Bluesky
Decentralized social network built on the AT Protocol. Open-source, no link demotion, domain-as-handle verification. 43M+ users. No ads.
What should journalists know about Bluesky?
Bluesky is the only major social platform where links are not algorithmically demoted. That single fact matters more to journalists than any other feature. On X, Meta, and Threads, posting a link to your article means fewer people see it. On Bluesky, a link is a link. The platform has 43 million users as of early 2026, with roughly 1.5-3.5 million daily active users. Growth hit 302% between September 2024 and November 2025, driven by Brazil's X ban and the US election.
The verification system is elegant: set your handle to your domain (e.g., @nytimes.com), and your identity is cryptographically tied to your publication. The New York Times and WIRED are Trusted Verifiers who can badge their own journalists directly in the app. Over 309,000 accounts use domain-handle verification.
Custom feeds let users build or subscribe to topic-specific algorithms — Bluesky launched Attie in 2025, an AI tool that lets anyone create a feed in plain language. The AT Protocol means your data is portable: you can move your account to a self-hosted Personal Data Server without losing followers.
The tradeoff is scale. Bluesky's daily active users are a fraction of X's or Threads'. The audience skews tech-forward and US/Brazil-heavy. Engagement is real but reach is limited compared to legacy platforms.
CEO Jay Graber stepped down in March 2026; interim CEO is Toni Schneider (ex-Automattic). The leadership transition adds uncertainty. Jack Dorsey, who funded the original project at Twitter, cut ties in 2024. Revenue is zero — the company has raised $123M but has no monetization in production.
Composable moderation (stackable labelers, open-source Ozone tool) is architecturally interesting but under-resourced: roughly 100 moderators for 43M accounts. Pro-Russian bot networks and AI deepfakes have been documented on the platform.
The fundamental tension: the AT Protocol's openness means all public posts are fully accessible via API. Anyone can scrape them. There is no privacy for public content. That is a feature for open journalism and a risk for journalists covering sensitive topics.
Journalists who want to share links without algorithmic penalty. Reporters at publications willing to set up domain-handle verification. Beat reporters who benefit from custom feeds (e.g., a climate feed, a courts feed). Newsrooms building direct audience relationships outside Meta and X. Open-source investigators who want API access to public discourse.
Journalists who need to reach mass audiences today — Bluesky's daily active user base is 1.5-3.5M vs. X's 250M+. Reporters covering sensitive topics who need post-level privacy controls — all public posts are API-accessible. Anyone who needs DM encryption — Bluesky DMs are not end-to-end encrypted. Organizations that require stable, well-funded platform governance — Bluesky has zero revenue and just changed CEOs.
Security & Privacy
Privacy policy summary
Bluesky collects account data, IP addresses, device identifiers, and usage analytics. All public posts are accessible via the AT Protocol Firehose API — any third party can read, index, or scrape them. DMs are not end-to-end encrypted; Bluesky can access them. The privacy policy permits sharing data with service providers and in response to legal requests. Bluesky does not sell personal data. The federated architecture means third-party PDS operators set their own data retention policies. Bluesky has acknowledged it cannot enforce consent mechanisms for public data externally. Account deletion removes your data from Bluesky's servers but cannot guarantee removal from third-party indexes or Relay caches.
How to protect yourself:
Do not use Bluesky DMs for sensitive source communications — they are not encrypted. Assume all public posts are permanently archived and API-accessible by anyone. Use domain-handle verification to prove institutional affiliation. Consider self-hosting a Personal Data Server for full data sovereignty. Export your data regularly via Settings. Use a separate, hardened platform (Signal, SecureDrop) for confidential source contact. Enable two-factor authentication. Review which third-party apps have access to your account via Settings > App Passwords. If you leave Bluesky, your handle (domain) stays with you — no platform lock-in on identity.
TLS encryption in transit. Partial encryption at rest — Bluesky has not published details on at-rest encryption for its managed PDS infrastructure. The real risk for journalists is not a data breach but architectural transparency: every public post is API-accessible by design. This is a feature of the AT Protocol, not a bug, but it means public Bluesky content has zero access friction for scrapers, AI trainers, or surveillance actors. DMs lack end-to-end encryption. The moderation team is small relative to the user base. Security vulnerability response has been criticized as slow. Domain-handle verification is a genuine trust innovation — it is cryptographically grounded and does not require platform approval. Data portability via self-hosted PDS is strong in theory but requires technical sophistication. For standard journalism use (sharing work, building audience, monitoring public discourse), the security posture is adequate. For sensitive source communication or any content that should not be public, Bluesky is the wrong tool.
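How a newsroom could check a domain handle before trusting it, as an added example that is not code from this page or from Bluesky. It assumes the AT Protocol's handle resolution rules (a `did=` TXT record at `_atproto.<handle>` or the body of `https://<handle>/.well-known/atproto-did`, matched against the `alsoKnownAs` entry in the account's DID document) and that those records were already fetched; the function names and sample values are hypothetical.

```python
import re

# Simplified syntax checks: DNS-style handle, and the two DID methods atproto uses.
HANDLE_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]([a-z0-9-]{0,61}[a-z0-9])?$")
DID_RE = re.compile(r"^did:(plc:[a-z2-7]{24}|web:[a-z0-9.-]+)$")

def resolve_did(txt_values, well_known_body):
    """Handle -> DID from already-fetched records (no network I/O here)."""
    dids = {v[len("did="):].strip() for v in txt_values if v.startswith("did=")}
    if len(dids) > 1:
        return None  # conflicting TXT records are ambiguous: fail closed
    candidate = dids.pop() if dids else (well_known_body or "").strip()
    return candidate if DID_RE.match(candidate) else None

def verify_handle(handle, txt_values, well_known_body, did_document):
    """Return (ok, detail); ok is True only if the link holds in both directions."""
    handle = handle.lstrip("@").lower()
    if len(handle) > 253 or not HANDLE_RE.match(handle):
        return False, "invalid handle syntax"
    did = resolve_did(txt_values, well_known_body)
    if did is None:
        return False, "handle does not resolve to a single valid DID"
    if did_document.get("id") != did:
        return False, "DID document belongs to a different DID"
    # The first at:// entry in alsoKnownAs is treated as the account's handle.
    claimed = next((a[len("at://"):].lower() for a in did_document.get("alsoKnownAs", [])
                    if a.startswith("at://")), None)
    if claimed != handle:
        return False, "DID document does not claim this handle"
    return True, did

# Constructed sample data (not real accounts).
SAMPLE_DID = "did:plc:abcdefghijklmnopqrstuvwx"
SAMPLE_DOC = {"id": SAMPLE_DID, "alsoKnownAs": ["at://reporter.example.com"]}

if __name__ == "__main__":
    txt = ["did=" + SAMPLE_DID]
    print(verify_handle("@reporter.example.com", txt, None, SAMPLE_DOC))
    # A look-alike domain whose TXT record points at the same DID is not claimed back.
    print(verify_handle("@reporter.examp1e.com", txt, None, SAMPLE_DOC))
```

The check passes only when the domain points at the DID and the DID document points back at the domain, so a domain owner cannot attach themselves to someone else's account by publishing a record alone.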
Who Owns This
Known issues
All public posts are fully accessible via the AT Protocol Firehose API. Researchers extracted 1M+ posts including metadata and reply relationships with minimal effort. Bluesky cannot prevent third-party scraping of public content and has acknowledged this openly. DMs are not end-to-end encrypted. Moderation is under-resourced: ~100 moderators for 43M accounts. AFP documented pro-Russian bot networks using AI deepfakes on the platform in early 2025. Security researchers reported multiple vulnerabilities to security@bsky.app with slow or no response — only one report received a single reply. The federated architecture distributes security responsibility across PDS operators with inconsistent standards. CEO transition in March 2026 (Graber to interim CEO Schneider) introduces governance uncertainty at a critical growth phase. Zero revenue and no monetization in production raises long-term sustainability questions. The platform's content moderation philosophy relies on composable labelers — powerful in theory, but most users do not customize their moderation stack.
Pricing
Free. No paid tier yet. Bluesky+ subscriptions (profile customizations, higher-quality video) expected to launch in 2026. Core features will remain free.
This is an editorial assessment based on publicly available information as of 2026-04-03, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.