I wrote about W Social when it announced at Davos in January — twice, as it turned out. The first post incorrectly stated W was not AT Protocol-based, because the WEF presentation did not mention it. The information emerged from leaked screenshots during a live stream while my post was being read aloud. The correction followed the same day. What survived the correction: concerns about the branding, the institutional framing, and the decision to hide the most important technical detail at launch. That was January.
Today is the public beta launch. The questions have not resolved — several new ones have arrived — and the context has shifted considerably. Worth a follow-up.
The European Commission Moved In
On 12/06/2026, the ATProto accounts of the European Commission, Ursula von der Leyen, the European Central Bank, and Christine Lagarde were migrated from Bluesky PBC's servers to W Social's PDS. The EC then announced this with apparent pride.
Two things about that.
First: the EC's own Joint Research Centre published a paper eight weeks ago explicitly recommending support for Eurosky — the non-profit, openly governed European ATProto network run by the Modal foundation, which also operates mu.social as an open ATProto AppView — one of several applications that can present the same underlying network data, in the same way different browsers render the same web — and W Social's direct rival in that space. Not W Social. Eurosky. That recommendation appears to have been set aside without comment or explanation.
Second, and more fundamentally: an institution operating at the Commission's scale should not be running its communications through any third-party PDS, regardless of who operates it. Sebastian at eurosky.social makes the point plainly — one moderation decision away from losing control of your own account history. Self-hosting a Personal Data Server is not a technically exotic undertaking at this point. It is the obvious baseline for any institution that takes its own data sovereignty seriously. The fact that this appears not to have entered the decision-making process is, to put it diplomatically, worth noting.
The Closed-Source Problem
This is the part I find hardest to dismiss.
Shortly before the beta launched — and after the EC migration — W Social quietly deleted their public GitHub repository. The w-social-eu/w-social-atproto repo was not deprecated with a forwarding notice. Not archived. Deleted.
The AT Protocol is Apache 2.0 licensed. The implications of forking it and then removing public access to your modified codebase are a question for people with law degrees. The signal it sends, however, requires no legal training to read.
Elena Rossini broke the story and followed it closely. The European Commission published its European Technological Sovereignty Package on 03/06/2026, with open source as a stated core principle. It has now migrated its primary ATProto presence to a platform that has, by the available evidence, gone closed-source. I will not speculate on whether whoever approved the migration knew this. I will note that the two positions are difficult to hold simultaneously.
Aral Balkan of the Small Technology Foundation observed that the standard practice — deprecating a repository with a message pointing to its new home — was not followed here. The deletion was silent. He also described W Social as "just another for-profit Big Tech startup that happens to be based in the EU." That is a harder framing than I would reach for. The concern underneath it is not.
The Point of the Protocol
It is worth being explicit about something that tends to get lost when institutions start announcing social media migrations.
AT Protocol exists because people were dissatisfied with the status quo. Not aesthetically dissatisfied — structurally. The problems it was designed to solve were not slow timelines or bad recommendation algorithms. They were the fundamental power dynamics of centralised platforms: a single company controlling who can speak, what gets amplified, who gets banned, and what happens to your data when the company changes direction or gets acquired. The portable identity, the user-held data, the open federation — none of that is incidental. It is the entire point. The protocol was built to make those failure modes architecturally impossible.
W Social is built on that protocol. And it is now, with the closed-source move and the verified identity requirement and the institutional capture strategy, attempting to reintroduce precisely the conditions ATProto was designed to prevent. Closed codebase: one company controlling the implementation. Tiered identity verification: one company deciding whose participation is prioritised. Pitching to the politically connected: one company positioning itself as the authoritative European social layer, accountable to the institutions it has cultivated rather than to the users it hosts.
And, because W Social is a for-profit company: advertising. CEO Anna Zeiter has confirmed the business model combines ads with micropayments for media partners, with revenue shared based on user engagement. Most ATProto AppViews — mu.social included — are ad-free. That is not an accident. It reflects a design culture that has, until now, treated the attention-harvesting model as one of the things the ecosystem was built to leave behind. W is not leaving it behind.
You can use an open protocol as infrastructure for a closed product. Nothing stops you. But you are not, in any meaningful sense, participating in the open ecosystem — you are extracting from it. The federation still works in the technical sense. The philosophy it was built to embody does not survive the translation.
On Verified Humans
W Social's pitch — to institutions, to policymakers, to the politically connected — centres on verified human users. All real people. No bots. The verification happens through a separate app, W Identity.
Jon Worth has observed that this has been W's deliberate strategy: pitch verification to people who find "real people" self-evidently appealing without thinking through what the system actually requires. It is a smart pitch. What it actually requires, concretely, is a government-issued ID. Cybernews, who got pre-launch access, found that the W Identity app asks users for selfies and identity documents including passport numbers. W Social's own Terms of Service confirm they receive users' passport country and year of birth from W Identity. The biometric data and ID documents are handled by W Identity AB — a separate legal entity — rather than W Social directly, but that is a distinction in data architecture, not a reduction in risk. If faces, passport data, or identity document numbers are leaked, users cannot reset them the way they would a password. Cybernews' security researchers made that point explicitly.
It concentrates risk considerably. It creates structurally tiered participation, where anonymity is available in theory but deprioritised in practice — unverified accounts can read but cannot post or comment. And it is, not coincidentally, something large platforms have been pushing through regulatory channels for years, because verification requirements raise barriers to entry and entrench whoever got there first.
"Real people" sounds obviously good, in the same way "European digital sovereignty" sounds obviously good. The substance of the claim is where things get complicated.
There is also a more fundamental problem with the pitch that does not require engaging with any of its privacy implications: ATProto is an open protocol. Bots already exist on it. They exist on Bluesky, they exist across the network, and nothing about W Social's verification layer changes that — because W can only control what appears in its own AppView, not what exists on the protocol beneath it. A verified W account can still be replied to, followed, and interacted with by automated accounts operating elsewhere in the Atmosphere. The "human only" framing describes a walled garden, not the network. And W is, by design, part of the network.
Where This Leaves Things
W Social launching in public beta today is, in isolation, fine. The ATProto interoperability is real — you can follow and interact with W accounts from Bluesky, from Eurosky, from wherever your PDS lives. That part of the protocol works as intended.
What is not fine is the pattern. A repo deleted without explanation. An EC migration that bypassed an explicit JRC recommendation for a non-profit alternative. An identity verification model designed to appeal to exactly the institutions that have the least reason to have thought carefully about it.
The closed-source move is the one I will be watching. Either it gets reversed — transparently, with explanation — or it does not, and the picture becomes considerably clearer. A platform built on an open protocol that then closes its own codebase is not really participating in an open ecosystem. It is borrowing the ecosystem's credibility while opting out of its obligations. "European" and "built on ATProto" are not, on their own, sufficient conditions for the thing you are building to qualify as trustworthy public infrastructure.
W Social has answered some of these questions and declined to answer others. Today is day one of public beta. I am prepared to be convinced by what comes next.
I am, in the meantime, staying on Eurosky.
Most of the discussion about W's launch that informed this piece was circulating on Bluesky. I read it through mu.social — Eurosky's own ATProto AppView, and the one I personally prefer. The alternative is not theoretical.