<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="https://shkspr.mobi/blog/wp-content/themes/edent-wordpress-theme/rss-style.xsl" type="text/xsl"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	    xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	     xmlns:dc="http://purl.org/dc/elements/1.1/"
	   xmlns:atom="http://www.w3.org/2005/Atom"
	     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	  xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>
<channel>
	<title>OnlineSafety &#8211; Terence Eden’s Blog</title>
	<atom:link href="https://shkspr.mobi/blog/tag/onlinesafety/feed/" rel="self" type="application/rss+xml" />
	<link>https://shkspr.mobi/blog</link>
	<description>Regular nonsense about tech and its effects 🙃</description>
	<lastBuildDate>Tue, 30 Sep 2025 12:01:46 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://shkspr.mobi/blog/wp-content/uploads/2023/07/cropped-avatar-32x32.jpeg</url>
	<title>OnlineSafety &#8211; Terence Eden’s Blog</title>
	<link>https://shkspr.mobi/blog</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title><![CDATA[Can you use GDPR to Circumvent BlueSky's Adult Content Blocks?]]></title>
		<link>https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/</link>
					<comments>https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/#comments</comments>
				<dc:creator><![CDATA[@edent]]></dc:creator>
		<pubDate>Mon, 29 Sep 2025 11:34:27 +0000</pubDate>
				<category><![CDATA[/etc/]]></category>
		<category><![CDATA[BlueSky]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[OnlineSafety]]></category>
		<guid isPermaLink="false">https://shkspr.mobi/blog/?p=62143</guid>

					<description><![CDATA[In the battle between the Online Safety Act and GDPR, who will win? FIGHT!  I&#039;ll start by saying that I&#039;m moderately positive on Online Safety. If services don&#039;t want to provide moderation then they shouldn&#039;t let their younger users be exposed to harm.  The social network BlueSky has taken a pragmatic approach to this. If you don&#039;t want to verify your age, you can still use its services - but it…]]></description>
										<content:encoded><![CDATA[<p>In the battle between the Online Safety Act and GDPR, who will win? FIGHT!</p>

<p>I'll start by saying that I'm <a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/">moderately positive on Online Safety</a>. If services don't want to provide moderation then they shouldn't let their younger users be exposed to harm.</p>

<p>The social network BlueSky has taken a pragmatic approach to this. If you don't want to verify your age, you can still use its services - but <a href="https://bsky.app/profile/edent.tel/post/3ltmzgl5h4c2k">it won't serve you porn or let people send you non-public messages</a>.</p>

<p>I think that's pretty reasonable. I don't use BSky to look at naked <del>mole rats</del> people, and I already have plenty of other messaging accounts. So I haven't verified my age.</p>

<p>There are two slight wrinkles with BSky's implementation.  Firstly, there's no way to retrieve DMs which were sent before this restriction came into force. Oh, you can one-click export your data - but <a href="https://docs.bsky.app/blog/repo-export">it only includes <em>public</em> data</a>. So no DMs.</p>

<p>Secondly, you can't turn off DMs from people who have previously messaged you. <a href="https://bsky.app/profile/edent.tel/post/3luoqklgdhk27">I asked people to message me</a> to see if they got an error - but it looks like the messages just get silently accepted. I probably look a bit rude if I don't answer them.</p>

<p>Worse still, the DM notification keeps incrementing!</p>

<img src="https://shkspr.mobi/blog/wp-content/uploads/2025/07/Bluesky-DM-notification.webp" alt="A notification counter showing the number 3. The message next to it says I need to complete age assurance." width="932" height="401" class="aligncenter size-full wp-image-62145">

<p>It <em>is</em> possible to turn off DMs - but <a href="https://bsky.social/about/blog/05-22-2024-direct-messages">only if you can access your DM settings</a>. Which you can't if you haven't passed age assurance.</p>

<p>Well, what about GDPR?</p>

<p><a href="https://bsky.social/about/support/privacy-policy#personal-information-collect">BlueSky's privacy policy</a> has this to say about DMs:</p>

<blockquote><p>Your Direct Messages. We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purposes.</p></blockquote>

<p>They go on to say that I may have the right to:</p>

<blockquote><p>Request Access to and Portability of Your Personal Information, including: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine-readable format (also known as the “right of data portability”);</p></blockquote>

<p>So I sent off a Subject Access Request asking specifically for the Direct Messages sent to/from my account.</p>

<p>I was 100% sure that the messages I had sent were my personal data and should be returned to me. I wasn't sure if messages other people had sent to me could be considered personal data.  But I figured that the OSA hadn't invalidated GDPR.</p>

<p>Here's what happened:</p>

<h2 id="timeline"><a href="https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/#timeline">Timeline</a></h2>

<ul>
<li>2025-07-24 - Sent request to their support desk and received an acknowledgement.

<ul>
<li>Response: "I've gone ahead and shared your request with our team and will follow up with you if any additional information or verification is needed."</li>
</ul></li>
<li>2025-07-31 - Sent a reminder to them.

<ul>
<li>Response: "We've escalated your concern to our developers and are still waiting for their response and confirmation. We'll get back as soon as we get this information."</li>
</ul></li>
<li>2025-08-25 - One month later sent an escalation to their legal team reminding them of their obligations.

<ul>
<li>Response: Asked to provide my country of residence and to prove my account ownership by sending an email from the address associated with my BSky account.</li>
</ul></li>
<li>2025-09-05 - Sent yet another chaser.</li>
<li>2025-09-13 - Over seven weeks since the initial request. Told them that I wanted to know which data protection authority they were registered with so I could make a formal complaint.

<ul>
<li>Response: "Please be aware that we are currently in the process of making your data available for download. We will notify you as soon as it is ready."</li>
</ul></li>
<li>2025-09-22 - 8 weeks since the complaint was raised. Sent another chaser asking how long until my data would be ready to download.</li>
<li>2025-09-25 - After 64 days they sent me a CSV with my data!</li>
</ul>

<h2 id="result"><a href="https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/#result">Result</a></h2>

<p>Here's an extract of the CSV. I've lightly redacted the data, but you can see how JSON embedding works.</p>

<pre><code class="language-csv">convoId,sentAt,sender,contents
3kt6f7a2,2025-07-24 05:50:09.339+00,did:plc:pxy4cjqfu5aa6eadtx5,"{""text"": ""Testing testing""}"
3ku4lvbh,2024-06-04 18:17:52.414+00,did:plc:i6misxex577k4q6o7gl,"{""text"": ""Thought this might be up your alley. I've been to a few of them - pretty good crowd. thegeomob.com/post/july-3r..."", ""facets"": [{""index"": {""byteEnd"": 114, ""byteStart"": 85}, ""features"": [{""uri"": ""https://thegeomob.com/post/july-3rd-2024-geomoblon-details"", ""$type"": ""app.bsky.richtext.facet#link""}]}]}"
</code></pre>

<h2 id="thoughts"><a href="https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/#thoughts">Thoughts</a></h2>

<p>I didn't have to prove my age. I just proved account ownership and then politely but insistently asked for my data. Frankly, it is baffling that such a well-funded company takes this long to answer a simple request.</p>

<p>Does this expose a gaping hole in the idea of online safety?</p>

<p>No. Not really. I suppose that a theoretical abuser could send messages to a minor and then that minor could go through a Subject Access Request process to try and access them. But that all feels a bit far-fetched and is likely to draw attention to both parties.</p>

<h2 id="but-why-didnt-you-just"><a href="https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/#but-why-didnt-you-just">But why didn't you just…</a></h2>

<p>This was definitely "playing on hard mode". There were other ways to get my DMs. Here are some alternatives which I didn't try and <em>why</em> I didn't try them.</p>

<ul>
<li>Use a VPN to circumvent the geoblock.

<ul>
<li>Why should I have to pay for a VPN, or trust my browsing data to a dodgy 3rd party? I shouldn't have to install and configure software just to work around a crappy design decision.</li>
</ul></li>
<li>Go through age verification.

<ul>
<li>I don't browse BlueSky for the "gentlemen's special interest" section. I already have lots of ways people can contact me. I'm not against a KYC process - but I simply don't need it.</li>
</ul></li>
<li>Use a 3rd party client to download the data.

<ul>
<li>I don't trust my data with 3rd party apps, and neither should you!</li>
</ul></li>
<li>Use <a href="https://docs.bsky.app/docs/api/chat-bsky-convo-get-messages">the API</a> to read DMs.

<ul>
<li>I wasn't sure if the API required age verification. And, frankly, I couldn't be faffed learning a brand new API.</li>
</ul></li>
<li>Escalate straight to the CEO or via a friend who works there.

<ul>
<li>I like doing things the official way. Not everyone has a friend who works at BSky (thanks &lt;REDACTED&gt;!) and I feel it is better if legal teams get direct feedback from users; not management.</li>
</ul></li>
<li>Ignore this and use a better social network.

<ul>
<li>I go where my friends are. I have lots of friends on Mastodon and other services. BSky is OK, but I'm only there for my friends. But, while they are there, I didn't want an obnoxious DM notification taunting me.</li>
</ul></li>
</ul>

<h2 id="next-steps"><a href="https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/#next-steps">Next Steps</a></h2>

<p>I've emailed BlueSky to ask them to completely disable my inbox and clear my notifications. We'll see how long that takes them!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://shkspr.mobi/blog/2025/09/can-you-use-gdpr-to-circumvent-blueskys-adult-content-blocks/feed/</wfw:commentRss>
			<slash:comments>4</slash:comments>
		
		
			</item>
		<item>
		<title><![CDATA[Food Safety vs Online Safety]]></title>
		<link>https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/</link>
					<comments>https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#comments</comments>
				<dc:creator><![CDATA[@edent]]></dc:creator>
		<pubDate>Thu, 19 Dec 2024 12:34:21 +0000</pubDate>
				<category><![CDATA[/etc/]]></category>
		<category><![CDATA[ofcom]]></category>
		<category><![CDATA[OnlineSafety]]></category>
		<guid isPermaLink="false">https://shkspr.mobi/blog/?p=54542</guid>

					<description><![CDATA[Analogies are like soufflés - they all collapse eventually.  Food can be delicious, but certain foods can cause people physical pain or, in some cases, death.  In most parts of the civilised world, governments have food safety laws. They mandate how to properly prepare, store, label, and serve food.  In the UK, the laws are onerous for large food manufacturers because we recognise that …]]></description>
										<content:encoded><![CDATA[<p>Analogies are like soufflés - they all collapse eventually.</p>

<p>Food can be delicious, but certain <a href="https://www.nhs.uk/conditions/food-allergy/">foods can cause people physical pain</a> or, in some cases, <a href="https://www.bbc.co.uk/news/uk-58756597">death</a>.</p>

<p>In most parts of the civilised world, governments have food safety laws. They mandate how to properly prepare, store, label, and serve food.</p>

<p>In the UK, the laws are onerous for large food manufacturers because we recognise that introducing pathogens into the supply-chain could cause mass harm.</p>

<p>But even small food shops are subject to food safety regulations. They have to show that their staff are trained to keep customers safe because, again, <a href="https://www.bbc.co.uk/news/uk-england-wiltshire-67068843">mislabelled  food can kill</a>.</p>

<p>What about if you're cooking for yourself - do you need to have a food hygiene certificate? No. You are trusted to look after yourself and your family.</p>

<p>How about if you invite friends round for dinner - are there any laws governing that? Again, no. It's probably sensible to ask about allergies, but there aren't any regulations about serving friends undercooked burgers.</p>

<p>Having a big BBQ? <a href="https://www.food.gov.uk/safety-hygiene/bbq-food-safety">Here's some general guidance</a> which is easy to follow if you want to keep people safe.</p>

<p>What about starting to get a little bigger? Want to do a lot of cooking for a charity event? <a href="https://www.food.gov.uk/safety-hygiene/providing-food-at-community-and-charity-events">You <em>don't</em> need to register as a food business</a> nor do you need a hygiene certificate, but you <em>do</em> need to handle food safely.</p>

<p><a href="https://www.food.gov.uk/business-guidance/safer-food-better-business-for-childminders">Serving food to a vulnerable group</a>? You need to take special care - especially around pathogens and common allergies.</p>

<p>And, as you start to professionalise and sell food, <a href="https://www.food.gov.uk/business-guidance/getting-ready-to-start-your-food-business">you'll need to register and consider food safety training</a>.</p>

<p>That all sounds pretty sensible, doesn't it? Food can cause harm.  You can do what you like domestically, but ought to take care. If you start interacting with the public, there's some basic guidance, when you get bigger there's more admin because there's more risk.  Food Safety is important.</p>

<p>So let's talk about Online Safety.</p>

<p>Ofcom are now charged with regulating online safety in the UK and they've <a href="https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/statement-protecting-people-from-illegal-harms-online/">started to produce guidance about what that means</a>.</p>

<p>Can online material cause harm? Yes. Anyone who has seen distressing images knows how frightening and upsetting they can be. Violent threats <em>might</em> be from someone with no intention of acting upon them, but the threat itself is terrifying and you have no way of knowing whether it will lead to physical harm. Some content is <a href="https://www.cambridge.org/core/journals/bjpsych-open/article/understanding-the-proana-subculture-illness-sickness-or-choice/B9A0735C9CB0E3824B531EA96A46C94B">specifically designed to give people dangerous eating disorders</a>. Society at large is harmed when <a href="https://www.bbc.co.uk/news/uk-england-manchester-64761893">young people are radicalised into violent ideologies</a>.  Some websites <a href="https://www.bbc.co.uk/news/av/uk-60236776">encourage suicide</a>.</p>

<p>Online harms are <em>real</em> harms. It's easy to make jokes about the police arresting people for memes, but the reality is much grimmer than the headlines.  So - for better or worse - the government are trying to reduce the harms present in online spaces.</p>

<p>If you accept that certain online activity can have a detrimental effect on people, what guidance and regulations would <em>you</em> create?</p>

<p>The official guidance is vast<sup id="fnref:vast"><a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fn:vast" class="footnote-ref" title="Back when I was in government, I gave little nudges to it when asked for input. But these things take time to write, implement, and refine." role="doc-noteref">0</a></sup> and seems daunting. Some people are freaking out. But the prosaic reality seems much less terrifying. And, in many ways, similar to food safety laws.</p>

<p>Running your own website just for yourself? Basically there doesn't seem to be a problem. You probably shouldn't do anything to harm yourself. If you're publishing other people's comments, you probably moderate them anyway to prevent spam and, hopefully, you're not publishing the ones with illegal images.</p>

<p>Starting to get a bit bigger, maybe running a forum? You need to think about what risks you face. Are people likely to upload dangerous content? What steps could you take to prevent that? It's probably a good idea to set an acceptable use policy and document how you'll respond if one of your users does something which might be harmful.  These sorts of things are pretty standard, so hopefully not a big imposition.</p>

<p>Dealing with lots of user generated content? You're going to need a big "report abuse" button near it. But, again, if you've been running a service for any length of time, you've probably already done that. People post stupid stuff all the time and users are always reporting each other to a moderator.</p>

<p>Do you have user-to-user private communications on your site? What will you do if someone complains that they are being groomed, threatened, harassed, or otherwise made to feel unsafe? Sorry if I sound like a broken record on this but, again, this is the basic sort of community hygiene most sites should have already implemented.</p>

<p>Primarily targeting children? Again, I hope that you already have processes in place to ensure that they're not being exploited or unwittingly exposed to content that may harm them.</p>

<p>I'm not going to lie; there is a <em>lot</em> of documentation to review. Far too much for a small site to cope with<sup id="fnref:burden"><a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fn:burden" class="footnote-ref" title="I've discussed the burden with people from Ofcom and I suspect that they will be releasing streamlined guidance and tools soon." role="doc-noteref">1</a></sup>. There's a <a href="https://ofcomlive.my.salesforce-sites.com/formentry/RegulationChecker">basic checker to see if your service is in scope</a> but not much else yet. Having started to grind through it, there's very little that seems unreasonable to a small website owner like me.</p>

<p>In many ways, I liken it to GDPR.  When that came into force, lots of sites said that they were simply unable to comply with the regulatory burden. I don't doubt some of them closed, but do you really want to interact with a site which won't protect your email address and other data? That's a bit like choosing to eat a kebab from a restaurant which doesn't keep its raw and cooked meat separate.</p>

<p>Small restaurants need to protect their customers from food-based harm.</p>

<p>Small organisations need to protect their users from data-privacy harm.</p>

<p>Small websites need to protect their users from online-related harm.</p>

<p>As a website owner, at what level do you think people need protecting from your actions?</p>

<hr>

<p>But.</p>

<p>OK, that's the most positive spin I could put on it. How do I <em>really</em> feel?</p>

<p>Well, look. Most of this is a massively over-engineered piece of crap. You can see where every possible policy objective was crammed in with no thought about the holistic experience. The way this has been (mis)communicated has been terrible - and that isn't helped by the lack of <em>concise</em> guidance and available tooling.</p>

<p>Seriously, if your policy can only be expressed in <a href="https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/statement-protecting-people-from-illegal-harms-online/">dozens of PDF files</a> then something has gone seriously wrong.  When individuals have to take time to create <a href="https://russ.garrett.co.uk/2024/12/17/online-safety-act-guide/">usable summaries</a>, that indicates a massive failure in process.</p>

<p>There's a whole bunch of stuff around pornographic services which troubles me. Not because I produce any<sup id="fnref:onlyfans"><a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fn:onlyfans" class="footnote-ref" title="Is there an OnlyFans niche for bearded men eating cheese?" role="doc-noteref">2</a></sup> but because porn has been a traditional "over-reach" subject. Sex education, especially in the <a href="https://en.wiktionary.org/wiki/QUILTBAG">QUILTBAG</a> community, is often treated as pornographic rather than educational.</p>

<p>I'm quite annoyed at both age "verification" and CSAM scanning requiring site owners to pay large commercial companies to provide these services. If something is mandatory, there should be a publicly provided option.</p>

<p>While I don't think small sites should be completely exempt - it would be far too easy for a deliberately harmful site to use that as an excuse - there needs to be more recognition that the Web isn't just Facebook and TikTok.  Most of this seems to be written for large organisations. Which means small organisations are scrambling to understand what it means for them - <a href="https://buttondown.com/indie-and-community-web-compliance-">join the Promising Trouble community</a> to find out more.</p>

<p>The Web isn't the "Wild West" - it has been an established platform for <em>decades</em>. All the "crying wolf" about government censorship makes our industry look ridiculous - but it is easy to see why it happens when policies are this badly communicated.</p>

<p>Frankly, it was irresponsible for Ofcom to launch all this guidance without providing the tooling to help users understand which parts of it are necessary to them<sup id="fnref:election"><a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fn:election" class="footnote-ref" title="In fairness, their work was probably hampered by a snap General Election and a change of Government." role="doc-noteref">3</a></sup>. And I'll bet they didn't do <em>any</em> user testing before publication.</p>

<p>So we're at a stage where everyone is losing their minds over what should be a simple codification of <em>existing</em> best practice.</p>

<p>The cumulative effect of legislation mandating data protection, accessibility, security, and protection from harms is <em>probably</em> a good thing. I don't want a web which leaks my information, hurts my disabled friends, causes a DDoS, and exposes people to content they don't want to see.</p>

<p>But, to return to my original analogy, this guidance is rather like telling every home-baker that they now need to comply with all the rules pertaining to an industrial slaughterhouse.</p>

<div id="footnotes" role="doc-endnotes">
<hr>
<ol start="0">

<li id="fn:vast">
<p>Back when I was in government, I gave little nudges to it when asked for input. But these things take time to write, implement, and refine.&nbsp;<a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fnref:vast" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>

<li id="fn:burden">
<p>I've discussed the burden with people from Ofcom and I suspect that they will be releasing streamlined guidance and tools soon.&nbsp;<a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fnref:burden" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>

<li id="fn:onlyfans">
<p>Is there an OnlyFans niche for bearded men eating cheese?&nbsp;<a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fnref:onlyfans" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>

<li id="fn:election">
<p>In fairness, their work was probably hampered by a snap General Election and a change of Government.&nbsp;<a href="https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/#fnref:election" class="footnote-backref" role="doc-backlink">↩︎</a></p>
</li>

</ol>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://shkspr.mobi/blog/2024/12/food-safety-vs-online-safety/feed/</wfw:commentRss>
			<slash:comments>10</slash:comments>
		
		
			</item>
	</channel>
</rss>
