Pull Request Submitted - Remove reputation protection from downvoted post hiding

in abuse •  last year

Normally when a user's post gets downvoted to a negative r-score, the post is hidden. This is not currently the case if a user's reputation is 65 or above. No matter how many votes a user with reputation 65+ gets, their posts will still get shown.

The idea behind this is that hiding posts was intended to prevent spam/abuse, and users who have earned a 65 reputation are not going to be spamming/abusing. In the rare case where a high rep user goes off the deep-end, the community can downvote them back below 65.

Unfortunately there has recently been a case where 65+ user's account was compromised, and this protection has allowed the malicious user to create posts and comments without fear of being hidden.

Since the protection against getting hidden is creating an exploit for malicious users to take advantage of unsuspecting users, I felt it was best to remove the protection.

I submitted a pull request to remove the protection for 65+ users:


If the pull request is accepted, it will mean that any user (regardless of reputation) can have their posts and comments hidden if they are downvoted to a negative r-score.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Tim you do a lot of good work here which is why I feel safe saying this pull request is doing more harm than good.

Downvoting bots on authors with 65+ reputations ruin the spirit of what you are trying to do with this pull request. For example, I have a bot that follows me around and downvotes most every comment I make by the account name of @veryscamfield. See the downvotes at https://steemd.com/@veryscamfield. This is an account created by @berniesanders and @nextgencrypto that automatically downvotes most of my comments.

Fortunately the reputation protection blocks this downvoting bot from hiding any of my comments with its dust vote. Without this protection, one user could make a bot to automatically downvote any and all of our 65+ reputation authors and automatically hide comments on a huge scale. There is no reason any of us should be expected to setup a bot to then autovote our comments back up to counter what already is prevented.

Your pull request means at no reputation level are we free from a dust voting bot hiding our comments and that it should then be our responsibility to auto upvote our own comments or to do it manually to counter this.

Would you please remove this pull request because it is opening a bigger opportunity for exploitation than the one it hopes to close?


There are pros and cons to the change. I am not dead set on it being made, but I lean more towards the pros outweighing the cons. Ultimately it will be up to Steemit, Inc. whether it is accepted or rejected.

A few questions:

  • It seems like the problem you described is also there for accounts with reputation < 65. It is probably a bad word to use to describe it, but why should level 65 users be exempt from this?
  • Can't it be countered by an auto-upvote bot? We've done this before when accounts like @asshole were randomly flagging tons of users.

Yes the problem is there for accounts less than 65 reputation which is good to catch users that are truly posting spam or comments that should be hidden. For users that are established in the community with over 65 reputation, no amount of downvotes should completely hide a comment because this user has proven themselves to our community a lot to get to 65. If that changes, repeated downvotes will eventually lower the reputation to below 65 and hide comments again.

We want to keep user protections available to authors contributing the most here especially when it comes to preventing abuse from bots. What we have in place with the 65 reputation limit for hiding posts is good because it provides that. There are almost no benefits to removing this protection while a huge annoyance is opened up to anyone over 65 being able to have comments hidden with even a dust downvote.

With the current system, having a downvote bot on someone over 65 is fairly pointless which is good because if someone has given enough here to earn a 65 reputation they should not be subject to having comments hidden by one dust bot autovote and expected to setup a bot or vote manually on their own comments to prevent this.

Authors with 65+ reputations are also more likely to be targeted than a user under 65 reputation simple due to popularity. As with me, more followers = more haters regardless of what I post. Should one account that has never posted or powered up any Steem be able to automatically hide all of your comments or mine? Absolutely not.

If this change goes through, one person would be able to automatically hide every author over 65's comments without having to buy any Steem power. That is a con that outweighs any pro for this change.


I see your concern and I don't disagree, but IMO users getting their accounts stolen through phishing is a bigger issue, even if it doesn't happen very often.


Another 66 reputation account was a victim of the recent phishing attack. Now there are 2 accounts that can post phishing links with little or no resistance. I've seen it take 2 - 15 days to recover an account. How fast can this spread if it is left unchecked.

While I agree this has pros and cons, unless you have another suggestion to stop the spread then I see this as a good temporary measure that could be reversed.


Why would a legitimate 65+ user automatically assume that a countering autovoting bot is needed? That's a bit confusing.

Tim's excellent idea would prevent misuse of stolen accounts and other malicious acts that can negatively impact Steemit.


Misuse of accounts and abuse from over 65 reputation is not that common whereas one person with a downvoting bot could hide every single comment by default on every 65+ reputation user if this update went through. After having a downvoting bot put on me, I see the need for anyone 65+ reputation to avoid having comments hidden by a bot.


I do see it from your perspective but, unsure if you're aware, a second 65+ account was just phished. What would happen if it's your account that's compromised and your reputation is on the line? One wrong click is all it takes man.


I don't see the difference between an account having rep 65+ and account having a rep lower than 65, hence I don't understand you are against removing the strange behaviour of Steemit. A more elaborative comment you can find here: https://steemit.com/abuse/@timcliff/pull-request-submitted-remove-reputation-protection-from-downvoted-post-hiding#@edje/re-timcliff-pull-request-submitted-remove-reputation-protection-from-downvoted-post-hiding-20171024t145903700z


Why protect 65+? Why don't protect 60+? Why don't protect 50+ or even 25+?


Another 66 reputation account was a victim of the recent phishing attack. Now there are 2 accounts that can post phishing links with little or no resistance. I've seen it take 2 - 15 days to recover an account. How fast can this spread if it is left unchecked.

While I agree this has pros and cons, unless you have another suggestion to stop the spread then I see this as a good temporary measure that could be reversed.

Okay... we see one instance where a 65+ user account is misused.

Can we list out the possible negatives or exploits that could be had if the Pull request goes through?

  • does it allow whale battles to go differently? (not that whale battles are ever good...but they do happen)
  • ??

Not sure on this one. But don't mind the discussion.

Just think changes shouldn't be made for one event....usually.


I think it makes sense to do this. A legit user shouldn't have to worry about having this protection in place. Why even have an exclusion for the higher reputation users. They wouldn't be impacted if they carried on as usual. It's no different than allowing special exceptions for those in charge that the little people have to comply to. I say equality for all, @timcliff. Good call.


I agree with you totally @mitneb.
If whales want to attack each others, they should not be immune just because they are whales.

Removing the protection only makes people aware they can't abuse the system just because they have higher reputation and they are privileged.

Thank you @timcliff for suggesting this

Not sure about this, while there's the corner case of a 65+ Rep account being compromised, flag attacks are far more common on the Steem network. I believe there should be some protection for high Rep authors against bad actors. Imagine if you (or any high Rep author) make a comment, and some people (not even a whale) downvotes it baselessly - I wouldn't want it to be hidden.

Of course, the real issue here is that the Reputation system is dysfunctional and needs a complete overhaul. I'm sure that's in the pipeline somewhere for Hivemind's future releases, but probably a long time away. I have also suggested a decentralized judiciary system several times before. Clearly Dan seems to have learned from his mistakes with Steem and working on implementing one in EOS.


Valid points. As far as high rep users being downvoted, it could in theory be countered with an anti-abuse bot. Also, I would assume that they would have enough SP to counter it themselves if they wanted to (at least in most cases).

I'm not 100% set on the change though, and I think it is a good thing to discuss. Ultimately it will be up to Steemit as to whether or not they accept the PR.


No small fish dares to downvote a whale needlessly or without basis. Don't forget whales have the SP at their side.
The only case that High rep people would be affected is if another high rep or high SP downvoted them. In that case, I would like to think that these downvotes are not baseless!

Thank you for sharing and discussing.


I could agree with some protection to higher rep users, however I don't agree this marker shall be at 65+. I see high rep accounts abusing Steemit since the moment they were able to do so, eg having high rep and since HF19 removed many of the anti abusive protection already (eg the removal of limited number of post per day).

I fully agree the Rep system is not correctly implemented. The current Rep system allows users with high Rep to abuse the system without their Rep being effected when receiving downvotes. Also the power required the Rep is for higher Rep users to high, allowing high(er) rep users to abuse the platform for a longer period of time.


Recently I was flag attacked by @firepower a reputation 69 account and his @s4s, an account with 170k+ delegated SP. @firepower even banned me and other users who support me from steemit.chat just because I reveal the fact that he used a comment bot to spam Steemit.

Normally high reputation users have more powerful friends to help them. And low reputation users are helpless when they are treated unfairly.

This kind of protection is not fair. Why don't protect accounts with 60+ or 50+?

Hmmm. I dunno. I guess commandeering 65+ accounts would have to be a prevalent thing. I don't think it is. At least, not to the degree this pull request would be necessary.


Appreciate the input. The PR has not been accepted yet, so discussion (from both sides) is good.

I definitely feel this is a good idea. The biggest issue when it comes to anytime of cyber security is human beings and the trust we give to others.

This would be esepcially prevelent if the user has a very high reputation. With high reputation usually comes more trust. I think it is definitely necessary to be able to hide comments regardless of their level.

Why is there a need for this protection if the 65+ rep trust is inherent. Obviously, if the post garnered enough downvotes to hide the post, that person broke that trust and deserves to have a post hidden.

Just my thoughts.

I don't think rep protection is necessary anyway. Just because it went up doesn't mean you can't lose it.

Good PR @timmcliff. Regardless of your reputation, a bad post (or spam post) should be held in equal regard. If it gets sufficient flags, there is most likely an obvious reason, and so the protection on 65+ rep accounts should not be there. Most 65+ accounts won't need to worry about this, but it makes everyone equally accountable not to abuse the system.

A very good argument. I too believe that all users of the platform should be held to the same standards. Posts should be up or downvoted based on their individual merit and not on whichever reputation score a member has achieved. Greater transparency will greatly reduce the tendency to abuse the platform and facilitate a higher degree of civility.

I think that is a good idea to remove reputation protection. Remove reputation of protection is preventing "abuse of power" conduct. Nice and good idea :)

Honestly I didn't know this rule. For this very case of phishing scamming, I followed the update and see that account still spreading scamming replies. I agree with you in this case.

But it might do more harm than good. We've seen so many flag wars on Steemit, although myself never got incolved in any of those. Removing the SP protection might make it too easy for those who just buy SP to downvote.

Rep itself doesn't fully do justice whether there're more likely to have scammers of low level than of high level. But removing it might make it too easy for scammers as well. 65+ rep users got stolen by a scammer is still a rare case.

My suggestion would be to find a better rep calculation method. BTW, see you at SteemFest.

When it comes to money i think no one can be trusted.

This information is valuable, even more important that you share it now, even before the pull request get's approved and branch merged. Two days ago I have seen a user of 69 reputation if I remember well that was spamming comments with adds so I think this PR could bring necessary modifications right now!

Hello @timcliff I do really agreed with your change proposal, I do also decided to make a post presenting my opinion towards this subject, and also in a expectation that it could bring more people to inside this good discussion.
I'll let a link here, just in case you had some spare time to have a look, I your feedback would be really appreciated!


Thank you for being such a great witnesses !

Steem on!


Great post :)


Oh thank you so much for taking a time to have a look at it !! =D

This is just fair enough to prevent the 65+ reputation user from abusing or spamming their post. It is best to be fair in all areas of discipline.

Nice proposal @timcliff you just did a great thing in steemit world! Thumbs up to you buddy.

You really deserve to be one of the witnesses.


Thanks :)

There shouldn't be such protection in first place. One bad user can act as a gentle and noble user until reach 65 reputation score and then start to reveal his true self. So all measures should be same for everybody. Those who are naturally polite, gentle and ready to follow rules, they shouldn't fear of this.

@timcliff, thanks a lot for sharing that useful information, nice work for the betterment ans development of community also fought against that kind of spams and malicious user.
steem on!

Interesting discussion. This whole downvote issue is a bit scary anyways, as I get worried every now and again thinking.. what if someone decides to hate you and downvotes you just to be mean? The big guys can easily destroy a small fish.

I went through this post of yours and in your list of friends I was of course particularly interested in the artists. When I looked at patimaker's blog, the last three posts were downvoted to nothing and the guy seemed to have given up out of frustration... the posts are hidden and there is no indication of why that happened. Except for one person calling him "scammer", but without explanation.

Since one can make any hidden content visible at the click of a button, I wonder if there might not be a better way to deal with the issue. What if one could only downvote in combination with a comment (maybe even in a separate window), as to why one chose to do so? Regardless of their reputation.. the comments would not only reveal the reasons, but maybe also some of the personality, if someone just throws in two arrogant words and wants to display their power or if someone is genuinely concerned..


That's one of the big problem here, and why downvote can have serious implication, I believe it resulting in the retention rate of the platform....quite a few people join but few really stay around and some are butted out because someone does not agree with their opinion or just make an assumption an rally support to take down the account...there is abuse among high rep account as well and its often ignored, most people would not stick around with the BS and hypocrisy


Yes, I think its the problem in any system... the moment you have people involved, there is always an element of well... chaos.. in lack of a better word.

I want to believe, that all these things like reputation all very well contemplated in search of the best possible way... "unfortunately" its human nature, to always look for alternative paths or even "shortcuts". That's ok, if not even great, because it helps the "life form" to evolve, as long as this behavior doesn't hurt your fellow human. I guess, that's why we developed ethics and rules. So, what do you do, when ethics aren't working for some? You have to add more rules, which this is about, if I understand this correctly. And sometimes an even bigger adjustment seems necessary... I'm sure the developers here are much smarter than I am, but sometimes I think an "outsider" can bring in an idea which may seem silly, but sparks a much better idea in the end.

That's why I'd like to come back to the downvote and flagging issue one more time... every now and again, I see someone from an Asian country with a very low rep making a comment on my blog. As someone living in the so called western world (Germany) I might be tempted to quickly think... ok, another scammer. But that is why I would like to see a feature implemented to make people hesitate and think for a moment. What if that person acts in good faith and doesn't even understand his way could be perceived negatively? They might not speak English and someone told them to copy a phrase and use it as a comment.. not even knowing what it means? They are doing that a few times in an attempt to be nice, get flagged and their rep is down the drain... We measure someones action by what it means in our own culture, but what if there is a completely different mentality behind it?

I think it would be good to follow timcliff's suggestion for the pull request. Also so everyone is accountable for what they are doing. At the same time and for the same reason, negative feedback should only be possible by justifying ones action.


A great idea, @reinhard-schmid! Why not make it possible to see who has cast a down vote just like it is possible to see who casts an upvote for an article. More transparency and accountability is good for the platform. I love the idea of making a comment necessary, but it would be easy enough to put gibberish in the comment, so I don't think that would be effective.


Thank you for your kind answer. See, the thing is, when someone repeatedly downvoted and only added "nonsense comments", it would say something about that person. And just like the platform tries to find ways to defend itself against spam, one might find ways to defend against such... how should I say.. troll-ish behavior..


That's true, @reinhard-schmid. It would still be successful in this way.


There has been a lot of conversations around this. There still isn't really consensus on a solution yet. It is good continue to brainstorm ideas though. It is an important issue to get right.


Its being heavily discussed, I know, but like you say, all the brainstorming will hopefully lead to a better solution eventually. Do you know, what happened to patimaker?


I don't know.

Thanks for the clarification, I kept thinking how it works. Now everything is clear.

This is the first time I read about this 'protection' mechanism. I don't see the difference between an account with rep higher than 65 and one lower, hence I believe the described behaviour needs to be removed. Or at least, the rep level need to be changed to a lower value. I've seen accounts with higher rep than 65 abusing Steemit, and I'm pretty sure this had nothing to do with a stolen account. My argument to remove this to me strange behaviour is that when someone miss-uses an account, it shall be made invisible regardless of rep. The question we can ask is "shall the UI enforce hiding of accounts/posts/comments when it gets downvotes?". I personally believe it shall be configurable by the user since many of the community members are in favour of freedom and why shall the UI then hide posts/comments when it gets downvotes? Just make clear it got downvotes, maybe with an icon so it is quickly seen? On the other hand, I understand the hiding feature of the Steemit UI, it ma prevent abusing posts and comments to get more rewards.\ which effects the reward payout distribution.

BTW, don't you think we should debate another topic on downvoting? The weight the votes gets based on Steem Power? Although I never run stats, I have the feeling (some of) the early adopters of Steemit who gained a lot of Steem Power and Rep over time, may misuse and abuse Steemit and nobody is able to do something against them, we simple have to little Steem Power abuse fighters in our community, while we for sure have to little high rep accounts that fight abuse.


Nothing wrong with continuing to debate it, but we are a long way away from consensus on any changes to the blockchain protocol on that.

I don't think anyone should be an exception to the rules. I am for that pull. Good idea. We already have corrupt politicians escaping justice because of their high standing. Steemit shouldn't emulate that concept.

I read your post and upvote it, its a good sharing for me as a newbie, thx @timcliff. You are so kind to share a good info

I'm all for this. Selective protectionism does nothing for the website or for Steem by direct association.

a good and wise initiative to make this community a better place.

Regardless of reputation score, everyone puts their reputation on the line every time a post or comment is published, every time a vote is cast whether upward or downwards. If I post schlock with a rep score of 53 it will never rise and will likely fall.

For the rep score to mean anything it must be administered equally among all the members whether plankton or whale. Otherwise, we will definitely end up with too-powerful people in a centralized clique and steemit will not realize its potential as a decentralized community of equality among members.

If there are those among us who already think they are above the rules they've laid out for the community, then action is necessary now. Either we are equal here, or we are not.

Kudos Tim.

Yes, it would have greatly complicated the life of scammers. And then they have only to crack a user with a high reputation, and they can with impunity post any links.

Good request to prevent abuse. Same law for all so that no one can be able to spam...///...///...///

You can't imagine how discouraging this is for little minnows. Here we swim - completely ignored, but you all have big business up top and none of it is any good.

Use your power to downvote away! Keep fighting up there in your chats! Leave the minnows with their 50 cent payouts. They will survive or not - but no one cares in the land of angry whales.

I think this is a great idea as everyone wants to achieve higher reputation so having less protection for 65+ reps insures that they have to follow the same rules as every other user regardless of rep. I have always said that there needs to be more transparency on the steemit platform.Downvotes should be restricted to spamming, bad content or abusing steemit. But even abusing the power of downvoting should be transparent with a record each week or month of those who downvoted. Users are downvoted and may not know why so maybe some comment system on downvotes thatare going to affect that users rep.

Good Idea and Indeed a fair scenario I think.
Your posts and comments will be hidden if they are down voted to a negative score. :) That will make you think twice before doing anything.. :)

I agree with the move.
Why should someone have protection just because their reputation is high?
This is a form of elitism, of which I am strongly against.
In my country of Norway, we have a saying : "No one is above and no one is below"
Just as in the "real world" a person takes years to build a reputation, and they can also destroy it in a second too. Reputation was the old fashioned way of self policing. No one should be immune.
Look at the case of the notorious Jimmy Savile of the BBC- His reputation protected him for his entire life but we now know he abused that reputation to abuse children.

I applaud this move @timcliff - If we are ever to have an true equal society, no one should have extra protection just because of their reputation.

wish i have those hands & keep upvoting such as this creative post!!

I don't think rep protection is necessary anyway. Just because it went up doesn't mean you can't lose it.

Nice point, I agree with your stand.
For a 65+ reputation account to have such immunity is not fare at all. There is no guarantee or assurance that such a person wont default, abuse or go against the rules of the game.

I think this is fine because as we can see with berniesanders you can have hidden posts and still get plenty of interaction if people want to see what you have to say.

Thanks for clarifying, Tim.
I had wondered how the comment hiding worked.

This explains your previous post. I did not even know the existence of this protection.

While STINC is closed lip about everything going on with ddos and glitches and such, I think it is good to see witnesses like you @timcliff and @lukestokes to be active in actions like this or calls for updates and accountibility from steemit inc.

I really don't know what the answer is on this one. I guess I would say treat everyone equally... Even 65+ steemians.


I have often thought downvote power should be a function of reputation, unless that got fixed its a much more common issue that someone buys a bunch of steem just to downvote others, even though their own rep is in the minus.


There are problems with that, as reputation in it's current from is easily gameable and not part of consensus.


I heard it before, just suprised its not being added to the chain. Of course a bigger problem right now is page loading and updates times :)


Thanks for sharing!

Thanks for giving the chance to enjoy this beautiful news!!

Very good content

Duplicate comment - so sorry - I'm getting this often today.