Who owns your ATProto identity?

6/21/2026 at 2:54:54 PM

Most people don’t worry about it for the same reason they don’t worry about GitHub abusing their GitHub account and are even willing to use “login with GitHub” to access their other accounts. Account takeover by a third party is a bigger risk. If you’re concerned about supply chain risks, there are more important concerns than “what if GitHub itself is a bad actor.”

It’s solvable if you’re willing to self-host your PDS.

But I’m skeptical of the attempts to make a PDS an “everything account.” Why should you use the same PDS for your social media posts and your git repos and your blog posts? Seems like we need to get better at locking things down in practice before that kind of centralization?

by skybrian

6/21/2026 at 3:52:11 PM

> Most people don’t worry about it for the same reason they don’t worry about GitHub abusing their GitHub account

Even with GitHub we don’t hand over our private keys to the GitHub server, though.

When I commit to my repos the commits are still signed by the private key that lives on my computer. Someone could take over my GitHub account and they wouldn’t be able to sign commits with the private key on my PC.

They could technically add a new public key and sign new commits with that key, but I could cryptographically point to the change and show that the key changed at time of takeover and disavow it.

by Aurornis

6/21/2026 at 4:46:28 PM

Good point, but how many projects require people to sign their git commits? it's not something I've had to do at all.

If you're not signing them then hosting on GitHub gives GitHub the ability to do arbitrary commits in your name. The repo's HEAD is whatever GitHub says it is.

by skybrian

6/21/2026 at 4:17:23 PM

right but that's possible with tangled too, that's a git specific thing

by throawayonthe

6/21/2026 at 4:36:30 PM

The whole claimed point of ATProto is to avoid stuff like this. If centralization isn't a problem, just use GitHub, or X, because platforms that don't try to decentralize work better.

by pocksuppet

6/21/2026 at 5:23:25 PM

Atproto gives users choice for where their data is hosted as well as the ability to migrate their data to a new host. Users who dont want to put trust in a provider can host it themselves. How is that not an improvement over being locked in to a single centralized provider?

by quasigod

6/21/2026 at 9:08:15 PM

The end of the article explains why this isn’t necessarily better than a centralised service. Yes - you can self host but no one (yes, there a few exceptions) does in practice. Your PDS host can pretend to be you on any atproto application.

by kevinak

6/22/2026 at 12:48:22 AM

How the addition of user choice doesn't make it better. I agree it's suboptimal, but I feel its still a clear improvement over centralized services. Getting to choose who, if anyone, I trust as my provider is better than having no choice.

by quasigod

6/21/2026 at 4:55:25 PM

If you assume that Bluesky won't suddenly turn hostile (we'll get some warning) then being able to migrate your PDS is better than what X gives you and about the same as being able to move your git repo off of GitHub.

by skybrian

6/22/2026 at 3:15:27 PM

We have warning right now with it being a VC-funded company.

by pocksuppet

6/21/2026 at 3:14:23 PM

This "social coding" thing Tangled has going on is cool but I don't want it. I hear they're figuring out private repos but for me, I don't want the same account I use for social for my code.

I'm probably in the minority though.

by NetOpWibby

6/21/2026 at 5:25:50 PM

Note that you don't have to have a social account. And there's work on the semi-distant horizon for creating sub-accounts which are independent but all under a common top level account kinda like how GPG conceptualizes subkeys or cryptocurrencies handle derivation keys.

For the current moment though you can just create an atproto account without creating a bluesky account. Tangled for example supports this on their site by creating one for their PDS and you can always move to another PDS in the future.

The over-arching idea isn't that your code is tied to your socials but rather that you can have a bunch of disparate services that you can interlink over a common identity layer and that those services are only loosely tied to the people/orgs hosting them but could be trivially hosted by anyone else.

by OneDeuxTriSeiGo

6/21/2026 at 7:44:52 PM

Social coding feels like the tiktokification of coding. It's already a thing on GitHub. In the old RMS days of free software, people wrote software and they released it. GitHub tries to make the process more about the issue tracking and stars than about the actual software.

by pocksuppet

6/21/2026 at 11:51:38 PM

I definitely use Github stars as a bookmarking mechanism

by NetOpWibby

6/21/2026 at 4:15:29 PM

Personally I think it should be optional, but meaningfully optional in a way that's technically sound and easier than it is now. I kind of feel like long term I'd want "professional/public" code I'd put my name on, and separate code I'd work on under a pseudonym/handle.

by rafterydj

6/21/2026 at 4:36:02 PM

> I don't want the same account I use for social for my code

Then create separate accounts?

by packetlost

6/21/2026 at 4:34:59 PM

Check out https://radicle.dev then.

by satvikpendem

6/21/2026 at 11:52:49 PM

Radicle is too confusing to me. I want to like it though, it looks cool. I appreciate it doesn't look like a Temu Github like almost every alternative.

by NetOpWibby

6/21/2026 at 7:17:51 PM

Correct, but it’s not decentralized in any meaningful way, which is what a lot of ATProto proponents want you to believe.

No one (not literally of course) self hosts their PDS. Like 99.9%, if not more, are using the Bluesky PDSes.

by kevinak

6/21/2026 at 3:35:02 PM

[dead]

by speedwoof

6/21/2026 at 3:01:14 PM

Who owns your domain name? Hint: it’s probably not you. Your hosting provider could take down your domain, or even steal traffic and direct it to their own IPs

by rbren

6/21/2026 at 3:45:56 PM

This cheap criticism of the headline doesn’t actually apply to the problems brought up in the article:

> Your PDS operator can post as you, like things as you, follow people as you, and it would be cryptographically indistinguishable from your real activity. The signatures are valid.

Your domain name owner or DNS provider cannot redirect your domain name to a different server and cryptographically impersonate you.

by Aurornis

6/21/2026 at 3:51:18 PM

Your DNS provider can obtain a TLS certificate for your domain and cryptographically impersonate https://yourdomain.tld

It's not exactly the same thing but it's close.

by jacobgold

6/21/2026 at 4:00:33 PM

Still not the same thing as in the article. Server side TLS certificates are widely understood to be tied to the current owner of the domain.

In a social protocol or context, I would expect a private key to be in the private control of the individual, such as when someone uses their private key to sign an email or git commit.

The purpose of signing your emails or commits is to provide a good indicator that it actually came from you, not someone who managed to get access to your email account at the time.

by Aurornis

6/21/2026 at 5:37:07 PM

> The purpose of signing your emails or commits is to provide a good indicator that it actually came from you, not someone who managed to get access to your email account at the time.

This is true and it's still true in the ATProto ecosystem but in a different context.

It asserts that events and records are authored by your PDS, not by you specifically. Which is certainly closer to the intent of TLS certs.

And technically you can maintain a PDS proxy that can only host, broadcast events, and receive content but that doesn't have any keys or signing capabilities.

Then you can have a local PDS that does your signing and sends signed events and records (basically signed state updates) to the PDS proxy to actually emit to the network. This then allows you to lock your keys behind a hardware key to better lock everything down. Of course there are trade offs to this. If it requires physical auth then it can only work on one device at a time or you have to self host it homelab style at which point it might just make more sense to host the PDS yourself anyways.

There's a project thats working on this very thing but I've not kept up with it and I can't remember what the name of it is. If any ATproto people in the comments knows the name/link feel free to reply under this to enlighten me + everyone else.

by OneDeuxTriSeiGo

6/21/2026 at 4:59:56 PM

If you use your private key to sign your commit, I don’t see how your PDS can impersonate it. There are different layers here. Your commit is still signed by you and non-impersonatable by the PDS operator. But the ATProto layer signing is under control of the PDS. So in that case you’d see either unsigned or differently signed git commits being reported at the ATProto layer as by you.

That seems entirely normal. The PDS handles ATProto actions but it cannot modify the git signature (obviously!). It’s no different than the fact that GitHub can post that you’ve committed a “verified” badge commit by adding a new signing key to your account and signing new commits with it.

The storage entity can always claim power over this by reporting a new key and signatures with that key. Seems entirely normal.

by arjie

6/21/2026 at 4:07:19 PM

This is why your DNS hosting provider, despite not being the "current owner of the domain", being able to impersonate your site (terminate a cryptographically secure TLS session) with your customers is a similar problem.

I do agree they're not the same but the trust and risk are very similar.

by jacobgold

6/21/2026 at 5:14:53 PM

DNS providers and registrars seem to have a longer trust established, that reduces the risk.

They are similar in that: jerks can be jerks. But one of the jerks I've trusted for 30 years and I hardly know the the other jerk.

by edoceo

6/21/2026 at 5:30:13 PM

Kind of. Your PDS can impersonate you but you can have higher ranked "recovery keys" that can undo/recover all the damage.

Socially whether you can explain off that your PDS acted maliciously or that it was hacked or whatever is a different story but if you keep recovery keys for your DID you can take back control and undo everything your PDS did that you didn't authorise pretty trivially. The UX for it needs to be improved but technically the process is super simple/straight forward.

And those recovery keys provide a mechanism for declaring "hey i didn't do this I was hacked" on top of specific events but nothing for taking advantage of that cryptographic opportunity has been built out yet.

by OneDeuxTriSeiGo

6/21/2026 at 6:38:38 PM

I do. I registered it directly with my ccTLD’s registry, which is a government agency. It’s tied to my national ID number, or to my company’s tax ID.

If my DNS provider messes up, I revoke their DNSSEC keys and point my domain to a different provider.

Domain registration should be national public infrastructure.

by drdexebtjl

6/21/2026 at 3:42:59 PM

Yes you do own your domain, as much as you can own your house. Your hosting provider can only take down your hosting, not your domain. Seizing domain names isn't very common. And by the way, with Web3 domains, you have full ownership via your own private key, with no need to pay rent. Is it possible to lose your house that you own? Yes. It's far more rare to lose a domain you own, by it being seized.

DNSSec is used to prevent unauthorized stealing of domains. Furthermore, if someone does steal one domain you own, they don't steal all your accounts across all domains. If they take over your hosting, that's a fixable problem -- you just repoint the domain.

Now, having said that, I designed the Safebox exactly to prevent these scenarios from happening, and create an actually solid foundation for decentralized social networking, AI workloads, etc. If anyone is interested, probably the best link to begin reading about it is: https://safebots.ai/about (If you do, I'd love to hear your thoughts)

by EGreg

6/21/2026 at 4:00:50 PM

Seizing domains is a lot more common than it used to be though, enough that it's a real concern for me personally, and I'm not sure there is a viable solution at the moment. There is also the concern of countries/governments or specific ISPs simply blocking access to one's domain in various ways... and the number of authoritarian regimes that have been blocking large portions of the Internet has only grown with time.

And regarding DNSSEC... if your domain is taken by the registrar (court order, ToS violation, etc.) or a government that can command the parent TLD to act, they can just revoke your old key and transfer the domain to someone else (or setup a placeholder under their own DNS) and now your protection and all concept of ownership is completely gone without your consent. This happened a few years ago with Epik seizing the soyjakparty and kiwifarms domains, including their hosting from a subsidiary company Terrahost... and KF has never even lost a lawsuit, but there are some specific people that really don't like them, and have gotten adept at claiming ToS violations via every possible company that touches them in order to try to make them go away.

by ranger_danger

6/21/2026 at 4:00:28 PM

In addition to the fact that almost nobody uses DNSSEC, it solves none of the problems indicated by this article.

by tptacek

6/21/2026 at 4:43:05 PM

Right, but neither do these problems apply to domains, as much as they apply to ATProto accounts.

You don't even have the frameworks that are available to protect domains. (Domain lock, transfer, etc.) And registrars are regulated by laws and frameworks in ways ATProto hosts aren't. Don't get me wrong, if a registrar transfers your domain due to a social engineering attack on the registrar, then you might lose it (an attacker almost did this to me once via a SIM swap, and I had to call GoDaddy to prevent the transfers). But that's not the same as, say, hacking the web hosting server.

In any case, tptacek, Safebox is supposed to solve these actual problems, by making sure no one can actually get into the box (no ssh, etc) so it's a "neutral ground" that no one can really "own", "redirect", steal keys or impersonate you. If you read https://safebots.ai/about you'll see what I'm talking about. If you do, I'd love to read any feedback you might have, given your background in security!

by EGreg

6/21/2026 at 4:09:10 PM

> Yes you do own your domain, as much as you can own your house

Uh, no.

I can legally shoot and kill intruders due to castle doctrine and stand your ground laws in my physical home. And legal invasions require being in front of a judge and a search warrant.

A domain can be seized for 'terms of service' (aka kangaroo court) reasons. Stand your ground nor castle doctrine doesn't apply to your digital house.

by nekusar

6/21/2026 at 4:38:21 PM

Let's compare apples to apples, shall we.

How many houses were actually seized, repossessed, commandeered with "eminent domain", slowly taken over via "adverse possession", encroached on with easements and air rights, and whatever else? Versus how many domains?

There is no violence on the internet. You can't shoot intruders. And that's a great thing.

Put in legal terms, you do NOT have this level of ownership to your house... and you certainly do not have sovereign immunity on your land: https://en.wikipedia.org/wiki/Allodial_title

Usually the best you can get is this: https://en.wikipedia.org/wiki/Fee_simple

You probably have something more like this: https://en.wikipedia.org/wiki/Freehold_(law)

What you are describing is more like the king of England being able to shoot people on his own property, and have full sovereign immunity (in theory, I mean recently a British prince was arrested on allegations of far less).

by EGreg

6/21/2026 at 6:11:14 PM

I'm not sure where you're from, but in my state, we have "Castle Doctrine" and "Stand your Ground" laws.

That means if you are a home invader, I can legally shoot and kill you. There'll be an investigation, but both statutes are affirmative defenses to killing.

Its not that I want to, or look forward to it. I don't, and I hope I never have to. But I will, if I'm forced.

by nekusar

6/21/2026 at 7:09:45 PM

I am familiar with it. But even then it applies only “if a person is under an imminent threat of serious physical harm or danger by a guest (or an intruder) in their home, they do not have to attempt to safely escape the situation prior to using physical force; the homeowner may immediately use force to eliminate the threat in their home.”

For example shooting a 5 year old kid who trespassed on your property isnt covered

by EGreg

6/21/2026 at 4:34:37 PM

Domains typically can’t be seized for arbitrary ToS violations, as registrars who do this can lose their accreditation with ICANN (and thus their ability to host domains at all). If the registrar could “frame” you for something like DNS abuse then maybe they could justify a suspension, and if they don’t unsuspend it after you correct the issue, you’d have to file a complaint with ICANN to (hopefully) get it back. If something like this happened and became public, though, the registrar would lose tons of business, as people would develop doubts about the registrar’s reputation.

by iamnothere

6/21/2026 at 4:03:16 PM

If its an Onion (Tor) hostname, you absolutely do own it. Sure, its not memorable being a 128 bit hash. And nobody else can impersonate nor take.

And for lower bandwidth tasks, Tor Onions can't be beat. Just make sure to use 2fa on services you offer to keep the trash out. Things like fail2ban don't work the way you intend.

by nekusar

6/21/2026 at 8:13:18 PM

Let me just require a phone number for my totally anonymous drug-market service

by pocksuppet

6/21/2026 at 3:07:20 PM

But without private keys they can't pretend to be the same you. There is a very big difference here.

by PunchyHamster

6/21/2026 at 3:18:34 PM

Right, if Bluesky ever does do something hinky with your PDS, the operation will be signed with their key and persisted in the operation log which they're unable to touch. You can outright remove Bluesky's key if you want, though I think that only works within some number of days of creating it.

by chuckadams

6/21/2026 at 8:44:02 PM

It's probably one of few places where blockchain would be actually useful; just use it as a history of users keys to validate against, so any domain takeover or similar event would at least not allow stealing user's handle

by PunchyHamster

6/21/2026 at 7:45:36 PM

More importantly, ICANN can seize your domain if you don't comply with US law (e.g. if you call for a boycott of Israel) unless it's under another country's ccTLD.

by pocksuppet

6/21/2026 at 3:11:38 PM

Can you move a DNS record AND make it look like I signed off on it?

The author's concern seems to be more focused on impersonation

by handoflixue

6/21/2026 at 5:36:26 PM

Do you use your own CA? Would you expect users to even notice if the certs were suddenly issued by LetsEncrypt? Or are you signing traffic using something other than TLS, where the domain name doesn't really matter anyway?

by Zambyte

6/21/2026 at 3:08:28 PM

that is why you have did:plc in ATProto but that doesn't resolve the concerns raised in this article.

by opem

6/21/2026 at 3:00:42 PM

One of the core features of AT is the ability to move your repo hosting provider (PDS) at any time. This is the "data portability" problem that ActivityPub never solved.

Bluesky Social, PBC runs a PDS service (bsky.social) for free, there are a number of free public alternatives, and thousands of users self-host.

Self-hosting your own PDS can be done with Raspberry Pi or $5/mo VM and requires very little work. It runs in a Docker container with SQLite.

https://github.com/bluesky-social/pds

by jacobgold

6/21/2026 at 5:18:33 PM

You can host it for free on Cloudflare using my Cirrus PDS: https://cirrus.earth/

by ascorbic

6/21/2026 at 8:50:48 PM

For anyone curious about the issues discussed in this topic, see:

Identity and your signing key https://cirrus.earth/concepts/identity/

> Cloudflare secrets are write-only: once set, they cannot be retrieved through the dashboard or the API. This is good for security and bad for recovery. The wizard prints the key exactly once during pds init. Save it then.

Also:

Back up your signing key https://cirrus.earth/guides/back-up-signing-key/

by skybrian

6/22/2026 at 3:02:02 PM

It's also worth noting that if you're using `did:plc` for your identity (the default for Bluesky and most places) then you can rotate your signing key if you lose it. It's only `did:web` that makes it impossible to recover or rotate a key.

by ascorbic

6/21/2026 at 7:03:53 PM

Brilliant, so happy to learn about this!

by CharlesW

6/21/2026 at 3:17:58 PM

You have the ability to move, as long as Bluesky Social PBC allows it.

They hold the keys for your DID. If they don't allow you to move to another PDS, you can't move. The original theory was that you'd hold the private keys, but that's something that would hugely limit adoption so they decided to hold the keys themselves.

In terms of moving your backlog of posts to a new server, part of the issue is liability (not merely legal liability, but reputational as well). When you have a user on your platform and they're posting stuff, you're moderating them in real time. If they turn out to be a horrible troll, you've get the reports. Let's say a horrible troll has been on EvilServer and EvilServer has been ignoring the reports against them. They now want to move to your GoodServer and bring all their post history with them. As an admin of GoodServer, you can't see that everyone has been reporting this troll for years. They're now moving over lots of horrible, inflammatory, potentially illegal posts to your server.

by mdasen

6/21/2026 at 3:21:45 PM

You can add your own keys to your DID, and IIRC you can even remove bsky's keys within a given timeframe (days).

by chuckadams

6/21/2026 at 3:24:13 PM

You can also opt for a did:web identity using your own domain in which case did:plc is irrelevant to you.

https://atproto.com/specs/did

by jacobgold

6/21/2026 at 5:34:58 PM

You can register a recovery key which allows overriding the signing key. This allows users to move from an adversarial PDS. I do think Bluesky should push for more users to add a recovery key, but I also understand why they haven't.

Moderation tools arent limited to specific PDS's, labels are public. If an account has received many reports it will have been labelled by Bluesky's moderation account and other independent labellers. A PDS can check against these before allowing an account to migrate if they choose to. I'm not sure any are currently doing this, but this is something that can absolutely be improved in current implementations, not an inherent limitation of the architecture.

by quasigod

6/21/2026 at 6:17:47 PM

How to adversarial migrate: https://www.da.vidbuchanan.co.uk/blog/adversarial-pds-migrat...

*requires your own PLC key, which the vast majority of users do not have, protonmail has good prior art here (imo)

by verdverm

6/21/2026 at 7:58:23 PM

Yeah, I think Bluesky should put more effort in getting users to create their own PLC key. It's trivial for someone who knows about it to do it, but of course the average user has no idea what atproto is. They need to explain it in a user-friendly way and have a simple tool to do it.

I'm not aware of what Proton does here, I'll look into that.

by quasigod

6/21/2026 at 8:02:50 PM

When you create a proton account, they create a recovery file for you and have copy about the importance and relevance at that point in onboarding. In other words, users shouldn't have to create their own PLC key, it should be created and downloaded on device automatically. I immediately thought "this is what bluesky should have done" when that happened (proton is recent for me), because this PLC key thing always comes up.

by verdverm

6/21/2026 at 7:21:54 PM

Yes you can but the vast majority don’t, and that is what matters. When Bluesky goes rogue because of profitability issues or VC pressure, the vast vast majority of users lose their identities on the wider network. Users will choose the path of least resistance. It’s all about incentives.

by kevinak

6/21/2026 at 3:13:52 PM

Except it isn't as straightforward as most people would think. The last time I checked this, I think there were some issues with Bluesky app view and it didn't show accounts from a self hosted PDS

by opem

6/21/2026 at 3:20:07 PM

You may have seen a temporary bug.

It's completely straightforward and it works. Tens of thousands of users are doing it successfully.

https://blue.mackuba.eu/stats/

by jacobgold

6/21/2026 at 5:15:11 PM

When was the last time you checked that? That is definitely not currently true and hasnt been for as long as I've used Bluesky.

by quasigod

6/21/2026 at 3:54:49 PM

I think most people don’t need to worry about their host abusing its power to impersonate them, but the cool thing is, the people who do need to/want to worry (journalists, politicians, celebrities, activists, open source maintainers, etc etc etc) can self host a PDS and be a lot safer, and still interact with everyone else.

by varun_ch

6/21/2026 at 5:23:26 PM

Sure, somebody else holds your identity, but it's pretty easy to control it yourself. By its nature if you're using somebody to host your stuff, you're trusting them with it. I made Cirrus so you can self-host your PDS for free, but you still need to trust Cloudflare to run it.

by ascorbic

6/21/2026 at 7:59:29 PM

It’s great that tings like this exist but as long as this is how identities work on ATProto it’s unfortunately going to be a niche thing.

by kevinak

6/22/2026 at 3:05:58 PM

The easy way is to create an account on Bluesky. That's as simple as creating an account on any other social network. The important bit though is that you can then, if you want, migrate to a different host and take your identity with you, or if you're brave you can self-host. This is by its nature something for power users, but regular users can use Bluesky accounts without ever knowing or caring about PDSs, DIDs or signing keys etc.

by ascorbic

6/21/2026 at 3:31:27 PM

So does a CA issuing my certificate, but there is some oversight in what they do.

by Muromec

6/21/2026 at 5:14:12 PM

That's different. While your CA can hand out new certificates, it doesn't know your keys (unless you messed up when uploading your CSRs).

CAs have to prove they're not faking certs through the certificate transparency logs, there's no such limitation on Bluesky.

A more apt comparison is a shared host that does certificate management for you. Those are also often considered less secure, of course.

by jeroenhd

6/21/2026 at 2:50:11 PM

Centralization is always a trap.

No idea why people have such a hard time joining and supporting the Fediverse.

by Noaidi

6/21/2026 at 2:52:41 PM

Because there is no single "default instance that is always a good choice and wouldn't go down randomly because of lack of funding". That's both a strong and a weak side of fedi

by sheo

6/21/2026 at 4:29:06 PM

mastodon.social has been around for a decade now, seems stable enough.

by ftfish

6/21/2026 at 3:11:17 PM

How is the fediverse different. Can't the owner of an instance post as you? Can they read all your data stored on their instance and pass it to anyone they want to?

by iand

6/21/2026 at 2:55:09 PM

Higher friction and fragmentation are Fediverse features (not bugs) that give it a different grain. ATProto has different tradeoffs that lead to a different form of social media. I'm glad both exist, and bridging efforts are worth paying attention to for anyone frustrated with the distinctions.

by webdevladder

6/21/2026 at 8:10:33 PM

Yes - the trade off is centralisation.

by kevinak

6/21/2026 at 3:10:08 PM

Is author new at the whole web thing? Yes, people trust remote web servers. Yes, if you link multiple apps to an identity server (be it atproto, google, or self-hosted OpenID server), and your identity server is compromised, attacker will be able to impersonate you or lock you out.

This is just how the web works, and there is no easy around it without losing features people care about. Sure, you can do client-side encryption and pretend serve can't see the plaintext, but it's just a theatre, see Hushmail incident for example.

And having people export uber-key by default is pretty terrible idea. Sure, allow advanced users (like post author) to do it. But for the common person, the exported key is just another way to get account compromised, via malware or backup provider hacking. Or if they are not backing up stuff, then the key will get lost next time they upgrade.

by theamk

6/21/2026 at 4:33:18 PM

Are you new to the whole p2p thing? This is a terrible standard to hold new technology to. The web is broken.

https://secushare.org/broken-internet

by tarpitt

6/22/2026 at 4:09:29 AM

Yes, I am familiar with multiple solution that want to replace the web. They can solve all sorts of interesting problems, except one: how to get adoption.

I have nothing against people exploring alternative networking systems, but let's be clear: the only reason to run GNUnet (or Nostr, or SSB) is if you are interested in GNUnet/Nostr/SSB itself, or if you want to add exclusivity and wall your garden away from random visitors.

But many people have the opposite goal - they want their content to be accessible, and they want everyone to be able to participate, even if they are a high school student with 10 year old iPhone. And this means web.

So let's talk about how we can actually reach people, and this means figuring out how to get this web thing to work.

by theamk

6/21/2026 at 3:49:26 PM

> Sure, you can do client-side encryption and pretend serve can't see the plaintext, but it's just a theatre,

Keeping a private keep on the client to sign your activity is a fundamental cryptography practice.

If you use a private key to sign your emails or git commits, it’s not security theater.

If you were to have to upload your private key to GitHub or your email provider, that would be severity theater.

> Is author new at the whole web thing?

Unnecessarily mean comment.

by Aurornis

6/22/2026 at 4:46:23 AM

The key word is "web", and all associated ecosystem - the place where local devices are transient, and everything is in the cloud.

I personally have multiple regular PCs, sync the files around, do encrypted backups, and so on. I still have my files from 20 years ago, and I manage my personal keys.

But when I talk to other people, most people aren't like that! They don't do regular backups, they lose files all the time (phone broke -> files are gone), and when they transfer files, they do it via 3rd party, by emailing, dropboxing or uploading to Google Drive.

So how would they handle "private key"?

Most of then will never download the app, and will only use the website. I guess you can use browser web storage to store the key, but next time they run out of space and clear internet files, it would be gone. Or if their phone breaks. Or if the computer starts to behave strangely, so they wipe it all (not exaggerating, I've seen people do that). So keeping the key only in the browser is a terrible idea.

You can force them to download private key, but then what? Most people will simply forget it (after all, "I am just trying out this thing, no need to both with all the complex backups"), and the key will sit in Download folder until the PC/phone breaks. If you got lucky, they'll upload this to Google Drive/iCloud, so that megacrop will have a private key.

But the worst of all, even if you somehow magically get them to preserve the private key, it's useless. Remember, we are talking rogue operator here, and those are very likely the same people who are serving you the webpage and javascript blob that will obtain the key from local storage and decrypt. They will do the same thing hushmail did, which is to modify the webpage so it exfiltrates the private key.

(And yes, all of this can be worked around if you don't use web, and run the stuff locally. But this severely restricts users, and will kill the adoption)

by theamk

6/21/2026 at 3:46:50 PM

> This is just how the web works, and there is no easy around it without losing features people care about [...]

Well, apart from using a separate email address for every single "provider"?

(Spoiler: there's no way I'm going to sign into your service with a shared email ... you get <youservice>@<me>.com)

by logifail

6/21/2026 at 4:09:48 PM

Some services only allow signups from the big free providers like gmail/outlook/etc. because those providers are doing more consistent KYC and anti-spam measures than anyone else by far, and unfortunately it does cut down on the amount of spam by a lot. For most people nowadays you cannot even create a new gmail account without directly linking it to a mobile phone.

by ranger_danger

6/21/2026 at 2:49:12 PM

What's the evidence for this? I'd be very keen to understand. This looks Claude written which is fine but adds an extra layer of skepticism for me.

by triyambakam

6/21/2026 at 7:27:29 PM

You can just read the documentation: https://atproto.com/guides/overview#account-portability

“The signing key is entrusted to the PDS so that it can manage the user's data, but rotation keys can be controlled by the user, e.g. as a paper key. This makes it possible for the user to update their account to a new PDS without the original host's help.”

by kevinak

6/21/2026 at 3:13:48 PM

AI fluff

by noname120

6/21/2026 at 3:27:40 PM

and what makes you say that?

by opem

6/21/2026 at 4:54:50 PM

> It's not the data, it's the keys

is a heading

edit:

>On ATProto, your PDS doesn't just store your Bluesky posts. It stores everything.

>Not just your Bluesky account. Your ability to post, commit, publish, or interact across every ATProto app.

>The repo data itself isn't the issue. It's all public anyway,

>An attacker, a state actor with a warrant, or a rogue employee doesn't just get read access. They get the signing keys

by drdexebtjl

6/21/2026 at 3:30:59 PM

It has all the tells. There are websites which list them, please search "LLM tropes".

by Zopieux

6/21/2026 at 3:59:14 PM

"This was AI" itself has all the tells of an irrational panic which typically accompanies new technology, like UFO sightings in the 1950s. If ever it is still possible to "tell" AI writing, it soon will not be. So best (IMO) just to respond to the substance of the writing and move on.

by bluebarbet

6/21/2026 at 4:03:37 PM

> "This was AI" itself has all the tells of an irrational panic which typically accompanies new technology,

Being able to tell who wrote something doesn't imply irrationality, panicking, or a reaction to new technology.

> like UFO sightings in the 1950s.

UFO sightings stayed confined to the 1950s and were a reaction to new technology?

Or were the UFO sightings in the 1950s the only UFO sightings that were a reaction to new technology?

I'm not sure how this being clarified will be able to explain how identifying the writer of text is the same as a UFO sighting in 1950, but I'm open to it, I try to stay rigorously rational (c.f. X does not imply Y in first pull quote)

> If ever it is still possible to "tell" AI writing, it soon will not be.

Why not?

n.b. I quit my job at Google to build an AI client and have been working on it full time for 3 years. I love AI. I don't think there's a rational argument that justifies the idea it's better to never opine the author of some writing was AI, and the arguments offered here are particularly weak, at their face. As an opinion, solely? Fair enough.

by refulgentis

6/21/2026 at 4:14:29 PM

I think the main problem is you can't really ever tell with a high degree of certainty, people are just guessing based on what they see in an unscientific way. And the fact that AI is trained on human data, meaning what we see is in fact things humans have already done themselves, makes it even harder to "know" for certain IMO.

by ranger_danger

6/21/2026 at 4:29:16 PM

> the main problem is you can't really ever tell with a high degree of certainty

This is false, it is trivial to find humans with 99%+ accuracy[1] and there is a well-known service with 99%+ accuracy when analyzed by 3rd parties with no affiliation.[2]

> people are just guessing based on what they see in an unscientific way

As we see above, this is just guessing in an unscientific way. :) It's important to be rational! We all agree on that. :)

FWIW it did used to be true that the 3rd party services were junk. And I don't support the idea of humans just winging it when there's consequences. The case we're in is about the most mundane and consequence-free, the vast majority of us use AI daily and we're commenting on an internet aggregator that is aggregating a blog article.

[1] People who frequently use ChatGPT for writing tasks are accurate and robust detectors of AI-generated text - https://aclanthology.org/2025.acl-long.267/

[2] Artificial Writing and Automated Detection” - https://bfi.uchicago.edu/insights/artificial-writing-and-aut...

by refulgentis

6/21/2026 at 6:41:21 PM

> This is false, it is trivial to find humans with 99%+ accuracy

Sorry but no, this is also false. AI is largely trained on human data. What it outputs is also largely what a human would output. We could both easily make up the exact same sentences (especially smaller ones) and there is NO way to tell what the real source of a sentence is, especially considering the source can be multiple things (AI and human) at the same time!

There is no amount of literature you could provide or anything you can do or say that would change my mind on this.

by ranger_danger

6/21/2026 at 7:06:23 PM

Humans can write these tropes individually. But we usually don’t write them one after the other over the course of the entire text.

We have our own personal biases towards certain words and sentence structures that don’t match the same biases that post-training favors. We speak egoistically how we want to speak, not necessarily how the listener wants to hear.

We don’t polish every sentence, because not every sentence needs polish.

If a human wrote like this, I would be concerned that they’re spending too much effort into making me feel or thing something, and not enough effort into expressing their own thoughts and emotions. I would be concerned that they’re spending way too much effort into writing blog posts, and not enough effort thinking about the topic they’re writing about. I wouldn’t want to read that either.

by drdexebtjl

6/21/2026 at 7:40:10 PM

You rather undermine your point (with which I agree) in that last sentence!

by bluebarbet

6/21/2026 at 7:38:41 PM

I understand nothing anyone says can ever convince you anything was written by AI. Not much I can say from there. shrugs So I'll just thought dump.

I don't come from much and this reminds me of the rich girl who wondered how anyone could ever tell if anything is true ever in english class last year of high school. Real formative moment for me. It sounds debilitating, but at the very least comparatively to her, people acting like there's no such thing as certainty unless its 100%, and there's no sense in weighing things, allowed me to climb past them without paying the same tolls or having the same advantages.

(for those looking at rationality:

>> This is false, it is trivial to find humans with 99%+ accuracy [link]

> Sorry but no, this is also false...there is no amount of literature you could provide or anything you can do or say that would change my mind on this.

I have science, they have a tortured counter about the nature of certainty that belongs in freshman philosophy class, as it would obviate any discussion of anything ever)

by refulgentis

6/21/2026 at 4:26:19 PM

So I just read the article a bit more closely, and personally I see no reason to panic like you (and others here) are doing. The AI suspicion was presumably triggered by one of the subheadings, which follows the "It's not X, it's Y" schema. At this point it's almost a meme that this betrays AI.

But I say: who cares? The substance and the authenticity are what count. This article made some interesting points, and it was signed off on by a human author. Personally, I'm no more interested in whether the author used AI to produce the text than in whether they used a dictionary or thesaurus, as long as they stand by the words.

This whole "debate" has the feel of religion to it. I'm consistently surprised that there's so much woolly, unfalsifiable thinking on this subject. And here, of all places.

by bluebarbet

6/21/2026 at 6:51:33 PM

It’s not just that subheading, it’s a recurring pattern.

It’s not about authors using AI, it’s about authors not respecting the reader’s time.

Writing has a multiplicative force. The writer only needs to spend time writing it once. The text will reach thousands of readers who will collectively spend a lot more time on it than the author.

If even with that asymmetry, the author is not willing to put effort into writing it, I’m not going to bother reading it, regardless of the text’s substance. I’m just not interested.

by drdexebtjl

6/21/2026 at 7:32:28 PM

With respect, if you cannot tell the two types of writing apart with certainty, then your analysis is akin to superstition.

Speaking for myself (as ever), I am just not bothered by what bothers you. Good writing is good writing. Bad writing is bad writing. Who or what generated it, and how much time it took, is immaterial.

by bluebarbet

6/21/2026 at 7:34:55 PM

I'm glad all the assumptions about other people got walked back, I hope the openness about my personal situation re: AI was concrete proof why everyone identifying AI writing is not a panicking person afraid of it and starting a new religion against it. :) Cheers.

by refulgentis

6/23/2026 at 7:13:07 AM

> I see no reason to panic like you (and others here) are doing

You've already been told it's not a panic, and it's not cool you keep insisting it is. This is a sleezy tactic to make your opponent look less sane than yourself ("stop being so emotional", "calm down", "hey no need to be angry").

by AlexeyBelov

6/21/2026 at 4:31:13 PM

[dead]

by refulgentis

6/21/2026 at 3:29:27 PM

So annoying to read. Meanwhile, the key information ("backup key with higher priority") is mentioned in a sentence without any kind of elaboration or link to some follow-up/how-to.

by Zopieux

6/21/2026 at 3:19:37 PM

Both nostr and atp sucks at key management imo. The Farcaster network does a good job here with their chain of trust model and a smart contract on etherium blockchain to recover identities in case of losing access to a private key. Ironically its also the blockchain aspect of Farcaster for which I never tried it.

by opem

6/21/2026 at 3:47:33 PM

Why aren't the keys stored encrypted?

by skywalqer

6/21/2026 at 5:06:22 PM

Wait what?! For a protocol that incorporates the DID spec this is disappointing to discover. Unless I'm mistaken the DID spec allows provable hierarchical relationships between DID identities – why can't a child DID be created from our master signing identity that has the authority to CRUD on our behalf but still be provably distinct from our root identity?

Not even sure why the PDS would require our signing key that just seems very sloppy to me. As you can tell I know very little about atProto, and I did participate in the development of the DID standard and I am dismayed to see such an inelegant solution in such a promising protocol.

by tengada1

6/21/2026 at 5:13:37 PM

Oops upon closer reading of the article and the comments here i see that the atproto standard does apparently allow for the above, at least to some degree. If there is indeed hierarchical support for the DIDs then you should be able to disavow any child identity from a master identity and leave no public uncertainty (ie the true owner of the key hereby disavows the following sub keys)

So if the worst case scenario presented in this article took place where a PDS was falsifying information and pretending to be you, you could presumably somehow revoke the child key that you provided to the PDS. I'll have to look more closely at this

You could even publish a signed selective retraction (delete the fake posts or mark them as fake) with proof that you control the key 1 level above the key that posted them

by tengada1

6/21/2026 at 8:27:36 PM

The point of the article is that 99.9% of users will not take custodial control of their identity - not that they can’t.

by kevinak

6/21/2026 at 8:48:46 PM

Well it's a very well understood concept in cryptocurrency – you just keep your seed phrase somewhere like on a paper wallet. And if you're less paranoid then millions of people use some thing like MetaMask which there could be an equivalent of for identity management relevant to atProto– or maybe there is?

by tengada1

6/21/2026 at 3:02:48 PM

It seems most ppl who dislike X has already settled, a small amount moved to DeSo like atp or ap, most just stayed or went offline. Unless China GFW magically collapsed, there seems no reason ATProto user base will continue to grow. So, when will the monetization/enshitification phase begin?

I'm asking this not bc I like enshitification, but the app view design seems such a perfect fit for user data mining/targeting, that it's hard to believe it was not part of design consideration in day one.

by jimmydoe

6/21/2026 at 8:09:10 PM

Atproto is not decentralised, it’s faux decentralised. You can technically be sovereign, but incentives and the way things have been done results in massive centralisation - 99.9% of users are on a Bluesky PDS and have not registered a higher priority rotation key. And they won’t, ever, because that’s how humans work.

The day Bluesky decides to enshittify there’s a very real possibility that they might also just stop allowing people to extract their keys and splinter off the network. The enshitification begins when VCs turn upp the heat it they start getting low on cash.

by kevinak

6/21/2026 at 8:23:10 PM

ATP is more decentralized than X at least. Decentralized as a term is almost as loaded as Democratic. :)

Anyway I think we can agree on enshitification is coming soon. I'm just looking for signs of that's actually happening (or a counter theory that it would not happen)

by jimmydoe

6/21/2026 at 2:39:32 PM

This is where non-financial use of blockchain could really shine, IMO. Self-sovereign identity management with a smart contract-based process for recovering ids if keys get lost or hacked. Blockchains are pretty out of favor these days, but I really don't see a better solution for decentralized identity management.

by scyclow

6/21/2026 at 2:54:00 PM

> smart contract-based process for recovering ids if keys get lost or hacked

How would that even work?

by SkiFire13

6/21/2026 at 3:13:35 PM

If someone's account gets lost or hacked, the person with the most incentive to own that account is usually the original owner, so just give it to whoever is willing to pay the most, problem solved. We can call it "proof of stake", where you always stake a certain amount to keep owning your account, and when contested, whoever stakes the most gets it.

Poor people don't deserve rights on the blockchain anyway, it's not like they can afford the transaction fees, if they didn't want their account stolen they should have tried being rich, or buying into nearer the top of the pyramid.

Don't worry about people who pass away or lose internet for an extended period, we'll deal with that in v2, when we get "proof of death" and "proof of internet disconnectivity" on the blockchain somehow.

/s if it's necessary

by TheDong

6/21/2026 at 4:52:53 PM

I think you're right that transaction fees are a key problem. It's ultimately a bandwidth problem. You're bidding for the limited vbytes, and the bidding price only increases with traffic, kicking poor users out.

I think the key thing to recognise with petname systems is that there doesn't need to be this sort of "top-level consensus" as opposed to ecash systems.

You can have two instances of namecoin, say Namecoin1 or Namecoin2. You can just have different domains like alice.nmc1 and bob.nmc2 and have them interoperate properly. You can just keep forking blockchain-based petname systems to overcome the bandwidth/fee problem.

What this means is that Namecoin1 full nodes don't need to synchronize all the domain names on Namecoin2 and vice-versa. Similar to TLDs on DNS. We can imagine that there might be different petname TLDs for different global regions, and they might be merge-mined.

This isn't true for money applications like bitcoin or eth, because by forking BTC or ETH or something, you are creating new coins.

by tarpitt

6/21/2026 at 4:42:53 PM

Perhaps some sort of namecoin or ENS-like petname system with multisig or some type of scripting that enables different recovery methods.

For example, you could set your petname up so it can be controlled by a single keypair, which can be overridden after a certain time by a ring signature based on keypairs held by friends, family, peers, and trusted computing devices you leave in a safe deposit box.

Or maybe you could trust your identity with some centralized entity, but only as part of a 2-of-3 multisig with yourself and another trusted entity.

Basicially namecoin with bitcoin-like scripting controls.

by tarpitt

6/22/2026 at 9:26:21 AM

Do you need a blockchain for that though? There are cryptography schemes to share a secret (e.g. the recovery keys) between multiple parties, requiring at least N of them to get together to recover the original value of the secret.

by SkiFire13

6/21/2026 at 2:45:52 PM

What is the incentive for an individual to participate in a non-financial blockchain?

Bitcoin-style blockchains “work” because everyone gets the possibility of a little reward for all the hassle and non-negligible CPU time of being a node.

by AndrewStephens

6/21/2026 at 5:04:37 PM

Good question, this made me think.

You get a reward for being a mining node, not just any node. Even then, do miners have much incentive to share blocks, other than the ones they mine?

I think the incentive is mutual for most nodes (aside from the mining aspect). People will set up a node to accept transactions in an automated manner, or to have higher confidence in the state of their accounts.

It's like being on the floor of the stock market. People participating want to be where all the information is (for their own benefit), and there is incentive to bring others in and share information (because it increases the amount of information you have).

I suppose you could be a "selfish" node. The bitcoin-equivalent of someone who leeches and never seeds. But the advantage is low relative to the amount of money moving around. Most people don't care about the bandwidth of running a bitcoin node, they care about latency. Unlike bittorrent, there isn't a de-facto finished version of the file being synced: it's a constantly-updating list that everyone wants to have the latest version of. I can't find the words, but this seems to be the fundamental difference.

by tarpitt

6/21/2026 at 2:52:51 PM

What's the incentive for people to participate in file sharing networks? To some degree it's access to a world of free media (same as access to a world of decentralized identities), but to a large degree it's an interesting hobby/excuse to be interested in tech. Some people have racks of hard drives dedicated to hobbies like this, just because it's interesting and is worthy.

by vid

6/21/2026 at 4:18:48 PM

For me the incentive is being able to own an identity that nobody can take away from me. And the assumption is that services will support this type of identity, so I don't have to make accounts on other systems that people can take away and now I've lost all access to any data I had.

by majorchord

6/21/2026 at 4:44:13 PM

I think what you are looking for is something like Mastodon or related activity-pub service. You can run your own instance and nobody can take that away from you. No need to drag a blockchain into it - just host whatever services you need.

by AndrewStephens

6/21/2026 at 4:54:12 PM

except for your domain registrar and your PKI certificate authority

by tarpitt

6/21/2026 at 2:32:03 PM

Probably doesn't matter for the "40M+ users", most of them have churned at this point and growth is negative. This is good critique for the next iteration of open social protocols, but fundamentally atproto did not fail because of technical reasons. The next iteration should make privacy the default and core to protocol, and be very mindful of how the leadership / social dynamics played out.

by verdverm

6/21/2026 at 2:33:14 PM

Based on all the traffic and development activity I'm not sure on what basis one would say "failed"

by singpolyma3

6/21/2026 at 5:12:24 PM

They had a vision and goal to change social media, to get people away from Big Social. They haven't failed in the technical sense of closing, there are less than 1.5M daily (the stats trackers are starting to shut down), but they will also never fulfill on the promises. In the startup world, this is called a zombie company.

One way they failed hard is that they talked about how they were against the investors and VC incentives, then they took $100M from Bain Capital (PE) just after peak user count, but didn't tell us for almost a year. They could have put up a simple $5/month to support the cause, but they took investor money instead. This is why I left.

by verdverm

6/21/2026 at 2:49:38 PM

Source?

What I see here doesn't look good.

https://bluefacts.app/bluesky-user-growth

Never mind the pivot to reddit.

https://www.cnbc.com/2026/06/04/bluesky-twitter-rival-reddit...

by ftfish

6/21/2026 at 2:50:53 PM

What’s the definition of success here? Instagram like user counts?

by adithyassekhar

6/21/2026 at 3:11:30 PM

Arguing that success is purely about the ultra high numbers seems to miss the forest for the trees. Is HN a failure because it did not reach the level of DAU as Reddit? The quality of discussion and community here is certainly substantially higher. I feel the same about Mastodon and Bsky vs Twitter. I’ll take community I actually want to engage with over sheer numbers any day.

by bikelang

6/21/2026 at 5:00:04 PM

Bluesky has about 2-3 year runway, so, we'll see.

Source: Bluesky COO https://conference.publicspaces.net/en/session/growth-and-su... (somewhere towards the end in the Q&A section).

by ftfish

6/21/2026 at 4:01:27 PM

I think critics would settle for commercial viability, given the funding structure.

by tptacek

6/21/2026 at 3:00:32 PM

https://bsky.jazco.dev/stats

by pessimizer

6/21/2026 at 3:06:56 PM

Bluesky / AT is the most successful open social network in history and the only one to become culturally significant. It has been adopted by presidents, celebrities, journalists, and mainstream users.

Bluesky has ~50M registered users and has sustained ~5M monthly active users for long while. There's no reason to believe it will fall substantially below this level.

It is also in the process of adding (decentralized) subcommunities, which I expect to be really cool and have a large impact on growth.

by jacobgold

6/21/2026 at 4:01:54 PM

"Registered users" is a meaningless statistic. Daily active users has consistently declined.

by tptacek

6/21/2026 at 4:12:33 PM

I'd be the last person to downplay the fact that the Bluesky app has a serious retention problem. But it has "broken through" in an incredible way and DAUs/MAUs are quite stable.

Registered users is not at all meaningless. Bluesky has those user's email addresses, the mobile app is still installed on many of their devices, they have accounts, and they can potentially be reactivated.

For example, if Bluesky announced a feature exciting enough, like subcommunities, it could email those 50M users and possibly bootstrap a serious open network competitor to Reddit.

by jacobgold

6/21/2026 at 4:26:34 PM

A chunk of these registered users are apparently "ghost accounts" hosted on a PDS on a trump.com subdomain.

https://bsky.app/profile/tyggero.cz/post/3moskpisnuc2t

Source: https://sifa.id/stats

Statement from Bluesky: https://bsky.app/profile/pfrazee.com/post/3mmp27wwnic2j

by ftfish

6/21/2026 at 4:36:15 PM

Based on your comments, it seems like you're trying to spread FUD?

The stats page you linked to explains exactly what's going on. These spam PLC identities have nothing to do with with the tens of millions of real Bluesky registered users.

Either you misunderstood or you're being intentionally dishonest.

by jacobgold

6/21/2026 at 4:47:43 PM

Never said that, though, plus provided sources. Just adding context for what the total number of users means.

by ftfish

6/21/2026 at 4:53:43 PM

You still seem to be implying the number of real registered users on Bluesky isn't ~50M, which it is. The PLC identity spam you referenced is not being counted in this number.

by jacobgold

6/21/2026 at 5:21:11 PM

It is confusing to say "users" when it is actually "accounts", humans tend to associate "user" with another human, where as "account" can cover people and bots (many on atproto)

eg. I personally had more than a dozen accounts

by verdverm

6/21/2026 at 5:28:07 PM

That's a fair distinction to make but my (educated) guess is that something like 95% of users have a single account on Bluesky.

Most users signed up by downloading the app or visiting the web site and created a single account.

As a point of reference, the official Google Play store independently verifies that the Bluesky app has had 10M+ installs.

https://play.google.com/store/apps/details?id=xyz.blueskyweb...

There are no official stats on the iOS app or web but those are both likely similar or larger sources of users.

by jacobgold

6/21/2026 at 5:58:29 PM

I would counterpoint that a non-insignificant number of the accounts are spam/bots. Jaz's stats overestimate because it does not remove certain accounts which have been takedown/deleted, let alone those that remain. I have shared analysis of this on HN, Bluesky, and Discord to avoid making educated guesses.

The reality is that a significant chunk (>50%) was Blue MAGA, or turned off by them, and I see little prospect that they will reactivate. Outside of the Bluesky echo chamber, there is a deep brand association with Bluesky being primarily political refugees. They see Bluesky as the left-wing Truth Social. I've asked hundreds of people IRL if they have heard of Bluesky, they are far more likely to have this brand association than to have heard of "atproto" (more than half vs 1-2% / can count on one hand).

by verdverm

6/21/2026 at 6:46:34 PM

Sure, it may overestimate the exact count, but that doesn't change the fact that tens of millions of real people have downloaded Bluesky and signed up.

Right now, Bluesky has one large community, which is already great for some people but not most people. Once Bluesky adds Communities, new communities can form, making it interesting to the other 90% of people who were excited initially and then turned off by it being "one note".

by jacobgold

6/21/2026 at 7:00:29 PM

I think your association with Blueksy is painting a rosier picture for yourself than reality portends. Do you know how many of those accounts never added a profile picture or even liked a single post? Do you think people are likely to reactivate to something they checked out once and has only shrunk since? Can ActivityPub/Mastodon add some new feature that will reactivate all the people who tried that out and moved on?

If you'd like to crawl the network to get real data, I built this a while ago https://github.com/verdverm/atmunge (it will take a few days to get sufficient data to do analysis, due to rate-limits)

Certainly Bluesky has stats about mobile app installs / usage. If they were good, they would be sharing those instead of the /users/accounts/ number that feels good but hides the reality. The first step (imo) would be to stop trying to deny reality and start asking why it is the reality. Only then can corrections be made. I don't think the core issues are technical, a missing feature, or a social media modality that was supposed to be built in the atmosphere. (other than my strongly held opinion that public-by-default was the wrong choice and bolting on permissioned spaces now is not a right answer)

I'm personally waiting on the next attempt that learns from AP/AT/Nostr, but makes privacy first core. I think it will be a few years still. Right now more people are shunning social media across the board, it's all so toxic and polarizing regardless of modality and where you use it.

by verdverm

6/21/2026 at 8:12:51 PM

I'm not claiming to know what reality portends, but I do think my guess is about as good as anyone's.

Bluesky did something ActivityPub/Mastodon never did, which is reach a mainstream audience of non-technical people. But its growth has been severely limited for one reason: the network is niche and uninteresting to most people.

Communities are a potential solution to this problem. If they work, it is plausible that tens of millions of users reactivate and, eventually, hundreds of millions of people join the network.

by jacobgold

6/21/2026 at 5:02:57 PM

If that's the case, then I stand corrected, but a source for that claim would be helpful.

by ftfish

6/21/2026 at 5:12:17 PM

I was rounding up, the actual number is ~45 million: https://bsky.jazco.dev/stats (these stats are based on real activity, not PLC identities)

At current rate it will 50M in 6 months.

by jacobgold

6/22/2026 at 3:06:19 AM

Why do you project 10% growth over the next 6 months? Looking at the other metrics on that page which have history (total unique likers, posters, followers), the numbers are flat or declining.

That shape doesn’t seem great for a social media company.

by likpok

6/21/2026 at 4:33:35 PM

I don't believe the firm behind Bluesky can go to an investor and say "look at all these email addresses we have" and raise on that.

by tptacek

6/21/2026 at 4:39:46 PM

Of course investors care about registered users, for the same reason I explained. But yeah, they do care a lot more about retention and growth rate for good reason. Bluesky Social, PBC has raised $120M+ dollars from investors.

by jacobgold