/0 Governance

Acknowledged governance topic opened by https://lemmy.dbzer0.com/u/flatworm7591

This is a simple majority vote. The final tally is as follows:

• For: (3), (3), (1), (2), (2)
• Against: (4), (2), (3), (2), (1)
• Local Community: +0.6
• Outsider sentiment: Very Positive
• Total: -0.4
• Percentage: 49.00%

This vote has concluded on 2025-08-09 01:29:16 UTC

Reminder that this is a pilot process and results of voting are not set in stone.

I don't see much point in opting out. The data will still be available to anyone who spins up an instance, and this could lead to a big game of whack-a-mole.

Better would be to push the Lemmy devs to find a universal solution.

Hi, Lemvotes dev here. As you can imagine, I believe votes on the Fediverse should be public, because that's just how ActivityPub works. Votes are sent out to every subscribed instance, which can then do whatever it wants with them.

We need to stop pretending votes on Lemmy are private, they're not. By letting anyone view votes (well, they can do that without Lemvotes by setting up their own instance, Lemvotes just lowers the entry barrier), users can see, for example, who's serially downvoting their posts or a community's posts.

Also, I don't think votes being public ruins Lemmy. They're public on bluesky and (virtually) no one is complaining. Additionally, platforms like kbin and mbin, which are part of the Fediverse, already make votes public. So even without Lemvotes, people can view the votes on posts. Lemvotes just makes it a bit more convenient.

The only way to fully prevent anyone other than dbzer0 admins from viewing votes is to disable federation.

The way lemvotes works right now afaik, is it uses an admin level account to collect voting data from all federated instances, thus enabling the identification of every voter. This method effectively bypasses the guardrails the developers put in place to keep this info more restricted.

Just a technical nitpick, this is inaccurate. Lemvotes queries the Lemmy database directly, so instance admins can plug it into the db and Lemvotes is running. I was considering making Lemvotes its own Fediverse actor, so that (1) setting up an instance of Lemvotes would be easier, and (2) opting out would be simpler by simply defederating lemvotes.org (or wherever the instance is running), but after working on it for a bit (the results of my work are on this git branch), I realized I don't know enough about ActivityPub, and that I don't care enough about Lemvotes or Lemmy to spend my time on this, as I have other projects to work on. In case anyone wants to develop that themselves, they're free to do so! Lemvotes is open source.

Personally I vote against because security through obscurity, isn't. People who want to get this data for malicious purposes can easily get it. It will only affect people trying to do it causally (i.e. To check if someone is a chud).

I personally find the whole voting system in lemmy flawed but that's another story.

Votes are public though, pretending that they're not is just deceiving users.

Anyone who admins a federated instance, and any of their friends, knows vote counts.

But I also have an expectation (mainly from other forms of social media) that users’ votes should be kept private from other users

This is literally just reddit and hackernews, some of the worst and most astro-turfed socmed. Twitter post nazification too I guess.

Against.

• Does not stop voting being public
• Does nothing for privacy, it doesn't stop how federation sends the info required to vote
• Useful for moderators in communities where they have haters despite being self contained.
• Useful for users to know when they have a dedicated hater/fan.

I don't want lemvotes. It sounds like some real reddit shit and it's a terribly dumb word. Not to mention I want less tracking and more anonymity on the internet in general.

Against. ~~As Lena has indicated, this does not require spinning up a full instance and admin account, but just to spin up a copy of LemVotes, which is open source. Easier than that, I've also read that votes are available without admin rights through queries to the Lemmy API. Even easier,~~ the votes are also already public through the *bins and friendica.

EDIT: Lena has clarified that Lemvotes does depend on having a Lemmy instance, and that votes are only available through API to admins.

I understand the use of having a small hurdle to dissuade people, I regularly build them into my scripts at work so people can't accidentally break shit with them. But my point is, removing our instance from LemVotes does not raise that hurdle to any significant degree.

This is a core limitation of ActivityPub. Votes must be sent with username attached for federation to work properly. The data is already out there. Any ActivityPub system that doesn't make them public is just doing so on the front end. It's set dressing, not actual voting privacy.

I don't like that it works this way, but I've chosen to accept it as the cost to be part of the Fediverse, to be uncensorable.

If you want privacy, the path is the same it always has been: rotate accounts regularly.

As far as I'm aware, the only true workaround is in piefed (I think it's piefed at least) where a hidden account with a randomized name is created with your real account, and the hidden one's name is attached to your votes instead of the real account. So it would require your own instance admin to see the link in vote and identity. Or basic levels of observation skills to connect the person posting negative replies is the random username also downvoting.

I also don't like the idea of even being able to opt out. It creates an entirely false sense of security and privacy, and could be seen as a signal that our instance doesn't intend to participate in the wider fediverse transparently and in good faith.

This data isn’t private in the first place. What point is there in opting out of a pinhole when niagara is right there?

I think that opting out only makes it harder to find out who voted what, I can still find out who voted what by opening a post in friendica (though it misses a good bit of info).

Giving users the illusion that their votes are private is dangerous.

Against.

Facade of privacy is worse. Opting out won't do anything, and it might give people false sense of privacy. Let everyone know their votes are public. In my head, voting on lemmy is equivalent of saying "aye" in real life, that is, you are assenting to something publicly.

I in fact consider this to be a feature, it's helpful in detecting votes manipulation.

Against.

To block it would just further a false sense of privacy. The votes are already public, this just makes that data very slightly more accessible. To pretend otherwise is simply burying our heads in the sand.

The fact anyone on db0 would advocate for 'transparency' in the name of surveillance makes me believe either I chose the wrong instance or you did.

Sure, that data is available to admins, but this approach will naturally lead to a chilling effect that directly opposes this instance's supposed principles. I understand the why here, but cannot fathom, with how often data is misconstrued by the malicious in the modern age, anyone would operate or advocate for such a service.

This instance is based greatly on sailing the high seas. Privacy should go hand in hand with that. I don't want my votes to be "investigated" as they reflect my personal opinions and that is sacrosanct.

I'm for the opt-out. I am aware of the fact that anyone who has looked into the subject knows that it's easy to get that info, but there's a difference between "I need to actually put a small amount of effort into it" vs. "I just copy the URL". If someone wants to look it up and jumps through the hoops, that's fine by me, but it shouldn't be an everyday thing.

I personally vote on nearly every post and comment i read, and even tho i don't want to push any agenda or discriminate any user, someone who i perceive as a bad actor or who regularly comments stuff that screams "i need to touch grass" might construe (wrongly) that i target them. Tbh, most of the time i don't look at the username when voting.

(but it is pretty interesting that i have submitted around 71000 votes since the API reddit exodus lol)

Against. Your comment history is even easier to access and it's usually much more sensitive. If you really care about anonymity you need a stronger method.

Downvotes are not a slap in the face. They're the social equivalent of "hey, I disagree with your content or tone". Really it's not a big deal to me if they're public. I've downvoted by accident, or changed my mind before and upvoted later.

Now if you're talking about lemips, a list of user's ip addresses, that's a different story.

Against

This information is already public. Something like kbin or mbin which already shows votes could theoretically be used to show them for any federated instances anyway. It's pointless trying to obscure this information as it's not actually protected in a technical manor. If you didn't want this information public you chose the wrong platform.

Voting for the proposal, would be nice to opt out of extra tracking beyond what already gets tracked/logged during typical Lemmy usage.

But in the grand scheme of things this is more of a Lemmy network problem, if that site exists then surely other sites/tools exist (or will soon) to do the same thing. I've always kind of figured it doesn't take much to start up a Lemmy instance, federate with others, & just start logging the info being sent across the instances (in this case upvotes/downvotes).

You've kind of got me wondering how Piefed handles that but that's another topic really.

I dislike the comments I sometimes see which threaten people downvoting certain things and imply that the only possible reason anyone would downvote is because they are and that they will be stalked and shunned for doing so. I see these kinds of comments in situations where something probably got downvoted because the person was being an asshole or an idiot rather than because downvoters are on the opposite side of their ideology or hateful. So it's like they want to prevent criticism through chilling effects and bullying. I get that it's tough to see that people don't like what you have to say, and that sometimes this is not useful information, but that's what options to hide vote scores are good for, just cut yourself off from this information if you can't engage with it in a healthy way or acknowledge that you might not understand the unstated thoughts of the people clicking up or down.

Even if it is not ultimately concealable information, I think this kind of measure is good because it at least sends a message that toxic vote stalking is disapproved of.

Against.

An illusion of privacy is dangerous. If voting isn't anonymous (it isn't, and wouldn't be after an opt-out) then it's better for users to know that and act accordingly.

Against.

Pretty much eeveeryone have clarified the good reasons Against already, and I share most of them. The one that I want to emphasize more is that regarding this point:

But I also have an expectation (mainly from other forms of social media) [...]

Half the point of lemmy is that it's not like other forms of social media, at least the big ones. This is not Twitter where we know already everyone is nazis, or Reddit where people can just brigand and go bomb-review software projects or stuff like that with impunity. The other half is that it's federated and public. That, by nature, has to somehow include the votes.

We're on lemmy. Let's own it.

I'd like to opt out of lemvotes

Against.

User votes have never been private as it seems. Lemvotes only made this loophole mainstream. This has to be fixed by lemmy devs, an opt out would give a false sense of security and leave the other lemvotes type tools that are not known yet untouched.

Against.

As it turns out, upvotes are public regardless! As that's the case, I really just don't care either way.

I doubt there's any practical way to keep votes 100% private, there's always a workaround. Playing whack a mole on this stupid little thing is not worth it

voting for. i understand the info is available either way, but im in favor of raising the hurdle for this data to be collected.

Voting against, succinctly:

• "opt out" implies unearned trust, from the jump
• mechanically, no data is less or more available, with sufficient motivation
• preferring the illusion of privacy is a self-defeating pattern of behavior, it has run amok
• I'm generally against concentration of info access, on principle

I think there are good reasons to disagree, but I won't make that case as well as someone who does, so I'll leave it to others.

FOR

Yes the data is available to anyone, but at least it involves some technical prowess.

The amount of times i have seen people discuss some users votes and what they interpret into it is just weird. let them at least dig for the stuff a little bit.

from a privacy standpoint it would be great, if the data could even be hidden from admins. while still allowing to do some verification (like in these governance threads). but that is a problem for the lemmy devs.

I'm voting FOR. To be honest, after reading the comments, I do find the argument convincing that we shouldn't enable the illusion of security. But, on the other hand, I strongly believe that creating a tool to specifically investigate particular individuals, even if it was already technically possible, is ripe for abuse.

Literally any barrier to entry can give some angry individual a chance to cool down before they go on a brigade against the target of their rage. I'd slightly prefer if we don't enable them.

All that said, if it's not this tool it will probably be another, so my vote is mostly symbolic.

I don't think so, votes are public by nature, and it is useful to be able to find where and how users vote to make judgements based on vote manipulation. I say this as someone who has dealt with huge amounts of vote manipulation in my own communities.

Although the fact they are offering opt outs from instance admins instead of making it censorship/defederation hardened does make me lose faith in the integrity of lemvotes as a service since it no longer will show a majority of votes due to admins opting out.

Against. Generally I prefer the option of being anonymous, but we shouldn't promote a false sense of security with a tool that doesn't accomplish the job.

ITT people not understanding that their votes are basically public no matter what. This tool might as well be one of a thousand and we're just playing wack-a-mole. Kind of a waste of time to bother with it, instead lemmy should get better.

Against.

A harder question for me is whether or not to get rid of public downvotes altogether. I think most interactions would be less hostile without the downvote option at all.

Against. Votes being public makes me vote better. It stops me from angrily downvoting stuff I dont like when im in a bad mood.

As others have said, it seems that comments and votes on Lemmy are public by default, and the issue of anonymization should be directed towards redesigning how Lemmy and even ActivityPub shares information.

That being said, we on db0 have less control over those softwares because they underpin our instance here on Lemmy. For what we do have control over, I'd expect this instance to preserve the privacy of its users as much as possible.

I also agree with others that opting out of Lemvotes means one more deterrent for bad actors to abuse the system. We don't want to make it easier for people to spy on and stalk others, even if this opting out doesn't fix the root cause.

I vote Aye for now, only so far as we continue this conversation to address privacy overall in the Fediverse.

in FAVOR: even if it's a bit of a facade, it gives off the signal to future devs that privacy is still very much a desired thing, even here, and not an after thought.