
It’s been one month since the Online Safety Act’s age-verification requirements came into effect, and already Dame Rachel de Souza, England’s children’s commissioner, has called for a legislative clampdown on virtual private networks (VPNs).
VPNs enable individuals or organisations to route their web traffic through encrypted ‘tunnels’ to servers around the world. VPN users, therefore, can avoid any internet restrictions in their home jurisdiction.
For this reason, said De Souza, easily available VPNs present a “loophole” in the Online Safety Act, which “must be closed”. Although she has not called for an outright ban on the networks, she has suggested that age-verification requirements be extended to VPN downloads.
Peter Kyle, the technology secretary, has previously ruled out any blanket bans on VPNs, acknowledging that there are many legitimate uses for the technology. But could parliament limit the use of VPNs in the UK? And, if it did, would the restrictions be enforceable? Security experts weigh in.
“We may need a more analogue solution – better parenting”
In the classic arcade game Whac-A-Mole, players smack animatronic moles as they pop up out of their holes. But each time a critter is smacked down, another one pops up to take its place. The supply is seemingly endless. The ceaseless smacking – hammering away at problems as they continuously arise – might make for an enjoyable arcade game, but it’s not a wise approach when it comes to cybersecurity.
The success of any policy depends on the ability of the organisation to enforce it. For example, imagine a policy to stop the sun from rising over London tomorrow. This may sound like an interesting policy, particularly during a warm spell, but, of course, there is no way to enforce it. The grandest, most well-intentioned policies are useless if they cannot be enforced.
Protecting our youngest citizens is extremely important, but, all too often, policies to achieve this goal are circumvented quickly and easily; they are unenforceable. It is difficult, if not impossible, to protect minors with policies of this nature. Instead, they merely create more regulatory burdens for service providers.
So what options do we have as a society? Sadly, we may need a more traditional, analogue solution – better parenting.
“The only way to achieve this is complete censorship”
The Online Safety Act was poorly thought through: of course people were going to circumnavigate the measures. All the act does is push users to VPNs or the Tor browser. And, in the case of Tor, young users could be exposed to much worse content than they’d find on the normal internet.
Banning VPNs would be ludicrous. The majority of organisations use VPNs for secure connections to customers, staff and sites. VPNs from non-corporate networks also have many legitimate uses, especially in the gig economy, so banning those could lead to economic disruption as well.
Moreover, it would be extremely difficult to enforce a VPN ban without forcing every internet provider to the UK to apply the restrictions, resulting in broad internet censorship. To successfully block access to sites, the UK would ultimately have to replicate a Russia- or China-style network to control the flow of all information in the country – at which point there would likely be riots in the streets. It’s not a route to be entertained.
Individual websites can’t shoulder the burden either, because restrictions differ across countries. Although sites can see whether traffic is coming from a VPN and could choose to drop it, they don’t know if the user behind it is in the UK or the US, for example. Technology can’t solve this. The only option is to enforce a know-your-customer process where users must be registered and provide some form of ID.
The internet is globally interconnected; if the UK puts in place one set of controls, people will find a way around it using systems in other countries. The only way to legislate against VPNs is to implement complete censorship.
“In a difficult economic climate, overhauling secure connection and remote access architecture will come with significant challenges”
A ban on the use of VPNs would be a step in the wrong direction, given the number of businesses that rely on the networks to ensure secure remote access to sensitive data.
Many firms, including those in critical-infrastructure sectors, use VPNs to enable employees to access company servers from remote locations, including their home offices. A blanket ban on VPNs would, therefore, force organisations to re-think their secure connection methodologies.
Beyond the business impacts, banning VPNs would threaten the privacy and security of everyday consumers who use the technology to connect to public Wi-Fi networks, access services while travelling internationally, safeguard personal communications from surveillance and maintain privacy in regions with restrictive internet policies. Eliminating this protection would leave consumers vulnerable to data breaches, identity theft and privacy violations, while potentially driving them towards less-secure or unregulated alternatives.
In this difficult economic climate, overhauling secure connection and remote access architecture would create significant logistical and operational challenges for businesses. If firms can no longer use VPNs for remote access to secure servers, they would be forced to transition to alternative secure-access solutions, such as zero-trust network access or software-defined perimeter technologies, often integrated with robust identity- and access-management (IAM) frameworks to verify credentials and manage permissions.
While identity-driven access is arguably more secure than VPNs, forcing a wholesale adoption through a VPN ban would cause an abrupt transition that would disrupt operational stability. Upgrading access architecture would require significant financial and team resources to ensure that central infrastructure, such as servers, is fully upgraded. For businesses reliant on legacy systems, this will be a much heavier lift as their current infrastructure may not support modern secure-access protocols, such as IAM. Moreover, businesses must ensure that all endpoint devices are compatible with the new protocols.
Larger enterprises may be able to cope with the changes, but SMEs will inevitably be disadvantaged given their relatively limited resources. During Covid, we saw that some organisations were ill-prepared for remote access and, while they quickly adopted VPNs to support the transition, much of that capital investment is still being depreciated on company books.
It’s unclear whether the VPN debate will result in an outright ban. But businesses should get on the front foot and look at implementing more granular identity-management frameworks to support their security objectives.
