Myth #03: Code is law.
Riikka Koulu

Myth: Code is law. The software codes have become focal, or even the primary tool for regulating human behaviour and asserting social control. The Internet is also averse to governmental regulation and thus in need of alternative strategies such as self-regulation and regulation by code.


Busted: It is undeniable that coded environments have a normative dimension that influences possible actions of Internet users. However, this does not mean that existing societal and legal structures would automatically disappear or become inefficient in online environments; and neither was this Lessig’s original argument. According to Lessig, technical infrastructure is only one form of cyberspace regulations alongside with law, social norms, and the market. Lessig’s stance can be seen to represent cyberpaternalism, as it depicts concern for the covert, opaque and insidious control that the codes presents, which in Lessig’s view needs to be remedied by legislations and transparency of both online and offline regulations.

Ultimately, code is law is an oversimplification of a much more complex regulatory landscape, reflecting the disbelief in the states’ ability to regulate cyberspace as coined in the 1996 Declaration of Independence Cyberspace and often misquoted for political ends. (#1) The approach does not take into account that modern law is not bound to the state but is also international and pluralistic. (#2) Hence, transnational nature of Internet does not mean that online behaviour would remain beyond the grasp of state and non-state offline actors, as e.g. the attempts to regulate platforms, data governance, and consumer protection in e-commerce demonstrate.

Lessig’s observation that in cyberspace social control is exerted through technological architecture holds true. It also reflects earlier insights into normative technologies, which focused on social engineering through architecture and technological artefacts. As Leenes describes, code is law resembles other “design-based control mechanisms [that] are extremely powerful because they act ex ante rather than ex post” and that do not involve sanctions in the typical sense (Leenes 2012, 147). Technical infrastructure is not sufficient, as it is not able to entirely remove conflicts, which then require ex post mechanisms for dispute resolutions provided by law.

The normativity of technology differs from legal normativity. Hildebrandt describes technological normativity as “the way a particular technological device or infrastructure actually constrains human actions, inviting or enforcing, inhibiting or prohibiting types of behavior”. Unlike legal normativity, technological architecture does not rely on the state’s authority and monopoly of violence nor is it produced through democratic procedure (Hildebrandt 2008, 176).


Truth: Sociolegal scholarship has produced a more complex and nuanced approach to describe the intricate interplay of technical, legal, and social rules that define and regulate human behaviour online. For example, concepts of legal pluralism or techno-regulation can be used to describe the complexity of Internet regulation that consists of multiple state and non-state actors and layers of legal, social, and technical regulation.


Source: Mireille Hildebrandt, Legal and Technological Normativity: More (and Less) Than Twin Sisters (2008) 12(3) Techné: Journal of the Society for Philosophy and Technology (2008), 169-183,; Ronald Leenes: Framing Techno-Regulation: An Exploration of State and Non-State Regulation by Technology, Tilburg Law School Legal Studies Research Paper Series No. 10/2012, available at: