[HN Gopher] Can you use GDPR to circumvent BlueSky's adult conte...
___________________________________________________________________
Can you use GDPR to circumvent BlueSky's adult content blocks?
Author : furkansahin
Score : 106 points
Date : 2025-09-30 08:50 UTC (14 hours ago)
(HTM) web link (shkspr.mobi)
(TXT) w3m dump (shkspr.mobi)
| irusensei wrote:
| Bluesky doesn't sound very decentralized to me.
| pjc50 wrote:
| It isn't really, it's "Postel decentralization" (a lot of early
| internet services people might have assumed were distributed
| were in fact just a guy, Jon Postel).
|
| I don't think that matters in this context where the rules
| apply regardless of decentralization. However, I believe that
| you can in fact just use the protocol without any of the "age
| verification" nonsense the UK government has imposed on us.
| RobotToaster wrote:
| It isn't, it relies on a single BGS router server.
| dpatterbee wrote:
| My understanding is that Bluesky is a service built on top of a
| decentralized protocol, ATProto. This allows users to use
| alternative hosts for their data instead of the bluesky
| servers, but if you're using Bluesky then they still hold your
| data.
|
| I also think the private DMs might be hosted externally to
| ATProto because that is all meant to be public information or
| something.
|
| I would assume that the age verification is built at the app
| layer, so you could use an alternative app (I think they call
| them AppViews?) to get around the age verification thing. Don't
| know if alternatives really exist today though, there are
| probably some.
| Spivak wrote:
| There's a few, I really like PinkSky which makes BlueSky into
| Instagram instead of Twitter.
| extraduder_ire wrote:
| Age verification is done in the client (app/website); the
| appview (CTO calls it an appserver now) is the backend that
| services api requests from the default, and most other,
| clients. DMs themselves are not stored in ATproto, and are
| kind of a hack.
|
| You can migrate your PDS (data server) away from bluesky's
| servers to another host, and as of a few days ago you can
| migrate back. (only if you initially signed up to bluesky,
| not if you started off self-hosting)
|
| The following gist is good to glean how the age-verification
| system works:
| https://gist.github.com/mary-ext/6e27b24a83838202908808ad528...
| cykros wrote:
| That's what Jack Dorsey realized too, which is why he's a Nostr
| guy these days.
| throwaway290 wrote:
| Nostr is just a protocol, on which you can just as easily build
| centralized platforms :)
| Spivak wrote:
| It seems like ATProto and Nostr have a similar architecture
| and similar centralization failure modes in the relay
| servers. The "you can run your own but in practice nobody
| does" problem.
| irusensei wrote:
| According to https://nostr.watch there is a considerable
| number of operational relays.
|
| From what I understand of BlueSky, personal PDS
| can host accounts and content but the network depends on
| big hubs like the main bluesky instance. It almost feels
| more like a convenient cost cutting strategy from the
| company behind BlueSky than actual decentralization.
| Correct me if I'm wrong.
|
| This sounds worse than Mastodon. As for Nostr, it is more of
| a one-to-many system where a user would sign a message
| and post it to a bunch of relays where it can be fetched
| all while said message itself contains hints where to
| find it.
| konart wrote:
| ATProto is a protocol too. No need to use bluesky itself.
| ronbenton wrote:
| But isn't this just referring to the app view? And there can be
| (and are) many independent implementations of the app view?
| biggestfan wrote:
| The age verification is client side and can easily be bypassed
| with a third party client or even with a userscript
| https://gist.github.com/mary-ext/6e27b24a83838202908808ad528...
|
| Bluesky's apps have the verification, but everything else using
| the protocol can just not implement it.
| numpad0 wrote:
| yup, completely centralized. The decentralization angle pretty
| much died on the spot after anime artists migrating from Twitter was
| about to hit a critical mass and someone forced them so-called
| moderation to fix that.
| jrm4 wrote:
| It sounds like a dumb kind of centralization; yes, you can
| download all your old stuff, in the hopes that someone else
| will host it for you eventually.
|
| The smarter thing is the thing we already have with email (and
| that Mastodon can do) -- you have to place trust somewhere, so
| do it with whatever decentralized server you choose. I get that
| it's not robust -- or more specifically you DO have to trust
| whoever's running the server -- but that's better than the now
| obvious goofy centralization that Bluesky is now subject to.
| immibis wrote:
| Bluesky is centralised. Using technology that could also
| hypothetically support a decentralised platform does not make
| the centralised platform decentralised.
| https://arewedecentralizedyet.online/
| latexr wrote:
| > Frankly, it is baffling that such a well-funded company takes
| this long to answer a simple request.
|
| What is frankly baffling is that after the past two decades
| someone would still believe more money equals better customer
| service, or that VC-funded companies care even the smallest bit
| about you.
| grues-dinner wrote:
| Good human customer service may be a turn off for VCs hoping
| for a unicorn. It doesn't scale infinitely, so if you need
| customer service to make your thing go - and presumably you do
| otherwise you wouldn't have a rep for good service, you'd have
| no service and no one would notice - your product probably
| isn't going to go stratospheric.
| jeroenhd wrote:
| Customer service is one thing, but GDPR data requests are a
| matter of legal compliance.
|
| From their privacy policy page:
|
| > Data Protection Officer: Bluesky has appointed a Data Protection
| Officer (DPO). You may contact our DPO at Ametros Group Ltd,
| Lakeside Offices, Thorn Business Park, Rotherwas Industrial
| Estate, Hereford, Herefordshire, HR2 6JT, dpo@ametrosgroup.com.
| Data Protection Representative: Bluesky has appointed a Data
| Protection Representative (DPR) for both the UK and EU. You may
| contact Bluesky's EU Representative at Ametros Ltd, Unit 3D,
| North Point House, North Point Business Park, New Mallow Road,
| Cork, Ireland, gdpr@ametrosgroup.com. You may contact Bluesky's
| UK Representative at Ametros Group Ltd, Lakeside Offices, Thorn
| Business Park, Rotherwas Industrial Estate, Hereford,
| Herefordshire, England, HR2 6JT, gdpr@ametrosgroup.com.
|
| This shows that the author should file a complaint with the
| Irish DPA (assuming they're an EU national) or the UK's DPA if
| they're from there. Bluesky repeatedly exceeded the applicable
| legal deadlines.
|
| They seem to have outsourced their compliance to
| https://ametrosgroup.com/ which would probably explain why it
| takes forever to get them to comply; the people dealing with
| the legal paperwork don't have access to the API to run a data
| export because they're a completely different company.
| latexr wrote:
| I understand that. Over the years I've sent several GDPR
| requests for my data and its deletion, and I always remind
| the service in the very first message that the law requires a
| response within thirty days. But I also know that a failure
| to comply is very hard to fight. These companies avoid the
| law for as long as they can.
|
| > the author should file a complaint with the Irish DPA
|
| Good luck with that. If you follow the work done by noyb,
| what you quickly learn is the Irish DPA loves US companies
| and giving them a pass. They actively defend them. The new
| Irish DPC commissioner is a former Meta lobbyist.
|
| https://noyb.eu/en/former-meta-lobbyist-named-dpc-commission...
| swiftcoder wrote:
| Kudos on going through the whole public-facing process. It may be
| a bit pointless, but it is a good way to unearth process gaps
| jay_kyburz wrote:
| > "Asked to provide my country of residence and to prove my
| account ownership by send an email from the address associated
| with my BSky account."
|
| Hey, when somebody sends you an email asking for personal data,
| how do you verify that the person making the request is the same
| as the person who uses the email?
|
| Is the email "From" field safe to trust? Can it be spoofed?
|
| Is it legal to assume that the controller of an email address is
| the same as the person who created the account using the email
| address?
|
| If a user's inbox has been compromised, can somebody just use GDPR
| to get all the DMs and data from every other service despite not
| having passwords to those services?
| shakna wrote:
| It's usually only reasonable to ask for a government ID, where
| you have already verified that in the past. Asking for it is
| discouraged - as that's you now handling sensitive information
| you should not store.
|
| You can only use what you know of the client, to verify their
| request.
|
| Proof of control of the only identity you have, tends to be
| "fair and reasonable".
| mschuster91 wrote:
| > Hey, when somebody sends you an email asking for personal
| data, how do you verify that the person making the request is
| the same as the person who uses the email?
|
| By the time someone has access to an email account, they could
| just reset the password and access the data anyway, no loss of
| trust.
|
| > Is the email "From" field safe to trust? Can it be spoofed?
|
| If it matches the account email address, send the response to
| that email. A simple spoof will only lead to the user getting a
| "your gdpr export is ready" but the attacker can't get to the
| data.
| kace91 wrote:
| >Is it legal to assume that the controller of an email address
| is the same as the person who created the account using the
| email address?
|
| Isn't that the general practice?
|
| Maybe with extra steps, but most services allow the "I just
| forgot my password -> I get a recovery email" flow, which
| trusts that the email from which the account was created is
| proof of identity. Then you get access to everything else with
| the password.
| edent wrote:
| > Hey, when somebody sends you an email asking for personal
| data, how do you verify that the person making the request is
| the same as the person who uses the email?
|
| You send a message to the email address listed on the account.
| You don't reply to the initial email.
|
| To clarify what happened to me. I emailed them from an account
| which was _not_ the same as the one used to sign up. (I emailed
| from admin@example, but the BSky address was 1234@example.com)
|
| They replied saying that they required me to email from the
| address associated with the account.
|
| I logged into BSky, changed the email address (to admin@), then
| replied to their message.
|
| They then replied to the account's email. I had successfully
| demonstrated that I was the person in control of the account.
|
| > Is it legal to assume that the controller of an email address
| is the same as the person who created the account using the
| email address?
|
| The law is about proportionality. Would a reasonable person /
| process assume that only the user controls their email? For a
| social network, probably. If this were a medical service, it
| might require passing 2FA.
|
| > If a user's inbox has been compromised, can somebody just use
| GDPR to get all the DMs and data from every other service
| despite not having passwords to those services?
|
| Yes. But they could also do a password reset. Having MFA helps
| here.
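
Added example, not part of the thread or of any commenter's post: the routing rule edent and mschuster91 describe above (answer only to the address on file, never to the sender or Reply-To of the request). The account store, field names and action names are hypothetical, and the messages are constructed.

```javascript
// Constructed account store: handle -> address on file (hypothetical data).
const ACCOUNTS = new Map([['user.example', { email: '1234@example.com' }]]);

// Pull the addr-spec out of a From header. The display name is ignored, so
// `"1234@example.com" <mallory@attacker.example>` yields the attacker address.
// Returns null unless the header carries exactly one address.
function senderAddress(fromHeader) {
  if (typeof fromHeader !== 'string') return null;
  const angle = [...fromHeader.matchAll(/<([^<>\s]+@[^<>\s]+)>/g)];
  if (angle.length === 1) return angle[0][1].toLowerCase();
  if (angle.length > 1) return null;
  const bare = fromHeader.trim();
  return /^[^\s<>@,]+@[^\s<>@,]+$/.test(bare) ? bare.toLowerCase() : null;
}

// Decide what to send and where. The From header only selects the branch;
// anything that contains or links to account data goes to the address on
// file. Reply-To is never read.
function routeAccessRequest(msg, accounts = ACCOUNTS) {
  const account = accounts.get(msg.handle);
  const sender = senderAddress((msg.headers || {}).From);
  if (!account || !sender) {
    return { action: 'manual_review', to: null, includesData: false };
  }
  const onFile = account.email.toLowerCase();
  if (sender !== onFile) {
    // What the author of the article experienced: no data, just an instruction.
    return { action: 'ask_to_use_registered_address', to: sender, includesData: false };
  }
  // A forged From lands here too, which is why the destination is the
  // stored address and not anything taken from the incoming message.
  return { action: 'send_export_notice', to: onFile, includesData: true };
}

// Constructed request with a forged From and an attacker-controlled Reply-To.
const spoofed = {
  handle: 'user.example',
  headers: { From: '1234@example.com', 'Reply-To': 'mallory@attacker.example' },
};
console.log(routeAccessRequest(spoofed));
```

With the forged message the notice still goes to `1234@example.com`, so the account holder sees an unexpected export notice and the forger receives nothing.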
| petercooper wrote:
| I have the same issue. DMs coming in, but no way to see them. I'm
| not bothered by it and would rather it just be disabled, but they
| could make them read-only (or even just show the author) while
| disabling replies (which should still adhere to the OSA).
| tonyhart7 wrote:
| I thought bluesky is decentralized tweet so we don't have to deal
| with verification like this?????
| evbogue wrote:
| The signed databases can be decentralized, but the index is
| mostly controlled by Bluesky and most of the 3rd party apps
| depend on Bluesky API calls. These API calls are not currently
| applying these tougher filters that the Bluesky social-app
| applies to the feeds.
| driverdan wrote:
| > If you don't want to verify your age, you can still use its
| services - but it won't serve you porn or let people send you
| non-public messages.
|
| > I think that's pretty reasonable.
|
| You lost me right there. Blocking DMs because of draconian age
| verification is not reasonable. There's nothing inherently
| problematic about DMs. Someone can be a creep in public just as
| easily as in DMs.
| billy99k wrote:
| and just why is age verification 'draconian'?
| cess11 wrote:
| Because it axes a liberty humans have enjoyed since we
| started talking to each other.
| tempfile wrote:
| Your reply has been generated! In order to receive your
| reply, please complete a routine Age Verification check. To
| verify, simply post a copy of your government-issued ID into
| the comment box.
|
| FAQs:
|
| Q: Why should I give some stranger on the internet a copy of
| my government ID?
|
| A:
| maybewhenthesun wrote:
| because there is no way to verify someone's age without
| removing their privacy protections. No matter what
| politicians seem to believe it's just not possible.
|
| I've always taught my children _never_ to use their real
| names online. Precisely to avoid creeps. Mandatory age
| verification means mandatory identification.
| edent wrote:
| I don't think that's quite accurate.
|
| Most age verification services use either government
| providers or 3rd party providers. I show my passport (or
| whatever) to the third-party. They relay to the site "this
| user is / isn't over 18". They don't send the DoB, address,
| photo etc.
|
| So the online service only receives a binary yes/no and
| nothing else. I don't lose any privacy there.
|
| The third-party knows that you wanted to be verified on
| service xyz, but not what you do there. Depending on the
| service I'm using, I may or may not care that they know.
|
| Handing over a passport / licence to get into a bar leaks
| more information than that.
| pjc50 wrote:
| You've just leaked your identity to the third party!
|
| These third parties tend to be US based, as well. That
| always raises privacy questions due to "Safe Harbor". It
| was completely stupid of the government not to even
| provide a UK age verification service before putting this
| in place.
| edent wrote:
| It isn't a leak if you do it intentionally.
|
| There are lots of age-verification providers in the UK /
| EU. The industry had plenty of notice this was coming and
| reacted accordingly.
| zx8080 wrote:
| > I don't lose any privacy there.
|
| By sending your gov ID(s) to a third party? You do! They
| will leak (or leak and then sell) your ID with your name
| to those who want to buy it. With services you've ever
| authorized with them, and probably the list of services
| you visit with timestamps. As it's NOT the one-time
| token, I'm pretty sure it has to be renewed from time to
| time (12h expiration? 1h? Who knows).
|
| This is a system designed for tracking and control.
| itake wrote:
| how long does the bar retain access to your ID?
|
| how can you trust 3rd party providers?
| edent wrote:
| I don't know if you've been to a bar recently. Lots of
| them stick IDs in a scanner. I handed over my passport to
| a hotel recently, they took it away and photocopied it.
|
| I'd rather trust an organisation which stakes its
| business on being secure than handing over my ID to
| anyone.
| jayd16 wrote:
| Shouldn't it at least just give the user a site agnostic
| token they can relay themselves? Why does the verifier
| need the site?
| edent wrote:
| Absolutely. But I assume they want to know which site has
| made the request so they can bill them properly.
| lucumo wrote:
| But if you allow that, the third-party has your id and a
| list of ALL adult sites you visit. If that leaks it's
| even worse than a single site leaking your id.
| immibis wrote:
| So if it's really like that then what stops me charging
| people $5 to verify their account for them? Would I get
| in trouble for doing that? If so, that just proves it
| wasn't anonymous and people were right to get me to
| verify for them.
| edent wrote:
| Unsurprisingly, the regulations require that providers
| take adequate steps to verify identities.
|
| In the UK, that usually means being certified by
| https://accscheme.com/registry/ or similar. Just saying
| "I asked some random provider to verify" isn't going to
| cut it.
|
| Incidentally, $5 is around 10x more expensive than most
| providers.
| CaptainOfCoit wrote:
| I'm not sure if you work in software or not, but it's
| definitely possible to come up with a schema where you
| could verify people's age in order to use a platform,
| without exposing your entire identity to said platform,
| with a combination of signatures and other cryptographic
| basics.
|
| Say you have a digital certificate from the government or
| similar that you use to do your taxes online or whatever,
| the government could have endpoints where you could use
| that certificate for signing a proof, that you then hand
| over to the platform you want to verify your age with. The
| platform can then confirm it's valid, and that $AGE>X, but
| they get no other details.
|
| You can even go a bit fancier/more complicated, and the
| government endpoints wouldn't know _what_ platform you're
| trying to verify.
| sleepychu wrote:
| How do I prevent my citizens from sharing their
| certificates in order to bypass the block?
| CaptainOfCoit wrote:
| You don't, it's up to citizens to make sure whatever
| authentication they use can only be used by them, just
| like how it works for other services today where you
| authenticate online somehow and the government service
| assumes you're you since you were able to authenticate.
| sleepychu wrote:
| My point is that this is either a bearer token (in which
| case it will be obtainable by proxy) or tied to your
| identity.
|
| What is the incentive for the citizen to make sure their
| authentication isn't shared?
| owisd wrote:
| > obtainable by proxy
|
| So no different to the rules around buying an 18+ DVD.
| CaptainOfCoit wrote:
| On the government endpoint, which returns X that the
| platform uses as "evidence" for you being an adult, yes,
| that's tied to your identity, as the certificate/whatever
| is tied to your identity.
|
| But as long as the platform who need to validate that
| you're an adult don't get your identity, but just the
| proof, I don't see what the problem is?
|
| > What is the incentive for the citizen to make sure
| their authentication isn't shared?
|
| What incentives do people today have for keeping their
| identifications to themselves? Why aren't we all sharing
| CC numbers? Because we realize some data is "personal"
| and isn't to be used by others, like our
| username+passwords or whatever. This isn't exactly a new
| concept, just look at how it works for anything else that
| is tied to you.
| mrmanner wrote:
| > On the government endpoint, which returns X that the
| platform uses as "evidence" for you being an adult, yes,
| that's tied to your identity, as the certificate/whatever
| is tied to your identity.
|
| In this scenario the government knows all the age-
| restricted sites I've visited. I'd argue that is worse
| than if all the age-restricted sites I've visited know
| who I am...
|
| (FTR I don't know what I think about age restrictions in
| general, but I'm pretty sure there's no implementation
| that comes without negative side effects)
| Ajedi32 wrote:
| Not necessarily. The age verification proof doesn't need
| to be site-specific. But again, that reduces the
| incentive "for the citizen to make sure their
| authentication isn't shared" because there's nothing
| tying it to them.
|
| I also kinda hate the whole idea of needing explicit
| permission from the government to access the open web,
| regardless of whether or not they know which specific
| sites they're giving me permission to access.
| immibis wrote:
| There's actually a much better idea that's been floating
| around. Require over-18 sites to set a certain header.
| Then anyone who wants to can install a browser on their
| kid's device that will block pages with the header.
| There's no privacy implications, no surveillance
| implications, no need to make VPNs illegal as long as
| they pass it through; it's just a plain old parental
| block with a regulation keeping it always up to date.
| Yes, you may have to stop your kid installing random
| software on the device to bypass whatever blocking you
| set up, but you had to do that anyway. If it's Apple or
| Google they could easily enough require everything in the
| app store to respect the flag when the device is set to
| kid mode.
|
| (If the government does the incredibly overbearing thing
| and does not do the simple and effective and unintrusive
| thing, it proves their motivations are surveillance)
| gjsman-1000 wrote:
| Already exists; the industry called it RTA (Restricted To
| Adults). Nobody used it... and it's 19 years old.
| Complete failure categorized under "we already tried
| that."
|
| https://www.rtalabel.org
|
| You can use it too, just put this in as a meta tag:
|
| <meta name="RATING" content="RTA-5042-1996-1400-1577-RTA" />
|
| Or send the following header:
|
| Rating: RTA-5042-1996-1400-1577-RTA
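
Added example, not part of gjsman-1000's comment and not code from the RTA project: the filtering side of the label quoted above, as a check a parental-control client could run on a response, looking for the label in the `Rating` header or in a `RATING` meta tag. Function names and the sample response are constructed for illustration.

```javascript
// The label string quoted in the comment above.
const RTA_LABEL = 'RTA-5042-1996-1400-1577-RTA';

function hasLabel(value) {
  return String(value).toUpperCase().includes(RTA_LABEL);
}

// Header names are case-insensitive and a header may repeat (array value).
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() !== wanted) continue;
    for (const item of Array.isArray(value) ? value : [value]) out.push(String(item));
  }
  return out;
}

// Parse name=value pairs of one tag: double-quoted, single-quoted or unquoted.
// The first occurrence of an attribute wins, as in HTML.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Collect the content of every <meta name="rating"> outside HTML comments.
// Regex scanning is an approximation of a real HTML parser; it is enough
// for a tag of the shape shown in the comment above.
function metaRatings(html) {
  const visible = String(html || '').replace(/<!--[\s\S]*?-->/g, '');
  const values = [];
  for (const m of visible.matchAll(/<meta\b[^>]*>/gi)) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.name || '').toLowerCase() === 'rating' && 'content' in attrs) {
      values.push(attrs.content);
    }
  }
  return values;
}

// Returns whether the response carries the RTA label and where it was found.
function classifyResponse(headers, html) {
  if (headerValues(headers, 'Rating').some(hasLabel)) return { labelled: true, via: 'header' };
  if (metaRatings(html).some(hasLabel)) return { labelled: true, via: 'meta' };
  return { labelled: false, via: null };
}

// Constructed sample: the meta tag wrapped over two lines, no Rating header.
const samplePage = '<html><head><meta name="RATING" content="RTA-5042-1996-1400-1577-RTA"\n/></head></html>';
console.log(classifyResponse({ 'content-type': 'text/html' }, samplePage));
```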
| Ajedi32 wrote:
| Was it legally mandated? I think that's the main idea GP
| is proposing. Obviously without any incentive to actually
| implement it there's no point.
| philipkglass wrote:
| I don't think that it matters. The big porn sites have
| served RTA tags for many years. Android, Windows, macOS,
| and iOS can all be configured to block adult content
| tagged with this system. That still hasn't stopped a
| bunch of states from passing age verification laws
| ostensibly targeted at protecting children from these
| sites.
| Ajedi32 wrote:
| If you share your CC number, someone could steal your
| money. If you share your anonymous age verification
| token... someone could pretend to be 18? And by design
| that token is anonymous and there's no way to prove you
| were the one they got it from? Doesn't seem like much of
| a disincentive.
| wasabi991011 wrote:
| > What incentives do people today have for keeping their
| identifications to themselves?
|
| Not being liable for loans they didn't take out
| themselves, being the recipient of government benefits
| they are owed, etc. I'm sure you have heard of identity
| theft before, but it sounds like you haven't heard of why
| it's a bad thing. It's not just a privacy thing.
| ashdksnndck wrote:
| How do they solve this for e-voting?
| tzs wrote:
| That's not correct. With a government issued signed digital
| ID cryptographically bound to a hardware security module
| you can use a zero-knowledge proof based protocol to prove
| to any third party site that (1) you have a signed
| government ID, (2) you have the hardware security module
| that it was bound to when the government issued it to you,
| and (3) the date of birth field on that ID says you are
| older than the site's age threshold.
|
| This reveals no other information to the site.
|
| The EU is on track to deploy such a system by the end of
| 2026. They are currently doing field testing involving
| thousands of users.
| thescriptkiddie wrote:
| zero-knowledge proofs don't work like that
| tzs wrote:
| https://eprint.iacr.org/2024/2010
|
| https://github.com/eu-digital-identity-wallet/av-doc-technic...
|
| https://blog.google/technology/safety-security/opening-up-ze...
|
| https://news.ycombinator.com/item?id=44457390
| immibis wrote:
| Yup. For $5 (hypothetically) I'll use my ID to make that
| ZKP for you, and you can pass it to the site.
| ranger_danger wrote:
| But it still doesn't prove that the person creating the
| proof is the person who was assigned the government ID,
| right? What's to stop someone from using their ID to
| power a bunch of bots?
|
| And AFAIK unless the company has a database/API for all
| the existing IDs in the world, I would think it doesn't
| stop forged IDs from existing.
|
| And even then, corrupt employees could still issue forged
| IDs... there's no guarantee that a single ID equals a
| single person forever.
| dpark wrote:
| So what is the problem? I don't want my kids sharing real
| names online. I wouldn't want them verifying their age with
| Bluesky either. But that's fine because I also don't want
| them getting porn or DMs on bluesky.
|
| This is win win for kids. It's not a win for adults who now
| have to expose their identity.
| gjsman-1000 wrote:
| Your mistake is that HN, and Silicon Valley, has a
| religion: _Cypherpunk_. It's also probably among the
| dumbest set of ideologies.
|
| No widely accepted philosopher ever sat down and said,
| "You know what, a free method of communication, with no
| restrictions, with no connection to identity, will
| benefit humanity as a whole."
|
| No widely accepted religion ever sat down and said, "You
| know what, a method of disassociating speech from the
| person, without restriction, will benefit humanity as a
| whole."
|
| No founding father of our country ever sat down and said,
| "You know what, the first amendment is stronger, the
| further we separate people's identities and morality
| judgements, from their arguments."
|
| No scientific thought leader ever sat down and said, "You
| know what, I've done the research, and found kids that
| are exposed to the internet are 30% more contentious and
| 22% more forgiving, showing this is the right direction
| for society."
|
| No classical liberal philosopher who argued for free
| speech thought this was a good idea. When they argued for
| free speech, the _whole point_ was allowing people to
| accept personal responsibility for their opinions and
| beliefs, without a government forcing responsibility.
| Free speech for the sake of free speech, without any
| responsibility, wasn't in their wildest dreams.
|
| This religion is solely, _how do I do whatever I want
| without anyone telling me what I can't do._ I want
| _maximum freedom_ with _zero personal responsibility._
| The only defense is that it works out for the good about
| 0.1% of the time; there might be some dissidents in China
| who benefit, even though millions of kids are traumatized
| and 40% of the internet is robot traffic. There's no
| philosopher behind it, no science behind it, no religion
| behind it, just pure self-interested narcissistic
| anarchy.
|
| To quote The Ethereum Foundation: "Rather than bend to
| knee to Donald Trump, the goal of the cypherpunk movement
| is to abolish the state in order to maximize human
| freedom via privacy-enhancing decentralized technologies.
| After reviewing the history of this deviant group of
| programmers in the 1980s, what philosophical and
| technical lessons do the cypherpunks hold for Ethereum
| today? Censorship-resistant digital cash was only one the
| start, and the missing parts of their legacy: mixnets and
| anonymous credentials for identity."
| immibis wrote:
| I think people just don't want the government to surveil
| everything they do.
| gjsman-1000 wrote:
| https://news.ycombinator.com/item?id=45430811
| Aloisius wrote:
| Em. Thomas Paine, James Madison, Alexander Hamilton, John
| Jay, Benjamin Franklin, John Marshall, John Locke,
| Immanuel Kant, David Hume, Baruch Spinoza, Rene Descartes
| and many, many more wrote anonymously.
|
| Some wrote anonymously because they wanted the words to
| speak for themselves, such as Madison, Hamilton and Jay
| writing the Federalist Papers.
|
| Some did it because they thought their name might detract
| from the message - such as Franklin's writings when he
| was a teenager.
|
| And some others did it to avoid consequences for their
| opinion - such as when Thomas Paine penned the case for
| American independence - literally treason. Even Paine's
| publisher, Benjamin Rush, remained anonymous!
|
| The idea that free speech without responsibility wasn't a
| consideration seems contradicted by how utterly
| _pervasive_ it was by classical liberal philosophers and
| founding fathers and how influential those writings were
| to the founding of the country and the creation and
| passage of the first amendment.
| Ajedi32 wrote:
| > So what is the problem? [...] It's not a win for adults
|
| But isn't that exactly the problem? What are you confused
| about? You think there's no issue with violating the
| privacy of all adults as long as children are unaffected?
| gjsman-1000 wrote:
| Being an adult is the ability to be responsible for your
| actions. Arguing for the ability to disclaim any
| responsibility or risk of responsibility, at the expense
| of children's safety, is peak child behavior.
|
| This view also makes a mockery of free speech, which was
| originally intended to allow mature adults to take
| responsibility and ownership of their actions and
| beliefs, not run away from them. The idea of running away
| from your actions and beliefs, in the name of freedom,
| inverts the entire philosophical foundation.
| Ajedi32 wrote:
| I have no problem with personal responsibility, I do have
| a problem with mass government surveillance. (Or
| depending on implementation, merely government control of
| private communications. Either way it's not a good
| thing.)
|
| "You must give the government more control of your life
| or you hate children." is a bad argument.
| gjsman-1000 wrote:
| You're conflating identification with surveillance; which
| are completely separate issues. Every bar that cards you
| isn't surveilling you. Every bank that KYCs you isn't
| obligated to track every purchase; if they do, the
| reaction is not to ban KYC, but ban the surveillance.
| Every library card you use to check out, is not obligated
| to sell your data; if they do, the reaction is to ban
| data sales, not library cards.
|
| The cypherpunk ideology has convinced you that any form
| of identity verification equals totalitarian control,
| which is precisely the absolutist thinking that prevents
| reasonable child safety measures, and got us here.
| There's a massive middle ground between 'anonymous free-
| for-all' and 'government surveillance state' that you're
| pretending doesn't exist.
|
| You might say that's a slippery slope. However,
| _government at all_ is a slippery slope, a senator can
| literally propose anything at any time, and a Supreme
| Court ruling can practically do whatever it wants. And
| yet, every attempt at living without a government, has
| always been worse. The internet right now is like living
| in an anarchic society with moderators and tech companies
| as warlords. The warlords don't see a problem with this,
| but the majority of people underneath know full well
| there's a government already.
|
| The cypherpunk ideology doesn't keep government out of
| tech. It just creates worse governments with less
| accountability and more power.
| AAAAaccountAAAA wrote:
| All this word salad and smooth talk about the "middle
| ground" just worries me even more. We have been living in
| such an unusual period of peace, prosperity and freedom
| that the pampered, wealthy segment of the Western people
| is considering children seeing porn as some sort of
| catastrophe, warranting extreme countermeasures. However,
| meanwhile in the actual reality, people are still being
| killed on the basis of sexual orientation.
|
| I would support reasonable measures to block children
| from accessing pornographic content, but making people
| upload government IDs or biometric data does not belong
| to the realm of what is reasonable.
| Nasrudith wrote:
| Ah yes, the noble calling of protecting the children by
| ensuring they grow up in an Orwellian dystopia they
| aren't allowed to even criticize.
| dpark wrote:
| I was replying to this:
|
| > I've always taught my children never to use their real
| names online. Precisely to avoid creeps. Mandatory age
| verification means mandatory identification.
|
| "Adults shouldn't have to reveal their identities" is a
| totally legitimate concern. It's also very different from
| the child scenario in this case because the entire point
| of revealing the identity is to gain access to features a
| child should not have access to.
| gsich wrote:
| Because I don't trust any company with handling such
| verification.
| 1970-01-01 wrote:
| DMs can come from anywhere, globally. This is much different
| than a public space with limited levels of users and police
| dispensing arrests on problematic users.
| itake wrote:
| letters, phone calls, and sms can come from anywhere,
| globally. There is no middle man reading every message and
| blocking anything it doesn't like.
| firtoz wrote:
| If you don't adhere to rules with phone calls and SMS you
| will get identified very quickly by authorities. That's the
| point, they have the infrastructure set up like that. For
| letters, it's a bit different, but if they suspect someone
| or something they can indeed track things down.
| f33d5173 wrote:
| They can track down the origin of an IP packet as well. To
| rejoinder the response of "what about vpn" - sms, phone,
| and letters can all be proxied as well.
| TheDong wrote:
| Proxying network traffic is wildly easier.
|
| The tor project was built specifically to ensure
| anonymity for internet traffic, and it works well as far
| as I know.
|
| Phone numbers are not the same, countries require you to
| verify your identity to sign up for a phone plan, most
| sane countries have a government identity tied to each
| and every phone number, and proxying doesn't change that.
|
| The US is weird in that it has some anti-government-
| identity stance that makes this way less centralized, but
| regardless, phone numbers are mostly traceable, there's
| nothing like tor, and the law also treats sms as more
| traceable.
|
| Phone plans also cost at least something to sign up for.
|
| I will give you that physical letters can be anonymous,
| but due to postage stamps it's much more expensive to
| send them in excess.
| Aurornis wrote:
| Harassing someone via a phone number leads to a very quick
| and routine identification by the police.
|
| There's a nerd gambit where we say _well technically you
| can trace IP addresses too_ but in practice it's much
| faster and easier for police to track someone down by phone
| number than to go through all the steps of tracing
| someone's activity through a service provider and then to
| their ISP and then to their household.
|
| It's not the same at all.
| edent wrote:
| "Hey buddy! You're right. And so mature for your age!"
|
| The reason OSA puts DMs in scope is because they are out of
| view of the public. If you start creeping on someone where it
| is viewable, people will call you out.
|
| If you do it in private it becomes "our little secret".
|
| That's how groomers work. Go talk to any kid blackmailed into
| doing something they didn't want to do. It often starts with
| private messages.
| yard2010 wrote:
| Tbf this won't solve this horrendous issue but create a new
| problem just like the stupid cookie banner fiasco.
| hk1337 wrote:
| > Someone can be a creep in public just as easily as in DMs.
|
| I would argue that one could be MORE of a creep and lewd in DMs
| than in public.
| Aurornis wrote:
| > Someone can be a creep in public just as easily as in DMs.
|
| Definitely not true.
|
| Public messages risk a wide audience seeing the message and
| recognizing it's inappropriate, then taking action against the
| person, reporting them, or highlighting the inappropriate
| messages for mob reprisals.
|
| This is why predators overwhelmingly prefer private messaging
| where they can control visibility of their actions to a single
| vulnerable target.
| SuperShibe wrote:
| >Public messages risk a wide audience seeing the message
|
| Anyone can easily circumvent this by using asymmetric
| cryptography to encrypt their messages.
| Aurornis wrote:
| Nobody is going to the trouble of getting their target to
| set up cryptography tools so they can pass private messages
| back and forth between public channels.
|
| They're going to move to another platform where they can
| find targets who have DM functionality available. BlueSky's
| job is done.
| SuperShibe wrote:
| No one is going to the trouble of getting their target to
| GDPR-request their private DMs as well. This misses the
| point of the blogpost.
| tracker1 wrote:
| Having to delete the obvious spam "hello" DMs in Telegram
| is so much fun... Fortunately I'm not that active and
| only in a couple channels. I still see a couple a day
| (block/report, etc).
| SV_BubbleTime wrote:
| >risk a wide audience seeing the message and recognizing it's
| inappropriate
|
| As everyone knows, risk is unacceptable!
|
| And inappropriate is of course an objective classification.
| zer00eyz wrote:
| > mob reprisals
|
| Great choice of words here, it's an accurate description of
| the terror of the commons. Force everything into a public
| venue so we're all watching each other and then get everyone
| invested in reporting on everyone else's behavior.
|
| Meanwhile in the name of "saving the children" from their
| poor parents we continue to add restrictions, laws and strip
| rights.
|
| > This is why predators...
|
| We had plenty of these before the internet, the idea that
| these sorts of laws change any of that is just naive.
| Barrin92 wrote:
| >it's an accurate description of the terror of the commons.
|
| There's no inherent terror in it. Self governing
| communities on the internet need some means to monitor
| themselves just like they do offline. Communities before
| the internet didn't let unknown adults in their community
| have one-on-one conversations with children unsupervised.
| That's not a right or a common practice.
|
| Before the internet, when you joined a community
| you had to show your face, not a lot of clubs I'm aware of
| that involve minors where people in a balaclava were
| welcome.
| pessimizer wrote:
| > Self governing communities
|
| Bluesky is a company, not a "self-governing community."
| They didn't have a legislative process to decide to do
| this.
| zer00eyz wrote:
| > There's no inherent terror in it.
|
| Go watch the classic black and white "Frankenstein" for a
| portrayal of mob justice. Torches and pitchforks!
|
| How about the French Revolution... where the head of the
| mob meets the same end, with the loss of his head?
|
| > Self governing communities on the internet need some
| means to monitor themselves just like they do offline.
|
| This is also an accurate description of a lynching. You
| think we're doing better online, see reddit getting the
| Boston bomber wrong.
| jrm4 wrote:
| Look, DMs are _inherently_ stupid. Just let people post their
| email addresses and contact THAT way.
|
| Now, of course, I'm not naive -- I _understand_ that this idea
| is extremely unlikely to catch on and we're probably well past
| it. But still going to put it out there because I think it
| makes the most sense.
| extraduder_ire wrote:
| I read that as bluesky's response to the UK law being
| reasonable, not that the law itself is reasonable.
| nomel wrote:
| > There's nothing inherently problematic about DMs.
|
| You should definitely talk to some women. They generally have a
| drastically different, dick filled, experience with DMs.
| Multiply that by the felonies involved with interacting with a
| minor, the legal requirements of COPPA, and the PR problems of
| things like "grooming groups found on <platform>", and the
| problems become more clear.
|
| Of course, the real issue is parents giving their children
| unrestricted access to the internet.
| bArray wrote:
| > Your Direct Messages. We store and process your direct messages
| in order to enable you to communicate directly and privately with
| other users on the Bluesky App. These are unencrypted and can be
| accessed for Trust and Safety purposes.
|
| Your private DMs being unencrypted means that they are semi-
| private DMs. E2E should be enforced everywhere.
| OkayPhysicist wrote:
| Different contexts have different threat models. If my goal is
| to have a secure, private conversation with someone, I'll use
| Signal. If my goal is to communicate some less-than-sensitive
| information with someone, but the content isn't relevant to
| anybody else, then an unencrypted DM is fine.
|
| In the context of public-broadcast social media, the service's
| ability to moderate abusive uses of a DM system is probably
| more important to me than the ability to have absolute control
| over who reads my messages.
| extraduder_ire wrote:
| They are working on private repo data, Direct Messages were a
| hack job added in a hurry. It was one of the things people
| would hound the developers about any time they posted about
| anything.
|
| Also, "private DMs" would more accurately be called PMs.
| jayd16 wrote:
| > If services don't want to provide moderation then they
| shouldn't let their younger users be exposed to harm.
|
| Isn't that moderation?
| Rover222 wrote:
| "We store and process your direct messages in order to enable you
| to communicate directly and privately with other users on the
| Bluesky App. These are unencrypted and can be accessed for Trust
| and Safety purpose"
|
| Sounds about right for a platform created specifically because
| another platform stopped censoring things.
| edent wrote:
| You do know that Twitter's DMs were also unencrypted, right?
| Rover222 wrote:
| Yes, my point is that the Bluesky Trust and Safety committee
| would probably ban someone for saying trans women aren't
| women (or whatever opinion is not allowed). Just like old
| twitter.
|
| Undeniably a low-effort and unhelpful comment on my part.
| greatgib wrote:
| This proves that bluesky sucks at least as much as Twitter as it
| is still a walled garden...
| pfraze wrote:
| We might suck as much as Twitter but not because we're a walled
| garden. These rules are applied in our apps, not on other at://
| apps, which can decide for themselves what to do about these
| laws.
___________________________________________________________________
(page generated 2025-09-30 23:01 UTC)