Three Decades of Online Harm Prove That Self-Regulation Was Never Enough
There is a version of the internet regulation debate that treats government oversight as a novel, heavy-handed intrusion into a space that has functioned perfectly well on its own. Advocates of this position argue that platforms are already doing enough, that existing laws are sufficient, and that any legislative intervention risks stifling the innovation that made the internet great. This argument has been made persistently, passionately, and with considerable political effect since the mid-1990s.
It is also demonstrably wrong — and in 2026, the evidence against it is no longer confined to history. Governments are now legislating with a specificity and urgency that would have been unthinkable a decade ago. The United Kingdom has enacted criminal penalties for possessing AI models optimised to generate child sexual abuse material. Prime Minister Keir Starmer used London Tech Week in June 2026 to announce that Britain intends to become the first country where children cannot take, share, or view nude images on their devices — with Apple and Google given three months to comply before legislation kicks in. Apple, for its part, previewed a suite of new child safety features the same month, including mandatory parental controls for under-thirteens that will ship with iOS later in 2026.
TL:DR – These are not proposals. They are policy in motion. And they are the direct consequence of thirty years of documented harm that the industry declined to prevent on its own.
Contents
- Three Decades of Online Harm Prove That Self-Regulation Was Never Enough
- Why the Internet Has Always Needed Guardrails
- The Early Internet Was Not Innocent
- NetMeeting and the Illusion of Safe Video Communication
- ICQ and the Architecture of Exploitation
- CuSeeMe and the Limits of Academic Good Intentions
- Paltalk and the Persistence of Known Harms
- The Communications Decency Act and the Section 230 Bargain
- The Chatroom Era and the Normalisation of Predatory Behaviour
- MySpace, Facebook, and the Scaling of Known Problems
- The Research Base That the Industry Ignored
- The Child Online Protection Act and the Limits of Judicial Deference
- The FOSTA-SESTA Moment and What It Revealed
Why the Internet Has Always Needed Guardrails
The evidence against self-regulation is not theoretical. It is not speculative. It is three decades of documented harm — predatory exploitation, child abuse, radicalization, fraud, and psychological damage — that accumulated precisely because the internet was treated as a regulation-free zone at the exact moment it needed structural guardrails most. The platforms that enabled this harm were not obscure. They were mainstream products used by millions of ordinary people, and the companies behind them knew what was happening on their networks long before the public did.
This article traces that history in detail, because the history matters. Understanding the current regulatory moment requires understanding how we arrived here, what was ignored, and who paid the price for that negligence.
The Early Internet Was Not Innocent
The popular mythology of the early internet frames it as a golden age of open communication — a digital frontier where curious minds connected freely and information flowed without interference. There is some truth to that framing. There was also, from the very beginning, a darker reality running alongside it.
As soon as communication tools existed online, bad actors used them. This is not a retrospective judgment applied unfairly to pioneers who could not have known better. Law enforcement agencies, researchers, child safety advocates, and journalists documented these harms in real time throughout the 1990s, and platforms chose, repeatedly and consistently, to prioritise growth over safety.
The tools that enabled connection also enabled exploitation. The same anonymity that allowed dissidents to speak freely allowed predators to operate without accountability. The same frictionless communication that made the internet exciting made it dangerous for vulnerable users, particularly children and teenagers who were adopting these platforms in enormous numbers with minimal supervision and no meaningful protection.
NetMeeting and the Illusion of Safe Video Communication
Microsoft's NetMeeting, launched in 1996, was one of the first widely distributed video conferencing tools available to ordinary consumers. It was marketed as a business and personal communication tool — a way to see and speak with colleagues and family members across distances. For many users, that is exactly what it was.
For others, it became something else entirely.
NetMeeting allowed users to connect directly with strangers through public directories. The platform's architecture made it straightforward for adults to contact minors, initiate video sessions, and engage in behaviour that would be recognised today as grooming and exploitation. Because the tool operated largely through peer-to-peer connections and Microsoft maintained minimal oversight of how its directory services were being used, the platform became a known venue for child sexual exploitation within years of its launch.
Law enforcement agencies in the United States and the United Kingdom documented cases involving NetMeeting throughout the late 1990s and early 2000s. The Internet Watch Foundation, established in the UK in 1996 specifically to address online child sexual abuse material, was already tracking the use of video communication tools in exploitation cases during this period. Microsoft eventually discontinued the public directory features and ultimately retired NetMeeting, but not before the platform had demonstrated a pattern that would repeat across the industry for the next three decades: build first, address harms later, and only when external pressure made inaction untenable.
ICQ and the Architecture of Exploitation
ICQ, launched by Mirabilis in 1996 and acquired by AOL in 1998, was for a significant period the most popular instant messaging platform in the world. At its peak, it had hundreds of millions of registered users. It was innovative, influential, and genuinely transformative in how people communicated online.
It was also a documented venue for child exploitation, fraud, and criminal coordination from very early in its existence.
ICQ's design prioritised openness. Users could be searched by age, location, and gender. The platform's directory allowed anyone to find and contact anyone else based on demographic criteria. For parents who understood what this meant in practice, it was alarming. For the children using ICQ without parental oversight, it was a structural vulnerability that predators exploited systematically.
The FBI's Innocent Images National Initiative, launched in 1995 and significantly expanded in the late 1990s, documented the use of ICQ and similar instant messaging platforms in the solicitation and exploitation of minors. Congressional testimony from this period, including hearings before the Senate Judiciary Committee, included specific references to ICQ as a tool being used by individuals seeking to contact children for sexual purposes.
What makes the ICQ case particularly instructive is the timeline. The platform launched in 1996. The harms were documented by federal law enforcement within a few years. AOL acquired the platform in 1998, bringing substantial corporate resources to bear. And yet the fundamental architectural features that enabled exploitation — the open directory, the age-searchable database, the minimal identity verification — persisted for years. The platform was not redesigned around safety. It was redesigned around retention and growth, because those were the metrics that mattered to the business.
This is not an accusation without evidence. It is the documented history of a platform that prioritised user acquisition over user protection during a period when the harms were already known and already recorded.
CuSeeMe and the Limits of Academic Good Intentions
CuSeeMe is a particularly important case study because it originated not in a commercial context but in an academic one. Developed at Cornell University in the early 1990s, CuSeeMe was one of the first video conferencing tools available over the internet. It was a genuine technological achievement, and its creators were motivated by legitimate educational and communicative goals.
It was also rapidly adopted for purposes its creators had not intended and did not want.
By the mid-1990s, CuSeeMe had developed a substantial user base that included individuals using the platform for the distribution of sexually explicit material, including content involving minors. The platform's reflector architecture, which allowed multiple users to connect to shared video streams, made it technically suited for broadcast-style distribution of content to large audiences. That same architecture made it useful for distributing illegal content at scale.
The CuSeeMe case illustrates something important about the regulatory debate that is often overlooked: the problem of online harm is not reducible to corporate greed or bad intentions. Academic institutions, open-source developers, and well-meaning technologists have all built tools that were subsequently weaponised for exploitation. The common factor is not malice. It is the absence of structural requirements for safety built into the design and operation of communication platforms.
When safety is optional, it tends to be treated as optional. When it is required by law, it becomes a design constraint that shapes the product from the beginning. This is why the argument that platforms will self-regulate effectively is not supported by the historical record, even when the platforms in question were not primarily motivated by profit.
Paltalk and the Persistence of Known Harms
Paltalk, launched in 1998, combined text chat, voice communication, and video in a way that was genuinely ahead of its time. It built a large and loyal user base, particularly among communities that found its group chat features valuable for social connection, religious discussion, and cultural community-building.
It also became one of the most extensively documented platforms for child exploitation in the early 2000s.
The cases involving Paltalk are not obscure footnotes in legal history. They include prosecutions in multiple jurisdictions, documented by federal law enforcement agencies, involving the use of the platform to produce, distribute, and consume child sexual abuse material. The Internet Crimes Against Children Task Force Program, a federally funded network of law enforcement agencies, documented Paltalk's appearance in exploitation cases throughout the 2000s.
What distinguishes the Paltalk case from some of its predecessors is that it occurred after the harms of unregulated online communication platforms were already well established. By the time Paltalk's exploitation problem was being documented by law enforcement, the internet industry had already had a decade of evidence that open, minimally moderated video and chat platforms attracted predatory behaviour. The pattern was known. The mechanisms were understood. And yet the structural conditions that enabled exploitation were replicated again.
This is the pattern that makes the self-regulation argument so difficult to sustain on the evidence. The argument requires us to believe that platforms will learn from past harms and voluntarily redesign their products around safety. The historical record does not support this belief. What the historical record shows is that platforms learned from past harms and continued building products with the same structural vulnerabilities, because those vulnerabilities were also features that drove engagement and growth.
The Communications Decency Act and the Section 230 Bargain
No account of the internet's regulatory history is complete without examining Section 230 of the Communications Decency Act, signed into law in 1996. Section 230 is often described as "the twenty-six words that created the internet" — a formulation that captures its significance while somewhat obscuring its original intent.
The provision states that "no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." In practice, this means that platforms are not legally liable for content posted by their users in the way that publishers are liable for content they publish.
The original rationale for this protection was reasonable. In 1996, the internet was genuinely new, platforms were genuinely small, and the argument that holding them liable for all user content would crush innovation before it could develop had genuine merit. The provision was also intended, in part, to encourage platforms to moderate content without fear that doing so would make them legally responsible for everything they failed to catch.
What happened instead was that Section 230 became a near-absolute shield against accountability, applied in ways that went far beyond its original scope. Courts interpreted it broadly, platforms relied on it extensively, and the incentive to invest seriously in safety was substantially reduced because the legal consequences of failing to do so were minimal.
The harm this created is not hypothetical. It is documented in case after case spanning three decades, in which platforms with knowledge of ongoing exploitation on their networks were shielded from accountability by Section 230 protections. The provision that was intended to encourage responsible moderation became, in practice, a mechanism for avoiding it.
This is not an argument that Section 230 should be eliminated entirely. It is an argument that the version of Section 230 that has existed in practice bears little resemblance to the version that was intended, and that the gap between those two things has had serious consequences for real people.
The Chatroom Era and the Normalisation of Predatory Behaviour
The late 1990s and early 2000s saw the explosive growth of online chatrooms across multiple platforms, including AOL Instant Messenger, Yahoo Chat, MSN Chat, and dozens of smaller services. These platforms attracted enormous numbers of young users, and they attracted predators in proportion.
The scale of exploitation during this period is documented in ways that should make the self-regulation argument impossible to sustain. The FBI's Crimes Against Children Research Center estimated in studies from this period that approximately one in five children who used the internet regularly received unwanted sexual solicitations online. The National Center for Missing and Exploited Children was receiving reports of online enticement numbering in the thousands annually by the early 2000s.
These were not unknown facts. They were published, publicised, and presented to Congress. Platform companies were aware of them. And the industry's response was largely to argue that the problem was one of parental supervision rather than platform design — that education was the solution rather than structural change, and that government intervention would harm innovation.
This argument was made repeatedly and with considerable sophistication. It was also, as the continuing pattern of harm demonstrated, wrong. Education and parental supervision are valuable. They are not substitutes for structural safety requirements built into the platforms themselves. A parent cannot supervise a child's every interaction on a platform designed to facilitate private, anonymous communication with strangers. Placing the entire burden of safety on families while absolving platforms of structural responsibility is not a principled position. It is an industry talking point wearing the costume of a liberty argument.
MySpace, Facebook, and the Scaling of Known Problems
The mid-2000s brought the rise of social networking platforms, and with them the scaling of problems that had been documented for a decade. MySpace, which dominated social networking before Facebook, was the subject of significant law enforcement attention for its role in facilitating contact between adults and minors. State attorneys general from multiple states reached agreements with MySpace in 2008 requiring the platform to implement age verification and safety measures — a settlement that implicitly acknowledged the platform had not been doing enough voluntarily.
Facebook's early history includes its own documented problems with privacy, data exploitation, and the facilitation of harm. The platform's aggressive growth strategy, which prioritised user acquisition and engagement above other considerations, created conditions in which safety was consistently subordinated to scale.
The pattern across all of these platforms is consistent: documented harm, industry resistance to structural change, eventual external pressure from law enforcement or regulators, limited and often inadequate response, and the continuation of harm in modified forms. This is not a pattern that suggests self-regulation works. It is a pattern that demonstrates, repeatedly and across different companies and different eras, that it does not.
The Research Base That the Industry Ignored
One of the most important aspects of the internet harm debate that is consistently underweighted in public discussion is the extent to which the harms were not only documented by law enforcement but studied by academic researchers, often funded by institutions with no particular interest in regulatory outcomes.
Research published in peer-reviewed journals throughout the 2000s and 2010s documented the relationships between platform design, online exposure, and harm. Studies examining the psychological effects of online harassment, the mechanisms of online grooming, the relationship between platform architecture and predatory behaviour, and the inadequacy of existing self-regulatory measures accumulated into a substantial body of evidence.
The American Psychological Association, the American Academy of Pediatrics, and numerous other professional organisations issued statements and published research documenting the harms of unregulated online environments, particularly for children and adolescents. This research did not emerge from nowhere. It emerged from documented patterns of harm that researchers were observing in clinical and community settings.
The industry's response to this research was, in many cases, to fund its own research, to challenge the methodology of studies that produced unfavourable findings, and to argue that the evidence was insufficient to justify regulatory intervention. This response mirrors the playbook used by the tobacco industry in the mid-twentieth century, and the parallel is not coincidental. It is a documented strategy for managing inconvenient scientific evidence.
The Child Online Protection Act and the Limits of Judicial Deference
Congress did not ignore the documented harms of the early internet entirely. The Child Online Protection Act, passed in 1998, attempted to restrict online distribution of material harmful to minors. It was immediately challenged in court, and it spent the better part of a decade in litigation before being struck down by the Third Circuit Court of Appeals in 2008 — a decision the Supreme Court declined to review.
The legal history of COPA is instructive not because the law was necessarily well-designed, but because of what its failure revealed about the difficulty of addressing online harm through existing legal frameworks. The courts applied First Amendment analysis in ways that made it extremely difficult to impose content-based restrictions on online communication, even restrictions targeted at protecting children from demonstrably harmful material.
This legal landscape created a situation in which Congress was constrained in what it could legislate, platforms were shielded by Section 230 from civil liability, and the harms continued to accumulate. The argument that existing law was sufficient to address online harm was not credible in the late 1990s. It is not credible now.
The FOSTA-SESTA Moment and What It Revealed
The passage of the Allow States and Victims to Fight Online Sex Trafficking Act and the Stop Enabling Sex Traffickers Act, collectively known as FOSTA-SESTA, in 2018 was a significant moment in the history of internet regulation, and not only for the reasons most commonly discussed.
The legislation amended Section 230 to remove liability protections for platforms that knowingly facilitated sex trafficking. It was controversial, and the debate around it revealed important fault lines in the regulatory discussion. Critics argued that it would harm sex workers by forcing platforms to shut down spaces where they operated more safely. Supporters argued that it was a necessary step toward holding platforms accountable for known harms.
Both of these things can be true simultaneously, and the complexity of the FOSTA-SESTA debate actually strengthens the case for thoughtful regulation rather than weakening it. The lesson of FOSTA-SESTA is not that regulation is impossible or inevitably harmful. It is that regulation is difficult, requires careful design, and must be developed with input from affected communities. None of those lessons support the argument that regulation should not happen. They support the argument that it should happen carefully and with appropriate expertise.
What FOSTA-SESTA also revealed was that the platforms affected by it had, in many cases, already been aware of the trafficking activity occurring on their networks. Backpage.com, which became a central focus of the legislative debate, was the subject of a Senate Permanent Subcommittee on Investigations report in 2017 that documented the platform's active role in facilitating sex trafficking, including the trafficking of minors. The report found that Backpage had not simply failed to prevent trafficking but had actively modified its moderation practices in ways that made trafficking easier to conduct on the platform.
This is not an edge case. It is a documented example.
