Is HTTP 451 suitable for GDPR blocking?


Hello, it's me - the idiot who helped inspire the HTTP 451 status code.
I graciously allowed Tim Bray to do the hard work of getting it through the IETF process, and now it is an official RFC.

Recently, I've seen lots of people getting het up about its "misuse" - so I want to clarify a few things.

The GDPR (General Data Protection Regulation) gives people in the EU strong data protection rights.

Some companies do not wish to comply with these laws. Those companies block content to people within the EU.

Here's the kicker - they use HTTP 451 "Unavailable for Legal Reasons".

Is this the correct use of the status code? Some people are quite sure that it is not right.

I've had extended discussion with people on social media who are convinced that 451 should only be used in the case of government censorship. Those people are wrong.

Here's what I reckon

The RFC which specifies HTTP 451 does not mention censorship once. Similarly, there are no mentions of governments whatsoever.

From the introduction:

This document specifies a Hypertext Transfer Protocol (HTTP) status code for use when a server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.

What is a legal demand? And what does it mean to receive one? (I don't want this to go all "It depends upon what the meaning of the word 'is' is" - but I think this is important).

If a court orders you to remove an illicit photo of me wearing a mankini, you would have received a legal demand. 451 would be appropriate.

What about if my lawyer sends you an email which says "Take down that photo of Terence wearing a mankini or we'll sue you for a million quid"? I think 451 would be appropriate.

Let's read further. The actual specification is (emphasis added):

This status code indicates that the server is denying access to the resource as a consequence of a legal demand.

  • One does not have to have specifically received a demand. I've never personally been instructed by the courts not to deface money - it's just what UK law demands.
  • The specification says nothing about the validity of the demand. Perhaps the demand is mistaken, or wrong, or legally deficient - you can still use 451 while attempting to clarify.
  • The RFC doesn't mention specificity. Perhaps the law bans a single page on your site - using 451 on the whole site may make sense for you.

These companies have seen a legal demand from EU countries that their citizens' rights must be protected. If they want to continue to abuse their users' privacy without legal consequence, they should block users who could successfully sue them. 451 is appropriate.

If the only way to access a resource would involve serving content which breaks the law, then 451 is appropriate.

We can take another theoretical example. UK law bans the sale of pistols and some other weaponry. A US site may choose to use 451 to refuse service to users in the UK - even if the site believes in the right to arm bears. They may not have specifically received a legal demand, but UK law does demand that they don't sell to people in its territory.
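As an added example (not code from the original post, and not text from the RFC), here is how a server operator would actually emit the kind of jurisdiction-based 451 response described above. It follows RFC 7725's recommendations that a 451 response carry a plain-language explanation in its body and a Link header with rel="blocked-by" identifying the entity implementing the block (the site operator, not the lawmaker). The BLOCKED_REGIONS policy, the region strings and the X-Request-Region header are constructed assumptions; a real deployment would derive the region from a GeoIP lookup on the connecting address.

```python
# Added example, not code from the original post or from RFC 7725.
# Builds an HTTP 451 response for a site that chooses not to serve a
# jurisdiction, following RFC 7725's recommendations: an explanation in
# the body and a Link header with rel="blocked-by" naming the entity that
# implements the block (the site operator, not the lawmaker).
from dataclasses import dataclass, field
from http import HTTPStatus
from wsgiref.simple_server import make_server

# Constructed policy (assumption): regions the operator will not serve,
# each with the plain-language reason returned in the response body.
BLOCKED_REGIONS = {
    "EU": "This site does not serve the European Union because it does "
          "not process personal data in the way the GDPR requires.",
    "UK": "This site sells items whose sale UK law prohibits.",
}


@dataclass
class Response:
    status: HTTPStatus
    headers: dict = field(default_factory=dict)
    body: str = ""


def legal_block_response(request_region: str, operator_url: str) -> Response:
    """Return a 451 for blocked regions, else a plain 200 placeholder."""
    reason = BLOCKED_REGIONS.get(request_region)
    if reason is None:
        return Response(HTTPStatus.OK,
                        {"Content-Type": "text/plain; charset=utf-8"},
                        "Hello from an unblocked region.\n")
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        # RFC 7725 section 4: identify who is doing the blocking.
        "Link": f'<{operator_url}>; rel="blocked-by"',
        # The answer depends on the requester's location, which no Vary
        # header can express, so keep shared caches out of it.
        "Cache-Control": "no-store",
    }
    body = f"{HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS.phrase}\n\n{reason}\n"
    return Response(HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS, headers, body)


def app(environ, start_response):
    """Minimal WSGI front end. The region comes from a constructed
    X-Request-Region header here (assumption); a real deployment would
    derive it from a GeoIP lookup on the connecting address instead."""
    region = environ.get("HTTP_X_REQUEST_REGION", "")
    resp = legal_block_response(region, "https://example.com/legal")
    start_response(f"{int(resp.status)} {resp.status.phrase}",
                   list(resp.headers.items()))
    return [resp.body.encode("utf-8")]


if __name__ == "__main__":
    # Try: curl -i -H 'X-Request-Region: EU' http://127.0.0.1:8000/
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```

The no-store cache directive matters more than it looks: a 451 decided by source address cannot be described with Vary, so without it a shared cache could hand the blocked response to users outside the region, or the unblocked content to users inside it.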

The easiest fix would be for these companies to comply with the law and respect their users' privacy. That's what the law demands of them.

Media comprehension

I suspect that lots of people get hung up on the number 451 being a direct reference to Ray Bradbury's famous novel about censorship. Except, like in this case, Fahrenheit 451 is not about censorship.

Luckily, the Internet works due to rough consensus and running code. No one gets damaged if an HTTP code is used incorrectly. And if the majority of sites use 451 to protect users from endless data mining, well that's just fine with me.

Anyway, that's what I reckon. Feel free to disagree with me - I promise I won't sue you.
This does not confer any legally binding protection against lawsuits brought by me. All rights reserved. See back of packet for full terms and conditions. Errors and Omissions Excluded. Not valid in the state of Kentucky. Nil illegitimi carborundum.

5 thoughts on “Is HTTP 451 suitable for GDPR blocking?”

  1. There should be a 551 or similar equivalent. Don't the 400-series errors generally denote temporary errors and 500-series permanent errors? That is, of course, assuming that the intention is to treat the bug as a "not fix" error, we're done.... 😉

    1. 4XX is a client-side error. The client may be able to change or correct their request to get a successful response from the server.

      5XX is a server-side error. The client did nothing wrong, but the server couldn’t fulfill the request at this time.

      In HTTP terminology, these publishers are blaming the client and suggest they move to outside the European Economic Area (EEA) to get a 2XX successful response.

  2. The issue is that GDPR doesn't impose any "demand to deny access to a resource or to a set of resources" in these cases (unless the page in question would be unlawfully distributing personally identifiable information, in which case 451 would be appropriate). Instead the problem is that GDPR prevents the site owner and its affiliates from collecting and using the users' data in illegal ways - it would be fine to return the resources as requested if the server(s) refrained from collecting and processing your data illegally.

    It's a bit like claiming "it's against the law for me to give you my phone number" with the reasoning "if you call me up I'll try to sell you drugs which is illegal"...

  3. 451 seems right here, but are there cases where this doesn't represent them illegally keeping the user content that was intended to be wiped via GDPR? Like, are there cases where this response code doesn't represent someone definitely doing something illegal on the server-side?
