As mentioned elsewhere on this site, I run a number of services myself. A couple of them are hosted by my hosting provider, Blacknight, and the rest are hosted in my own home. Some definitions of the term "self-hosting" would exclude those services hosted by the ISP (this site, and my e-mail service), but given that I am the administrator of both and decide how each is used, I see them as self-hosted, too.

Ever since the GDPR came onto our radars (in 2017 for me!), I have been puzzling about how the various (and increasingly numerous!) laws and regulations apply to people like me.

Some laws don't apply to me because they explicitly exclude operations like mine (typically based on volumes of transactions or the number of users). Others don't apply to me because neither I nor my services are located within the jurisdiction.[1, 2]

But, the thing is, I'm not clear on what laws do apply to me, and what my responsibilities are under those laws.

  • If someone claims something on one of my services infringes copyright, what must I do?
  • If the police contact me to say that there's a comment on one of my services, made by someone else, that is alleged to glorify terrorism, will I be prosecuted if I don't take it down within 1 hour (or 24 hours, whichever applies), even if I'm not physically capable of doing that so quickly?
  • Am I required to check every federated image against official databases for CSAM detection? If not, and yet if one gets onto a service of mine without my knowledge, am I looking at a long prison sentence?
  • Will I be required to invest in software to scan all posts to my services in order to comply with ridiculous upload filters?[3]
  • Am I really supposed to keep an eye out for "lawful but awful" stuff on my services?
  • Do I have to require members of my family to move to countries where someone that uses my services lives, to be arrested if I don't follow the hard-to-comprehend laws there?

I've asked around, and there seems to be nothing out there to help me. On one occasion, back in 2017, I raised this with a panel at a data-protection conference, and the only response I received was something like "I don't know why anyone would want to do that". In a slightly different context, Heather Burns talks about this attitude, too:

“… I’m seeing a lot of highly intelligent professionals who seem to think that improving online privacy is a matter of enhancing training and education that developers already have, or nudging them to pull their socks up where their compliance practices have slipped.

“I respect all of these professionals and love working with them, so some tough love is called for here. Please don’t take this the wrong way, but when I see these biases being spoken, it makes me want to put my head in my hands and cry. You need to understand what 24 years of coding on the web, and several years of speaking with, writing for, and training development communities taught me about those professionals:

“you can work full time on online privacy and still not actually understand it.”

Where I have received some form of engagement with my concerns around how regulations apply to self-hosting, it has been interested, but non-productive; or instructive in a frustratingly inaccessible way (assuming, for example, that I understand all the terminology and references to precedential cases).

I'm going to try another tack. I've recently got in contact with the BlueSky Community. This is an organisation started off by Jack Dorsey, formerly of Twitter, which is seeking to build a framework of protocols that will support the "decentralised web".

I'm a bit iffy about the term, and certainly there's a lot of people looking at it thinking "web3" (another term for it) implies cryptocurrencies and, therefore, fast money. I'm not interested in this side of it, and nor – so far as I can tell – is the BlueSky organisation, at least not as a driving concern.

What I would like to do is to get an organisation like BlueSky to appreciate the challenges that self-hosters of decentralised, federated or peer-to-peer services should be concerned about if they want to stay legal, and to then incorporate into the framework some training or other guidance material that will educate self-hosters on the three Rs:

  • What you are permitted to do as someone with a computer attached to the internet on which is a service or information that other internet users can access.
  • What you must do as a hoster of information or a service on the internet that others can access, especially if that information or those services include data provided by others.
  • What may happen to you in a civil or criminal justice sense if you don't abide by those responsibilities.

I don't want anyone who wants to contribute to making the world wide web a more robust and decentralised and a less controlled and tolled experience to feel inhibited. I have been told too often by people who use many of the Facebook services as their primary means of communication that what I am doing is dangerous, and that's just not fair. If we all accepted that, then Facebook would end up actually owning the internet. Or Google, or AOL, or SUN or Microsoft or whatever other organisation that has tried that stunt many times over the last 30 years or so.

I would like your help. I don't know everything, and this isn't my area of expertise or work. If you would like to do so, please leave a comment below and I will get back to you privately, or join the BlueSky Community's Legal and Governance [matrix] room and critique my work and help me make it better.



[1] My website used to be hosted on servers in New York state somewhere, but when I needed to move off them about 15 years ago, I specifically chose Ireland to remove the risk of the US "Intelligence Community" – protecting the world from terrorism, for varying definitions of the term – deciding that it had a right to take a copy of my data.

[2] Taiwan is an independent country, Mr. Xi. Turkey perpetrated a genocide of Armenians in 1915, Mr. Erdoğan.

[3] … and that's before we get to the question as to why the hell do politicians use similar legislative approaches for copyright as for the worst of all internet crimes: the production and sharing of sex-abuse imagery!
