Update: Thanks mateys for participating! Our instance was really split down the middle on this vote - 49% in favour, 51% against.
After reading all the comments, it honestly seems unlikely to me that private voting will ever be a viable option for Lemmy in any meaningful way, because voting data gets federated out all across the fediverse, so I think on balance the best way forward is just to accept that reality and work under the assumption all votes are public. At least then nobody is lulled into a false sense of security.
Having said that there’s an argument to be made for both sides and I don’t think there’s a “right” answer necessarily. Its more down to personal preference about whether you want/expect private (to the users) voting, or you want to embrace public voting. But until Lemmy can guarantee the privacy of user votes then simply pretending they are private seems like the worst of both worlds.
We might revisit the topic of public/private voting again down the road if Lemmy’s developers provide privacy enhancements in that area though.
Cheers, Unruffled.
Hi again mateys!
As most of you are probably aware, since the development of Lemvotes Lemmy votes are no longer private for users.
The way lemvotes works right now afaik, is it uses an admin level account to collect voting data from all federated instances, thus enabling the identification of every voter. This method effectively bypasses the guardrails the developers put in place to keep this info more restricted.
However, the developer of lemvotes has recently developed an “opt out” for instances that don’t want their user data collected in this way. So now we have a choice of whether or not to continue. For total transparency, I asked the developer to create an opt out because I wanted to give our users the option to choose that path without defederating from the lemvotes instance.
I think there are (at least) two schools of thought on this topic, which I will attempt to succinctly summarize below:
-
Votes should be kept private to users as they were only ever meant to be viewable by instance admins. Making votes public to everyone via lemvotes, when users have a reasonable expectation of privacy when it comes to voting, is a betrayal of user trust. It also leads to arguments and a lot of unnecessary drama, caused by users trawling though each others’ vote histories.
-
It’s good that voting is transparent and that users have the same tools available as admins to conduct their own investigations into other users. This creates a level playing field and helps hold everyone accountable for their voting patterns.
So now you have some of the context, I’d like to ask our community what are your thoughts on lemvotes… is it a social good or a bad idea?
Personally, I quite like it from an admin perspective - it’s a handy tool, and a pretty cool project. But I also have an expectation (mainly from other forms of social media) that users’ votes should be kept private from other users, so I still think it’s problematic from that perspective.
Proposal: To opt out of lemvotes, so that our users’ voting data is kept (at least somewhat) private.
- To vote FOR the proposal to succeed, upvote the post.
- To vote AGAINST the proposal, downvote the post.
This will be a simple majority vote. Similar to the last governance topic, I have no clue what the instance sentiment is towards lemvotes, so let’s find out! Feel free to add your comments below.
Acknowledged governance topic opened by https://lemmy.dbzer0.com/u/flatworm7591
This is a simple majority vote. The final tally is as follows:
- For:
(3), (3), 
(1), (2), 
(2) - Against: (4),
(2), 
(3), (2), (1) - Local Community: +0.6
- Outsider sentiment: Very Positive
- Total: -0.4
- Percentage: 49.00%
This vote has concluded on 2025-08-09 01:29:16 UTC
Reminder that this is a pilot process and results of voting are not set in stone.
deleted by creator
deleted by creator
Waat the hek du thees emoji signifie? (si, soy Nederlandishe)
It’s the instance’s voting system that classifies users according to their description upon registration and/or their donation to the instance, see this thread: https://lemmy.dbzer0.com/post/35557475 (it’s linked in the sidebar)
Leaves me more confused, as the icon I got marked with doesn’t seem to be mentioned.
- For:
I don’t see much point in opting out. The data will still be available to anyone who spins up an instance, and this could lead to a big game of whack-a-mole.
Better would be to push the Lemmy devs to find a universal solution.
Hi, Lemvotes dev here. As you can imagine, I believe votes on the Fediverse should be public, because that’s just how ActivityPub works. Votes are sent out to every subscribed instance, which can then do whatever it wants with them.
We need to stop pretending votes on Lemmy are private, they’re not. By letting anyone view votes (well, they can do that without Lemvotes by setting up their own instance, Lemvotes just lowers the entry barrier), users can see, for example, who’s serially downvoting their posts or a community’s posts.
Also, I don’t think votes being public ruins Lemmy. They’re public on bluesky and (virtually) no one is complaining. Additionally, platforms like kbin and mbin, which are part of the Fediverse, already make votes public. So even without Lemvotes, people can view the votes on posts. Lemvotes just makes it a bit more convenient.
The only way to fully prevent anyone other than dbzer0 admins from viewing votes is to disable federation.
The way lemvotes works right now afaik, is it uses an admin level account to collect voting data from all federated instances, thus enabling the identification of every voter. This method effectively bypasses the guardrails the developers put in place to keep this info more restricted.
Just a technical nitpick, this is inaccurate. Lemvotes queries the Lemmy database directly, so instance admins can plug it into the db and Lemvotes is running. I was considering making Lemvotes its own Fediverse actor, so that (1) setting up an instance of Lemvotes would be easier, and (2) opting out would be simpler by simply defederating lemvotes.org (or wherever the instance is running), but after working on it for a bit (the results of my work are on this git branch), I realized I don’t know enough about ActivityPub, and that I don’t care enough about Lemvotes or Lemmy to spend my time on this, as I have other projects to work on. In case anyone wants to develop that themselves, they’re free to do so! Lemvotes is open source.
Thanks for this insight, it swayed me to vote against the proposal. If votes are already semi-public through federation I’d rather it be transparently public than giving the illusion of privacy.
Thanks for adding your voice here Lena, and for clarifying the technical details.
Also, I don’t think votes being public ruins Lemmy. They’re public on bluesky and (virtually) no one is complaining. Additionally, platforms like kbin and mbin, which are part of the Fediverse, already make votes public. So even without Lemvotes, people can view the votes on posts. Lemvotes just makes it a bit more convenient.
Having read through all the comments (thanks everyone), I’m voting against the proposal. But of course we will respect the voting outcome, whichever way it lands.
I think this is a great write up and shows why it doesn’t make sense to opt out, votes on the fediverse like anything else shared over activitypub are public, an opt out doesn’t change that.
Personally I think that a service like Lemvotes should fight against this as much as possible, some people have and admins have made slanderous and outright evil accusations towards them as a result but it ultimately doesn’t matter. This place is open and public, all activitypub data is shared publicly. If someone running a server doesn’t like that, they should move to whitelist mode or turn federation off entirely.
Providing server admins with easy opt-out while still remaining public hurts the viability of a server like that and encourages decisions based on a false sense of privacy.
what is this supposed to be
/0 bot replies to all participants in a dbzer0 vote, this one is a landlubber (non-dbzer0 user) each user has flairs that weigh the strength of their vote/their opinion.
A drunken sailor? I think anyways
Why did it decide to reply to me lol
It replies to all top-level comments
deleted by creator
I’m not exactly sure what you want here.
-
If you’d like votes to not be federated at all, that would mean instances would only have the local count of votes (i.e. only votes cast by users from that instance), which brings little benefit, and would make small instances unusable.
-
If you’d like only vote counts to be federated, but not who cast the votes, that would allow people to make accounts spamming votes, with admins from other instances being unable to figure out where the spurious votes are coming from. As in the previous example, it would bring little benefit (votes would be private, sure), but it would cripple moderation tools and make post and comment ranking untrustworthy because of potential (virtually) undetectable bots.
deleted by creator
-
Personally I vote against because security through obscurity, isn’t. People who want to get this data for malicious purposes can easily get it. It will only affect people trying to do it causally (i.e. To check if someone is a chud).
I personally find the whole voting system in lemmy flawed but that’s another story.
Yeah I’ve had a change of heart about lemvotes. After reading through all the comments, and realising people only need a kbin or mbin account to see all the votes anyway because of how activitypub works, there is basically no point imo. As many commenters mentioned, opting out of lemvotes will only give the illusion of privacy, and doesn’t address the underlying problem. And given our genAI mods rely on that tool to assess troll accounts, I’m kinda hoping it won’t pass now.
But really if we were to go along with the public voting paradigm that is part of activitypub, then I think Lemmy should really embrace it. Like create a toggle that allows instances to enable public voting, so any user can see who voted on what in the default UI. Might also help reduce vote manipulation once everyone knows its fully public.
Unfortunately displaying the fact that they’re transparent was closed as an issue: https://github.com/LemmyNet/lemmy/issues/4967
If you look through the thread it’s the same as here. Divided between “public is public” and “public should only be public to a technocratic elite” and “I am an ostrich”
🙃
*bin only displays who upvotes, not who downvotes. That said this data is public in the ActivityPub stream rn as you say.
Why flawed? Please elaborate, genuinely curious.
Because up and down don’t provide anywhere enough for signal. I would prefer them be specific positive/negative emojis which would help with filtering and sorting, lead use properly and avoid misunderstandings
Like slashdot?
Ye
This would be so much better
deleted by creator
Votes are public though, pretending that they’re not is just deceiving users.
Anyone who admins a federated instance, and any of their friends, knows vote counts.
But I also have an expectation (mainly from other forms of social media) that users’ votes should be kept private from other users
This is literally just reddit and hackernews, some of the worst and most astro-turfed socmed. Twitter post nazification too I guess.
Against.
- Does not stop voting being public
- Does nothing for privacy, it doesn’t stop how federation sends the info required to vote
- Useful for moderators in communities where they have haters despite being self contained.
- Useful for users to know when they have a dedicated hater/fan.
I don’t want lemvotes. It sounds like some real reddit shit and it’s a terribly dumb word. Not to mention I want less tracking and more anonymity on the internet in general.
This is not going to give anonymity, it at worst gives an increased false sense of anonymity.
Not only could others spin up more copies of lemvotes, last time I checked every mbin instance shows that info freely.For what I’m concerned this proposal would merely make looking up votes slightly less convenient.
Edit: Yep, mbin still shows votes, no login required: Example
Less convenient means more private if more people give up. I don’t expect 100% privacy in my life, but I won’t make it easy for anyone.
Its not making it harder.
Ita barely even less convenient. You can just got to mbin/kbin (without even being logged in) and see the same info. The only reduction in convenience would be one site not showing it.
Votes on Lemmy are not private and you shouldn’t think that they are even remotely, and I think thats something lemvotes does quite well - shine a spotlight on the problem, which should be addressed inside of Lemmy.
Against.
As Lena has indicated, this does not require spinning up a full instance and admin account, but just to spin up a copy of LemVotes, which is open source. Easier than that, I’ve also read that votes are available without admin rights through queries to the Lemmy API. Even easier,the votes are also already public through the *bins and friendica.EDIT: Lena has clarified that Lemvotes does depend on having a Lemmy instance, and that votes are only available through API to admins.
I understand the use of having a small hurdle to dissuade people, I regularly build them into my scripts at work so people can’t accidentally break shit with them. But my point is, removing our instance from LemVotes does not raise that hurdle to any significant degree.
This is a core limitation of ActivityPub. Votes must be sent with username attached for federation to work properly. The data is already out there. Any ActivityPub system that doesn’t make them public is just doing so on the front end. It’s set dressing, not actual voting privacy.
I don’t like that it works this way, but I’ve chosen to accept it as the cost to be part of the Fediverse, to be uncensorable.
If you want privacy, the path is the same it always has been: rotate accounts regularly.
As far as I’m aware, the only true workaround is in piefed (I think it’s piefed at least) where a hidden account with a randomized name is created with your real account, and the hidden one’s name is attached to your votes instead of the real account. So it would require your own instance admin to see the link in vote and identity. Or basic levels of observation skills to connect the person posting negative replies is the random username also downvoting.
I also don’t like the idea of even being able to opt out. It creates an entirely false sense of security and privacy, and could be seen as a signal that our instance doesn’t intend to participate in the wider fediverse transparently and in good faith.
Well stated.
rotate accounts regularly.
Thanks for the reminder.
As Lena has indicated, this does not require spinning up a full instance and admin account, but just to spin up a copy of LemVotes, which is open source.
Lemvotes currently depends on a Lemmy instance, though I could make it independent with Fedify if I had the time and energy.
Easier than that, I’ve also read that votes are available without admin rights through queries to the Lemmy API.
https://lemmy.readme.io/reference/get_post-like-list
the API is admin-only, though votes are federated through activitypub, that’s why instance admins can see them. That’s just how activitypub works.
I also don’t like the idea of even being able to opt out. It creates an entirely false sense of security and privacy, and could be seen as a signal that our instance doesn’t intend to participate in the wider fediverse transparently and in good faith.
yeeeeah, this was the db0 admins’ idea, otherwise my instance might have gotten defederated, which I prefer doesn’t happen. The solution would be, as I said, to make Lemvotes its own fediverse actor, but I don’t have the expertise or energy to do so.
otherwise my instance might have gotten defederated
Umm, wait what?
Lemvotes gets data from my instance, so if I hadn’t made the opt-out option, this community vote would still be run, with the difference that there would be the option of defederating me instead of opting out.
Ah, I see. It sounded quite threatening, tbh (and it technically still is a threat, but now at least I get why it would be necessary to prevent the votes from being counted by Lemvotes…). I hope it won’t be necessary, the poll is close to tipping over to not opting out…
deleted by creator
This data isn’t private in the first place. What point is there in opting out of a pinhole when niagara is right there?
I think that opting out only makes it harder to find out who voted what, I can still find out who voted what by opening a post in friendica (though it misses a good bit of info).
Giving users the illusion that their votes are private is dangerous.
Against.
Facade of privacy is worse. Opting out won’t do anything, and it might give people false sense of privacy. Let everyone know their votes are public. In my head, voting on lemmy is equivalent of saying “aye” in real life, that is, you are assenting to something publicly.
I in fact consider this to be a feature, it’s helpful in detecting votes manipulation.
Against.
To block it would just further a false sense of privacy. The votes are already public, this just makes that data very slightly more accessible. To pretend otherwise is simply burying our heads in the sand.
The fact anyone on db0 would advocate for ‘transparency’ in the name of surveillance makes me believe either I chose the wrong instance or you did.
Sure, that data is available to admins, but this approach will naturally lead to a chilling effect that directly opposes this instance’s supposed principles. I understand the why here, but cannot fathom, with how often data is misconstrued by the malicious in the modern age, anyone would operate or advocate for such a service.
This is exactly why I think we should push for Lemmy as a whole resolving the issue, instead of dealing with vote trackers as they crop up.
That data is available to admins of any instance. Anything federated. That’s an impossibly large number of instances to keep track off over information leaks, especially since votes are saved permanently so any leak of any instance would retroactively expose all votes again.
This is not even starting to touch on other activitypub software interpreting votes as inherently public and showing them as such. On mbin, anyone can see votes.In practice this data simply is irrevocably public until lemmy itself hides it on the protocol layer. Right now, it can’t even be properly obfuscated.
What’s the chilling effect? What kind of power does anonymity of voting (even if that were available on lemmy) confer, considering that comments can’t be anonymous?
deleted by creator
I understand what a chilling effect is. But you can’t post here without your user name being attached to it. So posting is not relevant to this issue about votes, is it?
deleted by creator
As someone pointed out this is already public information for anyone using kbin and mbin. Blocking tools like this doesn’t really change that, or even make it harder to see. People are saying without it you would need to make your own instance to see who voted, but given kbin and mbin exists this is probably false and misleading.
Votes being public is an inherent part of the protocol and the software. There isn’t much that can be done without redesigning both of those things. Even then it would probably be a case of votes per instance, not fully anonymous voting. Doing that could potentially create moderation problems as well.
I feel like this would be better served as a discussion around ActivityPub then and not just Lemmy - and not just ancillary softwares based on Lemmy like Lemvotes
Maybe the whole question is just, should an instance show votes. As in, if an instance truly wanted their votes to be anonymous on activitypub, it couldn’t happen. So those who are not wanting to have their up/down votes seen, should be opting out of up/down voting. While those who don’t care / want their votes to be seen, should be up/down voting.
in the name of surveillance
Who surveils who here, though? I can be surveiled but also surveil the surveiler myself, as long as the person is on an instance that hasn’t opted out. And isn’t viewing people’s old comments a pretty similar sort of “surveillance”? The difference comes mainly from how we’re used to the reddit model where comments are public and votes are private…
Lemvotes has been available for many months, yet there’s been no “chilling effect” on anyone’s behaviour, as far as I see.
This instance is based greatly on sailing the high seas. Privacy should go hand in hand with that. I don’t want my votes to be “investigated” as they reflect my personal opinions and that is sacrosanct.
Understandable but not what this proposal would achieve. The data is available, this is just one of the interfaces showing it.
This one can be easily opted out of, other existing ones cannot.
deleted by creator
This sort of software issue needs to be more well known to be fixed in my experience. To either increase the priority for the existing devs to find a solution until they do, or increase the circle of people aware until someone learns of it that fixes it.
This “first step” would make the issue less well known, since some people would see it as already fixed, or on the way to it. But at the same time, it would do absolutely nothing towards fixing the issue; It wouldn’t even give any dev practice towards it.
If you find compromise solutions, you risk people taking that and not bothering to request an actual solution. Take the switch from IPv4 to IPv6, then making lemvotes useless would be like introducing NAT, a shitty “solution” only partially fixing the problem, yet the reason we have not been forced to switch 25 years ago. And so, since there is no pressure, the world still runs on IPv4.
I think this is one of the cases where you want to only let the issue be fixed the right way, or it’ll never be fixed.
deleted by creator
On ActivityPub, all votes are public by design. They are only hidden so users can focus on discussion rather than “who did what”. Anyone with an AP instance or tools like this can view your sacrosanct opinions whether you opt out or not.
So it seems like this discussion should be aimed moreso at ActivityPub, not Lemvotes
I absolutely agree. What does lemmy achieve over reddit if it is not more private?
Not corporatly owned and federated. Federation has positives and negatives. This has been a known “negative” from the start. It’s why some instances don’t show the down vote arrow, or don’t show either. It’s all about instance choice. But if you opt to vote, it is known by all, because when you click that button, your user just sent a message to everyone on activitypub that you pressed that button.
To echo another user, “should we not be voting about federation with Activity Pub?”
Except that’s not how any of this works. Votes are public via the ActivityPub protocol, which is why this tool is possible in the first place. Kbin ane Mbin make votes public, so all you need to do to see this is use one of those instances federated with dbzero. This kind of comment is just being ignorant of the technology and mechanics in place. If you wanted that kind of privacy you shouldn’t be on this platform. You should probably not be on a public forum with actual usernames. Maybe try 4chan?
Against. Your comment history is even easier to access and it’s usually much more sensitive. If you really care about anonymity you need a stronger method.
Downvotes are not a slap in the face. They’re the social equivalent of “hey, I disagree with your content or tone”. Really it’s not a big deal to me if they’re public. I’ve downvoted by accident, or changed my mind before and upvoted later.
Now if you’re talking about lemips, a list of user’s ip addresses, that’s a different story.
