VPNs a navigable challenge for age assurance sector, says AVPA

What to do about Virtual Private Networks? The VPN question is on the minds of many organizations and legislators navigating new online safety laws that aim to restrict minors’ access to adult content.
Following the imposition of the Online Safety Act (OSA) in the UK, VPNs have seen huge spikes in downloads, suggesting many users are savvy enough to download a readily available workaround for age assurance requirements.
A post from the Age Verification Providers Association (AVPA) runs through the points about VPNs that the organization has made throughout the legislation process. In particular, it looks to debunk two commonly encountered assertions.
The first is that age assurance is legally designed as absolute prevention. Rather, says AVPA, it “sets a performance standard: the service must be ‘not normally accessible’ to minors.” Only if it can be proven that a majority of those downloading VPNs are minors, and not just privacy-conscious adults, would a formal noncompliance situation arise. And while some kids will go the extra mile to watch porn, in a “not normally accessible” situation, many will simply not bother.
The second is the so-called “VPN fallacy.”
“Some argue that because VPNs exist, any age assurance system will fail,” AVPA says. “This leads to the mistaken belief that age-restricted sites are exempt from compliance if users connect through a VPN.”
“As we have argued before, this is not true. Legislation we have reviewed globally, including the UK’s Online Safety Act (2023) and similar measures in Australia or U.S. states, offers no such exemption. In practice, there are ways to detect and address circumvention and there is no need to even consider banning VPNs outright.”
For one, age assurance systems that use digital intelligence tactics are capable of figuring out if someone is using a VPN. In the latest episode of the Biometric Update Podcast, Socure’s Chief Growth Officer, Rivka Little, says biometrics and digital ID providers know the playbook by now.
“The first thing people try to do is mask themselves digitally so they can come in another way,” she says. “For us, our digital intelligence product looks at device attributes, but it also looks at emulators, and looks for the presence of risky VPNs specifically. We are able to now track full sets of risky domains.”
Fraud prevention handbook has tools for VPN challenge
On the question of detecting and responding to VPN use, AVPA has a few notes on industry-standard techniques. It lists checking IP addresses against databases of known VPN servers, analysing patterns of traffic such as sudden shifts in IP location or signatures from protocols like OpenVPN, and identifying mismatches between IP location and other device or browser signals, such as language or timezone.
“While advanced VPNs using obfuscation or dedicated IPs can evade detection, these methods are widely used in fraud prevention and, when combined, can identify commercial VPN use with high confidence,” AVPA says.
What about the question of who is an adult and who isn’t? Step two in AVPA’s recommended process is to assess a likely user profile to gauge whether it’s a UK-based minor or an adult using the VPN for privacy, using behavioral clues that are “probabilistic, not definitive.”
The final step is to ask for proof. “If the behavioural profile suggests a UK-based minor, the service can offer a choice.” They can do an age assurance check deemed “highly effective” or consent to a one-time geolocation to confirm foreign location via GPS, Wi-Fi network mapping and mobile mast triangulation.
“This does not mean continuous location tracking. The user must agree to share enough location data to confirm their jurisdiction only at the point where they would otherwise need to prove their age. And if they don’t wish to reveal where they are, they can just prove their age instead.”
Geolocation, AVPA notes, “is used every time a US gambler places a bet online, to confirm they are in a state where that is legal. While spoofing is possible via extensions or modified devices, it is not ‘normal’ for minors and supports the law’s performance standard. Critically, it’s not IP-based, so VPNs don’t affect it – the location comes from the device itself.”
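The three-step flow AVPA describes (detect VPN use, weigh the behavioural profile, then offer a choice) can be sketched as follows. This is an added example, not AVPA's or any vendor's code; the VPN range, timezone table, score threshold and the rule for combining signals are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: an RFC 5737 documentation range stands in for a commercial
# VPN-exit database, and the timezone table is a toy.
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
COUNTRY_TIMEZONES = {"GB": {"Europe/London"}, "NL": {"Europe/Amsterdam"}}
REGULATED = "GB"
MINOR_THRESHOLD = 0.5  # assumed cut-off for the step-two behavioural score


@dataclass
class Visit:
    ip: str
    ip_country: str        # from an upstream GeoIP lookup (assumed)
    timezone: str          # browser-reported IANA zone
    locale: str            # browser-reported, e.g. "en-GB"
    uk_minor_score: float  # step two: probabilistic, supplied by another system


def vpn_signals(v: Visit) -> list[str]:
    """Step one: collect independent indicators of commercial VPN use."""
    signals = []
    addr = ipaddress.ip_address(v.ip)
    if any(addr in net for net in KNOWN_VPN_RANGES):
        signals.append("known_vpn_ip")
    zones = COUNTRY_TIMEZONES.get(v.ip_country)
    if zones is not None and v.timezone not in zones:
        signals.append("timezone_mismatch")
    if "-" in v.locale and v.locale.split("-")[-1].upper() != v.ip_country:
        signals.append("locale_mismatch")
    return signals


def decide(v: Visit) -> str:
    """Steps two and three: never block outright, only choose the next prompt."""
    if v.ip_country == REGULATED:
        return "age_check"      # in scope without any VPN question
    signals = vpn_signals(v)
    # Assumed combining rule: a database hit alone, or any two mismatches.
    suspected = "known_vpn_ip" in signals or len(signals) >= 2
    if not suspected or v.uk_minor_score < MINOR_THRESHOLD:
        return "allow"          # likely abroad, or an adult using a VPN
    return "offer_choice"       # age check OR one-time device geolocation
```

The "offer_choice" outcome is the point where the user either completes an age check or consents to a single device-side location fix; no branch denies access on VPN use alone.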
Laws, tech should evolve as patterns emerge
AVPA’s conclusion is that “digital services using age assurance to remain compliant can do so by detecting VPN use, assessing risk using behavioural clues, and giving flagged users the option to verify their age or prove their location.”
It points to the need for flexibility in the design and implementation of regulations for biometrics and age verification. For political leverage, some would call VPNs the nail in the coffin of age assurance generally. But in truth these laws and technologies are works in progress, and must, to some degree, function with the same iterative quality as the tech itself. VPNs may be a problem for age verification laws today, but there are already those working to solve it.
There are also those developing the next workaround. A post on the Y Combinator message board advertises the latest from “cloud-based DNS resolver service” NextDNS: “We just shipped a new feature in NextDNS: Bypass Age Verification,” it says.
“More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue. We think that’s a terrible idea: handing over government documents to random sites is a huge privacy risk. This new setting workarounds those verification flows via DNS tricks. It’s available today to all users, including free accounts.”
Coverage in PPC Land says NextDNS’ technical implementation relies on “DNS-level geographic spoofing” that resolves domain names to IP addresses and redirects requests through proxy servers in jurisdictions without age assurance laws. “From the website’s perspective, traffic appears to originate from the proxy server’s location rather than the user’s actual country.”
The system does not yet work for every scenario; notably, it does not circumvent YouTube’s measures to restrict adult content, which require user account authentication. Nonetheless, NextDNS (which is operated by former executives from Netflix and Dailymotion) has plans to iterate.
That doesn’t quite put it afoul of UK regulator Ofcom, which specifies that platforms “must not host, share or permit content that encourages use of VPNs to get around age checks.” But the same spirit is sure to apply to those offering other ways to get around OSA’s regulations.
Having taken on Big Porn, will Ofcom have the resources to pursue every VPN touting itself as a way to skip age checks, or those looking at other ways around age verification? Ofcom has touted the sharpness of its teeth in preparing to enforce the OSA. But VPNs and their offshoots will test its chompers’ strength.