The more people use Fedecan services, the more Fedecan will attract bots.
Which means Fedecan will have to do something for users to prove that they are human. When I joined, you guys had a registration prompt with manual review, but I imagine the prompts you gave could be automatically bypassed by an LLM fairly easily.
The naive solution is to do something like collecting government IDs like Facebook tried at one point. But that'll just drive people away who don't trust Fedecan with that info.
What would be your thoughts (admin thoughts, and community thoughts) to implement some 'proof of unique personhood' process with something like Canada Post Identity+? Basically, Canada Post verifies that users are human and is responsible for taking care of PII, and Fedecan just trusts Canada Post to not let the same user register multiple times. If done well, I think 'Canada Post proves that every user account on this site is a unique human' could be a real selling point for lemmy.ca and pixelfed.ca
Full disclosure, I heard about it in a Reddit thread of people complaining about bugs in it while they try to vote in the Liberal party election. But I bet this is just early adopter bugs, and the Liberal party clearly trusts it with their leadership elections.
Regardless, I think proof of unique personhood is a problem Fedecan will have to solve, and a solution through something as Canadian as the post office just seems more elegant than having the Fedecan admins reinvent the wheel.
I realize you guys (admins) are probably quite busy with IRL work and the Pixelfed launch, so if there was interest in this but no admin capacity to investigate further, I could volunteer to reach out to Canada Post and see what they could offer for non-profit use, including what it would cost Fedecan.
Thoughts?
EDIT: for people concerned about "but then CSIS knows which account is mine", an anonymous credential system like U-Prove could be used to prove "1 lemmy.ca user = 1 unique real person", while cryptographically guaranteeing it is impossible to link any particular lemmy.ca user to any particular human identity.
They would just come in via other federated instances. Bots haven't really been a huge issue yet, but it'll be a Fediverse wide one so we need a solution that would scale like that.
I'm also not keen on any sort of pii link to our users, even if it's Canada post holding that data.
If we're not selling user eyeballs or data, do we care if a user maps to a real person?
The current standard for Fediverse content moderation seems to be for each instance to manage its own content moderation policies, and each instance defederates / block those few instances that are particularly repulsive to them.
Taking content moderation as precedent for the issue of bot mitigation, the onus of mitigating bots will be on the instance admins, where known bot farms just get defederated.
A fair concern, but IMO needing something like this is inevitable. Maybe I'm just "early", but I don't think I'm wrong.
If the concern is ensuring each user can't be linked to a specific set of PII, then an anonymous credential system like U-Prove could cryptographically guarantee that each account belongs to a unique real person, without revealing which real person it is.
(Many anonymous credential protocols, including U-Prove, come with 'single-spend' mechanisms that can be used to ensure one user can't get two accounts.)
Basically, with anonymous credentials, you'd end up with two sets of data: One with whatever PII-linkable info Canada Post gave to Fedecan, and another containing the actual user accounts. But (provided users used Tor to prevent IP address correlation) it'd be cryptographically impossible to link the any of the first to any of the second.
True, but it would at least build a reputation of "1 lemmy.ca user = 1 real person".
I'd say yes, we should care.
I'm not on lemmy to chat with bots; I want to know that when someone responds to me, that they're a real person, and that if five people respond to me, they're five different real people, even if I have no way of knowing who those real people are.
I also want people who see my posts to know there's an IRL person behind them and that my account isn't just one sockpuppet of many, though I don't want them to know my IRL identity.
If I wanted to chat with bots I'd just generate an artificial group chat with a few ChatGPT or DeepSeek agents, lol.
Having pseudonymous identities is one of the reasons I prefer the reddit/threadiverse style of social media to Facebook/IG where alts are heavily discouraged.
I think a lot of people use alts. There are all kinds of scripts and tools and tutorials about how to manage them. If you dont see the need that's fine for you.