Fears grow that age verification coming to VPNs as a British research firm labels them a 'loophole' — one app developer saw downloads surge by 1,800% in just the first month after the UK's Online Safety Act took effect

The European Parliamentary Research Service (EPRS) published a briefing paper this week describing VPN use as "a loophole in the legislation that needs closing," as governments across Europe and the U.S. expand laws requiring platforms to verify users' ages before granting access to adult content.

The paper noted that VPN downloads spiked after enforcement began in the UK and several U.S. states, with one app developer reporting an 1,800% increase in downloads in the first month following the UK's Online Safety Act taking effect last year. Some policymakers, including England's Children's Commissioner, have called for VPN services to be restricted to adults only.

The EPRS paper acknowledges that current age-assurance methods are "relatively easy for minors to bypass," but offers no technical workaround to prevent VPN circumvention. In March, Utah became the first U.S. state to target VPN use in its age-verification law when Governor Spencer Cox signed Senate Bill 73. However, such efforts are technically flawed because the only reliable method for identifying VPN protocol signatures is deep packet inspection at the network level, which the EPRS paper doesn’t mention.

VPN demand in Florida surged 1,150% within hours of Pornhub blocking access in that state, and Utah saw a 967% increase after a similar withdrawal. Mozilla, Mullvad, and Proton, among others, sent a joint letter opposing the UK's proposals to mandate age verification for VPN access on May 5th, urging officials “not to undermine the open internet.”

The EPRS research paper comes less than a month after the EU’s own age verification technology, which European Commission President Ursula von der Leyen described as being built to respect “the highest privacy standards in the world — failed a basic security test.

Security consultant Paul Moore found in April that the European Commission's official age verification app stored facial images from identity documents as unencrypted files and allowed its biometric authentication to be bypassed by toggling a single boolean value in a config file. Moore demonstrated a full bypass in under two minutes.

The EPRS paper also highlights France's "double-blind" verification model, in which the adult platform learns only whether a user meets the age threshold, while the verification provider doesn’t see which sites the user visits. California has taken a separate approach, requiring operating systems to collect age data at device setup. GrapheneOS has refused to comply with such laws.

Utah's law took effect on May 6th, defining a user's location as their physical presence, regardless of VPN use. The UK House of Lords voted 207-159 in January to ban VPN services for under-18s, while the EU Parliament adopted a resolution last November supporting a digital age of majority of 16 for social media.

To date, the only governments that have made meaningful progress blocking VPN traffic are authoritarian regimes with ISP-level surveillance infrastructure.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.