"Ending the Era of 'Invite Spam'? What Makes Bluesky's Find Friends Different"

"Find Friends"—a feature that has become a standard on social networks—has actually been a "nuisance" for many years. It involves reading your smartphone contacts to determine who else is on the same social network and then sending invitation messages to those not yet registered. While it's a shortcut for users to reconnect, for recipients, it often turns into an unexpected "app solicitation SMS." Moreover, since it involves the strong personal information of phone numbers, there is always a risk of leakage and misuse. When Bluesky announced in December that it would launch "Find Friends" with a "privacy-first" approach, it clearly indicated a strong intention not to simply follow this old successful pattern. TechCrunch

A Declaration Against "Invite Spam"

The point reported by TechCrunch is clear. Bluesky will not automatically send invitation SMS even if you upload your contacts. If it does, it will be limited to a manual action where "the user sends a text to a friend at their own will." Considering that many social networks have used contact matching as a growth hack (a viral conduit), often forcibly sending invitations, this is quite a challenging stance. TechCrunch

However, there is a trade-off here. Since Bluesky is designed to "not store or track individual phone numbers," it cannot pre-determine whether the other party is already on Bluesky. As a result, even if a friend sends an invitation text with good intentions, it may still be received by someone who is "already participating." 9to5Mac refers to this as a "drawback," but considers it a small price to pay for privacy protection. 9to5Mac

Mechanism: Double Opt-In + Number Verification

Bluesky's Find Friends will not match unless the following conditions are met.

• Both parties have enabled Find Friends.

• Both have registered each other in their contacts (one-sided contact registration will not suffice).

• Verify your number via SMS before uploading contacts.

According to TechCrunch, users will enter a six-digit code received via SMS to verify their number, aiming to prevent misuse like "phishing" by randomly inputting numbers to "fish out" if they are on Bluesky. Furthermore, if you don't use it, you won't be "discovered by phone number"—those who don't want to be found by workplace acquaintances can choose not to use the feature. TechCrunch

The service is also being rolled out gradually, initially limited to certain countries (including Japan) for the mobile app. TechCrunch

"Hashed Pairs" + "Separate Hardware Key"—Defense Assuming Leakage

Perhaps the most interesting aspect is that Bluesky is directly addressing "contact matching" as a security design issue. According to TechCrunch and Bluesky's official blog, uploaded phone numbers are stored not as simple hashes but as "hashed pairs" of "your number × the other person's number". This makes reverse engineering difficult even if the data is leaked. Furthermore, the encryption is linked to a hardware security key stored separately from the database. Users can also delete data or opt-out later. TechCrunch

TechCrunch also reports that these technical details were shared in advance as an RFC with the security community to solicit feedback. This implies that Bluesky itself acknowledges that "contact matching often involves risky implementations" and chose to expose its design for discussion rather than deploying it directly. TechCrunch

Why Go This Far: "Cold Start" and "Real Friends"

Bluesky's blog raises the issue that social networks were originally "places to connect with people you actually know," but that has been lost in the noise of algorithms and engagement competition. If the goal is to once again become a "social network where you can meet acquaintances," finding friends is unavoidable. Moreover, in the context of the RFC, Bluesky touches on the "cold start problem of building social graph density" and also mentions user scale. Bluesky

In short, Find Friends is not just an additional feature but a theme close to the core of the service, addressing "how a decentralized (or aspiring to be) social network creates the initial human connections."

Community Reactions on SNS: A Mix of Welcome and Skepticism

This design has already sparked discussions. Here, we summarize the trends focusing on voices from Hacker News and GitHub Discussions as "SNS reactions."

1) "An Idea Like Private Set Intersection"—Suggesting a More Cryptographic Solution

On Hacker News, the related technical area ofPrivate Set Intersection (the idea of finding only the common parts of sets while keeping them secret) was mentioned, with discussions on directions like "avoiding an entire class of attacks by not sharing phone numbers in plaintext." However, there are also comments drawing realistic boundaries, saying "it might be excessive in terms of scale." Hacker News

2) "Security Is Written, But Ultimately, Isn't It About Trusting the Server?"

Similarly, on Hacker News, while the RFC deals with "security," there are skeptical views that "ultimately, it seems to come down to trusting the server/instance." This is a comment with a practical sense, noting the difficulty of reconciling number verification (spoofing countermeasures) with a design that doesn't pass numbers to the server. Hacker News

3) "Phone Numbers Are Dangerous Even When Hashed"—The Issue of Small Number Space

Another comment points out that "phone numbers lack uniqueness and hashes can be addressed with a lookup table," highlighting the so-called "small number space" issue. Bluesky aims to increase reverse engineering difficulty by using "hashed 'pairs'," but user concerns remain strong. Hacker News

4) On GitHub: "Clarify the Specifications More" and "Contacts ≠ Social"

In GitHub discussions, feedback delving into the details of the design is prominent. For example, there is constructive criticism that the explanation regarding **phone number recycling (reassignment of numbers)** is unclear, suggesting that pseudo-code should be shown early on. GitHub

Another comment states, "My phonebook doesn't match my social graph, so I won't use this feature," while indicating that there is no concern as long as it remains opt-in and no unnecessary "additional information for reconciliation" is stored. GitHub

Conclusion: Find Friends as a "Promise" Rather Than a "Feature"

On the surface, Bluesky's Find Friends appears to be an update of "finally having a friend search." However, in substance, it seems to implement a "promise" regarding the balance between privacy and growth by (1) cutting off the temptation to grow through automatic invitations, (2) leaving choice to the "found side" with double opt-in, (3) designing with leakage in mind, and (4) publishing an RFC in advance for external review. TechCrunch

Of course, as long as the material of phone numbers itself is too powerful, the controversy will never completely disappear. As the reactions on Hacker News and GitHub indicate, issues of server trust, number space, and the fundamental argument that "contacts ≠ friends" remain. Hacker News

Still, the attitude of treating contact matching as a "safety design issue" rather than a "growth device" might set a benchmark for other social networks implementing similar features in the future. Bluesky