Banning Vpns To Protect Kids? Good Luck With That

Analysis With the UK’s Online Safety Act (OSA) now in effect, it was only a matter of time before tech-savvy under-18s figured out how to bypass the rules and regain access to adult content.

The more creative wangled the “robust” selfie-based verification systems by using the in-game selfie feature in the Death Stranding sequel, which worked for Discord’s k-ID system.

However the more obvious workaround was to simply install a VPN and browse the web as if from another country where such age verification laws don’t apply. As has been widely reported, including by this vulture’s kettlemates, some VPN companies reported a 1,400 percent increase in sign-ups since the OSA came into force.

The idea of a total VPN ban was subsequently floated, but how realistic or feasible would this be to implement?

How a ban could look

If you want the short answer, experts we spoke to were predictably dismissive. One told us that its “not gonna happen.”

The government could pull various technical levers, such as banning the sale of VPN kit, but as people who spoke to The Register about the matter said, it would be like banning people from smoking in their own homes.

“You might not like it, but good luck enforcing it,” said Graeme Stewart, head of public sector at Check Point Software. “The logistics are near-impossible. You could, in theory, ban the sale of VPN equipment, or instruct ISPs not to accept VPN traffic. But even then, people will find workarounds. All you’d achieve is pushing VPN use underground, creating a black market for VPN concentrators.

“The only way to do it is badly. You’d effectively be forcing ISPs to block legitimate encrypted traffic and, in doing so, you’d be regulating an entire industry out of existence. Worse still, you’d be legislating against cybersecurity and privacy.”

Speaking of which, the UK’s largest mobile network operator, EE, proudly announced this week that it was the first carrier to launch SIMs for under-18s that block access to “inappropriate content.” 

A clear play to capitalize on parents’ newfound obsession with online safety, courtesy of the Act, this comes despite EE having offered parental controls for years, like most other providers.

EE is also now offering 30-minute online safety appointments for all families, regardless of whether they are a paying customer, in their retail stores so parents can drag their kids along to hear stuff they almost certainly know more about than their elders.

Beyond the drawbacks of an ISP-level content block Stewart mentioned, it is also likely that once one VPN is banned, there will always be another to block, and a game of cyber whack-a-mole would ensue.

Jake Moore, global cybersecurity advisor at ESET, told us that other methods could see the UK veering into enemy territory, not to mention a PR calamity.

“Although we shouldn’t even consider adopting a route used by China, the Chinese use the technique of analyzing traffic patterns for VPN usage, but this requires expensive infrastructure and constant updates so again, not feasible,” he said. 

“Furthermore, many VPNs offer modes to make their traffic look like regular HTTPS anyway, making detection harder yet again.”

To put it in his plainer terms: “Not gonna happen.”

Scott McGready, co-founder of Damn Good Security, agreed that if UK ISPs started snitching on their customers’ VPN usage, it would be “a very worrying position to be in” and the unintended consequences for legitimate users and businesses would be massive.

Potential impact of a VPN ban

McGready’s point about affecting legitimate users is valid. A VPN ban would be a lazy way to achieve the government’s aims, which as we understand aren’t to limit privacy, but to quell access to online harms.

Officially, the UK wants to limit underage access to adult content, make it more difficult for harassers to hide behind privacy-preserving technologies, put an end to illegal streaming, and similar – not prevent people from using VPNs to protect themselves on public Wi-Fi networks, for example.

That’s the government’s line, anyway, although its attack on end-to-end encryption might have you believe there is more to its ambition than that.

But how many people – beyond those with a solid understanding of cybersecurity – are really using VPNs to stay safe on public networks? Other than those whose employers demand they hook up to the corporate network using one?

A fair few, as it goes. According to a Forbes Advisor poll, enhanced online privacy prevailed as the top use case for UK VPN users, although the same proportion (24 percent) of respondents said they used them to access restricted content as they did for work.

The data suggests Brits aren’t just looking for ways to stream the footy illegally, or access a few foreign shows on Netflix, although this undoubtedly drives a certain amount of subscriptions.

They use VPNs to preserve personal security and privacy, too – legitimate, necessary use cases. To take that away would force the UK down a worrying path, aligning it with geopolitical adversaries.

Morally unconscionable?

Some countries that ban the use of VPNs include Russia, the United Arab Emirates, Iran, Saudi Arabia, Turkmenistan, Myanmar, Belarus, and China. That’s not even an exhaustive list, but it shows the questionable company the UK would keep should it choose to ban VPNs.

A ban not only puts the UK on a concerning trajectory from a privacy and cybersecurity standpoint, but it is also unlikely to work in practice. Possible? Yes, but the practicality of policing such a ban would be challenging.

As shown by individuals in nearly all the aforementioned countries that outlaw VPNs, bans don’t prevent use. People always find ways to circumvent such restrictions, as they do routinely and successfully in more authoritarian countries.

All a UK ban would do is provide the impetus for young people to learn how to circumvent the legislation by using outlawed privacy tech. They would find a way, they always do.

If restricting children’s access to sensitive content is the aim of the game, parents need to be more proactive in making use of the existing network, device, and app-level controls available to them, not support a ban for technology that preserves privacy for all.

Communications regulator Ofcom told us on Monday that platforms covered by the OSA must not promote content that encourages the use of VPNs or means to circumvent age checks.

However, tech secretary Peter Kyle, following the furor he stoked after a post comparing OSA opponents to sexual predators (which remarkably has still yet to be deleted), confirmed the UK has no current plans to ban VPNs.

He told Sky News on Tuesday that he will look “very closely” at how VPNs were being used and that the majority of Brits were playing by the rules.

A digital petition to repeal the OSA has now reached north of 423,000 e-signatures at the time of writing, a figure well beyond the threshold triggering a Parliamentary debate on the matter.

UK Parliament is in recess until September, but a government response to the petition has already stated it has no plans to repeal the Act. ®


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.