I recently learned that voting on lemmy is not anonymous. Anyone can get information about who has upvoted and downvoted a post or comment.

In combination with your IP, this is a massive privacy (maybe even physical security) risk. Also, people can target you for your votes.

Sadly, this is something where I would prefer Reddit over Lemmy. Big tech scrapes data from both places anyways, at least Reddit is safe.

  • discosnails@lemmy.wtf
    103·
    7 hours ago

    I was unaware that it was unclear to anyone but children and the intellectually behind that anything you do on the Internet is traceable to you without significant countermeasures.

  • Dholi@lemmy.caEnglish
    333·
    12 hours ago

    at least Reddit is safe.

    Lmao, what!? Reddit tries their best to know exactly who you are, where you live, your education, where you work, etc… And then they sell that data to anyone.

  • socsa@piefed.socialEnglish
    14·
    10 hours ago

    A lot of people here still refuse to understand that Lemmy, as it currently exists, is a privacy nightmare, and the voting thing is just the top of the iceberg. There are several de-anonymization attacks possible involving dynamically serving different content to different users. This, combined with the public voting makes it possible that someone can dox an account and expose a lot more information than other forums where that information is more private.

    Public votes also open the fediverse up to much worse astroturfing IMO. It’s incredible feedback for bots and trolls to see exactly who is interacting with their posts and comments. It’s frustrating that a bunch of people here have convinced themselves of the opposite, and insist that public voting is the only way to combat brigades and trolls, which is an incredibly shortsighted stance which doesn’t scale nearly as well as it does in the other direction.

  • Luci@lemmy.caEnglish
    152·
    12 hours ago

    I’ll downvote everyone here if I damn well please it!!!

  • Destide@feddit.ukEnglish
    61·
    11 hours ago

    I try not to downvote without commenting so they should be aware

  • omniman@piefed.zipEnglish
    42·
    11 hours ago

    whats the problem with it . you did not liked it you downvoted . its not like they can ban your account

  • Xylight@lemdro.idEnglish
    22·
    1 day ago

    If you’re an instance admin, for any post, you can just click “view votes” and see everything tied to usernames, even outside your own instance. Moderators can too, but it’s restricted to the communities they moderate.

  • Wispy2891@lemmy.world
    32·
    1 day ago

    The IP address thing is not real, though

    Just choose a nickname that is random word+4 random digits and don’t reuse it on other services

    • npdean@lemmy.todayOP
      238·
      1 day ago

      It is nowhere explicitly made clear to users that voting is public. It should be made clear if it is going to be

        • zeca@lemmy.ml
          3·
          8 hours ago

          I think its a fair assumption that most people make that whatever data which isnt explicitly displayed to a regular user is not public. Having likes be public but hidden is misleading.

        • npdean@lemmy.todayOP
          62·
          14 hours ago

          It is made clear because there is an option to see all the votes right next to the like button. Similarly, many sites allow you to go through activity of people you follow.

      • General_Effort@lemmy.world
        42·
        12 hours ago

        An EU resident could sue for emotional damages under the GDPR. Or maybe just complain to data protection authorities.

        One day it will happen.

        • npdean@lemmy.todayOP
          1·
          2 hours ago

          I hope it does. Lemmy should not get benefit of the doubt just because it is open source

      • gazby@lemmy.zip
        141·
        1 day ago

        It’s the other way around here: Everything is public except where it’s made clear that it won’t be (e.g. email address, password).

        For what it’s worth, your instance of choice is particularly negligent in regard to informing its users. Compare lemmy.today/legal to lemmy.world/legal, or their respective signup pages for examples. There’s little that Lemmy itself or the community at large can do about that 😞

        • npdean@lemmy.todayOP
          1·
          2 hours ago

          It needs to be fixed. Every user is having a different user experience during account creation but everyone’s information is being federated equally.

  • M0oP0o@mander.xyz
    257·
    1 day ago

    In combination with your IP, this is a massive privacy (maybe even physical security) risk. Also, people can target you for your votes.

    No.

    • rumba@lemmy.zipEnglish
      44·
      14 hours ago

      It would be unusual to be able to exactly identify someone purely from their IP, but let’s say someone posted from their work IP in a small company. It would substantially lower the bar to dox them.

      Let’s go further and ponder if an authoritarian regime setup an admin and started coorelating dissent ip’s collected from user when they did things like paying parking fines, or signing their online tax forms.

      Let’s say that they collected all that and trained an LLM on it, then when you go to get a passport renewed or are stopped for a traffic violation and ask the LLM if you’re a dangerous person based on their criteria.

      It’s not a direct problem, but it has slippery slope all over it.

      • anarchiddy@lemmy.dbzer0.comEnglish
        6·
        13 hours ago

        IP addresses are not something that can be pulled from just any instance. You would need to be the administrator, and even then you’d only get access to the ip address of just your own instance users. AFAIK, at least - maybe they’ve made efforts to mask ips, too, but im not even sure how that’d work.

        Federated posts and comments are copied from server to server. When someone from .world is looking at a comment from .dbzer0, what they are seeing is information that was synced from the dbzer0 server address, not the user’s.

        There was a brief moment when there was a vulnerability with linked images sent via DM that could route you to an external server and log your IP address, but that has been patched now by most instances.

        As with anything on the internet: assume your activity is not private at all times, or take active precautions to mask your identity, or both. No opsec is perfect and often the only thing standing in the way of a hack or dox is the endurance and motivation of the bad actor.

        • rumba@lemmy.zipEnglish
          1·
          9 hours ago

          IP addresses are not something that can be pulled from just any instance.

          That’s what I thought about votes too. I’d be very happy to know that you can’t access ips the same way you can votes on other nodes by simply being an admin on a given node. Honestly, I never would have guessed lemvotes could exist.

          • anarchiddy@lemmy.dbzer0.comEnglish
            2·
            6 hours ago

            That’s just how a federated exchange needs to work, though. Without sharing which user is creating activity, there would be no way of verifying the legitimacy of activity without some convoluted blockchain process. On the other hand, sharing IP addresses isn’t just unnecessary but more involved.

            There’s frankly no point in making votes private, anyway. Why should it matter who knows how you vote?

        • rumba@lemmy.zipEnglish
          21·
          9 hours ago

          ohh, so you can’t put train a small compendium everything a person wrote then infer things about that person based on their life. Good to know.

          I’ve been dealing with IP’s for about 30 year now, also good to know.

    • moseschrute@lemmy.zip
      4·
      16 hours ago

      You get 3 accounts. Say you want to upvote something. You downvote in 1 account (randomly selected), upvote on another, and upvote on the third. So it’s net +1 and the only way to see how you voted is to piece together all 3 of your accounts voting history. Need more privacy? No problem, just use 5 accounts instead of 3.

      /s

    • Dozzi92@lemmy.world
      8·
      1 day ago

      I did this last night putting my son to bed, said heads you go to bed, tails we stay up. Jokes on him though, double heads. And he fell for it, what a sucker. Hope it works when he’s not four, or I at least don’t need to do it.