Stories from the Secure Uplink
A takedown notice, a dead server, and a Hans Zimmer bass solo

We receive takedown notices regularly. They come from individuals, lawyers, companies, and governments. This post is part of a series where we document how we handle them, both the routine cases and those that reveal something worth discussing publicly. Takedown notices that concern child abuse carry a stricter legal burden than most: hosting providers must act within 24 hours. That urgency is appropriate. But it also makes the abuse of such notices particularly damaging. It consumes exactly the attention that genuine cases deserve and undermines the diligence required to evaluate every request carefully. This blog post illustrates that pattern.

What happened

In May 2025, we received a takedown notice from the German Federal Criminal Police Office, the Bundeskriminalamt (BKA). The notice claimed that images of child abuse were being distributed from one of our servers. We evaluated the request immediately. It was clear the claim was unfounded:

  • The server named in the request had been offline for approximately six months.
  • It was an Invidious instance, a front-end proxy for YouTube, not a content host.
  • The first video flagged by the BKA was an excerpt from a conversation with composer Hans Zimmer and David Ebberts.
  • The second video was a song by Spanish composer Plácido Domingo.

We replied only two hours later, asking the BKA for clarification and the basis of their request. We received no response. Given how clearly the case illustrated the misuse of an urgent legal mechanism by a government authority, we forwarded it to netzpolitik.org, a German newsroom covering digital rights and internet policy. One week later, only after netzpolitik.org had contacted the BKA, two emails arrived. The first was an automatically generated reminder claiming we were still distributing child abuse material. The second informed us that all previous notices had been sent in error and should be disregarded.

What we found

The notice contained two links to content the BKA claimed depicted child abuse. Both pointed to publicly available, entirely benign material. The server referenced had not been operational for two years at the time the notice was issued.

The videos are publicly accessible. The links in the BKA notice pointed to our Invidious proxy. Replacing the proxy domain with youtube.com takes you straight to the originals:

To give you the highlight straight away: Hans Zimmer’s keyboard slap-bass solo.

Why this matters

Laws governing takedown notices for child abuse material set strict timelines for hosting providers. Miss the deadline, and serious legal penalties follow. That burden is reasonable when the underlying request is legitimate. But the same laws impose no equivalent obligation on those who file the notices. Filing a false notice carries no consequences. When notices are generated automatically, as we believe was the case here, the sender is effectively outsourcing their verification work to us. That is not a workable system. A hosting provider cannot responsibly handle a flood of automated escalation requests while giving each one the attention it deserves.

The timeline of this case makes the point plainly. The BKA did not respond to our request for clarification. The retraction arrived only after a journalist contacted them. We do not think that is a coincidence. Without press pressure, we believe the false notice would never have been formally acknowledged. That is not how accountable enforcement works.

What policymakers can do about this

The Digital Services Act places significant obligations on hosting providers. It should place equivalent obligations on those who issue takedown notices. Filing a false or unverified escalated notice should carry legal consequences. Hosting companies need a clear means to hold abusive filers accountable, whether those filers are bad-faith actors or institutions that simply did not do their homework before hitting send. This asymmetry also has structural consequences. Large platforms can absorb the cost of processing automated requests through AI moderation and content review teams. Companies like FlokiNET cannot. When enforcement design ignores this, hosting consolidates around the few companies large enough to comply. The diversity and decentralisation of the internet shrinks. Enforcing laws against illegal content is a legitimate goal. But the tools used to do it should not systematically disadvantage the smaller providers that keep the internet from becoming the property of a handful of corporations.
