The window for the British public to influence how lawmakers protect children online shuts tonight at midnight, as the government's three-month national consultation - "Growing Up in the Online World" - reaches its deadline. At stake is a set of sweeping decisions about content restrictions, platform accountability, and, most contentiously, whether virtual private networks should require users to prove their age before connecting. The Department for Science, Innovation and Technology launched the exercise in March, explicitly flagging VPNs as tools that could undermine online safety protections if the evidence pointed that way.
Why VPNs Became the Flashpoint
VPNs work by encrypting a user's internet traffic and routing it through a server in another location, masking the user's real IP address in the process. That combination of encryption and apparent geographic relocation is what makes them valuable to security-conscious users - and what makes them frustrating to regulators trying to enforce age-based content barriers. When mandatory age checks took hold in the UK last July, VPN usage spiked sharply as users sought ways around the new requirements. Whether those users were predominantly adults reluctant to hand over biometric data, or minors accessing restricted content, remains genuinely unclear. Research from groups including Childnet and Internet Matters suggests adults account for much of the circumvention activity, but the ambiguity has been enough to keep VPNs in the political crosshairs.
The consultation's framing has not helped VPN providers make their case. When TechRadar reviewed the online safety survey, VPNs were described primarily as circumvention tools rather than as privacy or security infrastructure - a framing that has persisted in parliamentary debate. During a recent Ofcom hearing, Ian Cheshire, the government's nominee to chair the communications regulator, referred to "the joys of VPNs" as a "technical problem." That characterisation reflects a broader tendency among UK policymakers to treat VPN use as inherently suspect rather than as an established and legitimate element of digital security practice.
The Industry Pushes Back - and Explains the Technical Trap
The cybersecurity sector has responded with unusual unity. Mozilla, which operates both the Firefox browser and its own VPN service, submitted a public statement warning that mandatory age verification for VPN access "would undermine the privacy and security of all users." The concern is structural: requiring identity checks at the point of VPN access creates a centralised data collection point in a product whose core purpose is to prevent exactly that kind of data exposure. A breach of an age-verification database tied to VPN usage would be far more damaging than a breach of an ordinary service, because it would expose not just personal details but the fact of users' desire for privacy itself.
Nineteen organisations - among them Proton VPN, Mullvad, ExpressVPN, and the Tor Project - jointly urged UK lawmakers not to restrict privacy-preserving technologies, warning against "undermining the open web." The VPN Trust Initiative, an industry consortium, published a parallel warning in April, arguing that treating VPNs as loopholes exposes children to greater harms by pushing traffic toward less reputable, potentially unvetted services. Surfshark, a VTI member, pointed out that its terms of service already prohibit under-18s from using the platform - as do most established providers - and framed the regulatory choice bluntly: either build identity verification into tools designed to resist it, or rely on third-party verification services that have a documented track record of data breaches. Neither outcome strengthens safety.
The technical enforcement problem compounds the policy one. NordVPN, speaking to TechRadar in March, described blocking all known VPN and proxy IP addresses as practically impossible. The realistic alternative - age-verifying every user globally regardless of their location - would subject millions of people outside the UK to identity checks they have no legal obligation to submit to, and would do so to protect against a harm that existing evidence suggests is more limited than the political debate implies.
A Regulatory Trend With Global Reach
The UK is not acting in isolation. Utah recently became the first US state to attach VPN usage restrictions to its age verification regulations, creating an early test case that providers like NordVPN have already said they cannot technically comply with on a state-specific basis. The European Union has separately signalled its intention to address circumvention of its own age verification framework. Meanwhile, the UK's Children's Wellbeing and Schools Act - which became law just weeks ago - already obliges service providers to take "reasonable anti-circumvention measures," language that could eventually be read to encompass VPN access controls depending on how regulators interpret it.
If the DSIT consultation results in recommendations for a broader teen social media ban, VPNs will almost certainly be drawn into the implementation debate, since any ban without accompanying circumvention controls would be straightforward to bypass. That sequence of events could make mandatory age verification for VPN users a practical near-term prospect rather than a theoretical one. What remains entirely unresolved is how such a requirement would be enforced in a way that is both technically credible and proportionate - a question that neither the consultation's framing nor the political debate has yet come close to answering. The survey closes tonight. The harder questions open tomorrow.
