MuddybulldogYSK: Your Lemmy activities (e.g. downvotes) are far from private
AceticonWell, yeah, it’s put on the database.
It’s the only way to avoid double voting from the same account or to remove the reverse vote if one changes one’s mind and votes the other way.
Did you think that it was any different on Reddit and that no random employee with access to their database could run a similar SQL query with a couple of joins and end up with nicknames, e-mails and IP addresses?!
Do you know who are the Reddit employees with access to their database or a copy of it? Have you had a chance to vet them? I don’t think so.
At least here it’s a bit more transparent.
The only shocking thing in this is that anybody is shocked by it.
It is only shocking if the expectation was set that your votes are private. If you wanted to avoid linking an identifiable account with their votes then you could use a de-identified user account to track a user’s votes.
You could to perform deterministic hashing prior to persisting a vote to ensure that those looking at the database can’t go backwards to find the specific users who voted on a post. But any service that knows the salt and hashing algorithm can start with a user account and determine that user’s voting history.
This allows you to track up/down votes per user without allowing over-priviledged DBAs or malicious actors from poking around voting histories of identifiable users.
Something like Monero’s Ring Signatures might provide some inspiration for truly private upvote history without duplication.
Right. Applying any form of application-level encryption to the account IDs stored in the voting tables would prevent anyone without the secret from being able to find out who voted for what by peeking at the voting tables.
The more I think about this problem, the more solvable it seems to be.