Mississippi, Bluesky, Blacksky, the ATmosphere, Mastodon, and the Fediverse

Bluesky's announcement they're blocking access to their app by anybody using a Mississippi IP address has sparked a lot of discussions in the world of decentralized social networks. Before we get to those, though, I'll start by providing some background. If you're already up to speed, feel free to skip ahead! And if you're not sure why everybody's so upset about these age verification laws, there's an appendix with a quick overview of the problems and links to find out more.

• It's not a good situation
• Meanwhile, on Mastodon and elsewhere in the Fediverse
• Some interesting discussions
• Now's a good time to start thinking seriously about some hard questions
• Appendix: Why age verification laws are bad
• Notes

It's not a good situation

Mississippi's law, HB 1126, requires age verification for all users of digital services including forums, chat rooms, and social networks, no matter what the content of the site is. Even though Supreme Court Justice Kavanaugh has said that the law is probably unconstitutional, the Supreme Court denied Net Choice's application to block enforcement, and so here we are.

With fines of up to $10,000 per user, it's easy to see why Bluesky is so concerned.¹ And not just Bluesky: it's not a good situation for anybody running a social network (or a forum, or a chat room). And with age verification requirements in more and more states and countries, it's not a good situation for anybody wanting to be on a social network (or a forum, or a chat room) without sharing their ID or biometrics.

As Bluesky highlighted in their announcement, their decision applies only to the Bluesky app; other apps and services may choose to respond differently. And many in the ATmosphere (the decentralized ecosystem of apps and services using Bluesky's AT Protocol) are indeed responding differently ... for example, Blacksky:

And in Mississippi’s age assurance law puts decentralized social networks to the test on TechCrunch, Sarah Perez reports that "some users in the state report they’ve been able to access Bluesky through third-party clients like Graysky, Skeets, Klearsky, TOKIMEKI, Flashes, or forked versions of the Bluesky app, like Deer.social or Zeppelin."

People in Mississippi can also still use the Bluesky app with a VPN (virtual private network), which hides your real IP and so can claim to be from any state. Good, privacy-protecting VPN software is fairly cheap; Proton VPN has a limited free option; and as I was writing this post, I saw Tech for Palestine's announcement that Boycat (makers of a popular ethical shopping companion) has just introduced Buycat VPN. In the UK, the Online Safety Act's age verification requirements led to a surge in VPN downloads, and presumably the same thing will happen in Mississippi.

Still, many people don't know about these alternatives. Not everybody has the money to spend for a paid VPN. Worse, there are a lot of very shady VPNs out there, including some that send all your data to China or Russia – and some that are owned by a company that has links to Israeli intelligence services. The UK is already floating the idea of making VPNs illegal for minors, and it's certainly imaginable that other governments will follow suit.

So it's not a good situation at all for people in Mississippi. And it's especially not good for people in Mississippi who are already marginalized and targeted, which is why I featured AJ's thread at the top of this post.

All that being said, it's clearly Mississippi legislators who are primarily esponsible for the bad situation. Many digital rights activists applauded Bluesky's decision here – for example, Evan Greer of Fight for the Future

Dozens of other states in the US have or are considering similar age verification legislation, and Congress is considering passing national requirements. If you're in the US, Stop Online ID Checks is a national campaign to fight these kinds of laws.

Elsewhere, the age verification requirements of the UK Online Safety Act have just gone into effect. The EU, Australia, Canada, Brazil, and quite a few other countries are considering similar regulation. So wherever you are, look around to see if there are any active campaigns and get involved!

Meanwhile, on Mastodon and elsewhere in the Fediverse

"Technically, you're probably also breaking laws in Afghanistan, Iran, North Korea and so on. The question is, do you care? I'm not a lawyer, so I can't answer that for you specifically, but 10.000+ fediverse operators across the world get to make that decision for themselves."

– Mastodon gGmbH CEO Eugen Rochko

"In the big picture, the singular fediverse’s decentralised nature looks like a great way of dealing with age verification laws. But once you zoom in further and see a million fediverses, the picture becomes a whole lot more complicated: it means that thousands of (volunteer) server administrators are making difficult decisions. They’ll all have to decide for themselves if and how they want to comply with this new law. The stakes are big: failure t comply can be fined up to $10,000 per violation."

– Laurens Hof says in Fediverse Report #131

Most of the instances (servers) running Mastodon, Pixelfed, GoToSocial, and other Fediverse software are based outside the US, so the tradeoffs for their admins are different than Bluesky. There's certainly something in what Rochko says: it may well be impossible for Mississippi to enforce their law on instances without any US ties.

Fediverse instances in the US, on the other hand, are potentially just as vulnerable as Bluesky – and most of them are quite small, without Bluesky's resources to fight back if Mississippi targets them. So I wasn't surprised to see admins of some US-based instances saying that they plan to follow Bluesky's lead and block Mississippi. I don't know of any Mississippi-based instances, but if any exist they're in a very tough situation, facing a choice between shutting down, doing age verification, or trying to fly below the radar and hope they're not noticed.

Historically, flying under the radar has mostly worked out well so far for the Fediverse. After all, even the largest instance (mastodon.social, which is run by Mastodon gGmbH) is relatively small compared to Bluesky, let alone larger commercial networks, and most instances are much much smaller. Then again, their have been exceptions; the Taliban shut down queer.af in 2024, and switter.at was banned by Cloudflare in 2018 and then shut down in 2022 because of anti-sex work and anti-LGBTQIA2S+ legislative changes in Australia, the UK, and the US. Going forward, whether the Fediverse can continue to fly under the radar really depends how aggressive regulators are.

Since conservative organizations like the Heritage Foundation have talked about why they see it as a good thing that laws like Mississippi's target LGBTQIA2S+ people, there's certainly grounds for concern.

And even instances based outside the US may still be vulnerable. For example, mastodon.social is run by Mastodon gGmbH, which also produces the official mobile apps. Could Mississippi use mastodon.social's non-compliance to pressure Apple and Google to block the Mastodon mobile app? And Rochko's on the board of Mastodon's US-based 501(c)(3) non-profit. Could Mississippi try to use mastodon.social's non-compliance to strip the US non-profit's 501(c)(3) status?

There may be ways around these issues. Rochko has announced he's stepping down as CEO, and Mastodon gGmbH is in the process of handing control to a new (European-based) non-profit organization, so hopefully they're thinking through these kinds of complexities as they reorganize. Still, there's definitely grounds for concern – not just for mastodon.social, but for any instance with ties to the US. As

Some interesting discussions

With all that as background, here are links to some interesting discussions of the Mississipi law as it relates to decentralized social networks.

• Ashton Pittman's Editor's Note | State Law Compels Bluesky to Block Mississippi IPs, on Mississippi Free Press, has perspectives from a media organization directly affected by the law – unsurprisingly, since one of the many intended consequences of laws like this is to limit access to independent media that's critical of the state. "[T]his is a significant blow. We left Twitter earlier this year for a lot of reasons, and have since made Bluesky our main social media platform (it’s also where we have the most followers)."
• Joshua Benton's Mississippi’s onerous new social platform law (and the threat of big fines) has led Bluesky to block its users in the state, connects the law to "Mississippi’s long, sad history of trying to “protect” its citizens from the influence of outside media, often doing so under the banner of protecting children" and the way that "northern Black newspapers like the Chicago Defender that reported on anti-Black violence and advocated for the Great Migration were blocked from circulation in Mississippi."
• Mike Masnick's Mississippi’s Broken Age Verification Law Forces Bluesky To Block All State Users on TechDirt is a deep dive from a Bluesky board member who's written extensively about age verification laws over the years
• Laurens Hof's Some thoughts on Bsky, age verification and mississippi law and followup in (both on Connected Places) are both insightful, as is his earlier Age Verification Laws: Are the New Social Networks Different, Or Not At All?
• wandering.shop admin phildini asks a question that's on a lot of people's minds: "What happens if Bluesky, the main app owned by the company, goes down tomorrow?" Ted Han of the ATProto Community Fund replied with some excellent perspectives, and a very productive discussion ensued. My take: while things would be very chaotic for a while, there are enough independent infrastructure projects in the works that the network be able to start recovering relatively quickly. That being said, the devil is in the details, and there certainly are a lot of details to be worked out. More details here.
• There were also a heck of a lot of discussion involving people from Mastodon and other Fediverse software arguing that this incident proves that Bluesky isn't actually decentralized. This is a tedious enough subject that I moved it ion to a separate post, Can we please stop arguing about whether Bluesky is decentralized?

Now's a good time to start thinking seriously about some hard questions

Hopefully one clear takeaway from the whole situation is that both the ATmosphere and the Fediverse need to start planning more seriously for the possible impact of governmental action that affects a large chunk of the network.

• What happens in the ATmosphere if the fascist US government decides to target Bluesky for its supposed wokeness – and what happens in the Fediverse if the anti-LGBTQIA2S+ US government decides to target it?
• What happens in the Fediverse if regulators in multiple countries decide to target Mastodon for ignoring their laws?
• What happens in either of these networks as jurisdictions around the world add more hostile legislation – age verification, ID checks, and other surveillance and censorship requirements – and authoritarian governments ratchet up their efforts to target dissent, LGBTQIA2S+ people, immigrants, and other marginalized groups?
• Politically, how do we organize and push back against this hostile legislation?

Now's a good time to start thinking seriously about those questions.

Appendix: Why age verification laws are bad

"A broad coalition of organizations dedicated to LGBTQ+ rights, abortion access, rights for youth, privacy, and freedom of speech have issued a letter to US lawmakers warning that online ID check bills, which would mandate highly privacy-invasive age verification through third party companies, would threaten freedom of information, the very usability of the internet, and sacrifice digital privacy, along with sacrificing the young people these laws claim to protect." 

Online ID Checks Will Ruin the Internet: 90 Reproductive Rights, LGBTQ, Civil Rights Groups Speak Up Against Widespread Age Verification Bills, April 25, 2025

With so many age verification bills popping up all over the world, there's plenty of material available about how harmful they are. The Internet Society's amicus brief to the Supreme Court in a case about Texas' age verification law has a particularly good analysis of some of the many reasons these laws are so horrible. Here are some of their section headings:

• Existing Age Verification Technologies Are Often Ineffective and Present Privacy and Security Risks
• The Ineffectiveness of Current Age Verification Methods, Combined with the Technologies’ Security and Privacy Risks, Unconstitutionally BurdenAdults’ Access to Constitutionally Protected Speech and Render [the Law] Both Under and Overinclusive
• Implementing [the Law] With Current Technology Will Necessarily Prevent Some Adults from Accessing Some Protected Content Altogether
• The Security and Privacy Risks Associated with Current Technologies–Including That Sensitive Browsing Activity Will Be Deanonymized–Also Burdens Adults’ Access to Protected Content
• [The Law] Will Also Fail to Achieve its Purpose of Protecting Children
  Because They Can Easily Circumvent Current Age Verification Technologies

If the don't work and has such major downsides, why are so many laws like this getting passed all around the world? For one thing, the people pushing these laws lie: they claim they'll be effective, and that the downsides aren't real. There's a general feeling that kids are at risk online, and legislators are under pressure to do something about it; even if they know the laws are imperfect, well, at least passing them is doing something.

And conservative organizations who support these bills make no secret of the fact that they're designed to attack LGBTQIA2S+ youth; for conservative politicians, that's an attraction too. Progressives don't have this as a goal, and try to craft legislation that protects privacy, but in practice they fall short. My testimony earlier this year on a proposed age verification bill here in Washington state has a good example of this:

"In addition, the bill as written does not restrict sharing information gathered for age estimation purposes with a third party age estimation service based in a state where accessing information about reproductive health care and/or gender-affirming care is criminalized – at which point law enforcement can access this data to target LGBTQ+ youth – as well as anybody seeking abortions or exploring trans or non-binary identities."

And that's in Washington state, where our laws have strong protections for reproductive health care and gender-affirming care. The situation in Mississippi is obviously a lot worse, and their law provides significantly less protections than the insufficient ones in the proposed Washington bill (which thankfully didn't pass). As Mike Masnick says,

"Here at Techdirt, we’ve been warning about the dangerous negative consequences of age verification mandates for years. But even then there are variations in the pure ridiculousness of some of these laws. Some can be dealt with. Some are effectively impossible. Enter Mississippi’s HB 1126."

For a deep dive on the problems with the Mississippi law, see EFF to Fifth Circuit: Age Verification Laws Will Hurt More Than They Help (which summarizes and links out to the brief that Electronic Frontier Foundation, the ACLU, and ACLU of Mississippi filed last October) and the joint amicus brief to the Supreme Court from Foundation for Individual Rights and Expression (FIRE), joined by EFF, Center for Democracy and Technology (CDT), National Coalition Against Censorship (NCAC), Student Press Law Center, and Woodhull Freedom Foundation,

And for an international focus

• Open Rights Group's How to Fix the Online Safety Act: A Rights First Approach looks at the problems with the UK's legislation – and ways to fix it.
• Ange Lavoipierre's With six months until teen social media ban, experts don’t think tech is viable looks at the fiasco-in-progress in Australia.
• EFF's Digital Identities and the Future of Age Verification in Europe and Age Verification in the European Union: The Commission’s Age Verification App look at what's happening in the EU.

If you're in the US, Stop Online ID Checks is a national campaign to fight these kinds of laws.

If you're in the UK, Open Rights Group makes it easy to Tell your MP: The Online Safety Act isn’t working

And if you're in some other country, there's very likely some campaign in process wherever you are!

Notes

¹ There aren't yet (as far as I know) any legal analyses of whether Bluesky blocking Mississippi is enough to comply with the law. If a minor from Mississippi signs up on Bluesky using a VPN or a non-Blueksy app, and Bluesky doesn't do an age check, Bluesky could still get sued. Will the courts view Bluesky's efforts as sufficent, or as an attempt to get around the law? Then again, Megan Farokhmanesh's coverage in Wired quoted a Mississippi state legislator who acknowledged "the potential challenges faced by smaller providers in complying with these standards" and expressed optimism Bluesky and Mississippi will reach an "amicable agreement," so another way to look at Bluesky's decision is as a negotiating tactic.