Fears grow that age verification coming to VPNs as a British research firm labels them a 'loophole' — one app developer saw downloads surge by 1,800% in just the first month after the UK's Online Safety Act took effect

News
By published

The very tools regulators want to restrict are surging in popularity.

EU Flag
(Image credit: Getty Images/NurPhoto)

The European Parliamentary Research Service (EPRS) published a briefing paper this week describing VPN use as "a loophole in the legislation that needs closing," as governments across Europe and the U.S. expand laws requiring platforms to verify users' ages before granting access to adult content.

The paper noted that VPN downloads spiked after enforcement began in the UK and several U.S. states, with one app developer reporting an 1,800% increase in downloads in the first month following the UK's Online Safety Act taking effect last year. Some policymakers, including England's Children's Commissioner, have called for VPN services to be restricted to adults only.

The EPRS paper acknowledges that current age-assurance methods are "relatively easy for minors to bypass," but offers no technical workaround to prevent VPN circumvention. In March, Utah became the first U.S. state to target VPN use in its age-verification law when Governor Spencer Cox signed Senate Bill 73. However, such efforts are technically flawed because the only reliable method for identifying VPN protocol signatures is deep packet inspection at the network level, which the EPRS paper doesn’t mention.

Latest Videos From

The EPRS paper also highlights France's "double-blind" verification model, in which the adult platform learns only whether a user meets the age threshold, while the verification provider doesn’t see which sites the user visits. California has taken a separate approach, requiring operating systems to collect age data at device setup. GrapheneOS has refused to comply with such laws.

Google Preferred Source

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Luke James
Luke James
Contributor

Luke James is a freelance writer and journalist.  Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory. 

10 Comments Comment from the forums
  • LordVile
    My issue isn’t that they want ID, it’s that I have to give my ID to every company. It’s almost like digital ID would have solved this.

    That being said I’d be happier giving my ID to someone like nord once than everyone else multiple times
    Reply
  • Shiznizzle
    EU citizens have access to a government app that will dish out tokens to providers of content so no personal info needs to be given. This is an open source app but it was breached within hours. Fine, its in beta state and will eventually do as it should without leaking.....hopefully.

    But for me this is even more sinister as the recipient of what i do is my own government. They are keeping tabs on what we do in the UK almost as good a china does with its citizens.

    No more nanny state. Is it the state's responsibility to decide who gets to use what app or do the parents have any responsibility for their kids at all?
    Reply
  • Darrenmk
    Governments have proven many times that they cannot be trusted to protect the privacy of their people.
    Reply
  • chaos215bar2
    Shiznizzle said:
    EU citizens have access to a government app that will dish out tokens to providers of content so no personal info needs to be given. This is an open source app but it was breached within hours.
    That's pretty inexcusable if so. But also not something I've seen reported elsewhere, so I doubt somewhat the seriousness of the "breach".

    Security and cryptography are not things you leave for beta testing. They're things that needs to be designed correctly by experts in the field from the start, or the entire basis of your platform is a false promise.
    Reply
  • Shiznizzle
    chaos215bar2 said:
    That's pretty inexcusable if so. But also not something I've seen reported elsewhere, so I doubt somewhat the seriousness of the "breach".

    Security and cryptography are not things you leave for beta testing. They're things that needs to be designed correctly by experts in the field from the start, or the entire basis of your platform is a false promise.
    I am so sorry. I was wrong. It was not two hours. It was two minutes

    https://proton.me/blog/eu-age-verification-app-hacked
    https://www.google.com/search?q=EU+age+verification+app+breach&sca_esv=86d667622f42836f&source=hp&ei=E-T_afLML_mvhbIPu9Ou-Ac&iflsig=AFdpzrgAAAAAaf_yI1MCHeRVuLWKY435TFboVtjm-gBj&ved=0ahUKEwiyoruvza2UAxX5V0EAHbupC38Q4dUDCBY&uact=5&oq=EU+age+verification+app+breach&gs_lp=Egdnd3Mtd2l6Ih5FVSBhZ2UgdmVyaWZpY2F0aW9uIGFwcCBicmVhY2hI9FtQpRRY1llwBXgAkAEAmAFMoAG5CqoBAjMyuAEDyAEA-AEBmAIgoAKmCKgCCsICChAAGAMYjwEY6gLCAgoQLhgDGI8BGOoCwgIREC4YgAQYsQMYgwEYxwEY0QPCAg4QABiABBiKBRixAxiDAcICCxAAGIAEGLEDGIMBwgIOEC4YgAQYsQMYxwEY0QPCAgsQLhiABBixAxiDAcICBRAAGIAEwgIIEAAYgAQYsQPCAggQLhiABBixA8ICBBAAGAPCAgsQLhiABBjHARivAcICCxAuGIAEGMcBGNEDwgIGEAAYFhgewgILEAAYgAQYigUYhgPCAggQABiABBiiBJgDBPEF_RBlml5nBqqSBwIzMqAHiJ0BsgcCMje4B5wIwgcGMC4zMS4xyAcugAgB&sclient=gws-wiz
    Reply
  • thesyndrome
    Things like this are why Labour recently lost big in the recent elections: no one asked to have a 1984 Big Brother system monitoring everything we do online under the guise of "child safety" which is solved in a much better way by educating parents on firewalls and parental controls per-app.

    We're likely going to end up with a pseudo-fascist government like the USA just because Labour kept making terrible decisions like this....
    Reply
  • DragonWolf5589
    I tell you why this whole ID THING doesn't work... Cause kids can still use an adults account and adults devices.

    A vpn is not a loophole do you really think kids have credit cards to use a vpn.. Which BTW.. Does NOT bypass website age verifications.

    Parental controls exist. I have a dns level filter and parental controls on kids devices..

    If anything to actually protect kids have devices themselves locked to parental controls to ON by default and must be disabled if you are over 18... Which btw.. Is how mobile data/broadband used to be for pay as you go.. I had to go into shops to prove I was 18 to be able to do the lottery and unlock my Internet...

    Vpn.. Virtual PRIVATE network.. Should stay PRIVATE. .. My issue is look how discords 3rd party id check was breached. My friend had his ID STOLEN and his address compromised as keeps getting credit loan letters since.

    Hackers must be praising this law.
    Reply
  • usertests
    thesyndrome said:
    Things like this are why Labour recently lost big in the recent elections: no one asked to have a 1984 Big Brother system monitoring everything we do online under the guise of "child safety" which is solved in a much better way by educating parents on firewalls and parental controls per-app.

    We're likely going to end up with a pseudo-fascist government like the USA just because Labour kept making terrible decisions like this....
    https://www.tomsguide.com/computing/vpns/uk-government-considers-vpn-ban-for-under-16s-as-privacy-advocates-slam-proposal-as-a-draconian-crackdown
    Responses from supporters of four UK political parties – the Conservatives, the Liberal Democrats, the Labour Party, and Reform UK – all showed strong majorities in favor of a VPN ban for under 18s. Liberal Democrat supporters had the smallest majority, with 54%. Conservative supporters were the largest group, with 69% in favor of a ban.
    Conservative MPs have supported terrible Internet policies over the years. Reform UK purportedly supports repealing the Online Safety Act but were responsible for it in the first place as former Conservatives. Maybe Reform and Greens could team up to fix this, but public support for some kind of VPN restriction is relatively high, if you believe the polling.

    Basically, it's over for the UK. Technical solutions or simply breaking the law will have to win out. This applies to other outrages in the USA or globally, like the push for OS-level age/ID verification. Many ordinary people will go with the flow, but the 1,800% VPN download surge shows that there's interest in at least a quick fix.
    Reply
  • Why_Me
    thesyndrome said:
    We're likely going to end up with a pseudo-fascist government like the USA just because Labour kept making terrible decisions like this....
    Fascist?

    This is what fascism looks like:

    https://pbs.twimg.com/media/HH_P2AkWsAAiO5a?format=jpg&name=small
    Reply
  • thesyndrome
    Why_Me said:
    Fascist?

    This is what fascism looks like:

    https://pbs.twimg.com/media/HH_P2AkWsAAiO5a?format=jpg&name=small
    Not the government-backed thugs with no oversight rounding up political enemies and ethnic minorities from their homes to place them in concentration cam-I mean """detention centres""" before disappearing them? I thought THAT was what fascism looked like, based on historical precedent

    https://images.theconversation.com/files/680733/original/file-20250717-79-jt6h03.jpg?ixlib=rb-4.1.0&q=45&auto=format&w=600&h=377&fit=crop&dpr=1
    If you are under the impression that arresting people for online comments is something I think is acceptable, then you are mistaken, however saying "don't arrest people for free speech" doesn't mean I also want a party of idiotic manipulative racists to take control of the country, especially when the leader of that party is one of the primary instigators of brexit, which has been a complete disaster for the UK, and when the growing pains of increased prices of EVERYTHING occurred in the wake of brexit (and no further money into the NHS, like he promised), he just went to hide in America for a few years until the heat died down.

    Just because someone says they don't like something about a political party DOES NOT mean they are immediately on-board with every single thing the opposing party does. I am so sick of this tribalism "if you aren't on my side then you're my enemy" ****.
    Reply