Because someone, eventually, is going to make this post anyway, we might as well get it over with. I know someone posted something a week ago, but I feel something a little more neutral would be useful.
There’s a lot of talk on lemmy.world right now about lemmy.ml at an instance level (edit: see here: https://sh.itjust.works/post/20400058). A lot of it is very similar to the discussions we’ve had here before- accusations of ideologically-based censorship, promotion of authoritarian left propaganda, ‘tankie-ism’, etc. The subject of the admin’s, and Lemmy dev’s, political beliefs is back up as a discussion point. The word defederation is getting thrown around, and some of our beloved sh.it.heads are part of the conversation.
What do people think about lemmy.ml? Is there evidence that the instance is managed in such a way that it creates problems for Lemmy users, and/or users of sh.itjust.works specifically? Are they problems that extend to the entire instance or primary user base, or are the examples referenced generally limited to specific communities/moderators/users? Are people here, in short, interested in putting federation to lemmy.ml to a vote?
To our admin team and moderators: What are your experiences with lemmy.ml? Have you run into any specific problems with their userbase, or challenges related to our being federated with them?
Full disclosure: I have very little personal stake in this. I don’t really engage with posts about international events, I don’t share my political beliefs (such as they are) online beyond “Don’t be a shitbag, help your fellow human out when you can”, and have not run into any of the concerns brought up personally. But I’m also not the kind of user who would butt against this stuff often in the first place.
What I will say is that I have not personally witnessed activites like brigading or promotion of really nasty shit from lemmy.ml. I cannot say this about other instances we defederated from before. But again, this may just be a product of how I use Lemmy, and does not account for the experiences of others.
This is just an opportunity for those who do have strong opinions on this topic to say their piece and, more importantly, share their evidence.
If nothing else, given similar conversations a year ago, this will be an interesting account of what sh.itjust.works looks like today (happy belated cake day everybody!)
First of all, the complaints are not without substance. Some of their admin decisions are highly questionable and obviously politically motivated. However I think the idea of defederation is a huge overreaction.
They have always been left-aligned, despite officially being privacy/FOSS focused. This is largely due to the history of Lemmy, which was created by leftist developers and existed in relative obscurity for a couple of years prior to the reddit API exodus a year ago. They have received a good number of relatively apolitical users since the API exodus due to their branding, but many of those users eventually chose to leave to other servers.
These screenshots from 7/16/23 and 9/5/23 show that lemmy.ml experienced a massive bump in users that quickly ebbed away in the following months. This happened with all Lemmy servers, but beehaw and lemmy.ml had the biggest drop offs.
Right now they are sitting right around 2.5k MAUs, same as us.
I don’t believe it creates problems for Lemmy users, but I can see the argument for why it does. I think there’s a misconception that lemmy.ml is still the flagship instance or new users are being drawn to them, but I just don’t think that’s the case. People dont really recommend lemmy.ml to new users, because it’s already common knowledge about their political leanings. And they’ve never prioritized promotion of that instance on join-lemmy.org or anywhere else that I’m aware of. This is borne out by the data I just shared, which shows their share of the Lemmy userbase has steadily declined over time.
For sh.itjust.works specifically, I don’t agree that it’s creating problems for our users. Our server has literally grown in the garden planted by lemmy.ml users. We are less dependent on lemmy.ml today than ever before, and now is when people decide they want to defederate? That seems really lame and somehow duplicitous.
I think to the extent that there are problems with the lemmy.ml userbase, they have come more recently after hexbear got defederated from most of the fediverse. I think some long time users on hexbear and lemmygrad who got a taste of the wider fediverse decided to move over to lemmy.ml so they could keep pushing their ideology. That’s not ideal but I don’t think defederation of the whole server is a proper response to a handful of hexbear trolls up to their old tricks.
For me personally as an admin, I can confidently say that I don’t feel like lemmy.ml users have been disproportionately involved in bad behavior or trolling. I’ve removed my fair share of hostile comments in political arguments, but no more offensive or combative than stuff I see from our own users, lemmy.world, lemm.ee, or any big server. I haven’t seen them brigading communities or threads, aside from the ones located on their own server, which is obviously fine.
In terms of their admins, I have to acknowledge that they sometimes make mistakes with moderation. But moderation on Lemmy is also a really difficult task. One important factor is that they host a disproportionate number of communities and especially political communities. Here on SJW, our most active communities tend to be fairly non-controversial. I cannot imagine the moderation burden for active political communities such as those hosted on lemmy.world and lemmy.ml, and I’m thankful they’re doing it instead of us.
TLDR Lemmy.ml is basically alright with me, aside from some minor annoyances. I think it’s kinda embarrassing to talk about defederating them when none of us would be here without them. But that’s just my personal opinion, I will of course abide by the wishes of my fellow sh.it.heads.
My concern is that the devs have shown a willingness to keep their finger on the scale and use .ml as a tool for this ideological end in any way possible. If, eg, there is a way for a malicious instance to modify federated content from other instances and republish it, I would confidently say that the .ml devs certainly have the ability, and have shown a willingness to engage in that kind of agitprop. At the very least I think we have to take this threat seriously.
Furthermore, If .ml were to be treated as a state espionage actor, federating with them is exposing your users to very significant risks, as it would be trivial for them to collect identifying information via federation, and to promote malicious or compromised websites by modifying their feeds, or even the feeds of individual users. They could very easily collect identifying information from a target, and then modify a web application to serve malware to that specific user, which they push to the top of that users feed in various ways.
This is an aspect of the fediverse which generally makes me uncomfortable. Even if the core code is safe and audited, there is nothing stopping a malicious admin from running modified versions of the front end or forum code. Again, it would even be possible to only serve such malicious content to individual targets, and federating content with them provides an incredibly convenient threat surface for performing this kind of targeted analysis.
The biggest thing stopping this kind of behavior would be “who the fuck would bother?” And the scale needed to provide cover for the operation. Who? Well, an admin who openly admits they are waging information warfare in the fediverse, that’s who. Or perhaps a dev who appropriates the name of an infamous murdering zealot as a symbol for his “cause.” How? Maybe via one of the largest and most visible instances on the fediverse?
Of course, I have no evidence that this actually happens. It would be incredibly difficult to detect such targeted threats. But the whole combination of the way the admin and devs handle themselves, and the adversarial way they interact with the rest of the fediverse, just triggers all sorts of red flags in the secOps part of my lizard brain, and it bothers me that people don’t seem to be taking these threats seriously.
You raise some interesting points, and I don’t think they should be dismissed out of hand. I have some questions though (some of them are re: your other comments here):
Could you speak to this in a little more detail? Does what you are seeing inherently require functionality beyond what Lemmy’s public release offers natively, or is beyond the scope of something like an automod tool? Asked honestly, I am not an IT professional.
This is obviously a very serious accusation, but let’s put that aside for a moment.
My (limited) understanding is that as a function of using the ActivityPub protocol, it is already trivial to collect identifying information on users of federated services. What makes lemmy.ml unique in this regard - couldn’t a bad actor do this just as easily by other means? Simply it’s comparative size to other instances/services that can be leveraged for this purpose? Aren’t there lower profile means of accomplishing this same thing?
I don’t know enough about how federation works from a technical perspective to speak to feed manipulation when viewing a ‘rogue actor’ instance from a place like sh.itjust.works, but welcome comments/clarifying questions on this point from smarter people than myself. Want to know more, just don’t know what to ask.
Federation exposes potentially quite a bit of user telemetry data through a few different vectors. For example, simply loading a thumbnail from another instance exposes a user’s IP to that host instance. The exact ability for a third instance to tie a specific web request or usage pattern to a specific user is unclear, but is not a large leap. I am working through some specific exploit ideas on a test server I run, but I don’t have a ton of time these days, and it’s difficult to model some of these vectors without real traffic. I can say that so far, if a user interacts with a post soon after making the content request, it’s pretty easy to grab their IP, especially on low traffic content. So if I can see that a user interacts with a niche community (because votes are federated for some strange reason), I can target them that way. I should also be able to set a cookie via the content request, as well as do all the typical browser fingerprinting tricks. Once that association happens, it becomes trivial to serve malicious content to an individual user. This is a very serious threat vector specifically because it’s easy to hide what you are doing from the rest of the world, so it requires vigilance by the target to uncover. If it is done rarely it would be all but impossible to spot.
The broader point is that there is clear motive and plausible opportunity here. From a cyber security perspective, that’s enough to take preventative and protective measures.
I hear you. My perspective may be slightly different from yours because I have more faith in the devs. I believe them when they make statements about supporting privacy and open source. I understand that they have some extreme beliefs regarding political ideology, but I think it’s unfair to use that as evidence that their ethics are compromised in other aspects. They certainly have an agenda, but they also ultimately have principles and I would be quite surprised if they committed such a betrayal.
It’s like the old adage about conservatives being pro-life right up until the baby is born. People compartmentalize their feelings on different issues and parts of their life, and I think that within the compartment of software development, the devs seem quite ethical. Within the compartment of sociopolitical theory, they have opinions that many would characterize as unethical. But I don’t think the latter implies that the former is likely to be compromised.
I’m not really well versed in software, so I can’t offer much in terms of discussing potential vulnerabilities on that level. I’m glad that someone is worrying about it though.
And that brings me to my second point, which is that the Lemmy userbase is chock full of techies, skeptics, and critical thinkers. Even if they did have some grand scheme to propagandize us, I just don’t think it would work. It’d be similar to what’s happening now, with people independently calling them out and then collectively dealing with the issue.
The time when the Lemmy devs could hope to control the evolution of this platform is long past. They’re outnumbered and there is a substantial negative sentiment about them amongst the userbase. I’m really not too worried about the harm they might cause. I’m more concerned about making a rash decision that creates more problems than it solves.
I am not worried about propaganda. I am worried about a state actor performing pattern analysis on my user, trying it to a specific IP address, and then serving me targeted malware. The fediverse is unique in that sense because of the nature of federation exposes a significant amount of user telemetry to a huge number of different internet hosts.
At this point I am 100% convinced that if hexbears could perform cyber attacks at the behest of China, they would do it enthusiastically. And .ml Admins protect hexbears. To me, that’s motive and opportunity, and it would be naive and foolish to trust them given the adversarial nature of the way they interact with the broader fediverse.
What problems does defederation even cause? Do we have sympathy for this tumor? The very fact that they are openly willing to engage in information warfare, and are being marginalized for it only makes the threat bigger in my mind. If they feel like they are losing this war, their behavior will only grow more extreme. I would again like to reiterate that “Dessalines” is literally the historical poster child for “extreme ends justify any means.”
We certainly lose a ton of active communities and users. Potentially, we continue to exacerbate an ideological divide that ultimately results in the complete disintegration of Lemmy, forcing us to start over on another platform and lose many of our gains from the past year.
Yes. It’s not a tumor, it’s an internet community with a large number of communists who want to take down Western capitalism. It’s a couple of developers who had a vision of a link aggregation platform for the people, by the people. I have plenty of sympathy for them, even though I understand they could potentially be dangerous due to their political extremism.
It seems like you’re aggressively trying to eliminate a hypothetical problem, while discounting the very real consequences of defederation. Even if we go through with it and it goes relatively well, it would cause a significant dip in growth and activity, which we desperately need.
I would be much more sympathetic to this idea if they had not shown time and time again that it simply isn’t true.
They have shown absolutely no interest in small-d democratic ideals, and instead continuously double down on small-a authoritarian ideals.
They literally just got kicked off reddit and built a platform that they could control without any interest in higher causes, as far as I can tell. If this was not the case they would not do things like mass ban users for mild dissent, over comments made in other instances. Their interest is entirely self preservation. There is no evidence of service to any higher ideal. They are dead weight, and it’s only a matter of time before they do something which is going to harm the fediverse far more than slow growth will, if they haven’t already.
Ok, I disagree with your assessment of them as people but I guess we’ll just have to wait and see.
It’s good to know that ml users aren’t disproportionately causing problems. That was the impression that I got - they have their overzealous trolls with their own ideological spin but they don’t have disproportionately more trolls than other instances - but I’m not a mod anywhere so I don’t pay attention as closely.
I think ml does have moderation issues, that post on the technology community is not the first time I’ve seen overly aggressive mod actions from them. I’ve left several news and politics communities on ml due to certain users and moderators creating an environment I prefer not to be in. Being a moderator is a hard job, but I genuinely appreciate the transparency and even-handedness from the mods in other large non-ml communities and they show that we can and should expect better from our community moderators.
I think the post over on Technology has the right idea - move the non-political communities off of ml to other instances, the politics communities already have active alternatives due to the mod issues. The Star Trek communities show this is totally possible, but the non-political communities are the least likely to have issues with overzealous moderators (unless you’re foolish enough to engage in politics elsewhere over there and get a blanket ban from all of ml for bullshit reasons…). But a community call to action is harder than a blanket defederation.
I think the moderation issues are more than a minor annoyance, but I agree that defederation, at this point, would be excessive. And I think we’re all happier not addressing the elephant in the room because, well, we wouldn’t be here without them.
Yeah, precisely. It’s a very different situation compared to hexbear, who would flood threads on our server and deliberately try to rile up our users. The problems with lemmy.ml mainly come from users going into their communities and saying things that go against the grain.
If you get banned from lemmy.ml in that situation, I feel like it’s not a bad outcome. Just join the equivalent community somewhere else. Defederating them is almost the equivalent of banning yourself anyway, if you think about it.
Very well said. I completely agree that it behooves us to move a good chunk of communities off lemmy.ml. I think I missed touching on that point in my original comment, thank you for expressing it so well.
This is overwhelmingly the case from what I have seen.
Yeah, embarrassing for them
People picked their fediverse option over others. Had Lemmy not been there, we’d all just be elsewhere. They got the popularity, but are clearly actually disliked by a lot of their users. They should probably self-reflect with that knowledge
Sure, but there’s no reason it can’t be both. They caused an issue with their actions, but we can either continue to make the situation worse or begin to repair the damage, depending on how we react.
I had a different reply typed out but I’ve decided to change it because:
This is such a weird reply. It really feels like you’re claiming that people pointing out that abusing mod powers (objectively a thing being done) are somehow in the wrong for doing so just because the people abusing the power are those who coded the site it’s being done on.
The choices users have to deal with an issue like this are to block (per-user, so they have to discuss it), defederation (a big decision, so discussion), or leaving entirely (in which case theyd want others to come with, so discussion). That is unless shaming the people doing it works, but they’ve kinda shown they don’t care as this is far from the first time this has come up.
How is it at all embarrassing for the users of a forum to discuss on said forum one of their few methods of recourse to people with power on that forum abusing it?
Huh? I never said anything remotely like that. This discussion isn’t about pointing out mod abuse, it’s about potentially defederating lemmy.ml. I support everyone who points out mod abuse, but defederation is a whole other can of worms.
Most users don’t have any issue at all. It’s a vocal minority that antagonize (either deliberately or accidentally) the lemmy.ml users and communities that have been subject to the moderator actions in question.
It’s not. I said it’s kinda embarrassing, because of the possibility of the discussion actually leading to defederation. If we discuss and decide against defederation, I don’t think it’s embarrassing at all. But if we ultimately defederate lemmy.ml just 12 months after joining Lemmy, I would be slightly embarrassed by that choice, yes.
I would see it as a failure of our ability to solve problems and continue to build Lemmy up, and I don’t think lemmy.ml has done anything egregious enough that we have no choice. So ultimately I would see it as an overly sensitive reaction to a fairly pedestrian internet moderation saga.
Because of mod abuse. By ignoring that you’re reframing the whole situation as something else.
Lol
LOL
So your opinion is based on complete bullshit, gotcha
Gotta chime in here - part of why I made this post was exactly this reason. Apologies in advance for length.
As someone who doesn’t participate in communities where political discussions are the norm, I haven’t had issues with lemmy.ml moderators or users. I know others have, but was uncertain how many other users on this instance experienced this, and if they felt the experience was bad/pressing enough that defederation should be seriously considered.
As a personal aside, so far I’ve seen some very useful perspectives, but not enough evidence to seriously support defederation. The only elements that give me pause are Socsa’s concerns, but even then I don’t think the evidence is rock solid at this stage (though defed or not, warrant further consideration). This is just me though, I can’t speak for anyone else.
I think imaqtpie’s POV is valid, though perhaps not phrased the best way (‘antagonize’ carries some connotations that might be distracting). The problems occur when engaging lemmy.ml on topics their mods are, IMO, overly and inappropriately sensitive about. It usually happens in communities where politically-focused discussion is expected. When this happens, they engage in what can reasonably be described as mod abuse. I think we can agree on that.
Is this problem, and its downstream effects, such that all of lemmy.ml - all users without regard to political affiliations/interests/participation levels/whatever, all communities, etc. - should be cut off from sh.itjust.works entirely? If not, are there other approaches this instance should take to mitigate the problems that exist for its users [e.g. coordinating with other groups to migrate key communities off of .ml and support adoption? Community block lists that folks can use, that are one step below blocking a whole instance? Other things I can’t think of?]
Ultimately, we cannot control how lemmy.ml manages their instance/communities hosted there. What exactly are the problems that causes here, what options are reasonable to address them, and how do users of sh.itjust.works want to deal with that. This is what I was aiming to suss out in opening up this discussion.
Another aside: I see you are based at another instance (which is totally fine, all perspectives are welcome at the discussion stage). First question: Do you guys have a similar governance model to sh.itjust.works, and is defed from .ml under consideration? More important second question: if sh.itjust.works continues to be federated with .ml, would you feel it’s warranted for your instance to defed from us?
Was hoping you’d chime in :)
Just thinking out loud here, but question: Do you know if the current version of Lemmy allows for user-level importation of bulk community block lists (kinda like what you see for ad blockers)? I can’t help but wonder if this is a middle-ground for folks who feel defederation is warranted on the basis of discourse, where the problem may actually lay primarily in specific communities based on the topic of interest.
A group of interested parties could get together, review communities worth blocking based on whatever criteria they come up with, make the list available and users who are interested/aligned with the group’s principles could apply it in one go. Saves the effort of having to engage and block on a case-by-case basis, or blocking whole instances if that feels like overkill.
Not certain I’d use something like this, and it brings its own concerns for consideration, but it seems like a happy medium others could be interested in.
You should know by now that I can’t help myself, I like to hear the sound of my own voice 😅
What you’re talking about is really similar to gui.fediseer.com, except that’s on an instance-wide basis. I think it’s a really good idea and seems pretty simple to set up if it’s not already possible.
This particular situation is kind of rare, because typically you’d either want to block the whole instance or just a handful of problem communities. But since lemmy.ml has so many active communities, there are too many bad ones to block manually, and too many good ones to block the whole instance. So yeah, a sharable user-curated community block list would definitely be useful right about now.