"Online harms": an extra-territorial over-reach?

[Image: globe] [1]

tl;dr

Without changing the very essence of the services they provide, it would be close to impossible for any service provider, anywhere in the world, which permits the posting of user-generated content, or interaction between users, to escape the clutches of a UK law, if the current UK government proposals become law.

Purportedly inflicting UK law on a huge number of people who have no reason to even be aware of its existence cannot — in my opinion — be a sensible model for Internet governance.

Introduction

I was pondering over the weekend about the extra-territorial scope of the UK government's "online harms" proposals. In other words, which sites and services around the world will be in scope.

And the more I think about it, the more I think that this is an area of the policy which is underdeveloped, and which needs considerable further attention.

The question running around in my brain was this: what connection must a site or service have with the UK, to fall within the scope of the UK’s proposed "online harms" framework?

Put more simply, is the proposal that the framework applies to every single site, anywhere in the world, which incorporates user-generated content or fosters interaction, just because it is accessible from the UK?

The World Wide* Web (*UK law applies)

As wide as the web

The UK government's "Online Harms White Paper: Full government response to the consultation" says that:

Companies will fall into scope if their services:

  • host user-generated content which can be accessed by users in the UK; and/or

  • facilitate public or private online interaction between service users, one or more of whom is in the UK.

Read those two phrases again:

  • can be accessed by users in the UK
  • an online interaction service where one of the users is in the UK

These tests are both incredibly broad.

But, as far as I know, there has been no substantive discussion of this vital issue, despite spending many months, and many, many words, on "online harms".

The practical impact

The current policy, if reflected in legislation, would impose two separate tests:

  • can user-generated content be accessed by someone in the UK (irrespective of whether anyone in the UK actually accesses it)?
  • if a service offers "online interaction", is one of the users actually in the UK?

The government's view on scope, and exemptions

The government’s response says that it will “exempt many low-risk businesses with limited functionality".

This includes "reviews and comments on products and services directly delivered by a company, as well as ‘below the line comments’ on articles and blogs".

It expressly says that:

Content published by a news publisher on its own site (e.g. on a newspaper or broadcaster’s website) will not be in scope of the regulatory framework and user comments on that content will be exempted.

(There's no definition of "news publisher", but that's for another blog post. Probably by someone else.)

In any case, it seems that the limitations will apply only to the material scope, rather than the territorial scope, of the framework.

In other words, wherever you are in the world, you would need (if you cared enough; see below) to check whether you fell within one of the exemptions bestowed upon you by the UK government.

In support of the breadth of the exemptions, the response also says that

"[t]he government estimates that, overall, fewer than 3% of UK businesses in total will be in regulatory scope following the new exemptions".

Which is rather missing the point that, thanks to the extra-territorial effect seemingly desired by the government, the impact will be felt by service providers globally — not just those in the UK, and not just businesses.

Even if that 3% figure was applicable globally, to say that you are passing a law which affects 3% of businesses around the world still seems like a massive impact.

And where did that "3%" figure come from? It seems rather low. Fortunately, it is a cited claim with a footnote, so we have a reference:

DCMS Online Harms research (externally commissioned), 2020, publication date tbc.

Oh.

Luckily, there is a page on gov.uk which says:

This page brings together research commissioned by DCMS related to onlines [sic] harms. It informs government policy to prevent harm related to online activities. It also contains research by the UK Council for Internet Safety.

I have not read the four documents linked from that page word for word, but I have searched for "3%" and "three percent", and there were no relevant results.

So, unless I have missed something — which is possible — I'm not able to find a source for that claim.

When is a “tech company” not a “tech company”?

Note also that the ministerial foreword says that the intention is “to usher in a new age of accountability for tech companies".

You have to read another 4,990 words — about 16 A4 pages — and then click through to a footnote, to find that that statement is, at best, somewhat disingenuous:

“In this document the term ‘company’ is used to refer (where appropriate) to all entities providing in-scope services, including incorporated and unincorporated associations, partnerships and individuals.”

[Screenshot of the footnote; text as quoted above]

One might be forgiven for thinking that the paper was banging the drum against those miscreant massive “tech companies”, but, in practice, it would appear to be a blueprint for imposing obligations on everyone within the framework's material scope, even private individuals running a server as a hobby.

What does that make the actual scope?

Pulling these strands together, in addition to the "big tech" services which might immediately come to mind, it would seem to leave the following (and many more) in scope:

  • a student in India sets up a web service for their school science project about different types of cloud, which allows users to upload photographs of unusual clouds they’ve seen
  • someone enables the mail server functionality of their Synology NAS
  • a victim of domestic violence in the USA runs a forum where other victims can discuss experiences and survival strategies
  • a quiz-lover operates an instance of Jitsi — an open source video conference server — to use for a privacy-friendly online alternative to their weekly pub quiz
  • a child in Egypt runs a simple web forum to chat with other fans of their favourite TV programme or toy

Does the UK government really intend to exercise legislative control over these people and their projects, just because their servers are available to people in the UK, or because someone in the UK might chat using them?

If you create a regime with which only large providers with deep pockets can afford to comply, all you will end up with are large providers with deep pockets. And that would be a real shame.

Quick disclaimers

This is not a blogpost about what a site / service provider would have to do to comply

Note that this is not a post about the substantive obligations under the "online harms" framework — it's not about what a site operator would need to do to comply.

First, that's another blogpost in itself (and Graham Smith covers it well in his blog post "The Online Harms edifice takes shape").

Suffice to say, I'm not confident that even a well-lawyered service provider could be certain if they had complied with an obligation to assess if their service entails a "reasonably foreseeable risk of a significant adverse physical or psychological impact on individuals".

Second, to focus on what someone has to do is to miss the point: why would someone with no substantial nexus to the UK have any reason to consider what UK law might or might not say?

And even if the obligations were objectively simple to comply with, if every one of the 190-ish countries in the world asserted that their laws applied to every website accessible to people who lived in their country, that's 190 potentially different "objectively simple" requirements to take into account. It's an approach which simply does not scale.

This is not a blogpost about the consequences of non-compliance

Nor is it a blogpost about the consequences of non-compliance.

This would make for an interesting post, but it deserves a post of its own.

Suffice to say, the proposals include a range of sanctions and consequences, falling back on the idea that UK ISPs could be compelled to block access to non-compliant sites.

User-generated content services: can't you just block people from the UK?

Looking at the first limb, about user-generated content, the current proposal is that, if a site can be accessed by users in the UK — even if no-one in the UK does — it falls within the framework.

So to fall outside the framework, the site must either not have user-generated content, or must not be accessible to people in the UK.

A simplistic answer to a question of "how to avoid the long arm of the UK law" is to say "do not have user-generated content".

In some contexts, that might be acceptable. If, for example, the site is predominantly about editorial content (e.g. a website reviewing cars, or technology), and it has a user discussion forum, or permits comments under articles, the impact of closing those off may be relatively low. (Don't get me wrong, closing everything off globally because of a law in the UK would be a ludicrous outcome.)

If we put that to one side, and assume that that's the purpose of the site and so non-negotiable, the site must either comply with the UK legal requirements, or else ensure that the content cannot be accessed by users in the UK, or face the consequences of non-compliance.

But can a site ensure that it "cannot be accessed by users in the UK"? Let's assume that the site does not want to comply with UK law, but nor does it want to fall foul of it, and so needs to make itself inaccessible to users in the UK. How could they do this?

If the test really is as broad as the policy statement suggests — that your site "can be accessed by users in the UK" — then there is simply no practical way of achieving that.

Here are some of the options, and the reasons why, against a backdrop of such a broad policy direction, they would not suffice.

Ask every user if they are located in the UK, and block those who say "yes"

Yeah, that's not going to fly.

So ban traffic from IP ranges identified as linked to the UK

A common approach to this problem is to use a user's IP address as a proxy for their geolocation.

Depending on the problem you are trying to solve, it might be good enough.

But if the standard you have to meet is "my site cannot be accessed by people in the UK", it will not be enough.

For example, if a user in the UK makes use of a VPN with an exit node outside the UK, their IP address will not be from a range linked to the UK.

And — perhaps unsurprisingly — some groups think that if a block can be circumvented by a VPN, it is insufficient for the purposes of the online harms discussion:

[Embedded tweet from the Age Verification Providers Association]

You might be able to ascertain a VPN user's actual IP address by misusing WebRTC, but that's not going to work if a user has not enabled WebRTC in their browser, and it is, at best, an example of the abuse of a technology for secondary purposes.

And if a user accesses your site via Tor, at least some of the time they will not get an IP address from a range linked to the UK, and so would circumvent the block.

Or a user with a mobile SIM from a foreign network, since data sessions are typically "home-routed", and break out via the home, rather than the visited, network.

Well then, block VPNs and Tor-originating traffic too!

Blocking Tor exit nodes is not too tricky — after all, the Tor project publishes a list of exit nodes.

Is it desirable to do so? Of course not!

Not everyone enjoys an unfiltered Internet connection, or can browse the Internet with a high degree of freedom, and Tor provides a valuable — essential, to some — service. Denying access to any site hosting user-generated content to all users accessing via Tor, because failing to do so would render your site accessible from within the UK, seems grossly disproportionate.

Blocking VPNs? That's significantly harder — a constant game of Whack-A-Mole — and, again, will lead to a massive degree of overblocking, in the sense of not just restricting access to VPN-using users from the UK, but VPN-using users from anywhere in the world.

Can this kind of massively broad, far-reaching action really be the legislative intent, just so that a site can attempt to ensure that it cannot be accessed from the UK?

And, unless a site plays a perfect game of Whack-A-Mole, every second of every minute of every hour of every day, and can identify every single IP address of every single VPN provider, their site would still be accessible to people in the UK, and so within scope of the proposal as currently formulated.

Don't forget to block all traffic from mobile networks

A user in the UK, with a SIM from a mobile operator in Germany, is likely to connect to the Internet with an IP address linked to the German operator, and probably connects to the Internet through an interconnection point in Germany.

So you'd need to ban the IP ranges of all non-UK mobile networks, because if you did not, someone in the UK could be using one to access your service.

And obviously you'd need to block the ranges of all UK mobile networks too.

The outcome? A site would have to block all traffic from any IP range linked with every cellular network, globally.

Madness? Oh yes.

Fine. Get the actual, real-time, location of every user, and deny access to those in the UK / everyone you don't know for sure is not in the UK!

Impractical, to the point of being essentially impossible. See below.

And remember that if even one person slips through the net, then your site is "accessible to someone in the UK", and so — based on the current proposal — you'd be in scope.

And that's leaving aside the cost and administrative burden, not to mention the privacy implications, imposed on everyone who runs a UGC or interactive site. Is that really proportionate?

Outcome: either remove all user-generated content from your site, or comply with the "online harms" requirements. Or accept the consequences, if any.

We’ve already discussed disabling all user-generated content, and put that to one side.

And we've ruled out making your site inaccessible to all users in the UK, because you cannot guarantee that. You could try, but, if the legislation follows the policy direction, trying may not be sufficient.

Since it is not possible to ensure that your site cannot be accessed by people in the UK, if you want UGC on your site, you would be forced to comply with the UK's laws, or else accept the consequences (if any; there's surely a limit to how many IP addresses the regulator could monitor, manage, and trot to and from court to obtain injunctions to block?).

In other words, the current proposal is that, if you have UGC on your site, you would be subject to UK law, because you could not ensure your site is not accessible to people in the UK.

And that cannot be right.

Leaving aside the massive extra-territorial overreach which this entails, what is a site supposed to do when another country comes up with a similar framework, but with a conflicting provision? You cannot comply with both, unless you can precisely geo-locate a user, and apply the rules based on the user's location (for which, see below).

Or even just a different requirement? For example, if the UK said "no access by people in the UK under 16", and Germany said "no access by people in Germany under 13", a site is left with no option but to apply the more aggressive standard, if they cannot identify a user's location to the (seemingly absolute) standard.

It is unclear to me that anything close to sufficient thought has been given to this broad-sweeping policy position.

How do you tell if a user is actually in the UK right now?

The policy position for UGC sites is whether the site can be accessed by people in the UK.

The policy position for sites that "facilitate public or private online interaction between service users" is phrased differently, and focuses on whether one of the users is in the UK.

This seems to be a tighter condition: not that they merely could be in the UK, but that they actually are in the UK.

But, as I discuss above, trying to ensure your site is not available to people in the UK is going to be approaching, if not actually, impossible, in the vast majority of cases. So even then, you may have little option but to attempt to identify the geo-location of a user, and apply rules accordingly.

So how can a site tell, in real-time, if a user is actually in the UK? Or, indeed, is definitely not in the UK (because if they're definitely not in the UK, then that is fine.)

Spoiler: they cannot.

As with rendering their site inaccessible from the UK, they can try to tell if a user is in the UK, but no more than that, and even trying would likely require significant changes to the way they operate.

Technical options for checking if a user is in the UK

The section above discussed blocking access to users from the UK, and concluded that it is not possible to do so in a manner which would let you ensure that your site was not accessible to people in the UK.

The test for services which offer "online interaction" is whether one of the users is in the UK, which is not quite the same thing.

This section looks at the options available to the average provider of online services in terms of identifying for sure whether a user is in the UK, or else is definitely not in the UK.

The reason I emphasise "the average provider"?

This obligation, as currently proposed, would apply to everyone who falls within the proposal's material scope, not just deep-pocketed "big tech" companies. A solution which is available only to a fraction of those who need it is of little use.

Check if the user is coming from a non-UK IP address

As above, this is inconclusive and easily circumvented.

An IP address may be used as a proxy for location, but it's a pretty weak proxy. VPNs, Tor-routed traffic, and non-UK mobile network SIMs would (or could) all give an IP address not linked with the UK, and yet all could be utilised by a user in the UK.

So you cannot rely on a user's IP address alone.

Require the user to give a landline phone, and ring it to verify they are there

First, how many people have "landlines" any more? I haven't had one for years. That feels like a demographically-challenged solution at best.

Second, when many people say "ring a landline", they probably mean "ring a number which is identified as 'geographic' in the national numbering plan". But long gone are the days when calling a UK geographic number means that the B party is receiving the call in the UK, thanks to VoIP.

For example, if you ring decoded.legal's geographic numbers, our phones and computers will ring wherever we are in the world. The fact you are calling a London number is no guarantee that we are in London (and, 99.9% of the time, we're not).

You might be able to check if a number is in a range which has been allocated to a provider of VoIP services — for example, this screenshot shows some of the ranges which Ofcom has allocated to Twilio — but this is unlikely to give you a complete picture.

[Screenshot of Twilio number ranges allocated by Ofcom]

For example, if someone has done a "renumber and export", moving the geographic number allocated to their fixed line circuit to a VoIP endpoint, you won't be able to tell that from the numbering plan.

And, in any case, one cannot seriously suggest that, before they access a website, a user has to receive a call on their phone. How many websites do you visit each day? Even if the website only had to verify your location once a day, how many phone calls would that entail? What about anyone trying to access a website when they are away from home?

Post something to the user's home address

Not really a "real-time" option, is it?! (I have a service with a US provider, which insists on posting a second-factor code to me. By the time the letter from the USA has arrived, the code has expired.)

And what about someone who's paid for an international mail redirection service?

Or people who do not have a home address? (Unless the online harms framework will also eradicate homelessness in the UK at the same time, which would be so wonderfully, genuinely, welcome.)

Or those who do, but cannot safely receive post there? Can you imagine someone trying to visit a forum set up by other domestic violence survivors finding that they have to give their home address to receive a two-factor code, to be able to access the site which just might save their life?

And how are you going to ensure that the address someone is giving you is their actual address? You'd need to engage in even more intrusive identity verification, to stop someone from giving the address of a friend willing to receive and hand over a two-factor code.

(And, yes, 2FA-by-post is/was a thing.)

Rely on something else which does some kind of location check

For example, the BBC attempts to make most of its online video streaming platform, iPlayer, available only to people in the UK. This is due to rights agreements.

So could you require someone to record a clip of iPlayer's restricted content and submit that, to prove the user was in the UK?

Again, it's a poor approach:

  • use of iPlayer requires a TV licence, which costs quite a lot of money. Requiring a TV licence to access certain websites would lock out those who cannot afford a TV licence, and would impose a significant additional cost on those who do not require a TV licence for the purpose for which it is actually intended.
  • I suspect rightsholders would not be unduly happy about the copyright infringement likely inherent in this approach. Could the BBC run a dedicated "prove your location" stream, to circumvent this? Possibly. But is that the purpose of the BBC? No. And it still suffers from the problem above, in terms of excluding those who cannot afford, or have no other reason to need, a TV licence.
  • it is potentially a time-limited approach anyway, as the BBC says that it is "interested in being able to allow UK licence fee payers to access BBC iPlayer when they are abroad".
  • the systems used by the BBC to inhibit viewing from outside the UK are reasonably good, but no more than that. They are certainly not incapable of circumvention. Presumably, this is good enough for the BBC's agreements with its licensors, but it would be insufficient if a website has to be 100% sure that someone was definitely in, or was definitely not in, the UK.

Ask for a copy of government-issued ID

Flawed from the beginning.

Not everyone has them, so this is an inherently exclusionary approach. We can't be contemplating conditioning access to numerous websites on the possession of official ID.

And, even if they do, all it proves is that they have government-issued documentation. It says nothing about where they are right now. (If I had, for example, a German passport, it does not mean I am in Germany all the time.)

And, as with home address, how do you know that the person is giving you a copy of their passport, as opposed to someone else's?

Information gleaned from the user's browser

Such as browser time, or even something less specific like browser language (e.g. if it is set to en_GB).

Both are easily changed by a moderately tech-savvy user, and so are insufficiently reliable.

Information from a device's camera

Rob Redpath, on Twitter, had an interesting suggestion:

I’d be interested to see if using a device’s camera could be reliable. “Point your camera out of your window” - cross check mapping, weather, time of day, etc

Aside from limiting access to someone using a device with a camera, and with access to a window (and presumably a suitable view) — so no good if you are stuck in a windowless conference room, or are browsing between stations sitting on the London Underground — this feels somewhat speculative.

Require a user's GPS or cellular location

If you were willing to move to an app-only model (and why we want to encourage app-ification of the web, I've no idea), you might be able to require the user's GPS location or cellular location as a condition of accessing content.

And you'd probably need to check that there was no sign of a jailbreak on the device, which might permit location spoofing.

(You might be able to do it without an app, in the phone's browser, relying on location permissions, but I think this is more vulnerable to spoofing.)

This requires all your users have a phone, and so doesn't work for users trying to access using, say, a shared computer in a public library.

And what about not-that-smart smart phones, or feature phones? Does the UK government want an Internet where only those with moderately fancy devices are able to browse?

And what about getting a GPS location inside, or in areas without cellular coverage?

Some kind of HLR look-up / ping? That would likely show if it was an active number on a UK network, and not currently roaming, but it's not a guarantee — the SIM could be in a SIM box, for example (I had a mobile SIM in a dongle connected to an instance of Asterisk for a while, and that would have shown my location as being in the UK, wherever in the world I was using it), and it gets trickier with virtual numbering / VoIP.

It might be possible to come up with a solution on this basis, but it's not certain, nor trivial. More likely would be a commercial organisation offering to sell location-as-a-service, with some kind of "authenticator" app you had to install on your phone. And, oh boy, I love the idea of giving a third party organisation control over who gets to access what websites.

If you can't tell, treat everyone as if they are in the UK

To ensure you were compliant, if you could not be sure that someone was not in the UK, you would need to treat them as if they were, and either deny them access, or apply rules accordingly.

As above, this way lies madness.

Or do nothing

Of course, there is another option: do nothing. Do not attempt to comply. This works for both UGC and inter-personal communication scenarios.

You might expect your site or service to be rendered less accessible to users in the UK, since the UK government has said that it intends to lean on online intermediaries to deal with sites which do not comply (although these attempts are usually trivially circumventable), but if you do not really care if your service is available to people in the UK or not, that might not be unduly problematic.

The government's plan extends beyond mere site blocking, and also proposes monetary penalties. But if they have no realistic way of getting at your money, this might have no, or very limited, dissuasive effect.

Options for rethinking the policy approach

It's not clear to me that any thought has been given to this, let alone sufficient thought.

Of course, you'll get some people who will say that "if a site cannot tell if someone is accessing from the UK, they should treat them as if they are, and apply the UK's rules". Aside from the massive sense of entitlement which accompanies that — "if in doubt, assume our laws should apply" — it is not a scalable approach.

It strikes me that this aspect of the proposal needs considerably more thinking, and discussion.

I've set out some options below, and I have no doubt that there are others.

What would be useful is some empirical evidence: for each different potential approach, of the sites and services which are considered to be most harmful, how many would still be within scope?

If it covers most of them, would that be sufficient?

Or will nothing short of preventing every user in the UK from accessing any user-generated content site without UK-approved controls in place suffice?

Exclude services which take reasonable steps to prevent traffic from the UK

As currently written, the policy position is absolute: if your site can be accessed from the UK, and you do not fall within the materiality exceptions, you are within scope. It pays no heed to the reasonable steps you might have taken to prevent access from the UK.

And, in failing to do so, it demands a standard for online safety that is higher than required of offline safety measures:

  • painting a white line on a road does not protect those in the designated "cycle lane" from the multi-tonne powered vehicles with whom they share the road
  • we don't fence off our road network, to stop children stumbling into traffic. Or to prevent them from falling into a canal or river. Even fencing by a road outside a school is not so high, that no-one can climb over it. And it typically has a gap, at a crossing, to let people walk onto the road anyway.
  • speed bumps make things uncomfortable for a driver who doesn't adhere to the speed limit, but don't stop someone who wants to race.
  • near where I live, there is a playground for young children, just a few metres away from a river. There's no fence along the river, and the only protection to stop children from running out of the playground and into the river is a low-height fence, with two gates which are easy to open.

And so on. Yet these measures, many of which are ostensibly in place to preserve life, are defeated trivially.

Does UK law really need to deal with users trying to game the system, and avoid a block, or would it be enough for a site to do something reasonable, such as attempting to block access to IP ranges linked with the UK and returning HTTP status code 451 instead?

This would be consistent with the approach taken in the UK to "site blocking" injunctions since 2011 (which, in practice, are obligations to (ab)use DNS, to return results which are incorrect or to fail to return results). It has been recognised by the courts that the approach is a digital speed bump, and will not deter a determined downloader, but nevertheless it remains an effective, proportionate remedy. If that approach is good enough for the courts as the basis for injunctive relief against problematic content online in one context, it would seem like a reasonable starting point here too.

Of course, someone in the UK might be browsing using a VPN with a non-UK exit node, or via Tor, for reasons other than "trying to avoid the UK's online harms framework". But if we are aiming for a realistic framework, that should not be a problem.

To be clear, even this would be an imposition on the world at large. It would mean that the student in the USA, who built a web service as a science fair project and encouraged people to upload photographs of clouds, would be in scope of the UK's framework if they did not take steps to block access from the UK. And that still seems absurd to me.
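One way a small site could implement that "reasonable step" (an added example, not code from the original post): a WSGI application that answers HTTP 451 to addresses falling in a list of UK-linked prefixes. The prefixes and proxy addresses below are constructed placeholders (documentation ranges, not real UK allocations), an X-Forwarded-For header is only believed when the connection comes from the site's own proxy, and an address that cannot be parsed is treated as possibly in the UK; as the post says, a UK user on a VPN or Tor still gets through.

```python
"""Geo-blocking by IP range with an HTTP 451 response (constructed example)."""
import ipaddress

# Constructed placeholder prefixes standing in for "IP ranges linked with the UK".
# They are documentation/example ranges, NOT real UK allocations; a real site
# would load such a list from a geolocation database it trusts.
UK_RANGES = [ipaddress.ip_network(n) for n in
             ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:4b::/48")]

# Addresses of reverse proxies the site itself operates (also constructed).
# Only an X-Forwarded-For header added by one of these is believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

BLOCK_BODY = (b"451 Unavailable For Legal Reasons\n"
              b"This site is not offered to users in the United Kingdom.\n")


def _in_ranges(addr, nets):
    return any(addr in net for net in nets)


def client_ip(remote_addr, xff=None):
    """Work out the client address the policy applies to.

    If the TCP peer is one of our own proxies, walk X-Forwarded-For from the
    right (the hop our proxy appended) leftwards, skipping our other proxies.
    If the peer is not a trusted proxy the header is ignored entirely: anyone
    can send "X-Forwarded-For: 192.0.2.1", and that must not bypass the block.
    Returns None when the address cannot be parsed.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if xff is None or not _in_ranges(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            cand = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: cannot tell who the client is
        if not _in_ranges(cand, TRUSTED_PROXIES):
            return cand
    return peer  # every hop was one of ours; fall back to the peer address


def decide(remote_addr, xff=None):
    """Return the HTTP status to send: 451 for UK-linked ranges, else 200.

    An address that cannot be determined is treated as possibly in the UK
    (fail closed), the "if in doubt, assume UK" stance the post discusses.
    That is a design choice assumed for this example, not a requirement.
    """
    ip = client_ip(remote_addr, xff)
    if ip is None or _in_ranges(ip, UK_RANGES):
        return 451
    return 200


def app(environ, start_response):
    """Minimal WSGI application applying the policy before serving content."""
    status = decide(environ.get("REMOTE_ADDR", ""),
                    environ.get("HTTP_X_FORWARDED_FOR"))
    if status == 451:
        body = BLOCK_BODY
        start_response("451 Unavailable For Legal Reasons",
                       [("Content-Type", "text/plain; charset=utf-8"),
                        ("Content-Length", str(len(body)))])
        return [body]
    body = b"Welcome: user-generated content would be served here.\n"
    start_response("200 OK",
                   [("Content-Type", "text/plain; charset=utf-8"),
                    ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Serve locally, e.g. for testing with curl -H "X-Forwarded-For: ..."
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```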

Only include sites which direct their activities to, or target, the UK

A second approach would be to move away from the idea of encompassing all sites and services which fall outside the materiality exemptions, and instead apply the framework only to those which intend to receive UK visitors or users.

This is an approach taken in various areas of law and regulation, including the EU GDPR. (For an excellent exposition on the "targeting" principle, see Graham Smith's "Cyberborders and the Right to Travel in Cyberspace".)

If a controller or processor is established in the EU, they are required to comply with the GDPR. An equivalent measure would be to say that, if a service provider was established in the UK, they would be subject to the UK's rules on online harms, although this may just lead to a tech exodus from the UK.

Article 3(2)(a) GDPR imposes obligations irrespective of the controller or processor's place of establishment, by focussing instead on what they are doing:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to ... the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union

The test is not whether someone in the EU is receiving the goods or services, but whether the provider is "offering" them to people in the EU.

Recital 23 says that the test is one of intention:

it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

It goes on to give some examples of what might assist in ascertaining this intention, as well as things which do not suffice:

Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

In other words, the provider must be directing its services to people in the EU: merely having users in the EU is insufficient.

And if an overseas provider is offering goods and services to people in the EU, the provider needs to comply with the GDPR only in respect of people in the EU, and not all of its users (including people outside the EU). Although the text of the Regulation does not clarify this, recital 23 says:

to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation ...

(See our post, The territorial scope of the GDPR, as applied by the High Court, for more detail on this.)

Would this be a sensible approach for the UK's online harms: that the framework should apply to only those service providers who aim to target users in the UK? In my opinion, it is certainly worth considering.

Of the sites and services which are perceived as posing the highest risk, how many would be caught by this approach? And how many of the sites, for which the burden of the regime grossly outweighs the harm they might pose, would fall out of scope?

Other approaches I have not thought of

I'm not pretending that this is a post with all the answers. Not even close.

All I am saying is that, for the numerous reasons above, I am sceptical that we have even begun to ask the right questions when it comes to extra-territorial (purported) impositions.

This needs significant attention, as one of the core issues of the "online harms" regime. Perhaps this is a starting point.

  1. This image is licensed under the Pexels licence.