anderegg.ca

Why is the Online Safety Act causing Bluesky user growth?

August 2, 2025

Over the past few days, Bluesky has had accelerated user growth. This happened at the same time as the UK’s Online Safety Act came into effect. I don’t know exactly why this is the case, but I have some ideas.

First, I want to start with a quick aside. I think that efforts like the Online Safety Act, KOSA, and Canada’s Bill S-209 are some security-reducing, privacy-invading, speech-restricting, “won’t somebody please think of the children” level bullshit. Here’s an excellent video overview of the issues of S-209 from David Fraser. Here’s more from Michael Geist. S-209 is what might affect me most directly, but its issues are shared among other efforts.

With that out of the way, on to Bluesky. As a social network on the internet, the Bluesky team has to abide by the Online Safety Act or face hefty fines. 1 To do so, they’re requiring age verification to access DMs and some moderation settings. These changes to the app were rolled out on July 23. The next day, and for the days following, the service got a surprising bump in sign-ups from new users. What’s the deal?

I don’t have a full explanation, but I have some thoughts. One guess is that other services could have taken heavy-handed or poorly implemented approaches to moderation. 2 Another possibility is that, if you have to hand over private information to keep using a service, maybe you give it to a service you trust more (or distrust less). It could also be a “grass is greener” kind of thing, and age verification was a good enough excuse to try another service.

There’s one thing that makes Bluesky unique, though. It’s based on a completely open protocol. This isn’t some Linux neckbeard selling point, either. For the protocol to function, all posts have to be publicly accessible. 3 This goes for adult content along with everything else. If you’re scrolling your timeline and see a piece of content that’s blocked for you on the Bluesky app, you can use another service to get to that content. These can easily be run locally, so governments would have a hard time playing whack-a-mole to take them down.

I’ve written about this in more detail previously, but the short version is that Bluesky is an “AppView” on top of the AT Protocol. Data is housed on a series of Personal Data Servers (PDSs), and a Relay service is used to index that data so it can be accessed by AppViews. This design is fairly convoluted, but the aim is for the whole thing to be decentralized. 4 The main upshot is: everything must be open and public for it to work.

Is this why people are flocking to Bluesky recently? No idea. I’m pretty certain most people don’t know this is the case. But if there’s a group of people who’d be motivated to figure it out, one might do well to bet on those with surging hormones and a lot of time on their hands.

Also, I have absolutely no idea how this openness interacts with the law. There are some people running their own PDS instances, but the vast majority of content on the service is hosted by servers managed by the Bluesky team. This means that plenty of adult content is hosted and controlled by Bluesky, available on the open web, and can’t be age limited due to the underlying protocol. Is it enough that the main Bluesky AppView blocks this content without age verification? Who knows! I’m not trying to narc on Bluesky here. It’s just an interesting wrinkle caused by the open system powering the service. Ultimately, I think this is yet another issue with a very stupid law.

  1. Those fines can reach “up to 10% of qualifying worldwide revenue”. Bluesky does not currently generate any meaningful revenue, so I’m not exactly sure how that would work. I’m sure OFCOM would figure something out. 

  2. I previously said that I didn’t have any evidence of this, but Owen Boswarva reached out on Bluesky to note that X in particular had done a poor job implementing age verification. He pointed to a BBC article that outlined some moderation overreach on X and Reddit, and also noted that currently there are only indirect methods of age verification on X, with direct methods (like facial age estimation or ID verification) coming in the future. 

  3. Note that this isn’t the case for DMs. Those are handled outside of the AT Protocol. I think that’s why they’re explicitly mentioned as requiring age verification. 

  4. I’ll skip the usual grumbling about the decentralization issue here. That said, I mean to write an update about this in the near future. The Bluesky team has continued to advance the decentralization story, and there have been interesting developments on this front