
Digital Privacy
Briefing: VPNs and the Online Safety Act
Briefing on the public’s use of VPN technology.
VPNS ARE UNLIKELY TO BE USED BY 6-12 YEAR OLDS
BARRIER, NOT ELIMINATION
Age assurance measures aim to make accessing restricted content more difficult for underage users. It has been acknowledged that they will not prevent all under 18s from accessing such content, particularly older teens. The core group of younger children that age assurance is expected to protect are 6-12 years old. The effort required to install, configure, and pay for a VPN remains a significant barrier for these children.
YOUNGER USERS
The majority of children in the 6–12 age group are highly unlikely to download, configure, or subscribe to VPNs without adult help, especially if parental controls on app store downloads are enabled.
The Online Safety Act Network have stated:
“It’s important to remember that the vast majority of children will not be downloading a VPN to access online content: the age assurance measures that are now in force will, however, protect those children, particularly the youngest, from involuntarily or otherwise accessing pornographic or violent content on social media, which was the purpose of these measures in the Act.”
ADOLESCENTS AND TECHNICALLY ADEPT TEENAGERS
Those with the capacity to use VPNs are likely to be adolescents in the 13-18 age range. They already possess the skills and determination to use other circumvention methods (e.g. proxy sites, Tor, P2P sharing, borrowed account credentials, or simply accessing content on alternative platforms). For these teenagers, educational rather than ineffective technical interventions might be more appropriate.
Baroness Kidron has commented on this in an article in the FT:
“Do not assume that every VPN that has been downloaded is a child trying to get around [age controls],” Kidron said. “Many of them are adults trying to preserve their freedom . . . to access that [material] in private.” Even if children were using VPNs, that would count as an improvement over the previous status quo where it had become “normal to offer pornography in the playground”, she said. Before the new rules there was no “hurdle” to do so, with many children encountering explicit material on social media without looking for it, she added. “It’s really an important part of childhood to transgress,” Kidron said. “[Using a VPN] is like a child climbing out the window at night when you’ve grounded them . . . They know what they’re doing.”
WHY THE SPIKE IN VPN DOWNLOAD AND USE?
Most of the people downloading VPNs are adults who do not trust the age assurance industry. Adults are now being asked to hand over personal data to companies they are unfamiliar with. This goes against many years of cybersecurity advice around being careful when handing over sensitive personal data online.
THE POSITIVE ROLE OF VPNS
VPNs are not just tools for getting around geo-blocking or age-gating of platforms and sites. They are widely used for legitimate, positive purposes, including:
CYBERSECURITY AND PRIVACY
VPNs protect users (including children) from online threats such as data theft, DDoS attacks, identity fraud, and surveillance. They can, for example, enable people to use public Wi-Fi safely.
They are used by businesses, NHS workers, parliamentarians, journalists, campaigners and ordinary citizens to safeguard sensitive data and communications.
PARENTAL CONTROL AND FAMILY SAFETY
Some VPN services are bundled with parental filters, allowing parents to restrict children’s exposure to harmful websites at the network level.
Parents may use VPNs to secure home Wi-Fi networks against cyberattacks, protect their IP address from exposure to DDoS attacks or online threats, or to manage children’s online activities across multiple devices.
FREEDOM OF EXPRESSION AND ACCESS TO INFORMATION
In countries such as Russia and China, VPNs are essential for accessing news, educational resources, and social media blocked by governments. The MoD recognizes their importance for keeping Russian citizens informed about the war in Ukraine (see Fig 1 below).
Restricting VPNs could inadvertently criminalise legitimate use by children, parents, teachers, and communities. These positive aspects far outweigh the narrow concern that VPNs could be used to bypass age checks.

WHY SITES SHOULD NOT BE REQUIRED TO DETECT VPN USE
The Age Verification Providers Association propose that sites age-gating content should detect VPN use and direct it to their services. This is problematic for a number of reasons.
TECHNICAL INFEASIBILITY
VPN traffic can look identical to ordinary encrypted web traffic. Detection relies on constantly updated blacklists of commercial VPN servers, which are incomplete and easily outpaced by new services.
Users would switch to purchasing dedicated IP addresses, which are not on any commercially available lists of known VPN servers.
FALSE POSITIVES AND EXCLUSION
Blocking VPNs often prevents law-abiding users (e.g. workers logging in remotely, citizens in high-risk environments, or families securing their internet connection) from accessing online platforms.
PRIVACY RISKS
Monitoring for VPN use requires intrusive traffic analysis, undermining the very principles of privacy and data protection that age assurance frameworks claim to uphold.
IMPACT ON USERS IN OTHER COUNTRIES
Users in other countries that did not have age-assurance requirements would also be caught by such measures, creating further diplomatic rows over the UK’s attempt to restrict free speech outside of its jurisdiction.
RECOMMENDATION
If adults are using VPNs to bypass age checks, it is because they do not trust the age assurance providers with their personal data. An adult using a VPN does not impact the safety of a child online.
Policy makers could address the low trust in age assurance providers by implementing higher privacy standards. Ofcom is limited as to what it can do here. It is the ICO that is the UK’s data protection regulator, but even they can only operate within existing laws, not create a new regulatory framework for age assurance technologies.
ORG has prepared a paper ‘Regulating Age Assurance, Keeping Users Safe Online’ on how age-assurance providers could be certified to a higher privacy standard, and consumer choice as to method of age-assurance could be introduced. If this occurred it would increase trust in the age assurance industry, and fewer adults would then pay to use VPN technology to avoid the age assurance technologies.
The Age Assurance Providers Association have themselves welcomed calls for their industry to be regulated.
RESTRICTING ACCESS TO VPNS IS ALMOST IMPOSSIBLE
The Children’s Commissioner Dame Rachel de Souza has suggested that Government should age-gate VPNs. Even if policymakers attempted to restrict VPNs to protect age assurance systems, enforcement would be impossible in practice:
DIY VPNS
Anyone can create a VPN on widely available cloud servers in minutes. The ability to do so is built directly into the Linux operating system and many consumer routers.
Attempting to regulate VPN services does not address private, self-hosted VPNs, which cannot be feasibly tracked or blocked.
INTEGRATION WITH OPERATING SYSTEMS
VPN functionality is a standard feature of Linux, Windows, macOS, iOS, and Android devices. Blocking or regulating it would require restricting core Internet protocols, with catastrophic knock-on effects for business and personal security.
GLOBAL NATURE OF INTERNET
VPN services are offered worldwide. Attempts to ban or regulate them domestically would simply drive users to offshore providers, creating compliance headaches for businesses while leaving determined individuals unaffected.
In short, trying to regulate VPNs because they might be used to bypass age assurance would be as unworkable as banning web browsers because they allow access to adult content. Throughout the Online Safety Act’s passage the phrase ‘perfect should not be a barrier to good’ was commonly cited.
Just as laws around children purchasing cigarettes will never stop all children obtaining them, trying to pursue a policy of a perfect age assurance system that no one can circumvent is not technically feasible. Attempts to do so would involve an extreme level of digital authoritarianism. To comprehensively prevent circumvention, a state would need to remove the ability of users to install and use software on their computer and try to prevent the Internet from providing open connectivity.
CONCLUSION
VPNs are not a meaningful threat to the effectiveness of age assurance. Children who lack the skills to install VPNs are still protected, while those with the skills to use VPNs would always find other circumvention methods. VPNs, meanwhile, play a crucial role in securing families, enabling parental control, protecting businesses, and upholding freedom of expression.
Requiring sites to detect VPNs would be technically flawed, privacy-invasive, and would exclude legitimate users. Age-gating, regulating or banning VPNs would be impossible in practice and would have damaging consequences for cybersecurity, children’s safety, and freedom of expression rights more broadly.
RECOMMENDATION
Policymakers should treat VPN use as one of many potential but limited circumvention routes to age assurance. Older children should be educated around the risks of trying to circumvent age assurance, and parents informed about how they can restrict downloads or VPN use on their children’s devices. This educational approach is something missing in the Online Safety Act, and a crucial part of efforts both to improve cybersecurity and to equip young people with the tool-set needed to navigate online content.
Efforts should focus instead on supporting balanced, proportionate, and privacy-preserving age assurance systems, while protecting the legitimate and beneficial uses of VPNs.