VPNs on regulatory block in EU, UK as lawmakers address age check circumvention

A philosophical tug-of-war is at play in the debate over whether Virtual Private Networks (VPNs) enable easy circumvention of age assurance mechanisms.

On the one hand, there is the notion that biometric age checks have users flocking to VPNs to protect their anonymity. A paper newly pushed out by the European Parliamentary Research Service (EPRS) suggests “there has been a significant surge in the number of virtual private networks (VPNs) used to bypass online age verification methods in countries where these have been put in place by law.”

Given this, some see VPNs as a “loophole that needs closing,” arguing that “access to VPN services should be restricted to users above a digital age of majority.” The UK has floated this idea, as well. And in the U.S., Utah recently passed Senate Bill 73, which explicitly applies to anyone in Utah, regardless of whether or not they are pretending to not be in Utah by using a VPN.

A competing idea says VPNs represent the spirit of a free, anonymous internet free from censorship and surveillance. Regulating VPNs would mean everyone, everywhere doing age checks – and the spike in use as a workaround for age verification legislation simply proves that the laws as structured do not and cannot work.

So far, the age assurance industry’s response to the latter argument has involved pointing out that compliance doesn’t stop counting when users turn to VPNs. In a sense, the Age Verification Providers Association (AVPA) agrees with the loophole theory, but doesn’t see the need to ban VPNs: “in practice, there are ways to detect and address circumvention and there is no need to even consider banning VPNs outright.”

VPNs not charities, can also exploit user data for gain

Another argument that may ultimately have more force is highlighted in a “multi-perspective study of VPN users and VPN providers” conducted by researchers at the University of Michigan in 2023. Whereas age assurance is fighting against the idea that it invades privacy, VPNs are positively associated with privacy – but that reputation may be unearned. A quantitative survey of 1,252 VPN users in the U.S. and qualitative interviews with nine providers show that “users rely on and trust VPN review sites, but VPN providers shed light on how they are mostly motivated by money.” Worryingly, say the researchers, “we find that users have flawed mental models about the protection VPNs provide, and about the data collected by VPNs.”

Like age assurance providers, VPNs are online businesses with a bottom line. Unlike age assurance providers, they aren’t regulated.

“Commercial VPNs are now a multi-billion global industry with numerous VPN providers, and apps on almost every platform,” says the research paper. “As our VPN provider interviews highlight, many of these companies have unknown ownership and multiple providers mention that setting up a VPN and offering a service is not technically difficult, especially with the existing open source solution.” One provider suggests that “two people in a basement with half-decent power can run a VPN.”

That’s a lot of uncertainty shouldering a lot of risk. “In simple terms, a user using a VPN is simply transferring trust, say from their internet provider, onto the VPN provider,” the paper says. “internet service providers (ISPs) have been around for longer and have many regulations globally. However, such regulations and advocacy has not yet caught up to the VPN industry.”

The notion that VPNs increase privacy hinges on the assumption that VPN companies will respect and not exploit users’ private data for profit. That’s a convenient bit of optimism that highlights a largely unspoken truth: VPN providers benefit from an unearned trust of the sort the age assurance industry is trying to earn.

Article Topics

age verification  |  biometrics  |  EU age verification  |  regulation  |  UK age verification  |  VPN (virtual private network)