Bluesky has updated its spoofing policy to be “more aggressive” after third-party analysis highlighted verification issues. The Bluesky Safety account said the social media service is removing accounts that impersonate other people or squat on their handles. Bluesky lacks a traditional authentication system, making it easy for malicious users to impersonate others in order to gain attention or deceive others. This may not have been a serious issue before, but the recent influx of new users has brought this issue to the fore.
Users can verify their identity on Bluesky by linking their account to a domain name, but the process isn’t as easy as paying a checkmark fee. You must add a text string to the DNS record associated with your domain so that the URL can be requested. For example, you can claim Bluesky’s Engadget.com handle after going through this self-verification process. Individuals can link their accounts to a personal domain or pay for Bluesky’s custom domain service. In a new announcement, the platform says it is working with organizations and prominent individuals to set up verified handles.
However, once a user authenticates their account, the old handle (usually username.bsky.social) is released and made available to other users who have signed up. Alexios Mantzaris, a third-party researcher at Cornell Tech who analyzed the app’s user base, found that 44% of Bluesky’s 100 most-followed accounts had doppelgangers. As such, Bluesky now requires parody, satire, or fan accounts to be labeled as such in both their handle and profile. If you do not do so, or if one of these elements only indicates the nature of your account, you will be treated as an imposter and will be removed from the platform.
Bluesky now also specifically prohibits identity changes. Accounts that start an impersonation account to acquire new users and then switch to a different identity in an attempt to circumvent a ban will still be launched from the app. Finally, the company said it is considering “additional options to strengthen account authentication,” although they are not yet ready for rollout.
