The Risks of Internet Regulation

On March 14, the U.S. House of Representatives passed legislation that would, if enacted, force Chinese media conglomerate ByteDance to divest itself of TikTok or find the popular social media site banned in the United States. The fear that Beijing has access to the data of 170 million U.S. TikTok users and thus the ability to influence their information diet allowed the bill to sail through the House. The legislation’s approval demonstrates the adversarial nature of the U.S.-China relationship, but it also spotlights a trend in the democratic world of governments promising to transform the Internet from a zone of danger and disinformation to one of safety and trust.

This U.S. legislation, although draconian in its attempt to ban an entire platform, is not isolated. The European Union, the United Kingdom, and many other countries are also targeting online harms, including risks to children’s mental and physical health, hate-fueled incitement, and interference with democratic debate and institutions. These harms are compelling subjects of regulation, but tackling them must be consistent with democratic norms. Human rights law—the framework applicable in all democracies—requires at a minimum a demonstration of the necessity and proportionality of any restriction, along with precision and clarity to limit state discretion to enforce a rule at will. Although a focus on safety and trust is legitimate, it alone cannot succeed if it puts at risk individual rights, including the rights of minors, to freedom of expression, privacy, association, and public participation. When not carefully crafted or constrained, online speech regulation could be used to silence disfavored opinions, censor marginalized groups, limit access to information, and diminish privacy and individual security.

In response to public pressure to clean up the Internet, policymakers in Brussels, London, Washington, and beyond are following a path that, in the wrong hands, could lead to censorship and abuse. Some in Brussels, including in EU institutions and civil society, speak of “an Orban test,” according to which lawmakers should ask themselves whether they would be comfortable if legislation were enforced by Hungary’s authoritarian and censorial Prime Minister Viktor Orban or someone like him. This is a smart way to look at things, particularly for those in the United States concerned about the possibility of another term for former U.S. President Donald Trump (who famously, and chillingly, referred to independent media as enemies of the people). Rather than expanding government control over Internet speech, policymakers should focus on the kinds of steps that could genuinely promote a better Internet.

EUROPE’S MIXED MESSAGES

Europe has made the most promising and comprehensive effort to achieve its goal of an Internet that works for the public interest. The EU has for years been buffeted by arguments that the behemoths of social media—the most prominent of which are U.S. companies including Google, Meta, and X (formerly Twitter)—irresponsibly control the European information environment. Indeed, Brussels has long been concerned with corporate control of personal data, leading the European Court of Justice to establish an individual right to be forgotten against Internet companies in 2014. In 2015, the ECJ invalidated U.S.-European agreements on cross-border personal data transfers, and the temperature rose still further when terrorist and extremist violence broke out in Belgium, France, and Germany, which was alleged to have been facilitated by online communications. Some leaders, including in law enforcement authorities in the United States and Europe, pressed for restrictions on digital security tools including encryption, whereas others, including European commissioner Vera Jourova, have wrestled with a desire to establish rules over U.S. firms while also not wanting to establish, as they said repeatedly, a Brussels-based Ministry of Truth. The EU has thus taken a broad approach, combining privacy law, competition policy, media protection, and social media regulation to address the entire sector.

At the heart of Brussels’ approach to online content is the Digital Services Act. When negotiations over the DSA concluded in April 2022, European Commission Executive Vice President Margrethe Vestager exulted that “democracy is back.” For Vestager and her allies, the DSA asserts the EU’s public authority over private platforms. It restates existing EU rules that require platforms to take down illegal content when they are notified of its existence. In its detailed bureaucratic way, the DSA also goes further, seeking to establish how the platforms should deal with speech that, although objectionable, is not illegal. This category includes disinformation, threats to “civic discourse and electoral processes,” most content deemed harmful to children, and many forms of hate speech. The DSA disclaims specific directives to the companies. It does not require, for instance, the removal of disinformation or legal content harmful to children. Instead, it requires the largest platforms and search engines to introduce transparent due diligence and reporting. Such a step would give the commission oversight power to evaluate whether these companies are posing systemic risks to the public.

Politicization, however, threatens the DSA’s careful approach, a concern that emerged soon after Hamas’s October 7 terrorist attacks on Israel. Posts glorifying Hamas or, conversely, promising a brutal Israeli vengeance immediately began circulating online. Thierry Breton, the European commissioner responsible for implementing the DSA, saw an opportunity and, three days after the attacks, sent a letter to Elon Musk, the CEO of X, and then to Meta, TikTok, and YouTube. “Following the terrorist attacks carried out by Hamas against Israel,” Breton wrote to Musk, “we have indications that your platform is being used to disseminate illegal content and disinformation in the EU.” He urged the platforms to ensure that they had in place mechanisms to address “manifestly false or misleading information” and requested a “prompt, accurate and complete response” to the letters within 24 hours. Breton gave the impression that he was acting in accordance with the DSA, but he went much further, taking on a bullying approach that seemed to presuppose that the platforms were enabling illegal speech. In fact, the DSA authorizes commission action only after careful, technical review.

Although a focus on safety and trust is legitimate, it alone cannot succeed if it puts at risk individual rights.

Breton’s concerns were legitimate: Musk has decimated X’s content and public policy teams and disseminates hateful speech and disinformation; Facebook has a history of failing societies in the face of genocidal incitement; and YouTube has long been accused of allowing the worst sorts of disinformation to gain traction and go viral on its platform. Still, a global coalition of nearly 30 leading online free speech organizations, including Article 19, European Digital Rights, and AccessNow, responded quickly to Breton’s letters, expressing concern that he was opting for an approach of political demand over the DSA’s careful public assessment. The organizations argued that Breton conflated illegal content with disinformation, which is not subject to automatic removal but, instead, to risk assessment and transparency. The DSA requires platforms to act proportionately and with an eye to the protection of fundamental rights—not to act rashly in times of crisis or on the basis of unsubstantiated claims. Breton’s urgency, these organizations argued, could cause the platforms to remove evidence of war crimes, limit legitimate public debate, and censor marginalized voices. It reminded them of how authoritarian governments behave, with regular demands for content removal rather than what is promised by the DSA.

Breton showed that the DSA’s careful bureaucratic design can be abused for political purposes. This is not an idle concern. Last July, during riots in France following the police shooting of a youth, Breton also threatened to use the DSA against social media platforms if they continued to post “hateful content.” He said that the European Commission could impose a fine and even “ban the operation [of the platforms] on our territory,” which are steps beyond his authority and outside the scope of the DSA.

European legal norms and judicial authorities, and the commission rank-and-file’s commitment to a successful DSA, may check the potential for political abuse. But this status quo may not last. It is possible that June’s European Parliament elections will tilt leadership in directions hostile to freedom of expression online. New commissioners could take lessons from Breton’s political approach to DSA enforcement and issue new threats to the social media companies. Indeed, Breton’s actions may have legitimized politicization in ways that could be used to limit public debate rather than going through the careful, if technical, approaches of DSA risk assessment, researcher access, and transparency.

SAVE THE CHILDREN

Whereas Europe focuses on process, the United Kingdom’s attention is more directly on content. Its Online Safety Act, enacted in October 2023, places Internet harms at its center. The British government began considering online safety legislation in 2017 and, since then, has repeatedly pledged “to make Britain the safest place in the world to be online.” Although the Online Safety Act seeks to address many online harms, including terrorist content and harassment, nothing consolidated consensus in favor of the legislation as much as threats to children. In part, this is because of the attention generated by the 2017 suicide of 14-year-old Molly Russell. A 2022 inquest concluded that her death had been influenced by online romanticization of self-harm and discouragement of seeking help from others. Michelle Donelan, the United Kingdom's secretary of state for science, innovation, and technology, responded to the inquest by declaring, “We owe it to Molly’s family to do everything in our power to stop this happening to others. Our Online Safety Bill is the answer.”

It was partly to address this goal that the British Parliament passed the act, a massive piece of legislation that orders technology companies to “identify, mitigate and manage the risks of harm” from content that is either illegal—by promoting terrorism, for example—or harmful, particularly to children. The act delegates some of the hardest questions to Ofcom, the independent British telecommunications regulator. One particularly oblique provision requires companies to act against content where they have “reasonable grounds to infer” that it may be illegal. As has been widely documented, social media companies have a notoriously uneven record in their ability to moderate content, stemming from their inability to assess large volumes of it, let alone evaluate the intent of the user generating it. As the legal analyst Graham Smith has noted, putting new pressure on these platforms could simply cause them to take down potentially controversial content—for instance, robust conversations about the war in Gaza, or any other number of contentious topics—in order to steer clear of controversy or penalties.

One concern is that the British legislation defines content harmful to children so broadly that it could cause companies to block legitimate health information, such as that related to gender identity or reproductive health, that is critical to childhood development and those who study it. Moreover, the act requires companies to conduct age verification, a difficult process that may oblige a user to present some form of official identification or age assurance, perhaps by using biometric measures. This is a complicated area involving a variety of approaches that will have to be the focus of Ofcom’s attention since the act does not specify how companies should enforce this. But as the French data privacy regulator has found, age verification and assurance schemes pose serious privacy concerns for all users, since they typically require personal data and enable tracking of online activity. These schemes also often fail to meet their objectives, instead posing new barriers to access to information for everyone, not just children.

The Online Safety Act gives Ofcom the authority to require a social media platform to identify and swiftly remove publicly posted terrorist or child sexual abuse content. This is not controversial, since such material should not be anywhere on the Internet; child sexual abuse content in particular is vile and illegal, and there are public tools designed to facilitate its detection, investigation, and removal. But the act also gives Ofcom the authority to order companies to apply technology to scan private, user-to-user content for child sexual abuse material. It sounds legitimate, but doing so would require monitoring private communications, at the risk of disrupting the encryption that is fundamental to Internet security generally. If required, it would open the door to the type of monitoring that would be precisely the tool authoritarians would like in order to gain access to dissident communications. The potential for such interference with digital security is so serious that the heads of Signal and WhatsApp, the world’s leading encrypted messaging services, indicated that they would leave the British market if the provision were to be enforced. For them, and those who use the services, encryption is a guarantee of privacy and security, particularly in the face of criminal hacking and interference by authoritarian governments. Without encryption, all communications would be potentially subject to snooping. So far, it seems that Ofcom is steering clear of such demands. Yet the provision stands, leaving many uncertain about the future of digital security in the United Kingdom.

LEGISLATING FOR THE CULTURE WARS

In Washington, meanwhile, U.S. Senators Richard Blumenthal and Marsha Blackburn proposed the Kids Online Safety Act in February 2022, which combines elements of both the EU and the United Kingdom approaches. After its latest modification to address some criticisms, the bill has now received the support of enough senators to give it its best chance of adoption. To be sure, KOSA has some positive elements designed to protect children online. For instance, it has strong rules to prevent manipulative targeted advertising to minors and borrows from some of the DSA’s innovations to boost platforms’ transparency. And rather than demanding specific age verification approaches, KOSA would require the government’s National Institute of Standards and Technology to study alternatives and make proposals about appropriate approaches.

Yet at its core, KOSA regards the Internet as a threat from which young people ought to be protected. The bill does not develop a theory for how an Internet for children, with its vast access to information, can be promoted, supported, and safeguarded. As such, critics including the Electronic Frontier Foundation, the American Civil Liberties Union, and many advocates for LGBT communities still rightly argue that KOSA could undermine broader rights to expression, access to information, and privacy. For example, the bill would require platforms to take reasonable steps to prevent or mitigate a variety of harms, pushing them to filter content that could be said to harm minors. The threat of litigation would be ever present as an incentive for companies to take down even lawful, if awful, content. This could be mitigated if enforcement were in the hands of a trustworthy, neutral body that, like Ofcom, is independent. But KOSA places enforcement not only in the hands of the Federal Trade Commission but also, for some provisions, of state attorneys general—elected officials who have become increasingly partisan in national political debates in recent years. Thus, it will be politicians in each state who could wield power over KOSA’s enforcement. When Blackburn said that her bill pursued the goal of “protecting minor children from the transgender in this culture,” she was not reassuring those fearing politicized implementation. U.S. Senator Ron Wyden, a longtime champion of Internet speech and privacy, warned that KOSA would enable state officials to “wage war on important reproductive and LGBTQ content.” If enforced by the culture warriors in government, KOSA could lead to the situation where young people are denied access to information that could be essential to their own development and ideas.

Even apart from KOSA, states, individual litigants, and the courts are also getting deeply involved in Internet regulation. For example, Texas and Florida adopted laws in 2022 aimed at limiting companies’ ability to moderate content they want to scrub from their platforms. Both states enacted laws that prohibit platforms from “censoring” political content. Texas disallows companies from moderating expression that is lawful even if it violates platform terms of service (for example, certain hateful content, disinformation, and harassment), and it authorizes actions brought by users and by the attorney general. Florida’s law imposes stringent penalties on companies that “de-platform” political candidates, among other actions, and also delegates power to individuals and executive departments to enforce the law, with the possibility of significant damage awards in each instance to the individual claimant. Both have thus created processes according to which politicians can make demands of companies to leave up or remove particular content, putting government directly in the middle of content moderation. This is, then, a demand for regular government monitoring of speech. Both laws are before the Supreme Court, which very well may strike them down. But the trend toward government speech regulation is unlikely to go away.

WRONG WAY

There is no doubt that a long-awaited reckoning for Internet platforms has arrived. Yet for all the harms platforms cause or facilitate, they still remain sources of information and debate for people of all ages in democracies around the world. For all the talk of platform safety, it is user speech that is at issue in these laws, not the underlying business model that makes the platforms so dominant in democracies’ information environments. The fundamental risk of safety-driven efforts is that they fail to protect or promote what is valuable about online speech and access to information. In guarding against this, the EU is far ahead of the others. Brussels has largely taken a process-driven, transparency-focused, risk-assessment approach that, although it imposes pressures on platforms to behave well, mostly avoids giving governments the tools to demand takedowns of specific legal content. It is for this reason that Breton’s political posturing raises such deep concerns among DSA supporters. Not only did he risk company and civil society support for transparency and risk-assessment measures, but he also provided a precedent for others, with possibly nefarious intentions, to weaponize the DSA for their own political purposes.

The picture is not altogether dark. The backlash against Breton’s threats may put the DSA on a sturdy footing as the European Commission works on its implementation, and the legislation could push the platforms toward transparency and risk assessment globally. In the United Kingdom, Ofcom’s early efforts to implement the Online Safety Act suggest it is alert to the risks of over-enforcement and thus may seek to interpret the rules in ways that promote access to information and increase the platforms’ attention to online harms. The U.S. Supreme Court could put the brakes on politicized online speech rules at the state and federal levels, forcing legislators to look for new ways of holding platforms to account.

Without other guardrails, however, there will be a continual risk that government content rules will simply provide new tools for politically motivated parties to crack down on speech they dislike. Instead of focusing single-mindedly on safety, governments should focus on introducing reforms aimed at protecting individuals’ rights, especially privacy and freedom of expression, at the same time as limiting the power and dominance of major platforms. They should be focusing on how to promote diversity of choice and information sources for people online, interoperability among platforms to enable user autonomy, and the health and vitality of access to independent media, particularly public service media.

Certainly the European Union deserves credit as a first mover for a comprehensive approach to Internet harms. But for others who are far behind, a genuine package of reforms must be introduced. At a minimum, it should include comprehensive privacy regulation that addresses the industry’s business model by banning its behavioral tracking of users, marketing of their preferences, and sales to data brokers. Sound and creative antitrust policy must also be introduced to address the legitimate concern that companies are limiting user choice and autonomy and turbocharging their addictive features. Finally, there must be a transparent human rights risk assessment and public oversight of this legislation to limit political intimidation and empower civil society and independent agencies. By taking a content-only focus, with all the tradeoffs that involves, the current race to crack down on Internet harms is unlikely to solve the problems and may lead only to new forms of politicized speech control.