Terence Eden
Can you use GDPR to Circumvent BlueSky's Adult Content Blocks?



In the battle between the Online Safety Act and GDPR, who will win? FIGHT!

I'll start by saying that I'm moderately positive on Online Safety. If services don't want to provide moderation then they shouldn't let their younger users be exposed to harm.

The social network BlueSky has taken a pragmatic approach to this. If you don't want to verify your age, you can still use its services - but it won't serve you porn or let people send you non-public messages.

I think that's pretty reasonable. I don't use BSky to look at naked mole rats people, and I already have plenty of other messaging accounts. So I haven't verified my age.

There are two slight wrinkles with BSky's implementation. Firstly, there's no way to retrieve DMs which were sent before this restriction came into force. Oh, you can one-click export your data - but it only includes public data. So no DMs.

Secondly, you can't turn off DM from people who have previously messaged you. I asked people to message me to see if they got an error - but it looks like the messages just get silently accepted. I probably look a bit rude if I don't answer them.

Worse still, the DM notification keeps incrementing!

A notification counter showing the number 3. The message next to it says I need to complete age assurance.

It is possible to turn off DMs - but only if you can access your DM settings. Which you can't if you haven't passed age assurance.

Well, what about GDPR?

BlueSky's privacy policy has this to say about DMs:

Your Direct Messages. We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purposes.

They go on to say that I may have the right to:

Request Access to and Portability of Your Personal Information, including: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine-readable format (also known as the “right of data portability”);

So I sent off a Subject Access Request asking specifically for the Direct Messages sent to/from my account.

I was 100% sure that the messages I had sent were my personal data and should be returned to me. I wasn't sure if messages other people had sent to me could be considered personal data. But I figured that the OSA hadn't invalidated GDPR.

Here's what happened:

Timeline

  • 2025-07-24 - Sent request to their support desk and received an acknowledgement.
    • Response: "I've gone ahead and shared your request with our team and will follow up with you if any additional information or verification is needed."
  • 2025-07-31 - Sent a reminder to them.
    • Response: "We've escalated your concern to our developers and are still waiting for their response and confirmation. We'll get back as soon as we get this information."
  • 2025-08-25 - One month later sent an escalation to their legal team reminding them of their obligations.
    • Response: Asked to provide my country of residence and to prove my account ownership by sending an email from the address associated with my BSky account.
  • 2025-09-05 - Sent yet another chaser.
  • 2025-09-13 - Over seven weeks since the initial request. Told them that I wanted to know which data protection authority they were registered with so I could make a formal complaint.
    • Response: "Please be aware that we are currently in the process of making your data available for download. We will notify you as soon as it is ready."
  • 2025-09-22 - 8 weeks since the complaint was raised. Sent another chaser asking how long until my data would be ready to download.
  • 2025-09-25 - After 64 days they sent me a CSV with my data!

Result

Here's an extract of the CSV. I've lightly redacted the data, but you can see how JSON embedding works.

convoId,sentAt,sender,contents
3kt6f7a2,2025-07-24 05:50:09.339+00,did:plc:pxy4cjqfu5aa6eadtx5,"{""text"": ""Testing testing""}"
3ku4lvbh,2024-06-04 18:17:52.414+00,did:plc:i6misxex577k4q6o7gl,"{""text"": ""Thought this might be up your alley. I've been to a few of them - pretty good crowd. thegeomob.com/post/july-3r..."", ""facets"": [{""index"": {""byteEnd"": 114, ""byteStart"": 85}, ""features"": [{""uri"": ""https://thegeomob.com/post/july-3rd-2024-geomoblon-details"", ""$type"": ""app.bsky.richtext.facet#link""}]}]}"
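As an added example (my code, not the author's or Bluesky's), here is a small Python parser for the export format shown above. It reads the CSV, decodes the JSON embedded in the `contents` column, and resolves each rich-text facet's byte offsets back to the link label in the text. The two rows are the ones from the extract; the function and variable names are my own.

```python
import csv
import io
import json

# The two rows from the CSV extract above (DIDs as redacted by the author).
SAMPLE_CSV = '''convoId,sentAt,sender,contents
3kt6f7a2,2025-07-24 05:50:09.339+00,did:plc:pxy4cjqfu5aa6eadtx5,"{""text"": ""Testing testing""}"
3ku4lvbh,2024-06-04 18:17:52.414+00,did:plc:i6misxex577k4q6o7gl,"{""text"": ""Thought this might be up your alley. I've been to a few of them - pretty good crowd. thegeomob.com/post/july-3r..."", ""facets"": [{""index"": {""byteEnd"": 114, ""byteStart"": 85}, ""features"": [{""uri"": ""https://thegeomob.com/post/july-3rd-2024-geomoblon-details"", ""$type"": ""app.bsky.richtext.facet#link""}]}]}"
'''


def parse_dm_export(csv_text):
    """Parse the DM export CSV into a list of dicts.

    The `contents` column holds a JSON document. CSV quoting doubles every
    quote character inside it; csv.reader undoes that before json.loads runs.
    """
    messages = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        body = json.loads(row["contents"])
        text = body.get("text", "")
        # Bluesky rich-text facets index into the UTF-8 bytes of the text,
        # not into code points, so slice the encoded form.
        raw = text.encode("utf-8")
        links = []
        for facet in body.get("facets", []):
            start = facet["index"]["byteStart"]
            end = facet["index"]["byteEnd"]
            label = raw[start:end].decode("utf-8", errors="replace")
            for feature in facet.get("features", []):
                if feature.get("$type") == "app.bsky.richtext.facet#link":
                    links.append((label, feature["uri"]))
        messages.append({
            "convoId": row["convoId"],
            "sentAt": row["sentAt"],
            "sender": row["sender"],
            "text": text,
            "links": links,
        })
    return messages


if __name__ == "__main__":
    for m in parse_dm_export(SAMPLE_CSV):
        print(m["sentAt"], m["sender"], repr(m["text"]))
        for label, uri in m["links"]:
            print("   link:", label, "->", uri)
```

Note that the displayed label ("thegeomob.com/post/july-3r...") and the facet's actual URI differ, so anything that audits exported messages should report the URI, not the visible text.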

Thoughts

I didn't have to prove my age. I just proved account ownership and then politely but insistently asked for my data. Frankly, it is baffling that such a well-funded company takes this long to answer a simple request.

Does this expose a gaping hole in the idea of online safety?

No. Not really. I suppose that a theoretical abuser could send messages to a minor and then that minor could go through a Subject Access Request process to try and access them. But that all feels a bit far-fetched and is likely to draw attention to both parties.

But why didn't you just…

This was definitely "playing on hard mode". There were other ways to get my DMs. Here are some alternatives which I didn't try and why I didn't try them.

  • Use a VPN to circumvent the geoblock.
    • Why should I have to pay for a VPN, or trust my browsing data to a dodgy 3rd party? I shouldn't have to install and configure software just to work around a crappy design decision.
  • Go through age verification.
    • I don't browse BlueSky for the "gentlemen's special interest" section. I already have lots of ways people can contact me. I'm not against a KYC process - but I simply don't need it.
  • Use a 3rd party client to download the data.
    • I don't trust my data with 3rd party apps, and neither should you!
  • Use the API to read DMs.
    • I wasn't sure if the API required age verification. And, frankly, I couldn't be faffed learning a brand new API.
  • Escalate straight to the CEO or via a friend who works there.
    • I like doing things the official way. Not everyone has a friend who works at BSky (thanks <REDACTED>!) and I feel it is better if legal teams get direct feedback from users; not management.
  • Ignore this and use a better social network.
    • I go where my friends are. I have lots of friends on Mastodon and other services. BSky is OK, but I'm only there for my friends. But, while they are there, I didn't want an obnoxious DM notification taunting me.

Next Steps

I've emailed BlueSky to ask them to completely disable my inbox and clear my notifications. We'll see how long that takes them!



4 thoughts on “Can you use GDPR to Circumvent BlueSky's Adult Content Blocks?”

  1. Bluesky's age gates are fully client-side, the AppView is oblivious to them and trusts the client. I have some private patches to disable it, as well as fix other nag prompts such as email verification. (I have an entire domain, why do you need my email?)

