Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.

I would say it’s important not to conflate privacy with secrecy. If you have a domain with your name on it (e.g. my mspencer.net) but create email aliases for every situation, sites won’t be automatically correlating your addresses with each other. How do they know which addresses are yours and which aren’t? More importantly, if you self host, emails are encrypted in flight and live on your own hardware at rest, so nobody external to any conversation will be snooping on message contents.

I’m sure legally it has no effect, but I have postfix configured to refuse emails with “updated terms” and “updated our terms” in the body. If I still haven’t been notified that a site’s terms have been updated to allow some new horribleness, they can’t claim they made me aware, huh? I guess they’ll just have to send me paper mail if it’s so important to them.

(You could do that too, if you self host postfix / dovecot / roundcube / opendkim and use greylist and RBLs for anti-spam. It’s been effortless for me, after an admittedly grueling initial setup process taking several days to learn and fail with.)

My own “we need” list, from a dork who stood up a web server nearly 25 years ago to host weeb crap for friends on IRC:

We need a baseline security architecture recipe people can follow, to cover the huge gap in needs between “I’m running one thing for the general public and I hope it doesn’t get hacked” and “I’m running a hundred things in different VMs and containers and I don’t want to lose everything when just one of them gets hacked.”

(I’m slowly building something like this for mspencer.net but it’s difficult. I’ll happily share what I learn for others to copy, since I have no proprietary interest in it, but I kinda suck at this and someone else succeeding first is far more likely)

We need innovative ways to represent the various ideas, contributions, debates, informative replies, and everything else we share, beyond just free form text with an image. Private communities get drowned in spam and “brain resource exhaustion attacks” without it. Decompose the task of moderation into pieces that can be divided up and audited, where right now they’re all very top down.

Distributed identity management (original 90s PGP web of trust type stuff) can allow moderating users without mass-judging entire instances or network services. Users have keys and sign stuff, and those cryptographic signatures can be used to prove “you said you would honor rule X, but you broke that rule here, as attested to by these signing users.” So people or communities that care about rule X know to maybe not trust that user to follow that rule.