> If you don't want to verify your age, you can still use its services - but it won't serve you porn or let people send you non-public messages.
> I think that's pretty reasonable.
You lost me right there. Blocking DMs because of draconian age verification is not reasonable. There's nothing inherently problematic about DMs. Someone can be a creep in public just as easily as in DMs.
nomel 2 hours ago [-]
> There's nothing inherently problematic about DMs.
You should definitely talk to some women. They generally have a drastically different, dick filled, experience with DMs. Multiply that by the felonies involved with interacting with a minor, the legal requirements of COPPA, and the PR problems of things like "grooming groups found on <platform>", and the problems become more clear.
Of course, the real issue is parents giving their children unrestricted access to the internet.
Aurornis 8 hours ago [-]
> Someone can be a creep in public just as easily as in DMs.
Definitely not true.
Public messages risk a wide audience seeing the message and recognizing it’s inappropriate, then taking action against the person, reporting them, or highlighting the inappropriate messages for mob reprisals.
This is why predators overwhelmingly prefer private messaging where they can control visibility of their actions to a single vulnerable target.
zer00eyz 2 hours ago [-]
> mob reprisals
Great choice of words here, it's an accurate description of the terror of the commons. Force everything into a public venue so we're all watching each other and then get everyone invested in reporting on everyone else's behavior.
Meanwhile in the name of "saving the children" from their poor parents we continue to add restrictions, laws and strip rights.
> This is why predators...
We had plenty of these before the internet, the idea that these sorts of laws change any of that is just naive.
Barrin92 2 hours ago [-]
>it's an accurate description of the terror of the commons.
There's no inherent terror in it. Self governing communities on the internet need some means to monitor themselves just like they do offline. Communities before the internet didn't let unknown adults in their community have one-on-one conversations with children unsupervised. That's not a right or a common practice.
Before the internet, when you joined a community you had to show your face; not a lot of clubs I'm aware of that involve minors were places where people in a balaclava were welcome.
zer00eyz 40 minutes ago [-]
> There's no inherent terror in it.
Go watch the classic black and white "Frankenstein" for a portrayal of mob justice. Torches and pitchforks!
How about the French Revolution... where the head of the mob meets the same end, with the loss of his head?
> Self governing communities on the internet need some means to monitor themselves just like they do offline.
This is also an accurate description of a lynching. You think we're doing better online, see reddit getting the Boston bomber wrong.
pessimizer 1 hours ago [-]
> Self governing communities
Bluesky is a company, not a "self-governing community." They didn't have a legislative process to decide to do this.
SV_BubbleTime 4 hours ago [-]
>risk a wide audience seeing the message and recognizing it’s inappropriate
As everyone knows, risk is unacceptable!
And inappropriate is of course an objective classification.
SuperShibe 6 hours ago [-]
>Public messages risk a wide audience seeing the message
Anyone can easily circumvent this by using asymmetric cryptography to encrypt their messages.
Aurornis 5 hours ago [-]
Nobody is going to the trouble of getting their target to set up cryptography tools so they can pass private messages back and forth between public channels.
They're going to move to another platform where they can find targets who have DM functionality available. BlueSky's job is done.
tracker1 3 hours ago [-]
Having to delete the obvious spam "hello" DMs in Telegram is so much fun... Fortunately I'm not that active and only in a couple channels. I still see a couple a day (block/report, etc).
SuperShibe 5 hours ago [-]
No one is going to the trouble of getting their target to GDPR-request their private DMs as well. This misses the point of the blogpost.
jrm4 2 hours ago [-]
Look, DMs are inherently stupid. Just let people post their email addresses and contact THAT way.
Now, of course, I'm not naive -- I understand that this idea is extremely unlikely to catch on and we're probably well past it. But still going to put it out there because I think it makes the most sense.
1970-01-01 10 hours ago [-]
DMs can come from anywhere, globally. This is much different than a public space with limited levels of users and police dispensing arrests on problematic users.
itake 9 hours ago [-]
Letters, phone calls, and SMS can come from anywhere, globally. There is no middle man reading every message and blocking anything it doesn't like.
Aurornis 8 hours ago [-]
Harassing someone via a phone number leads to a very quick and routine identification by the police.
There’s a nerd gambit where we say well technically you can trace IP addresses too but in practice it’s much faster and easier for police to track someone down by phone number than to go through all the steps of tracing someone’s activity through a service provider and then to their ISP and then to their household.
It’s not the same at all.
firtoz 9 hours ago [-]
If you don't adhere to rules with phone calls and SMS you will get identified very quickly by authorities. That's the point, they have the infrastructure set up like that. For letters, it's a bit different, but if they suspect someone or something they can indeed track things down.
f33d5173 9 hours ago [-]
They can track down the origin of an IP packet as well. As a rejoinder to the response of "what about VPN": SMS, phone, and letters can all be proxied as well.
TheDong 8 hours ago [-]
Proxying network traffic is wildly easier.
The Tor project was built specifically to ensure anonymity for internet traffic, and it works well as far as I know.
Phone numbers are not the same, countries require you to verify your identity to sign up for a phone plan, most sane countries have a government identity tied to each and every phone number, and proxying doesn't change that.
The US is weird in that it has some anti-government-identity stance that makes this way less centralized, but regardless, phone numbers are mostly traceable, there's nothing like tor, and the law also treats sms as more traceable.
Phone plans also cost at least something to sign up for.
I will give you that physical letters can be anonymous, but due to postage stamps it's much more expensive to send them in excess.
extraduder_ire 2 hours ago [-]
I read that as bluesky's response to the UK law being reasonable, not that the law itself is reasonable.
hk1337 9 hours ago [-]
> Someone can be a creep in public just as easily as in DMs.
I would argue that one could be MORE of a creep and lewd in DMs than in public.
edent 10 hours ago [-]
"Hey buddy! You're right. And so mature for your age!"
The reason OSA puts DMs in scope is because they are out of view of the public. If you start creeping on someone where it is viewable, people will call you out.
If you do it in private it becomes "our little secret".
That's how groomers work. Go talk to any kid blackmailed into doing something they didn't want to do. It often starts with private messages.
yard2010 9 hours ago [-]
Tbf this won't solve this horrendous issue but create a new problem just like the stupid cookie banner fiasco.
computerthings 8 hours ago [-]
[dead]
billy99k 10 hours ago [-]
and just why is age verification 'draconian'?
maybewhenthesun 10 hours ago [-]
Because there is no way to verify someone's age without removing their privacy protections. No matter what politicians seem to believe, it's just not possible.
I've always taught my children never to use their real names online. Precisely to avoid creeps. Mandatory age verification means mandatory identification.
CaptainOfCoit 9 hours ago [-]
I'm not sure if you work in software or not, but it's definitely possible to come up with a schema where you could verify people's age in order to use a platform, without exposing your entire identity to said platform, with a combination of signatures and other cryptographic basics.
Say you have a digital certificate from the government or similar that you use to do your taxes online or whatever, the government could have endpoints where you could use that certificate for signing a proof, that you then hand over to the platform you want to verify your age with. The platform can then confirm it's valid, and that $AGE>X, but they get no other details.
You can even go a bit fancier/more complicated, and the government endpoints wouldn't know what platform you're trying to verify.
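A sketch of the scheme described in the comment above, added here as an example and not code from Bluesky, any government or any real eID deployment. It makes one change to the flow as stated: instead of the government endpoint signing a fresh proof for every site, it issues a short-lived credential bound to a key on the citizen's device, which the device then presents to each platform by signing a platform-chosen challenge. The names Issuer, Device, Platform and AgeCredential are this example's own, and how the citizen authenticates to the Issuer (the tax/eID certificate the comment mentions) is assumed rather than implemented.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Added illustration of a privacy-preserving age attestation; not code from Bluesky, any
// government or any real eID scheme. Parties: the Issuer (a government endpoint), the
// citizen's Device (a key pair, ideally in a secure element) and a relying Platform. How
// the citizen authenticates to the Issuer (e.g. with their tax/eID certificate) is assumed.

// AgeCredential is the only statement the Issuer signs: the holder of this device key
// is (or is not) over the threshold. No name, date of birth or other identity data.
type AgeCredential struct {
	DevicePub     []byte `json:"device_pub"`
	Threshold     int    `json:"threshold"`
	OverThreshold bool   `json:"over_threshold"`
	Expires       int64  `json:"expires"` // Unix time; a short lifetime bounds the damage from a lost device
}

// Presentation is what the Platform receives: the signed credential plus the device's signature over the Platform's challenge.
type Presentation struct {
	Cred      AgeCredential
	IssuerSig []byte
	Challenge []byte
	DeviceSig []byte
}

// Issuer and Device each hold an Ed25519 private key (the Device's would live in hardware).
type Issuer ed25519.PrivateKey
type Device ed25519.PrivateKey

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}
func NewIssuer() Issuer                  { return Issuer(newKey()) }
func NewDevice() Device                  { return Device(newKey()) }
func (is Issuer) Pub() ed25519.PublicKey { return ed25519.PrivateKey(is).Public().(ed25519.PublicKey) }
func (d Device) Pub() ed25519.PublicKey  { return ed25519.PrivateKey(d).Public().(ed25519.PublicKey) }

// Issue runs on the Issuer after the citizen has authenticated; the date of birth never leaves it.
func (is Issuer) Issue(devicePub ed25519.PublicKey, dob time.Time, threshold int, now time.Time) (AgeCredential, []byte) {
	cred := AgeCredential{
		DevicePub:     []byte(devicePub),
		Threshold:     threshold,
		OverThreshold: !now.Before(dob.AddDate(threshold, 0, 0)), // birthday-aware "at least threshold years old"
		Expires:       now.Add(24 * time.Hour).Unix(),
	}
	return cred, ed25519.Sign(ed25519.PrivateKey(is), mustJSON(cred))
}

// Present runs on the Device: signing the Platform's challenge proves the bound key is present, so a copied credential is useless.
func (d Device) Present(cred AgeCredential, issuerSig, challenge []byte) Presentation {
	return Presentation{Cred: cred, IssuerSig: issuerSig, Challenge: challenge,
		DeviceSig: ed25519.Sign(ed25519.PrivateKey(d), append(mustJSON(cred), challenge...))}
}

// Verify runs on the Platform. All it learns: the Issuer vouches that this key's holder is over the threshold, and the holder is present.
func Verify(issuerPub ed25519.PublicKey, p Presentation, expectedChallenge []byte, threshold int, now time.Time) error {
	credBytes := mustJSON(p.Cred)
	if !ed25519.Verify(issuerPub, credBytes, p.IssuerSig) {
		return errors.New("issuer signature invalid (forged or tampered credential)")
	}
	if !bytes.Equal(p.Challenge, expectedChallenge) {
		return errors.New("challenge mismatch: stale or replayed presentation")
	}
	if len(p.Cred.DevicePub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(p.Cred.DevicePub), append(credBytes, p.Challenge...), p.DeviceSig) {
		return errors.New("device signature invalid: presenter does not hold the bound key")
	}
	if now.Unix() > p.Cred.Expires || p.Cred.Threshold != threshold || !p.Cred.OverThreshold {
		return errors.New("credential expired or age threshold not met")
	}
	return nil
}

func mustJSON(v any) []byte {
	b, _ := json.Marshal(v) // cannot fail for the plain structs above
	return b
}

func main() {
	now := time.Date(2025, 8, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	issuer, device := NewIssuer(), NewDevice()
	cred, sig := issuer.Issue(device.Pub(), time.Date(2000, 5, 17, 0, 0, 0, 0, time.UTC), 18, now)
	challenge := []byte("platform-nonce-1") // a real Platform draws this at random per attempt
	fmt.Println("genuine device:   ", Verify(issuer.Pub(), device.Present(cred, sig, challenge), challenge, 18, now))
	fmt.Println("copied credential:", Verify(issuer.Pub(), NewDevice().Present(cred, sig, challenge), challenge, 18, now))
}
```

Two properties are worth noticing. The Platform never sees a name or date of birth, and because the Platform challenges a device key rather than accepting a bearer string, a credential copied off one device fails verification on another, which is the sharing objection raised in the replies below. Two gaps remain: the device public key is a stable identifier, so colluding Platforms can link one person's accounts, and the Issuer still learns who requested a credential, though, unlike a per-request signing endpoint, not which Platforms it is shown to. The zero-knowledge variant mentioned further down the thread is the usual way to remove the linkable key.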
sleepychu 9 hours ago [-]
How do I prevent my citizens from sharing their certificates in order to bypass the block?
CaptainOfCoit 8 hours ago [-]
You don't, it's up to citizens to make sure whatever authentication they use can only be used by them, just like how it works for other services today where you authenticate online somehow and the government service assumes you're you since you were able to authenticate.
sleepychu 8 hours ago [-]
My point is that this is either a bearer token (in which case it will be obtainable by proxy) or tied to your identity.
What is the incentive for the citizen to make sure their authentication isn't shared?
CaptainOfCoit 7 hours ago [-]
On the government endpoint, which returns X that the platform uses as "evidence" for you being an adult, yes, that's tied to your identity, as the certificate/whatever is tied to your identity.
But as long as the platform that needs to validate that you're an adult doesn't get your identity, but just the proof, I don't see what the problem is?
> What is the incentive for the citizen to make sure their authentication isn't shared?
What incentives do people today have for keeping their identifications to themselves? Why aren't we all sharing CC numbers? Because we realize some data is "personal" and isn't to be used by others, like our username+passwords or whatever. This isn't exactly a new concept, just look at how it works for anything else that is tied to you.
wasabi991011 1 hours ago [-]
> What incentives do people today have for keeping their identifications to themselves?
Not being liable for loans they didn't take out themselves, being the recipient of government benefits they are owed, etc. I'm sure you have heard of identity theft before, but it sounds like you haven't heard of why it's a bad thing. It's not just a privacy thing.
Ajedi32 3 hours ago [-]
If you share your CC number, someone could steal your money. If you share your anonymous age verification token... someone could pretend to be 18? And by design that token is anonymous and there's no way to prove you were the one they got it from? Doesn't seem like much of a disincentive.
mrmanner 5 hours ago [-]
> On the government endpoint, which returns X that the platform uses as "evidence" for you being an adult, yes, that's tied to your identity, as the certificate/whatever is tied to your identity.
In this scenario the government knows all the age-restricted sites I've visited. I'd argue that is worse than if all the age-restricted sites I've visited know who I am...
(FTR I don't know what I think about age restrictions in general, but I'm pretty sure there's no implementation that comes without negative side effects)
Ajedi32 3 hours ago [-]
Not necessarily. The age verification proof doesn't need to be site-specific. But again, that reduces the incentive "for the citizen to make sure their authentication isn't shared" because there's nothing tying it to them.
I also kinda hate the whole idea of needing explicit permission from the government to access the open web, regardless of whether or not they know which specific sites they're giving me permission to access.
immibis 2 hours ago [-]
There's actually a much better idea that's been floating around. Require over-18 sites to set a certain header. Then anyone who wants to can install a browser on their kid's device that will block pages with the header. There's no privacy implications, no surveillance implications, no need to make VPNs illegal as long as they pass it through; it's just a plain old parental block with a regulation keeping it always up to date. Yes, you may have to stop your kid installing random software on the device to bypass whatever blocking you set up, but you had to do that anyway. If it's Apple or Google they could easily enough require everything in the app store to respect the flag when the device is set to kid mode.
(If the government does the incredibly overbearing thing and does not do the simple and effective and unintrusive thing, it proves their motivations are surveillance)
gjsman-1000 1 hours ago [-]
Already exists; the industry called it RTA (Restricted To Adults). Nobody used it... and it's 19 years old. Complete failure categorized under "we already tried that."
Was it legally mandated? I think that's the main idea GP is proposing. Obviously without any incentive to actually implement it there's no point.
philipkglass 56 minutes ago [-]
I don't think that it matters. The big porn sites have served RTA tags for many years. Android, Windows, macOS, and iOS can all be configured to block adult content tagged with this system. That still hasn't stopped a bunch of states from passing age verification laws ostensibly targeted at protecting children from these sites.
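The header-based approach proposed above, and the RTA label the replies point out already exists, can be enforced entirely on the client. The following is an added example, not Bluesky's code or any browser's or OS vendor's: a Go http.RoundTripper that scans each response for the RTA label in either of its published forms (the Rating header or the RATING meta tag) and substitutes a block page. The label value comes from the RTA scheme; the type names, the 64 KiB scan limit and the sample responses are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Added example of the "label it and let the device block it" idea; not Bluesky's code,
// nor any browser or OS vendor's. It uses the existing RTA (Restricted To Adults) label,
// published as an HTTP "Rating" header or a <meta name="RATING"> tag, and enforces it
// on the client side as an http.RoundTripper.

const RTALabel = "RTA-5042-1996-1400-1577-RTA"

var metaTag = regexp.MustCompile(`(?is)<meta\b[^>]*>`)
var nameRating = regexp.MustCompile(`(?i)\bname\s*=\s*["']?rating\b`)

// IsRTALabelled reports whether a response carries the RTA label in either form. Only the
// given body prefix is scanned: the tag belongs in <head>, so a bounded prefix suffices.
func IsRTALabelled(h http.Header, bodyPrefix []byte) bool {
	for _, v := range h.Values("Rating") {
		if strings.EqualFold(strings.TrimSpace(v), RTALabel) {
			return true
		}
	}
	for _, tag := range metaTag.FindAll(bodyPrefix, -1) {
		if nameRating.Match(tag) && bytes.Contains(bytes.ToUpper(tag), []byte(RTALabel)) {
			return true
		}
	}
	return false
}

// KidModeTransport wraps another transport and swaps labelled responses for a block page.
// Stopping the child from removing or bypassing it is the same device-management problem
// every parental control has.
type KidModeTransport struct{ Base http.RoundTripper }

func (t KidModeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.Base.RoundTrip(req)
	if err != nil {
		return nil, err
	}
	head, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // scan at most 64 KiB for the tag
	if err != nil {
		resp.Body.Close()
		return nil, err
	}
	if IsRTALabelled(resp.Header, head) {
		resp.Body.Close()
		return blockedResponse(req), nil
	}
	resp.Body = struct { // not labelled: replay the bytes already read, then the rest
		io.Reader
		io.Closer
	}{io.MultiReader(bytes.NewReader(head), resp.Body), resp.Body}
	return resp, nil
}

func blockedResponse(req *http.Request) *http.Response {
	msg := "blocked by parental filter: this site labels itself adults-only\n"
	return &http.Response{
		Status: "403 Forbidden", StatusCode: http.StatusForbidden, Proto: "HTTP/1.1", ProtoMajor: 1, ProtoMinor: 1,
		Header: http.Header{"Content-Type": {"text/plain"}}, ContentLength: int64(len(msg)),
		Body:   io.NopCloser(strings.NewReader(msg)), Request: req,
	}
}

// StaticResponse stands in for the network so the filter can be exercised offline.
type StaticResponse struct {
	Header http.Header
	Body   string
}

func (s StaticResponse) RoundTrip(req *http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: 200, Header: s.Header.Clone(),
		Body: io.NopCloser(strings.NewReader(s.Body)), Request: req}, nil
}

func main() {
	samples := map[string]StaticResponse{ // constructed, not real sites
		"header-labelled": {http.Header{"Rating": {RTALabel}}, "<html>adult</html>"},
		"meta-labelled":   {http.Header{}, `<html><head><meta content="rta-5042-1996-1400-1577-rta" name='RATING'></head></html>`},
		"unlabelled":      {http.Header{}, `<html><head><meta name="viewport" content="width=device-width"></head>hello</html>`},
	}
	req, _ := http.NewRequest("GET", "http://example.invalid/", nil)
	for name, s := range samples {
		resp, err := KidModeTransport{Base: s}.RoundTrip(req)
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
		fmt.Println(name, "->", resp.StatusCode)
	}
}
```

The filter only works for sites that label themselves honestly, which is exactly the gap a legal mandate to set the label would close, and it reveals nothing about the user to anyone: no identity document, no third party, no record of which sites were visited.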
ashdksnndck 2 hours ago [-]
How do they solve this for e-voting?
owisd 8 hours ago [-]
> obtainable by proxy
So no different to the rules around buying an 18+ DVD.
edent 9 hours ago [-]
I don't think that's quite accurate.
Most age verification services use either government providers or 3rd party providers. I show my passport (or whatever) to the third-party. They relay to the site "this user is / isn't over 18". They don't send the DoB, address, photo etc.
So the online service only receives a binary yes/no and nothing else. I don't lose any privacy there.
The third-party knows that you wanted to be verified on service xyz, but not what you do there. Depending on the service I'm using, I may or may not care that they know.
Handing over a passport / licence to get into a bar leaks more information than that.
zx8080 9 hours ago [-]
> I don't lose any privacy there.
By sending your gov ID(s) to a third party? You do! They will leak (or leak and then sell) your ID with your name to those who want to buy it, along with the services you've ever authorized with them, and probably the list of services you visit with timestamps. As it's NOT a one-time token, I'm pretty sure it has to be renewed from time to time (12h expiration? 1h? Who knows).
This is a system designed for tracking and control.
pjc50 9 hours ago [-]
You've just leaked your identity to the third party!
These third parties tend to be US based, as well. That always raises privacy questions due to "Safe Harbor". It was completely stupid of the government not to even provide a UK age verification service before putting this in place.
edent 8 hours ago [-]
It isn't a leak if you do it intentionally.
There are lots of age-verification providers in the UK / EU. The industry had plenty of notice this was coming and reacted accordingly.
jayd16 9 hours ago [-]
Shouldn't it at least just give the user a site agnostic token they can relay themselves? Why does the verifier need the site?
edent 8 hours ago [-]
Absolutely. But I assume they want to know which site has made the request so they can bill them properly.
lucumo 8 hours ago [-]
But if you allow that, the third-party has your id and a list of ALL adult sites you visit. If that leaks it's even worse than a single site leaking your id.
itake 9 hours ago [-]
how long does the bar retain access to your ID?
how can you trust 3rd party providers?
edent 8 hours ago [-]
I don't know if you've been to a bar recently. Lots of them stick IDs in a scanner. I handed over my passport to a hotel recently, they took it away and photocopied it.
I'd rather trust an organisation which stakes its business on being secure than handing over my ID to anyone.
immibis 2 hours ago [-]
So if it's really like that then what stops me charging people $5 to verify their account for them? Would I get in trouble for doing that? If so, that just proves it wasn't anonymous and people were right to get me to verify for them.
edent 2 hours ago [-]
Unsurprisingly, the regulations require that providers take adequate steps to verify identities.
In the UK, that usually means being certified by https://accscheme.com/registry/ or similar. Just saying "I asked some random provider to verify" isn't going to cut it.
Incidentally, $5 is around 10x more expensive than most providers.
tzs 8 hours ago [-]
That's not correct. With a government issued signed digital ID cryptographically bound to a hardware security module you can use a zero-knowledge proof based protocol to prove to any third party site that (1) you have a signed government ID, (2) you have the hardware security module that it was bound to when the government issued it to you, and (3) the date of birth field on that ID says you are older than the site's age threshold.
This reveals no other information to the site.
The EU is on track to deploy such a system by the end of 2026. They are currently doing field testing involving thousands of users.
ranger_danger 2 hours ago [-]
But it still doesn't prove that the person creating the proof is the person who was assigned the government ID, right? What's to stop someone from using their ID to power a bunch of bots?
And AFAIK unless the company has a database/API for all the existing IDs in the world, I would think it doesn't stop forged IDs from existing.
And even then, corrupt employees could still issue forged IDs... there's no guarantee that a single ID equals a single person forever.
immibis 2 hours ago [-]
Yup. For $5 (hypothetically) I'll use my ID to make that ZKP for you, and you can pass it to the site.
So what is the problem? I don’t want my kids sharing real names online. I wouldn’t want them verifying their age with Bluesky either. But that’s fine because I also don’t want them getting porn or DMs on bluesky.
This is win win for kids. It’s not a win for adults who now have to expose their identity.
Ajedi32 3 hours ago [-]
> So what is the problem? [...] It’s not a win for adults
But isn't that exactly the problem? What are you confused about? You think there's no issue with violating the privacy of all adults as long as children are unaffected?
gjsman-1000 2 hours ago [-]
Being an adult is the ability to be responsible for your actions. Arguing for the ability to disclaim any responsibility or risk of responsibility, at the expense of children's safety, is peak child behavior.
This view also makes a mockery of free speech, which was originally intended to allow mature adults to take responsibility and ownership of their actions and beliefs, not run away from them. The idea of running away from your actions and beliefs, in the name of freedom, inverts the entire philosophical foundation.
Ajedi32 2 hours ago [-]
I have no problem with personal responsibility, I do have a problem with mass government surveillance. (Or depending on implementation, merely government control of private communications. Either way it's not a good thing.)
"You must give the government more control of your life or you hate children." is a bad argument.
gjsman-1000 2 hours ago [-]
You're conflating identification with surveillance; which are completely separate issues. Every bar that cards you isn't surveilling you. Every bank that KYCs you isn't obligated to track every purchase; if they do, the reaction is not to ban KYC, but ban the surveillance. Every library card you use to check out, is not obligated to sell your data; if they do, the reaction is to ban data sales, not library cards.
The cypherpunk ideology has convinced you that any form of identity verification equals totalitarian control, which is precisely the absolutist thinking that prevents reasonable child safety measures, and got us here. There's a massive middle ground between 'anonymous free-for-all' and 'government surveillance state' that you're pretending doesn't exist.
You might say that's a slippery slope. However, government at all is a slippery slope, a senator can literally propose anything at any time, and a Supreme Court ruling can practically do whatever it wants. And yet, every attempt at living without a government, has always been worse. The internet right now is like living in an anarchic society with moderators and tech companies as warlords. The warlords don't see a problem with this, but the majority of people underneath know full well there's a government already.
The cypherpunk ideology doesn't keep government out of tech. It just creates worse governments with less accountability and more power.
AAAAaccountAAAA 34 minutes ago [-]
All this word salad and smooth talk about the "middle ground" just worries me even more. We have been living in such an unusual period of peace, prosperity and freedom that the pampered, wealthy segment of the Western people is considering children seeing porn as some sort of catastrophe, warranting extreme countermeasures. However, meanwhile in the actual reality, people are still being killed on the basis of sexual orientation.
I would support reasonable measures to block children from accessing pornographic content, but making people upload government IDs or biometric data does not belong to the realm of what is reasonable.
gjsman-1000 3 hours ago [-]
Your mistake is that HN, and Silicon Valley, has a religion: Cypherpunk. It's also probably among the dumbest set of ideologies.
No widely accepted philosopher ever sat down and said, "You know what, a free method of communication, with no restrictions, with no connection to identity, will benefit humanity as a whole."
No widely accepted religion ever sat down and said, "You know what, a method of disassociating speech from the person, without restriction, will benefit humanity as a whole."
No founding father of our country ever sat down and said, "You know what, the first amendment is stronger, the further we separate people's identities and morality judgements, from their arguments."
No scientific thought leader ever sat down and said, "You know what, I've done the research, and found kids that are exposed to the internet are 30% more contentious and 22% more forgiving, showing this is the right direction for society."
No classical liberal philosopher who argued for free speech thought this was a good idea. When they argued for free speech, the whole point was allowing people to accept personal responsibility for their opinions and beliefs, without a government forcing responsibility. Free speech for the sake of free speech, without any responsibility, wasn't in their wildest dreams.
This religion is solely, how do I do whatever I want without anyone telling me what I can't do. I want maximum freedom with zero personal responsibility. The only defense is that it works out for the good about 0.1% of the time; there might be some dissidents in China who benefit, even though millions of kids are traumatized and 40% of the internet is robot traffic. There's no philosopher behind it, no science behind it, no religion behind it, just pure self-interested narcissistic anarchy.
To quote The Ethereum Foundation: "Rather than bend to knee to Donald Trump, the goal of the cypherpunk movement is to abolish the state in order to maximize human freedom via privacy-enhancing decentralized technologies. After reviewing the history of this deviant group of programmers in the 1980s, what philosophical and technical lessons do the cypherpunks hold for Ethereum today? Censorship-resistant digital cash was only one the start, and the missing parts of their legacy: mixnets and anonymous credentials for identity."
Aloisius 57 minutes ago [-]
Em. Thomas Paine, James Madison, Alexander Hamilton, John Jay, Benjamin Franklin, John Marshall, John Locke, Immanuel Kant, David Hume, Baruch Spinoza, René Descartes and many, many more wrote anonymously.
Some wrote anonymously because they wanted the words to speak for themselves, such as Madison, Hamilton and Jay writing the Federalist Papers.
Some did it because they thought their name might detract from the message - such as Franklin's writings when he was a teenager.
And some others did it to avoid consequences for their opinion - such as when Thomas Paine penned the case for American independence - literally treason. Even Paine's publisher, Benjamin Rush, remained anonymous!
The idea that free speech without responsibility wasn't a consideration seems contradicted by how utterly pervasive it was by classical liberal philosophers and founding fathers and how influential those writings were to the founding of the country and the creation and passage of the first amendment.
immibis 2 hours ago [-]
I think people just don't want the government to surveil everything they do.
Because it axes a liberty humans have enjoyed since we started talking to each other.
gsich 10 hours ago [-]
Because I don't trust any company with handling such verification.
tempfile 10 hours ago [-]
Your reply has been generated! In order to receive your reply, please complete a routine Age Verification check. To verify, simply post a copy of your government-issued ID into the comment box.
FAQs:
Q: Why should I give some stranger on the internet a copy of my government ID?
A:
bArray 8 hours ago [-]
> Your Direct Messages. We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purposes.
Your private DMs being unencrypted means that they are semi-private DMs. E2E should be enforced everywhere.
extraduder_ire 2 hours ago [-]
They are working on private repo data, Direct Messages were a hack job added in a hurry. It was one of the things people would hound the developers about any time they posted about anything.
Also, "private DMs" would more accurately be called PMs.
OkayPhysicist 6 hours ago [-]
Different contexts have different threat models. If my goal is to have a secure, private conversation with someone, I'll use Signal. If my goal is to communicate some less-than-sensitive information with someone, but the content isn't relevant to anybody else, then an unencrypted DM is fine.
In the context of public-broadcast social media, the service's ability to moderate abusive uses of a DM system is probably more important to me than the ability to have absolute control over who reads my messages.
irusensei 13 hours ago [-]
Bluesky doesn’t sound very decentralized to me.
dpatterbee 12 hours ago [-]
My understanding is that Bluesky is a service built on top of a decentralized protocol, ATProto. This allows users to use alternative hosts for their data instead of the bluesky servers, but if you're using Bluesky then they still hold your data.
I also think the private DMs might be hosted externally to ATProto because that is all meant to be public information or something.
I would assume that the age verification is built at the app layer, so you could use an alternative app (I think they call them AppViews?) to get around the age verification thing. Don't know if alternatives really exist today though, there are probably some.
extraduder_ire 2 hours ago [-]
Age verification is done in the client (app/website); the appview (the CTO calls it an appserver now) is the backend that services API requests from the default, and most other, clients. DMs themselves are not stored in ATproto, and are kind of a hack.
You can migrate your PDS (data server) away from bluesky's servers to another host, and as of a few days ago you can migrate back. (only if you initially signed up to bluesky, not if you started off self-hosting)
There's a few, I really like PinkSky which makes BlueSky into Instagram instead of Twitter.
pjc50 13 hours ago [-]
It isn't really, it's "Postel decentralization" (a lot of early internet services people might have assumed were distributed were in fact just a guy, John Postel).
I don't think that matters in this context where the rules apply regardless of decentralization. However, I believe that you can in fact just use the protocol without any of the "age verification" nonsense the UK government has imposed on us.
jrm4 2 hours ago [-]
It sounds like a dumb kind of centralization; yes, you can download all your old stuff, in the hopes that someone else will host it for you eventually.
The smarter thing is the thing we already have with email (and that Mastodon can do) -- you have to place trust somewhere, so do it with whatever decentralized server you choose. I get that it's not robust -- or more specifically you DO have to trust whoever's running the server -- but that's better than the now obvious goofy centralization that Bluesky is now subject to.
Bluesky's apps have the verification, but everything else using the protocol can just not implement it.
numpad0 4 hours ago [-]
Yup, completely centralized. The decentralization angle pretty much died on the spot after anime artists migrating from Twitter were about to hit a critical mass and someone forced so-called moderation on them to fix that.
ronbenton 11 hours ago [-]
But isn’t this just referring to the app view? And there can be (and are) many independent implementations of the app view?
cykros 12 hours ago [-]
That's what Jack Dorsey realized too, which is why he's a Nostr guy these days.
throwaway290 11 hours ago [-]
Nostr is just a protocol, on which you can just as easily build centralized platforms :)
konart 7 hours ago [-]
ATProto is a protocol too. No need to use bluesky itself.
Spivak 9 hours ago [-]
It seems like ATProto and Nostr have a similar architecture and similar centralization failure modes in the relay servers. The "you can run your own but in practice nobody does" problem.
irusensei 8 hours ago [-]
According to https://nostr.watch there is a considerable number of operational relays.
From what I understand of BlueSky, a personal PDS can host accounts and content but the network depends on big hubs like the main bluesky instance. It almost feels more like a convenient cost-cutting strategy from the company behind BlueSky than actual decentralization. Correct me if I'm wrong.
This sounds worse than Mastodon. As for Nostr, it is more of a one-to-many system where a user signs a message and posts it to a bunch of relays from which it can be fetched, all while said message itself contains hints about where to find it.
immibis 2 hours ago [-]
Bluesky is centralised. Using technology that could also hypothetically support a decentralised platform does not make the centralised platform decentralised. https://arewedecentralizedyet.online/
RobotToaster 13 hours ago [-]
It isn't, it relies on a single BGS router server.
nemo44x 12 hours ago [-]
[flagged]
Geezus_42 11 hours ago [-]
Because Twitter people aren't super sensitive... :D
swiftcoder 12 hours ago [-]
Kudos on going through the whole public-facing process. It may be a bit pointless, but it is a good way to unearth process gaps
greatgib 2 hours ago [-]
This proves that bluesky sucks at least as much as Twitter as it is still a walled garden...
pfraze 2 hours ago [-]
We might suck as much as Twitter but not because we’re a walled garden. These rules are applied in our apps, not on other at:// apps, which can decide for themselves what to do about these laws.
petercooper 10 hours ago [-]
I have the same issue. DMs coming in, but no way to see them. I'm not bothered by it and would rather it just be disabled, but they could make them read-only (or even just show the author) while disabling replies (which should still adhere to the OSA).
jayd16 7 hours ago [-]
> If services don't want to provide moderation then they shouldn't let their younger users be exposed to harm.
Isn't that moderation?
latexr 12 hours ago [-]
> Frankly, it is baffling that such a well-funded company takes this long to answer a simple request.
What is frankly baffling is that after the past two decades someone would still believe more money equals better customer service, or that VC-funded companies care even the smallest bit about you.
grues-dinner 12 hours ago [-]
Good human customer service may be a turn off for VCs hoping for a unicorn. It doesn't scale infinitely, so if you need customer service to make your thing go - and presumably you do otherwise you wouldn't have a rep for good service, you'd have no service and no one would notice - your product probably isn't going to go stratospheric.
jeroenhd 12 hours ago [-]
Customer service is one thing, but GDPR data requests are a matter of legal compliance.
From their privacy policy page:
Data Protection Officer: Bluesky has appointed a Data Protection Officer (DPO). You may contact our DPO at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, HR2 6JT, dpo@ametrosgroup.com.
Data Protection Representative: Bluesky has appointed a Data Protection Representative (DPR) for both the UK and EU. You may contact Bluesky's EU Representative at Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland, gdpr@ametrosgroup.com. You may contact Bluesky's UK Representative at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, England, HR2 6JT, gdpr@ametrosgroup.com.
This shows that the author should file a complaint with the Irish DPA (assuming they're an EU national) or the UK's DPA if they're from there. Bluesky repeatedly exceeded the applicable legal deadlines.
They seem to have outsourced their compliance to https://ametrosgroup.com/ which would probably explain why it takes forever to get them to comply; the people dealing with the legal paperwork don't have access to the API to run a data export because they're a completely different company.
latexr 12 hours ago [-]
I understand that. Over the years I’ve sent several GDPR requests for my data and its deletion, and I always remind the service in the very first message that the law requires a response within thirty days. But I also know that a failure to comply is very hard to fight. These companies avoid the law for as long as they can.
> the author should file a complaint with the Irish DPA
Good luck with that. If you follow the work done by noyb, what you quickly learn is the Irish DPA loves US companies and giving them a pass. They actively defend them. The new Irish DPC commissioner is a former Meta lobbyist.
https://noyb.eu/en/former-meta-lobbyist-named-dpc-commission...
> "Asked to provide my country of residence and to prove my account ownership by send an email from the address associated with my BSky account."
Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email?
Is the email "From" field safe to trust? Can it be spoofed?
Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
If a user's inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?
kace91 12 hours ago [-]
>Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
Isn’t that the general practice?
Maybe with extra steps, but most services allow the “I just forgot my password -> I get a recovery email” flow, which trusts that the email from which the account was created is proof of identity. Then you get access to everything else with the password.
shakna 12 hours ago [-]
It's usually only reasonable to ask for a government ID, where you have already verified that in the past. Asking for it is discouraged - as that's you now handling sensitive information you should not store.
You can only use what you know of the client, to verify their request.
Proof of control of the only identity you have, tends to be "fair and reasonable".
edent 11 hours ago [-]
> Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.
You send a message to the email address listed on the account. You don't reply to the initial email.
To clarify what happened to me. I emailed them from an account which was not the same as the one used to sign up. (I emailed from admin@example, but the BSky address was 1234@example.com)
They replied saying that they required me to email from the address associated with the account.
I logged into BSky, changed the email address (to admin@), then replied to their message.
They then replied to the account's email. I had successfully demonstrated that I was the person in control of the account.
> Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
The law is about proportionality. Would a reasonable person / process assume that only the user controls their email? For a social network, probably. If this were a medical service, it might require passing 2FA.
> If a users inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?
Yes. But they could also do a password reset. Having MFA helps here.
mschuster91 12 hours ago [-]
> Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.
By the time someone has access to an email account, they could just reset the password and access the data anyway, no loss of trust.
> Is the email "From" field safe to trust? Can it be spoofed?
If it matches the account email address, send the response to that email. A simple spoof will only lead to the user getting a "your gdpr export is ready" but the attacker can't get to the data.
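The verification flow edent and mschuster91 describe above, written out as an added example (this is not Bluesky's code and not anything from the thread). The From header of the inbound request is deliberately not an input: the service identifies the account by the handle the requester names, mails a one-time link to the address on file, and treats redemption of that link as proof of mailbox control. The type names, the 24-hour window, the HMAC-hashed token and the `mfaPassed` flag (standing in for whatever second-factor check the service already has) are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Account is a stand-in for a service's user record (constructed for this example).
type Account struct {
	Handle string
	Email  string // address currently on file: the only identity the service holds
	MFA    bool   // a second factor is enrolled
}

// Challenge is what the service keeps after mailing a one-time link to the on-file address.
type Challenge struct {
	MailedTo  string    // address the link went to, frozen at issue time
	TokenHash []byte    // HMAC-SHA256 of the token; the raw token exists only in the email
	Expires   time.Time
}

// Verifier issues and redeems mailbox-control challenges for data-subject requests.
type Verifier struct {
	secret   []byte
	accounts map[string]*Account   // by handle
	pending  map[string]*Challenge // by handle; at most one live challenge each
	Now      func() time.Time      // injectable clock, so expiry can be tested
}

func NewVerifier(secret []byte, accounts ...*Account) *Verifier {
	v := &Verifier{secret: secret, accounts: map[string]*Account{}, pending: map[string]*Challenge{}, Now: time.Now}
	for _, a := range accounts {
		v.accounts[a.Handle] = a
	}
	return v
}

func (v *Verifier) mac(token string) []byte {
	m := hmac.New(sha256.New, v.secret)
	m.Write([]byte(token))
	return m.Sum(nil)
}

// IssueChallenge takes only the handle the requester names. Whatever From
// header the request carried is irrelevant: the link goes to the address on
// file, so a spoofed From gives the real owner a surprise email and the
// sender nothing.
func (v *Verifier) IssueChallenge(handle string) (mailTo, token string, err error) {
	a, ok := v.accounts[handle]
	if !ok {
		return "", "", errors.New("unknown account")
	}
	raw := make([]byte, 32) // 256-bit random token; rate-limit Redeem in practice
	if _, e := rand.Read(raw); e != nil {
		return "", "", e
	}
	token = hex.EncodeToString(raw)
	v.pending[handle] = &Challenge{MailedTo: a.Email, TokenHash: v.mac(token), Expires: v.Now().Add(24 * time.Hour)}
	return a.Email, token, nil
}

// Redeem is called when the requester follows the link. mfaPassed is the result
// of the service's existing second-factor check (assumed, not implemented here).
func (v *Verifier) Redeem(handle, token string, mfaPassed bool) (*Account, error) {
	c, ok := v.pending[handle]
	if !ok {
		return nil, errors.New("no pending challenge")
	}
	a := v.accounts[handle]
	switch {
	case v.Now().After(c.Expires):
		delete(v.pending, handle)
		return nil, errors.New("challenge expired")
	case !hmac.Equal(c.TokenHash, v.mac(token)):
		return nil, errors.New("bad token") // constant-time compare; a guess does not burn the challenge
	case a.Email != c.MailedTo:
		delete(v.pending, handle) // address changed after the link was sent: start over
		return nil, fmt.Errorf("account email changed since the link was mailed to %s", c.MailedTo)
	case a.MFA && !mfaPassed:
		return nil, errors.New("second factor required")
	}
	delete(v.pending, handle) // single use
	return a, nil
}

func main() {
	v := NewVerifier([]byte("server-side secret, constructed for the example"),
		&Account{Handle: "alice", Email: "1234@example.com"})
	mailTo, token, _ := v.IssueChallenge("alice")
	fmt.Println("one-time link mailed to:", mailTo)
	if _, err := v.Redeem("alice", "not-the-token", false); err != nil {
		fmt.Println("rejected:", err)
	}
	a, _ := v.Redeem("alice", token, false)
	fmt.Println("mailbox control demonstrated for:", a.Handle)
}
```

Note that the check `a.Email != c.MailedTo` is what makes edent's own sequence work cleanly: change the address first, then request the challenge, and the proof binds to the new address; change it afterwards and the outstanding link is void.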
tonyhart7 10 hours ago [-]
I thought bluesky is decentralized tweet so we don't have to deal with verification like this?????
evbogue 7 hours ago [-]
The signed databases can be decentralized, but the index is mostly controlled by Bluesky and most of the 3rd party apps depend on Bluesky API calls. These API calls are not currently applying these tougher filters that the Bluesky social-app applies to the feeds.
Rover222 2 hours ago [-]
"We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purpose"
Sounds about right for a platform created specifically because another platform stopped censoring things.
edent 2 hours ago [-]
You do know that Twitter's DMs were also unencrypted, right?
Rover222 2 hours ago [-]
Yes, my point is that the Bluesky Trust and Safety committee would probably ban someone for saying trans women aren't women (or whatever opinion is not allowed). Just like old twitter.
Undeniably a low-effort and unhelpful comment on my part.
Before the internet, when you joined a community you had to show your face; I'm not aware of many clubs involving minors where people in a balaclava were welcome.
Go watch the classic black and white "Frankenstein" for a portrayal of mob justice. Torches and pitchforks!
How about the French Revolution... where the head of the mob meets the same end, with the loss of his head?
> Self governing communities on the internet need some means to monitor themselves just like they do offline.
This is also an accurate description of a lynching. You think we're doing better online? See reddit getting the Boston bomber wrong.
Bluesky is a company, not a "self-governing community." They didn't have a legislative process to decide to do this.
As everyone knows, risk is unacceptable!
And inappropriate is of course an objective classification.
Anyone can easily circumvent this by using asymmetric cryptography to encrypt their messages.
They're going to move to another platform where they can find targets who have DM functionality available. BlueSky's job is done.
Now, of course, I'm not naive -- I understand that this idea is extremely unlikely to catch on and we're probably well past it. But still going to put it out there because I think it makes the most sense.
There’s a nerd gambit where we say well technically you can trace IP addresses too but in practice it’s much faster and easier for police to track someone down by phone number than to go through all the steps of tracing someone’s activity through a service provider and then to their ISP and then to their household.
It’s not the same at all.
The tor project was built specifically to ensure anonymity for internet traffic, and it works well as far as I know.
Phone numbers are not the same, countries require you to verify your identity to sign up for a phone plan, most sane countries have a government identity tied to each and every phone number, and proxying doesn't change that.
The US is weird in that it has some anti-government-identity stance that makes this way less centralized, but regardless, phone numbers are mostly traceable, there's nothing like tor, and the law also treats sms as more traceable.
Phone plans also cost at least something to sign up for.
I will give you that physical letters can be anonymous, but due to postage stamps it's much more expensive to send them in excess.
I would argue that one could be MORE of a creep and lewd in DMs than in public.
The reason OSA puts DMs in scope is because they are out of view of the public. If you start creeping on someone where it is viewable, people will call you out.
If you do it in private it becomes "our little secret".
That's how groomers work. Go talk to any kid blackmailed into doing something they didn't want to do. It often starts with private messages.
I've always taught my children never to use their real names online. Precisely to avoid creeps. Mandatory age verification means mandatory identification.
Say you have a digital certificate from the government or similar that you use to do your taxes online or whatever, the government could have endpoints where you could use that certificate for signing a proof, that you then hand over to the platform you want to verify your age with. The platform can then confirm it's valid, and that $AGE>X, but they get no other details.
You can even go a bit fancier/more complicated, and the government endpoints wouldn't know what platform you're trying to verify.
What is the incentive for the citizen to make sure their authentication isn't shared?
But as long as the platform who need to validate that you're an adult don't get your identity, but just the proof, I don't see what the problem is?
> What is the incentive for the citizen to make sure their authentication isn't shared?
What incentives do people today have for keeping their identifications to themselves? Why aren't we all sharing CC numbers? Because we realize some data is "personal" and isn't to be used by others, like our username+passwords or whatever. This isn't exactly a new concept, just look at how it works for anything else that is tied to you.
Not being liable for loans they didn't take out themselves, being the recipient of government benefits they are owed, etc. I'm sure you have heard of identity theft before, but it sounds like you haven't heard of why it's a bad thing. It's not just a privacy thing.
In this scenario the government knows all the age-restricted sites I've visited. I'd argue that is worse than if all the age-restricted sites I've visited know who I am...
(FTR I don't know what I think about age restrictions in general, but I'm pretty sure there's no implementation that comes without negative side effects)
I also kinda hate the whole idea of needing explicit permission from the government to access the open web, regardless of whether or not they know which specific sites they're giving me permission to access.
(If the government does the incredibly overbearing thing and does not do the simple and effective and unintrusive thing, it proves their motivations are surveillance)
https://www.rtalabel.org
You can use it too, just put this in as a meta tag:
<meta name="RATING" content="RTA-5042-1996-1400-1577-RTA" />
Or send the following header:
Rating: RTA-5042-1996-1400-1577-RTA
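The client-side half of the RTA scheme, as an added example (not code from rtalabel.org or from the thread): a filter running on the child's device looks for the label in either the `Rating` header or the meta tag and blocks on a match, with nobody on the server side learning who the visitor is. The label string is the one quoted in the post above; the function name and the regex-based meta scan (adequate for a filter, not a full HTML parser) are this example's own choices.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// RTALabel is the fixed label string published by rtalabel.org (quoted in the post above).
const RTALabel = "RTA-5042-1996-1400-1577-RTA"

// Two patterns cover both attribute orders: name=... content=... and content=... name=...
// (?is): case-insensitive, and '.' may span newlines inside a tag.
var (
	metaNameFirst    = regexp.MustCompile(`(?is)<meta\b[^>]*\bname\s*=\s*["']?rating["']?[^>]*\bcontent\s*=\s*["']?([^"'\s>]+)`)
	metaContentFirst = regexp.MustCompile(`(?is)<meta\b[^>]*\bcontent\s*=\s*["']?([^"'\s>]+)["']?[^>]*\bname\s*=\s*["']?rating`)
)

// HasRTALabel reports whether a response declares itself adult-only, either via
// the Rating header or via <meta name="RATING" content="..."> in the body.
func HasRTALabel(h http.Header, body string) bool {
	for _, v := range h.Values("Rating") { // header names are canonicalised; repeated headers are all checked
		if strings.EqualFold(strings.TrimSpace(v), RTALabel) {
			return true
		}
	}
	for _, re := range []*regexp.Regexp{metaNameFirst, metaContentFirst} {
		if m := re.FindStringSubmatch(body); m != nil && strings.EqualFold(m[1], RTALabel) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed response fragments, not fetched from anywhere.
	h := http.Header{}
	h.Set("Rating", RTALabel)
	fmt.Println("header only:", HasRTALabel(h, ""))
	page := `<html><head><meta name="RATING" content="RTA-5042-1996-1400-1577-RTA" /></head></html>`
	fmt.Println("meta only:", HasRTALabel(http.Header{}, page))
	fmt.Println("unlabelled:", HasRTALabel(http.Header{}, `<meta name="description" content="hello">`))
}
```

A filter that honours this label is only as good as the sites that send it, which is the trade-off the surrounding thread is arguing about: it costs the adult visitor nothing, and it costs a site that does not want to cooperate nothing either.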
So no different to the rules around buying an 18+ DVD.
Most age verification services use either government providers or 3rd party providers. I show my passport (or whatever) to the third-party. They relay to the site "this user is / isn't over 18". They don't send the DoB, address, photo etc.
So the online service only receives a binary yes/no and nothing else. I don't lose any privacy there.
The third-party knows that you wanted to be verified on service xyz, but not what you do there. Depending on the service I'm using, I may or may not care that they know.
Handing over a passport / licence to get into a bar leaks more information than that.
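The proof-of-age exchange sketched in the "digital certificate from the government" comment above and in edent's description of a provider relaying only "this user is / isn't over 18", written out as an added example (not the EU wallet code, not any provider's code, not from the thread). The issuer has already inspected the passport out of band (assumed); it signs nothing but a random nonce, an age threshold and an expiry, so the site learns a single bit and the issuer never sees a site name. The `av1|...` statement format, Ed25519, the type names and the nonce-first ordering are this example's assumptions. It does not give unlinkability: the issuer still learns that some verification happened and when, which is the gap anonymous credentials are meant to close.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Issuer is the government endpoint or accredited provider. Checking the
// user's document is out of scope and assumed done before Attest is called.
type Issuer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // what every relying site is configured to trust
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv, Pub: pub}, nil
}

// Attest signs the minimal statement "this nonce, at least this old, until this
// time". Name, date of birth and document number never leave the issuer, and the
// issuer sees only the nonce, not which site will receive the proof.
func (i *Issuer) Attest(nonce string, userAge, threshold int, exp time.Time) (string, error) {
	if userAge < threshold {
		return "", errors.New("threshold not met; nothing issued")
	}
	stmt := fmt.Sprintf("av1|%s|%d|%d", nonce, threshold, exp.Unix())
	sig := ed25519.Sign(i.priv, []byte(stmt))
	return stmt + "|" + hex.EncodeToString(sig), nil
}

// Platform is the relying site: it knows the issuer's public key and nothing
// about the user beyond what the proof states.
type Platform struct {
	IssuerPub ed25519.PublicKey
	Required  int              // e.g. 18
	Now       func() time.Time // injectable clock
}

// NewNonce is handed to the user before they visit the issuer. Binding it into
// the signed statement stops one person's proof being replayed for another account.
func (p *Platform) NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil // hex only, so it can never contain the '|' separator
}

// Verify returns the one bit the site is entitled to learn.
func (p *Platform) Verify(expectedNonce, proof string) (bool, error) {
	parts := strings.Split(proof, "|")
	if len(parts) != 5 || parts[0] != "av1" {
		return false, errors.New("malformed proof")
	}
	sig, err := hex.DecodeString(parts[4])
	if err != nil {
		return false, err
	}
	stmt := strings.Join(parts[:4], "|")
	if !ed25519.Verify(p.IssuerPub, []byte(stmt), sig) {
		return false, errors.New("signature not from a trusted issuer")
	}
	if parts[1] != expectedNonce {
		return false, errors.New("nonce mismatch: proof issued for a different session")
	}
	threshold, err := strconv.Atoi(parts[2])
	if err != nil {
		return false, err
	}
	expUnix, err := strconv.ParseInt(parts[3], 10, 64)
	if err != nil {
		return false, err
	}
	if p.Now().After(time.Unix(expUnix, 0)) {
		return false, errors.New("proof expired")
	}
	if threshold < p.Required {
		return false, fmt.Errorf("proof attests %d+, site requires %d+", threshold, p.Required)
	}
	return true, nil
}

func main() {
	issuer, _ := NewIssuer()
	site := &Platform{IssuerPub: issuer.Pub, Required: 18, Now: time.Now}
	nonce, _ := site.NewNonce()
	// Constructed user: the issuer has already established an age of 34 from a document.
	proof, _ := issuer.Attest(nonce, 34, 18, time.Now().Add(time.Hour))
	ok, err := site.Verify(nonce, proof)
	fmt.Println("over 18:", ok, err)
}
```

The expiry answers the "12h? 1h? who knows" objection further down: a short-lived proof is re-requested, but each re-request carries a fresh nonce and still no identity, so renewal adds no data to the site's side.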
By sending your gov ID(s) to a third party? You do! They will leak (or leak and then sell) your ID with your name to those who want to buy it. With services you've ever authorized with them, and probably the list of services you visit with timestamps. As it's NOT a one-time token, I'm pretty sure it has to be renewed from time to time (12h expiration? 1h? Who knows).
This is a system designed for tracking and control.
These third parties tend to be US based, as well. That always raises privacy questions due to "Safe Harbor". It was completely stupid of the government not to even provide a UK age verification service before putting this in place.
There are lots of age-verification providers in the UK / EU. The industry had plenty of notice this was coming and reacted accordingly.
how can you trust 3rd party providers?
I'd rather trust an organisation which stakes its business on being secure than handing over my ID to anyone.
In the UK, that usually means being certified by https://accscheme.com/registry/ or similar. Just saying "I asked some random provider to verify" isn't going to cut it.
Incidentally, $5 is around 10x more expensive than most providers.
This reveals no other information to the site.
The EU is on track to deploy such a system by the end of 2026. They are currently doing field testing involving thousands of users.
And AFAIK unless the company has a database/API for all the existing IDs in the world, I would think it doesn't stop forged IDs from existing.
And even then, corrupt employees could still issue forged IDs... there's no guarantee that a single ID equals a single person forever.
https://github.com/eu-digital-identity-wallet/av-doc-technic...
https://blog.google/technology/safety-security/opening-up-ze...
https://news.ycombinator.com/item?id=44457390
This is win win for kids. It’s not a win for adults who now have to expose their identity.
But isn't that exactly the problem? What are you confused about? You think there's no issue with violating the privacy of all adults as long as children are unaffected?
This view also makes a mockery of free speech, which was originally intended to allow mature adults to take responsibility and ownership of their actions and beliefs, not run away from them. The idea of running away from your actions and beliefs, in the name of freedom, inverts the entire philosophical foundation.
"You must give the government more control of your life or you hate children." is a bad argument.
The cypherpunk ideology has convinced you that any form of identity verification equals totalitarian control, which is precisely the absolutist thinking that prevents reasonable child safety measures, and got us here. There's a massive middle ground between 'anonymous free-for-all' and 'government surveillance state' that you're pretending doesn't exist.
You might say that's a slippery slope. However, government at all is a slippery slope, a senator can literally propose anything at any time, and a Supreme Court ruling can practically do whatever it wants. And yet, every attempt at living without a government, has always been worse. The internet right now is like living in an anarchic society with moderators and tech companies as warlords. The warlords don't see a problem with this, but the majority of people underneath know full well there's a government already.
The cypherpunk ideology doesn't keep government out of tech. It just creates worse governments with less accountability and more power.
I would support reasonable measures to block children from accessing pornographic content, but making people upload government IDs or biometric data does not belong to the realm of what is reasonable.
No widely accepted philosopher ever sat down and said, "You know what, a free method of communication, with no restrictions, with no connection to identity, will benefit humanity as a whole."
No widely accepted religion ever sat down and said, "You know what, a method of disassociating speech from the person, without restriction, will benefit humanity as a whole."
No founding father of our country ever sat down and said, "You know what, the first amendment is stronger, the further we separate people's identities and morality judgements, from their arguments."
No scientific thought leader ever sat down and said, "You know what, I've done the research, and found kids that are exposed to the internet are 30% more contentious and 22% more forgiving, showing this is the right direction for society."
No classical liberal philosopher who argued for free speech thought this was a good idea. When they argued for free speech, the whole point was allowing people to accept personal responsibility for their opinions and beliefs, without a government forcing responsibility. Free speech for the sake of free speech, without any responsibility, wasn't in their wildest dreams.
This religion is solely, how do I do whatever I want without anyone telling me what I can't do. I want maximum freedom with zero personal responsibility. The only defense is that it works out for the good about 0.1% of the time; there might be some dissidents in China who benefit, even though millions of kids are traumatized and 40% of the internet is robot traffic. There's no philosopher behind it, no science behind it, no religion behind it, just pure self-interested narcissistic anarchy.
To quote The Ethereum Foundation: "Rather than bend the knee to Donald Trump, the goal of the cypherpunk movement is to abolish the state in order to maximize human freedom via privacy-enhancing decentralized technologies. After reviewing the history of this deviant group of programmers in the 1980s, what philosophical and technical lessons do the cypherpunks hold for Ethereum today? Censorship-resistant digital cash was only the start, and the missing parts of their legacy: mixnets and anonymous credentials for identity."
Some wrote anonymously because they wanted the words to speak for themselves, such as Madison, Hamilton and Jay writing the Federalist Papers.
Some did it because they thought their name might detract from the message - such as Franklin's writings when he was a teenager.
And some others did it to avoid consequences for their opinion - such as when Thomas Paine penned the case for American independence - literally treason. Even Paine's publisher, Benjamin Rush, remained anonymous!
The idea that free speech without responsibility wasn't a consideration seems contradicted by how utterly pervasive it was by classical liberal philosophers and founding fathers and how influential those writings were to the founding of the country and the creation and passage of the first amendment.
FAQs:
Q: Why should I give some stranger on the internet a copy of my government ID?
A:
Your private DMs being unencrypted means that they are semi-private DMs. E2E should be enforced everywhere.
Also, "private DMs" would more accurately be called PMs.
In the context of public-broadcast social media, the service's ability to moderate abusive uses of a DM system is probably more important to me than the ability to have absolute control over who reads my messages.
I also think the private DMs might be hosted externally to ATProto because that is all meant to be public information or something.
I would assume that the age verification is built at the app layer, so you could use an alternative app (I think they call them AppViews?) to get around the age verification thing. Don't know if alternatives really exist today though, there are probably some.
You can migrate your PDS (data server) away from bluesky's servers to another host, and as of a few days ago you can migrate back. (only if you initially signed up to bluesky, not if you started off self-hosting)
The following gist is good to glean how the age-verification system works: https://gist.github.com/mary-ext/6e27b24a83838202908808ad528...
I don't think that matters in this context where the rules apply regardless of decentralization. However, I believe that you can in fact just use the protocol without any of the "age verification" nonsense the UK government has imposed on us.
The smarter thing is the thing we already have with email (and that Mastodon can do) -- you have to place trust somewhere, so do it with whatever decentralized server you choose. I get that it's not robust -- or more specifically you DO have to trust whoever's running the server -- but that's better than the now obvious goofy centralization that Bluesky is now subject to.
Bluesky's apps have the verification, but everything else using the protocol can just not implement it.