Yesterday a post popped up on my timeline on Twitter alternative Bluesky purporting to be from European Commissioner for the Internal Market Thierry Breton. I was immediately sceptical – would a Commissioner (and indeed a French Commissioner!) put “EU Commissioner. Digital enforcer. Father.” as his biography?
Turns out my scepticism this time was misguided. Breton’s official X account confirmed the Bluesky account is legitimate.
But the problem remains.
How do you know what is and is not legitimate in a fast-changing social media environment? This problem exists on Bluesky (which seems to have caught on fast – in the Berlin political bubble at least) and the same issue exists on Mastodon.
Twitter’s verification system in the pre-Musk years was a relatively solid guard – the vast majority of politicians, journalists and news organisations on the platform were verified with a blue tick (and you had to provide some documents to Twitter to prove this), so legitimacy was reasonably well assured.
But unlike Twitter, which used to have a team dealing with verification requests, neither Mastodon (due to its open source, decentralised nature) nor Bluesky (due to it being a tiny company, and the network being in its infancy) has one yet.
The only solution currently available on both platforms is domain name verification.
If you look at my profile on Bluesky you can see I am using the username @jonworth.eu – and if you point a web browser at jonworth.eu it goes to my blog. Not flawless, I acknowledge, as someone could theoretically have bought a domain name with my name, if anyone were really that keen to copy my identity.
How you use your own domain name as your username on Bluesky is explained here. The equivalent on Mastodon – link verification – is explained here, and the pic to the right shows how it looks on my Mastodon profile.
Now think how an institution – like the European Commission, or a university, or a media company – could do this. ec.europa.eu, sciencespo.fr or ft.com are intrinsically related to those institutions.
Were Breton on Bluesky posting from @breton.ec.europa.eu (or something like that) then my questioning the legitimacy of the account would easily have been assuaged.
And – to prove the point – I checked whether there was an Ursula von der Leyen on Bluesky. There is not. So I snagged the username @vonderleyen.bsky.social – and will be more than happy to hand it over to the Commission were they to request it. The biography transparently and openly says it is me.
However, the ease with which I could do this ought to prompt someone in the European Commission to think more seriously about domain verification on Bluesky – because without it, it’s all too easy to take someone’s identity on that network.
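To make the argument about institutional handles concrete, here is an added example (not code from Bluesky, Mastodon or the Commission) that sorts handles by whether they sit inside a domain the reader already trusts. The trusted list, the owner labels, the verdict names and the sample handles other than those quoted above are constructed for illustration, and the check assumes the platform has already confirmed that the account controls the domain in its handle.

```python
# Added example: label-wise check of a domain handle against institutional
# domains. TRUSTED_DOMAINS, SHARED_HOSTS and the verdict names are assumptions.
TRUSTED_DOMAINS = {  # constructed list: domains the reader already trusts
    "ec.europa.eu": "European Commission",
    "sciencespo.fr": "Sciences Po",
    "ft.com": "Financial Times",
}
SHARED_HOSTS = {"bsky.social"}  # anyone can register a name under these


def normalise(handle):
    """Lower-case, drop a leading '@' and a trailing dot, split into labels."""
    h = handle.strip().lower().lstrip("@").rstrip(".")
    labels = h.split(".")
    if len(labels) < 2 or any(not part for part in labels):
        raise ValueError(f"not a domain handle: {handle!r}")
    return labels


def under(labels, domain):
    """True if the handle equals `domain` or is a subdomain of it.
    Whole DNS labels are compared from the right, so 'notft.com' and
    'ft.com.example.net' do not match 'ft.com'."""
    d = domain.split(".")
    return len(labels) >= len(d) and labels[-len(d):] == d


def classify(handle):
    """Return (verdict, detail) for a handle."""
    labels = normalise(handle)
    for domain, owner in TRUSTED_DOMAINS.items():
        if under(labels, domain):
            return ("institutional", owner)
    for host in SHARED_HOSTS:
        if under(labels, host):
            return ("shared-host", host)
    return ("unknown-domain", ".".join(labels[-2:]))


if __name__ == "__main__":
    for h in ["@breton.ec.europa.eu", "@vonderleyen.bsky.social",
              "@jonworth.eu", "@breton-ec.europa.eu",
              "@ec.europa.eu.example.net", "@notft.com"]:
        print(h, "->", classify(h))
```

A handle that lands in "unknown-domain" is not necessarily fake; it only means the domain itself still has to be judged, as with a personal domain.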