Editor’s note (UK context):

This analysis is being published as the UK House of Commons considers whether to accept a House of Lords amendment to the Children’s Wellbeing and Schools Bill that would bring VPNs into scope for age-verification requirements. While framed as a child-safety measure, this proposal raises serious technical, security, and proportionality concerns. The analysis below explains why VPN blocking is unworkable and harmful, regardless of jurisdiction, and why these concerns matter now.

Virtual Private Networks (VPNs) are no longer niche privacy tools: they are part of the core security fabric of the modern Internet. Every sector—business, education, healthcare, research, civil society—relies on encrypted connections provided by VPNs to keep information secure and accessible. In the United States alone, millions of workers log in through VPNs every day as the only practical way to maintain secure access to their organizations’ networks and data. In educational settings, students and faculty rely on VPNs to connect to campus resources for learning and collaboration. Outside the workplace or classroom, millions of individuals similarly use VPNs to protect their personal information from tracking, protect themselves on public Wi-Fi, and navigate sensitive online situations with greater safety. Outside the workplace or classroom, millions of individuals similarly use VPNs to protect their personal information from tracking, protect themselves on public Wi-Fi, and navigate sensitive online situations with greater safety.

To be clear: the Internet would be a far more dangerous place without VPNs. They are widely used to enable secure remote access for businesses—and are indeed often necessary and required for distributed workforces who handle sensitive material. For decades, VPNs have also empowered everyday people online by helping defend against cyber threats, phishing attempts, and surveillance, just as enterprise businesses do on their own networks.

Into this reality, a new wave of age-verification proposals has swept in, most recently in Wisconsin and Michigan, that would require websites to detect and block traffic coming to them through a VPN. That same rhetoric is now playing out in the UK, where a House of Lords amendment to the Children’s Wellbeing and Schools Bill (see link further above) would bring VPNs into scope for age-verification requirements. That amendment has returned to the House of Commons, where MPs must now decide whether to accept, modify, or reject it.

 These ideas rest on the false notion that VPNs are simply workarounds used by people attempting to evade age gates. That assumption misunderstands what VPNs are and who depends on them. It is noteworthy that the sponsor of the Michigan bill has already committed to removing the VPN language after further consideration. This is an important signal that restricting VPN use is not a viable or responsible path forward, and that policymakers can reach better outcomes when they fully understand just how essential VPNs are, and have long been, to the security and functioning of the modern Internet.

The VTI and i2Coalition present a straightforward position: VPN-blocking provisions are ineffective, impossible to implement responsibly, and inflict far-reaching collateral damages that lawmakers have not adequately considered. Far from advancing child safety, these provisions undermine cybersecurity and privacy of all citizens and businesses; as well as the stability of critical online systems. Put simply, more sensible, evidence-based tools to address the child safety concerns are available, without these negative unintended consequences.

A misunderstanding at the heart of the proposals

What’s driving these bills is a belief that VPNs are used by people only to evade age-verification measures. In reality, VPNs are not circumvention tools—they are privacy and security tools that individual consumer have used for many years. The encrypted connection that protects a company’s financial documents is the same kind of encrypted connection that protects an individual’s privacy from trackers, hackers, and scammers. The underlying technology is identical, the purposes overlap substantially, and the user base spans virtually the entire digital ecosystem.

That is why “consumer VPNs” and “enterprise VPNs” are not categories of fundamentally different technologies. One is not a “real VPN” and the other a loophole. Both rely on encrypted tunnels, IP masking, and secure routing. Both protect sensitive information from interception. Both help people navigate the Internet with safety and confidence.

When a technology is deemed safe and stable enough for an international corporation to protect trade secrets, or a hospital to protect vital patient data, it makes no sense to take that same technology out of individual consumers’ hands. Consumer VPNs give individuals the ability to apply enhanced encryption to their online browsing, without relying solely on businesses and other entities to make those decisions on their behalf. This autonomy is particularly needed given the prevalence of data security and privacy breaches, even among well-intentioned institutions.

The technical impossibility of enforcing a VPN ban

The enforcement challenge created by these proposals alone should give policymakers pause. A VPN server’s IP address reveals nothing about the end-user’s physical location. There is no technical signal that allows a website, or a state government, to know whether a particular VPN connection originates in Wisconsin, Wyoming, or Warsaw. Any requirement that websites block “VPN users in Wisconsin” translates in practice to one of two impossible choices: block all VPN traffic everywhere, or exit the Wisconsin market entirely. Both scenarios push beyond the limits of what any responsible operator can do.

We trust that no sensible policymaker would seriously consider banning PO boxes—or turning them into open cubbyholes—because they can’t tell who’s standing in the post office lobby at any given time. So hopefully a better understanding of how this technology works will help policymakers see that banning or weakening VPNs would have profound negative consequences for the Internet as a whole.

As we’ve already experienced in Mississippi and other jurisdictions considering strict verification regimes, smaller platforms simply block the entire state rather than attempt to build unworkable compliance systems. The collateral damage from such market abandonment falls on users, businesses, and educators, not on those who might try to circumvent the law.

Who gets harmed when VPNs are restricted

The broad impacts of these VPN-blocking proposals rarely appear in legislative conversations, but they are profound. Businesses cannot operate securely without VPNs. Universities depend on them for research access: in Wisconsin, WiscVPN is a required tool for faculty and students. Vulnerable communities—journalists, LGBTQ+ youth, domestic abuse survivors, political dissidents—often rely on a VPN to navigate the Internet with safety. Even ordinary users who simply want a modest degree of privacy from commercial tracking or ISP-level profiling depend on them.

Business travelers must make use of VPNs when using airport WiFi, or risk compromising sensitive data. Journalists covering conflict zones or reporting on repressive regimes must use VPNs as a matter of life or death: with 129 journalists and media workers killed in 2025, this is not a hypothetical threat. Meanwhile, The Trevor Project lists VPNs as a core element of online safety for LGBTQ+ youth.

Removing VPN access to enforce a narrow category of content restrictions is akin to banning locks because some people might hide something behind a door. The proportionality problem is massive

Privacy risks increase when VPNs are eliminated

It makes sense to look at VPNs as dolphins about to get caught in a legislative tuna net here: they are a crucial part of the cybersecurity and privacy ecosystem that, when removed, harms everyone using the Internet—not just the individuals targeted in these legislative efforts. Indeed, eliminating VPN use does nothing to address the underlying safety challenge that policy makers are trying to solve and instead amplifies privacy and security harms.

In simplest terms, VPN blocking does not solve a safety problem. It creates a much larger one.

Overbroad definitions add instability

Several current bills pair VPN-blocking requirements with extraordinarily broad definitions of what counts as content “harmful to minors,” sometimes including basic sexual education, reproductive health information, LGBTQ+ community resources, medical information, literature, or art. When a bill claims to be narrowly focused on explicit adult material but functionally sweeps in vast areas of lawful expression, it creates a compliance environment of uncertainty and overblocking. When that uncertainty is combined with a requirement to block VPN traffic, the consequences become much more serious. If the definition of “harmful content” is broad, then many websites, including news outlets, health resources, and educational platforms, will feel pressured to block VPN connections in order to avoid liability. 

In practice, this means excluding millions of legitimate users who rely on VPNs for work, privacy, research access, and personal safety. The result is a sweeping and discriminatory ban on a single technology that underpins modern cybersecurity, cutting VPN users off from large portions of the Internet and causing real harm to the people who depend on it most.

Censorship attempts that are doomed to fail

Even setting aside the very real harms, these laws will not achieve what their proponents imagine. Users who are intent on bypassing restrictions will simply create their own VPNs, use open proxies, route traffic through cloud infrastructure, or employ one of the countless other methods that emerge whenever governments attempt to enforce technical filters. The Internet is resilient and routes around damage; it has for decades. The users most affected will not be the determined bypassers, but rather the ordinary people whose daily work, studies, or safety depend on secure connections.

A more constructive way forward

The VTI and i2Coalition fully support evidence-based approaches to improving online safety for young people. That includes measures that are already widely deployed and demonstrably effective, such as device- and operating-system-level parental controls, app-store governance, age-appropriate design within authenticated platforms, and digital literacy initiatives that help young people navigate online spaces safely. These approaches address the real-world context in which minors access content—at the device, household, and platform level—without undermining the security, privacy, and resilience of the Internet itself.

But the starting point must be an acknowledgment that breaking fundamental security tools is not a path to better outcomes. We need policies grounded in digital literacy, robust parental controls, support for caregivers, investment in educational resources, and collaboration across sectors—not mandates that destabilize cybersecurity and burden businesses, educational institutions, and ordinary people.

Should they be ready to develop more realistic and effective policy, lawmakers will find many highly knowledgeable educators, civil rights activists, and technologists who are eager to collaborate with them, including VPN and Internet infrastructure providers themselves.

Closing perspective

Ultimately, VPN-blocking requirements attempt to solve a social and educational challenge with a technical tool that was never designed for that purpose. They misdiagnose the problem, introduce significant harm, and cannot be implemented without undermining the very security foundations that governments, companies, and individuals depend upon.

This is not a question of whether we value child safety online. It is a question of whether our response strengthens the Internet’s security and resilience—or weakens it in ways that harm millions while delivering no meaningful protection to those who need it most.

VTI and i2Coalition members stand ready to work with policymakers on approaches that promote safety, privacy, and technical integrity. But we cannot support measures that compromise essential security infrastructure or create new risks for people who depend on VPNs every day.