Edit: obligatory explanation (thanks mods for squaring me away)…
What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
That’s a point that I think a lot of people are missing. Since a lot of this data is propagated, it’s not just their own instance admins they have to be concerned about, it’s any instance admin across the globe. There’s effectively zero cost to become an instance admin.
People are already using it for “good”, e.g. correlating upvotes and downvotes to identify accounts that are related to each other for the purposes of stamping out bot activity. The same method could also be used correlate ALT-accounts, say for example, a hard-right leaning account that has an alternate that interacts regularly in support of LGBTQ+ communities.
Okay so say a bad actor gets this information, and wants to use it maliciously. If they goto the users instance and attack the user in posts and comments, then they likely get banned. All this data links back to arbitrary usernames. I dont understand where the actual “threat” is in this data being semi-public.
It all depends upon how each individual uses the platform. You’d be surprised how many people inadvertently dox themselves over time.
Not all accounts tie back to arbitrary user names. There are plenty of people who know each other IRL or whose public identities are generally known. There’s a lot more potential eyeballs that can possibly build heatmaps of activity that could out “burner accounts”, for example, or otherwise make connections that aren’t readily apparent via the user interface. An overly- simplified example is I can easily tie your lemmy.world and lemm.ee accounts together without having to jump through any interface hoops. That may be of no concern to you but that doesn’t mean it’s of no concern to anybody else.
I, some shmuck in his basement, can build a user profile and fingerprint of you the same way so many people are concerned is happening at commercial platforms.