The deadline for the UK's national consultation on children's online safety arrives tonight, bringing to a head one of the most contentious digital policy debates the country has seen in years: whether virtual private networks should require users to verify their age before connecting. The Department for Science, Innovation & Technology's three-month exercise, titled "Growing up in the online world," closes at 11:59 pm on May 26, after which the government will begin processing submissions from parents, advocacy groups, technology companies, and individual citizens. What follows could reshape the legal landscape for one of the internet's most widely used privacy tools.
Why VPNs Became the Focal Point of a Child Safety Debate
VPNs were not, until recently, a subject for parliamentary debate. These tools encrypt a user's internet connection and route it through a server in another location, masking the user's IP address and making their traffic appear to originate elsewhere. For decades, they have served a straightforward purpose: protecting sensitive communications, securing connections on public Wi-Fi networks, enabling journalists and activists to operate in hostile environments, and allowing businesses to give remote employees secure access to internal systems.
That changed when the UK began enforcing mandatory age verification on adult content platforms. Usage of VPN services spiked sharply last July, prompting alarm among lawmakers who interpreted the surge as evidence that children were using these tools to circumvent new restrictions. The interpretation is plausible, but contested. Research from organizations including Childnet and Internet Matters suggests the spike may largely reflect adults unwilling to submit biometric data to commercial platforms - a concern that is, in its own right, entirely legitimate. Distinguishing between the two populations is technically difficult, and that ambiguity has driven much of the political heat.
By December, UK Lords had gone far enough to propose an outright VPN ban for minors. The proposal did not survive, replaced instead by the DSIT consultation - but the fact that a blanket prohibition reached serious legislative discussion signals how charged the atmosphere has become. The Children's Wellbeing and Schools Act, which became law just weeks ago, adds another layer: it requires service providers to take "reasonable anti-circumvention measures," a phrase that could eventually be applied to VPN access if the government chooses to read it that way.
An Industry United in Opposition, and the Technical Case Behind It
Rarely does the cybersecurity industry speak with a single voice. On this question, it has. Mozilla - the organization behind the Firefox browser and Mozilla VPN - issued a public statement arguing that age-restricting VPN access "would undermine the privacy and security of all users." The argument is structural rather than rhetorical: requiring age verification at the point of VPN connection means collecting identity data from every user, globally, and storing or transmitting it through systems that have a documented history of being compromised.
Nineteen organizations, among them Proton VPN, Mullvad, ExpressVPN, and Tor, published a joint warning urging the government not to undermine the open web by restricting privacy-preserving technologies. The VPN Trust Initiative, an industry consortium, made a similar case in April, cautioning that framing VPNs as loopholes rather than security infrastructure exposes users - including children - to greater harm, not less.
Surfshark, a VPN provider and VTI member, put the technical dilemma plainly. Providers already prohibit under-18 users in their terms of service. But actually enforcing that prohibition at the infrastructure level leaves companies with two paths, neither of them good: build identity verification into services architecturally designed to do the opposite, or rely on third-party verification systems that have repeatedly proven vulnerable to breaches. Either option degrades the core security proposition of the product. NordVPN raised a related concern in March, noting that blocking VPN and proxy IP addresses in a specific jurisdiction - the approach Utah has adopted in the United States - is practically unenforceable, and would most likely result in providers age-verifying their entire global user base, subjecting millions of people to identity checks they have no legal obligation to undergo.
A Regulatory Tide With No Clear Shore in Sight
The UK is not acting in isolation. Utah recently became the first US state to impose VPN usage restrictions as part of its age verification framework. The European Union has signaled its intention to address circumvention of its own age verification infrastructure. The pattern suggests a coordinated, if uncoordinated, international drift toward treating privacy tools as vectors of risk rather than foundations of security.
What makes the UK's moment particularly significant is the framing. When Ian Cheshire - the government's nominee to chair Ofcom - described "the joys of VPNs" as "technical problems" during a recent parliamentary hearing, it revealed something about the default assumptions among senior regulators: that these tools are primarily obstacles to enforcement rather than infrastructure that millions of ordinary people depend on for security and privacy. That framing matters, because it shapes what solutions get proposed and which trade-offs get dismissed.
The DSIT consultation's own accompanying report acknowledges the need to balance enforceable content restrictions against the "legitimate and lawful use" of VPNs by adults - a recognition that the tool itself is not the problem. But the survey instrument reportedly described VPNs in terms of circumvention far more often than in terms of their privacy and security functions, which may influence how the results are interpreted and what policy directions they appear to support.
The consultation closes tonight. Its findings will inform decisions that could determine whether a technology relied upon by journalists, dissidents, remote workers, security researchers, and ordinary privacy-conscious citizens becomes subject to the same identity-verification regimes as age-restricted content platforms. For anyone with a view on that question, the window is measured in hours.
