Spain Just Proved Why ISPs Can't Be the Internet's Content Police

Earlier this year, I wrote about Bill S-209 and its deeply flawed premise: that we can protect kids from pornography by conscripting ISPs into blocking content at the network level. My core argument was that IP-level and DNS-level blocking is a sledgehammer, and that the collateral damage would be enormous. At the time, some people pushed back with "well, it would be more targeted than that" or "the technology has improved." Well, Spain just gave us a real-time, ongoing demonstration of exactly how wrong they are.

La Liga vs. The Internet

For those not familiar, here's the situation: in December 2024, a commercial court in Barcelona authorized La Liga (Spain's top football league) to require Spanish ISPs, including Movistar, Vodafone, and Orange, to block IP addresses associated with unauthorized streaming of football matches. The court upheld the ruling again in March 2025, and La Liga has been running with it ever since. The result? Every weekend during the football season, roughly 3,000 IP addresses get blocked across Spain. Not 3,000 pirate streaming sites. 3,000 IP addresses. And because the modern internet runs on shared infrastructure like content delivery networks (CDNs), blocking one IP address doesn't just take down one site. It takes down every site that shares that address.

Cloudflare, which serves a significant chunk of the world's web traffic, has been hit hard. So have Vercel (a major platform used by developers and businesses), GitHub Pages, and Docker registries. Spanish developers have reported being unable to pull container images or deploy code because La Liga decided those IP addresses were being used for pirate streams, and the ISPs dutifully blocked them, taking out everything else hosted there in the process. This isn't a theoretical risk I'm warning about for Canada. This is happening right now, in a developed European democracy, every single weekend.

"Just Use a VPN" (Until They Block Those Too)

The standard response to overblocking has always been "just use a VPN." And sure, VPNs work. Proton VPN reported a 200% surge in sign-ups from Spain after the blocking started, which tells you everything you need to know about how well IP blocking works as a content control measure: it mostly just drives people to circumvention tools. But wait, there's more. La Liga anticipated this, and in February 2026, a court in Córdoba ordered NordVPN and Proton VPN to block access to IP addresses identified as streaming La Liga matches. The court classified VPN providers as "technological intermediaries" under the European Digital Services Act. The orders were issued inaudita parte (without hearing from either VPN company). NordVPN called the approach "unacceptable." Proton VPN said they weren't even aware proceedings had taken place.

So the playbook is clear: block IP addresses, watch people move to VPNs, then try to block the VPNs too. It's whack-a-mole all the way down. And here's where it gets really absurd. You can't actually block VPNs without breaking the corporate world. Every company with remote workers relies on VPN connections to access internal networks. Every hospital system, every bank, every government department. If you blanket-block VPN protocols, you don't just stop people from watching pirated football, you stop an enormous chunk of legitimate business activity. (Although, I'll admit, it would be one creative way to enforce those return-to-office mandates that keep popping up.)

The Blast Radius Problem

The core issue is something I raised in my S-209 piece: the internet doesn't work the way legislators and rights holders think it does. Twenty years ago, blocking an IP address might have taken down one website. That was already problematic (remember when Telus blocked one site and took out 766 others in 2005?), but today it's orders of magnitude worse. The modern internet is built on shared infrastructure. Cloudflare alone handles a massive percentage of global web traffic. A single Cloudflare IP address might serve thousands of completely unrelated websites, from a local bakery's online ordering page to a government health portal to a developer's Docker registry. When La Liga tells an ISP to block that IP, all of those sites go dark for every user on that ISP's network.

Cloudflare CEO Matthew Prince put it bluntly, warning that it's only a matter of time before a Spanish citizen can't access a life-saving emergency resource because of these blocks. Vercel's leadership called it "unaccountable internet censorship." Vodafone Spain admitted there is no effective mechanism to prevent collateral damage. These aren't fringe voices. These are the companies that literally run the infrastructure of the internet telling you that this approach is broken.

This Isn't Just About Football

I keep coming back to this because the pattern is always the same, whether the stated goal is stopping piracy or protecting children. The goal sounds reasonable. The mechanism chosen is network-level blocking. And the consequences are predictable and severe. In Canada, we've already seen this playbook with the GoldTV case, where rights holders got ISPs to block a pirate streaming service. We've seen the push to block IPTV services. Bill S-209 would add pornography to the list of things ISPs are expected to filter. And once that infrastructure exists, once ISPs have the technical capability and the legal framework to block content on demand, the requests won't stop. Copyright holders, political actors, and anyone else with enough legal resources will line up to use it.

Spain is showing us the future that Bill S-209 is building toward. Not a future where kids can't access porn (they'll just use VPNs, like the Spanish football fans did). A future where legitimate businesses lose access to their tools, where developers can't deploy code, where emergency services might become unreachable, all because a sports league or a government agency decided to block an IP address that happened to be shared by thousands of other services.

So What Can We Do About This?

Let me be clear: the underlying problems are real. Kids accessing adult content online is a legitimate concern. Copyright infringement is a legitimate concern. I'm not dismissing either of these issues. But ISP-level blocking is not the answer. It never was. The Spain situation proves that it doesn't effectively stop the targeted behaviour (people just switch to VPNs), it causes massive collateral damage to innocent bystanders, and the escalation path (blocking VPNs, expanding the scope) leads somewhere nobody should want to go.

The bottom line is this: we need solutions that target the actual problem without breaking the internet for everyone else. That means platform accountability, where the companies hosting and distributing content bear responsibility for age verification and content moderation. It means investing in digital literacy and parental tools that actually empower families. It means working with CDN providers like Cloudflare through their existing, functional takedown processes rather than having ISPs carpet-bomb IP ranges. What it doesn't mean is handing ISPs a mandate to be the content police of the internet. They aren't equipped for it, the technology doesn't support it, and Spain is proving in real-time that the collateral damage is exactly as bad as critics predicted.

Every weekend, Spanish developers can't pull Docker images because there's a football match on. That's not a policy success story. That's a cautionary tale, and Canadian lawmakers would do well to pay attention before they build the same broken system here.