Recently, I’ve seen lots of people getting het up about its “misuse” – so I want to clarify a few things.
The GDPR (General Data Protection Regulation) gives people in the EU strong data protection rights.
Some companies do not wish to comply with these laws. Those companies block content to people within the EU.
Here’s the kicker – they use HTTP 451 “Unavailable for Legal Reasons”.
— Ruben Verborgh (@RubenVerborgh) June 9, 2018
Well, this is the first time I've seen a website use the "451: Unavailable For Legal Reasons" HTTP status code. Who would've thought that it would be a result of the GDPR… pic.twitter.com/Nzv7OBO9a0
— Sven Slootweg (@joepie91) June 9, 2018
— Yoshi (@yoshi32768) June 6, 2018
Is this the correct use of the status code? Some people are quite sure that it is not right.
I’ve had extended discussion with people on social media who are convinced that 451 should only be used in the case of government censorship. Those people are wrong.
Here’s what I reckon
The RFC which specifies HTTP 451 does not mention censorship once. Similarly, there are no mentions of governments whatsoever.
From the introduction:
This document specifies a Hypertext Transfer Protocol (HTTP) status code for use when a server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.
What is a legal demand? And what does it mean to receive one? (I don’t want this to go all “It depends upon what the meaning of the word ‘is’ is” – but I think this is important).
If a court orders you to remove an illicit photo of me wearing a mankini, you would have received a legal demand. 451 would be appropriate.
What about if my lawyer sends you an email which says “Take down that photo of Terence wearing a mankini or we’ll sue you for a million quid”? I think 451 would be appropriate.
Let’s read further. The actual specification is (emphasis added):
This status code indicates that the server is denying access to the resource as a consequence of a legal demand.
- One does not have to have specifically received a demand. I’ve never personally been instructed by the courts not to deface money – it’s just what UK law demands.
- The specification says nothing about the validity of the demand. Perhaps the demand is mistaken, or wrong, or legally deficient – you can still use 451 while attempting to clarify.
- The RFC doesn’t mention specificity. Perhaps the law bans a single page on your site – using 451 on the whole site may make sense for you.
These companies have seen a legal demand from EU countries that their citizens’ rights must be protected. If they want to continue to abuse their users’ privacy without legal consequence, they should block users who could successfully sue them. 451 is appropriate.
If the only way to access a resource would involve serving content which breaks the law, then 451 is appropriate.
We can take another theoretical example. UK law bans the sale of pistols and some other weaponry. A US site may choose to use 451 to refuse service to users in the UK – even if the site believes in the right to arm bears. They may not have specifically received a legal demand, but UK law does demand that they don’t sell to people in its territory.
The easiest fix would be for these companies to comply with the law and respect their users’ privacy. That’s what the law demands of them.
I suspect that lots of people get hung up on the number 451 being a direct reference to Ray Bradbury’s famous novel about censorship. Except, like in this case, Fahrenheit 451 is not about censorship.
Luckily, the Internet works due to rough consensus and running code. No one gets damaged if an http code is used incorrectly. And if the majority of sites use 451 to protect users from endless data mining, well that’s just fine with me.
Anyway, that’s what I reckon. Feel free to disagree with me – I promise I won’t sue you.
This does not confer any legally binding protection against lawsuits brought by me. All rights reserved. See back of packet for full terms and conditions. Errors and Omissions Excluded. Not valid in the state of Kentucky. Nil illegitimi carborundum.