The internet as we know it may be radically changing, not with a technological leap, as with Web 1 into Web 2.0, but rather thanks to a wave of strict, government-mandated age-verification regimes hitting websites, apps and services.
While the apparent goal of the UK’s Online Safety Act is to prevent children from viewing pornography and other harmful content, such as websites that glorify suicide or eating disorders, its strictures also extend to web staples including Reddit, Spotify and Wikipedia.
The second stage of this legislation, which requires visitors to certain websites to verify their age using either a selfie or a government-issued ID, came into force late July. Similar age-assurance bills are springing up throughout Europe, too.
With private companies in charge of age verification, security experts have expressed concerns about the personally identifiable information they are collecting, which could be linked to sensitive browsing habits. For instance, some age-assurance platforms are based in the US, which has loose regulations on data brokerage. The information held by these platforms could therefore be put up for sale.
How Brits are using VPNs to sidestep age checks
There are ways around age-verification requirements. Some users have uploaded pictures of digital avatars from games such as The Sims, or photos of driving licences found on Google Images.
Predictably, there has also been a surge in the use of virtual private networks (VPNs), a type of network architecture that can be used to circumvent geographic restrictions. Downloads of the free VPN by Proton, a privacy company, rocketed by 1,400% per hour on the day age checks came into force, making it the top free app in the UK. Meanwhile, a paid VPN option, Nord, recorded a 1,000% increase in purchases over the same period.
VPNs work by routing internet traffic through an encrypted ‘tunnel’ to a server hosted elsewhere. With a single mouse click, web users in the UK can connect to servers based anywhere in the world, from Australia to Norway to South Africa to Argentina. And their web traffic in such cases is effectively hosted in those jurisdictions instead of the one in which they’re physically situated. People use VPNs for a variety of reasons. Some are obliged to connect to corporate VPNs to access their employer’s internal servers, while others seek enhanced security while using public Wi-Fi.
“In trying to stop children seeing harmful content, the government has driven maybe hundreds of thousands of people to adopt tools that make lawful interception near impossible,” says Graeme Stewart, head of public sector at Check Point, a cybersecurity vendor. “Worse still, they’ve outsourced enforcement to unaccountable third parties, relying on fragmented databases that offer no guarantee of security. It’s become theatre.”
Can the UK close the VPN loophole?
Experts have long warned that VPNs expose a glaring loophole in the Online Safety Act. Following the rollout of the age-assurance clause, speculation swirled that the government might clamp down on consumer VPNs.
This isn’t all fear-driven guesswork. Sarah Champion, a Labour backbencher, complained while in opposition, that VPNs could undermine online safety. According to Politico, however, she had included a paid VPN on her expenses. Meanwhile, Peter Kyle, the tech secretary, said banning VPNs was “not on the cards” but urged “caution” in how they are used.
A government spokesperson added: “We make no apology for holding platforms to account, to ensure they prevent children from bypassing safety protections. This includes blocking content that promotes VPNs and other workarounds, when they are aimed specifically at young users. More broadly, there are a range of legitimate reasons why adults might use VPNs which do not cut across children’s safety online.”
Ofcom has echoed these points. In a statement, a spokesperson acknowledged that VPNs are “lawful services which can be marketed and used by people in the UK”, but noted that parents in the UK “need to be aware that if their children are using a VPN, they may not benefit from the protections of the Online Safety Act.”
The regulator added that parents worried about VPN use can take some additional precautions, including adding parental controls at the router level or setting up store alerts when such apps are downloaded.
Could the UK ban VPNs if it wanted to?
Some security experts believe the government will indeed legislate to plug the VPN gap. However, any additional requirements would likely be on content platforms rather than VPN providers.
“We will probably see additional legislation pretty soon that will require adult-oriented websites to ban VPN traffic,” says Ilia Kolochenko, an expert in cybersecurity law. “Certainly, some VPNs will remain undetected, but about 90% of the most popular free and commercial VPN services can be fingerprinted – and will likely be blocked by adult-content providers, closing the loophole.”
There are many technical and operational ways to detect the use of VPNs, he notes, but blocking such networks for specific websites is trickier. Kolochenko says the government could purchase VPN subscriptions from all well-known vendors to determine their network ranges, IP addresses and exit points, which could then be blocked directly. Vendors mix and change their exit points to avoid detection, however, so it’d be a Sisyphean endeavour that would require significant time and investment. Devices can also be ‘fingerprinted’ to determine whether they’re connected to a VPN.
Still, to effectively ban VPNs, the government would have to run ‘deep-packet inspection’, thus enabling censors to inspect internet traffic, categorise it and decide what to block. So says Harry Halpin, the CEO of Nym, a decentralised privacy tool. “This is what China does. But it would require the UK, like Russia, to buy VPN-censorship tools from China, to build the ‘Great Firewall of Great Britain’.”
VPN bans: what are the risks?
For a country that talks up its democratic status, prohibiting VPNs would launch the UK down a dark and messy path. Even if the government pursued such a dangerous strategy, enforcing the ban would be difficult.
Decentralised systems such as Tor and Nym have an ever-changing set of servers running different IP addresses, making spotting VPNs very difficult, says Halpin. Meanwhile, a growing number of tools are building censorship resistance into their platforms.
Any attempt to ban VPNs would risk the UK becoming a “digital pariah state”, he adds. “I imagine internet companies like Google, who offer their own VPN, via Project Jigsaw, to people in repressive countries, will move out as the UK itself becomes a repressive country. Like Brexit, this would be a grave, self-inflicted harm by the UK government that will damage the domestic economy.”
Stewart adds: “I genuinely don’t see how you could enforce a ban on VPNs. Connections are established by equipment, either on corporate premises or in the cloud. How do you even begin to block that? It’s like banning people from smoking in their own homes – you might not like it, but good luck enforcing it. The logistics are near-impossible.”
Even after banning the sale of VPN equipment or instructing ISPs not to accept VPN traffic, people will find workarounds, Stewart says. “All you’d achieve is pushing VPN use underground, creating a black market. You’d effectively be forcing ISPs to block legitimate encrypted traffic and, in doing so, you’d be regulating an entire industry out of existence.
“Worse still, you’d be legislating against cybersecurity and privacy. The only way to do it is badly.”
The internet as we know it may be radically changing, not with a technological leap, as with Web 1 into Web 2.0, but rather thanks to a wave of strict, government-mandated age-verification regimes hitting websites, apps and services.
While the apparent goal of the UK’s Online Safety Act is to prevent children from viewing pornography and other harmful content, such as websites that glorify suicide or eating disorders, its strictures also extend to web staples including Reddit, Spotify and Wikipedia.
The second stage of this legislation, which requires visitors to certain websites to verify their age using either a selfie or a government-issued ID, came into force late July. Similar age-assurance bills are springing up throughout Europe, too.
