Utah's Online Age Verification Amendments, formally Senate Bill 73, take effect on May 6, making the state the first in the U.S. to explicitly target VPN use as part of age verification legislation.
Signed by Governor Spencer Cox on March 19, the controversial law establishes that a user is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN or proxy to mask their IP address. It also prohibits covered websites from sharing instructions on how to use a VPN to bypass age checks.
NordVPN has called the law an "unresolvable compliance paradox" and a "liability trap," arguing that it holds websites responsible for identifying users whose tools are specifically designed to be unidentifiable. The EFF warned that the legal risk could push sites to either ban all known VPN IPs or mandate age verification for every visitor globally.
Article continues below
The law is also technically flawed, given that it assumes that a web provider can reliably detect VPN traffic and determine a user’s true physical location — they can’t. IP reputation databases such as MaxMind and IP2Proxy can flag traffic from known datacenter IP ranges, but commercial VPN providers rotate addresses constantly, and residential VPN endpoints are largely indistinguishable from standard home connections. Autonomous System Number analysis can catch traffic originating from datacenter networks, but can’t identify a personal WireGuard tunnel running on a cloud VPS, for example, which routes through the same infrastructure as ordinary web hosting.
The only detection method that reliably identifies VPN protocol signatures is deep packet inspection, which analyzes traffic at the network level, not system- or app-level. China's Great Firewall and Russia's TSPU system deploy DPI via ISPs, but a website operator can’t because it requires access to network infrastructure that sits between the user and the server, not on the server itself.
Meanwhile, setting up a personal WireGuard instance on any major cloud provider takes minutes, meaning the law will be more likely to negatively impact non-technical users who rely on commercial VPN services for legitimate privacy: journalists, people living under authoritarian regimes, political dissidents, and abuse survivors, among others.
Utah isn’t alone in trying to legislate the impossible into being. In the UK, the House of Lords — Parliament’s secondary chamber — voted 207-159 in January to ban VPN services for under 18s, with those amendments now due to be debated in the House of Commons. VPN use jumped by more than 1,400% on the first day of age verification enforcement in July last year. Meanwhile, France’s digital affairs minister, Anne Le Hénanff, has said that VPNs are “next on my list.” Wisconsin considered similar VPN provisions earlier this year but scrapped them due to heavy backlash.
To date, the only countries that have made progress in blocking VPN traffic with some success are authoritarian regimes with ISP-level surveillance.
Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
The government isn't smart enough to stop this with stupid legislation like this. If parents won't or can't do their jobs the nanny state isn't going to fix it either. There will be a multitude of ways to circumvent this crap anyway. Kids probably shouldn't be doing lots of things on the Internet, but the government is usually the last one I want trying to fix it because they're terrible at it and usually make it worse. Now a kid will circumvent it, and the parents will have more legal charges against them from the government, and the already probably bad parents will be even less engaged with their kids because they're mired in a quagmire of government meddling in their lives trying to fix a problem in a completely counterintuitive manner.
I expect this will be challenged as a violation of the First Amendment, which has been interpreted by the Supreme Court to include a right to anonymous speech and the right to receive information.
Now what they could do and be sneaky about it, reclassify any traffic coming from VPNs regardless if it originates from an American user as foreign under Section 702 of the Foreign Intelligence Surveillance Act (FISA), which could strip users of Fourth Amendment protections against warrantless searches.
Disclaimer, no lawyer but information retrieved from different Ai, and general searches.
The government officials have no clue how the internet infrastructure actually works, but make no mistake, they do have high paid consultants that do and tell them how things work. This is an intermediary step towards the real system they want to implement. The governmnts of the world want biometric ID of every user. This current flawed system that can't work will be their excuse to bring in biometrics instead under the guise of protecting children. They are making a system to break so they can trick people into agreeing to biometric ID.
There are so many issues with the internet, that it's discouraging. Most people haven't even secured their modem or router and so they are used by criminals as Bots.
...the law will be more likely to negatively impact non-technical users who rely on commercial VPN services for legitimate privacy: journalists, people living under authoritarian regimes, political dissidents, and abuse survivors, among others.
"Feature, not bug."-Utah State Legislature
Bone61 said:
This literally isn't about kids, it's overreach by certain states (and governments ) that want to control and spy on literally everything anyone does.
It's EXACTLY what totalitarian/authoritarian governments do.
Bone61 gets it. "Give us full authority to jail all of those people you're afraid of so I can protect you," says every single tyrant ever, before getting the power to jail everyone that disagrees with them on anything.
Besides clearly being written by olds who don't understand how VPNs work, this law is also unconstitutional. It's a restriction on free speech to bar sites from telling how to use a VPN.
