Bluesky Privacy News

https://bsky.social/about/support/privacy-policy

21 tracked changes

Coverage: May 1, 2023 to Feb 18, 2026

Change Timeline

moderate

Bluesky integrated Germ DM as the first end-to-end encrypted messenger that can be launched natively from within the Bluesky app, closing a gap that had existed since Bluesky's own DMs launched without encryption in May 2024. Germ uses Messaging Layer Security (MLS), an IETF standard (RFC 9420), and is integrated via the AT Protocol; because messages are encrypted end to end, neither Germ nor Bluesky can read them.

moderate

Bluesky published its inaugural comprehensive transparency report for 2025, covering moderation, legal demands, influence operations, and age assurance. The platform grew 60% to 41.41 million users, processed 9.97 million moderation reports (up 54% year-over-year), removed 2.44 million violating items including 2.08 million accounts, and applied 16.49 million content labels. Law-enforcement requests rose fivefold to 1,470.

minor

Bluesky launched 'Find Friends,' a privacy-focused contact discovery feature that only surfaces a match when both parties have opted in. Contacts are stored not as bare phone numbers but as hashed pairs (the user's number combined with the contact's number), protected by an encryption key held in hardware-separated storage, and uploaders must verify their own phone number via SMS, which limits enumeration attacks against the service. Unlike the industry norm, Bluesky sends no automated invites to non-users.
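The scheme described above, as an added illustration (this is not Bluesky's code, and its internals are not published on this page): each upload is recorded as a keyed hash over the (owner, contact) pair, so a leaked table cannot be turned into a membership list without the key and the owner's number, and a match is returned only when both sides have uploaded each other. The HMAC key, the E.164-formatted numbers and the SMS-verification flag are assumptions for the example; in production the key would live in an HSM or secure enclave rather than in process memory.

```python
"""Mutual-opt-in contact discovery with keyed pair hashes (illustrative)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set


def pair_token(key: bytes, owner: str, contact: str) -> str:
    """Keyed hash over the ordered (owner, contact) pair.

    Hashing the pair instead of the bare contact number means the table
    says nothing about which numbers are on the service; an attacker needs
    the key, the owner's number and the contact's number to reproduce it.
    The NUL separator keeps '+1555'+'0001' distinct from '+15550'+'001'.
    """
    msg = owner.encode() + b"\x00" + contact.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ContactDiscovery:
    def __init__(self, key: Optional[bytes] = None) -> None:
        # Assumption: in a real deployment this key is hardware-protected.
        self.key = key or secrets.token_bytes(32)
        self.verified: Set[str] = set()   # numbers that passed SMS verification
        self.uploaded: Set[str] = set()   # pair tokens, never raw numbers
        self.members: Dict[str, str] = {}  # phone -> handle (constructed data)

    def verify_phone(self, number: str, sms_code_ok: bool) -> bool:
        """Gate every query on proving control of the querying number."""
        if sms_code_ok:
            self.verified.add(number)
        return number in self.verified

    def upload_contacts(self, owner: str, contacts: List[str]) -> int:
        if owner not in self.verified:
            raise PermissionError("SMS verification required before upload")
        added = 0
        for contact in contacts:
            if contact != owner:
                self.uploaded.add(pair_token(self.key, owner, contact))
                added += 1
        return added

    def mutual_matches(self, owner: str, contacts: List[str]) -> List[str]:
        """Return only contacts who also uploaded `owner`.

        A one-sided upload reveals nothing: the service never answers
        'this number is a member but has not added you', which is the
        signal a bulk enumeration attack would harvest.
        """
        if owner not in self.verified:
            raise PermissionError("SMS verification required before lookup")
        return [
            c for c in contacts
            if pair_token(self.key, owner, c) in self.uploaded
            and pair_token(self.key, c, owner) in self.uploaded
        ]


def demo() -> List[str]:
    """Constructed scenario: Alice and Bob hold each other's number; Carol
    is in Alice's address book but has not uploaded Alice."""
    svc = ContactDiscovery(key=b"\x11" * 32)
    alice, bob, carol = "+15550000001", "+15550000002", "+15550000003"
    for n in (alice, bob, carol):
        svc.verify_phone(n, sms_code_ok=True)
    svc.upload_contacts(alice, [bob, carol])
    svc.upload_contacts(bob, [alice])
    svc.upload_contacts(carol, [])          # Carol opted in to nothing
    return svc.mutual_matches(alice, [bob, carol])


if __name__ == "__main__":
    print(demo())  # only Bob is a mutual match
```

The test of the design is the negative case: Carol's number is on the service, but Alice's lookup does not learn that, and an unverified caller cannot query at all.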

moderate

Bluesky launched a formal strike system with severity-based violation tracking and expanded post-reporting categories from 6 to 39, including new categories for youth harassment, eating disorders, and human trafficking content as required by the UK Online Safety Act. Users now receive detailed notifications about enforcement actions, including the specific policy violated, severity level, total violation count, and suspension duration.

moderate

Bluesky's overhauled Community Guidelines took effect, reorganized around four principles: Safety First, Respect Others, Be Authentic, and Follow the Rules. The guidelines added specific harm categories aligned with the UK Online Safety Act, EU Digital Services Act, and US TAKE IT DOWN Act, including deepfakes, non-consensual intimate images, and youth-specific harms. A progressive enforcement model and clearer appeals process were introduced.

moderate | Regulatory Order

Bluesky's most significant policy overhaul since launch: the Privacy Policy and Copyright Policy were fully rewritten to comply with the EU Digital Services Act (DSA), UK Online Safety Act (OSA), US TAKE IT DOWN Act, and GDPR. Key changes included enhanced data subject rights disclosures, documentation of safeguards for international data transfers outside the EU/UK, strengthened clarity on deletion limitations inherent in the decentralized AT Protocol architecture, and jurisdiction-specific provisions.

moderate | Regulatory Order

Bluesky blocked all access from Mississippi IP addresses in response to Mississippi's HB1126 age-assurance law, which required age verification for all users and parental consent for minors, with penalties of up to $10,000 per user. Bluesky cited privacy concerns about collecting and storing sensitive personal data, and resource constraints as a smaller platform. In December 2025, Bluesky partially restored access for adults who completed age assurance.

moderate | Regulatory Order

Bluesky announced age verification for UK users to comply with the Online Safety Act ahead of Ofcom's July 25, 2025 enforcement deadline. The system uses Epic Games' Kids Web Services (KWS), offering verification via facial age estimation (powered by Yoti), government ID upload, or a credit card check. Users under 18, or who decline verification, lose access to adult content and direct messaging. Non-compliance carried fines of up to 18 million GBP or 10% of global revenue, whichever is greater.

moderate

At SXSW, CEO Jay Graber announced Bluesky was developing a consent framework inspired by robots.txt, allowing users to signal per-account or per-post preferences across four categories: generative AI training, protocol bridging, bulk datasets, and web archiving. Bluesky acknowledged the framework would be a voluntary standard without legal enforceability — third parties could still ignore user preferences.

moderate

Bluesky publicly announced its partnership with the UK-based Internet Watch Foundation (IWF) to combat child sexual abuse material. Bluesky had become an IWF member on December 1, 2024, gaining access to the IWF's hash database of known CSAM images for automated detection. The partnership came after the September 2024 Portuguese-language CSAM moderation crisis and amid rapid user growth past 30 million accounts.

minor

Bluesky published its 2024 moderation report, revealing a 17x increase in moderation reports (6.48 million, up from 358,000 in 2023) as users grew from 2.89 million to 25.94 million. Moderators removed 66,308 accounts and automated systems removed another 35,842. The platform applied 5.5 million content labels and fielded 238 law-enforcement requests from Germany, the U.S., Brazil, and Japan, complying with 146 of them.

major | Data Breach

A Hugging Face employee published a dataset of 1 million Bluesky posts scraped via the public Firehose API, including text, metadata, and users' decentralized identifiers (DIDs). After immediate backlash, the dataset was removed within a day. However, larger datasets quickly appeared — including one of nearly 300 million non-anonymized posts (roughly 42.5% of all Bluesky posts). Bluesky acknowledged it could not enforce consent preferences outside its own systems.

moderate | Enforcement

The European Commission stated Bluesky was violating the Digital Services Act (DSA) by failing to report EU user numbers, appoint an EU legal representative, or establish a required transparency page. The Commission referred the matter to national Digital Services Coordinators for enforcement. Bluesky said it was 'actively working with lawyers' to comply.

major | Data Breach

Brazilian investigative outlet Núcleo reported that Bluesky was failing to moderate Portuguese-language CSAM terms, identifying over 125 profiles sharing or selling child sexual abuse material. The crisis was triggered by Brazil's ban of X in late August 2024, which drove 2.5 million new Brazilian users to Bluesky within a week and created a moderation backlog, with reports spiking to 50,000 per day. Bluesky expanded its Portuguese-language moderation team and hired external contractors.

moderate

Bluesky launched its Direct Messages feature without end-to-end encryption. The company disclosed that DMs are stored unencrypted and can be accessed by Bluesky staff for Trust and Safety investigations including spam and coordinated harassment. Privacy advocates warned users against sharing sensitive information via the feature. Bluesky stated encrypted messaging was planned but offered no firm timeline.

moderate

Bluesky open-sourced Ozone, its collaborative moderation tool, and launched a 'stackable moderation' system allowing any user or organization to create and operate independent labeling services on the AT Protocol. Users could subscribe to third-party moderation services on top of Bluesky's baseline moderation, introducing a decentralized content governance model with significant privacy implications for how user content is reviewed and labeled across the network.

minor

Bluesky published its first annual moderation report covering 2023, documenting the growth from a small beta to over 3 million registered accounts. The report detailed the hiring of a full-time moderation team, the launch of community moderation features, and the development of internal Trust and Safety infrastructure built from scratch.

moderate

Bluesky announced a public web interface allowing non-users to view posts, sparking backlash from users who had no private-profile option. Bluesky reversed course the same day, delaying the public web view and releasing an opt-out tool. However, Bluesky acknowledged the tool only controlled the logged-out view on Bluesky's own app and could not bind third-party AT Protocol apps.

moderate | Data Breach

Security researcher David Buchanan discovered a vulnerability in Bluesky's core did:plc identity mechanism that allowed hijacking any account's identity by registering lengthened duplicates of existing decentralized identifiers (DIDs): identifiers that shared an existing DID's canonical prefix but carried extra trailing characters. The researcher demonstrated the issue by changing the handle of the official @bsky.app account. Bluesky acknowledged the report within 34 minutes and deployed a patch the same day.
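The check a practitioner takes away from this entry is strict validation of identifier shape before any lookup. As an added example (not Bluesky's, the PLC directory's, or the researcher's code): a did:plc identifier is `did:plc:` followed by exactly 24 lowercase base32 characters (a-z, 2-7), taken from the base32 SHA-256 of the account's genesis operation. The code derives that form, accepts only canonical strings, and contrasts it with a hypothetical resolver that normalizes by truncation, an assumption used to illustrate why a "lengthened duplicate" is dangerous for any component that does not compare the full string; the page does not describe the actual flaw's mechanics, and the genesis bytes are constructed, not a real operation.

```python
"""Strict did:plc identifier handling (added illustration)."""
import base64
import hashlib
import re
from typing import Dict, Optional

# "did:plc:" (8 chars) + 24 base32 chars = 32 chars total.
PLC_DID_RE = re.compile(r"^did:plc:[a-z2-7]{24}$")
PLC_DID_LEN = 32


def derive_plc_did(genesis_op: bytes) -> str:
    """did:plc = first 24 chars of lowercase base32(sha256(genesis op))."""
    digest = hashlib.sha256(genesis_op).digest()
    b32 = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return "did:plc:" + b32[:24]


def is_canonical_plc_did(did: str) -> bool:
    """Exact-shape check: correct prefix, correct alphabet, exact length."""
    return PLC_DID_RE.fullmatch(did) is not None


class StrictRegistry:
    """Keys records by the exact DID string and refuses non-canonical input."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def register(self, did: str, record: dict) -> None:
        if not is_canonical_plc_did(did):
            raise ValueError(f"rejecting non-canonical DID: {did!r}")
        if did in self._records:
            raise ValueError("DID already registered")
        self._records[did] = record

    def resolve(self, did: str) -> Optional[dict]:
        # Validate before touching storage, so a lengthened duplicate can
        # never be coerced onto an existing record.
        if not is_canonical_plc_did(did):
            return None
        return self._records.get(did)


def lenient_resolve(records: Dict[str, dict], did: str) -> Optional[dict]:
    """HYPOTHETICAL weak resolver, not the real bug: it normalizes by
    truncating to the canonical length, so 'did:plc:<24 chars>zzzz' maps
    onto the victim's record. Shown only to make the failure class concrete."""
    return records.get(did[:PLC_DID_LEN])


def demo() -> dict:
    # Constructed genesis operation bytes, not a real PLC operation.
    victim_did = derive_plc_did(b'{"type":"plc_operation","constructed":true}')
    lengthened = victim_did + "zzzz"          # shares the canonical prefix

    reg = StrictRegistry()
    reg.register(victim_did, {"handle": "victim.example"})
    return {
        "victim_did": victim_did,
        "lengthened": lengthened,
        "strict_resolves_lengthened": reg.resolve(lengthened) is not None,
        "lenient_resolves_lengthened": lenient_resolve(reg._records, lengthened) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The strict registry returns nothing for the lengthened form and refuses to register it, while the truncating resolver silently hands back the victim's record; the fix is the same in every layer that handles DIDs, namely validate the exact canonical form before comparing or storing.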

Bluesky Privacy News — Policy Changes, Breaches & Enforcement | PrivacyWire