Me? I prefer to look at how many people visit my blog from each site. It is an imperfect measure - and a vain one - but lets me know where I should be spending my time. No point posting on a network which is just bots talking to each other, right?

Earlier this year I built a stats-counter for my blog. Every time someone clicks from a website which links to my blog, it records that visit in a database. I get to see which blog posts are doing numbers, and where those numbers came from.

Until fairly recently, the Mastodon social network didn't send referer details. I thought that reduced the visibility of the network and lobbied for it to change. As various Mastodon servers upgrade, and admins opt-in, it is becoming more apparent just how much traffic originates from the Fediverse.

Over the last few weeks, here's how many people have clicked from BlueSky and Mastodon to one of my blog posts.

Total	Source
1,607	bsky.app
752	mastodon.social

At first glance, it doesn't look good for our elephantine friends, does it? The butterfly sends over twice the traffic. Game over!

But, of course, while Mastodon.social is the biggest instance - it is far from the only one. What happens if we slide down the long tail? Here's all the Mastodon-ish instances which sent me over 10 clicks.

Total	Source
193	phanpy.social
120	android-app://org.joinmastodon.android/
106	infosec.exchange
62	mas.to
59	mstdn.social
55	social.vivaldi.net
49	wandering.shop
48	fosstodon.org
33	mathstodon.xyz
27	mastodon.online
26	mastodon.scot
24	app.wafrn.net
19	indieweb.social
18	social.lol
17	tech.lgbt
17	toot.wales
16	en.osm.town
16	feditrends.com
14	mstdn.ca
14	piefed.social
12	wetdry.world
11	c.im
11	mastodon.nl
51	Sites sending < 10 clicks

Ah! Add them all up and you get a grand total of 1,773 visitors from Mastodon-powered sites. That's more than BlueSky.

Now, there are some obvious caveats to the data:

• I have a smaller follower count on BlueSky than I do on Mastodon.
• My posts may appeal more to one demographic than another.
• People may have strict privacy controls which suppress the true volume of visitors.
• There's no way to measure how long someone spends reading my posts.
• RSS and newsletter visitors aren't counted.
• Clicks from apps may not always show a referer.
• Some people may be on multiple services.
• Fediverse users can follow the post directly, so don't need to visit the site to read it.

And yet… no matter how you slice it, Fediverse servers are sending as much traffic as BlueSky!

I think this is brilliant. Web services should be able to scale from small to big - and each ActivityPub-powered site helps power the open Internet.

Just for completeness, this is how Reddit, Facebook, LinkedIn, Twitter, and Lemmy do over the same period:

Total	Source
1,158	reddit.com
585	android-app://com.reddit.frontpage/
76	facebook.com
76	https://old.reddit.com/r/programming/
56	https://www.reddit.com/r/programming/
52	youtube.com
41	t.co
38	https://old.reddit.com/r/todayilearned/comments/1nsw7f4/til_in_mongolia_instead_of_a_street_address_a/
31	linkedin.com
27	android-app://io.syncapps.lemmy_sync/
27	https://www.reddit.com/r/todayilearned/comments/1nsw7f4/til_in_mongolia_instead_of_a_street_address_a/
22	https://old.reddit.com/r/programming/comments/1n96ftn/40_years_later_are_bentleys_programming_pearls/
22	lemmy.ca
17	android-app://com.linkedin.android/
16	lemmy.dbzer0.com
14	feddit.org
11	https://www.reddit.com/r/programming/comments/1n96ftn/40_years_later_are_bentleys_programming_pearls/
10	discuss.tchncs.de
10	l.instagram.com
8	lemmy.blahaj.zone
6	https://www.reddit.com/r/GrapheneOS/comments/1m2l84b/considering_making_the_switch_does_google_pay/
6	reddthat.com

If you add up all the Lemmy instances, they send about as much traffic as Facebook and LinkedIn combined. That's not a huge surprise - those platforms hate anyone clicking away to the wider web.

Twitter is basically the Dead Internet. I'm no longer on there, but I do occasionally search it to see who is sharing my posts. The popular posts I write get shared a lot - sometimes by accounts with huge followers - yet there are no comments or retweets and barely and clicks.

I don't do Instagram or Threads, and that might be reflected in their low numbers. But I'm not active on YouTube either - yet people there occasionally link back to me.

Final Thoughts

Firstly, my stats only represent my site. Your site might be very different.

Secondly, I've ignored search engine traffic, big blogs, newsletters, and other sources.

Thirdly, and most importantly, this isn't a competition! The desire for a "winner-takes-all" service is dangerous and disturbing. An ecosystem is at its most vibrant when there are multiple participants each thriving in their own niche.

I want a thousand sites, running a hundred different software stacks, some of which only serve a dozen people, or even a lone participant.

Diversity is strength.

I'll start by saying that I'm moderately positive on Online Safety. If services don't want to provide moderation then they shouldn't let their younger users be exposed to harm.

The social network BlueSky has taken a pragmatic approach to this. If you don't want to verify your age, you can still use its services - but it won't serve you porn or let people send you non-public messages.

I think that's pretty reasonable. I don't use BSky to look at naked mole rats people, and I already have plenty of other messaging accounts. So I haven't verified my age.

There are two slight wrinkles with BSky's implementation. Firstly, there's no way to retrieve DMs which were sent before this restriction came into force. Oh, you can one-click export your data - but it only includes public data. So no DMs.

Secondly, you can't turn off DM from people who have previously messaged you. I asked people to message me to see if they got an error - but it looks like the messages just get silently accepted. I probably look a bit rude if I don't answer them.

Worse still, the DM notification keeps incrementing!

It is possible to turn off DMs - but only if you can access your DM settings. Which you can't if you haven't passed age assurance.

Well, what about GDPR?

BlueSky's privacy policy has this to say about DMs:

Your Direct Messages. We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purposes.

They go on to say that I may have the right to:

Request Access to and Portability of Your Personal Information, including: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine-readable format (also known as the “right of data portability”);

So I sent off a Subject Access Request asking specifically for the Direct Messages sent to/from my account.

I was 100% sure that the messages I had sent were my personal data and should be returned to me. I wasn't sure if messages other people had sent to me could be considered personal data. But I figured that the OSA hadn't invalidated GDPR.

Here's what happened:

Timeline

• 2025-07-24 - Sent request to their support desk and received an acknowledgement.
  • Response: "I've gone ahead and shared your request with our team and will follow up with you if any additional information or verification is needed."
• 2025-07-31 - Sent a reminder to them.
  • Response: "We've escalated your concern to our developers and are still waiting for their response and confirmation. We'll get back as soon as we get this information."
• 2025-08-25 - One month later sent an escalation to their legal team reminding them of their obligations.
  • Response: Asked to provide my country of residence and to prove my account ownership by send an email from the address associated with my BSky account.
• 2025-09-05 - Sent yet another chaser.
• 2025-09-13 - Over seven weeks since the initial request. Told them that I wanted to know which data protection authority they were registered with so I could make a formal complaint.
  • Response: "Please be aware that we are currently in the process of making your data available for download. We will notify you as soon as it is ready."
• 2025-09-22 - 8 weeks since the complaint was raised. Sent another chaser asking how long until my data would be ready to download.
• 2025-09-25 - After 64 days they sent me a CSV with my data!

Result

Here's an extract of the CSV. I've lightly redacted the data, but you can see how JSON embedding works.

convoId,sentAt,sender,contents
3kt6f7a2,2025-07-24 05:50:09.339+00,did:plc:pxy4cjqfu5aa6eadtx5,"{""text"": ""Testing testing""}"
3ku4lvbh,2024-06-04 18:17:52.414+00,did:plc:i6misxex577k4q6o7gl,"{""text"": ""Thought this might be up your alley. I've been to a few of them - pretty good crowd. thegeomob.com/post/july-3r..."", ""facets"": [{""index"": {""byteEnd"": 114, ""byteStart"": 85}, ""features"": [{""uri"": ""https://thegeomob.com/post/july-3rd-2024-geomoblon-details"", ""$type"": ""app.bsky.richtext.facet#link""}]}]}"

Thoughts

I didn't have to prove my age. I just proved account ownership and then politely but insistently asked for my data. Frankly, it is baffling that such a well-funded company takes this long to answer a simple request.

Does this expose a gaping whole in the idea of online safety?

No. Not really. I suppose that a theoretical abuser could send messages to a minor and then that minor could go through a Subject Access Request process to try and access them. But that all feels a bit far-fetched and is likely to draw attention to both parties.

But why didn't you just…

This was definitely "playing on hard mode". There were other ways to get my DMs. Here are some alternatives which I didn't try and why I didn't try them.

• Use a VPN to circumvent the geoblock.
  • Why should I have to pay for a VPN, or trust my browsing data to a dodgy 3rd party? I shouldn't have to install and configure software just to work around a crappy design decision.
• Go through age verification.
  • I don't browse BlueSky for the "gentlemen's special interest" section. I already have lots of ways people can contact me. I'm not against a KYC process - but I simply don't need it.
• Use a 3rd party client to download the data.
  • I don't trust my data with 3rd party apps, and neither should you!
• Use the API to read DMs.
  • I wasn't sure if the API required age verification. And, frankly, I couldn't be faffed learning a brand new API.
• Escalate straight to the CEO or via a friend who works there.
  • I like doing things the official way. Not everyone has a friend who works at BSky (thanks <REDACTED>!) and I feel it is better if legal teams get direct feedback from users; not management.
• Ignore this and use a better social network.
  • I go where my friends are. I have lots of friends on Mastodon and other services. BSky is OK, but I'm only there for my friends. But, while they are there, I didn't want an obnoxious DM notification taunting me.

Next Steps

I've emailed BlueSky to ask them to completely disable my inbox and clear my notifications. We'll see how long that takes them!

Fifteen years ago (fuck, I'm old) I started documenting what Twitter's nascent hashtags could and couldn't do.

Back in 2010, this is how the official Twitter site linked hashtags.

Notably, punctuation symbols didn't "count" as part of a tag.

How does modern social media handle something like #Fish&Chips?

• Mastodon links directly to #Fish&Chips
• BlueSky links directly to #Fish&Chips
• Threads links to a search for Fish & Chips

What about normalisation?

Should #Romeo link to #ROMEO and #rOMeO?

On all three of the major social networks, case is insensitive.

But what about the vagueries of Unicode normalisation?

Is #Ŕöméø&Jülíèt the same as #Romeo&Juliet?

Both Threads and Mastodon do some form of decomposition - turning the various accents into their accentless versions.

But BlueSky links to the literal version.

Is that the right thing to do? I don't know.

This literal interpretation of the text in hashtags allows for some interesting steganography - which can be fun, but I wonder if it is what users expect?

And that's what it comes down to. What is technically correct isn't always the same as what users need.

Perhaps most users prefer #ROMEO to link to the same posts as #romeo. Perhaps they think #Romeó should link there too. But no social network, as far as I am aware, has done any user research into the behaviour that users want when interacting with hashtags.

I'd love someone to do some actual research on how people expect a folksonomy to work.

Some people are @whatever.tld and others are @cool.subdomain.funny.lol.fwd.boring.tld

I wanted to know what the distribution is of these domain names. For example, are there more .uk users than .org users?

Shut up and show me the results

You can play with the interactive data

Oh, and the large number of .gy domains is due to The Fediverse Bridge.

Getting the data

BlueSky has an open "firehose" of the data passing through it. Following the sample code I listened for public interactions - people posting, liking, or follows.

From there, I grabbed every username which wasn't on the default .bsky.social domain. I left the code running for a few days until I had over 22,000 usernames.

Note, these data are all public - although I'm not sure if users necessarily realise that. It doesn't include lurkers (people who don't interact). Some of the accounts may have been moved, banned, or deleted.

Drawing a TreeMap

I used Plotly's TreeMap library to draw a static map of all the Top Level Domains (TLD).

As you can see, .com dominates the landscape - but there are quite a few country code TLDs in there as well.

Public Suffixes

Domain names have the concepts of Public Suffixes. For example, users can register domains at .co.uk and .org.uk as well as just plain .uk. The Python tldextract library allowed me to see which domains were public suffixes, so I could attach them to their parent TLD.

I then drew a TreeMap showing this.

Note! You'll need to hack your Plotly installation to allow empty leaf nodes to get in the same style as the first map.

So what? What next?

• Not everyone from, say, Brazil will have a .br domain name - but it is fascinating to see which countries dominate.
• It might be fun to go full "Information Is Beautiful" and turn each ccTLD into its country's flag.
• Are there ethical implications of recording the fact that an account has publicly shared themselves on a social network?
• What percentage of all users have a domain name handle?

Get the code

Everything is open source on GitHub.

What does that mean?

• You tell the service what your website is.
• The service gives you a secret code¹.
• You upload that secret code onto your website.
• The service checks the secret code is on the website.
• If it is, the service says your domain is verified.

On Mastodon, that gives you a green tick next to your link. On BlueSky, it gives you the ability to change your username to your website's name.

This is reasonably strong proof that you are the owner of that website. I don't have the ability to add the secret file I've been given to bbc.co.uk, so I cannot impersonate them.

But it isn't all sunshine and roses. There are some important issues with this process.

Revocation and Revalidation

Let's say an employee has validated alice.big_company.com - what happens when Alice leaves²?

Well, you just delete the secret code from your website, right?

In theory yes. But in practice, no.

From BlueSky:

We're working on adding the ability to revalidate these handles periodically.

And Mastodon:

Verified links are currently verified at each time the profile is updated, but they will only be verified once, when initially entered.

So, at the moment, there is a risk that revalidation isn't completed and revocation never happens³. Accounts which were once trusted may stay trusted, even when they're no longer trustworthy.

Copy Cat Domains

You're chatting with your credit card company's social media account. You see that they've verified the domain.

Wait?! Are they really mastercrrd.info ✅?

There are several practical attacks against humans trying to validate a domain name. A simple misspelling is easy to overlook. There are thousands of top level domains, and you may not be sure if your bank uses .com, .uk, .tech, or something else. It only costs a few quid for an attacker to buy a domain which contains a politician's name.

International domain names mean that homograph attacks are possible.

Humans aren't very clever

Recently, several prominent journalists on BlueSky embarrassed themselves by pronouncing fake accounts to be real. The journalists - with all their resources and contacts - didn't bother to actually verify if the person who registered @KemiBadenoch was really the Leader of the Opposition.

They could have checked her website to see if it linked to the new account. They could have rung up the Tory press office. They could have checked to see if she have verified her account. Or they could have done a dozen other things to verify the facts before posting. They didn't.

These aren't random users blindly reposting. These are highly educated, thoroughly trained fact-finders. Their mission is accuracy and their livelihood depends on being able to report the truth. And yet they just assumed that no one would lie on the Internet.

Would a journalist be able to spot that tailer-swift.fartotron.xyz was an impersonator? I highly doubt it⁴.

Hacks Happen

Even when Twitter was validating celebrities correctly, it didn't stop the accounts getting hacked.

An attacker might compromise your social media account or your domain name registrar.

Just because an account and domain appear verified, it doesn't mean they're legitimate. Is that politician you follow really posting about dietary supplements?

It might be too difficult for large organisation

I've written An Easy Guide To BlueSky Verification. It can be as simple as uploading a single file to your website. Although I have some sympathy for claims that managing the process for hundreds of employees might be difficult.

Based on my calculations around 5% of active BlueSky users have verified their domain.

The alternative isn't much better

Verification is hard. Can an over-worked verification team spot that I've photoshopped a passport so that it looks like someone else's?

There are hundred of famous people called John Williams - which one do you verify?

Also, what are you verifying? In my post on Rethinking Twitter Verification, I pointed out that the ambiguity of verification leads to some weird and non-obvious outcomes.

Final thoughts

There are no simple technological fixes to complex social issues.

But I'm naïve enough to believe that, with time, we can train people to be better at assessing the information they are given.

This opens up verification to small organisations, individuals, and anyone who wants to prove who they are. Brilliant!

Verification means that your @username will change to @Your.Website.com - this means that everyone can see your BlueSky account is owned by that specific website. When you change your name, you keep all your followers and posts.

Here are some organisations and people at risk of impersonation who have already done this:

• UK Newspaper https://bsky.app/profile/theguardian.com
• Trade Union https://bsky.app/profile/utaw.tech
• Labour MPs https://bsky.app/profile/sarahowen.org.uk
• Small Publisher https://bsky.app/profile/canongate.co.uk
• Fun Website https://bsky.app/profile/openbenches.org

There is an easy way to get verified and a hard way. Let's do the easy way!

1) Sign Up For BlueSky

Sign up and register a username. This can be anything you want. For example, I registered edent.bsky.social

2) Change Your User ID

Follow these steps:

1. Visit https://bsky.app/settings
2. Scroll down and select "Change Handle"
3. Click "I have my own domain"
4. Select "No DNS Panel". The screen should look like this:
   • 
5. Type in the domain name you want to verify
6. Click "Copy File Contents"

Keep this web page open.

3) Copy and Save Your DID

On your clipboard, you will have a bit of text which looks like this did:plc:dip7ueksh627fxacagfrdyz2

Save it in a text file called atproto-did

It is very important that the file doesn't end with .txt - it must be called atproto-did and nothing else.

The file should only contain the text you copied. Nothing else.

4) Upload The File To Your Website

This is the only technical bit of the process. You need the ability to upload a file to your website. I don't know whether you use FTP, a control panel, or email things to the person who manages your site.

You need to save the atproto-did file in a folder called /.well-known/

If that folder doesn't exist, create it. The folder name must be typed exactly like that, with the dot at the start.

You can check it has worked by visiting YourWebsite.com/.well-known/atproto-did

If you can see your DID, it worked!

5) Change Your Username

Go back to the "Change Handle" web page you opened in Step 2.

Click "Verify Text File" and then "Update".

6) That's It!

Feel free to share this guide with people and organisations who want to get verified on BSky.

Leave a comment if you found it useful or want me to clarify something.

0. Create an account on the Fediverse using a domain you control
   • For example @user@bots.example.com
1. Follow the Fediverse-ATProto bridge @bsky.brid.gy@bsky.brid.gy
   • Your account will need to be over 2 weeks old and have a name, profile picture, etc.
2. You now have an account on BSky! Its name will be something like user.bots.example.com.ap.brid.gy
3. Get the DID of your account
   • https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=user.bots.example.com.ap.brid.gy
   • Or https://fed.brid.gy/ap/@user@bots.example.com
4. Add the DID to your domain
   • I think the easiest way is sticking it in a plain text file at bots.example.com/.well-known/atproto-did
5. Use the BSky Debugger to make sure it was successful.
6. Send a Direct Message from the Fediverse to @bsky.brid.gy@bsky.brid.gy. The message must only contain username bots.example.com.
   • That's literally the word username. It isn't your account's username.
7. Wait a few moments.
8. Your bot will now be on BSky as https://bsky.app/profile/bots.example.com!

You can see that https://bot.viii.fi/bot is also available at https://bsky.app/profile/bot.viii.fi

Way back in the mists of time, we dealt with trolls on Usenet with the almighty PLONK - PLaced On Newsgroup Killfile. It meant your newsreader never downloaded their posts. They could rant at you all day long, and you'd never hear from them. It's what we would nowadays call "Mute".

But, whether you're on Usenet or a modern social network, muting someone doesn't actually stop them replying to you. The miscreant can still see your posts, interact with them, quote them. And everyone on that service can see their abuse. Perhaps they will also join in?

Most modern social networks now have the concept of "Block". When Alice blocks Bob, it means Bob cannot see Alice's posts. The service doesn't deliver her content to him. If he goes looking, he can't find it. She is invisible to him.

Except, of course, that's a lie. If Bob logs out of his account, he can see Alice's public content. If he logs into an alternative account, he isn't blocked.

The block is a social signal backed up with mild technical restrictions.

What do I mean by that? Ordinarily, you will have no idea that you have been blocked by someone. They will simply vanish from your screens. You do not receive an alert that you've been blocked. Technical restrictions mean you won't see their posts, nor replies to them. The only way you might know is if you deliberately look for the person blocking you.

Seeing that you have been blocked is a "social signal". It lets you know that your behaviour was unwanted, or that your contributions weren't valued, or that someone just doesn't like you. For most people, that sort of chastisement probably induces a little shame or grief. For others, it is enraging.

Again, it isn't impossible for a blocked user to see content - but technical restrictions means it takes effort. And, it turns out, for all but the most obsessive abusers - a mild bit of UI friction is all that it takes for them to stop.

On a centralised social media platform, like Twitter and Facebook, your blocks are private. The only people who know you have blocked Taylor Swift are you, the platform, and T-Swizzle herself.

On decentralised social media platforms, it is more complicated.

Mastodon / ActivityPub lets you block a user. In doing so, you have to tell that user's server that you don't want them seeing your messages. That means your server knows about the block, their server know, and the user knows. But, crucially, there's nothing to stop a malicious server ignoring your wishes. While your server can mute all the interactions from them, there are only weak technological restrictions on their behaviour.

BlueSky / AT Protocol takes a different (and more worrying) approach. BlueSky tells everyone about your blocks. If Alice blocks Bob - the system lets everyone know. This means that if Bob starts replying to your posts, other clients will know to ignore his interactions with you. I've written more about the dangers of public blocklists over on BSky.

But, crucially, none of these systems actually block users. This isn't like that Black Mirror episode where people are literally blurred out from your eyeballs.

In all cases, a user can log out and see your public posts. They can sign in with an alternative account. And, in the case of decentralised social media, they can choose to ignore the technological restrictions you impose.

Social networks have a responsibility to keep their users safe. That means having enough friction to prevent casual abuse.

But blocking is only a social signal. That's all it ever has been. It is a boop on the nose with a rolled up newspaper. It is a message to tell someone that they might want to adjust their attitude.

You should block - and block often. You should feel empowered to curate an environment that is safe for you. But you should also understand the limitations of the technical controls which underpin these social signals.