21 KiB
VPN Ban Investigation: The Last Layer of the Surveillance Architecture
Correction: Attribution of VPN Amendment
Previous investigation files attributed the UK VPN ban to Baroness Kidron. This was incorrect. The VPN amendment (Amendment 92) was tabled by Lord Nash (Conservative venture capitalist, former Parliamentary Under Secretary of State for Schools), co-signed by Baroness Cass, Baroness Benjamin, and Baroness Berger. Kidron did not co-sign the amendment. She voted for it and spoke in the debate but did not author it. This correction applies to files 15, 16, and 18.
Source: UK Parliament Amendment 92 https://bills.parliament.uk/bills/3909/stages/20215/amendments/10027478 Source: TheyWorkForYou debate https://www.theyworkforyou.com/lords/?id=2026-01-21a.346.0
What Happened in the Lords: January 21, 2026
Three amendments were debated in the Children's Wellbeing and Schools Bill, Report Stage (3rd Day).
Amendment 92 (VPN ban): Required VPN providers to prevent anyone under 18 in the UK from using their services within 12 months of the Act passing. Passed 207 to 159. Government (Labour) opposed. Conservative majority in the Content (for) lobby. The government preferred a three-month consultation over legislative mandates.
Amendment 93 (device scanning): Required "tamper-proof system software" on all smartphones and tablets sold in the UK, "highly effective at preventing the recording, transmitting (by any means, including livestreaming) and viewing of CSAM using that device." Lord Nash withdrew this amendment without a vote after "constructive discussions with Ministers." It remains a live proposal.
Amendment 94A (social media ban for under-16s): Passed 261 to 150. An even larger government defeat.
Source: Lords Division 3503 https://votes.parliament.uk/votes/lords/division/3503 Source: Hansard debate https://hansard.parliament.uk/Lords/2026-01-21/debates/FDF32A4B-6004-4C08-8995-EB06C45C0B65/Children%E2%80%99SWellbeingAndSchoolsBill Source: Amendment 93 text https://bills.parliament.uk/bills/3909/stages/20215/amendments/10027476
The Commons Rejected the VPN Ban, Then Replaced It with Something Broader
On 9 March 2026, the House of Commons rejected Lord Nash's VPN amendment (Amendment 92) and the social media ban for under-16s (307 to 173). The government passed "amendments in lieu" granting the Secretary of State for Science, Innovation and Technology broad discretionary powers to:
Restrict or ban children of certain ages from accessing social media services and chatbots. Limit access to specific harmful or addictive features. Age-restrict or limit children's VPN use (discretionary power, not a mandate). Change the age of digital consent in the UK GDPR.
Open Rights Group titled their response "MPs give ministers powers to restrict entire Internet." Their analysis warned the government amendments grant ministers "huge powers to restrict the Internet without having to pass new legislation" and that the consequence would be "every adult having to provide their personal data, or use their body and biometric features as a key to unlock the internet." ORG described this as potentially more dangerous than the original Nash amendments because it grants open-ended regulatory authority without requiring parliamentary debate for each restriction.
The bill returned to the Lords on 25 March 2026 for consideration of Commons amendments, entering ping-pong.
Source: ORG press release https://www.openrightsgroup.org/press-releases/mps-give-ministers-powers-to-restrict-entire-internet/ Source: ORG analysis of Amendment 38B https://www.openrightsgroup.org/publications/childrens-wellbeing-and-schools-bill-org-analysis-of-amendment-38-b/ Source: Hansard Commons debate https://hansard.parliament.uk/commons/2026-03-09/debates/655E6B7C-4642-44D5-ABFE-236ADC69819A/Children%E2%80%99SWellbeingAndSchoolsBill
Kidron's Actual Position
Kidron's role is more nuanced than the initial investigation stated. She voted for the Nash amendments and spoke in the debate, using the quote "Consultation is the playground of the tech lobbyist and inaction is the most powerful tool in politics." She attacked the government's proposed three-month consultation as a delay tactic.
In a separate September 2025 Lords debate on VPNs and the Online Safety Act, Kidron stated there was "no evidence that the media's reported increase in use of VPNs was entirely attributable to use by children" and cited Ofcom data showing "only one in ten VPN users is a child." In a Financial Times interview, she said "Do not assume that every VPN that has been downloaded is a child trying to get around age controls. Many of them are adults trying to preserve their freedom to access that material in private."
She told ITV News (January 25, 2026) that "outrage is driving rapid social media law changes" and called for "a better answer than a ban" that tackles "root harms."
In a March 2026 Bureau of Investigative Journalism interview: "Regulation has failed, not because it can't work, but because the regime envisaged by Parliament was weakened by lobbying and critically undermined in its implementation." She described Ofcom as "too timid, too close to tech, too secretive."
Source: ORG briefing quoting Kidron on VPNs https://www.openrightsgroup.org/publications/briefing-vpns-and-the-online-safety-act/ Source: ITV News https://www.itv.com/news/2026-01-25/outrage-is-driving-rapid-social-media-law-changes-baroness-kidron Source: Bureau of Investigative Journalism https://www.thebureauinvestigates.com/stories/2026-03-17/baroness-kidron-interview
The Device Scanning Provision Goes Further Than Apple's Abandoned System
Amendment 93 requires "tamper-proof system software" on all smartphones and tablets that scans for child sexual abuse material. This is client-side scanning built into the operating system.
In August 2021, Apple announced a plan to scan devices for CSAM using on-device hash matching (NeuralHash) against a database of known hashes. Nearly 100 policy and rights groups published an open letter opposing it. Researchers demonstrated the system could be spoofed. Apple delayed in September 2021 and formally abandoned the plan in December 2022, stating it could not implement it without "the potential to create a system that could be used to scan private content on people's phones."
The UK amendment goes further than Apple's abandoned system. Apple planned to scan only images uploaded to iCloud. The UK amendment covers recording, transmitting by any means including livestreaming, and viewing. Active real-time scanning of what a user sees on their device.
Signal President Meredith Whittaker said Signal "would absolutely, 100% walk" from the UK rather than implement scanning. WhatsApp head Will Cathcart threatened to pull the app. In a joint open letter, Signal, WhatsApp, and other encrypted messaging services warned the Online Safety Bill could compel client-side scanning that would be "blanket scanning of message content."
Germany's CSAM scanning data shows 48.3% of reports were false positives. Nearly half of all flags were innocent images wrongly identified as illegal.
Source: Apple CSAM abandonment https://www.cnn.com/2022/12/08/tech/apple-csam-tool Source: Signal position https://signal.org/blog/uk-online-safety-bill/ Source: EFF on Apple scanning https://www.eff.org/deeplinks/2021/12/2021-we-told-apple-dont-scan-our-phones Source: Alec Muffett analysis https://alecmuffett.com/article/134940
Who Opposed the VPN Ban
Open Rights Group published multiple briefings. Their September 2025 analysis argued children aged 6-12 are "highly unlikely to use VPNs" and that tech-savvy teenagers can bypass age verification through other means. Their March 2026 analysis warned the government's replacement powers allow the Secretary of State to "mandate age verification tools that violate the privacy of children and users" and "amend, repeal, revoke or apply any provision of the UK GDPR or the Data Protection Act" without substantive parliamentary scrutiny.
Big Brother Watch Director Silkie Carlo called the plan "absolutely clueless, dangerous, and undemocratic" and warned it puts the UK "in the same category as China, Russia, and North Korea."
EFF joined ORG, Big Brother Watch, and Index on Censorship in a joint letter urging reform or repeal of the Online Safety Act. A petition calling for OSA repeal gathered over 550,000 signatures. EFF argued that "requiring ID verification defeats the purpose entirely and creates a database of everyone who uses privacy tools."
Mullvad VPN warned the amendments would "effectively ban end-to-end encrypted communication and open source operating systems such as GrapheneOS and forbid that people have administrator rights on their own devices." Mullvad stated: "In the UK, mass surveillance and censorship reminiscent of authoritarian countries are on the verge of being introduced." Mullvad's anti-surveillance TV advertisement was banned by Clearcast. Their London Underground follow-up ad was banned by Transport for London.
GrapheneOS stated it "will not comply with emerging laws requiring operating systems to collect user age data at setup" and that "if GrapheneOS devices can't be sold in a region due to their regulations, so be it."
Source: ORG VPN briefing https://www.openrightsgroup.org/publications/briefing-vpns-and-the-online-safety-act/ Source: Big Brother Watch https://bigbrotherwatch.org.uk/press-releases/big-brother-watch-response-to-government-plans-to-limit-childrens-access-to-vpns/ Source: EFF coalition letter https://www.eff.org/deeplinks/2025/12/eff-open-rights-group-big-brother-watch-and-index-censorship-call-uk-government Source: Mullvad https://mullvad.net/en/and-then/uk Source: GrapheneOS https://www.tomshardware.com/software/operating-systems/grapheneos-refuses-to-comply-with-age-verification-laws
The AVPA Wants VPN Age Verification, Not a Ban
The AVPA published a position paper "VPNs are not Kryptonite to age assurance" (August 2025) arguing what they called the "VPN fallacy." Their proposed approach: platforms detect VPN use, assess risk using behavioral signals, then prompt flagged users to either verify their age or consent to a one-time geolocation check. This requires all VPN users to either prove their identity or prove their location, functionally undermining VPN anonymity. The AVPA frames this as a middle ground. Privacy advocates describe it as a ban by another name.
Source: AVPA position paper https://avpassociation.com/thought-leadership/vpns-are-not-kryptonite-to-age-assurance/ Source: Biometric Update https://www.biometricupdate.com/202508/vpns-a-navigable-challenge-for-age-assurance-sector-says-avpa
Technical Reality
The decoded.legal analysis (December 2025) identified fundamental problems. The amendment does not define "virtual private network." The "in the course of a business" language means Tor (a nonprofit) and self-hosted VPNs are out of scope. The only way to enforce a VPN ban for minors is to require all users to verify their age before using a VPN, because you cannot determine someone is a minor without first checking. This means universal age verification for VPN access. The same companies documented in this investigation (Yoti, Persona, AU10TIX) would provide the verification.
Source: decoded.legal analysis https://decoded.legal/blog/2025/12/a-proposed-legislative-amendment-to-attempt-to-compel-vpn-services-providers-to-prevent-anyone-under-18-in-the-uk-from-using-their-vpns/
VPN Usage Surge
After the Online Safety Act age verification requirements took effect on 25 July 2025, UK daily VPN usage more than doubled from approximately 650,000 to over 1.4 million by mid-August 2025. VPN apps became the most downloaded on Apple's UK App Store.
Source: ISPreview https://www.ispreview.co.uk/index.php/2026/01/house-of-lords-votes-to-ban-uk-children-from-using-internet-vpns.html
Government Consultation
"Growing up in the online world: a national consultation" launched 2 March 2026, closes 26 May 2026. Covers VPN age restrictions, social media bans, addictive design features, and AI chatbot restrictions. Government response expected summer 2026.
Source: GOV.UK consultation https://www.gov.uk/government/consultations/growing-up-in-the-online-world-a-national-consultation
5Rights EU Lobbying
5Rights Foundation's EU Transparency Register entry (ID 373653640889-82) shows 2.5 full-time equivalent lobbyists in Brussels. 12 high-level European Commission meetings. 1 current European Parliament accreditation (Manon Letouche, since June 2025). Brussels office at Square de Meeus 35. Self-declared lobby budget: not disclosed (since September 2021, non-commercial organizations exempted). Main EU files targeted: Charter of Fundamental Rights Article 24, DSA, AI Act, AVMSD, Consumer Protection/Digital Fairness Act, GDPR, e-Commerce Directive, e-Privacy Regulation, Competition law/DMA, European Strategy for rights of the child, EU action plan against cyberbullying, EU inquiry on social media wellbeing, European strategy to combat child sexual abuse, and EU-UK relations. 14 legislative files targeted simultaneously by a 10-person charity.
Source: LobbyFacts https://www.lobbyfacts.eu/datacard/_rights-foundation?rid=373653640889-82
Brazil: 250% VPN Surge When Digital ECA Took Effect
Proton VPN reported a 250% increase in Brazilian signups between March 16-17, 2026, the days the Digital ECA became enforceable. Users are turning to VPNs to avoid submitting biometric data and identity documents. The law does not explicitly mention or ban VPNs. VPN use remains fully legal in Brazil.
Beyond the Linux distributions previously documented (Arch 32, Bazzite, CachyOS), MidnightBSD also banned Brazilian users starting March 17, 2026. A protest distribution called "Ageless Linux" was launched as an intentionally non-compliant distro.
Source: Cybernews https://cybernews.com/tech/vpn-use-brazil-age-verification-law/ Source: Gadget Review https://www.gadgetreview.com/brazils-age-verification-law-triggers-250-vpn-surge-overnight Source: It's FOSS MidnightBSD https://itsfoss.com/news/midnightbsd-age-verification/
The 1,400% Surge: Original Source
The 1,400% figure comes from Proton VPN (Proton AG, Switzerland), announced via their official X/Twitter account on the evening of July 25, 2025, minutes after the UK Online Safety Act's age verification requirements came into force. Proton VPN surpassed ChatGPT to become the most downloaded free app on Apple's UK App Store. NordVPN and Super Unlimited also ranked in the top ten. Proton stated: "Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content." A petition demanding repeal of the Online Safety Act gathered over 290,000 signatures within days.
Source: Proton VPN tweet https://x.com/ProtonVPN/status/1948773319148245334 Source: CyberInsider https://cyberinsider.com/proton-vpn-signups-in-uk-surge-1400-after-online-safety-act-comes-into-force/ Source: The Register https://www.theregister.com/2025/07/28/uk_vpn_demand_soars/
France: "VPNs Are Next on My List"
France's National Assembly approved an under-15 social media ban on January 25, 2026 (116-23). Digital Affairs Minister Anne Le Henanff declared in an interview: "VPNs are next on my list." She said the ban was "only the beginning" and that "new rules" would be adopted. After backlash, a spokesperson clarified Le Henanff "accepts VPNs have numerous legitimate uses" and is "not looking at banning them outright." No VPN-specific legislation has been drafted. The bill is proceeding to the French Senate.
Source: TechRadar https://www.techradar.com/vpn/vpn-privacy-security/vpns-are-next-on-my-list-france-set-to-evaluate-vpn-use-following-social-media-ban-for-under-15s Source: Decrypt https://decrypt.co/356823/france-considers-restricting-vpns-to-support-under-15-social-media-ban
Australia: Platforms Expected to Detect VPN Circumvention
Australia's under-16 social media ban (Online Safety Amendment Act 2024) does not explicitly ban VPN use. No penalties exist for children or parents who circumvent. The eSafety Commissioner instructs platforms to "try to stop under-16s from using VPNs to pretend to be outside Australia" by integrating VPN detection services, IP intelligence APIs, and "additional signals" including photos, tags, connections, and activity patterns. ABC News reported "many children have already been able to get around the ban."
Source: TechRadar https://www.techradar.com/vpn/vpn-privacy-security/australia-expects-platforms-to-stop-under-16s-from-using-vpns-to-evade-social-media-ban Source: eSafety Commissioner FAQs https://www.esafety.gov.au/about-us/industry-regulation/social-media-age-restrictions/faqs
EU: EPRS Flags VPNs for Regulatory Attention
The European Parliamentary Research Service published a briefing in January 2026 titled "Virtual private networks and the protection of children online," documenting "a significant surge in the number of virtual private networks used to bypass online age verification methods." The EPRS warns: "It is likely that the revised Cybersecurity Act will introduce child-safety criteria, potentially including measures to prevent the misuse of VPNs to bypass legal protections." The EU Chat Control regulation (CSAM regulation, Council position November 2025) includes proposals that "explicitly mention VPNs and anonymity services as problems to be solved."
Source: EPRS briefing https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA(2026)782618 Source: EFF on digital identities in Europe https://www.eff.org/deeplinks/2025/04/digital-identities-and-future-age-verification-europe
US States: Wisconsin Scrapped VPN Ban, Michigan Proposed ISP Blocking
Wisconsin's age verification bill (AB 105 / SB 130) originally required adult content sites to block all users connecting via VPN. Following backlash from the EFF and ACLU of Wisconsin, Republican Senator Van Wanggaard struck the VPN provision on February 19, 2026. The EFF called it "unworkable" because sites "cannot reliably determine where a VPN customer lives."
Michigan's HB 4938 ("Anticorruption of Public Morals Act," introduced September 2025 by six Republican representatives) would require ISPs to "detect and block connections coming from circumvention tools," defined as "any software, hardware, or service designed to bypass internet filtering mechanisms or content restrictions, including virtual private networks (VPNs), proxy servers, and encrypted tunneling methods." ISPs that fail to comply face fines up to $500,000. The bill has not moved through the legislature.
Source: TechRadar Wisconsin https://www.techradar.com/vpn/vpn-privacy-security/wisconsin-scraps-vpn-ban-from-age-verification-bill-following-backlash Source: EFF Wisconsin https://www.eff.org/deeplinks/2026/02/eff-wisconsin-legislature-vpn-bans-are-still-terrible-idea Source: Michigan Legislature HB 4938 https://www.legislature.mi.gov/documents/2025-2026/billintroduced/House/pdf/2025-HIB-4938.pdf
5Rights Position Is More Nuanced Than Expected
5Rights published a position paper in February 2026 titled "Access restrictions to protect children and their rights." Their position does not call for VPN bans directly. They argue "children should not be banned from accessing the digital world, but companies that exploit them should be banned from accessing them." The paper calls for corporate accountability and age-appropriate design rather than restrictions on privacy tools. This contrasts with the broader surveillance infrastructure their legislation enables.
Source: 5Rights position paper https://5rightsfoundation.com/wp-content/uploads/2026/02/5Rights-Position-paper-on-Access-restrictions_Final.pdf
Connection to the Investigation
The VPN findings connect to the broader investigation through the same structural pattern. The age verification laws documented across the UK, EU, US, Brazil, and Australia create a mandatory identity verification layer. VPNs are the primary tool citizens use to avoid geographic verification requirements. Proposals to ban or age-gate VPNs close the circumvention path, making the identity verification inescapable.
The AVPA, the trade body whose Executive Director chairs the IEEE 2089.1 certification (the standard Kidron co-vice-chaired), advocates for mandatory age verification of all VPN users. The same companies documented throughout this investigation (Yoti for Instagram/Meta, Persona for Discord/Serpro, AU10TIX for X/TikTok) would provide VPN age verification. The device scanning provision (Amendment 93, withdrawn but alive) would require client-side scanning that goes further than the system Apple abandoned after global backlash.
The Commons replacement is potentially more significant than the original amendments. By granting the Secretary of State discretionary power to restrict VPNs, ban social media, and modify GDPR provisions without new legislation, the government obtained broader authority than the Lords proposed. Open Rights Group warns this amounts to "huge powers to restrict the Internet" without parliamentary oversight for individual restrictions.