The window for public input on one of the most consequential digital policy decisions Britain has faced in years shuts tonight. The Department for Science, Innovation & Technology's three-month consultation, "Growing up in the online world," officially closes at 11:59 pm on May 26 - and among its most contested questions is whether virtual private networks should require age verification before anyone in the UK can use them. The answer will shape not just children's access to the internet, but the privacy and security of millions of adults who rely on these tools daily.
How a Children's Safety Debate Became a Fight Over Privacy Infrastructure
VPNs were not, until recently, a subject of mainstream political debate in the UK. They function by encrypting a user's internet traffic and routing it through a server in another location, masking the user's real IP address in the process. This makes them indispensable for journalists, remote workers, dissidents, and anyone who needs to keep their communications private from third-party surveillance. The encryption alone is a fundamental security layer - without it, data transmitted over public or compromised networks is exposed to interception.
The political attention shifted last July, when VPN usage in the UK surged sharply after newly enforced mandatory age checks came into effect on certain platforms. Because a VPN can make a user appear to be browsing from a country without those restrictions, it became - in the eyes of some lawmakers - a tool for circumventing child protection measures. The problem is that spike in usage does not cleanly indicate who was doing the circumventing. Studies from groups including Childnet and Internet Matters suggest adults unwilling to share biometric data with age-verification services may account for a significant portion of that increase - not children seeking restricted content.
That distinction matters enormously, because it determines whether restricting VPNs would actually protect children or simply punish adults for declining to hand over sensitive personal data to commercial verification systems.
The Industry Has Spoken - and It Is United Against Age Gating
Rarely does the cybersecurity sector coalesce this clearly around a single position. Mozilla, the nonprofit behind Firefox and Mozilla VPN, issued a public statement warning that mandatory age verification for VPN access "would undermine the privacy and security of all users." The argument is structural: forcing every VPN user to prove their age requires building identity-verification infrastructure into services specifically designed to minimize data collection. That is not a technical refinement - it is a fundamental contradiction of purpose.
Nineteen organisations, including Proton VPN, Mullvad, ExpressVPN, and the Tor Project, submitted a joint appeal urging UK lawmakers not to restrict privacy-preserving technologies in the name of online safety. The VPN Trust Initiative, an industry consortium, warned in April that treating VPNs as loopholes rather than legitimate security tools could expose children to greater harms by pushing privacy-conscious users - including minors - toward less reputable, unvetted alternatives.
Surfshark, a VPN Trust Initiative member, made the technical bind explicit. Age-gating VPN services leaves providers with two options: embed identity checks into a product engineered to do the opposite, or rely on third-party verification services with documented records of security breaches. Either path weakens the very protections the tool is meant to provide. Surfshark also noted that its terms of service, like those of most established providers, already prohibit use by anyone under 18 - a fact largely absent from the political debate.
The Regulatory Trajectory Is Moving in One Direction
Whatever this consultation concludes, the legislative environment around VPNs is tightening. The Children's Wellbeing and Schools Act, which became law just weeks ago, includes a requirement for service providers to implement "reasonable anti-circumvention measures." The language is deliberately broad. At a recent Ofcom hearing, Ian Cheshire, the government's nominee to lead the communications regulator, described the circumvention capabilities of VPNs as "technical problems" - framing that suggests regulators view these tools primarily through the lens of enforcement, not privacy.
The international picture reinforces that direction. Utah became the first US state to enforce VPN usage restrictions as part of age-verification regulations - a development that illustrates the practical difficulty of such policies. NordVPN, responding to Utah's requirements in March, stated that blocking all known VPN and proxy IP addresses in a given jurisdiction is practically impossible. The only technically workable alternative is age-verifying every user globally, regardless of where they actually are - a step that would subject users worldwide to identity checks they have no legal obligation to submit to, simply because one state or country mandated it. The European Union has also signalled its intention to address circumvention of its own age-verification framework, suggesting this is a coordinated regulatory instinct rather than an isolated experiment.
What Comes Next - and Why It Matters Beyond the UK
The DSIT consultation was, in part, designed to prevent the blunter instrument proposed in December, when members of the House of Lords floated an outright VPN ban for children. That proposal was shelved in favour of evidence gathering. Whether the evidence gathered over three months is sufficient to resist political pressure for sweeping restrictions remains genuinely uncertain.
The core tension is not new to digital policy: legitimate safety concerns pulling in the direction of greater control, and privacy rights pulling in the opposite direction, with enforcement realities complicating both. Age-verification systems are not neutral. They require data collection, create honeypots for breaches, and disproportionately burden users who have the most to lose from identity exposure. At the same time, the concern that children are accessing harmful content online is neither fabricated nor trivial.
What the consultation has made clear is that treating VPNs as the problem misidentifies the mechanism. A VPN does not create harmful content - it obscures location. Restricting access to encryption tools to address a content moderation failure is, as the industry has argued consistently, a remedy that causes more damage than the condition it claims to treat. UK residents who wish to register a view before the consultation closes tonight can do so via the GOV.UK website. After midnight, that window is gone.
