YSK: Your Lemmy activities (e.g. downvotes) are far from private - eviltoast

Edit: obligatory explanation (thanks mods for squaring me away)…

What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

  • SpaceAape@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    3
    ·
    1 year ago

    Okay so say a bad actor gets this information, and wants to use it maliciously. If they goto the users instance and attack the user in posts and comments, then they likely get banned. All this data links back to arbitrary usernames. I dont understand where the actual “threat” is in this data being semi-public.

    • Muddybulldog@mylemmy.winOP
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      edit-2
      1 year ago

      It all depends upon how each individual uses the platform. You’d be surprised how many people inadvertently dox themselves over time.

      Not all accounts tie back to arbitrary user names. There are plenty of people who know each other IRL or whose public identities are generally known. There’s a lot more potential eyeballs that can possibly build heatmaps of activity that could out “burner accounts”, for example, or otherwise make connections that aren’t readily apparent via the user interface. An overly- simplified example is I can easily tie your lemmy.world and lemm.ee accounts together without having to jump through any interface hoops. That may be of no concern to you but that doesn’t mean it’s of no concern to anybody else.

      I, some shmuck in his basement, can build a user profile and fingerprint of you the same way so many people are concerned is happening at commercial platforms.

      • Kuma@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Isn’t this kind of how comments works too tho? You can tell who it is by how they write and you can see what they do care about and when they are active. I assume comments are worth more than just a up vote or down vote. So the votes could also just have been a log in the comment section “x likes this post”. It is good you said it tho so ppl know that votes aren’t anonymous.

      • SpaceAape@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Well yeah I want people to tie my lemmy.world and lemm.ee accounts to each other, which is why i used the same username, that was intentional. But this username can’t trace back to any of my personal information.

        I get what your saying, but I think this boils down to just using social media responsibly. The downvote/upvote system isnt a privacy exposure point. Even with the timed thing, nobody is upvoting the same thing on 2 accounts at the same exact time. And personally if i vote a post or comment on one account I’m not going to bother voting the same with another account.