Q&A highlight
Posted3 months ago
Key Takeaways
I also think the private DMs might be hosted externally to ATProto because that is all meant to be public information or something.
I would assume that the age verification is built at the app layer, so you could use an alternative app (I think they call them AppViews?) to get around the age verification thing. Don't know if alternatives really exist today though, there are probably some.
I don't use it for that reason. I do use nostr, Mastodon and Lemmy
You can migrate your PDS (data server) away from bluesky's servers to another host, and as of a few days ago you can migrate back. (only if you initially signed up to bluesky, not if you started off self-hosting)
The following gist is good to glean how the age-verification system works: https://gist.github.com/mary-ext/6e27b24a83838202908808ad528...
From what I understand from BlueSky is that personal PDS can host accounts and content but the network depends on big hubs like the main bluesky instance. It almost feels more like a convenient cost cutting strategy from the company behind BlueSky than actual decentralization. Correct me if I'm wrong.
This sounds worse than Mastodon. As for Nostr is more of a one to many system where a user would sign a message and post it to a bunch of relays where it can be fetched all while said message itself contains hints where to find it.
But on Nostr you can build a social app that uses only your relays and your relays can reject anything from everyone else
Bluesky's apps have the verification, but everything else using the protocol can just not implement it.
The smarter thing is the thing we already have with email (and that Mastodon can do) -- you have to place trust somewhere, so do it with whatever decentralized server you choose. I get that it's not robust -- or more specifically you DO have to trust whoever's running the server -- but that's better that the now obvious goofy centralization that Bluesky is now subject to.
I don't think that matters in this context where the rules apply regardless of decentralization. However, I believe that you can in fact just use the protocol without any of the "age verification" nonsense the UK government has imposed on us.
What is frankly baffling is that after the past two decades someone would still believe more money equals better customer service, or that VC-funded companies care even the smallest bit about you.
From their privacy policy page:
Data Protection Officer: Bluesky has appointed a Data Protection Officer (DPO). You may contact our DPO at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, HR2 6JT, dpo@ametrosgroup.com.
Data Protection Representative: Bluesky has appointed a Data Protection Representative (DPR) for both the UK and EU. You may contact Bluesky's EU Representative at Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland, gdpr@ametrosgroup.com. You may contact Bluesky's UK Representative at Ametros Group Ltd, Lakeside Offices, Thorn Business Park, Rotherwas Industrial Estate, Hereford, Herefordshire, England, HR2 6JT, gdpr@ametrosgroup.com.
They seem to have outsourced their compliance to https://ametrosgroup.com/ which would probably explain why it takes forever to get them to comply; the people dealing with the legal paperwork don't have access to the API to run a data export because they're a completely different company.
> the author should file a complaint with the Irish DPA
Good luck with that. If you follow the work done by noyb, what you quickly learn is the Irish DPA loves US companies and giving them a pass. They actively defend them. The new Irish DPC commissioner is a former Meta lobbyist.
https://noyb.eu/en/former-meta-lobbyist-named-dpc-commission...
Hey, when somebody sends you an email asking for personal data, how do you verify that the person making the request is the same as the person who uses the email.
Is the email "From" field safe to trust? Can it be spoofed?
Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
If a users inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?
You send a message to the email address listed on the account. You don't reply to the initial email.
To clarify what happened to me. I emailed them from an account which was not the same as the one used to sign up. (I emailed from admin@example, but the BSky address was 1234@example.com)
They replied saying that they required me to email from the address associated with the account.
I logged into BSky, changed the email address (to admin@), then replied to their message.
They then replied to the account's email. I had successfully demonstrated that I was the person in control of the account.
> Is it legal to assume that the controller of an email address is the same as the person who created the account using the email address?
The law is about proportionality. Would a reasonable person / process assume that only the user controls their email? For a social network, probably. If this were a medical service, it might require passing 2FA.
> If a users inbox has been compromised, can somebody just use GDPR to get all the DMs and data from every other service despite not having passwords to those services?
Yes. But they could also do a password reset. Having MFA helps here.
You can only use what you know of the client, to verify their request.
Proof of control of the only identity you have, tends to be "fair and reasonable".
By the time someone has access to an email account, they could just reset the password and access the data anyway, no loss of trust.
> Is the email "From" field safe to trust? Can it be spoofed?
If it matches the account email address, send the response to that email. A simple spoof will only lead to the user getting a "your gdpr export is ready" but the attacker can't get to the data.
Isn’t that the general practice?
Maybe with extra steps, but most services allow the “I just forgot my password -> I get a recovery email” flow, which trusts that the email from which the account was created is proof of identity. Then you get access to everything else with the password.
> I think that's pretty reasonable.
You lost me right there. Blocking DMs because of draconian age verification is not reasonable. There's nothing inherently problematic about DMs. Someone can be a creep in public just as easily as in DMs.
I've always taught my children never to use their real names online. Precisely to avoid creeps. Mandatory age verification means mandatory identification.
Most age verification services use either government providers or 3rd party providers. I show my passport (or whatever) to the third-party. They relay to the site "this user is / isn't over 18". They don't send the DoB, address, photo etc.
So the online service only receives a binary yes/no and nothing else. I don't lose any privacy there.
The third-party knows that you wanted to be verified on service xyz, but not what you do there. Depending on the service I'm using, I may or may not care that they know.
Handing over a passport / licence to get into a bar leaks more information than that.
These third parties tend to be US based, as well. That always raises privacy questions due to "Safe Harbor". It was completely stupid of the government not to even provide a UK age verification service before putting this in place.
There are lots of age-verification providers in the UK / EU. The industry had plenty of notice this was coming and reacted accordingly.
"Do it intentionally" is a funny way to spell "I'm forcing you to do it by law and if you don't you won't be allowed to communicate with other humans in a digital form or access digital content".
And even then it's still a leak when the provider inevitably gets hacked and all your data is out there and you have no legal recourse to get reasonable compensation for it.
how can you trust 3rd party providers?
I'd rather trust an organisation which stakes its business on being secure than handing over my ID to anyone.
The penalties of serving alcohol to under aged are high, potentially losing your license to sell alcohol. Regulators perform random checks with plants to verify proper protocols are followed.
In the UK, that usually means being certified by https://accscheme.com/registry/ or similar. Just saying "I asked some random provider to verify" isn't going to cut it.
Incidentally, $5 is around 10x more expensive than most providers.
In the US, the recent federal bill aimed at age verification is more of an 'honor system', where just a yes/no box would suffice. Their position seems to be that it's not the government's job to try to prove you're not lying.
Japan does the same thing when you buy beer or cigarettes, you just tap "I'm at least 20" on the screen and off you go.
By sending your gov ID(s) to a third party? You do! They will leak (or leak and then sell) your ID with your name to those who wants to buy it. With services you've ever authorized with them, and probably the list of services you visit with timestamps. As it's NOT the one-time token, I'm pretty sure it has to be renewed from time to time (12h expiration? 1h? Who knows).
This is a system designed for tracking and control.
Say you have a digital certificate from the government or similar that you use to do your taxes online or whatever, the government could have endpoints where you could use that certificate for signing a proof, that you then hand over to the platform you want to verify your age with. The platform can then confirm it's valid, and that $AGE>X, but they get no other details.
You can even go a bit fancier/more complicated, and the government endpoints wouldn't know what platform you're trying to verify.
What is the incentive for the citizen to make sure their authentication isn't shared?
But as long as the platform who need to validate that you're an adult don't get your identity, but just the proof, I don't see what the problem is?
> What is the incentive for the citizen to make sure their authentication isn't shared?
What incentives do people today have for keeping their identifications to themselves? Why aren't we all sharing CC numbers? Because we realize some data is "personal" and isn't to be used by others, like our username+passwords or whatever. This isn't exactly a new concept, just look at how it works for anything else that is tied to you.
In this scenario the government knows all the age-restricted sites I've visited. I'd argue that is worse than if all the age-restricted sites I've visited know who I am...
(FTR I don't know what I think about age restrictions in general, but I'm pretty sure there's no implementation that comes without negative side effects)
I also kinda hate the whole idea of needing explicit permission from the government to access the open web, regardless of whether or not they know which specific sites they're giving me permission to access.
Not being liable for loans they didn't take out themselves, being the recipient of government benefits they are owed, etc. I'm sure you have heard of identity theft before, but it sounds like you haven't heard of why it's a bad thing. It's not just a privacy thing.
So no different to the rules around buying an 18+ DVD.
Thus the user never has direct access, yet can use it to issue proof of age.
[1]: https://ageverification.dev/av-doc-technical-specification/d...
I work in software (for way too long, since the 90s) and as far as i can tell any system which can prove your age is at best pseudonymous and needs 3d parties to verify.
Sure, you could create a scheme where only a 'trusted' 3d party has the link between you and your cert. But these days 'trusted' and government is not really a given, sadly. See trump.
This reveals no other information to the site.
The EU is on track to deploy such a system by the end of 2026. They are currently doing field testing involving thousands of users.
And if you can, what stops you from creating accounts and giving them to others?
And AFAIK unless the company has a database/API for all the existing IDs in the world, I would think it doesn't stop forged IDs from existing.
And even then, corrupt employees could still issue forged IDs... there's no guarantee that a single ID equals a single person forever.
This is win win for kids. It’s not a win for adults who now have to expose their identity.
But isn't that exactly the problem? What are you confused about? You think there's no issue with violating the privacy of all adults as long as children are unaffected?
This view also makes a mockery of free speech, which was originally intended to allow mature adults to take responsibility and ownership of their actions and beliefs, not run away from them. The idea of running away from your actions and beliefs, in the name of freedom, inverts the entire philosophical foundation.
"You must give the government more control of your life or you hate children." is a bad argument.
The cypherpunk ideology has convinced you that any form of identity verification equals totalitarian control, which is precisely the absolutist thinking that prevents reasonable child safety measures, and got us here. There's a massive middle ground between 'anonymous free-for-all' and 'government surveillance state' that you're pretending doesn't exist.
You might say that's a slippery slope. However, government at all is a slippery slope, a senator can literally propose anything at any time, and a Supreme Court ruling can practically do whatever it wants. And yet, every attempt at living without a government, has always been worse. The internet right now is like living in an anarchic society with moderators and tech companies as warlords. The warlords don't see a problem with this, but the majority of people underneath know full well there's a government already.
The cypherpunk ideology doesn't keep government out of tech. It just creates worse governments with less accountability and more power.
I would support reasonable measures to block children from accessing pornographic content, but making people upload government IDs or biometric data does not belong to the realm of what is reasonable.
> I've always taught my children never to use their real names online. Precisely to avoid creeps. Mandatory age verification means mandatory identification.
“Adults shouldn’t have to reveal their identities” is a totally legitimate concern. It’s also very different from the child scenario in this case because the entire point of revealing the identity is to gain access to features a child should not have access to.
These schemes are one implementation error away from exposing/tracking peoples identities (even more than they are already tracked).
IMHO kids watching porn is firmly in the domain of parenting, and not a governmental task.
Do you actually believe this? The logical implication of this stance is that stores should be able to legally sell pornography to children.
Fact is that most people are generally very happy to have the government play the part of protector for children. The government in the US stops children from buying tobacco products, marijuana, alcohol, pornography, and many other things deemed dangerous to kids and for the most part people have no problem with that.
When it gets to the internet people suddenly have a problem because age verification is generally synonymous with tracking. And I agree tracking is a huge concern. But let’s not pretend that the government stepping in to protect children is actually an unreasonable thing.
FAQs:
Q: Why should I give some stranger on the internet a copy of my government ID?
A:
The tor project was built specifically to ensure anonymity for internet traffic, and it works well as far as I know.
Phone numbers are not the same, countries require you to verify your identity to sign up for a phone plan, most sane countries have a government identity tied to each and every phone number, and proxying doesn't change that.
The US is weird in that it has some anti-government-identity stance that makes this way less centralized, but regardless, phone numbers are mostly traceable, there's nothing like tor, and the law also treats sms as more traceable.
Phone plans also cost at least something to sign up for.
I will give you that physical letters can be anonymous, but due to postage stamps it's much more expensive to send them in excess.
The cost of such services is irrelevant in the present discussion, as we are dicussing sending targeted malicious messages, not untargeted spam.
There’s a nerd gambit where we say well technically you can trace IP addresses too but in practice it’s much faster and easier for police to track someone down by phone number than to go through all the steps of tracing someone’s activity through a service provider and then to their ISP and then to their household.
It’s not the same at all.
But the reality is the local police don't have jurisdiction either in other localities or other countries.
If it actually worked as you described, toll fraud and scam call centers wouldn't exist.
The reason OSA puts DMs in scope is because they are out of view of the public. If you start creeping on someone where it is viewable, people will call you out.
If you do it in private it becomes "our little secret".
That's how groomers work. Go talk to any kid blackmailed into doing something they didn't want to do. It often starts with private messages.
Definitely not true.
Public messages risk a wide audience seeing the message and recognizing it’s inappropriate, then taking action against the person, reporting them, or highlighting the inappropriate messages for mob reprisals.
This is why predators overwhelmingly prefer private messaging where they can control visibility of their actions to a single vulnerable target.
Anyone can easily circumvent this by using asymmetric cryptography to encrypt their messages.
They're going to move to another platform where they can find targets who have DM functionality available. BlueSky's job is done.
Great choice of words here, it's an accurate description of the terror of the commons. Force everything into a public venue so we're all watching each other and then get every one invested in reporting on everyone else's behavior.
Meanwhile in the name of "saving the children" from their poor parents we continue to add restrictions, laws and strip rights.
> This is why predators...
We had plenty of these before the internet, the idea that these sorts of laws change any of that is just naive.
There's no inherent terror in it. Self governing communities on the internet need some means to monitor themselves just like they do offline. Communities before the internet didn't let unknown adults in their community have one-on-one conversations with children unsupervised. That's not a right or a common practice.
Before the internet when you went you joined a community you had to show your face, not a lot of clubs I'm aware of that involve minors where people in a balaclava where welcome.
Go watch the classic black and white "Frankenstein" for a portrayal of mob justice. Torches and pitchforks!
How about the French Revolution... where the head of the mob meets the same end, with the loss of his head?
> Self governing communities on the internet need some means to monitor themselves just like they do offline.
This is also an accurate description of a lynching. You think we're doing better on line, see reddit getting the Boston bomber wrong.
No, it isn't. It's an accurate description of policing. A standard practice in human societies. If you think not letting anonymous people talk to children amounts to the French Revolution or lynching maybe get out some more. Not how the real world works. Never has, never will. People tolerated it on 90s internet chatrooms because it was all middle aged dudes, doesn't fly when it becomes an actual town square.
You're defending this, as policing?
> If you think not letting anonymous people talk to children
Follow this rational to the end state, and we should all have to keep our kitchen knives chained to the counter because they might be used to stab someone.
Let's ban chemistry cause someone might make a bomb.
Everyone should wear helmets all the time cause they might trip and bump their heads.
Dont tell me you're saving the children with the digital version of "papers please". Dont pass a law where "parenting" is the real and easy solution.
Bluesky is a company, not a "self-governing community." They didn't have a legislative process to decide to do this.
As everyone knows, risk is unacceptable!
And inappropriate is of course an objective classification.
You should definitely talk to some women. They generally have a drastically different, dick filled, experience with DMs. Multiply that by the felonies involved with interacting with a minor, the legal requirements of COPPA, and the PR problems of things like "grooming groups found on <platform>", and the problems become more clear.
Of course, the real issue is parents giving their children unrestricted access to the internet.
This aside from the question of just how fragile many minors are if "exposed" to things like porn.
Anecdote of course, but I was able to view all kinds of dirty stuff well before I was of legal age in my country, and who can forget the now legendary rotten.com website, as just one example. None of this made me or any of my many friends at the time turn into raging pedophile serial killer schoolshooter psychopaths.
These sorts of proposals are in part a rehashing of the utterly idiotic blame game against video games for cases of truly disturbed minors who ended up committing mass murders in the past.
Some people are just going to end up badly disturbed by default or much more systemic causes like a bad home. A mass sanitization of all possible sources of content and media applied to everyone unless they consent to X or Y heavy intrusion won't change that.
If anything, I see rules for content control in minors as a very convenient step by government to kill two birds with one stone: On the one hand, implement more social control, surveillance and normalization of restricting access to unpredictable media (dangerous that for government bureaucrats who want to control narratives). On the other hand, offset blame for systemic problems in a society on "dangerous online content" instead of government's own potential failures in managing a legal system, mental health services or economic administration and etc.
I agree and yet blaming negligent parents doesn’t help the children. These sorts of mandates don’t make any sense when I think about my kids, who have devices quite locked down. These sorts of mandates make a lot of sense when I think about all the kids who have unfettered access to the worst parts of the internet.
Now, of course, I'm not naive -- I understand that this idea is extremely unlikely to catch on and we're probably well past it. But still going to put it out there because I think it makes the most sense.
Others devices are not public property.
I would argue that one could be MORE of a creep and lewd in DMs than in public.
Your private DMs being unencrypted means that they are semi-private DMs. E2E should be enforced everywhere.
In the context of public-broadcast social media, the service's ability to moderate abusive uses of a DM system is probably more important to me than the ability to have absolute control over who reads my messages.
Also, "private DMs" would more accurately be called PMs.
Sounds about right for a platform created specifically because another platform stopped censoring things.
Undeniably a low-effort and unhelpful comment on my part.
Isn't that moderation?
12 more comments available on Hacker News
Not affiliated with Hacker News or Y Combinator. We simply enrich the public API with analytics.