this post was submitted on 01 Sep 2025
611 points (97.5% liked)

Fediverse

36627 readers
201 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Natanael@infosec.pub 10 points 4 days ago (1 children)

Private posts is planned, but it's not trivial. Mastodon can't exactly brag about their nonintuitive technically just not broadcasted posts, where multiple implementations keep making private messages publicly discoverable due to bugs.

[–] j0j0@lemmy.world 1 points 2 days ago (1 children)

What kind of implementations do you mean? The last time I heard of such a thing (a few years ago), it was fixed within a few hours, and was on a dev instance

[–] Natanael@infosec.pub 1 points 2 days ago (1 children)

Currently Lemmy is leaking likes via the API even if they only should be available to the user's host and community host server

[–] General_Effort@lemmy.world 1 points 1 day ago (1 children)

Federation requires openness and that goes badly with secrecy. You can argue that one has to trust instance owners anyway, but knowing the users and not just the tallies makes uncovering manipulation easier.

[–] Natanael@infosec.pub 1 points 1 day ago (1 children)

It's doable with E2E encryption, but lots of social stuff in large groups requires coordination which is incredibly hard to with a server that has no knowledge of what the data is because it can't index anything, etc.

[–] General_Effort@lemmy.world 1 points 1 day ago (1 children)

It’s doable with E2E encryption,

How?

[–] Natanael@infosec.pub 1 points 1 day ago (1 children)
[–] General_Effort@lemmy.world 1 points 1 day ago (1 children)

Wait. What is the relation to vote federation?

[–] Natanael@infosec.pub 1 points 1 day ago (1 children)

They're implementing E2E encrypted social stuff. Voting privacy and encryption is linked.

Especially when you have users across multiple servers and both want voting privacy AND being able to deal with vote manipulation. You need stuff like pseudonymous commitments per account attested to by the hosting instance, etc. The only thing that's simpler but still private is having instances just digitally sign a total vote tally, which also means you can't detect vote manipulation on other servers at all.

[–] General_Effort@lemmy.world 1 points 1 day ago (1 children)

But accounts are already pseudonymous?

Here's where I am at:

I can check if my votes are federated correctly by checking if any of my votes are suppressed or votes in my name are made up. If my instance sends a different random token with each vote, I can still do that, as long as I know which tokens are assigned to my votes.

But vote tallies can also be manipulated by making up new votes through fake/bot accounts. If a vote can be connected to posts, this can be checked to some degree. Say, if an instance has a lot of voters that never post, that indicates a problem.

I don't see how the second thing with E2EE.

[–] Natanael@infosec.pub 1 points 19 hours ago (1 children)

The very very short TLDR is that anonymization is very hard, but there's auditable cryptographic voting schemes which preserves anonymity by using anonymous cryptographic commitments and one of a bunch of different techniques to count encrypted votes (homomorphic encryption, threshold encryption, etc).

You could set it up so you know which server each set of votes comes from but not which users on the server. You could also make it prove each vote comes from one real account and that no account voted twice. You could even make use of commitments plus ZKP to prove banned accounts can't vote!

It sounds complicated because it is complicated. And somewhat inefficient. But it's possible. And it would be fully encrypted and anonymous voting.

[–] General_Effort@lemmy.world 1 points 19 hours ago (1 children)

You could also make it prove each vote comes from one real account and that no account voted twice.

How would it prove that the account is real? I suspect that the meaning of "real account" is not the opposite of bot or sockpuppet.

[–] Natanael@infosec.pub 1 points 16 hours ago

A discoverable non-banned account. Not from "ghost accounts". If a server creates a massive amount of accounts to use them to vote, you can see that a small server has a disproportionate amount of registered accounts too, which probably will be otherwise inactive. Then you can reject votes from that server.