Nineteen organisations, including Proton, Mozilla, the Tor Project, and the Electronic Frontier Foundation, published an open letter on Tuesday calling on UK policymakers to abandon what they describe as "blunt policy interventions" that risk undermining the fundamental architecture of the internet. The letter comes days after the Children's Wellbeing and Schools Act passed into law, introducing sweeping new online restrictions for young people - and raising urgent questions about the future of privacy tools used by millions of adults.
What the New Law Actually Allows
The Children's Wellbeing and Schools Act grants the Secretary of State authority to compel internet service providers to prevent or restrict children's access to specific online services and functionalities. The scope is broad: screentime limits, location tracking restrictions, and more could all fall within its reach. Critically, the Act also requires service providers to take "reasonable anti-circumvention measures" - language that directly implicates VPNs, encrypted browsers, and other privacy-preserving technologies.
The legislation is positioned as a child safety measure, and the intent behind it is not in dispute. What is in dispute is whether the methods it authorises are proportionate, effective, or safe. Privacy and digital rights organisations argue the law addresses symptoms rather than causes. Their position is that the internet would better protect children if online services were required to design for children's rights and interests by default - rather than imposing access restrictions that affect everyone.
The Age Verification Problem
A central mechanism underpinning the online restrictions is age verification - the requirement that users prove they are old enough to access particular services. The coalition's open letter identifies a core technical dilemma: the tools that exist to verify age are either too inaccurate to be meaningful, or they require users to submit personal and biometric data that creates serious privacy and security risks.
Mass age verification systems generate centralised databases of identity information. Such databases are high-value targets. A breach does not merely expose an email address - it can expose browsing habits, health queries, and personal interests tied directly to verified identities. The concern is not hypothetical. Major data breaches affecting platforms with identity-linked accounts have occurred repeatedly across the industry.
Beyond security, the signatories warn that age verification mandates could entrench the market dominance of large technology companies. Smaller services and independent platforms often lack the infrastructure to implement compliant verification systems. The result, critics argue, would be a web progressively consolidated around a handful of corporations capable of absorbing compliance costs - an outcome that runs counter to the open-web principles the letter defends.
These concerns have been building for some time. In March 2025, more than 400 scientists called for a pause on mandatory age verification until there is scientific consensus that such systems do not produce greater harm than they prevent. Proton's CEO Andy Yen, writing the same week the Children's Wellbeing and Schools Act became law, described the global push for age verification as "the death of anonymity online."
The VPN Question Remains Unresolved
During parliamentary debate on the bill, the House of Lords considered an outright ban on children using VPNs. That provision did not survive into the final text. But the question has not been settled - it has been deferred. The UK government has launched a national consultation on online harms, open until May 26, 2026, which explicitly considers whether VPN access should be age-restricted if these tools are found to undermine safety protections.
VPNs occupy an awkward position in this debate. They are characterised by some policymakers as circumvention tools - a loophole through which children bypass age checks. Privacy advocates counter that this framing misrepresents what VPNs actually are. A virtual private network encrypts internet traffic and masks a user's IP address. These are defensive functions. Journalists, activists, whistleblowers, domestic abuse survivors, and ordinary users rely on them to protect themselves from surveillance, data harvesting, and targeted attacks. Restricting them does not make the internet safer - it removes a layer of protection from people who depend on it.
The VPN Trust Initiative made exactly this argument on April 23, warning UK lawmakers that restrictions on VPN use could expose children to greater harms rather than fewer. Mozilla has indicated it will publish a formal response to the consultation in the coming days.
A Wider Pattern Worth Watching
The UK is not acting in isolation. Age verification and online access restrictions for minors have become a recurring policy response in multiple jurisdictions, driven by legitimate concern over the documented effects of certain online environments on young people's mental health and development. The instinct to act is understandable. What the coalition of signatories is asking - with some urgency - is whether the specific mechanisms now being adopted in the UK will produce the outcomes promised, or whether they will instead shift risk onto different populations without addressing the underlying design failures of the platforms in question.
That is not a rhetorical question. It is the central tension in digital policy right now, and it has no easy answer. What Tuesday's open letter establishes clearly is that the privacy and digital rights community intends to make its case loudly, and with considerable institutional weight, before the consultation closes.
