UK privacy groups warn ministers: age-gating VPNs would weaken security, not stop kids
A coalition letter urges the UK to drop VPN restrictions ahead of a new under-16 social media ban.

Mozilla, Proton, Tor, and other privacy organizations have urged UK ministers to rule out age verification and other restrictions on VPN services in a letter published Tuesday. The push matters because regulators preparing tighter online-safety rules may otherwise undermine privacy protections for millions.
On Tuesday, an open letter from more than 20 privacy, browser, and VPN organizations landed with a clear message for UK ministers: hands off VPNs. The signatories, including the Open Rights Group, Electronic Frontier Foundation, ExpressVPN, Internet Society, Mozilla, Mullvad, Proton, and the Tor Project, argue that restricting VPNs, especially through age-gating, would weaken online security while doing little to stop children from dodging social media bans.
The headline version of their case is blunt. They want ministers to rule out “age verification and other restrictions on VPN services,” and they say requiring users to prove their age would force everyone to surrender sensitive personal information just to access tools that are designed to protect privacy. The letter frames VPNs as broad infrastructure, not a niche workaround, pointing to users across categories: businesses, journalists, abuse survivors, and ordinary people protecting themselves on public Wi-Fi. If that framing holds, age-gating VPNs becomes a policy with a huge collateral impact and a questionable benefit.
This is not the UK policy debate that only ever lives in legal documents. Mozilla, for example, spent much of spring arguing that ministers were chasing the wrong target. In that earlier push, Mozilla warned that breaking VPNs would do little to fix Britain’s age-check problem while making the internet less private and less secure for everyone else. Tuesday’s letter suggests the coalition thinks that prediction is still the correct lens: fix enforcement and platform behavior, not by adding friction to privacy tools used by far more than the “kids looking for loopholes” story.
Timing matters because the intervention arrives as ministers prepare to introduce a ban on social media for under-16s. Critics often assume VPNs are the straightforward escape hatch, a way for minors to get around age gating and keep using platforms that are supposed to be off-limits. The coalition argues the evidence does not support that narrative the way policymakers might fear. The government’s own research, as cited by the letter, suggests about one in four 11 to 17-year-olds say they used a VPN, but only 7 to 10 percent used it to bypass age checks. In other words, the majority of VPN use in that age range is not about defeating age verification, and “Most simply lied about their age instead.” That distinction is the whole policy argument: if lying about age is the dominant mechanism, restricting VPN access may not close the gap.
The letter also leans on Ofcom figures to challenge how policymakers interpret the “VPN loophole.” It says Ofcom research found that only around 3 percent of children used VPNs to access content meant for older audiences. To underscore how kids might get around restrictions even when VPNs are regulated, the letter points to evidence from Australia, stating that children are much more likely to bypass age checks by not being asked, giving false information, or even drawing on a “mustache.” The point for ministers is not that age-gating never matters. It is that forcing identity proofing at the VPN layer may create a new privacy and security problem for a large population while leaving the core workaround dynamics largely intact.
If you are an executive or board member watching this, there is a second-order risk in how these debates tend to spread. Once regulators decide privacy tools are the weak link, policy can drift from “target abuse” to “mandate identity.” That creates compliance work, data minimization pressure, and reputational risk for companies that sell privacy and security products. It can also alter platform incentives. When an enforcement regime assumes VPNs are the loophole, organizations may design guardrails that treat privacy services as suspicious infrastructure rather than essential safety tooling.
The coalition argues for a different hierarchy of causes: tackle what it describes as the “root causes of online harms,” rather than requiring VPNs to be behind age checks. It points to alternatives like strong enforcement of platform obligations, better parental controls, investment in digital literacy, and privacy-by-design requirements. That framing is important because it shifts VPNs from being a compliance bottleneck to being a part of the safety stack. From a business perspective, that can also influence customer expectations. If regulators build rules that force VPN providers into identity verification or sensitive data collection, users who need privacy for legitimate reasons, including abuse survivors and people on public Wi-Fi, may reassess what “safety” means.
Whether the government is persuaded may come down to a choice of interpretation. Does the UK view VPNs as a niche loophole used by a small minority of teenagers, as the cited research suggests? Or does it treat VPN access as the next obstacle in its online safety agenda? For decision-makers, the strategic takeaway is not simply “regulation good” or “regulation bad.” It is that policy design that targets a tool used by many can produce outsized unintended consequences. For executives in cybersecurity, consumer privacy, and platform policy, this letter is an early signal that the regulatory battlefield may move from social media age rules into the privacy infrastructure layer. And if that happens, boards will want to be ready for compliance and product implications that go beyond the obvious target market.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Science
Hawaiian hotspot warmed 250°C in 47 million years, flipping the hotspot cooling rule
A new study led by University of Hawai'i at Mānoa says the Hawaiian plume got hotter, not cooler, over time.
Underwater mics in Japan Sea bays log dolphin visits about every ten days
New acoustic monitoring links resident reports to how often dolphins show up, filling a long blind spot for ecology.

Aug. 12, 2026 flips skywatching: total eclipse Greenland/Iceland/Spain, deep UK partials
A single date delivers a solar eclipse, Venus at dichotomy, and the Perseids peak, with timing by region.

