”After the UK implemented its Online Safety Act the country’s VPN usage surged as teens sough [sic] to skirt age checks on social media platforms and pornography websites.”
The report they link to presents no evidence that the surge was from “teens”.
Practically, it’s also wrong to categorize all popular sites that opted into the geo-block as being social or adult. For example, imgur.com is by all sensible definitions a general purpose image upload site with 3M DAU worldwide. It is as much a “pornography website” as YouTube or Reddit.
I would suggest this article be corrected to instead say “usage surged as netizens sought to avoid online ID checkpoints and mandatory facial recognition”, but that’s bordering on inflammatory in the other direction.
Out of Imgur, YouTube and Reddit, Imgur is actually the most prudish. Reddit is full of hardcore pornography; YouTube still allows some "people being naked for non-sexual reasons" videos; Imgur is right there with Facebook, automatically deleting anything racy.
Is imgur blocked because it is a "pornography website" or because it is a "social media website"?
imgur has featured a combination of social media features including accounts, commenting, tagging, upvotes, downvotes, and et cetera for a good number of years.
It hasn't been just a simple image-host for a long time.
I wish these articles would highlight the very real dangers these types of laws present to children. How they often create the very harm they claim to prevent. Surveilling children only makes it easier for the creeps to track them too.
This has been one thing I've liked about how Benn Jordan has been handling the Flock issues. How he shows that the very cameras used to protect children can also be used to harm them. And uses this to walk into the conversation about wider privacy concerns and authoritarian turkey tyranny.
But with the article, we've been using the same rhetoric for decades. There's nothing wrong with it, per se, but we need to iterate on it if we're to communicate these dangers more effectively. Those trying to get that authoritarian control are iterating and they're effective. The dangers are only becoming more real and the current rise in global authoritarianism should make many realize how dangerous it is
it being that time of year, this reminds me of how children are being indoctrinated into the surveillance state by the “elf on the shelf” Christmas “toy”. My point being, these things creep up on a society in ways you don’t anticipate
If anything, I think it might help kids understand real-world surveillance better. Knowing that there's a device in their environment spying on them as part of a system versus magic man can see everything at all times because he's magic.
Maybe, but that doesn't mean this side of the argument won't be impactful. Even if people want more control over their own children I very much doubt they want others to have similar control. Especially those that wish to do harm.
Take for example the age verification via camera we're seeing be suggested in some places. I can't think of a more endangering technology than putting a camera in every child's bedroom. We know how bad security is and how even making it a lot better still makes this a highly valuable target for these people.
People want control because they're scared. But what they need to be taught is that these people are leveraging that fear to turn those nightmares into reality.
>> a considerable chunk of the market — including three of the six most popular VPNs — is quietly operated by an Israeli-owned company with close connections to that country’s national security state, including the elite Unit 8200 and Duvdevan Units of the Israeli Defense Forces (IDF).”
I think the hidden motivation for all of these crackdowns across the developed world is the increasing risk of a third world war. Propaganda is already rife across social media for both sides of both the Russia-Ukraine and Israel-Palestine conflicts. Governments very much want to be able to repeat feats like the XX System, and will need strict control over online communications to achieve that.
Does this impact people who work from home and connect to the corporate VPN? I have to do that to access production servers, as I assume most people here who WFH do as well.
Reading TFA it seems that use case would be allowed, but would I be a criminal for checking social media on my work PC when connected to the corporate VPN?
They can't do jackshit. They are totally clueless and run by a bunch of extremely incompetent boomers. Next, they will try to ban Tor but guess what that can't happen as Tor is censorship-resistant!
Blocking the exit nodes is quite tivial [1] but it would indeed be hard to stop people from accessing Tor and .onion sites. More websites should add some Tor .onion nodes even if they have to put those in read-only mode on user-provided multimedia sites to avoid complex CSAM filters.
I'm not sure that's actually accurate. Using Tor or even many VPNs you get hit with a lot of block lists or bot detectors. I also heard that Tor is blocked in China. I mean isn't the list of entries and exits public?
Of course these groups are also shooting themselves in the foot. Tor was invented by the Navy after all and they like spies to go through it because connecting to "totallynotNSA.com" is a great way to get yourself found. But Tor also only works for those purposes if non bad actors make up the majority of traffic
Tor bridges allow people to bypass blocking of Tor entry nodes and look more like normal traffic and less like Tor traffic, here is an example of how to set one up.
Oh interesting, thanks. Do you know how well that compares with Mullvad? I know Tor and them collaborate on the browser but I'm traveling right now and Mullvad's is definitely getting picked up by some routers
They are after the personal use VPN clients, but corporate users will follow soon.
Using the corporate VPN for personal purposes, including social media, is generally against corporate policy and is frowned upon (at least officially) in most businesses and organisations. It is also fraught with complications and could lead to disciplinary action or other unpleasant consequences. Just because the policy is not enforced does not mean it won’t be in the future.
If governments start targeting personal VPN's, it is only a matter of time before businesses crack down on unauthorised corporate VPN use as it will increase their risk of legal action stemming from employees’ missteps or misdeeds.
I imagine it's referring to anonymous VPN traffic through providers like Mullvad. Your internet traffic through your corp VPN is likely already at Orwellian-levels of surveillance, and that traffic can at least be tracked back to a asingle identifiable business.
Would a child have access to a paid VPN like Mullvad anyway, I wonder.
If they ban OpenVPN and WireGuard through what I can only think is something akin to the great firewall of China, then what is the next step, making ssh -D unlawful?
Maybe encryption too? Maybe they need to ban booting Linux and filter access to open source software as well? Running unsigned code? Might as well just shut down the internet.
> Would a child have access to a paid VPN like Mullvad anyway, I wonder.
Sure. Why not? Paid VPNs are cheap to use, and kids are smart.
A kid who already has a computer to use can turn a relatively large amount of electricity into a relatively small amount of crypto, and can do so very informally. It's usually a money-losing operation, but that matters less when a person is (say) 14 and someone else pays the electric bill: Out of sight, out of mind.
After that: Simply use the proceeds to pay for something like Mullvad or AirVPN (they accept crypto payments just fine).
It's been quite a long time since I was 14 and it was a very different world back then, but I don't think I would have had any trouble connecting these dots at that age.
(And indeed, that's how I used to pay for my own VPN service as a grown adult back when using those things was a lot less common. Rather than potentially draw unwanted interest from my bank by making international payments, I'd just mine some crypto to cover the VPN, and pay the electric bill. It wasn't strictly anonymous or untraceable or anything like that, but it did help cover the tracks that I cared about covering.)
I'd say Mullvad is on the more accessible side, since a Mullvad subscription can be obtained through a relatively small amount of cash. All you need is a few dollars and the ability to mail a letter with a few bucks to Europe.
Wisconsin is a state that's been looking at banning VPNs[1]. And they also apply laws to "companies commonly known to provide VPN services" - which makes me wonder how far that goes. Because technically I could get a free AWS instance, spin up Tailscale on it, and I have a VPN. Is AWS a VPN company since they certainly host servers that are used for VPNs? Who knows!
TLS 1.3 forces PFS, which means that if you want to decrypt a 1.3 stream, you have to actually do a man in the middle attack, not just get a copy of a key. PFS was optional before.
It supports ECH, which lets you hide which service the client is trying to reach on a multitenant host or CDN. Given that Cloudflare supports ECH, and that it's possible to hide the fact that you're using ECH, that makes it possible to have connections that could actually be using any of a huge number of possible sites without passive spying equipment being able to tell which ones.
It removes a bunch of weak old primitives and options, and should generally be harder to misconfigure in a dangerous way.
I'm sure the Chinese, Russians, and other adversaries of the west will welcome any intentional weakening of network security to "protect children".
Any back doors, crippled encryption, etc, is a way in for their intelligence services. I find it baffling that politicians are so careless with their national sovereignty. It's especially worrying that a lot of populist support for this nonsense is indirectly supported by the before mentioned adversaries. There's a well documented history of especially Russian and Chinese propaganda aimed at supporting fringe populist parties. The agenda with that is complex but it isn't necessarily with friendly intentions.
Both Russia and China have isolated their own populations from the normal internet and effectively their countries run on centralized infrastructure where private VPNs are no longer allowed and traffic is monitored, filtered, and analyzed. Additionally, especially China has long targeted academic and enterprise network security for industrial espionage reasons. Weak government security has caused a few embarrassing situations across especially EU governments (e.g. Germany) with scandals related to over reliance on Chinese technology for telecommunications (huawei) and components for energy, auto motive, etc.
The point here is that those countries calling for this the most are also the most at risk of being compromised like this.
> There's a well documented history of especially Russian and Chinese propaganda aimed at supporting fringe populist parties. The agenda with that is complex but it isn't necessarily with friendly intentions.
You can add the USA to that list now, who follow the exact same strategy in the EU.
in Michigan there is a recently proposed piece of legislation that aims to ban content that "corrupts the public morals“ (which includes pornography, manga, and talking about trans people). It labels VPNs, proxies and encrypted tunneling methods as "circumvention tools" and would make it illegal to use them to access such content.
I hope people will start to see these blatant censorship proposals for what they are, but honestly I'm not too optimistic...
I'm on the "outside" of this argument - never owned a gun yet and not in the US, but the right to life (not to be shot) can be exercised by protecting oneself from guns, with a gun.
Here we're discussing how attacks against privacy are totalitarian and how more and more governments are on their way to become totalitarian regimes, but we don't agree that people having guns is a good defense against a totalitarian government. We talk about police or ICE overreach, but don't talk about what would happen if that overreach expands even more.
That's kind of a jump. The 2a is cool, but gun deaths outpace car deaths now and 2a people refuse literally any of the protections we have against car deaths. Whereas a 15 year old jerking it to a pornstar hurts no one and these people want to completely ban the 4th amendment.
Am I the only one who thinks it's possible that the vast majority of VPN providers are actually working for the intelligence agencies of the world? It wouldn't be the first time something like that happened.
There was a Swiss company[1] selling cryptography gear that turn out to be a CIA front.
Pretty sure a ban on VPNs would simply collapse society overnight. I think lawmakers vastly underestimate just how prevalent and necessary they are to ordinary business functions, including by ISPs themselves.
Your comment is one of several that doesn't distinguish between corporate VPNs (to access internal systems) and commercial VPNs (to bypass country-level laws and restrictions). Do you not think the lawmakers would realize this difference, it's a cartoonish level of understanding if you think lawmakers will accidentally ban any software with the term "VPN" in it. They'll describe a ban of tools/services to circumvent the laws..
Yes I understand the difference. Yes I think (and know) they are that dumb, especially given their penchant for blanket banning any and all things that happen to include "DEI" terms, starting lawsuits they know they can't win, and constantly walking back guidance they give after realizing how stupid it was. I also know they'll do just about anything for enough money.
”After the UK implemented its Online Safety Act the country’s VPN usage surged as teens sough [sic] to skirt age checks on social media platforms and pornography websites.”
The report they link to presents no evidence that the surge was from “teens”.
Practically, it’s also wrong to categorize all popular sites that opted into the geo-block as being social or adult. For example, imgur.com is by all sensible definitions a general purpose image upload site with 3M DAU worldwide. It is as much a “pornography website” as YouTube or Reddit.
I would suggest this article be corrected to instead say “usage surged as netizens sought to avoid online ID checkpoints and mandatory facial recognition”, but that’s bordering on inflammatory in the other direction.
Out of Imgur, YouTube and Reddit, Imgur is actually the most prudish. Reddit is full of hardcore pornography; YouTube still allows some "people being naked for non-sexual reasons" videos; Imgur is right there with Facebook, automatically deleting anything racy.
Is imgur blocked because it is a "pornography website" or because it is a "social media website"?
imgur has featured a combination of social media features including accounts, commenting, tagging, upvotes, downvotes, and et cetera for a good number of years.
It hasn't been just a simple image-host for a long time.
Imgur is blocking itself to avoid any legal exposure from the UK's insane law.
I wish these articles would highlight the very real dangers these types of laws present to children. How they often create the very harm they claim to prevent. Surveilling children only makes it easier for the creeps to track them too.
This has been one thing I've liked about how Benn Jordan has been handling the Flock issues. How he shows that the very cameras used to protect children can also be used to harm them. And uses this to walk into the conversation about wider privacy concerns and authoritarian turkey tyranny.
But with the article, we've been using the same rhetoric for decades. There's nothing wrong with it, per se, but we need to iterate on it if we're to communicate these dangers more effectively. Those trying to get that authoritarian control are iterating and they're effective. The dangers are only becoming more real and the current rise in global authoritarianism should make many realize how dangerous it is
it being that time of year, this reminds me of how children are being indoctrinated into the surveillance state by the “elf on the shelf” Christmas “toy”. My point being, these things creep up on a society in ways you don’t anticipate
I understand where you're coming from, but how is it different than parents telling kids that Santa is watching them?
If anything, I think it might help kids understand real-world surveillance better. Knowing that there's a device in their environment spying on them as part of a system versus magic man can see everything at all times because he's magic.
They can see the elf
Sadly, I think the unspoken point is never to protect children but to control them.
If you look at the many “think of the children” arguments from this angle it becomes a lot more consistent
Maybe, but that doesn't mean this side of the argument won't be impactful. Even if people want more control over their own children I very much doubt they want others to have similar control. Especially those that wish to do harm.
Take for example the age verification via camera we're seeing be suggested in some places. I can't think of a more endangering technology than putting a camera in every child's bedroom. We know how bad security is and how even making it a lot better still makes this a highly valuable target for these people.
People want control because they're scared. But what they need to be taught is that these people are leveraging that fear to turn those nightmares into reality.
>> a considerable chunk of the market — including three of the six most popular VPNs — is quietly operated by an Israeli-owned company with close connections to that country’s national security state, including the elite Unit 8200 and Duvdevan Units of the Israeli Defense Forces (IDF).”
What are those VPNs? Asking for a friend...
ExpressVPN
Cyber ghost
Private Internet Access
ZenMate
Intego VPN
According to [0] though there are various other sites that roughly align with this list.
[0] https://blog.boycat.io/posts/expressvpn-israeli-ownership-1b...
I think the hidden motivation for all of these crackdowns across the developed world is the increasing risk of a third world war. Propaganda is already rife across social media for both sides of both the Russia-Ukraine and Israel-Palestine conflicts. Governments very much want to be able to repeat feats like the XX System, and will need strict control over online communications to achieve that.
https://en.wikipedia.org/wiki/Double-Cross_System
1. That's unrealistic.
2. There is no way any significant number of the people involved in this are thinking that far ahead.
[dead]
Does this impact people who work from home and connect to the corporate VPN? I have to do that to access production servers, as I assume most people here who WFH do as well.
Reading TFA it seems that use case would be allowed, but would I be a criminal for checking social media on my work PC when connected to the corporate VPN?
They can't do jackshit. They are totally clueless and run by a bunch of extremely incompetent boomers. Next, they will try to ban Tor but guess what that can't happen as Tor is censorship-resistant!
Blocking the exit nodes is quite tivial [1] but it would indeed be hard to stop people from accessing Tor and .onion sites. More websites should add some Tor .onion nodes even if they have to put those in read-only mode on user-provided multimedia sites to avoid complex CSAM filters.
[1] - https://github.com/firehol/blocklist-ipsets/blob/master/tor_...
Yes, we need .onion on every site. Not only is it censor resistant but also provides anonymity for user and the onion server,.
Of course these groups are also shooting themselves in the foot. Tor was invented by the Navy after all and they like spies to go through it because connecting to "totallynotNSA.com" is a great way to get yourself found. But Tor also only works for those purposes if non bad actors make up the majority of traffic
Tor bridges allow people to bypass blocking of Tor entry nodes and look more like normal traffic and less like Tor traffic, here is an example of how to set one up.
https://community.torproject.org/relay/setup/webtunnel/
Oh interesting, thanks. Do you know how well that compares with Mullvad? I know Tor and them collaborate on the browser but I'm traveling right now and Mullvad's is definitely getting picked up by some routers
Mullvad is a single-hop VPN, so not comparable to Tor. OTOH their exit nodes might not be as easy to detect as Tor.
[dead]
They are after the personal use VPN clients, but corporate users will follow soon.
Using the corporate VPN for personal purposes, including social media, is generally against corporate policy and is frowned upon (at least officially) in most businesses and organisations. It is also fraught with complications and could lead to disciplinary action or other unpleasant consequences. Just because the policy is not enforced does not mean it won’t be in the future.
If governments start targeting personal VPN's, it is only a matter of time before businesses crack down on unauthorised corporate VPN use as it will increase their risk of legal action stemming from employees’ missteps or misdeeds.
I imagine it's referring to anonymous VPN traffic through providers like Mullvad. Your internet traffic through your corp VPN is likely already at Orwellian-levels of surveillance, and that traffic can at least be tracked back to a asingle identifiable business.
Would a child have access to a paid VPN like Mullvad anyway, I wonder.
If they ban OpenVPN and WireGuard through what I can only think is something akin to the great firewall of China, then what is the next step, making ssh -D unlawful?
Maybe encryption too? Maybe they need to ban booting Linux and filter access to open source software as well? Running unsigned code? Might as well just shut down the internet.
> Would a child have access to a paid VPN like Mullvad anyway, I wonder.
Sure. Why not? Paid VPNs are cheap to use, and kids are smart.
A kid who already has a computer to use can turn a relatively large amount of electricity into a relatively small amount of crypto, and can do so very informally. It's usually a money-losing operation, but that matters less when a person is (say) 14 and someone else pays the electric bill: Out of sight, out of mind.
After that: Simply use the proceeds to pay for something like Mullvad or AirVPN (they accept crypto payments just fine).
It's been quite a long time since I was 14 and it was a very different world back then, but I don't think I would have had any trouble connecting these dots at that age.
(And indeed, that's how I used to pay for my own VPN service as a grown adult back when using those things was a lot less common. Rather than potentially draw unwanted interest from my bank by making international payments, I'd just mine some crypto to cover the VPN, and pay the electric bill. It wasn't strictly anonymous or untraceable or anything like that, but it did help cover the tracks that I cared about covering.)
[dead]
I'd say Mullvad is on the more accessible side, since a Mullvad subscription can be obtained through a relatively small amount of cash. All you need is a few dollars and the ability to mail a letter with a few bucks to Europe.
Wisconsin is a state that's been looking at banning VPNs[1]. And they also apply laws to "companies commonly known to provide VPN services" - which makes me wonder how far that goes. Because technically I could get a free AWS instance, spin up Tailscale on it, and I have a VPN. Is AWS a VPN company since they certainly host servers that are used for VPNs? Who knows!
[1] https://www.eff.org/deeplinks/2025/11/lawmakers-want-ban-vpn...
> Would a child have access to a paid VPN like Mullvad anyway, I wonder.
What's stopping the kid from obtaining a VPN number and mailing 5 bucks to Mullvad?
Fully HTTPS traffic can bypass that damned Great Firewall. Greetings from inside the Great Firewall.
Tls 1.3 is completely banned by the gfw
Why is TLS 1.3 interesting here, in relation to censorship circumvention? Why is version 1.3 banned and not 1.2?
TLS 1.3 forces PFS, which means that if you want to decrypt a 1.3 stream, you have to actually do a man in the middle attack, not just get a copy of a key. PFS was optional before.
It supports ECH, which lets you hide which service the client is trying to reach on a multitenant host or CDN. Given that Cloudflare supports ECH, and that it's possible to hide the fact that you're using ECH, that makes it possible to have connections that could actually be using any of a huge number of possible sites without passive spying equipment being able to tell which ones.
It removes a bunch of weak old primitives and options, and should generally be harder to misconfigure in a dangerous way.
Thanks a lot for the detailed reply!
Just in case someone will read this without knowing the abbreviations:
PFS = perfect forward secrecy [0]
ECH = Encrypted Client Hello
[0] https://en.wikipedia.org/wiki/Forward_secrecy
[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
I'm sure the Chinese, Russians, and other adversaries of the west will welcome any intentional weakening of network security to "protect children".
Any back doors, crippled encryption, etc, is a way in for their intelligence services. I find it baffling that politicians are so careless with their national sovereignty. It's especially worrying that a lot of populist support for this nonsense is indirectly supported by the before mentioned adversaries. There's a well documented history of especially Russian and Chinese propaganda aimed at supporting fringe populist parties. The agenda with that is complex but it isn't necessarily with friendly intentions.
Both Russia and China have isolated their own populations from the normal internet and effectively their countries run on centralized infrastructure where private VPNs are no longer allowed and traffic is monitored, filtered, and analyzed. Additionally, especially China has long targeted academic and enterprise network security for industrial espionage reasons. Weak government security has caused a few embarrassing situations across especially EU governments (e.g. Germany) with scandals related to over reliance on Chinese technology for telecommunications (huawei) and components for energy, auto motive, etc.
The point here is that those countries calling for this the most are also the most at risk of being compromised like this.
> There's a well documented history of especially Russian and Chinese propaganda aimed at supporting fringe populist parties. The agenda with that is complex but it isn't necessarily with friendly intentions.
You can add the USA to that list now, who follow the exact same strategy in the EU.
in Michigan there is a recently proposed piece of legislation that aims to ban content that "corrupts the public morals“ (which includes pornography, manga, and talking about trans people). It labels VPNs, proxies and encrypted tunneling methods as "circumvention tools" and would make it illegal to use them to access such content.
I hope people will start to see these blatant censorship proposals for what they are, but honestly I'm not too optimistic...
The scary thing about that is who gets to say what public morals are. And how this would normally be next to impossible to prove.
Seeing as how the US government recently said anti-capitalist and anti-christian opinions are a threat, well... hold on to your collective hats.
Who? The people you have all elected.
Donald Trump of course, the most moral of them.
It's always the same pattern. Point to a genuine evil and then use that as justification to strip everyone of their rights.
Like gun control.
The right to life (not to be shot) never seems as important as the right to take a life with US gun folk, it seems mad from the outside.
I'm on the "outside" of this argument - never owned a gun yet and not in the US, but the right to life (not to be shot) can be exercised by protecting oneself from guns, with a gun.
Here we're discussing how attacks against privacy are totalitarian and how more and more governments are on their way to become totalitarian regimes, but we don't agree that people having guns is a good defense against a totalitarian government. We talk about police or ICE overreach, but don't talk about what would happen if that overreach expands even more.
That's kind of a jump. The 2a is cool, but gun deaths outpace car deaths now and 2a people refuse literally any of the protections we have against car deaths. Whereas a 15 year old jerking it to a pornstar hurts no one and these people want to completely ban the 4th amendment.
Am I the only one who thinks it's possible that the vast majority of VPN providers are actually working for the intelligence agencies of the world? It wouldn't be the first time something like that happened.
There was a Swiss company[1] selling cryptography gear that turn out to be a CIA front.
[1] https://en.wikipedia.org/wiki/Crypto_AG
You're not the only one, and youre not a part of the stupidest conspiracy in the world, but you better hope the flat eartherers dont walk in
Pretty sure a ban on VPNs would simply collapse society overnight. I think lawmakers vastly underestimate just how prevalent and necessary they are to ordinary business functions, including by ISPs themselves.
Your comment is one of several that doesn't distinguish between corporate VPNs (to access internal systems) and commercial VPNs (to bypass country-level laws and restrictions). Do you not think the lawmakers would realize this difference, it's a cartoonish level of understanding if you think lawmakers will accidentally ban any software with the term "VPN" in it. They'll describe a ban of tools/services to circumvent the laws..
Lawmakers in the aggregate are apparently cartoonishly incompetent so it's not much of a stretch.
Yes I understand the difference. Yes I think (and know) they are that dumb, especially given their penchant for blanket banning any and all things that happen to include "DEI" terms, starting lawsuits they know they can't win, and constantly walking back guidance they give after realizing how stupid it was. I also know they'll do just about anything for enough money.
But I appreciate you punching down.
Corporations and military of course will have a way to exclude themselves from this.