WSocial is a new social network designed as a European alternative to X, Bluesky and other platforms. It is owned by a privately funded Swedish company.
Political actors in Europe hope it will become a technical and political counterweight to Elon Musk and Donald Trump. Musk has repeatedly shown that he does not intend to subordinate his understanding of free speech on X to the EU’s more restrictive approach. European Commission President Ursula von der Leyen is therefore also heavily promoting WSocial.
The service promises to comply with European data protection rules and to be particularly secure, not least in order to draw users away from X. Yet these very promises on data protection and sovereignty appear not to be borne out technically. Several indications suggest that, despite all assurances, large amounts of data are being transferred to the US and processed there. That would put them beyond the reach of the EU protections the service advertises.
Checks have shown that the servers used for the service itself are located in Europe. According to an analysis of the app, posted content and identity verification can be assumed to remain in Europe.
Unclear Data Flows
The mandatory identity requirement has drawn criticism, however. The process collects extensive data. An ID document is scanned, the real name is linked to the user name, and the date of birth and biometric data are collected. That alone is problematic because it could conflict with individual national data protection laws, especially since less intrusive forms of verification are available.
The company says all data is deleted once the identification process has been completed. What remains unclear, however, is what happens during verification and whether the data can be protected from unauthorized access at every stage.
According to the available indications, at least metadata could also flow to the US during the verification process. At the same time, the promised anonymity collapses at precisely that point if users may use a pseudonym but the platform knows their real identity.
Questions have also been raised over the system’s infrastructure and how much of it is in fact operated entirely in Europe. Public analyses have cast doubt on that point.
Experts disagree over whether WSocial operates its own AppView and relay infrastructure or whether the service depends too heavily on Bluesky infrastructure. In the first case, with its own purely European infrastructure, security would be assured. In the second, at least large volumes of metadata would flow to the US.
Bluesky at the Core
The service is plainly built on Bluesky. Given the millions spent on developing the service, that is almost a scandal in itself because Bluesky is an open structure that anyone can use free of charge.
That does not make the system bad. It does, however, raise a whole series of questions about where the money went. At least the funds received by the Swedish operator were not public money.
From a security perspective, it will be necessary to establish whether only European Bluesky instances are being accessed or whether data is already being transferred elsewhere at that level too. Interested users can request access to the recently launched beta version, and around 55,000 accounts have so far been allocated. At present, there is still no detailed analysis showing which instances are being contacted, where they are located and for what purpose.
Who Owns the Account?
One of WSocial’s strongest arguments is the AT structure of its accounts. In principle, that means the account belongs to the user, not to the network. If users do not like the platform, they can move their entire account elsewhere.
Yet even with AT protocol networks, the same questions remain. Where is the account actually located? Who stores the data? Where is the user’s feed created? And who processes search queries, and where?
WSocial’s selling points are EU law, European hosting, high data protection standards and so-called “verified humans”. Users must identify themselves before they can publish their own content. The aim is to keep out not only fake accounts but also bots as far as possible.
The service will, however, have to work hard to dispel the justified doubts over whether it is meeting the high security and data protection standards it claims to uphold.