YSK: Your Lemmy activities (e.g. downvotes) are far from private
Edit: obligatory explanation (thanks mods for squaring me away)...
What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
Suppose I'm the President of the Democratic People's Republic of Leopards Eating People's Facia, And now, I want to post a propaganda piece on how Leopards are friendly, cuddly, and do not eat people's faces.
On Reddit, I can post this and get downvoted to oblivion, I could try to request Reddit to hand over the list of users that downvoted my post, but I'm most likely going to be told to kick rocks and I can't do anything. (Assuming I'm not the US/a five eyes country).
With Lemmy/Kbin, I don't even need to ask the owner for this information. All I need to do is spin up my own separate instance and the original server will happily send over the list of usernames that have downvoted the original post. Maybe I can use this list and send out a few friendly leopards...
It's quite literally anyone who has 30 min to set up an instance has access to this data. There's some discussions on GitHub on how to potentially fix this but right now this is the case.
Not just YOUR server admin... Anybody capable of setting up a Lemmy instance has access to this data.
While most people at discuss.tchncs.de may assume that /u/milan and /u/erAck can see this type of thing, it may not be obvious that so can /u/muddybulldog@mylemmy.win or /u/ruud@lemmy.world and every other instance admin in the world can, as well.
Is that what you found out during your experiments?
That seems like a really inefficient and useless implementation to have all instances provide those details to one another, when every instance can simply keep track of it for their own users and pass along the total number.
I would expect they’d collate that information and pass it on at regular intervals to the instance that holds the true version of the post, who then subsequently disseminates that information to subscriber instances.
Then again, I guess you could collate the detailed information in a similar manner.
Not disputing what you’re saying, I assume you’ve tested this out and that’s what you’re reporting, just commenting on the choices made by the project to implement it this way.
It is a pretty big deal. What it essentially means is that you are completely exposed, if you pardon the pun.
And yes, absolutely everyone with basic IT skills has access to this data as it is shared across instances. All it takes is a couple minutes to deploy a docker image and boom, I'm somewhat of an admin myself.
The fact that this data is stored in plain is a major security and privacy issue that makes me rethink this platform.
The moment you make votes anonymous (which would theoretically be possible) you open up a million ways in which votes can be manipulated. So congratulations, that ad post from some random company has 12k upvotes now.
Only alternative is still connecting it to a user, but only registering that they voted (but not if it's an upvote or downvote, that's anonymous again), but then you can never change your vote again afterwards. So if you misclick the downvote button there is no way back.
With the current solutions in place, if you want to remain anonymous: Don't create an account, just lurk. Or don't upvote/downvote/comment on things. It's as easy as that.
Just like putting your real name online and then complaining when others can see it on Facebook.. your account is as anonymous as you want to make it.