from thenexusofprivacy@infosec.exchange to fediverse@lemmy.world on 22 Aug 22:17
https://infosec.exchange/users/thenexusofprivacy/statuses/115074732895227603
There's a lot of discussion of Mississippi's age verification law for social media today, after Bluesky announced they're blocking the state.
Note that Mississippi's requirements go far beyond the Online Safety Act, MIssissippi's law, HB 1126, requires age verification for all users, and parental consent for users under 18., no matter what the content of the site is. Last week the US Supreme Court declined to block the law while it's being challenged in the courts, even though Kavanaugh described it as "likely unconstitutional".
The law clearly should be found unconstitutional - the amicus brief from @CenDemTech, @eff et al discusses why. Still, with the current Supreme Court, who knows; they just the (somewhat narrower) Texas age verification law also should have been found unconstitutional, but SCOTUS said it was okay. So who knows. And of course this is exactly the kind of chilling effect they're aiming for, which is why it's so disappointing that SCOTUS didn't block its enforcement until the case is heard.
As far as I know there isn't any guidance yet for people running fedi instances (or message boards, which are also covered). If you're running a US-based fedi instance, it's might well be worth talking to your lawyer about this. Here's the legislation, and here's the langauge from Section 4 (1)
"A digital service provider may not enter into an agreement with a person to create an account with a digital service unless the person has registered the person's age with the digital service provider. A digital service provider shall make commercially reasonable efforts to verify the age of the person creating an account with a level of certainty appropriate to the risks that arise from the information management practices of the digital service provider."
threaded - newest
This probably shouldn’t be marked NSFW?
@naught101 it shouldn't, but anything posted on Mastodon with a CW is marked as NSFW on Lemmy. Similarly when the post bridged to Bluesky it got marked as "graphic media" lol. Not sure there's anything I can do about it in either case.
Oh wow, did you post this direct from mastodon just by tagging the community? Didn’t realise that works, that’s super cool.
@naught101 yeah, I just tagged the lemmy community ... and yes it is super cool! although, as the NSFW highlights, somewhat clunky around the edges ... if I don't include a CW here then it figures out the title on its own, and it's not always what I want.
Usually Lemmy/PieFed use the first line of a Mastodon post as the title. You shouldn’t need a CW for that.
Yes and these comments also show up on mastodon.
Most do but not all. And similarly most of the replies on Mastodon show up here but not all. So to follow the entire conversation you have to look in both places.
You can tell when posts are from mastodon as they are full of twitterisms like hashtags and @User to reply to comments
But I thought BlueSky was open source and decentralized? /s
EDIT: In case it’s not obvious (as it apparently isn’t to OP) if BlueSky was either of those things then it could not be simply shut down by a CEO.
@Kirk It is. As their announcement says,
Of course, today 99.9%+ of the people using AT Protocol-based services are using Bluesky's app. But that was already in the process of changing, and stuff like this -- and the Online Services Act, and the (very justifiable) desire by Canadians and Europeans and everybody else not to be depending on US company's infrastructure are just giving it more momentum. So, it'll be interesting to see how it works out.
<img alt="No" src="https://startrek.website/pictrs/image/7988fd3c-a84b-4243-9aaa-5c0420138a17.apng">
@Kirk @thenexusofprivacy What's this then?
https://github.com/bluesky-social/pds
https://github.com/bluesky-social/indigo
https://github.com/bluesky-social/atproto
https://github.com/bluesky-social/social-app
That appears to be you avoiding explaining how a CEO of a for-profit company could censor an entire “decentralized” “open source” app for millions of people.
@Kirk they aren't censoring the entire network, just their official client app for it
More evasion. “Client” is Bluesky’s techno jargon for “app”. You still need a BlueSky account to use a client. And you can’t get one of those in Mississippi.
Maybe it would help your argument that the thing BlueSky themselves says is happening is not really happening if you could produce a BlueSky post
that is available inposted from Mississippi?@Kirk Are you there or do you have a VPN there? I have no way of checking how things are looking from those IPs (ProtonVPN has some US addresses, but none in that state)
I am there and it’s not available.
@Kirk Ok, how about this here: https://deer.social/profile/bsky.app/post/3lwzadikbrc2u
That’s just a frontend. It still requires a bsky.app account.
well I mean technically not, Kuba is self-hosting his account at lab.martianbase.net
@Kirk Are you talking about reading posts or making posts or what? You said "produce a BlueSky post that is available in Mississippi", you can view that link in Mississippi.
You’re right good job lol you managed to evade again.
A CEO is censoring a geographical region. That is just not something that can happen on a decentralized platform.
@Kirk Sigh, I'm not evading… I don't know what else I can tell you.
You said you thought it was open source. I showed you links to GitHub. I said they aren't censoring the entire network, just the official client. You said you wanted proof and to show you how you can view a Bluesky post in Mississippi. I showed you two custom clients that you can access from MS and one of those you can sign up through.
But you are evading. The technicalities you speak of are irrelevant to the topic of censorship. The fact that parts of BlueSky are technically open source, or that other BlueSky apps exist is irrelevant to the people who are functionally denied access to speak due to the decision of a single company. There is no other “instance” we can go sign up on like with ActivityPub apps.
(Here is the part where you say I could technically get all my friends to self-host their own PDS as though it is easy and fun).
As evident by Lemmy instances not doing the same thing. /s
There's a difference between being decentralized and doing something illegal, you know?
I agree 100%, BlueSky is not decentralized.
Of course, but whether you're decentralized or not has nothing to do with whether you as someone running a service has to decide for themselves whether to block Mississippi users or risk legal consequences?
Glad we agree that BlueSky is a centralized service.
Yeah? Why was that ever in question in this context?
It wasn’t.
I'm exhausted with all this. And it's not my fight. The fight belongs to the people of Mississippi. They elected their "leaders."
Until I know for sure that I am not on the hook to pay a $10K penalty for each person on my servers, I've blocked all Mississippi IP addresses from logging in and registering on my Mastodon, Piefed, and Friendica servers.
Wyoming will probably be next.
Thanks for the update. It really is exhausting, and depressing; you’re right about Wyoming being next, and there’s loads of others out there as well.
And It really is our fight to. Laws like this are part of a worldwide attack on independent social media, as well as trans and queer people, people looking for reproductive health care, youth in general, and sex workers. It’s a really challenging situation.
Have you blocked the UK as well then? Same sort of thing here.
Otherwise why can’t you ignore Mississippi but can ignore the UK?
On feddit.online I block both the UK and France in addition to Mississippi. However, I believe in a future upgrade, PieFed can be configured to block people from specific countries from accessing NSFW and NSFL communities (feddit.online doesn't allow NSFL communities). When that upgrade happens, I will open it again to the UK and France but keep it closed for Mississippi.
Depends where you reside ?, if you are in the US and dont block a US state you can be prosecuted but what will the UK do ? See the current 4chan brouhaha with the UK for example.
Do you live in Mississippi? Because there’s no reason to capitulate otherwise unless you plan on going there on vacation (no reason to do that either).
Doesn't work that way. States agree to enforce each other's civil orders
incorrect actually
Entirely understandable. Like you say, it's not your fight. This is more so if one creates something and isn't even from the US, if the wankers in a specific US state elect shitty government, that's not on you in a wholly different country to go up against.
Why is this post NSFW???
Joys of federation. lemmy.blahaj.zone/post/30731823/16032284
Considering many countries are implementing this at the same time, I’m not sure there will be any countries left to run an instance from or set a VPN connection at.
US states are turning into legal trolls - that’s how you know the empire is done for.
Thanks for posting about this @thenexusofprivacy@infosec.exchange
I'm interested (in a tired defeatist way) in what I need to do to stay on the right side.
It sounds like geoblocking is probably the quickest legally safe course of action, so perhaps it's bye Mississippi too...
yeah it really is tiring and depressing. It isn’t clear what the risks really are right now, and how that might change over time. It’s also not completely clear how much geoblocking will reduce the risks’ at least with the Online Safety Act, regulators said earlier this year that geoblocking is sufficient – although of course they could change their minds at some point. Really hard to know what to do …
So, if I understand the whole Bluesky thing correctly, there are apps that don’t respect Bluesky’s limitations (like having to log in to view certain posts).
Would those apps skip this as well or is this an actual geo-block?
Other apps can ignore the geoblock. From the Bluesky announcement:
Any recommendations for a good Android app that would ignore things like this?
I’m currently using the Bluesky app because the ones I tried didn’t want to auto open Bluesky links.
not sure, sorry. i tend not to run mobile apps, so mosf of the apps I know of are web apps (deer.social, zeppelin.social, deck.blue etc). there may well be some Android apps out there though!
Its cute how they pretend at protocol is being used by anyone not named bluesky
It’s ignorant how you don’t realize that Spark and Blacksky have built their own stacks on AT Protocol.
oh wow… two
Other sites should join to show the citizens how a blacked-out internet looks like.
We’ve done it before.
Back when reddit was young, before social media apps captured the content. It just doesn’t matter now. Critical mass of the internet is corporations.
No, “other sites” should disobey unjust laws
“It’s decentralized! It’s open!” they’ve said. But, despite all doubts from the very beginning, Bluesky is no option for an open and decentralized web at all. There ARE reasons for protecting users under 18, but cutting a whole state off the platform is simply a certain kind of censorship.
There was hope for this service but the crypto-bro-background and the current state of the USA did a complete disservice to the platform, disqualifying it as an alternative for any federated, decentralized and free network like Mastodon and Co.!
bsky.social/…/08-22-2025-mississippi-hb1126
#fediverse #mississippi #ageVerification
If you run any instance that is federated and has users that could sign in from that state it makes complete sense to block their IP addresses. Why on earth would someone running a Mastodon instance take on risk unlless they were in another country where there was no risk of repercussions.
If you’re just hoping that small fish won’t get fried that’s possibly true. But admins likely won’t want to find out if they will just on principles.
It‘s not only the registration, it‘s the complete usage of the service. Tricky thing.
In my eyes, this will be just the tip of the iceberg. Mississippi now, what reason comes next? DJT wanting to exclude specific groups of users? Cut off whole countries? Who knows… There will be additional reasons and if you ask me, this is just the beginning with the ugly potential to turn into censorship.
Got the point, but surely they will have more legal tools than I do with my single-user Mastodon-instance - which has registrations disabled, but doesn‘t prevent any country from reaching it. 🤷🏼♂️
The way I view it is that Bluesky is a new company that is growing fast, while a site like Pornhub has been around longer and I’m sure has a large legal team that monitors laws all the time. If Pornhub said it was better to cut their losses and see if waiting out and or not seeing a good legal standing to fight with these states, Bluesky likely didn’t have much of a chance.
You need to explain why a mastodon instance in a state without those laws care what a different state does
I don’t need to explain anything. If you want to host something with content that is illegal in another state and you choose to not put up any protections to block users from accessing the content in that state, you very well may be sued some day. If you block users from signing up from those states and/or block those IP addresses from accessing your site, you likely would have grounds for it to be dismissed before ever having to do anything. State lines do not protect you against lawsuits.
Yeah, don’t listen to anybody who says “they can’t fine me or sue me if I’m in a different state” or “they can’t do anything about it if they win.” Of course we don’t know who they’ll target when they start enforcing the law, and it’s possible that the law will be found unconstitutional … still, they can fine you, and they can sue, so if you decide not to geoblock them yet make sure you’re thinking through the risks.
I haven’t seen anything yet on how strong a defense geoblocking Mississippi will be in practice. Bluesky obviously thinks it puts them in a stronger position than not geoblocking, but at this point we really don’t know.
they literally do? what do you think state lines even do?
constitution.congress.gov/…/ALDE_00013024/
If you are fined in one state they will ask your state to enforce the penalty and they are usually legally required to do so by the federal government.
The part of Mississippi saying it may have criminal punishments as well may have more leeway, as you won’t get extradited if it isn’t a felony in most states. But we don’t know what the criminal charges would be. At 10,000 per user signed up from their state though, I’d be weary.
Just be careful, I’m just saying it’s risky. I can see them ceasing your assets in another state because it follows the current laws. Otherwise if you found someone guilty in a state court you would just move to another state and be fine, which we know doesn’t work, or people like the my pillow guy would just move out of Minnesota where he was found guilty, to say Texas.
.
lol yeah ok buddy
How come plenty federated stuff is also blocking people then? Apparently that alone does not help?
ActivityPub instances can do whatever the hell they want, the point is that no CEO decided who has access to all of it.
Each instance still has an owner. Just like the Bluesky CEO, they need to decide whether the (legal) risks are worth it to them and whether they can cover the (legal) costs if needed.
For any individual instance owner, this changes nothing.
yeah but mastodon has thousands of owners and bluesky has one so its different see
That’s easy.
Don’t enter into an agreement to create an account. Accounts owned by service providers on behalf of users are a scam anyway.
Instead, let users create their own credentials and allow them to interface with a service. That makes more sense for users anyway, and it sidesteps this sort of nonsense.
.