines, or signing their online tax forms.
Let’s say that they collected all that and trained an LLM on it, then when you go to get a passport renewed or are stopped for a traffic violation and ask the LLM if you’re a dangerous person based on their criteria.
It’s not a direct problem, but it has slippery slope all over it.
Let’s just say you don’t understand how IP or LLMs work.
IP addresses are not something that can be pulled from just any instance. You would need to be the administrator, and even then you’d only get access to the IP address of just your own instance users. AFAIK, at least - maybe they’ve made efforts to mask IPs, too, but I’m not even sure how that’d work.
Federated posts and comments are copied from server to server. When someone from .world is looking at a comment from .dbzer0, what they are seeing is information that was synced from the dbzer0 server address, not the user’s.
There was a brief moment when there was a vulnerability with linked images sent via DM that could route you to an external server and log your IP address, but that has been patched now by most instances.
As with anything on the internet: assume your activity is not private at all times, or take active precautions to mask your identity, or both. No opsec is perfect and often the only thing standing in the way of a hack or dox is the endurance and motivation of the bad actor.
Seems like a good thing to me. Should be a better known feature.
How would I go about seeing this information for myself?
Yeah, at worst it’s a necessary evil to prevent a rogue user on a second instance from mass downvoting. Your username is tied to your vote, because otherwise a rogue user could just spam downvotes at whatever they didn’t like.
Instance 1 has a post. Instance 2 has a user who disagrees with that post. User is able to spam downvotes, because instance 2 is not binding their username to the vote. So Instance 1 has no way of knowing if the votes are multiple different users, or all one user. The only real solution here is to disable external voting, but the entire point of the fediverse is cross-compatibility and self-hosting. By binding the username to the vote, instance 1 is able to detect repeat votes and disregard them.
Important to note here, too, is that IP addresses of users aren’t synced across instances.
This is only a problem for people who care about the reputation of their user account - which is something people should be rotating out anyway if they care about their privacy.
This always gives me a 404
Just tested your post here, your instance def opted out.
your instance may have opted out.
Or just buggy results.
this is why I vote at random, like two-face doing his quarter thing
You get 3 accounts. Say you want to upvote something. You downvote in 1 account (randomly selected), upvote on another, and upvote on the third. So it’s net +1 and the only way to see how you voted is to piece together all 3 of your accounts voting history. Need more privacy? No problem, just use 5 accounts instead of 3.
/s
wait, so what do I do with the first shell again?
I did this last night putting my son to bed, said heads you go to bed, tails we stay up. Jokes on him though, double heads. And he fell for it, what a sucker. Hope it works when he’s not four, or I at least don’t need to do it.
you’re raising a future supervillain
Russia really should just leave Ukraine, though. (Sorry, I just saw the context for this a few minutes ago and can’t help myself).
Don’t care who knows but I too agree with this.
It is not the context for this post, people have made it the context. It is the reason for this post.
Maybe context is the wrong word.
E: how about catalyst.
I like piefed because it lets you see at a glance if someone is a serial downvoter. On each piefed user profile is a thing called “attitude” and it’s a ratio of your upvotes vs downvotes.
100% means the person doesn’t downvote people. 50% means they downvote and upvote equally. 0% is only downvotes. Edit: I saw someone today with negative % so it must be 100% is all upvotes. 0% is half upvotes half downvotes. -100% is all downvotes. It shows up for people outside piefed too so I see you too lemmy angry people.
This just sounds like Reddit account karma score all over again? But with a percentage displayed instead of total.
Reddit karma is how others feel about what you say. Piefed’s attitude is how you feel about what other people say.
Slightly different but I see your point.
oh no. I should upvote more. I’m really bad about voting at all 😓
Why would you let others police your behavior?
Others influence many things about my life. I don’t see it as policing if I’m trying to choose to bring more positivity to the table.
I would never downvote cereal.
Unless it was grape nuts. That shit is like eating gravel.
Here’s how you Grape Nut:
Pour a small pile (like a cup or so) in a bowl.
Take a spoonful of peanut butter and use the backside of the spoon to mix up the PB and GN. Smash it together for longer than you think until it’s well mixed.
Top with a drizzle of honey and then pour milk over it.
S-tier breakfast.
Raisin bran gang!
What is mine?
90%
Thanks! Cool feature.
Now do me, please.
Hang on, doing your mom.
Why are you saying IP addresses are publicly shown here and why is (almost) no one correcting you? That would’ve been an enormous privacy risk that would’ve required intentionally fucking users over. Just doesn’t even make sense to write what you did about IP addresses. Seems like you’re just hoping to cause some panic.
Admins can get them. It is not available to everyone.
Only admins of your instance.
Only the admin of your instance can see your IP address, it doesn’t get federated to other instances.
Who says that Reddit isn’t selling upvote/downvote and IP info? Or sharing with govts?
They 100% are
I am not worried about big tech because they scrape everything anyways. I am more worried about the witchhunt and potential admin abuse.
And even this does not happen, it should be made clear that votes are public
Why are you worried about admin abuse? If you are worried that your admin will abuse you, you should switch to an instance you trust more.
What?
Okay so then why fearmonger? You’re thinking that a handful of people in the world having your IP and also opinions is somehow more dangerous than anything else on the Internet?