No, ActivityPub votes aren't anonymous


Several years ago, I posted this poll on Twitter.

Most of the tech world that I interact with has moved to Mastodon and other ActivityPub-based social networks. Decentralised social media is great. It allows you to be fully in control of what you post, what you see, and how you interact with others.

Of course, there are downsides. No centralised authorities means verification is difficult. Abuse (of all sorts) can only be dealt with in a piecemeal fashion. And anonymity takes a bit of a nosedive.

When you block or mute someone, that information might leak to the offending user. By its nature, you need to send a message to someone else's server in order to interact with them.

So what about polls on the Fediverse? This poll, for example, is gathering sensitive personal information.

In order to vote on the poll, your server sends a message to the poll's server saying "I am user @someone@example.com. I wish to vote for option X. Here is an HTTP signature confirming my message."

Does the receiving server abide by GDPR? Who knows!

The specification around questions is a little ill-defined and the Mastodon documentation is also a bit vague. Neither of them discuss privacy.

There is an excellent blog post by Humberto Rocha looking at Mastodon Poll in ActivityPub. It shows quite clearly that a vote is just a normal message which is passed onto the receiving server.

Services like Mastodon won't let the poll's author see who voted for which option. But that's by convention. There's nothing technical to stop them. Indeed, I understand that the Akkoma social network does show users how users voted.

Of course, on a centralised service like Facebook or Twitter your vote is still recorded somewhere. It can be subpoenaed or looked at by unscrupulous engineers.

Privacy is, of course, a social construct. In some communities it might be sensible to have all votes on the public record. In others, it could be deadly. Some countries have laws mandating strong privacy protections, others less so.

Conduct yourself with that in mind!


Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

3 thoughts on “No, ActivityPub votes aren't anonymous”

  1. said on fietkau.social:

    @Edent Good writeup! To add: originating servers could orchestrate anonymous (on the poll author's side) voting by sending votes from a shadow account instead of the user's real account, moving the knowledge of who voted from the pollster's server to the answerer's. On the fediverse, identity is cheap anyway, so there's not much added potential for abuse. @rimu recently did just that in PieFed, in the context of link aggregator votes.

    Reply | Reply to original comment on fietkau.social
  2. said on social.cryptography.dog:

    @Edent I figured as much, but I wasn't aware that akkoma just exposed votes that way, so thanks for raising this as a possible concern!

    As a sidenote, I find the phrase

    > Privacy is, of course, a social construct

    ...a bit at odds with the definition(s) of privacy that I've seen in literature on the topic.

    It absolutely makes sense in regards to privacy norms, which are more about the choices people tend to make in different cultures, whereas (unqualified) "privacy" usually refers to aspects that can often be quantified.

    For instance, the wikipedia article describes it as

    > the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively

    Reply | Reply to original comment on social.cryptography.dog
  3. said on sfba.social:

    @Edent

    Huh. I was enjoying the fact that poll answers here did not go to some central data mining server to become part of an inferential profile to help algorithmically target ads… but I think I'm gonna treat all polls now is if they were completely open and therefore skip any that might be vaguely sensitive until this all gets worked out.

    Reply | Reply to original comment on sfba.social

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">