&gt; mob reprisalsGreat choice of words here, it&#x27;s an accurate description of the terror of the commons. Force everything into a public venue so we&#x27;re all watching each other and then get every one invested in reporting on everyone else&#x27;s behavior.Meanwhile in the name of &quot;saving the children&quot; from their poor parents we continue to add restrictions, laws and strip rights.&gt; This is why predators...We had plenty of these before the internet, the idea that these sorts of laws change any of that is just naive.

&gt;risk a wide audience seeing the message and recognizing it’s inappropriateAs everyone knows, risk is unacceptable!And inappropriate is of course an objective classification.

&gt;Public messages risk a wide audience seeing the messageAnyone can easily circumvent this by using asymmetric cryptography to encrypt their messages.

&gt; Someone can be a creep in public just as easily as in DMs.Definitely not true.Public messages risk a wide audience seeing the message and recognizing it’s inappropriate, then taking action against the person, reporting them, or highlighting the inappropriate messages for mob reprisals.This is why predators overwhelmingly prefer private messaging where they can control visibility of their actions to a single vulnerable target.

&gt; There&#x27;s nothing inherently problematic about DMs.You should definitely talk to some women. They generally have a drastically different, dick filled, experience with DMs. Multiply that by the felonies involved with interacting with a minor, the legal requirements of COPPA, and the PR problems of things like &quot;grooming groups found on &lt;platform&gt;&quot;, and the problems become more clear.Of course, the real issue is parents giving their children unrestricted access to the internet.

Look, DM&#x27;s are inherently stupid. Just let people post their email addresses and contact THAT way.Now, of course, I&#x27;m not naive -- I understand that this idea is extremely unlikely to catch on and we&#x27;re probably well past it. But still going to put it out there because I think it makes the most sense.

letters, phone calls, and sms can come from anywhere, globally. There is no middle man reading every message and blocking anything it doesn&#x27;t like.

DMs can come from anywhere, globally. This is much different than a public space with limited levels of users and police dispensing arrests on problematic users.

I read that as bluesky&#x27;s response to the UK law being reasonable, not that the law itself is reasonable.

&gt; Someone can be a creep in public just as easily as in DMs.I would argue that one could be MORE of a creep and lewd in DMs than in public.

Tbf this won&#x27;t solve this horrendous issue but create a new problem just like the stupid cookie banner fiasco.

&quot;Hey buddy! You&#x27;re right. And so mature for your age!&quot;The reason OSA puts DMs in scope is because they are out of view of the public. If you start creeping on someone where it is viewable, people will call you out.If you do it in private it becomes &quot;our little secret&quot;.That&#x27;s how groomers work. Go talk to any kid blackmailed into doing something they didn&#x27;t want to do. It often starts with private messages.

because there is no way to verify someone&#x27;s age without removing their privacy protections. No matter what politicians seem to believe it&#x27;s just not possible.I&#x27;ve always taught my children never to use their real names online. Precisely to avoid creeps. Mandatory age verification means mandatory identification.

Because it axes a liberty humans have enjoyed since we started talking to each other.

Because I don&#x27;t trust any company with handling such verification.

Your reply has been generated! In order to receive your reply, please complete a routine Age Verification check. To verify, simply post a copy of your government-issued ID into the comment box.FAQs:Q: Why should I give some stranger on the internet a copy of my government ID?A:

and just why is age verification &#x27;draconian&#x27;?

&gt; If you don&#x27;t want to verify your age, you can still use its services - but it won&#x27;t serve you porn or let people send you non-public messages.&gt; I think that&#x27;s pretty reasonable.You lost me right there. Blocking DMs because of draconian age verification is not reasonable. There&#x27;s nothing inherently problematic about DMs. Someone can be a creep in public just as easily as in DMs.

They are working on private repo data, Direct Messages were a hack job added in a hurry. It was one of the things people would hound the developers about any time they posted about anything.Also, &quot;private DMs&quot; would more accurately be called PMs.

Different contexts have different threat models. If my goal is to have a secure, private conversation with someone, I&#x27;ll use Signal. If my goal is to communicate some less-than-sensitive information with someone, but the content isn&#x27;t relevant to anybody else, then an unencrypted DM is fine.In the context of public-broadcast social media, the service&#x27;s ability to moderate abusive uses of a DM system is probably more important to me than the ability to have absolute control over who reads my messages.

&gt; Your Direct Messages. We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purposes.Your private DMs being unencrypted means that they are semi-private DMs. E2E should be enforced everywhere.

We might suck as much as Twitter but not because we’re a walled garden. These rules are applied in our apps, not on other at:&#x2F;&#x2F; apps, which can decide for themselves what to do about these laws.

This proves that bluesky sucks at least as much as Twitter as it is still a walled garden...

Age verification is done in the client (app&#x2F;website) the appview (CTO calls it an appserver now) is the backend that services api requests from the default, and most other, clients. DMs themselves are not stored in ATproto, and are kind of a hack.You can migrate your PDS (data server) away from bluesky&#x27;s servers to another host, and as of a few days ago you can migrate back. (only if you initially signed up to bluesky, not if you started off self-hosting)The following gist is good to glean how the age-verification system works: <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;mary-ext&#x2F;6e27b24a83838202908808ad528b3318" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;mary-ext&#x2F;6e27b24a83838202908808ad528...</a>

There&#x27;s a few, I really like PinkSky which makes BlueSky into Instagram instead of Twitter.

My understanding is that Bluesky is a service built on top of a decentralized protocol, ATProto. This allows users to use alternative hosts for their data instead of the bluesky servers, but if you&#x27;re using Bluesky then they still hold your data.I also think the private DMs might be hosted externally to ATProto because that is all meant to be public information or something.I would assume that the age verification is built at the app layer, so you could use an alternative app (I think they call them AppViews?) to get around the age verification thing. Don&#x27;t know if alternatives really exist today though, there are probably some.

It isn&#x27;t really, it&#x27;s &quot;Postel decentralization&quot; (a lot of early internet services people might have assumed were distributed were in fact just a guy, John Postel).I don&#x27;t think that matters in this context where the rules apply regardless of decentralization. However, I believe that you can in fact just use the protocol without any of the &quot;age verification&quot; nonsense the UK government has imposed on us.

It sounds like a dumb kind of centralization; yes, you can download all your old stuff, in the hopes that someone else will host it for you eventually.The smarter thing is the thing we already have with email (and that Mastodon can do) -- you have to place trust somewhere, so do it with whatever decentralized server you choose. I get that it&#x27;s not robust -- or more specifically you DO have to trust whoever&#x27;s running the server -- but that&#x27;s better that the now obvious goofy centralization that Bluesky is now subject to.

The age verification is client side and can easily be bypassed with a third party client or even with a userscript <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;mary-ext&#x2F;6e27b24a83838202908808ad528b3318" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;mary-ext&#x2F;6e27b24a83838202908808ad528...</a>Bluesky&#x27;s apps have the verification, but everything else using the protocol can just not implement it.

yup, completely centralized. The decentralization angle pretty died on spot after anime artists migrating from Twitter was about to hit a critical mass and someone forced them so-called moderation to fix that.

But isn’t this just referring to the app view? And there can be (and are) many independent implementations of the app view?

Nostr is just a protocol. on which you can just as easy build centralized platforms:)

That&#x27;s what Jack Dorsey realized too, which is why he&#x27;s a Nostr guy these days.

Bluesky is centralised. Using technology that could also hypothetically support a decentralised platform does not make the centralised platform decentralised. <a href="https:&#x2F;&#x2F;arewedecentralizedyet.online&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arewedecentralizedyet.online&#x2F;</a>

It isn&#x27;t, it relies on a single BGS router server.

Bluesky doesn’t sound very decentralized to me.

Kudos on going through the whole public-facing process. It may be a bit pointless, but it is a good way to unearth process gaps

I have the same issue. DMs coming in, but no way to see them. I&#x27;m not bothered by it and would rather it just be disabled, but they could make them read-only (or even just show the author) while disabling replies (which should still adhere to the OSA).

&gt; If services don&#x27;t want to provide moderation then they shouldn&#x27;t let their younger users be exposed to harm.Isn&#x27;t that moderation?

Good human customer service may be a turn off for VCs hoping for a unicorn. It doesn&#x27;t scale infinitely, so if you need customer service to make your thing go - and presumably you do otherwise you wouldn&#x27;t have a rep for good service, you&#x27;d have no service and no one would notice - your product probably isn&#x27;t going to go stratospheric.

I understand that. Over the years I’ve sent several GDPR requests for my data and its deletion, and I always remind the service in the very first message that the law requires a response within thirty days. But I also know that a failure to comply is very hard to fight. These companies avoid the law for as long as they can.&gt; the author should file a complaint with the Irish DPAGood luck with that. If you follow the work done by noyb, what you quickly learn is the Irish DPA loves US companies and giving them a pass. They actively defend them. The new Irish DPC commissioner is a former Meta lobbyist.<a href="https:&#x2F;&#x2F;noyb.eu&#x2F;en&#x2F;former-meta-lobbyist-named-dpc-commissioner-meta-now-officially-regulates-itself" rel="nofollow">https:&#x2F;&#x2F;noyb.eu&#x2F;en&#x2F;former-meta-lobbyist-named-dpc-commission...</a>

Customer service is one thing, but GDPR data requests are a matter of legal compliance.From their privacy policy page:<pre><code> Data Protection Officer: Bluesky has appointed a Data Protection Officer (DPO). You may contact our DPO at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, HR2 6JT, dpo@ametrosgroup.com.

 Data Protection Representative: Bluesky has appointed a Data Protection Representative (DPR) for both the UK and EU. You may contact Bluesky&#x27;s EU Representative at Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland, gdpr@ametrosgroup.com. You may contact Bluesky&#x27;s UK Representative at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, England, HR2 6JT, gdpr@ametrosgroup.com.

</code></pre>
This shows that the author should file a complaint with the Irish DPA (assuming they&#x27;re an EU national) or the UK&#x27;s DPA if they&#x27;re from there. Bluesky repeatedly exceeded the applicable legal deadlines.They seem to have outsourced their compliance to <a href="https:&#x2F;&#x2F;ametrosgroup.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;ametrosgroup.com&#x2F;</a> which would probably explain why it takes forever to get them to comply; the people dealing with the legal paperwork don&#x27;t have access to the API to run a data export because they&#x27;re a completely different company.

&gt; Frankly, it is baffling that such a well-funded company takes this long to answer a simple request.What is frankly baffling is that after the past two decades someone would still believe more money equals better customer service, or that VC-funded companies care even the smallest bit about you.

&gt;Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?Isn’t that the general practice?Maybe with extra steps, but most services allow the “I just forgot my password -&gt; I get a recovery email” flow, which trusts that the email from which the account was created is proof of identity. Then you get access to everything else with the password.

It&#x27;s usually only reasonable to ask for a government ID, where you have already verified that in the past. Asking for it is discouraged - as that&#x27;s you now handling sensitive information you should not store.You can only use what you know of the client, to verify their request.Proof of control of the only identity you have, tends to be &quot;fair and reasonable&quot;.

&gt; Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.You send a message to the email address listed on the account. You don&#x27;t reply to the initial email.To clarify what happened to me. I emailed them from an account which was not the same as the one used to sign up. (I emailed from admin@example, but the BSky address was 1234@example.com)They replied saying that they required me to email from the address associated with the account.I logged into BSky, changed the email address (to admin@), then replied to their message.They then replied to the account&#x27;s email. I had successfully demonstrated that I was the person in control of the account.&gt; Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?The law is about proportionality. Would a reasonable person &#x2F; process assume that only the user controls their email? For a social network, probably. If this were a medical service, it might require passing 2FA.&gt; If a users inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?Yes. But they could also do a password reset. Having MFA helps here.

&gt; Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.By the time someone has access to an email account, they could just reset the password and access the data anyway, no loss of trust.&gt; Is the email &quot;From&quot; field safe to trust? Can it be spoofed?If it matches the account email address, send the response to that email. A simple spoof will only lead to the user getting a &quot;your gdpr export is ready&quot; but the attacker can&#x27;t get to the data.

&gt; &quot;Asked to provide my country of residence and to prove my account ownership by send an email from the address associated with my BSky account.&quot;Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.Is the email &quot;From&quot; field safe to trust? Can it be spoofed?Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?If a users inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?

The signed databases can be decentralized, but the index is mostly controlled by Bluesky and most of the 3rd party apps depend on Bluesky API calls. These API calls are not currently applying these tougher filters that the Bluesky social-app applies to the feeds.

I thought bluesky is decentralized tweet so we don&#x27;t have to deal with verification like this?????

Yes, my point is that the Bluesky Trust and Safety committee would probably ban someone for saying trans women aren&#x27;t women (or whatever opinion is not allowed). Just like old twitter.Undeniably a low-effort and unhelpful comment on my part.

You do know that Twitter&#x27;s DMs were also unencrypted, right?

&quot;We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purpose&quot;Sounds about right for a platform created specifically because another platform stopped censoring things.

Can you use GDPR to circumvent BlueSky's adult content blocks?