PSA: Lemmy votes can be manipulated

This was a problem on reddit too. Anyone could create accounts - heck, I had 8 accounts:

one main, one alt, one "professional" (linked publicly on my website), and five for my bots (whose accounts were optimistically created, but were never properly run). I had all 8 accounts signed in on my third-party app and I could easily manipulate votes on the posts I posted.

I feel like this is what happened when you'd see posts with hundreds / thousands of upvotes but had only 20-ish comments.

There needs to be a better way to solve this, but I'm unsure if we truly can solve this. Botnets are a problem across all social media (my undergrad thesis many years ago was detecting botnets on Reddit using Graph Neural Networks).

Fwiw, I have only one Lemmy account.

The lack of karma helps some. There's no point in trying to rack up the most points for your account(s), which is a good thing. Why waste time on the lamest internet game when you can engage in conversation with folks on lemmy instead.

In case anyone's wondering this is what we instance admins can see in the database. In this case it's an obvious example, but this can be used to detect patterns of vote manipulation.

You can buy 700 votes anonymously on reddit for really cheap

I don't see that it's a big deal, really. It's the same as it ever was.

Web of trust is the solution. Show me vote totals that only count people I trust, 90% of people they trust, 81% of people they trust, etc. (0.9 multiplier should be configurable if possible!)

The nice things about the Federated universe is that, yes, you can bulk create user accounts on your own instance - and that server can then be defederated by other servers when it becomes obvious that it's going to create problems.

It's not a perfect fix and as this post demonstrated, is only really effective after a problem has been identified. At least in terms of vote manipulation from across servers, it could act if it, say, detects that 99% of new upvotes are coming from a server created yesterday with 1 post, it could at least flag it for a human to review.

Reddit admins manipulated vote counts all the time.

expired

This is really important to call out. Also though the bots have gotten so good it would be hard to tell the difference. To be honest though I'm pretty sure reddit was teeming withing them and it didn't really bother me. lol

Honestly, thank you for demonstrating a clear limitation of how things currently work. Lemmy (and Kbin) probably should look into internal rate limiting on posts to avoid this.

I'm a bit naive on the subject, but perhaps there's a way to detect "over x amount of votes from over x amount of users from this instance"? and basically invalidate them?

Votes were just a number on reddit too... There was no magic behind them, and as Spez showed us multiple times: even reddit modified counts to make some posts tell something different.

And remember: reddit used to have a horde of bots just to become popular.

Everything on the internet is or can be fake!

Federated actions are never truly private, including votes. While it's inevitable that some people will abuse the vote viewing function to harass people who downvoted them, public votes are useful to identify bot swarms manipulating discussions.

[This comment has been deleted by an automated system]

PSA: internet votes are based on a biased sample of users of that site and bots

I think people often forget federation is not a new thing, it's a first design for internet communication services. Email, which is predating the Internet, is also federated network and most popular widely adopted of them all modes of Internet communication. It also had spam issues and there where many solutions for that case.

The one I liked the most was hashcash, since it requires not trust. It's the first proof-of-work system and it was an inspiration to blockchains.

maybe we can show a breakdown of which servers the votes are coming from so anything sus can be found out right away. Like, it would be easy enough to identify a bot farm I'd think

This is something that will be hard to solve. You can't really effectively discern between a large instance with a lot of users, and instance with lot of fake users that's making them look like real users. Any kind of protection I can think of, for example based on the activity of the users, can be simply faked by the bot server.

The only solution I see is to just publish the vote% or vote counts per instance, since that's what the local server knows, and let us personally ban instances we don't recognize or care about, so their votes won't count in our feed.

So far, the majority of content that approaches spam I've come across on Lemmy has been posts on !fediverse@lemmy.ml which highlight an issue attributed to the fediverse, but which ultimately have a corollary issue on centralised platforms.

Obviously there are challenges to address running any user-content hosting website, and since Lemmy is a comminity-driven project, it behooves the community to be aware of these challenges and actively resolve them.

But a lot of posts, intentionally or not, verge on the implication that the fediverse uniquely has the problem, which just feeds into the astroturfing of large, centralized media.

Upvotes aren't just a number, they determine placing on the algorithm along with comments. It's easy to censor an unwanted view by mass downvoting it.

IMO, likes need to be handled with supreme prejudice by the Lemmy software. A lot of thought needs to go into this. There are so many cases where the software could reject a likely fake like that would have near zero chance of rejecting valid likes. Putting this policing on instance admins is a recipe for failure.

shocked shocked

Fake/bot accounts have always existed. How many times has a "YouTuber" ran a "giveaway" in their comments section?

You mean to tell me that copying the exact same system that Reddit was using and couldn’t keep bots out of is still vuln to bots? Wild

Until we find a smarter way or at least a different way to rank/filter content, we’re going to be stuck in this same boat.

Who’s to say I don’t create a community of real people who are devoted to manipulating votes? What’s the difference?

The issue at hand is the post ranking system/karma itself. But we’re prolly gonna be focusing on infosec going forward given what just happened

Did anyone ever claim that the Fediverse is somehow a solution for the bot/fake vote or even brigading problem?

I don't have experience with systems like this, but just as sort of a fusion of a lot of ideas I've read in this thread, could some sort of per-instance trust system work?

The more any instance interacts positively (posting, commenting, etc.) with main instance 'A,' that particular instance's reputation score gets bumped up on main instance A. Then, use that score with the ratio of votes from that instance to the total amount of votes in some function in order to determine the value of each vote cast.

This probably isn't coherent, but I just woke up, and I also have no idea what I'm talking about.

People may not like it but a reputation system could solve this. Yes, it's not the ultimate weapon and can surely be abused itself.

But it could help to prevent something like this.

How could it work? Well, each server could retain a reputation score for each user it knows. Every up- or downvote is then modified by this value.

This will not solve the issue entirely, but will make it less easy to abuse.

I wonder if it's possible ...and not overly undesirable... to have your instance essentially put an import tax on other instances' votes. On the one hand, it's a dangerous direction for a free and equal internet; but on the other, it's a way of allowing access to dubious communities/instances, without giving them the power to overwhelm your users' feeds. Essentially, the user gets the content of the fediverse, primarily curated by the community of their own instance.

I would imagine this is the same with bans I imagine there will be a future reputation watchdog set of servers which might be used over this whole everyone follows the same modlog. The concept of trust everyone out of the gate seems a little naive

I‘m not a fan of up- and downvotes, also but not only for the aforementioned reasons. Classic forums ran fine without any of it.

I wonder if there's a machine learning technique that can be used to detect bot-laden instances.

Here’s an idea: adjust the weights of votes by how predictable they are.

If account A always upvotes account B, those upvotes don’t count as much—not just because A is potentially a bot, but because A’s upvotes don’t tell us anything new.

If account C upvotes a post by account B, but there was no a priori reason to expect it to based on C’s past history, that upvote is more significant.

This could take into account not just the direct interactions between two accounts, but how other accounts interact with each of them, whether they’re part of larger groups that tend to vote similarly, etc.

Thank you for this. I'd upvote you, but you've already taken care of that.

Assuming a users upvote history or karma ever meant anything, this demonstrates perfectly it's useless on Lemmy.

Two solutions that I see:

1. Mods and/or admins need to be notified when a post has a lot of upvotes from accounts on the same instance.
2. Generalize whitelists and requests to federate from new instances.

Permanently Deleted

Reddit had/has the same problem. It's just that federation makes it way more obvious on the threadiverse.

Votes are just a number that determine what everybody sees. This will be manipulated by all the bad actors of this world once Lemmy becomes mainstream. Politicians, dictators, Hollywood, tech companies....

I wonder if an instance could only allow votes by users who are part of instances that require email verification or some other verification method. I would imagine that would heavily help reduce vote manipulation on that particular instance.

What is the definition of a "fake account"?

Instances can just defederate with those servers

If we stop spam accounts from brand new or low usage servers those could both be easily mailed (emulated activity, pre-create instances and let them marinate)

I don't know much about how making new instances works, but could someone create instances in large qualities with smaller populations with the goal of giving human moderators too much work to defederate them all?

Wouldn't a detection system be way better? I can see a machine learning model handling this rather well. Correlate the main accounts to their upvoters across all their posts and create a flag if it returns positive. It would be more of a mod tool, really.

I have already ran into a very obvious Russian troll factory account and it really drags down the quality of the place. Freedom of speech shouldn't extend to war criminals and I'd rather leave any clusterfuck that allows it, whether they do it through will or incompetence.

@koper@feddit.nl @fediverse@lemmy.ml oh yeah nothing from servers in terms of numbers can really be trusted

love you lamp

This blog post is fantastic! It's packed with valuable insights and actionable advice. Thanks for sharing such an informative and well-written article. buy Linkedin Connections

Get rid of votes. They suck.

They could try requiring a phone number to sign up. Obviously, you could use temp phone numbers but there’s ways to circumvent that.