As Lawmakers Take Aim at VPNs, the Privacy of Millions Could Be in Jeopardy


Under the pretense of protecting minors and preserving morals, lawmakers in the United States and the United Kingdom are putting the privacy of millions of citizens at risk. Age verification bills that are aimed at preventing minors from accessing adult content online are nothing new, as the Free Speech Coalition lists 130 bills across much of the US since 2022 -- with 30 already signed into law. But the latest proposals from legislators in Wisconsin and Michigan take aim not just at access to adult content, but at virtual private networks as well.

As the UK and individual states have begun enacting age verification laws, internet users are turning to VPNs to make it appear as though their connection is originating from a different location, effectively bypassing the verification requirements. As a result, VPN use has skyrocketed, which is a boon for VPN providers, but due to the risks related to most free VPNs, it is also a big deal for cybercriminals.

Someone looking to change their virtual location could download any one of the thousands of free VPN apps available without realizing the risks involved. Google has even issued a warning to consumers on the dangers of downloading malicious VPN apps, which might inject user devices with malware, log their internet activity or misuse their personal data. Age verification laws and proposed VPN bans come with distinct privacy implications that are numerous and wide-ranging, putting people unnecessarily at risk.


What the proposed state legislation says

In Wisconsin, Senate Bill 130 proposes that sites use “reasonable age verification methods” and requires the publishers and distributors of “material harmful to minors” to prevent access from known VPN IP addresses. Under the bill, entities in violation of the law would be subject to civil penalties.

In Michigan, House Bill 4938 takes it a step further and proposes an all-out ban on VPNs and access to online adult content entirely. The lawmakers in support of the bill, called the Anticorruption of Public Morals Act, want internet service providers in the state to “actively monitor and block known circumvention tools.” The bill prohibits “the promotion or sale of circumvention tools to access prohibited material.” Violators would be subject to civil and criminal penalties of up to 25 years in prison and fines of up to $500,000 under the proposed legislation.

Both state proposals focus on the distribution of content and possible methods to get around blocks or verification. But requiring internet providers to enforce content laws can be messy, as many Starlink users have discovered.

The fallout from online age verification

The proposed legislation is a tangle of different considerations, but one of the most important threads is age verification, an important piece in the Wisconsin legislation. Online age verification is not just a major invasion of privacy, but a potential bonanza for cybercriminals. With millions of internet users uploading images of their faces alongside their government-issued IDs so they can access online content, age-verification companies have become extremely attractive targets for hackers.

The wealth of personal information -- including full name, birthdate, address, nationality, ID number and likeness -- collected by ID verification companies is putting people at risk of having their data compromised in a breach, which can lead to identity theft and other real-life perils. Promises to keep data safe do not always work out. Several recent instances of ID verification data being compromised and shared online have made headlines.

Last year, 404 Media reported that ID verification provider AU10TIX left age verification data submitted by users of popular online services like Uber, TikTok, PayPal and X exposed on the internet for more than a year. This year, a data breach targeting the Tea app exposed 72,000 user-uploaded images, 13,000 of which were identification images. More recently, cybercriminals targeted a third-party customer support provider for Discord, stole ID photos of 70,000 users and demanded a ransom from the company. With age verification requirements more prevalent across the web, similar incidents are bound to continue.

What is a VPN? How can it help users access restricted content?

A virtual private network is software that encrypts your internet traffic while routing it through a secure server in a different location. A VPN's encryption can keep your online activity hidden from your ISP and any other entity looking to snoop on what you do on the internet.

Additionally, a VPN masks your true IP address, effectively swapping it out with the IP address of the VPN server you are connected to. This is key, because your IP address is linked to your general location, so if you connect to the internet using the IP address of a VPN server located in a different location, your online traffic will appear to originate from that location rather than your actual physical location.

[Image: Laptop and network in purple. A VPN encrypts your internet traffic and routes it through a secure server. This process masks your real IP address and hides your activity from entities like your ISP. Credit: Getty Image/Zooey Liao/CNET]

If you live in a state where certain sites are required to verify the age of their visitors, a VPN can make it appear as though you are in a different state or country that doesn’t enforce such requirements. This is the same functionality that helps users access geo-restricted streaming content and bypass censorship.

The best VPNs offer apps available for a variety of mobile devices, computers and streaming devices that are just as easy to download and use as any other app you find online. Just use the app interface to connect to a specific server location to protect your privacy and change your virtual location as needed.

While they are not able to protect against data breaches, VPNs are critical online privacy tools used by millions of people to protect themselves online. Activists, whistleblowers and people who live under repressive regimes use VPNs to hide their internet activity, bypass censorship, and access information and communication tools. Average internet users use VPNs to keep their internet activity private from their internet service providers and other online snoops who harvest and sell their data. Banning VPNs could put considerably more people at risk than these bills aim to protect.

Can ISPs block VPN use?

Websites and ISPs can employ certain tactics to detect and block VPN use. These tactics include blocking access from known VPN IP addresses, blocking certain ports, or using more involved methods like deep packet inspection, which can analyze the entire data packet and identify certain VPN protocols. These methods are how streaming sites like Netflix seek to curtail VPN geo-unblocking and how repressive governments censor the internet within their borders.

However, quality VPNs often provide obfuscation features that can disguise VPN traffic as regular internet traffic, evading efforts by websites and ISPs to block VPN use. Some VPNs like Proton VPN and NordVPN offer obfuscation-focused protocols that are designed specifically to thwart deep packet inspection.
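The first two tactics described above, blocking known VPN IP addresses and blocking certain ports, can be sketched as a simple flow classifier. This is an added example, not code from CNET or from any ISP or VPN provider; the IP ranges are RFC 5737 documentation addresses standing in for a real list, and the `Flow` record layout and sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed feed: RFC 5737 documentation ranges standing in for a
# "known VPN IP addresses" list (assumption, not real VPN servers).
KNOWN_VPN_RANGES = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "203.0.113.64/26")]

# Default ports of common VPN protocols.
VPN_PORTS = {("udp", 1194): "OpenVPN", ("udp", 51820): "WireGuard",
             ("udp", 500): "IPsec IKE", ("udp", 4500): "IPsec NAT-T"}


@dataclass(frozen=True)
class Flow:
    """One outbound connection as a network operator might log it (hypothetical schema)."""
    src: str
    dst: str
    proto: str
    dst_port: int


def in_known_vpn_range(ip: str) -> bool:
    """IP-list check: is the address inside any listed VPN range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_RANGES)


def classify(flow: Flow) -> list[str]:
    """Return the reasons a flow would be flagged; an empty list means no match."""
    reasons = []
    if in_known_vpn_range(flow.dst):
        reasons.append("known VPN IP")
    name = VPN_PORTS.get((flow.proto.lower(), flow.dst_port))
    if name:
        reasons.append(f"default {name} port")
    return reasons


# Constructed sample flows from one subscriber address.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", "udp", 51820),   # listed server, default port
    Flow("192.0.2.10", "203.0.113.200", "udp", 1194),   # unlisted server, default port
    Flow("192.0.2.10", "203.0.113.200", "tcp", 443),    # unlisted server, HTTPS port
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst, f.proto, f.dst_port, classify(f) or "no match")
```

The third flow matches neither check because it is indistinguishable from ordinary HTTPS at this level, which is why operators escalate to deep packet inspection and why list- and port-based blocking alone gives incomplete coverage.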

A warning from Google

VPN use in the US and UK has reached stratospheric levels as age verification requirements continue to take effect. The problem is a large contingent of new VPN users may not be aware of the risks associated with downloading VPN software from a potentially disreputable entity. Thousands of VPN apps are available to download on the internet, many offered for free, which some users may find enticing as a simple fix to getting around age verification requirements or content restrictions. But many of them are unsafe to use, despite developers purporting otherwise.

In its fraud and scams advisory this month, Google warns of threat actors deploying malicious VPN apps disguised as legitimate services that can compromise user privacy. “Once installed, these applications serve as a vehicle to deliver dangerous malware payloads including info-stealers, remote access trojans and banking trojans that exfiltrate sensitive data such as browsing history, private messages, financial credentials and cryptocurrency wallet information,” the advisory states. Good antivirus software can help protect you from some of those threats, but the best plan is to dodge disreputable VPNs entirely.

Google urges users to enable Google Play Protect to guard against downloading potentially harmful apps and to only download apps from official sources rather than sideloading apps from unknown publishers. For VPN users specifically, Google says to be wary of free VPN apps and to look for apps with the VPN badge in the Google Play Store.

This is all sound advice, but I recommend not relying solely on the Google VPN badge or popularity ratings in the Play Store to determine whether a VPN is safe to use. Earlier this summer, a “verified” free VPN app sporting the Google VPN badge was found to be spying on users and capturing screenshots of their online activity. And 18 of the most popular VPN apps were recently found to have sketchy ownership and posed privacy risks.

Finding a safe VPN can take some diligence. Research VPN ownership, read reviews from trusted sources and look through each privacy policy, paying special attention to what categories of user data are collected by a VPN and what entities that data may be shared with. Also look out for no-logs policies, third-party audits and any legal cases a VPN company has been involved with.

If you do not want to pay for a VPN, you will need to be especially mindful that you are making a safe choice. Sometimes using a free VPN can be worse than using no VPN at all because many free VPNs make money by selling user data, and some may even infect your device with malware to steal other personal information. The only free VPN I recommend is the free tier from Proton VPN since it provides the same basic privacy protections as its paid tier and does not put limits on bandwidth or usage.

If you are one of the many people who are newly jumping on the VPN bandwagon in the wake of new legislation and expanding use of online age verification, take a beat and do some research to make sure the VPN you choose will enhance your privacy rather than put it at risk.
