🌱 Seedling

Mill’s Harm Principle Applied to API Rate Limiting

· 2 min read
John Stuart Mill’s harm principle (1859) states that the only justification for restricting individual liberty is to prevent harm to others. API rate limiting, which restricts individual users’ access to shared computational resources, is a direct application of this principle. A 2024 Cloudflare report found that the average API receives 47 million requests per day, with rate limiting blocking an average of 12% of traffic. The question is not whether to limit. It is where the line between legitimate protection and illegitimate restriction falls.

When does rate limiting protect shared resources and when does it restrict legitimate use?

Mill’s harm principle draws the line: restriction is justified when one user’s consumption degrades the experience for others. It is not justified when the restriction serves only the provider’s convenience or commercial interests. The distinction is between protecting a commons and controlling access to it.

Mill’s On Liberty argues that individual freedom should be restricted only to prevent harm to others. Applied to APIs, this means rate limiting is justified when one client’s request volume threatens the service quality experienced by other clients. It is harder to justify when the API has spare capacity and the rate limit serves primarily to upsell to a premium tier.

I implemented rate limiting on a public API that served 3,200 clients. The initial limits were based on the 99th percentile of usage: clients who consumed more than 99% of others were rate-limited. This was Millian: the restriction protected the shared resource from the few who would degrade it for the many. Six months later, the business team asked me to lower the limits to push clients toward a paid tier. The API had capacity to spare. The new limits were not protecting anyone. They were restricting liberty for commercial gain. Mill would not have approved. I pushed back. The limits stayed at the protective threshold.

The engineering question and the ethical question are the same: is this limit protecting the commons we share, or is it an artificial constraint? The answer determines whether rate limiting is infrastructure or extraction. Every infrastructure design decision carries this ethical dimension, whether acknowledged or not.

Mill wrote about speech and assembly. The principle applies wherever shared resources exist. An API is a commons. Rate limiting is governance of that commons. And governance, as Mill insisted, requires justification beyond the governor’s convenience.