One of the interesting aspects of all the “officialising” the Ursula von der Leyen Bluesky account stuff is how it has created a discussion about verification of identity on social networks and – although seldom expressed as such – posed the question of what the social network itself (or the company behind it) should do about verification.
The problem is that verification means one of two things, but these meanings overlap.
The first is the rather literal and cold “is this person or institution who they say they are on this network?”
The second is “is this person somehow a person of significance (a journalist, politician, celebrity) who needs some special legitimation?”
The discussion on Bluesky inevitably comes back to the second category, because that is what Twitter, in the pre-Elon Musk days, largely did. Motivated by a court case against Twitter in 2009 due to an impersonation problem, Twitter at its initiative sought to verify celebrities (as this archived blog post from Biz Stone explains). From about 2016 onwards Twitter opened up a system to allow people to apply to be verified (archived explanation here), which was shut down due to an inundation of requests, and was then re-opened again, with the aim of using a person having a Wikipedia page about them as a sort of entry criterion for verification.
The heart of the problem was demonstrated most clearly after Jason Kessler, the organiser of a white nationalist rally, was verified. Twitter realised it had a problem, that it explained thus (source):
Verification was meant to authenticate identity & voice but it is interpreted as an endorsement or an indicator of importance. We recognize that we have created this confusion and need to resolve it. We have paused all general verifications while we work and will report back soon
Having personally, around 2016, gone through the administrative process to get my own Twitter account verified, I found the process to be peculiar – why should Twitter judge whether I am influential or not, when all it ought to do is judge if I am who I say I am?
But seen the other way around, if Twitter was to only simply verify identity (as it tried around 2016), it was going to be inundated with requests.
That central conundrum led to the on-off and seemingly arbitrary nature of the Twitter verification process, although in the pre-Musk era users grew to sort of see the blue ticks users were displaying as a kind of badge of importance (and this was sometimes a positive, sometimes a negative sign).
Bluesky – I presume having seen these headaches Twitter faced – has so far pursued a different strategy.
It has not sought to even veer into a discussion of who does or does not justify some sort of special legitimation, but has instead focused on the first question only – is this person or organisation who they say they are?
And to do that has come up with a very different process – to allow users to use domain names as their Bluesky usernames (guide how to do this is here – and you can see how this looks on my account @jonworth.eu here). This system is a technical process that users handle themselves, and IT departments can handle for organisations with multiple accounts (subdomains can also be used). Bluesky makes no judgment as to whether an account is legitimate or not – a user can go through the process, and users consuming content on the platform can see – when an account is using a custom domain – whether that matches the organisation the person works for, or the domain name they use for their personal site.
The system is not entirely foolproof: I could in theory buy a domain name for €20 and still impersonate someone. But then that domain name would have no search history.
So with a little extra searching you can see that jonworth.eu is a domain name I have been using for years for multiple sites, or that the ec.europa.eu in von der Leyen’s username is the main domain used by the European Commission.
There is also a minor issue with interface design – accounts using other domains are not distinguished from any other accounts by any visual sign or icon, an issue Bluesky could perhaps seek to fix.
And this is just the start of it. If you want to find out all the detail about what accounts you can probably trust on Bluesky I have made some diagrams about it – you can find high res versions of these here.
But the crux, ultimately, is this: on Bluesky I can choose to verify myself (or not), and what accounts use their own domain is chosen by those users. Bluesky as a company has no power to verify me, Ursula von der Leyen, or Jason Kessler. And as I see it, that is just fine. Even if – as this week has shown – this radically different way of doing things has confused a bunch of people.
