
The EU Digital Services Act (DSA) is very bad for everyone

The European Union is, once again, attempting to dictate global policy way outside their jurisdiction. I run uBlock Origin and Ghostery (you should too!), which already deal with the things GDPR was largely concerned with. The GDPR made the average web browsing experience worse, not better. The Digital Services Act (DSA) expands upon GDPR in a way that supposedly targets very large companies but, digging into it, it actually appears to affect businesses of all sizes. Let's say you run a small business and you have a website. That website has a domain (DNS) that is issued by a registrar (e.g. GoDaddy, NameCheap, etc.) and is hosted on a third-party service (e.g. a VPS provider like AWS, DigitalOcean, OVH, etc. or a shared hosting provider like 1&1, GoDaddy, etc.) and then speeds up global content delivery of static assets via a CDN (e.g. CloudFlare). If you are a website developer/admin, all of this sounds perfectly normal and completely innocuous to you.

Now let's say someone doesn't like your business for some reason. Maybe you messed up an order or they thought you were impolite to them or it's just a malicious actor picking on your business completely at random. Looking at this analysis of the DSA by a law firm in the EU in the section regarding liability for "intermediary service providers," they write and I quote:

Under the DSA, providers are not liable for content hosted on their service so long as they either do not know the content is illegal or infringing, or they promptly remove or block access to that content once aware that it is illegal or infringing.

The keyword there is "promptly." I'm not sure what the DSA considers "promptly" to mean but let's say three business days is a good base metric. Now imagine you are a registrar, hosting provider, CDN provider, or even an ISP (e.g. a Comcast, CenturyLink, Cox) which handles traffic for 45+ million users for millions of your clients and are thus subject to the DSA. You start receiving claims of violations of the DSA for random websites including little rinky-dink websites for small businesses. Do you waste a bunch of time deeply investigating each and every single claim, especially when tens to hundreds of thousands of claims start piling up, or do you just automatically shut down/block access to the requested websites/domains/hosting and then see who yells? Now how long do you figure it will take bad actors to discover that they can send in claims of illegal/infringing content to registrars, hosting providers, CDN vendors, and even ISPs and thus ruin the Internet for everyone? Although I'll admit that getting U.S.-based ISPs to block access to a website for all of their users under the DSA will be rather difficult, if there's one thing everyone's learned in the last 30 years of the Internet's existence, one should never underestimate the creativity of bad actors. But certainly EU ISPs will oblige the DSA blocking requests - so one day traffic from the EU will simply slow to a trickle and you won't know about it potentially for months or years - and good luck getting unblocked.

Look, I'm no fan of the fact that Gurgle, Ding, Faceplant, Instamicrogram, ElonRenamesHisPersonalFailuresX, Whoisazon, NobodysIn, etc. track user activity across the Interwebs, social media has made the world a much worse place to live, Flapple and other app stores take a 30% commission for not doing any actual work and simultaneously steal successful ideas while actively blocking any competition, and Google is particularly egregious with their consistent ongoing efforts to make web browsers even worse. However, the new EU rules appear to open the door for bad faith actors with malicious intent to take down or block access to any website at any time and you already know every major "intermediate service provider" is going to make the website takedown process fully automated so that they don't have to hire staff to deal with the deluge of takedown requests.
