Bluesky has a verification problem


Bluesky is bigger than ever. But as the startup social media service surges, the platform is experiencing some growing pains. Among them: The influx of new users has opened up new opportunities for scammers and impersonators hoping to take advantage of the attention — and Bluesky’s lack of a regular verification system.

A recent analysis by Alexios Mantzarlis, director of the Security Trust and Security Initiative at Cornell Tech, found that 44 percent of the 100 most-followed accounts on Bluesky have at least one “binary,” most of which appear to be “cheap accounts” of a bigger account, “right down to the same bio and profile picture,” Mantzarlis said.

Unlike many of its peers, which offer tokens and official badges to government officials, celebrities, and other high-profile accounts, Bluesky takes a more accessible approach to verification. Instead of actively verifying prominent accounts themselves, the company encourages users to use a custom domain name to “authenticate themselves.”

For example, my employer Engadget currently has a Bluesky handle. But if we want to “verify” our account, we can choose to change it to Engadget.com. Some media outlets, e.g. The New York Times, Bloomberg and The Onion, have done this for their official accounts. Individuals can also verify using a personal website.

However, the process is more complicated than just changing the handle. It also requires institutions to update the DNS record associated with their domains. While in some ways this is a clever solution to authentication – only the actual owner of the website can access the DNS record for a domain – it also has a number of drawbacks. This is a manual process that is not accessible to everyone who wants to be verified. (Bluesky sells custom domains to users who don’t already have one.)

Verification is more complicated for those who want to verify multiple accounts associated with the same domain, which may explain why some outlets, e.g. The New York Times and NPR, have custom handles but don’t extend this verification to their correspondents on Bluesky. Even Bluesky suggests that organizations seek help from their IT departments.

There are other issues as well. Once you change your handle to match the domain you own, your old handle (e.g. engadget.bsky.social) becomes available again. So you’ll either have to create a new account to “squat” on the old handle, or run the risk of an impersonator taking it over. Even if you add a custom domain, it doesn’t offer perfect protection against spoofing. A dedicated fraudster can use a similar domain and “verify” their fake account.
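The gap described above, between proving control of a domain and proving identity, can be seen in a short check. This is an added example, not code from Bluesky or Engadget: the `_atproto.<handle>` TXT record with a `did=` value is the AT Protocol handle-resolution convention rather than something the article states, and the `.example` domains, DIDs, trusted list and 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample data: TXT answers keyed by DNS name (no live lookups).
SAMPLE_TXT = {
    "_atproto.engadget.example": ["did=did:plc:aaaaaaaaaaaaaaaaaaaaaaaa"],
    "_atproto.engadqet.example": ["did=did:plc:bbbbbbbbbbbbbbbbbbbbbbbb"],
    "_atproto.newsdesk.example": ["did=did:plc:cccccccccccccccccccccccc"],
    "_atproto.mail-only.example": ["v=spf1 -all"],
}
TRUSTED_HANDLES = {"engadget.example"}  # hypothetical: confirmed out of band


def did_from_txt(handle, txt=SAMPLE_TXT):
    """Return the DID a domain handle proves, or None if the proof is absent.

    AT Protocol handle resolution reads TXT values of the form did=<DID>
    at _atproto.<handle>; records naming different DIDs make it fail.
    """
    values = txt.get("_atproto." + handle.lower().rstrip("."), [])
    dids = {v[4:] for v in values if v.startswith("did=did:")}
    return dids.pop() if len(dids) == 1 else None


def lookalike_of(handle, trusted=TRUSTED_HANDLES, threshold=0.85):
    """Return the trusted handle this one closely resembles, else None."""
    handle = handle.lower()
    if handle in trusted:
        return None
    for good in sorted(trusted):
        if SequenceMatcher(None, handle, good).ratio() >= threshold:
            return good
    return None


def assess(handle):
    """Keep the DNS proof and the identity question as separate verdicts."""
    if did_from_txt(handle) is None:
        return "no-domain-proof"
    target = lookalike_of(handle)
    if target:
        return "domain-proof-but-resembles:" + target
    if handle.lower() in TRUSTED_HANDLES:
        return "domain-proof-confirmed"
    return "domain-proof-identity-unknown"


if __name__ == "__main__":
    for h in ("engadget.example", "engadqet.example", "newsdesk.example", "mail-only.example"):
        print(h, "->", assess(h))
```

Both the genuine and the look-alike handle pass the DNS check here; only the comparison against an independently confirmed list separates them.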

Two screenshots of NY Representative Alexandria Ocasio-Cortez's Bluesky accounts.

Both accounts are owned by AOC, but only the top one is “verified” in Bluesky’s current system. (Screenshot via Bluesky)

To make matters more confusing, Bluesky itself gives no indication that the account has been “verified” other than the handle name. There is no visual indicator, such as a check or badge, to distinguish verified accounts from non-verified accounts.

To combat this, some Bluesky users have come up with their own workarounds. Hunter Walker, an investigative reporter at Talking Points Memo and early Bluesky user, is actively checking high-profile accounts himself. So far, he has checked more than 330 people, including New York Rep. Alexandria Ocasio-Cortez, Flavor Flav, Mark Cuban and Barbra Streisand.

“I have a pretty high standard for journalism and reporting, and anything I say, I like to triple-check sources,” Walker tells Engadget. “I like to make sure it’s confirmed. By participating in Bluesky, it became clear to me that nothing was confirmed at the basic level.”

Walker estimates he’s spent 16 hours checking accounts over the past few weeks. He has different methods depending on the user, but it often involves communicating with someone from another account that is officially linked, such as a company email address. For celebrities, their reps can often endorse official Bluesky handles.

“I’ve caught a lot of scammers and fakers, and it’s not always who you expect,” Walker said. “Ordinary journalists sometimes have three or four fakers.” He says he’s had requests for unofficial approval, and notes that a number of people he’s approved also use a custom domain. “They want something else … because a domain is not identity verification.”

Walker maintains “starter packs” of journalists and other well-known accounts he approves. Recently, he took it a step further by working with another user to create a custom tagging service. This adds different emojis to the accounts he approves to make his “approval” more prominent. Subscribers to the service will see 😎 next to celebrities and public figures, and 🌐 next to journalists.

A tagging service that uses emojis to indicate verified accounts by Walker. (Screenshot via Bluesky)

While such efforts may serve as a stopgap, Walker won’t be able to check every notable account on Bluesky. He said other communities, such as university researchers, may attempt similar ad hoc verification. But, without the help of Bluesky or a third-party identity service, he expects impersonation to remain a problem.

And widespread impersonation can often lead to bigger problems for a platform like Bluesky. Cornell Tech’s Mantzarlis noted that Vice President Kamala Harris “had 20 impersonator accounts at one point,” despite never having an official involvement with Bluesky, and said, “The verification alone is an early signal of broader deception and subterfuge by organized disinformation actors.”

For its part, Bluesky acknowledged that impersonation is a problem. This week, the company said it has seen a “predictable increase in malicious content” coinciding with its recent growth. In a statement to Engadget, Bluesky spokeswoman Emily Liu said the company has “quadrupled” its moderation team, which will help impersonation reports be handled more quickly. Liu also said that Bluesky is “working on easier visual cues that we can use for authentication, so it’s a better user experience,” though it’s not yet clear what form that will take.

But Bluesky, which currently has just 20 full-time employees, is reluctant to consider other approaches to validation outside of specific domains. “We work behind the scenes with official organizations and high-profile individuals such as celebrities and elected officials to verify their accounts on Bluesky with their websites,” Liu said. “Instead of validating domains, we want to put the verification tools in the hands of every organization, rather than making Bluesky the only arbiter of what is valid on the network.”

Bluesky’s reluctance to play the role of checker is understandable in many ways. Authentication has a long and tumultuous history on other platforms. Originally created on Twitter to combat copycats, the verification badge quickly became a status symbol. Instagram verification is often used by fraudsters. Both companies now allow users to receive blue badges, although both platforms actively vet certain types of accounts, such as those belonging to government officials.

Bluesky CEO Jay Graber, however, said she was potentially open to alternative approaches to verification. In a live stream on Twitch this week, she said the company could become a “verification provider” “at some point.” TechCrunch, which reported on the comments, said they suggest a future system with multiple verification “providers”. Graber added that she was unsure “when” such a scenario would play out.

Walker, who has repeatedly reiterated his belief that “Bluesky has juice,” hopes his endorsement project can push Bluesky to take a different approach. “I really hope that people focus on the issue of trust and identity. The great thing about the open source nature of it all is that we have the chance to build anything on top of it and make it the way we want it to be.”


