We’re at a bit of a strange moment in the history of the Internet. Long-standing assumptions about platform freedoms and responsibilities are being tested by a wave of regulation from countries far and wide, including extranational jurisdiction where all of a sudden people are finding themselves subject to laws of countries they’ve never been to.
The age of self-regulation is ending. In 2021 there were three OECD safety regulators. Today, a mere five years later, there are 28.

The two-year-old Global Online Safety Regulators Network brings together independent regulators to cooperate across jurisdictions, which may lead to alignment across nations and regulations, from Fiji to France.
For social media alone, three countries have implemented age restrictions, five have passed laws ready to implement, and 30 more are discussing them or have them under consideration at a national level. For many of us, it’s jarring and unsettling, and this is especially true if you’ve never worked in a regulated industry before.
Internet regulation is generally converging around three main themes:
- Platform integrity: the macro responsibility for elections and social discourse.
- Individual safety: the proactive duty of care for children and vulnerable people.
- Personal agency: mandating data portability and banning manipulative dark patterns.
These new burdens feel sudden and invasive if you’ve spent your career inside the Web’s long-running freedom experiment. For me, however, they follow a pattern I’ve seen before. I think there are some lessons we can learn, and ways we can be better prepared, by looking beyond digital media.
The Myth of Exceptionalism
I started working on the Web in the mid-nineties. It was liberal in the most literal sense: few gatekeepers, no meaningful regulation, and a shared belief that this new thing would disintermediate everything. Media, power, and information were all up for grabs.
“Under construction” signs abounded. Dancing dog gifs ran across Web pages. The Clinton White House specifically told everyone to go nuts, that no amount of regulation could possibly keep up with how fast the Net was innovating. Phrases like “The private sector should lead” and “Governments should avoid undue restrictions” stimulated a self-regulating industry that is now bristling at unwanted government interference.
We built first and worried later. The default assumption was freedom; responsibility was personal rather than systemic. We created a mythos that the Internet was exceptional, as if it were somehow immune to the rules of the offline world.
Then, in 2001, almost by accident, I moved into healthcare.
When Regulation Provokes Outrage
Healthcare is one of the most heavily regulated environments on the planet, and for good reason – lives are at stake. My transition into this world coincided with a wave of mandates designed to break open the black box of medical outcomes. From 1995 to 2000, a range of reforms hit healthcare, built on the back of seminal writings like “To Err is Human” and “Crossing the Quality Chasm”, leading to the creation of state and national report cards on nursing homes, hospitals, physicians and more.
I became one of the people responsible for turning those legal requirements into reality. I was building the databases and public dashboards that the laws now required to make healthcare quality and cost visible to the public. I built, provided data for, consulted or advised on just about every initiative in the US in that decade. I designed and deployed a national data infrastructure for codifying performance, cost and quality data over time. I made a lot of report cards. This made quite a few people very angry.
Clinicians and administrators confronted me directly. They claimed the data was unfair or lacked context. What struck me was that the anger was rarely about the underlying disparities in care. Instead, it was about the act of publication itself, which was now compelled by law. Being made transparent and accountable to the public felt like an attack on their professional identity.
I see that same identity shock today from technologists as they realise their closed systems and unfettered independence are being opened and constrained by similar regulatory tools.
From Hero Culture to Compliance
As healthcare matured, we moved from transparency to interoperability. This arrived with HIPAA in the US. At the time, it was loathed. Technologists complained it was vague, hard to implement, and poorly aligned with how software worked.
Most people assume the P in HIPAA stands for privacy; it actually stands for portability. Regulation did not stop data sharing. It professionalised it, and it shifted the focus from institutional protection to patient-centredness.
We saw the same arc in cybersecurity, as privacy and security became more entwined. It began as a bit of a dark art, which was the era of the hero admin. But as harms and threats accumulated, an industry formed and best practices became auditable compliance. SOC 2, ISO 27001, and FISMA became common parlance. Risk assessments and incident reporting stopped being optional. Cybersecurity and the regulation that requires and enforces it did not kill innovation; it gave us a shared language for risk, and has had demonstrable benefits to society. Data breach disclosure laws, for example, resulted in a significant drop in identity theft incidents. The ID Theft Center reports a major decline in breach notifications, thanks in the main to data privacy regulations (and the fines that come with ignoring them).
The Internet is Catching Up
The Internet is now at this exact same tipping point. What cybersecurity was to data integrity, modern regulation is to platform safety and rights. The idea of a permanently unregulated Internet is simply not credible anymore.
This is not because regulators hate our freedoms. It’s because the Internet is a fundamental and vital utility that now shapes childhood, mental health, and physical safety. When systems reach that level of impact, they get regulated. Period. Whether it’s Australia’s social media ban for minors, the EU’s Digital Safety Act, or the UK’s Online Safety Act, it’s not even a case of “censorial Europe” versus a “free” America. Half of all US states now require age verification for adult content. This is political reality catching up everywhere at once.
Fediverse Operators
If you run a small server, perhaps a local community hub or a niche interest instance, this can feel incredibly intimidating. Regulation sounds like something designed for platforms with a thousand lawyers and a big shiny office in California.
However, most of these laws, and the regulators that enforce them, follow a principle of proportionality. A regulator’s actions must be lawful, legitimate, and proportionate. Lawful means there must be a law allowing an official to take action; legitimate means there is a good reason to act; and proportionate means there is no other way to seek the desired outcome, so the action is the least restrictive option available to the regulator.
You are not being measured against the same yardstick as a multi-billion-dollar platform. The goal is good faith, not perfection. For small services, compliance usually looks like a few clear signals:
- Be reachable: have a clear way for authorities and users to contact you on your About page.
- Be clear: document your policies and how someone can appeal a decision.
- Be informed: use the resources the community is already building.
If a regulator ever comes knocking, they won’t ask why you missed one bad post. They’ll ask “Do you have a process for when things go wrong?” Make sure you have one. And as a start, copy someone else’s. Find a service you like and look at their documentation. Beg, borrow, or steal liberally. Here’s everything I have on toot.wales, for example; help yourself.
The early Web was a gift, but freedom without accountability does not scale. There is one Fediverse, there are a million Fediverses, and there are a thousand regulations each of them has to be ever so gently aware of. Learning to live with a regulated Internet is not a failure of imagination. It’s the next phase of our shared responsibility.
Further Reading
- IFTAS DSA Guide – Guidance specifically for small providers. It breaks the Act down into manageable, actionable steps for Fediverse admins.
- Decoded Legal – This is a brilliant resource for understanding how English law views decentralised services. Their analysis of the UK Online Safety Act is essential reading for anyone running a UK-based instance (and can be insightful for others too).
- The Fediverse Governance Guide – A community-led effort to document best practices for server moderation, transparency reports, and user appeals.
- The IFTAS Community Library – A growing repository of tools and documentation templates. You can find examples of clear, legally-aware content you can adapt for your own community.
- Electronic Frontier Foundation (EFF) – Legal Guide for Online Service Providers – While US-centric, this provides a great foundational understanding of the protections that shaped the Internet and how they are evolving today.
