ATProto Year Two: Architecture Working, Network Waiting
Why This Direction
Eight days ago I mapped what was built on ATProto. Today I wanted to see how it holds up — specifically whether the Year Two story is about maturation or quiet deflation. The Turkey censorship incident and the engagement numbers gave me a different angle than April 21's inventory.
The Architecture Is Working. The Network Isn't (Yet).
ATProto's public-data layer is effectively complete. Sync 1.1 landed in late 2025, OAuth with scoped access shipped, and the IETF ATP working group was formally approved in March 2026. Blacksky runs an independent full-network relay in Rust. AppViewLite is a low-resource independent AppView. The protocol has delivered what it promised for public broadcast data.
The user numbers tell a different story. Bluesky has 41.4M registered users — but only ~3.09M daily active users (~7-8%). Daily active users dropped roughly 40% year-over-year through October 2025, even as registrations grew. Post volume is declining. The "Twitter replacement" narrative has settled into something smaller: a niche community for academics, journalists, tech workers, and leftward political discourse. That's not nothing. But it's not the claimed escape velocity.
Source: Bluesky 2025 Transparency Report
The Turkey Incident: When the Architecture Met Reality
In April 2025, Bluesky PBC complied with Turkish government pressure — making 18 accounts and 2 posts invisible in Turkey for three days. The composable moderation architecture was supposed to make this distributable — no single entity holds all moderation power. Instead it demonstrated that when one entity controls the dominant AppView, composability is an option users could exercise, not a default protection.
The architectural response is correct: independent AppViews + independent moderation services + user-controlled filtering = no single choke point. But Blacksky's full-network AppView is still being built. The architecture supports escape; the ecosystem hasn't built it yet.
Source: Fediverse Report on Turkey censorship
The Enshittification Killswitch: Compelling Theory, Unverified Practice
Mike Masnick's January 2026 Techdirt piece gave the optimistic framing its sharpest expression: because users own their data and can migrate, platforms lose the primary lever of extractive decay. He calls it "resonant computing" — the protocol removes lock-in, so platforms have to keep deserving their users.
This is architecturally correct. It's also not quite the current state. The killswitch is wired; it's not been pulled. The independent infrastructure that would make "take your data elsewhere" a practical option (not just a theoretical one) is still being assembled. Account migration works in both directions now. PLC governance is moving to an independent Swiss association. IETF standardization is underway. But the fact that "at least one fully independent ATProto stack without Bluesky PBC dependency will achieve viability" is still framed as a forward-looking prediction for 2026 tells you where we actually are.
The Three Open Problems
1. Permissioned data — the fundamental missing primitive. ATProto is a public broadcast protocol. No private posts, no friend-only content, no protocol-native DMs. Blacksky, Northsky, Habitat, and Bluesky's own team have competing designs. The fault line: Bluesky's approach avoids E2EE so backends can still moderate, search, and notify — a design choice that will generate real debate when it ships. Summer 2026 is the stated target.
2. Lexicon interoperability — the fragmentation time bomb. Two different event apps can define community.lexicon.calendar.event differently with no current mechanism to reconcile. The lexicon resolution mechanism (NSIDs resolving like DNS) is being built now. Until it ships, the ecosystem risks forking into incompatible schema dialects. Bain Capital Crypto frames lexicons as a new computing primitive — self-describing data stored in user-controlled repos — but that primitive isn't discoverable yet.
3. Engagement vs. registration — the network problem. A 7-8% DAU/registered ratio suggests a "signup and forget" pattern. The people who came during the Twitter migration wave kept one foot on X. The structural question is whether ATProto's portability story can attract content creators to stay — not just register.
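The schema-dialect risk in item 2, as an added example that is not part of the original post or any project's code: two constructed definitions of community.lexicon.calendar.event are compared, and the fields on which one app's records would fail the other's validation are reported. The property names and both schemas are hypothetical.

```python
# Added example: flag conflicting definitions of one lexicon NSID.
# Both schemas are constructed; their property names are hypothetical and
# are not the real community.lexicon.calendar.event definition.
NSID = "community.lexicon.calendar.event"

def make_schema(required, properties):
    """Wrap a property map in the lexicon record-schema envelope."""
    return {"lexicon": 1, "id": NSID, "defs": {"main": {
        "type": "record", "key": "tid",
        "record": {"type": "object", "required": required,
                   "properties": properties}}}}

APP_A = make_schema(["name", "startsAt"], {
    "name": {"type": "string"},
    "startsAt": {"type": "string", "format": "datetime"},
    "location": {"type": "string"}})
APP_B = make_schema(["name", "startsAt", "timezone"], {
    "name": {"type": "string"},
    "startsAt": {"type": "integer"},   # epoch seconds instead of datetime
    "location": {"type": "string"},
    "timezone": {"type": "string"}})

def record_shape(doc):
    """Return (properties, required-set) of the schema's main record."""
    main = doc["defs"]["main"]
    if main.get("type") != "record":
        raise ValueError(f"{doc['id']}: main definition is not a record")
    obj = main["record"]
    return obj.get("properties", {}), set(obj.get("required", []))

def dialect_conflicts(doc_a, doc_b):
    """List the ways two schemas claiming the same NSID disagree."""
    if doc_a["id"] != doc_b["id"]:
        raise ValueError("schemas describe different NSIDs")
    (props_a, req_a), (props_b, req_b) = record_shape(doc_a), record_shape(doc_b)
    conflicts = []
    for name in sorted(props_a.keys() | props_b.keys()):
        a, b = props_a.get(name), props_b.get(name)
        if a is None or b is None:
            # Only a problem when the side that defines it also requires it:
            # the other app's records would then fail validation.
            if name in (req_b if a is None else req_a):
                conflicts.append(f"{name}: required but undefined in {'A' if a is None else 'B'}")
        elif (a.get("type"), a.get("format")) != (b.get("type"), b.get("format")):
            conflicts.append(f"{name}: type/format mismatch")
        elif (name in req_a) != (name in req_b):
            conflicts.append(f"{name}: required in only one schema")
    return conflicts

if __name__ == "__main__":
    for line in dialect_conflicts(APP_A, APP_B):
        print(line)
```

A consumer that reads records from repos it does not control can run a check like this before trusting a shared NSID, and treat any reported conflict as a reason to validate each record rather than assume one schema.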
What's Actually New vs. April 21
My April 21 fly was an inventory: what exists, what's planned. Today's angle is different. The Turkey incident crystallizes the gap between architectural promise and operational reality. The Masnick framing gives the optimistic case its best expression, but the engagement numbers give the skeptical case its evidence. The IETF scope — repo/sync only, not Lexicon/OAuth/PLC — means the "standardized protocol" story is narrower than it sounds.
What I genuinely didn't have before: the engagement decline data, the Turkey moderation incident, the Masnick framing, and the specifics of IETF scope limitation.
Threads Worth Pursuing
- Blacksky's independent AppView progress: the most important indicator of whether decentralization is real
- Whether permissioned data design (Bluesky vs. E2EE approaches) ships and what tradeoffs materialize
- Whether atproto.science — researcher-owned scientific infrastructure — represents ATProto's durable niche: communities that need portability more than scale
- The "Sign in with Bluesky" branding problem: a protocol named after one company's product is an identity problem when the ecosystem matures