> I think that's pretty reasonable.
You lost me right there. Blocking DMs because of draconian age verification is not reasonable. There's nothing inherently problematic about DMs. Someone can be a creep in public just as easily as in DMs.
You should definitely talk to some women. They generally have a drastically different, dick filled, experience with DMs. Multiply that by the felonies involved with interacting with a minor, the legal requirements of COPPA, and the PR problems of things like "grooming groups found on <platform>", and the problems become more clear.
Of course, the real issue is parents giving their children unrestricted access to the internet.
Definitely not true.
Public messages risk a wide audience seeing the message and recognizing it’s inappropriate, then taking action against the person, reporting them, or highlighting the inappropriate messages for mob reprisals.
This is why predators overwhelmingly prefer private messaging where they can control visibility of their actions to a single vulnerable target.
As everyone knows, risk is unacceptable!
And inappropriate is of course an objective classification.
Great choice of words here, it's an accurate description of the terror of the commons. Force everything into a public venue so we're all watching each other and then get everyone invested in reporting on everyone else's behavior.
Meanwhile in the name of "saving the children" from their poor parents we continue to add restrictions, laws and strip rights.
> This is why predators...
We had plenty of these before the internet, the idea that these sorts of laws change any of that is just naive.
There's no inherent terror in it. Self governing communities on the internet need some means to monitor themselves just like they do offline. Communities before the internet didn't let unknown adults in their community have one-on-one conversations with children unsupervised. That's not a right or a common practice.
Before the internet, when you joined a community you had to show your face; there aren't a lot of clubs I'm aware of that involve minors where people in a balaclava were welcome.
Bluesky is a company, not a "self-governing community." They didn't have a legislative process to decide to do this.
Anyone can easily circumvent this by using asymmetric cryptography to encrypt their messages.
They're going to move to another platform where they can find targets who have DM functionality available. BlueSky's job is done.
Now, of course, I'm not naive -- I understand that this idea is extremely unlikely to catch on and we're probably well past it. But still going to put it out there because I think it makes the most sense.
There’s a nerd gambit where we say well technically you can trace IP addresses too but in practice it’s much faster and easier for police to track someone down by phone number than to go through all the steps of tracing someone’s activity through a service provider and then to their ISP and then to their household.
It’s not the same at all.
The Tor project was built specifically to ensure anonymity for internet traffic, and it works well as far as I know.
Phone numbers are not the same: countries require you to verify your identity to sign up for a phone plan, most sane countries have a government identity tied to each and every phone number, and proxying doesn't change that.
The US is weird in that it has some anti-government-identity stance that makes this way less centralized, but regardless, phone numbers are mostly traceable, there's nothing like tor, and the law also treats sms as more traceable.
Phone plans also cost at least something to sign up for.
I will give you that physical letters can be anonymous, but due to postage stamps it's much more expensive to send them in excess.
I would argue that one could be MORE of a creep and lewd in DMs than in public.
The reason OSA puts DMs in scope is because they are out of view of the public. If you start creeping on someone where it is viewable, people will call you out.
If you do it in private it becomes "our little secret".
That's how groomers work. Go talk to any kid blackmailed into doing something they didn't want to do. It often starts with private messages.
I've always taught my children never to use their real names online. Precisely to avoid creeps. Mandatory age verification means mandatory identification.
Most age verification services use either government providers or 3rd party providers. I show my passport (or whatever) to the third-party. They relay to the site "this user is / isn't over 18". They don't send the DoB, address, photo etc.
So the online service only receives a binary yes/no and nothing else. I don't lose any privacy there.
The third-party knows that you wanted to be verified on service xyz, but not what you do there. Depending on the service I'm using, I may or may not care that they know.
Handing over a passport / licence to get into a bar leaks more information than that.
By sending your gov ID(s) to a third party? You do! They will leak (or leak and then sell) your ID with your name to those who want to buy it. With the services you've ever authorized with them, and probably the list of services you visit with timestamps. As it's NOT a one-time token, I'm pretty sure it has to be renewed from time to time (12h expiration? 1h? Who knows).
This is a system designed for tracking and control.
These third parties tend to be US based, as well. That always raises privacy questions due to "Safe Harbor". It was completely stupid of the government not to even provide a UK age verification service before putting this in place.
There are lots of age-verification providers in the UK / EU. The industry had plenty of notice this was coming and reacted accordingly.
In the UK, that usually means being certified by https://accscheme.com/registry/ or similar. Just saying "I asked some random provider to verify" isn't going to cut it.
Incidentally, $5 is around 10x more expensive than most providers.
how can you trust 3rd party providers?
I'd rather trust an organisation which stakes its business on being secure than handing over my ID to anyone.
Say you have a digital certificate from the government or similar that you use to do your taxes online or whatever, the government could have endpoints where you could use that certificate for signing a proof, that you then hand over to the platform you want to verify your age with. The platform can then confirm it's valid, and that $AGE>X, but they get no other details.
You can even go a bit fancier/more complicated, and the government endpoints wouldn't know what platform you're trying to verify.
What is the incentive for the citizen to make sure their authentication isn't shared?
But as long as the platform that needs to validate that you're an adult doesn't get your identity, just the proof, I don't see what the problem is?
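The scheme sketched above (a government endpoint signs a minimal proof, the platform checks only that it is valid and that $AGE>X) as an added example in Go; this is not Bluesky's or any government's code. It assumes a hypothetical issuer holding an Ed25519 key, a platform that knows the issuer's public key, and a platform-generated nonce that the citizen carries to the issuer, so the issuer never sees which platform asked and a proof cannot be replayed or lent to another session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Claim is all the government signs: a platform-chosen nonce, the one fact
// "holder is at least MinAge", and an expiry. No name, date of birth or photo.
type Claim struct {
	Nonce   []byte `json:"nonce"`
	MinAge  int    `json:"min_age"`
	Expires int64  `json:"expires"`
}

// Issue models the (hypothetical) government endpoint. It has already authenticated
// the citizen, e.g. with their tax certificate, and it sees only a random nonce, so
// it does not learn which platform asked for the proof.
func Issue(gov ed25519.PrivateKey, citizenAge, minAge int, nonce []byte, ttl time.Duration) (Claim, []byte, error) {
	if citizenAge < minAge {
		return Claim{}, nil, errors.New("holder does not meet the age threshold")
	}
	c := Claim{Nonce: nonce, MinAge: minAge, Expires: time.Now().Add(ttl).Unix()}
	msg, _ := json.Marshal(c) // struct field order is fixed, so the bytes are reproducible
	return c, ed25519.Sign(gov, msg), nil
}

// Platform models the site. It remembers the nonces it handed out, so a proof is
// accepted once, only by the session that requested it, and cannot be lent out.
type Platform struct {
	GovPub ed25519.PublicKey
	Issued map[string]bool
}

// NewNonce starts a verification session; the citizen takes the nonce to the issuer.
func (p *Platform) NewNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	p.Issued[string(n)] = true
	return n
}

// Verify: nonce is ours and unused, signature is the government's, threshold and expiry hold; then burn the nonce.
func (p *Platform) Verify(c Claim, sig []byte, required int, now time.Time) error {
	if !p.Issued[string(c.Nonce)] {
		return errors.New("unknown or already used nonce")
	}
	if msg, _ := json.Marshal(c); !ed25519.Verify(p.GovPub, msg, sig) {
		return errors.New("signature does not verify")
	}
	if c.MinAge < required || now.Unix() > c.Expires {
		return errors.New("proof does not cover the required age or has expired")
	}
	delete(p.Issued, string(c.Nonce))
	return nil
}
```

The platform ends up with nothing but "this session proved 18+", and the issuer sees nothing but a random nonce; the "fancier" variant mentioned above would additionally blind the signature so even a colluding issuer and platform could not link the two.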
> What is the incentive for the citizen to make sure their authentication isn't shared?
What incentives do people today have for keeping their identifications to themselves? Why aren't we all sharing CC numbers? Because we realize some data is "personal" and isn't to be used by others, like our username+passwords or whatever. This isn't exactly a new concept, just look at how it works for anything else that is tied to you.
Not being liable for loans they didn't take out themselves, being the recipient of government benefits they are owed, etc. I'm sure you have heard of identity theft before, but it sounds like you haven't heard of why it's a bad thing. It's not just a privacy thing.
In this scenario the government knows all the age-restricted sites I've visited. I'd argue that is worse than if all the age-restricted sites I've visited know who I am...
(FTR I don't know what I think about age restrictions in general, but I'm pretty sure there's no implementation that comes without negative side effects)
I also kinda hate the whole idea of needing explicit permission from the government to access the open web, regardless of whether or not they know which specific sites they're giving me permission to access.
(If the government does the incredibly overbearing thing and does not do the simple and effective and unintrusive thing, it proves their motivations are surveillance)
You can use it too, just put this in as a meta tag:
<meta name="RATING" content="RTA-5042-1996-1400-1577-RTA" />
Or send the following header:
Rating: RTA-5042-1996-1400-1577-RTA
So no different to the rules around buying an 18+ DVD.
This is win win for kids. It’s not a win for adults who now have to expose their identity.
But isn't that exactly the problem? What are you confused about? You think there's no issue with violating the privacy of all adults as long as children are unaffected?
This view also makes a mockery of free speech, which was originally intended to allow mature adults to take responsibility and ownership of their actions and beliefs, not run away from them. The idea of running away from your actions and beliefs, in the name of freedom, inverts the entire philosophical foundation.
"You must give the government more control of your life or you hate children." is a bad argument.
The cypherpunk ideology has convinced you that any form of identity verification equals totalitarian control, which is precisely the absolutist thinking that prevents reasonable child safety measures, and got us here. There's a massive middle ground between 'anonymous free-for-all' and 'government surveillance state' that you're pretending doesn't exist.
You might say that's a slippery slope. However, government at all is a slippery slope: a senator can literally propose anything at any time, and a Supreme Court ruling can practically do whatever it wants. And yet, every attempt at living without a government has always been worse. The internet right now is like living in an anarchic society with moderators and tech companies as warlords. The warlords don't see a problem with this, but the majority of people underneath know full well there's a government already.
The cypherpunk ideology doesn't keep government out of tech. It just creates worse governments with less accountability and more power.
No widely accepted philosopher ever sat down and said, "You know what, a free method of communication, with no restrictions, with no connection to identity, will benefit humanity as a whole."
No widely accepted religion ever sat down and said, "You know what, a method of disassociating speech from the person, without restriction, will benefit humanity as a whole."
No founding father of our country ever sat down and said, "You know what, the first amendment is stronger, the further we separate people's identities and morality judgements, from their arguments."
No scientific thought leader ever sat down and said, "You know what, I've done the research, and found kids that are exposed to the internet are 30% more contentious and 22% more forgiving, showing this is the right direction for society."
No classical liberal philosopher who argued for free speech thought this was a good idea. When they argued for free speech, the whole point was allowing people to accept personal responsibility for their opinions and beliefs, without a government forcing responsibility. Free speech for the sake of free speech, without any responsibility, wasn't in their wildest dreams.
This religion is solely "how do I do whatever I want without anyone telling me what I can't do." I want maximum freedom with zero personal responsibility. The only defense is that it works out for the good about 0.1% of the time; there might be some dissidents in China who benefit, even though millions of kids are traumatized and 40% of the internet is robot traffic. There's no philosopher behind it, no science behind it, no religion behind it, just pure self-interested narcissistic anarchy.
To quote The Ethereum Foundation: "Rather than bend the knee to Donald Trump, the goal of the cypherpunk movement is to abolish the state in order to maximize human freedom via privacy-enhancing decentralized technologies. After reviewing the history of this deviant group of programmers in the 1980s, what philosophical and technical lessons do the cypherpunks hold for Ethereum today? Censorship-resistant digital cash was only the start, and the missing parts of their legacy: mixnets and anonymous credentials for identity."
This reveals no other information to the site.
The EU is on track to deploy such a system by the end of 2026. They are currently doing field testing involving thousands of users.
And AFAIK unless the company has a database/API for all the existing IDs in the world, I would think it doesn't stop forged IDs from existing.
And even then, corrupt employees could still issue forged IDs... there's no guarantee that a single ID equals a single person forever.
FAQs:
Q: Why should I give some stranger on the internet a copy of my government ID?
A:
Your private DMs being unencrypted means that they are semi-private DMs. E2E should be enforced everywhere.
Also, "private DMs" would more accurately be called PMs.
In the context of public-broadcast social media, the service's ability to moderate abusive uses of a DM system is probably more important to me than the ability to have absolute control over who reads my messages.
I also think the private DMs might be hosted externally to ATProto because that is all meant to be public information or something.
I would assume that the age verification is built at the app layer, so you could use an alternative app (I think they call them AppViews?) to get around the age verification thing. Don't know if alternatives really exist today though, there are probably some.
You can migrate your PDS (data server) away from bluesky's servers to another host, and as of a few days ago you can migrate back. (only if you initially signed up to bluesky, not if you started off self-hosting)
The following gist is good to glean how the age-verification system works: https://gist.github.com/mary-ext/6e27b24a83838202908808ad528...
I don't think that matters in this context where the rules apply regardless of decentralization. However, I believe that you can in fact just use the protocol without any of the "age verification" nonsense the UK government has imposed on us.
The smarter thing is the thing we already have with email (and that Mastodon can do) -- you have to place trust somewhere, so do it with whatever decentralized server you choose. I get that it's not robust -- or more specifically you DO have to trust whoever's running the server -- but that's better than the now obvious goofy centralization that Bluesky is subject to.
Bluesky's apps have the verification, but everything else using the protocol can just not implement it.
From what I understand of BlueSky, a personal PDS can host accounts and content, but the network depends on big hubs like the main bluesky instance. It almost feels more like a convenient cost cutting strategy from the company behind BlueSky than actual decentralization. Correct me if I'm wrong.
This sounds worse than Mastodon. As for Nostr, it is more of a one-to-many system where a user signs a message and posts it to a bunch of relays where it can be fetched, all while said message itself contains hints where to find it.
Isn't that moderation?
What is frankly baffling is that after the past two decades someone would still believe more money equals better customer service, or that VC-funded companies care even the smallest bit about you.
From their privacy policy page:
Data Protection Officer: Bluesky has appointed a Data Protection Officer (DPO). You may contact our DPO at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, HR2 6JT, dpo@ametrosgroup.com.
Data Protection Representative: Bluesky has appointed a Data Protection Representative (DPR) for both the UK and EU. You may contact Bluesky's EU Representative at Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland, gdpr@ametrosgroup.com. You may contact Bluesky's UK Representative at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, England, HR2 6JT, gdpr@ametrosgroup.com.
This shows that the author should file a complaint with the Irish DPA (assuming they're an EU national) or the UK's DPA if they're from there. Bluesky repeatedly exceeded the applicable legal deadlines. They seem to have outsourced their compliance to https://ametrosgroup.com/ which would probably explain why it takes forever to get them to comply; the people dealing with the legal paperwork don't have access to the API to run a data export because they're a completely different company.
> the author should file a complaint with the Irish DPA
Good luck with that. If you follow the work done by noyb, what you quickly learn is the Irish DPA loves US companies and giving them a pass. They actively defend them. The new Irish DPC commissioner is a former Meta lobbyist.
https://noyb.eu/en/former-meta-lobbyist-named-dpc-commission...
Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.
Is the email "From" field safe to trust? Can it be spoofed?
Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
If a user's inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?
Isn’t that the general practice?
Maybe with extra steps, but most services allow the “I just forgot my password -> I get a recovery email” flow, which trusts that the email from which the account was created is proof of identity. Then you get access to everything else with the password.
You can only use what you know of the client, to verify their request.
Proof of control of the only identity you have tends to be "fair and reasonable".
You send a message to the email address listed on the account. You don't reply to the initial email.
To clarify what happened to me. I emailed them from an account which was not the same as the one used to sign up. (I emailed from admin@example, but the BSky address was 1234@example.com)
They replied saying that they required me to email from the address associated with the account.
I logged into BSky, changed the email address (to admin@), then replied to their message.
They then replied to the account's email. I had successfully demonstrated that I was the person in control of the account.
> Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
The law is about proportionality. Would a reasonable person / process assume that only the user controls their email? For a social network, probably. If this were a medical service, it might require passing 2FA.
> If a user's inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?
Yes. But they could also do a password reset. Having MFA helps here.
By the time someone has access to an email account, they could just reset the password and access the data anyway, no loss of trust.
> Is the email "From" field safe to trust? Can it be spoofed?
If it matches the account email address, send the response to that email. A simple spoof will only lead to the user getting a "your gdpr export is ready" but the attacker can't get to the data.
Sounds about right for a platform created specifically because another platform stopped censoring things.
Undeniably a low-effort and unhelpful comment on my part.