Children’s Commissioner calls for VPN sign-ups to be age verified

The Children’s Commissioner Dame Rachel de Souza has told BBC Newsnight that she believes VPNs should be required to verify the age of anyone subscribing to their service. This follows the massive uptake of VPN services following the Online Safety Act’s age verification requirements kicking in. The website 4chan yesterday told Ofcom where to stick it, in in an all American way.

In a draft report launched today, the Commissioner calls for VPNs to be age gated.

“The Act provides powers to limit children’s access to pornography [..] The problem is that [..] there will always be ways around measures which limit access. [..] The office is concerned that even with the new rules, users will be able to circumvent restrictions through the use of Virtual Private Networks (VPNs). Within a day of the new rules being in place, VPN use in the UK was platformed as an easy work-around.”

Draft Report, The Children’s Commissioner

This is very true, but we’re not aware of evidence that children are using VPNs to work around age restrictions. We would expect the vast majority of these to be adults who are legally entitled to access such content, but would not wish to sacrifice/risk their identity through use of age verification services. We covered the privacy risks extensively in our previous article.

The VPN use was very foreseeable and the fact we are now seeing calls for more regulation of VPNs is a reactionary response by those who fail to understand how technology works. You could ban VPNs entirely and it wouldn’t stop VPNs from being used.

Furthermore, there are many workaround that are not VPNs. Whilst we won’t provide specific instructions, your friendly AI (or even many technically aware ten-year-olds) will be able to help you bypass such restrictions using proxy servers you can set up yourself outside the country (which aren’t VPNs).

Putting aside the limitations of filtering in any case, we believe that the best place to filter content is the device itself. If the government engages with major OS manufacturers like Microsoft, Apple and Google (an we stress engage and not threaten; this should be a positive tool for them to help their customers), there could be good stronger parental control systems built into ‘child safe’ devices by default. Responsible adult content websites would welcome working with an easy system which could be used in many countries but which doesn’t introduce privacy risks for lawful users.

Of course, some kids will find jail breaks of those devices, or install Linux on a Raspberry Pi or similar and maybe one day we’ll end up with ‘USB sticks’ with unrestricted OSs being shared in playgrounds. Policy-makers should be fully aware that technically restricting access is a very limited use case which primarily prevents incidental access rather than stopping the determined. The complications caused by DNS over HTTP (DoH) etc. will also affect many existing systems used to limit access.

The reality is that those who want to protect the children have noble aims, but very little insight into how technology works. It would make more sense to try to work co-operatively with the wider tech community to solve this issue than to make generic recommendations with very negative side effects.