What’s stopping me from doing this? Here we go:
I’m going to start an instance and federate with everyone who will allow it, which is most instances including this one, I believe.
Then I’m going to feed all that data into my new website, called Open Lemmy Stats, where anyone can query the user data ive accumulated. The homepage will be ripe with insights, leaderboards and all kinds of data on prolific users.
Additionally, I’ll display a snapshot/profile of a random user by feeding that users data to GPT4 to make inferences about the user’s political affiliations and display the results.
Worst of all, I’m not going to out my instance for everyone to know it as the one to defederate. In fact, I’m spinning up a few instances that will host innocuous communities that I plan to mod and support to give my instances cover for their true purpose: redundant fediverse datastreams for my site, Open Lemmy Stats.
I’ll also have a store where anyone can buy my collected fediverse data for a handsome sum.
Just kidding I’m not doing any of this. But someone absolutely will or already is working on it. They’ll make a good bit of money too, I’d bet.
This is inspired by a recent post on youshouldknow@lemmy.world where someone highlighted what kind of data instance admins have access to, even for users not on their instance.
I wanted to share this to start a discussion that I find interesting. I’m interested in your thoughts, or to hear more on why this may or may not be possible and if it is, maybe some ideas how to fix that? because obviously such a site would be problematic, but no doubt popular for oh so many reasons.
Edit: typo, I called admins adminis. Corrected.
Edit 2: wanted to credit the post I was referencing from YSK, here it is - https://lemmy.world/post/1033769
Capitalists gonna try and capitalise. I’ve seen lots of people try and create services like this for mastodon.
Great post BTW.
Thank you, I appreciate that!
That’s interesting about mastodon, I’m not exactly surprised, I feel like it’s merely a question of when, not if, apparently that time has already passed for mastodon. I have no doubt folks are already capitalizing or attempting to capitalize on lemmy data in some way or another, or at least letting the data fill their bucket while they figure out how to monetize it.
I don’t think that site would be problematic. After all, we’re just talking about custom interfaces to analyze public data.
A big part of the solution is that users should have an awareness that their activity is public. Every once in a while someone gets burned not knowing that anyone can view what a specific Twitter user or Instagram user liked (like politicians liking risque thirst trap photos).
Another is easy alts and throwaways, with tips to avoid correlations:
- Don’t use the same verified email address
- Don’t reuse usernames, including across platforms
- Try not to use the same instances, such that instance admins can see whether login activity is coming from the same place, unless you absolutely trust that the admins won’t analyze your data OR inadvertently leak their records.
- Be aware of the techniques used to correlate users: analysis of timestamps, linguistic/grammatical quirks, etc.
This is a public place, so people should be aware that this is a public place. That means they can still find this useful space, as with many other public places, but should be aware that the more they do on this platform, the easier it is to correlate with a real life identity.
Thinking about this some more, I don’t mean to put everything on the user.
The platform itself, through its design and architecture and settings, should also do stuff to make super detailed analysis more difficult:
- Don’t log unnecessary metadata, such as views/visits, clicks, scrolls, time spent on specific posts, etc. Information that is never observed/logged can’t be shared/published.
- Don’t share unnecessary information with other instances. For example, with an update to the protocol, an instance might be able to hide which local users voted for what in local threads, while maintaining the proper count internally of what the vote totals are, who has already voted, etc. Non-local users would have to have their votes publicly known, though.
- Make the public nature of each action obvious. Make votes more obviously public through the interface (perhaps by allowing people to view who upvoted or downvoted). Make people’s comment history and like history easy to view within the native interface, so that people understand that the information isn’t private to begin with.
- Commit to deletion in a public, auditable way. Let instance administrators know that being a good citizen on the fediverse requires adherence to norms about privacy and deletion, and have watchdogs publish stats on how long it takes for an instance to delete a comment or vote or whether it retains edit/delete history.
That last point is completely impossible. Don’t forget that I don’t have to run the official lemmy software on my instance. I can make changes: for example, I can add a feature to my instance like “log every post in a separate, local database before deleting it from lemmy”. Nobody else but me will know this feature exists. Or (to be AGPL compliant) have a separate tool to regularly back up my lemmy database, undoing deletions.
As for the second point: I’d say making local votes private and non-local public will be worse for privacy due to causing confusion.
Great point and ideas, I hope to see things like this introduced as the lemmy project matures
Those are good practices if you have privacy concerns.
we’re just talking about custom interfaces to analyze public data
Semi-public. As it stands, only instance admins have access to per-user vote data. Possibly also API users, but I’m not sure the lemmy api has an endpoint for exposing per-user vote data, I believe it just gives you a tally of the up/down votes of posts and comments, but not who made each vote. But most people don’t have the skillset to host their own instance and process the data into something meaningful/easy to digest.
You could make the argument that semi-public is basically public, but I think there is some nuance to be explored:
Once a site like open lemmy stats launches, it becomes trivial for any user to query that data, who upvoted what, who downvoted what, when they up/downvoted it, etc.
There’s a difference between something being available to people motivated enough to get it vs it reaching critical mass and being trivial to access by anyone with a browser. How the data is ultimately used, whether it is used nefariously or not, is going to be up to the people that access openlemmystats and what they wish to use it for.
Which has me considering an analogy, without expressly intending to make this political, please consider the statement “guns don’t kill people, people kill people”. “Openlemmystats doesnt harass political dissenters! The people who use it do!”. One could argue that openlemmystats wouldn’t do anything inherently bad, it’s the people who would use it. Just like with guns, there will likely be debate on whether or not the world would be better without openlemmystats or if we should start doing things to make it impossible for openlemmystats-alike sites to exist.
That said, I mostly agree with you, and I appreciate your privacy suggestions/best practices, good stuff!
Edit: for the record, I think “guns don’t kill people, people do” is a stupid statement, but I thought it was an interesting analogy. That is to say nothing of my feelings on gun control, I’m just not a fan of distilling complex issues into dismissive one line statements.
That YSK thread from yesterday inspired me to create a new account with an anonymous relay email, instead of my personal email. I’m not sure how much I would’ve actually had to worry about if I kept using my personal email, but I figure it’s better to be safe than sorry.
I also probably could’ve just changed the email in my first account instead of creating a brand new account, but I don’t really know how data is persisted or anything. That was another case of better to be safe than sorry.
This was the first time I personally used a relay email and I’m glad I did. I also made a mastodon account using the same email but I’m curious if I change my mind on that or not. Personally I think you did the right thing just making a whole new account. Chances are you didn’t use the first account long enough for it to matter.
Well nothing is stoping you from doing both. It’s not an issue to get another relay email.
Nothing is stopping you. Apart from laws that regulate data collection maybe. IANAL.
Fair point! I was thinking that too, but i settled on the idea that it probably would not stop the folks who would actually do this though
Indeed if it’s not a mage corp then it’s a government. There is no winning here.
Frankly, I think someone should actually do that. Except maybe use open source AI instead of ChatGPT.
The fact is, in a federated setting all this data will be accessible. For example, if lemmy tried to hide who made each vote, and just federate totals, that would allow my malicious instance to report 1M upvotes for my post.
When lemmy tries to hide this data, all this does is instill a false sense of privacy with users. IMHO the best thing is to make all this de facto public data, officially public, so everyone knows and can act accordingly.
As for privacy, I’d say the best thing to do is, keep your account anonymous.
Can your instance not do that as is? Just spin up a bunch of fake users and make them all vote on something?
True - but it’ll be much easier to detect.
I’d wager a fake vote count would be much easier to detect than the same amount of fake users
It’s actually a real problem on reddit where people spin up fake users to manipulate votes. Reddit hasn’t published how they detect that exactly, but one way to do that is to look for bad voting patters, like if one account systematically upvotes/downvotes another. But you pretty much can’t without knowing the votes.
Nice try Zuckerberg
I just want a place for everyone to smoke some meats, yknow, real people stuff
Zuck is just playing with us at this point.
I appreciate the illustration (and even warning) here. I predict things like this will just lead to more people having throwaway accounts. Now instead of just having throwaway accounts for posting shameful stories, you’ll also find people with their “commenting” accounts separate from their “voting” accounts.
The more I see kbin users calling people out for downvoting them, the faster I expect the votes to just become gamed instead of natural. Anything that’s used to draw attention to the way people vote will make this worse.
We’re in the early stages, but as soon as we start seeing communities that ban users based on their voting records, people will just find other ways to obscure things, which will make it even harder for instance admins to address massive misuse of the voting system.
I definitely expect a drawn out game of whack a mole as lemmy devs, instance admins and key contributors start seeing stuff like this pop up, and they develop tools or tech to mitigate abuse, until another exploit is found by bad actors, rinse and repeat.
Some say it’s an inherent flaw with federation/activitypub but I expect/hope it progresses the way other vulnerable tech has.
For example, in the early days of wifi it was pretty trivial to packet sniff (a practice that lets you peer into other folks network activity). Now most sites encrypt their transmitted data and while the packets could be sniffed over an unsecured network, the data within stays safe because it’s encrypted (assuming most sites that deal with sensitive data now encrypt, which in my experience, they do)
Furthermore WIFI as a technology has gone through many iterations, each one bringing with it better and stronger security, to the point where average Joe can setup a secure home network by following the quick start guide included with their router, which these days is essentially plug in, power on, choose a password, and authenticate with your devices.
I expect activitypub and fedi tech to develop in the same way: releasing patches and updates and ammending the standard to combat/mitigate abuse of an open federated platform., it’s gonna take time though.
Edit: typos
I think the biggest concern is getting all participating instances to agree on how to handle the issue.
We’ll start to see more fragmentation of the Fediverse as different instance owners have different views on what should be done. But many of the measures to fight this will only work if all participating instances do the same, whether actively, or by using a new version of the federation standard. Some instances may think the way is to be more transparent, while others may think the way is to obscure the votes more. Now you’ll have the “transparent” fediverse and the “obscure” fediverse with fundamental disagreements with each other on the way things work.
It’s interesting times ahead. Personally, I don’t think federation is the simple answer to all our social media woes like some folks around seem to think. There’s a lot that needs to be addressed, which will be uncovered as more companies like Meta try to get in on it.
biggest concern is getting all participating instances to agree
I see what you mean, that is true if the responsibility ultimately ends up falling on instance owners.
Which is why I’m hoping that the developments instead occur on the Lemmy project itself and other fediverse project code bases. Lemmy devs and contributors will hopefully work on privacy and security as the Lemmy project matures. If instance admins are keeping their instances mostly up to date, there is virtually no (dis)agreement to be had: the mitigation patches will be loaded on the next update.
Of course, anyone can fork lemmy or manually remove these changes from their instance, or some admins may simply refuse to update, but that would reflect badly and privacy minded users may choose move to another instance that has updated to the latest/most secure version of Lemmy and other instance owners can also choose to defederate from instances that leave themselves vulnerable to issues that have been patched out.
Nice play, I already wondered why the page does not load.
So the two biggest issues seem to be:
- Voting is public (but invisible to users who are thus oblivious about it)
- Post/comment history is public, entirely
I’m not sure if (1) can be changed regarding the ActivityPub protocol, but I would appreciate it. There is at least a communication issue since most users probably expect votes to be anonymous.
A shallow research made me hope something like zk-SNARK could be a solution. Voters must be able to identify themselves (to revoke or change their votes later), but servers must be unable to track individual users across multiple votes. A lesser, but still desirable achievement could be to make it impossible to track individual voting behavior across multiple servers.
Agree to @mojo@lemm.ee about (2). It should be possible to restrict how much of my post history others can see. On the other hand, crawlers and scrapers could still gather the data from browsing publicly available posts and comments, and reconstruct individual post histories. This would then resemble (1) again; users expecting some privacy when they actually have not.
I’d go the other way: make these things officially public, so people know they are, and then aren’t taken by surprise.
Private voting can be tricky in a federated setting, because I could have a malicious instance that boosts my posts (I can have it with public votes too, but then it’s easier to detect). Truly private posting history is outright impossible, as you said, due to crawlers.
The way to privacy is to make sure not to dox your account, perhaps alternate 2-3 accounts if it’s really important to you.
I’d go the other way: make these things officially public, so people know they are, and then aren’t taken by surprise.
This has a lot going for it. Simple to implement and to understand. Not much potential for bugs, and not much potential for damage in case of bugs.
I still don’t like it. Not sure how much of that is ‘being used to / habits’, and how much is actual value worth striving for.
Feels like rationally there is a clear winner, but I still have to come to terms with it in acceptance. Good on OP to open this discussion.
I think it has a lot of value. I don’t really see the point of anonymous upvotes in the first place.
I am with you. We could just make all the votes public. I don’t see why votes are worse than comments? Or maybe I misunderstood everyone, but ppl talk like it is. It is good to inform everyone so they know. Many needs to learn how to surf the net. Also I think if ppl feel more responsible will they also act with care
I can imagine a hacky way to anonymise voting would be to have a pool of fake user accounts on your instance. When someone on the instance clicks to up/downvote, a random fake account is used to make the vote instead. This would then kind of work like a vote tumbler and keep the voting anonymous but still work with activity pub.
Maybe activitypub is actually a bit crap and we should all be using something better like nostr though?
From what I understand kbin’s interface shows who upvotes/downvotes
By seeying most reactions ro your post, I can only think that most lemmy users don’t care about privacy at all. Or, at least, didn’t fully understand the implications.
For myself, I’ve already just assumed this stuff is public. I don’t know why I’d assume it was private, in fact. I have a few different accounts and I use them for different things, but anything I want to keep off the public internet doesn’t go on the public internet, on Lemmy or Reddit or Facebook or anywhere. It’s 2023, I think most people have some understanding of this already. Threatening to out data I already assumed no privacy on is not terribly threatening.
Assuming everything is public, on one hand, can help develop better practices, but, on the other, can lead us to stop fighting for our privacy, so I’m always cautious with it.
About the upvotes/downvotes, they give a lot of information about you, and your pattern can be so unique, that a new account could be identified by it. It can also be used for doxing. Having public votes can also lead to metadrama, just like happens in places like facebook with their like system. And don’t forget that it takes just a small mistake to have your identity leaked, and then you have this data available and tied to your person, exposing your psychological behavior and positions on every theme.
Another thing worth mentioning is the email used to join lemmy. This is basically public, eliminating the expected anonymity from a lot o people (remember, most people aren’t tech-savy enough to create a fake one). In time, bots and trolls will become more common and most instances will probably ban fake or temporary emails, forcing the users to use real ones.
It all might not be a great issue now, when we’re small, but if we expect to grow, I think these things will need to be addressed at some point.
Yeah, I almost want to make it now to drive the point home to those folks. (Edit: emphasis on almost)
who cares if they can see my public posts
Misses the whole point, Open Lemmy Stats probably wouldn’t display your posts (lemmy itself does that), it would display all of the analytical inferences to be made from those posts, votes and other activity, revealing more about you than you intended or even were aware of. Which isn’t readily public in the way some folks are making it out to be, it takes some work to get that data and you need sysadmin/database/programming skills to make it manageable and useful. OpenLemmyStats will let anyone of any skill level query your data that otherwise would require you to be, at a minimum, an instance admin to get to.
I like the idea too, but I’d prefer to wait and see what the official devs think about it, and if adding privacy measures is part of the roadmap. Lemmy is still too new and things are still unstable.
You got me at the first half, not gonna lie.
That’s a fucking cute as hell illustration. I’d wear that
I’d love to take credit but that was midjourney (and all the artists that feed its capabilities.)
I think my prompt was “a logo featuring a mouse holding a magnifying glass”
I’ve since realized that I should have said lemming instead of mouse, but a dummy like me can only do so much.
Man that is so amazingly clean for AI, really scary
Was with you until the money point. It’s extremely easy to get this data and there will be many open source versions doing this thing.
But I agree that who upvoted a post shouldn’t be federated.
I totally get what you’re saying.
I think there is (unfortunately) value to be mined from packaging the data conveniently, or offering a subscription service to make it trivial to query for anyone without sysadmin or database skills. Or just throw porn ads on it or some shady ad network that doesn’t mind being placed on questionable sites.
I really think Lemmy, Kbin, and Mastodon need to figure out a way to have a default terms of service that ship with their product which forbids using the API to collect data for commercial purposes.
Additionally, there should be a way for users to indicate licensing for individual posts, with a default license instance admins can set.
That way for-profit instances could be forced to filter out posts with licenses that do not allow for-profit use. Honestly, even just a simple check mark “[ ] allow for-profit republication”, and have two licenses that can be attached: one that allows for-profit use and one that does not.
Whoever’s doing this wouldn’t be using Lemmy, Kbin, or Mastodon code. They’d likely write up some custom ActivityPub service that listened in on that protocol. ActivityPub is an open protocol so trying to put some kind of “no profit” restriction on it at this point would be impossible, and having it on there from the start would have killed its adoption.
Lemmy, Kbin, and Mastodon are all currently licensed under the GPL so good luck trying to retroactively put that genie back in the bottle too. The GPL allows for-profit companies to run the code with no further restrictions.
Europe’s got the GDPR, if you really want to try some kind of legal route to counter this, but I don’t think it’s very likely to work well.
But I agree that who upvoted a post shouldn’t be federated.
This also surprised me. I wonder is it necessary for technical reasons to prevent repeated upvoting of a submission by the same user?
I’m pretty sure there is no particular reason why it’s done this way. It’s just the easiest method to coomunicate upvotes across different servers. There are already a lot of ideas for doing it differently or more efficient (e.g. vote aggregation) but that requires a more sophisticated architecture:
- Vote aggregation also makes faking votes much more efficient and requires different detection methods. Of course, a spam server can also invent users or votes but it’s a bit more complicated.
- Aggregation in any form can be hard to implement because it should be flexible enough to reduce load but not increase delay or make tracking a consistent state even harder. Finding the right configuration will be difficult and go through a lot of trial and error. Should be easier though now that more people are working on the code.
- Keep in mind that Lemmy should also be able to communicate with other services across the Fediverse like Mastodon via ActivityPub. I’m not sure if there is something in the standard for message aggregation yet. It’s definitely being discussed because Mastodon, Pixelfed and Peertube all have or went thorugh the same growth problems as Lemmy in terms of scaling, spam and security concerns. If there’s a good solution it will likely come through the AP standard.
I was thinking yay that sounds like an awesome data visualization platform, that would be great. Until I got to the “just kidding” part.
You are right, all this information is readily available. And we would be really naive if we think that no one is collecting this yet.
You, or someone else, should build this, such that it is clearly visible for everyone what data is available. And not just visible to the select few who builds their own closed data mining systems.
This would be a pretty bad idea. Not only are companies going to steal all the data from that site, but its going to lead to people going through every user’s history to block people who don’t have the same “color politics” as them. Its going to lead to hyper echo chambers, even worse than other social platforms.
I think it would be better if this data is obfusicated even from instance admins. Does this present a bigger challenge in identifying malicious users? Probably, yes. However, it protects the Fediverse first and foremost from the vampire companies stealing consumer data, and protects the Fediverse from becoming the loudest echo chamber on the planet.
Differing opinions, viewpoints, and politics are important to genuine discussion. These “color politics” don’t have to even be part of the discussion to influence what people say. I don’t know about you, but being in a thread where people only ever agree with me and offer no alternative ideas is not a place I want to spend a lot of time in. Because who knows, maybe my ideas are wrong, and I might (shudder), change my mind.
Hey, I completely agree with you, in that the most interesting discussions are among groups where I don’t agree with everyone. This is where I learn and grow as a person.
But in saying that, aren’t you also saying that some people, like you and me, would not use such a database to filter out the users we do not agree with?
And would it not be a logical conclusion to make, that people who likes to build and stay in their echo chambers, would not be more inclined to listen to different opinions just because they don’t have a more efficient tool to sort out people they disagree with?
What I am saying is, all information that is technically available will be collected and analysed. Better make a public and open platform showing everything, such that everyone can see exactly what can be collected and surmised from the already public information, than to keep users blind from what information they actually leak publically.
Wait… the Lemmy logo is a Lemming?? I’ve spent the last 6 days thinking it was a gerbil. And this whole thing was referencing the Lemmiwinks episode of South Park.
I was told it was a lemur…
Even if this was real, I think it’s irrelevant. If you make a public post, then that’s what that means, it’s public. What happened to the saying that once uploaded to the internet, it’s there forever? I always thought this was common knowledge. To prevent these things, it shouldn’t be possible by design. That’s why in Lemmy and Mastodon, the fact I can click anyone’s username and see their entire post history is insane to me. Why there no option to make that private, and why the hell is it public by default?
The same people crying about possible data scraping are the same ones who see zero issue with all your profile data being completely public to any possible random internet query.
The problem is that it is not immediately clear to a user that their voting history is public as an average user cannot view that information.
Not even that, but that is also a huge glaring issue, but I’m referring that I can click on your username and see every comment/post you made since the beginning of your account. Why is that even possible, why is it default, and why is there no option to disable that?
I assumed on Reddit/Twitter they did it so people can be “influencers” or whatever and people can read their feed as content. I don’t want that in the fedi.
Every single thing you do here is visible to absolutely everyone. By the very nature of how the fediverse works, where everyone can set up a server and participate, there is no way around it.
What you can do to mitigate, if you really feel it is a problem, is to have multiple accounts for different communities. This will limit how much of a profile other users can build on you.
You could also rotate accounts over time, and create new ones every month, for example.
People are blowing my mind right now at how ridiculous they are being. The fediverse is an open system that shares information with any server that connects to it. This system cannot work if the information is not shared.
How I think it should be is that for Lemmy for example, is that when ActivityPub queries a thread, it should only find replies that way. If querying a user profile, only basic information should be returned that the user set. Their post/comment history shouldn’t be visible from their profile, only the threads they’re commenting on. Maybe let them see the profile comment/posts if they’re following you.
Even if it didn’t, that would be trivial for anyone to do with the API. If you’re saying things you don’t want people to know you said, don’t use your name. Posting public, discoverable content is the entire point of Lemmy. Hiding what you’re doing wouldn’t solve the problem.
Hiding what you did would only make people think it’s private, giving a false sense of privacy, as it’s obviously visible via the API, and anyone could fetch your whole profile history anyways. Then we would have posts about: “YSK: Your posts and comment history is not private”
Definitely not trivial, you’d have to crawl every single post and every comment to build up profile data on a person. That’s significantly more effort then just pulling an entire post history from a single API call from a user. You’d also be bound to miss data. But I also think posts should have the option to expire, like auto delete this comment or thread after X amount of time, with the option of leaving things be permanent. Who is it really benefiting by making posts stay indefinitely? Mastodon has that feature and it’d be nice to see on Lemmy.
Auto-deleting posts has the problem of destroying any future benefit. In my opinion, the greatest benefit of Reddit is the ability for the public to find answers to niche questions but sharing discussions. Every single person with a problem for looking for an opinion, doesn’t have to find relevant people to ask anew for an answer.
Again, if someone wants to have a private discussion that people can’t just look up, I question why they would Lemmy at all. Something like Matrix or Signal is far more suited to that goal.
Have you thought maybe people don’t want that? Yeah I don’t care about that, I want my privacy and stuff to auto delete, not to be publicly archived forever.
