Utah tells porn sites to take the P out of VPNs, and it's their fault that they can't

OPINION The terms "blindingly obvious," "logical consequence," and "that is not how it works" appear nowhere in the government handbook of internet legislation. In particular, the discovery that imposing age access controls on websites has pushed users to VPNs has come as a huge surprise to legislators in the UK, the EU, Canada, and Australia. Nobody here knows how old VPN users are, be they kids unwilling to lose access or adults unwilling to disgorge personally identifying data to who knows what. As they recover from this shocking discovery, these fine people are looking at ways to control VPNs, whether by adding age verification here too or by some magical "digital age of consent" technology that somehow evades the paradox that demanding more personal information in the name of safety itself reduces safety. Yet here, as in so many ways, the rest of the world is lagging behind America - more specifically, the great state of Utah, which has just enacted an anti-VPN law. This law makes it compulsory for any site that the state says needs age verification - porn, basically - to impose those checks on anyone physically in Utah whether or not they are using any VPN. Those would be the same VPNs whose sole purpose is to prevent the geolocation of their users. Which would seem, and is, another paradox. The only way to comply is to impose global age checks, effectively giving Utah worldwide regulatory powers. As there is no global standard for this, it's not a practical option. But then, there are no practical options to control VPNs, short of cutting off all internet access a la North Korea. Even China, the world's most effective cyber-authoritarian state and one which very much enjoys telling its citizens what to think, has to be very wary of putting the VPN screws on too harshly. The ground truth about VPNs is that if you allow people access to anywhere on the internet outside your direct control, they can access a VPN. Obvious vectors of denial, such as blacklisting VPN ingress or egress IP ranges, don't work for long. VPN operators are adept at moving these, and you can build your VPN infrastructure in the cloud, and there are plenty of stealth techniques. A VPN pipe looks to any router it traverses like an encrypted bitstream, which is to say like most internet traffic, and if you disguise the session establishment ports and protocols, it's HTTPS going about its lawful business. All this adds up to a landscape where hundreds of VPN providers are able to react to any official monitoring or clampdown in ways that leave them more resilient and more expensive to tamper with. China knows this, discouraging rather than preventing access altogether, and putting the squeeze on only briefly as occasion demands. The reason age verification works as far as it does for social and salacious media is that these are advertising-driven, which means having a commercial presence everywhere they have advertisers. That puts their cash flow at the mercy of local regulators, which is how the British pirate radio ships of the 1960s were closed down. They operated in international waters and couldn't be jammed, so the UK government made it illegal to advertise on them. VPNs take your money directly, so don't react to local edicts. Plus, even if none of the above were true, VPNs are so essential to enterprise security, and are so available as open source, that they could no more be banned or backdoored than, say, HTTPS. VPNs are bombproof, as far as sense extends. Which means attempts to bomb them into compliance or out of existence in a fit of epic fury will work as well on the internet as it does in the desert. Lots of collateral damage, not so much victory. This isn't an unalloyed good, as the consumer VPN market is far less competitive than it appears and there are plenty of questions about connections between those who control VPNs and various national security interests. A VPN service is literally a man in the middle you pay to use, and assigning trust is up to you. Freedom rarely comes for free, and it would be unwise to rely on any VPN you can't check out if you're doing anything that might summon the intelligence services. Most of us aren't, at least in the free world, at least for now. VPNs, for all their faults, remain a genuine and essential brick in our antisurveillance Lego set. It is very much in our interests that we aren't forced to disclose additional identifying data to them, and that they're not used as an excuse to effectively close down services and sites a particular state dislikes. The Utah law may yet fail on various grounds, as it has already been challenged in court - although given the way the American legal system is being stress-tested right now, this is harder to call than it should be. If it stands, then it will spread to like-minded states like butter across a hot pan. The obvious consequence will be that people move their attention to smaller, less savory sites more resistant to state interdiction. This will come as a surprise to nobody except the legislators. Outside the US, the progress of the Utah experiment will be watched closely by those who see VPNs as loopholes to be blocked. It's our job to demonstrate that VPN regulation would be counterproductive and dangerous, and that concentrating on reducing harm at source is better than forcing consumers to reveal ID and tampering with the infrastructure. (R)