Monday, 15 June 2026

Back to the borderless future

An internet jurisdiction retrospective 

The problem

Since the dawn of the internet we have wrestled with the question of how best to reconcile national laws with the inherently cross-border medium of the internet. We are still at it, with resolution seemingly as far away as ever. The periodic eruptions of controversy when some nation state decides to assert its local laws in a way that others view as exorbitantly extraterritorial are testament to that.

If answers are difficult to come by, the nature of the problem was always obvious. Back in 1999 I described the jurisdictional challenges to national legal systems presented by the internet. 

“Time is no longer a barrier: on the Internet content can be delivered instantaneously across geographic and political borders. Distance is irrelevant: not only can messages be transmitted from one part of the globe to another instantaneously, but for the user the location of the content is irrelevant. All that matters is that the content appears on his or her screen. … The Internet also destroys cost barriers.  

These characteristics give the Internet the potential to erode national legal systems based on geographic and political boundaries. While imposed barriers – customs, immigration, tariff and physical – still remain, the Internet challenges their enforceability. … People responsible for content are vulnerable to enforcement in states in which they live or visit, to which they can be extradited, or in which they have assets. But the information is almost immune. … Once telecommunications links are in place it is extraordinarily difficult for national authorities to prevent information flowing across their borders.”

Content on the Internet – Law, Regulation, Convergence and Human Rights (Graham Smith, chapter in ‘International Law and the Hague's 750th Anniversary’, T.M.C. Asser Press, 1999)

That probably overstated the immunity of information to technical border controls, at least in the hands of a sufficiently determined government. Nevertheless, the bits and bytes still tend to fly across borders with a fine disregard for nation state boundaries; and politicians continue to debate the efficacy of geo-blocking and to be exercised by VPNs. 

There were some who argued that the internet was nothing new; that we had already had to grapple with cross-border broadcasting. However, a handful of satellite broadcasters bore little resemblance to hundreds of millions of individual online users posting their thoughts direct to a default world-wide audience.

What to do?

How, therefore, can we minimise friction between starkly differing sets of laws and values when, inevitably, they rub up against each other online? Can we achieve peaceful co-existence, or are we condemned to a perpetual contest for superiority between competing national laws? Does that become a race to the most restrictive common denominator?  If so, does that matter?

If a nation state feels strongly enough about the values embedded in its own domestic laws, is it entitled to assert those against all visible online content worldwide? Or should it grit its teeth, exercise jurisdictional self-restraint and accept that its citizens may legitimately be able to seek out content created under other legal systems?

What should count as sufficient connection with a country in order for its authorities to assert jurisdiction over foreign online content? Should those domestic authorities take into account the fundamental rights of users in other countries with less restrictive laws? If so, how? Is it legitimate for a domestic authority to co-opt online intermediaries such as search engines to require them to remove content from their services worldwide?

Is it reasonable to insist that, in order to avoid triggering other countries’ laws or jurisdiction, online content must be rendered technically inaccessible by geofencing? What if a geofence can be circumvented?

Those are some of the specific questions that the broad issue of internet jurisdiction throws up. They have been argued over in the courts and in academic scholarship for decades, going back to the mid-1990s. That was the era of Johnson and Post’s celebrated 1996 essay Law and Borders – The Rise of Law in Cyberspace, counterweighed ten years later by Goldsmith and Wu’s Who Controls the Internet?: Illusions of a Borderless World (OUP, 2006).

In the courts, the mid-1990s saw the CompuServe newsgroup and Radikal magazine cases in Germany. Those were followed in 2000 by the French LICRA/Yahoo! litigation over Nazi memorabilia displayed on Yahoo!’s .com auction site. That was the first case to focus expressly on whether mere accessibility of overseas online content should be sufficient to found jurisdiction, and to examine in detail the technical ability of a foreign website to filter out users from (in this case) France. The litigation carried on, on both sides of the Atlantic, until 2006, attracting world-wide attention as it went. It remains a paradigmatic internet jurisdiction case study.

Uta Kohl’s book Jurisdiction and the Internet (CUP) was published in 2007. She asked:

“Traditionally transnational activity has been ‘shared out’ between States with the aid of location-centric rules and these can be adjusted to suit the Internet. But can these rules be stretched indefinitely and what are the costs of squeezing global online activity into nation-state law?”

By 2017 Dan Svantesson was able to introduce his book Solving the Internet Jurisdiction Puzzle (OUP) thus:

“It is fair to say that the topic of ‘Internet jurisdiction’ is currently gaining an unprecedented level of attention. Indeed, at the moment, Internet jurisdiction is one of the most important, and most talked about, topics in Internet law and related fields.”

In March 2021 Julia Hörnle, commenting on her newly published book Internet Jurisdiction Law and Practice (OUP), observed:

“Essentially, jurisdiction is about the legal authority of state actors to act and that legal authority is limited to the population and territory of the state. It ends at the national border. Since this power of a state agent to act is limited to the territory of that state, but the internet’s reach is not so limited, jurisdiction is the fundamental legal concept behind many, if not most, of the troubles of effectively regulating the global internet. National police forces do not (normally) cross international borders.

If the legal concept of jurisdiction challenges effective policing of the internet, you may ask, why can’t we simply change this old legal concept to something more suitable? The problem lies not in the law but in the international political system of governance by nation states, a political system closely tied to national identities, culture, and geo-political realities.”

Whether we are seeking to adapt existing jurisdiction rules or to attempt something more radical, the reality is that when national legal rules clash, dispassionate application of formal rules can be hard to disentangle from culturally influenced views about what the law ought - and ought not - to be. That is well illustrated by the comments of the French court in the LICRA/Yahoo! case, suggesting that it would cost Yahoo! very little to extend its prohibitions on various other kinds of content to symbols of Nazism, and that:

"such an initiative would have the merit of satisfying an ethical and moral requirement shared by all democratic societies" (judgment on geo-filtering measures, 20 November 2000)

That implicitly contrasts the moral weight to be attributed to French law with that to be given to the USA's attachment to freedom of expression. 

The history of extraterritorial assertion of local laws on the internet is, unsurprisingly, littered with subject-matter about which passions run high: Nazi memorabilia, obscenity, holocaust denial, terrorism and others. 

The most recent controversies have been sparked by various countries’ online safety laws – notably those of the EU and the UK, which (along with some actions of the Brazilian Supreme Court) have attracted the ire of the current US administration.

Online safety is by no means the first, nor will it be the last, subject matter to fuel local enthusiasm to reach out across borders and take aim at non-conforming foreign content. What is perhaps different about online safety is the attempt not just to assert specific content laws against discrete items published online, but to impose entire regulatory regimes on service providers and to penalise non-compliance with administrative regulatory requirements. (In that respect online safety has something in common with EU and UK data protection regimes.)

Whether a foreign service provider has sufficient connection with a state to justify it in asserting a specific content law is a familiar enough question. With a regulatory regime, additional issues arise as to whether a regulatory body such as Ofcom (the UK online safety regulator) is entitled to serve legal notices directly across borders or whether that violates the territorial sovereignty of the state in which the recipient is located. Similar questions have arisen in the context of cross-border evidence requests by law enforcement to online intermediaries. 

Lack of consensus

Lack of consensus on jurisdictional self-restraint is perhaps not surprising: cultural and geopolitical sensitivities readily translate into reluctance to cede ground to another country’s less restrictive laws. 

2012

“Every so often someone in authority feels the urge to put on blinkers, engage tunnel vision and, casting the internet as chief villain, decide to view the rest of the world as an offshore haven that exists for the sole purpose of subverting his home laws.  This even happens at policy level.  EU and US authorities have both gained deserved reputations for trying to forcefeed other countries, and each other, with their pet legislative agendas. 

In the UK you could argue that we asked for it. Our libel courts willingly adopted the startlingly parochial doctrine, first espoused in the Australian case of Gutnick v Dow Jones, that any website in the world that can be read and comprehended in the UK is published here.  Asserting our libel laws against the rest of the world on the basis of minimal UK publication provoked the US to pass the SPEECH Act, preceded by New York’s Libel Terrorism Prevention Act.” 


See me, sue me? Cyberleagle, March 2012

It is more frustrating if jurisdictional issues are approached as if the internet has only just been invented and the issues have not been thought about seriously before.

Ultimately, what jurisdictional rules are appropriate for the internet? How far should a nation state’s laws be able to reach extraterritorially? What are the consequences of overreach (in international law terminology, exercise of exorbitant jurisdiction)? What are the practical consequences of different jurisdiction rules?

I have been writing about these issues, on and off, for the best part of 30 years. I hope I can be forgiven for illustrating this thematic retrospective with some extracts from my own efforts. Whatever the reader may think of the views expressed, or how far they have stood the test of time, the exercise does illustrate that while the flashpoints may have changed, the underlying issues have not.

An international convention?

At one time there were suggestions of an international convention to govern the internet. Parallels were drawn with the Law of the Sea Convention. However, the maritime analogy does not really hold water. The internet is not an unowned expanse between states, requiring a separate legal regime to be created for activities that take place in the void between national boundaries. People’s online activities may straddle borders, or move across them instantaneously, but the activities do not in substance occur between them. The issue is one of conflicting laws, not one of no law.

In any case a convention harmonising substantive content laws was always likely to be unachievable. For myself, I was doubtful that it was even desirable; first, because there is intrinsic merit in maintaining a rich and changing variety of substantive content laws worldwide; and second, because any uniform worldwide content law that might be achievable would necessarily have to accommodate nation states with scant regard for liberal principles of freedom of expression. 

2019

"The risks attached to a universal convention to address those issues are twofold: that the prospect of agreement is very low; but also that if an agreement were reached, that would inevitably involve significant worldwide compromise of values such as freedom of expression. Those who would have to agree to such a convention include the very governments who so enthusiastically seek to apply their often restrictive domestic laws to internet activities emanating from other countries."

Internet Law and Regulation (5th ed, 2019, Sweet & Maxwell) Graham Smith, Chapter 6 Cross-border liability

In principle a jurisdiction convention — a set of rules about whose laws should apply — should aim to be agnostic as to the substantive merits of competing national laws. However, where content is concerned, value neutrality is something of a chimera: the greater the permissible reach of national laws online, the greater the prospect of exposure to the more restrictive law or regulatory regime.

Mere accessibility and most restrictive common denominator

The most expansive basis for asserting jurisdiction is mere accessibility, also known as country of receipt, country of destination or mere visibility. Even if there is no consensus about what internet jurisdiction rules should look like, from the start there was at least a strong body of opinion that mere accessibility is overreaching in principle, and that in practice it would lead to application of the ‘most restrictive common denominator’, a geographically fragmented internet, or both. 

1999

“If increased international co-operation were to result in national laws being extra-territorially enforced, … that would effectively amount to a ‘country of receipt’ rather than ‘country of origin’ regime. Under such a regime someone publishing content on the Internet would have to satisfy himself of its lawfulness in all countries of receipt. This is an extremely onerous and effectively impossible task to achieve. If ‘country of receipt’ were to be reinforced, it would result in a ‘most restrictive common denominator’ approach to Internet content.”

Content on the Internet – Law, Regulation, Convergence and Human Rights (Graham Smith, chapter in International Law and the Hague's 750th Anniversary, T.M.C. Asser Press, 1999).

Some instruments (including the EU GDPR, the UK GDPR and the EU Digital Services Act) expressly exclude mere accessibility as a basis of jurisdictional competence. However, the consensus against mere accessibility is not universal.

2023

"Over the years a de facto compromise had been emerging, with the steady expansion of the idea that you engage the laws and jurisdiction of another state only if you take positive steps to target it. Recently, however, some states have become more expansive – not least in their online safety legislation.

There has long been a consensus against ‘mere accessibility’ as a test for jurisdiction. It leads either to geo-fencing of websites or to global application of the most restrictive common content denominator. That consensus seems to be in retreat.

Moreover, the more exorbitant the assertion of jurisdiction, the greater the headache of enforcement. Which in turn leads to what we see in the UK Online Safety Bill, namely provisions for disrupting the activities of the non-compliant foreign platform: injunctions against support services such as banking or advertising, and site blocking orders against ISPs.

The concern has to be that in their efforts to assert themselves and their local laws online, nation states are not merely re-erecting national borders with a degree of porosity, but erecting Berlin Walls in cyberspace."

Shifting paradigms in platform regulation Cyberleagle, June 2023

The Australian Online Safety Act 2021 asserts regulatory competence on the basis of mere accessibility. The England and Wales Law Commission has recently proposed mere accessibility as the basis of a reformed law of contempt of court by publication.

2026

"Today, the Law Commission exhorts Britannia (or England and Wales, to be exact) to rule the internet worldwide:

“In our view, contempt laws should apply to all material that is accessible in England and Wales.” (Part 1 Report on Liability for Contempt of Court, November 2025 [4.173])

... Ultimately, the policy reasons that the Law Commission has finally relied upon are domestically focused. They do not go into the broader cross-border legal and geo-political aspects that a full discussion of international law and comity could have illuminated.

Such an analysis would have involved considering whether it is reasonable, from the perspective of the foreign state and its citizens, to impose ‘mere accessibility’ liability on persons in another country. It would require consideration of the position of a variety of potential actors: mainstream foreign press and media, individual bloggers and posters, and online platforms."

Britannia rule the internet Cyberleagle, May 2026.

Johnson and Post’s ‘Law and Borders’ paper argued in 1996 that the result of asserting a right to regulate whatever a state’s citizens may access on the Net is that:

“All such Web-based activity, in this view, must be subject simultaneously to the laws of all territorial sovereigns.”

Mere accessibility is a species of the ‘effects’ test in international law, a basis on which states may seek to justify extraterritorial assertion of local law. The effects test was described by David Post in 2015 as:

"a wildly inappropriate doctrine for the Internet Age; if you're subject to jurisdiction where the "effects" of your actions or communications are felt, then given that the "effects" of communications over the Internet can plausibly be felt everywhere and anywhere, simultaneously and instantaneously, the [effects test] has the potential to nullify any and all limits on personal jurisdiction and subject everyone to jurisdiction everywhere - not a reasonable outcome."

Mere accessibility and extraterritoriality go hand in hand:

2001

“[W]e cannot assume that only the content laws that we like will be asserted extraterritorially. Take any regime whose idea of objectionable activities includes political or religious expression. Extraterritoriality is the first step towards requiring all Internet speech to respect the most restrictive national common denominator.” 

Letter to The Times legal section, Graham Smith, 30 January 2001.

The late Max Mosley proposed mere accessibility in his 2012 submission to the Leveson Press Inquiry:

“Anyone using the internet must therefore obey the laws in their country. Similarly, they should obey the law in countries where their posts appear. As a practical matter, it is the search engines and service providers which can best prevent breaches of the law outside the country of origin of the original post.”

That prompted my submission to the Inquiry, in which I pondered what I, as the author of the Cyberleagle blog, should do in response to such a rule.

2012

“So faced with Mr Mosley’s proposed rule, what should I do?  Should I try to ascertain the most restrictive country’s content laws and comply with those?  With the resources of a multinational publisher that is a challenging exercise.  For a lone blogger it is preposterous.  Even if it could be done the result is a monstrously chilling effect on freedom of expression, whereby I (and my UK readers) are deterred from enjoying the benefits of the UK’s imperfect but nonetheless relatively liberal content laws. 

Should I hope that the worst laws will be unenforceable here, hole up in the UK and never set foot in another country (and if so do we wish to encourage such behaviour)? Or will Mr Mosley’s EU-wide law, then international convention, mean that I can be sued or, worst case, extradited, for breach of any non-UK content law, civil or criminal? (Extradition for internet activities can now no longer be regarded as fanciful, even under current laws.) 

So should I try to restrict the blog to a UK audience, or to the UK plus a few selected countries whose laws I might be able to research?” 

Leveson Press Inquiry Graham Smith, submission on internet jurisdiction, September 2012

The third option may be possible, including at the level of individual posts, on platforms where tools or geofencing plug-ins are available. In my 2012 submission I assumed that the whole blog would have to be geofenced. Whether it is a good thing to incentivise individual users to geofence is a matter for debate.

Positive conduct and the targeting test

One approach that has held out some promise of evolving into a workable compromise is the targeting test. 

2004

"From the earliest days of the web, lawyers have asked whether the worldwide availability of a website should of itself be sufficient to trigger worldwide liability. If not, what is the appropriate rule for the internet? A pure country of origin approach is politically difficult to achieve, whereas a country of destination approach exposes online actors to an unreasonable degree of liability. This article discusses whether a directing and targeting rule promises an acceptable solution, and if so how such a test should be formulated in order to prevent it degenerating into a country of destination rule.

In general, if a directing and targeting test is to draw an appropriate balance between country of origin and country of receipt, and discourage the erection of national borders in cyberspace, a finding that a website has targeted a particular country should be founded only on positive acts of the website proprietor, not on omissions to act.
...
To require evidence of positive acts is, in the context of the on-line environment, a close analogue to the original assumption underlying many of the rules written for the off-line world, that a trader did not without taking some positive step engage foreign laws and jurisdictions.”

Directing and Targeting - the Answer to the Internet's Jurisdiction Problems? (Graham Smith, Computer Law Review International 5/2004 129-170 May 2004)

2007

“A properly formulated targeting test would mean that, for instance, the court in the French Yahoo! case could not have found that the mere display of Nazi memorabilia was sufficient to violate French law, without some element of targeting or direction at France. Nor would it have been open to it to find jurisdiction, as it did, on the basis that because Nazi memorabilia were of interest to all, the areas containing those items were directed at all countries simultaneously including France. However, it might still have been possible for a court to find that Yahoo's serving up of French banner advertisements to French IP addresses would satisfy a "directed at" test."

Here, There or Everywhere? Cross-border Liability on the Internet (Graham Smith, 2007 C.T.L.R. 41)

2017

"The targeting approach occupies a middle ground, prescribing legal consequences for localisation but stopping short of incentivising or compelling fragmentation. Targeting holds out some promise of allowing national law to be upheld in circumstances when many would think it reasonable that it should do so, while also reducing incentives to fragment the internet. 

However the targeting approach can fulfil this promise only if it is formulated in a way that does not slip towards the country of receipt end of the spectrum. If, for instance, a French blogger writing in English were taken to be targeting all English speaking countries by virtue of using the English language, or the whole world by writing about topics of international interest, that would be a targeting approach in name only. A targeting approach still requires an underlying commitment to jurisdictional self-restraint on the part of the legislatures and courts that implement it."

Cyberborders and the right to travel in cyberspace (Graham Smith in The Net and the Nation State (ed Kohl, 2017) Chapter 9).

2026

“Directing and targeting of activities has long been thought to be an appropriate ground on which to assert jurisdiction over internet actors.”


Extraterritoriality and the transatlantic free speech wars Cyberleagle, February 2026

Co-opting online intermediaries

Whilst I took issue with Max Mosley’s 2012 visibility test (above), he was not wrong to say that search engines and service providers would be seen as best able to prevent breaches of the law outside the country of origin of the original post.

Co-option of online intermediaries brings into play an important distinction between initial jurisdictional competence and the territorial reach of the measures that a court or regulatory authority may decide to take when exercising that jurisdiction. Court cases seeking to co-opt intermediaries typically boil down to the latter: should a court that has assumed jurisdiction make an order with extraterritorial effect? 

The Canadian Google v Equustek and Australian eSafety Commissioner v X cases took different approaches to that question, the latter having more regard to the effect on individual users in other countries. Two CJEU cases have also considered the question: Google v CNIL (C-507/17, 10 January 2019) and Glawischnig-Piesczek v Facebook Ireland Limited (Case C-18/18, 3 October 2019). 

2017

"When faced with a bad actor, an ugly set of facts and a demand for an effective remedy it is all the more important that a court should anxiously examine the basis for exercising its power and carefully identify and balance competing factors, even – perhaps especially - where the internet is concerned. …

Where an apparent bad actor thumbs its nose at the court’s authority it is perhaps unsurprising that if a well-resourced global intermediary is haled into court, apparently able to take steps to mitigate damage to the plaintiff at little inconvenience to itself, the tribunal may (if satisfied that it has the power) be inclined to enlist its assistance.

Nevertheless if a future court should contemplate a similar order then a more detailed identification of the rights and interests involved, analysis of any territorial aspects of those rights and consideration of the freedom of speech rights of internet users separate from the sensibilities of states may be key to arriving at an appropriate outcome.”

Worldwide search de-indexing orders: Google v Equustek Cyberleagle, July 2017

2024

“A notable aspect of these passages [in the judgment of Kennett J in eSafety Commissioner v X Corp [2024] FCA 499] is the approach to comity of nations, especially in the balance of convenience section which refers to the effect on millions of people unconnected with the litigation. It stands in significant contrast with the approach of the Canadian Supreme Court in Equustek (a trade mark and confidential information case).”

Internet jurisdiction revisited Cyberleagle, May 2024

The UK Online Safety Act also illustrates the distinction between initial jurisdictional competence and territorial scope of measures: Ofcom is granted regulatory competence over certain intermediary services on the basis of whether the service is 'UK-linked', as defined by the Act. However Ofcom can enforce duties against a service provider only in relation to the design, operation and use of the service as it affects United Kingdom users of the service.

Domestic superiority versus peaceful co-existence

The comments of the French court in LICRA/Yahoo! remain a paradigm example of a national authority asserting the superiority of its local laws over those of another country. That, however, is not a recipe for peaceful co-existence. A measure of jurisdictional self-restraint is required.

2017

"Ideally, in a world of mutually respectful nation states, each country’s legal institutions would behave with modest self-restraint when asserting jurisdiction over cross-border online conduct. They would seek at most to govern activities within the country’s own borders or with an overwhelmingly strong domestic connection. They would refrain from asserting the superiority of their own laws over those of any other country that adhered to core human rights norms. Each country’s institutions would strive to avoid imposing their own country’s laws on activities abroad, either directly or through consequential effects in other countries. Such self-denying behaviour tends to encourage porous or open borders.

At some risk of caricature, in the real online world nation states tend to view the internet as little more than a device designed to undermine the efficacy of their domestic laws. In this view of the world visibility of foreign content is equated to importing the alien laws under which it was made. The parochial temptation to reach out and assert jurisdiction over merely accessible foreign content that contravenes a state’s domestic norms can be all but overwhelming. Laws may be asserted extraterritorially via broad concepts of location of activity and attenuated domestic connecting factors. Self-denying principles, such as that a state should refrain from doing that which it would not have done to it, waver in the face of foreign content that affronts local values. Giving maximum effect to local law may be articulated as a matter of national or regional honour.
...
Targeting rules and country of origin rules both imply recognition that the emancipated internet user’s home state should not seek to impose on its people a total monopoly of local laws in order to insulate them from foreign information– a policy that in the pre-internet physical world was attempted only in the most repressive states. We could go so far as to say that by keeping information out we keep people in: we erect not just a border but a virtual Berlin Wall. There is a risk that states, reacting fearfully and defensively to the inherent global nature of the internet, may adopt a policy of seeking to erect closed borders which are less porous than their pre-internet physical equivalents. By doing so they would deny their people the right to travel in cyberspace.”

Cyberborders and the right to travel in cyberspace (Graham Smith in The Net and the Nation State (ed Kohl, 2017) Chapter 9).

2017

"In one respect we have made progress since 1996. In an increasing number of subject matter areas a targeting test has been held (at least within the EU) to define the territorial scope of a right. Targeting rules hold out the prospect of something approaching a peaceful co-existence regime. Properly formulated and applied, a targeting test (a) lays down that mere accessibility does not trigger the laws or jurisdiction of another country and (b) requires relevant positive conduct, not mere omission, in order to do so.

However, the furore that periodically erupts around cross-border internet cases shows that there is still little consensus on these issues. Nuanced approaches may be at greatest risk of being jettisoned when the law in question is said to embody a core value of the state asked to adopt an expansive jurisdictional stance. That is also the time when greatest care should be taken not to let enthusiasm for the perceived merits of domestic law override respect for the different laws of other countries and the principle of peaceful co-existence.”

21 years of cross-border liability on the internet Cyberleagle, August 2017

2018

“Jurisdiction rules are about resolving friction between different legal systems in as agnostic a way as possible, not about ensuring that the best (in someone’s view) law wins.

The jurisdictional problems of the internet manifest themselves in both underreach and overreach. There are situations where arrangements between states are no longer providing adequate means to obtain evidence to support criminal investigations. We can no longer assume that the evidence relating to a domestic crime will be held domestically. It could as easily be in a data centre abroad. That would suggest a need to improve procedures for obtaining cross-border evidence.

Conversely, we have situations in which domestic legislatures, agencies and courts are at risk of overreaching in the cause of giving maximum effect to their local laws. That can result in the de facto imposition of those laws in countries with different laws. The concern here is the need for jurisdictional self-restraint.

The challenge is to forge rules that enable cross-border reach when appropriate, yet prevent the exercise of jurisdiction when not appropriate.

The premise of jurisdiction rules is that nation states have different laws. The objective where the internet is concerned should be to achieve peaceful co-existence between conflicting national regimes while protecting to the greatest possible extent universal values such as freedom of expression and privacy.

Peaceful co-existence cannot be achieved without compromise. That means taking a broader view than simply a laser-like focus on securing the effectiveness of one country or region’s most cherished laws. It may mean accepting that your country’s citizens can, if they try hard enough, find somewhere on the internet content that complies with another country’s laws and not your own.”

Peaceful coexistence, jurisdiction and the internet Cyberleagle, February 2018

Peaceful co-existence, however, remains far from the norm:

2026

“The transatlantic free speech wars continue to rage.


Some, no doubt, will be tempted just to plump for one side or the other, motivated by partisan preference for the EU, UK or US approach to governing speech and online platforms, by broader political affinities, or by views on the propriety or otherwise of deploying visa sanctions for this kind of purpose.

Tempting as that may be, simply to declare 'four legs good, two legs bad' will not do when it comes to considering international law rules and extraterritoriality. Taking sides based purely on a preference for the Digital Services Act or the Online Safety Act over the US First Amendment, or vice versa, does not address the underlying legal issue: how, in the inherently cross-border online world, to go about drawing boundaries - or at least minimise friction - between different national or regional legal systems. A more analytical approach is called for.


The more tenuous the connection and the greater the cross-border reach, the more exorbitant the claim to jurisdiction and the less likely that the extraterritoriality can be justified. 

That is the theory. In practice, the customary norms of international law tend to be distinctly malleable and, when push comes to shove, to merge into geopolitics.”

Extraterritoriality and the transatlantic free speech wars Cyberleagle, February 2026




Wednesday, 6 May 2026

Britannia rule the internet

Coined in 1740, ‘Britannia! rule the waves’ was a dawn-of-Empire exhortation to assert British naval power worldwide. Today, the Law Commission exhorts Britannia (or England and Wales, to be exact) to rule the internet worldwide: 

“In our view, contempt laws should apply to all material that is accessible in England and Wales.” (Part 1 Report on Liability for Contempt of Court, November 2025 [4.173])

The proposed law in question ('contempt by publication') would apply to publication of material that created a substantial risk that the course of justice in active legal proceedings in England and Wales would be seriously impeded or prejudiced. Fault would be established where the defendant knew the proceedings were active or was aware of a risk that they were active.

The Report goes on:

“Given that the risk to the interference with the interference of justice may arise when material is accessible, it is necessary and proportionate for the protection of fair trial rights that the law does not preclude liability on the grounds that the material was uploaded outside the jurisdiction. This broad approach lends itself to clarity, certainty and consistency in the law. Using a VPN or moving briefly into another jurisdiction should not be left open as methods for people ordinarily resident in England and Wales to attempt to avoid liability.” [4.173]

It is a defining feature of the internet that material is inherently accessible worldwide unless positive steps, such as geofencing, are taken to limit its accessibility. Accordingly the Law Commission’s proposal equates to default world-wide applicability. The Report explains further:

“An approach that imposes liability regardless of where and how material has been made available ensures that enforcement is possible in the widest range of circumstances where potentially prejudicial material is available to an audience in England and Wales. Even where enforcement is impractical or not possible, this approach signals that the right to a fair trial is nevertheless important and should be protected.” [4.174]

As well as recommending world-wide online application, the Law Commission has proposed that a single set of liability rules should apply to both publishers and distributors. On the face of it the resulting regime could, de facto, oblige at least some platform operators to monitor for potentially prejudicial user posts if the operator is aware of proceedings being active or of a risk that they are active. However, this aspect of the proposals is not simple. It may be the subject of a future blogpost.

These are not the most auspicious times in which to be proposing world-wide applicability of local laws. The current US administration has, justifiably or not, loudly criticised the extraterritorial reach of European (including UK) online safety laws. None of those laws, it should be said, goes so far as to assert jurisdiction based on mere accessibility of the content.

How to approach cross-border liability on the internet has been a lively topic of academic discussion for many years. For instance in Solving the Internet Jurisdiction Puzzle (2017) Professor Dan Svantesson proposed, as an alternative to the traditional approach rooted in territorial sovereignty, a framework consisting of three core principles upon which exercising jurisdiction could be justified:

(1) There is a substantial connection between the matter and the state seeking to exercise jurisdiction;

(2) The state seeking to exercise jurisdiction has a legitimate interest in the matter; and

(3) The exercise of jurisdiction is reasonable given the balance between the state’s legitimate interests and other interests.

For present purposes the significance of this suggested framework lies mainly in the third principle: it is not enough to consider jurisdictional reach only through the domestic lens of the state asserting jurisdiction. Other interests also have to be considered: typically those of states whose sovereignty may be affected and of persons overseas who may feel incentivised or compelled to modify their conduct as a result of the assertion of jurisdiction, especially if that conduct is lawful in their own country.

In the traditional framework the starting point would be to consider whether the jurisdiction asserted is extraterritorial, and if so to consider whether it can be justified under one of the categories recognised by international law. Questions of reasonableness may arise as part of that assessment, or otherwise as a matter of comity: due respect for the sensitivities of other nation states.

Although principally a state-centric doctrine, comity encompasses the interests of non-state persons in other countries. In a 2024 Australian case concerning the extraterritorial reach of Australia’s online safety legislation, Kennett J. said:

“In so far as the notice [given by the eSafety Commissioner] prevented content being available to users in other parts of the world, at least in the circumstances of the present case, it would be a clear case of a national law purporting to apply to “persons or matters over which, according to the comity of nations, the jurisdiction properly belongs to some other sovereign or State”. Those “persons or matters” can be described as the relationships of a foreign corporation with users of its services who are outside (and have no connection with) Australia. What X Corp is to be permitted to show to users in a particular country is something that the “comity of nations” would ordinarily regard as the province of that country’s government.” (eSafety Commissioner v X Corp [2024] FCA 499, [50])

Worldwide mere accessibility as the jurisdictional threshold is likely to raise comity issues, most obviously with countries that take a significantly less strict approach to commenting on court proceedings; perhaps all the more so if world-wide accessibility is combined with some variety of platform monitoring obligation. Conversely, since comity is founded on mutual respect, some countries might see a precedent for giving their own contempt laws worldwide effect.

Notably, in its response to the Law Commission's July 2024 consultation the Attorney General’s Office suggested that “expanding contempt jurisdiction to cover publication abroad for a foreign audience would breach principles of international comity”. (Report [4.165])

How did the Law Commission arrive at its conclusions? Its work on contempt has a long history, stretching back to a previous Report on Contempt of Court: Juror Misconduct and Internet Publications, published in December 2013 following a 2012 consultation paper. That Report included a defence for prior-published items, which could be disapplied by a notice given by the Attorney General. It was included in the next Criminal Justice and Courts Bill, but then dropped following opposition from, among others, the Society of Editors.

After a gap of nearly ten years the Law Commission commenced a review of contempt of court in 2022. That led to a Consultation Paper in July 2024, a supplementary Consultation Paper in March 2025, and the Report (Part 1) on Liability in November 2025. A further report dealing with remaining issues will be published this year.

The Law Commission’s starting point is that the current law is unclear about its territorial ambit. But exactly how the law should be clarified has been difficult to pin down from the outset. The 2012 Consultation Paper posited, as examples, three possible approaches to publication:

(a) production within England and Wales,

(b) targeting a section of the public in England and Wales, or

(c) mere accessibility in England and Wales.

The 2013 Report summarised a mixture of consultation responses and recommended that the issue be addressed in a future project on social media.

Some years later, the Law Commission considered territorial scope of a new harmful communications offence that it proposed in its 2021 Report on Modernising Communications Offences. It settled on a test of habitual residence. It made no specific extraterritoriality recommendation in its subsequent 2022 report on Intimate Image Abuse, inviting the government to consider whether the new offences proposed would benefit from specific extra-territorial statutory provision.

The July 2024 Contempt Consultation Paper provisionally recommended that territoriality should be clarified. It identified three principal options:

(a) Place of publication irrelevant (i.e. mere accessibility).

(b) Production or uploading in England and Wales.

(c) As per (b), or production or uploading outside England and Wales by a person habitually resident in England and Wales, or by an organisation with a place of business within England and Wales.

So, compared with the 2012 Consultation Paper a decade earlier, in July 2024 the Law Commission in effect borrowed the habitual residence option from its previously proposed harmful communications offence and dropped the targeting option. The Law Commission’s view was now that the third option might be preferable, but it had not reached a firm provisional conclusion.

Given that in the broader online world targeting is often seen as a reasonable online jurisdictional compromise, it might be asked why the Law Commission dropped it as a provisional option. The Consultation Paper did not give specific reasons, other than noting that only three responses to the 2012 consultation had been in favour of targeting.

However, targeting then reappeared in the November 2025 final Report:

4.165 Where a more limited approach was favoured then it often took as the discriminating factor whether there was an intention that the publication would reach an audience in England and Wales.

For example, the University of Sheffield CFOM argued that liability should attach also “to any publication accessible in England and Wales, wherever it was produced or uploaded, and whoever produced it, if it was primarily targeted at a section of the public in those two nations”.

The Attorney General’s Office (AGO) said “the administration of justice in England and Wales should seek to protect itself against substantial interference, regardless of the place of publication” but also suggested liability should be limited to circumstances “where the publisher intended that the publication would be accessed by members of the public in England and Wales”.

Gavin Sutter favoured the approach of section 19(11) of the Online Safety Act 2023, which attaches liability to “UK-linked” publications. This refers to publications which have the UK as a target market or their sole target market, or where “the content is or is likely to be of interest to a significant number of UK users”.  

The opening sentence could be taken as suggesting that targeting is a matter of subjective intention. Similarly, the conclusion states:

4.173… A requirement to prove an intention to reach people in England and Wales would add complexity to the law. It may become increasingly challenging as technology evolves and new ways of masking one’s location or reaching audiences become available. The words “addressed to” in the existing definition do not necessarily import a requirement to prove intention, but a definition that does not rely on those words would avoid the risk of an inadvertent limitation.

However, a targeting test does not have to involve proof of subjective intention. There is a wealth of caselaw in, among other fields, intellectual property law (especially trade marks) that treats targeting as an objectively ascertainable matter. If the Report’s rejection of targeting was predicated on an assumption that subjective intention is a necessary component of a targeting test, that would be unfortunate. But we do not know.

Of course, given its stated policy reasons regarding the importance of a fair trial, the Law Commission might have opted for mere accessibility and worldwide application whatever its understanding of targeting.

The question of reasonableness from the perspective of foreign states and private persons is an undercurrent to the Law Commission's efforts to wrestle with the question of territorial reach since its first consultation paper in 2012. The 2012 paper started with the criminal law, noting that "the complexity in applying these principles of jurisdiction to crimes committed via the internet cannot be understated." As regards contempt under the existing 1981 Act, it observed that:

"There do not appear to be any reported cases of section 2 with a cross-frontier element. It is certainly possible to conceive of circumstances in which they might arise. For example, a US tourist might be murdered in England and Wales in such newsworthy circumstances as to be prominently featured on US news websites. These could be accessed in England and Wales and might give rise to a substantial risk of serious prejudice or impediment at trial. It is unclear whether liability for contempt might arise in such circumstances on the basis of the accessibility of the publication in England and Wales."

The 2012 consultation paper, like the Law Commission's subsequent publications, offered examples with varying degrees of connection to England and Wales. However, reasonableness from the perspective of foreign states and private persons remained an undercurrent, rather than being brought to the surface and analysed in terms of international law and comity.

Ultimately, the policy reasons that the Law Commission has finally relied upon are domestically focused. They do not go into the broader cross-border legal and geo-political aspects that a full discussion of international law and comity could have illuminated.

Such an analysis would have involved considering whether it is reasonable, from the perspective of the foreign state and its citizens, to impose ‘mere accessibility’ liability on persons in another country. It would require consideration of the position of a variety of potential actors: mainstream foreign press and media, individual bloggers and posters, and online platforms. 

Analysis of the question of reasonableness might not be the same for all actors. For instance, in 2006 the New York Times blocked UK access to an article on its website, out of concern for possible breach of UK contempt laws. Its spokesperson said:

"We're dealing with a country that, while it doesn't have a First Amendment, it does have a free press, and it's our position that we ought to respect that country's laws"

But what might be reasonable for the mainstream press might not be reasonable for an individual person. Reasonableness could also be affected by the liability threshold proposed for each kind of actor.

Reasonableness arguments would not necessarily be all in one direction. For instance it might be suggested that broad extraterritoriality could in some circumstances be reasonable for an individual foreign user: that if you choose to discuss publicly proceedings that are self-evidently active in another country you knowingly take a risk as regards that country’s contempt laws. That could lead into human rights questions about the foreseeability of other countries’ laws: an analysis that could differ as between individuals, businesses and professionals (Perrin v UK, ECtHR 18 October 2005).

Reasonableness could also be affected by technical ability to geofence specific material, collections of material or an entire site. Such ability could well be different for different kinds of actor.

However, the Report and its precursors do not go into the kind of detailed balancing of domestic against foreign interests implied either by Professor Svantesson's third principle or by comity.

These issues are certainly not simple. A balancing exercise might or might not result in a different conclusion for some or all kinds of actor. But such an exercise would require consideration of the issues from the foreign perspective. To look at the matter simply through a domestic lens does not do full justice to the broader comity and related issues surrounding cross-border internet liability.


Monday, 23 February 2026

Safety by design or systems for content moderation?

The Online Safety Act Network (OSAN) recently published a 10-point plan to amend the Online Safety Act. The plan includes:

“Insert a definition of safety by design into the Act to make clear to Ofcom and services what Parliament intended”.

From a technical drafting perspective clarification might be welcome. The Act says that it “seeks to secure that regulated services are safe by design”. That was added at the last minute in a clause describing the overall purpose of the legislation, but which lacked any definition of ‘safe’ or ‘safe by design’. I discussed here the undoubted difficulties in interpreting what is now Section 1 of the Act.

Of course, before we can craft a definition of safety by design we have to know what it is intended to mean. For myself, I have always regarded much of the theory underlying safety by design as fragile, at least within the context of the Online Safety Act. But putting those doubts on one side, I did think that I had a reasonable idea of what safety by design was intended to be about.

Now I am not so sure.

To recap, this is how I thought safety by design was meant to apply to regulation of online platforms:

  • Safety by design requires safety to be considered at the design stage, not as an afterthought.
  • Safety by design should then be applied iteratively via periodic risk assessments, incorporating feedback learned during operation of the service.
  • Safety by design focuses on platform systems and processes, identifying and addressing those that create or exacerbate a risk of harm (however defined).
  • Safety by design is not, or at least not primarily, about systems for content moderation.
  • Safety by design favours non-content-specific, systems-focused measures.
  • Safety by design is not about automated content detection and filtering.

Safety by design proponents have long criticised the Online Safety Act for being too content-focused. Rather than more and better content moderation, platforms should have to design safety into their systems and processes from the outset. This, so the theory goes, would result in less harm (however that might be conceptualised) occurring on platforms and less need for ex-post content moderation.

There have been variations on these themes: for instance, that a systems focus can include friction measures targeted at specific kinds of content, but which stop short of requiring removal; or that measures can focus on harm arising from certain kinds of content without focusing specifically on the content itself.

Nevertheless, as a general proposition I understood safety by design (a.k.a. ‘systems and processes’) to be about addressing from the outset the design of risk-creating system features, combined with a preference for non-content-related or content-agnostic measures over content-specific measures.

If that is right, safety by design has two elements. It articulates a general approach to safety but is also exclusionary: systems for content moderation (or at least automated filtering systems) are not a safety by design measure. The UK government, it should be said, has taken the opposite view. It regards automated content filtering as a safety by design measure. That is the most obvious difference of view that, if I am right in my understanding of safety by design, would have to be resolved in crafting a statutory definition.

To the extent that safety by design proponents embrace systems for content moderation, that has tended to be as a fall-back for where safety by design measures have not squeezed harm out of the system.

Thus Professor Lorna Woods’ October 2024 paper for OSAN, Safety by Design, although allowing for the possibility of ex post measures as a residual measure, differentiated that from a primary focus on design choices:

“At the moment, content moderation seems to be in tension with the design features that are influencing the creation of the content in the first place, making moderation a harder job. So a ‘by design’ approach is a necessary precondition for ensuring that other ex post responses have a chance of success.

While a “by design” approach is important, it is not sufficient on its own; there will be a need to keep reviewing design choices and updating them, as well as perhaps considering ex post measures to deal with residual issues that cannot be designed out, even if the incidence of such issues has been reduced.”

She distinguished safety by design from techno-solutionism:

“Designing for safety (or some other societal value) does not equate to techno-solutionism (or techno-optimism); the reliance on a “magic box” to solve society’s woes or provide a quick fix. Rather, what it acknowledges is that each technology may have weaknesses and disadvantages, as well as benefits. Further, the design may embody the social values and interests of its creators. A product (or some of its features) may be part of the problem. The objective of “safety by design” is – like product safety – to reduce the tendency of a given feature or service to create or exacerbate such issues.” (emphasis added)

One might think that automated content filtering is the paradigm example of regulatory techno-solutionism. Indeed, as to the Online Safety Act itself, Professor Woods noted its emphasis on systems for content moderation:

“What is rather more explicit in the [Online Safety Act] safety duties is the focus on filtering and moderation, which may have a design element (i.e. the tools are made available within the system and designed to work with the system) but seem more ex post in the way they work.”

Elsewhere Professor Woods has included reactive content take-down systems within safety by design, but as the “last port of call”. (Introducing the Systems Approach and the Statutory Duty of Care (chapter in Perspectives on Platform Regulation, Nomos, 2021).)

We can find other examples of safety by design proponents expressing concern about the Online Safety Act’s focus on systems for content moderation.

Carnegie UK was OSAN’s online safety policy predecessor and, through the work of Professor Woods and William Perrin, was the originator of the proposal for a statutory duty of care. Carnegie UK said in its June 2019 submission to the Online Harms White Paper consultation:

“Worryingly, there are references to proactive action in relation to a number of forms of content (and not just the very severe child sexual abuse and exploitation and terrorist content) which in the light of the emphasis in the codes could be taken to mean a requirement for upload filtering and general monitoring to support that.”

Demos’ submission to the draft Online Safety Bill Committee in September 2021 identified as a primary risk:

“A focus on regulation and moderation of content rather than platform systems which affect the risk of harm arising from that content” (emphasis in original)

and said:

“Although the Bill sets out a systems-based approach, there is a focus on reducing harm through content takedown measures, measuring the incidence of harms online and a focus on enforcing terms and conditions. ... we are concerned that in implementation this will turn into a ‘content-based approach’ by proxy, by prioritising the regulation of content moderation systems above other systems and design changes.”

Demos' April 2022 position paper on the Online Safety Bill argued that:

“The Bill treats a ‘systems’ approach as meaning a ‘systems for dealing with content’ approach…”

The Demos position paper also expressed particular concern about the “strong risk of infringing on either privacy or freedom of expression” in Ofcom’s ability to require use of proactive content moderation technology.

The 5Rights Foundation’s response to Ofcom’s final Illegal Harms Code of Practice in December 2024 said:

“The legislation has a clear objective that services are made “safe by design” but the majority of Ofcom’s proposed measures are not designed to prevent harm occurring in the first place – instead focusing on content moderation and reporting tools. While greater requirements on governance and accountability are welcome, this in itself will not ensure safety by design.”

If content-focused measures, or at least automated filtering, are not a variety of safety by design then a definition of safety by design for insertion in the Act could be expected to exclude measures of that kind; albeit how it could do so when the Act specifically contemplates the imposition of automated content detection and filtering is a conundrum. 

But since the government officially regards automated content filtering as a safety by design measure, it would seem highly unlikely that a definition contradicting that could find its way into the Act.

Ofcom’s Online Safety Act implementation

With the closing of Ofcom’s Summer 2025 consultation on additional safety measures, we can assess how far the Code of Practice measures recommended or proposed by Ofcom to date are – and are not – focused on systems for content moderation.

The consultation in fact provides a dual opportunity: to analyse Ofcom’s existing and proposed measures from a safety by design perspective, and to look at how safety by design proponents have reacted to Ofcom’s newest proposals for automated content filtering (in Ofcom terminology, ‘proactive technologies’).

Non-content, reactive content-related and proactive content-related

How far have non-content safety by design principles found expression in Ofcom’s implementation of the Online Safety Act?

Regardless of whether there is overlap between systems measures and content moderation measures, we can still conceive of functionality-oriented measures that do not require the platform to make judgements about content, nor involve directly limiting dissemination of content at all. A friction measure such as a warning ‘Did you mean to post without reading the linked article?’ would be an example of such a non-content measure.

Thus we can break down the measures so far recommended or proposed by Ofcom into non-content and content-related. The latter can be further divided into reactive and proactive.

In total, across the Illegal Content, Protection of Children and draft Additional Measures Codes for U2U services, there are (on my reckoning) 73 non-content measures, 27 reactive content-related measures and 12 proactive content-related measures. For illegal content, most of the proactive measures are contained in the Additional Measures consultation and are based on content detection and filtering technology of various kinds.



However, a closer look at the 73 non-content measures reveals that 50 of them are administrative, procedural or information provision: appointing an accountable individual, preparing various written documents, training, complaints and appeals procedures, publishing user support materials and so on. Whilst those are aspects of wider systems design, non-content measures addressed to features and functionality are of more immediate interest.

That leaves 23 non-content measures: 11 in the Illegal Content codes, all of which relate to children (in two cases only partially), and 12 in the Protection of Children codes.



Most of the 23 non-content measures concern technical functionality of the platform. The measures are limited (as required by the Act) to UK users and relate to:

  • Implementing an age-assurance process (ICU B1, PCU B1)
  • Use of highly effective age assurance (HEAA) (PCU B2 to B7) (Age assurance does of course indirectly affect the content available to users who are not verified as over-18, as the result of content-related measures predicated on age assurance.)
  • Safety defaults for child users concerning connection lists, account recommendations and direct messaging (ICU F1)
  • Removal of five kinds of functionality from child-user livestreams (ICU F3)
  • Options for user account blocking, disabling comments (for child users, or in some circumstances all registered users) (ICU J1, ICU J2)
  • Enabling children to give negative feedback on content recommender systems (PCU E3)
  • Providing information to children, when they restrict content or interactions with other accounts, as to the effect of doing so and further options available (PCU F2)
  • Options for user blocking and muting, disabling comments (users not determined to be adults by use of HEAA) (PCU J1, PCU J2)
  • Positive consent to group chat invitations (users not determined to be adults by use of HEAA) (PCU J3)

These examples illustrate that non-content measures are feasible, albeit some of those measures are, at least in part, precursors to content-related measures. Most obviously, age assurance underpins not only some of the non-content measures listed above, but also measures about content that should be hidden from under-18s.

Generally, it is striking how many of Ofcom’s non-content functionality measures are concerned with denying functionality to, or to interactions with, under-18s.

As to content-based measures, the Additional Measures consultation marks a decided shift towards automated content detection. Should these be welcomed as a version of safety by design, deprecated as systems for content moderation, or regarded as a means of addressing residual issues that cannot be designed out?

Safety by design or ex-post?

OSAN’s cross-cutting response to Ofcom’s Additional Measures consultation takes issue with Ofcom’s description of some content-related measures, including proactive technology, as being ‘safety by design’:

“While some of the proposed measures - including automated content moderation (para 1.51) and livestreaming (p27) - are framed by Ofcom as being “safer by design”, these are primarily about ex-post mitigations for harmful content (reporting content, or relying on user action after harm has occurred) or introducing a form of safety tech (proactive tech measures) rather than embedding safe design at the level of systems and processes. There is still no understanding of what good service redesign should look like to ensure a more holistic orientation towards safety.” (emphasis added)

However, OSAN’s companion detailed response to the Additional Measures Consultation characterises Ofcom’s proactive technology proposals as safety by design:

“We broadly support the move towards requiring proactive technology as a safety-by-design approach to user safety”.

The detailed response (but not the cross-cutting response) would therefore seem to endorse the government’s view of safety by design.

OSAN also suggested that Ofcom’s principles-based proactive technology proposals could be extended to include intimate image abuse.

Recommender systems

The Demos Digital submission endorsed Ofcom’s proposed content-specific approach to recommender systems:

“The Demos Digital team agrees with Ofcom’s proposal to exclude illegal content from recommender systems until the content has been reviewed by content moderation teams.”

After pointing out that “Automated content identification tools are known to struggle with reliability and bias”, Demos Digital then suggested improvements including:

“Because of these risks of inconsistency, Ofcom should provide specific guidance for platforms’ responsible use of automated content identification tools, including: transparency reporting; quality control standards for automated identification systems, including bias, reliability and accuracy; impact assessments for evaluating the automated systems; and model parameters for identifying illegal content. We believe this would alleviate some of the risks of automated content identification systems – such as inconsistencies, inaccuracies, and bias – which could result in the over-exclusion of legal content, or under-exclusion of illegal content.”

At the level of principle it is difficult to see how this reflects a systems-based approach, other than in the sense of systems for moderating content.

Parenthetically, even if a tendency to bias could be alleviated, there is still the insoluble problem that automated content identification tools do not have access to off-platform contextual information that can affect the legality of the user content in question.

In its comments on recommender systems OSAN supports limitations on the reach of “content that is harmful in nature”, if accompanied by freedom of expression safeguards such as explanations of how the systems work in practice, and notification of creators when their content is affected so as to allow them to use complaints and appeals processes.

Live-streaming

For live-streaming, OSAN has suggested some concrete ways in which Ofcom’s proposed Additional Measures could go further: building in a delay to livestreaming and turning off livestreaming by default for under-18s or under-16s. It describes these as safety by design measures:

“15. Ofcom’s proposals focus on responding to harm after it occurs and content moderation rather than preventing it in the first place. There is no requirement for live-feed delays, which are standard practice in traditional broadcasting, to prevent harmful or illegal content from being aired in real time. Safety-by-design means including proactive measures such as time-delay buffers and real-time risk assessment. There is plenty of guidance available to broadcasters on this topic.” (emphasis added)

However, it then describes them as ex-post measures:

“17. More broadly, we would recommend that Ofcom consider a greater array of ex-post features - e.g. borrowing from broadcasting good practice and building more delay into a live stream as a feature.” (emphasis added)

Is time delay an example of safety by design or an ex-post feature? The distinction would not necessarily matter much, were it not for the fact that a statutory definition of safety by design is proposed. But either way, although a time delay is of itself a non-content measure, its purpose is to enable the platform to make judgements about the content being live-streamed and (if thought necessary) to shut down the stream. OSAN describes that as real-time risk assessment. In the context of the Act, those would have to be judgements about illegality or (for child-accessible streams) content harmful to children.

For children, OSAN contemplates a non-content-related measure: turning live-streaming off by default for children, whether under-16 or under-18. It also observes that “A strong understanding of safety-by-design would mean that where livestreaming cannot be delivered safely it shouldn’t be in place.”

Finally, OSAN cites Ofcom’s proposed limitation on livestream screen capture and recording for under-18s (part of ICU F3) as an example of friction.

Safety by design in context

As implementation of the Online Safety Act has progressed, it is perhaps not surprising if it has become less clear how safety by design should translate into concrete measures. The theory of online safety by design, founded on the notion of risk-creating features, was formulated in the context of a range of services and harms that differed greatly from those in scope of the Online Safety Act. The range of services within the Act is far broader and the kinds of harm are much more specific.

In July 2018 Woods and Perrin, working with Carnegie UK, proposed a:

“Virtuous circle of harm reduction on social media. Repeat this cycle in perpetuity or until behaviours have fundamentally changed and harm is designed out.” (Harm Reduction in Social Media, 17 July 2018)

As to kinds of services, the proposal was aimed at around 10 social media companies each with over 1 million users. By January 2019, after discussion with various stakeholders, the authors had decided to extend the proposal to cover ‘social media and other internet platforms’ regardless of size. Now the Act covers an estimated 25,000 UK services (100,000 or more worldwide), 80% of which are micro-businesses (fewer than 10 employees).

On the face of it the underlying premise of the harm reduction cycle seems to be that what a user does on a platform is primarily the result of its design. However, the authors of the proposal say that their argument is not that we are 'pathetic dots' in the face of engineered determinism, but that the architecture of the platform nudges us towards certain behaviour (Woods and Perrin, Online harm reduction - a statutory duty of care and a regulator, April 2019.) 

Even if it can be said that algorithmically driven social media platforms nudge us towards certain behaviour, how would that apply outside that specific milieu, for instance to plain vanilla discussion forums? And if, even on those large social media platforms, design only nudges rather than determines user behaviour, how far can harm really be designed out of the system?

As to kinds of harms, the safety by design theory is premised on platforms being risk creators. We always then have to ask, risk of what? In the context of the Online Safety Act that means connecting a given feature to a created or exacerbated risk of one of the specific kinds of criminality in scope of the Act, or of specific kinds of content harmful to children.

Within the context of the Act, the theory has never been easy to render into concrete expression:

  • If the idea is that a user’s decision to post, say, an illegal offer to ferry illegal immigrants across the Channel is down to the design of the platform, that seems implausible.
  • If the idea is that platform design can prevent such content being encountered, but without descending into content moderation and filtering, how is that to be done? Similarly if the concern is to prevent specific kinds of content being repeated or stimulated.
  • If it means that recommender algorithms could be designed in ways that lessen the likelihood of their disseminating illegal content, it would have to be explained how that can be achieved without trespassing into content filtering.
  • If the idea is that platform functionality can be designed to make it harder or slower to post, share or comment on user content generally, or to impose volume limits (a ‘circuit-breaker’), that would fit the theory. However, that kind of friction measure would necessarily strike against desirable and undesirable content alike, raising human rights proportionality issues.
  • If the idea is that some functionalities should be banned, that would fit a version of the theory that holds that some functionalities cannot be designed safely. But the more general purpose the functionality in question, the greater the impact on legitimate content and the greater the human rights challenge.
  • If the idea is that harm to children can be prevented by platform design which, for instance, reduces opportunities for adults to contact children, that would fit the theory.

If no connection can be found between a given technical or business model feature of a platform and a risk of a user deciding to behave illegally in a particular way, then the regulator will look somewhere other than those design features to counter illegality: to other design features or, failing that, to systems for moderation. 

Professor Woods has suggested that designers should ask themselves: ‘What happens when the bad people get hold of this feature?’ (Introducing the Systems Approach and the Statutory Duty of Care, ibid.) However, that question could be asked of any general purpose functionality, risk-creating or not. On the face of it the question is about possible uses, not whether the feature in question creates or exacerbates a risk of a particular illegal or harmful use. It could be asked of the very act of providing a forum to which users can post. If we are not careful, we rapidly fall into the trap of characterising speech as a risk, not a fundamental right.

It is telling that Ofcom adopted that same approach in its statutory Risk Register: rather than attempt to identify functionalities that inherently create or exacerbate risk of illegality or content harmful to children, it sought to identify features that are used by malefactors as well as by law-abiding users: correlation rather than causation. That led it to list as risk factors general purpose functionality such as the ability to create hyperlinks.

If safety by design turns out to be a poor fit with much of the Online Safety Act, it should be acknowledged that the originators of the safety by design theory never wanted illegality to be the touchstone in the first place. Professor Woods said:

“These categories of harm should be identified by reference to their impact on the victim, not by reference to whether the speech might be considered illegal or not.” (Introducing the Systems Approach and the Statutory Duty of Care, ibid.)

That risks a leap from the frying pan (attributing risk of illegal behaviour to a platform feature) into the fire (pursuing nebulous and subjective kinds of harm). That aside, it would be no surprise if the theory turns out not to map easily on to the Act. It is one thing to say that, for instance, chasing ‘Likes’ trains users to produce ‘response-creating content’ (Introducing the Systems Approach and the Statutory Duty of Care, ibid.). It is something else to show that a feature creates a risk of a user committing a specific criminal offence.

It may not be fanciful to think that something has got lost along the way from the 10 or so large social media platforms that the Carnegie UK authors had in mind for their original 2018 proposals, to the broad variety of 100,000 UK and overseas services in scope of the Online Safety Act. If, in essence, the theory was always really about large social media companies, their curation and engagement algorithms and their data-driven business models, it would not be a shock to find that it turns out to have little or no application beyond that.

For platforms where user agency is the predominant factor, and design decisions cannot realistically be regarded as likely to increase or decrease the likelihood of illegality or relevant content harm, logic would suggest that issues that cannot be designed out would most likely be at the forefront, not residual. A fruitless quest for specific illegality- or harm-inducing features could then easily result in a theoretical focus on systems and processes lapsing into systems for content moderation, thence to proactive content filtering technologies.

As to a statutory definition of safety by design, if systems for content moderation, including automated content filtering, are now to some extent embraced as an aspect of safety by design, it is difficult to see how a corresponding statutory definition could place meaningful limits on the kinds of concrete measures contemplated. It would also seem to have moved a very long way from the original conception of safety by design. 

If the reality is that we do not have a clear idea of how safety by design is meant to translate into concrete regulatory measures within the context of the Act, that would not be a good starting point for crafting a statutory definition.

The alternative, of course, is that I have always had safety by design wrong and that Parliament knew exactly what it intended in Section 1. If so, mea culpa.