Bluesky security features. Is Bluesky safe?


Since Bluesky enabled public account registrations in February 2024 the social media platform has gone from strength to strength.

While it lags far behind popular microblogging website Twitter, at the time of writing Bluesky has over 20 million active user accounts. Partly this is due to decisions made by Twitter, such as allowing third parties to train AI models based on users’ public posts.

Amongst the millions of people who have abandoned Twitter/X in favor of Bluesky are numerous celebrities, including famed Star Wars actor Mark Hamill.

Above all, Bluesky promises – and delivers – better security. In this guide, you’ll learn more about the platform’s architecture, privacy features, and user controls to understand why it has a reputation as a safe, reliable social media platform.

What is Bluesky?

Bluesky is based on the open Authenticated Transfer (AT) protocol standard. In 2021 it was launched as an independent entity. It operates in much the same way as other famous microblogging platforms like Mastodon in that users share short-form posts of up to 300 characters, as well as pictures and videos.

Origins and development

Twitter co-founder and CEO Jack Dorsey first started work on Bluesky in 2019. His original aim was to create a decentralized social media platform to give users as much control as possible over their data. 

After becoming an independent entity, the development of Bluesky Social accelerated in 2022 after Elon Musk’s takeover of Twitter. 

Decentralization in social media

Traditional social media platforms like Twitter follow a centralized model. That is, users must register an account on a central server. Any posts or content they generate is stored on that central server, leaving all data controlled by a single entity.

A decentralized platform does away with this model. Data can be distributed across a network, giving users much greater control over the content they post and who can interact with it.

How Bluesky differs from traditional platforms like Twitter

As Bluesky is built upon the decentralized AT protocol, it can support users creating their own PDS (Personal Data Servers) on which they can register their accounts and interact with other users. This ‘federated’ protocol allows users to choose what data to share and who has access to it. 

Bluesky’s security architecture

The core of Bluesky’s security architecture lies in its decentralized model. The website documentation provides an in-depth explanation of how this works. However, in brief, the underlying AT protocol creates a standard format for data like user identities, followers, and information on social apps. This allows apps like Bluesky’s to interoperate.

User control over personal data

As Bluesky uses the AT protocol, users are identified by domain names. These map to cryptographically secured URLs that bind the user account to its data. This makes it extremely difficult for bad actors to compromise user accounts or to create posts impersonating them.

Figure: Bluesky security architecture. A user creates an account and is assigned a decentralized identifier (DID); the DID maps to a secured URL; user data is stored in a personal data repository (PDR), which interacts with other PDRs.

Reduction of centralized points of failure

As we’ve learned, Bluesky allows users to set up personal servers to host repositories of social media data like posts, comments, likes, and follows. Currently, these are limited to 10 accounts per server. These repositories can sync with each other in a federated working model. In other words, users can share social media information without relying on a central server.

At the moment, most users sign up for Bluesky via the main site https://bsky.app/. However, as more people choose to set up independent servers, this protects the network from the kinds of widespread breaches that can compromise millions of accounts at once. Hackers can still compromise a decentralized Bluesky server but the others won’t be affected.

End-to-end encryption

The very best secure messaging apps use end-to-end encryption (E2EE). This makes use of separate digital ‘keys’ to encrypt and decrypt messages. If the key used to decrypt messages never leaves your device, that means that no one except you can read them – not even employees of the messaging platform.

Of course, it’s easy for social media sites to say that they do this, which is why you should only trust open-source programs like Signal.

As for Bluesky, while direct messages are supported, they’re not currently secured by E2EE. In other words, if the server on which they’re stored is compromised or seized someone could read anything you’ve sent or received. The Bluesky team has promised that E2EE support is on their 2024 protocol roadmap.

How encryption protects user communications

If you do set up a Bluesky Personal Data Server and it’s compromised, you won’t lose access to your account.

When you first register with a server, the software generates a DID (Decentralized Identifier). This in turn creates a ‘recovery’ encryption key. If you keep this in a safe place, you can use it to move your Bluesky account to a new server.

Comparison with Encryption on Other Platforms

While direct messages may not yet be encrypted, Bluesky’s decentralized approach to managing data is very different from traditional social media platforms like Twitter. While the website may promise to encrypt user data securely to keep it safe, users have no easy way to verify this. With Bluesky, users can store social media data on a server themselves to be sure that the encryption works correctly. 

Open-source protocols

The federated AT protocol, on which Bluesky is based, is an open standard. It’s licensed under both the permissive MIT and Apache open-source licenses. This means that its architecture and all code used are open-source, so anyone can view or modify it. 

Benefits of using open-source technology

The main advantage of basing Bluesky on open-source standards and code is that it offers transparency for how it operates. Users don’t need to trust the platform to keep their data safe, as they can verify it for themselves.

Community Involvement in Security Enhancements

In the words of Linux creator Linus Torvalds, “Many eyes make bugs shallow.” In other words, the community can review open-source code to check for any bugs. Skilled programmers can also suggest improvements and even contribute towards future development of the platform to make it safer.

Transparency in Bluesky’s Security Practices

As we’ve learned, using open-source means account holders can verify for themselves how Bluesky keeps their data safe. Those who choose to set up their own data server also can verify how their information is stored, as well as how security keys are saved securely to prevent their account from being compromised.

User privacy controls

Aside from using open-source code, Bluesky’s website and mobile apps offer privacy controls to allow users to control what information they share.

Customizable privacy settings

Managing who can see and interact with your content.

Unlike Twitter, Bluesky doesn’t currently support setting an account to ‘private’ so that it can’t be seen by others. However, users who create a post can limit its visibility to certain groups, e.g. their followers. Bluesky also supports allowing replies only from followers, or disabling replies altogether.

Adjusting settings for maximum privacy

Although Bluesky is an open and public network, the platform does support ‘discouraging’ apps from showing your posts to people who aren’t logged in to a Bluesky account. You can enable this via the app or website privacy settings. From here, you can also enable two-factor authentication (2FA) to secure logins.

Moderation system features

Bluesky includes some automated features to detect harmful content like spam. The platform also includes a reporting feature. If the content is flagged, it’s reviewed by human moderators and then allowed or banned accordingly.

Users can also ‘block’ and ‘mute’ other users. If a Bluesky user chooses to mute another, the other user won’t see a notification. Users can even create moderation lists of accounts to block or mute. Like Twitter, Bluesky supports self-labeling of posts e.g. for sensitive content.

The platform defaults to Bluesky’s moderation algorithm to curate content matched to a user’s needs. However, account holders can switch to other algorithms if they wish.

Data ownership and portability

Bluesky has announced that it is committed to portability for users’ identity, data, payments, and any other service.

This is made possible by the AT protocol, which allows users with a DID (Decentralized Identifier) to transfer their accounts to different Bluesky servers or instances whilst still maintaining their data and connections.

Bluesky’s documentation contains detailed steps on how to transfer a user repository to a new server. You can also export your account data in CAR (Compressed Archive) format from within the Bluesky mobile app or website. This doesn’t include media files, which you need to download separately.

Blocking and reporting tools

Bluesky has multiple features for avoiding unwanted interactions. A great way to ensure this when posting is to limit who can reply, for example to mentioned users and/or accounts you follow.


Reporting mechanisms for abuse and spam

Bluesky has strict community guidelines that forbid harassment and bombarding users with spam. There is an in-app reporting flow and feedback form for users to flag a message or post that violates these guidelines.

Enhancing personal security through user tools

The above-mentioned moderation lists are also a good way to prevent abuse or spam from known bad actors. 

Any accounts added to the block list won’t be able to like, reply, mention, or follow that user. Their posts, replies, and profiles will also be hidden in searches. For this reason, some bloggers have referred to this option as “the nuclear block.”

To get started, users can go to Settings > Moderation > Moderation Lists > New. Next, just visit the profile you want to mute or block, click/tap the … and choose ‘Add to lists’.

Security measures against cyber threats

Phishing

Bluesky’s aforementioned community guidelines forbid using the platform to hack other users or steal their data. Phishing is specifically mentioned and includes using multiple accounts to try to trick other users.

The platform now supports two-factor authentication (2FA). Once enabled, if you try to log in to your Bluesky account from a new device or location, you’ll need to provide a six-digit code as well as your password. This means that if a hacker successfully steals your password via phishing, they still won’t be able to log in to your account.

Combatting bots and fake accounts

Bots are allowed on Bluesky, provided they respect the network rate limits and have a useful/benign purpose e.g. providing daily temperatures. The platform does try to limit the number of malicious bots by requiring new registrations to be confirmed by email. 

Measures to identify and remove bots

The main website doesn’t detail specific measures to detect and remove badly behaved bots, though it’s safe to say that the development team is working on it as these can interfere with people’s peaceful enjoyment of social media.

Ensuring authentic user interactions

Bluesky has adopted a ‘stackable’ approach to moderation. Using its open-source moderation tool Ozone, developers are free to set up custom labels and rules to add another layer of moderation to interactions, better ensuring that users are interacting only with real people – no bots allowed.

Response to security incidents

As a newer platform, it’s not yet clear how Bluesky would respond to a major security breach. In theory, this shouldn’t be an issue on a truly decentralized network. In practice, a large-scale breach is still feasible, as most users are registering via the main site.

Bluesky’s protocol for handling breaches

In November 2024, some cryptocurrency scams began to appear on the platform using accounts sporting AI-generated images of Facebook founder Mark Zuckerberg. Bluesky claimed that the network now receives up to 3,000 suspicious activity reports per hour. The accounts were quickly taken down. Bluesky hasn’t publicly stated how it would respond to a more targeted cyberattack designed to breach its systems.

Communication with users during incidents

The official Bluesky channel and blog are often used by the platform to announce new security measures and apologize for outages. Given the company’s emphasis on transparency, it’s likely that, if there were a major cyber incident, these would be put to good use to keep users informed.

Steps taken to prevent future security issues

Although Bluesky hasn’t shared the details of all its security procedures, its commitment to a federated protocol shows that it wants to develop a secure network without a single point of failure. Using open-source code makes this easier as bugs can be discovered by the community and fixed quickly. 

Comparing Bluesky’s security to other platforms

Bluesky vs. Twitter

As a more popular and older platform, Twitter has been targeted many times in cyber attacks. This includes a breach in 2020 where attackers tricked a Twitter employee into giving them access to 120 accounts, which were then used to carry out a cryptocurrency investment scam.

Since Elon Musk’s takeover of Twitter, there have also been changes to its privacy policy e.g. to allow sharing of customer information with third parties to train AI models.

As a small platform, Bluesky is less likely to be targeted by hackers at present. Its decentralized model also means that users have much greater control over their data, offering better information security.

Bluesky vs. Facebook and Instagram

As a microblogging platform, it’s difficult to compare Bluesky directly with social media sites like Facebook and Instagram.

Both sites are owned by Meta, and so follow a centralized model for user account registration and managing data. The company also hasn’t always followed the rules when it comes to data protection. In 2023, Meta was fined 1.2 billion Euros for how it transferred Facebook user data from the EU to the USA.

In 2022, Meta was also fined over 400 million Euros for allowing children to set up Instagram accounts that publicly displayed their phone numbers and email addresses.

These kinds of breaches couldn’t occur on a user account that was set up on a trustworthy decentralized Bluesky personal data server. This is because the user would control their information, so it could only be transferred with their permission. They could also delete sensitive data like phone numbers and even verify it was removed properly.  

Bluesky’s smiling at you

While Bluesky has only been around for a few years, its decentralized architecture and commitment to open-source make for a transparent, secure and user-centric social media platform.

Given the number of times existing social media giants have been hacked and found to be in breach of data protection regulations, platforms like Bluesky are crucial for allowing users to socialize online safely.

As users are signing up all the time, Bluesky must make sure not to become a victim of its own success and scale sustainably whilst still protecting users.

FAQ

Does Bluesky allow NSFW?

Yes. By default adult content is disabled and must be enabled via the web settings at bsky.app. Users can also choose to ‘Show’, ‘Warn’ or ‘Hide’ images with non-sexual nudity.

Is Bluesky legitimate?

Yes. Bluesky is a legitimate social media platform, originally developed by Twitter co-founder Jack Dorsey. He stepped down from Bluesky’s board in May 2024 and the company is now an independent entity.

Does Bluesky take your data?

The platform does collect some data for operational purposes but Bluesky’s emphasis is on giving users control over how their information is stored and used. Registration via the main site means user data is saved on Bluesky’s servers. If you prefer, you can set up your own ‘personal data server’ to store your user account information.

Can anyone join Bluesky?

Yes. As of February 2024, invites are no longer required, so user registrations are open to the public. 

While Bluesky doesn’t discriminate, the URL for the main website is blocked in some countries that practice Internet censorship like China, Russia and Türkiye. 

You can bypass this by using a reliable VPN service like hide.me to establish a secure, encrypted connection to a dedicated VPN server based outside these countries.

