Utah Wants Websites To See Through VPNs. That’s Not How VPNs Work.
Utah has a long track record of short-sighted internet policymaking, but the latest example really does take things to a new level of stupid. As of yesterday, Utah's "Online Age Verification Amendments" bill, Senate Bill 73, has taken effect. It is a piece of legislation that effectively tries to ban VPNs as a desperate attempt to stop people from bypassing the state's already problematic (and likely unconstitutional) age verification requirements.
Signed by Governor Spencer Cox on March 19, the controversial law establishes that a user is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN or proxy to mask their IP address. It also prohibits covered websites from sharing instructions on how to use a VPN to bypass age checks.
We've been highlighting the various attempts to ban VPNs as short-sighted legislators fail to grasp how necessary they are for basic security. But, now, Utah has touched the stove and is going to find out what it feels like.
While an earlier version of the law would have simply held a provider liable for not doing age verification, the amended version says service providers have to determine whether the person is physically located in Utah - even if they're using a VPN to appear to be from somewhere else:
An individual is considered to be accessing the website from this state if the individual is actually located in the state, regardless of whether the individual is using a virtual private network, proxy server, or other means to disguise or misrepresent the individual's geographic location to make it appear that the individual is accessing a website from a location outside this state.
In short, the genius legislators in Utah have decided that websites should do the impossible: either block all access from VPNs or somehow magically "know" that users whose digital footprints suggest they're connecting from outside Utah are actually lying about their location. That is, in any understanding of the law, an effective ban on VPNs, because the only way to deal with that would be to block off huge segments of IP addresses associated with known VPN servers.
Even worse, the law says it's a violation to tell people how to protect themselves with a VPN, which seems like a First Amendment violation on its own (you can't ban a service from telling users how to use another service):
A commercial entity that operates a website that contains a substantial portion of material harmful to minors may not facilitate or encourage the use of a virtual private network, proxy server, or other means to circumvent age verification requirements, including by providing:
(a) instructions on how to use a virtual private network or proxy server to access the website; or
(b) means for individuals in this state to circumvent geofencing or blocking.
Lia Holland at Fight for the Future pointed out the absurdity of this in a statement, noting that the logic of the bill doesn't even survive a basic reality check:
This is the sort of slop that if you asked the chatbot whether or not its previous statement was accurate, it would apologize profusely. Why? Because you cannot require a website doing age verification to determine where someone using a reputable VPN is browsing from - this feat is literally impossible by design for even the best hacker.
Such language and lack of logic begs the question - do Utah lawmakers actually understand what a VPN is? Let's set the record straight: VPNs are an essential tool for online privacy, security, and liberty that everyone from abuse survivors to small businesses use to keep themselves safe. VPNs do this by totally hiding where a person is browsing the Internet from. Thus, when a person is using a VPN, the website they are browsing definitionally can't tell whether or not they are in Utah.
It's fairly astounding the level of technological ignorance legislators will openly admit in their efforts to demand technology do the impossible. Insisting that VPNs need to be banned should be a disqualifier from holding public office.
EFF's Rindala Alajaji notes that what Utah is demanding here is technologically incomprehensible:
Blocking all known VPN and proxy IP addresses is a technical whack-a-mole that likely no company can win. Providers add new IP addresses constantly, and no comprehensive blocklist exists. Complying with Utah's requirements would require impossible technical feats.
The internet is built to, and will always, route around censorship. If Utah successfully hampers commercial VPN providers, motivated users will transition to non-commercial proxies, private tunnels through cloud services like AWS, or residential proxies that are virtually indistinguishable from standard home traffic. These workarounds will emerge within hours of the law taking effect. Meanwhile, the collateral damage will fall on businesses, journalists, and survivors of abuse who rely on commercial VPNs for essential data security.
Again, Fight for the Future explains the real impact of such a law:
Websites are left with three choices: either try to block everyone around the globe who's using a VPN (which they can't actually do), or require age verification for everybody in the world no matter if they're in Utah, or censor all content that meets Utah's nebulous "harmful to minors" standard for age verification.
Oh wait, there's a fourth option: sue Utah.
Ignoring the law or suing the state appear to be the only rational responses.
Age verification already has a long list of well-known problems, many of which put users at risk. An effective ban on VPNs just makes it that much more dangerous for anyone in that state to use the internet. The fact that they're doing all of this under the pretense of "protecting" children, when the actual impact will put everyone at greater risk, is just the icing on the cake - performative headline-chasing dressed up as policy.