Lawmakers Want To Ban VPNs—And They Have No Idea What They’re Doing
from the what-the-actual-fuck? dept
Remember when you thought age verification laws couldn’t get any worse? Well, lawmakers in Wisconsin, Michigan, and beyond are about to blow you away.
It’s unfortunately no longer enough to force websites to check your government-issued ID before you can access certain content, because politicians have now discovered that people are using Virtual Private Networks (VPNs) to protect their privacy and bypass these invasive laws. Their solution? Entirely ban the use of VPNs.
Yes, really.
As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN. The bill seeks to broadly expand the definition of materials that are “harmful to minors” beyond the type of speech that states can prohibit minors from accessing—potentially encompassing things like depictions and discussions of human anatomy, sexuality, and reproduction.
This follows a notable pattern: As we’ve explained previously, lawmakers, prosecutors, and activists in conservative states have worked for years to aggressively expand the definition of “harmful to minors” to censor a broad swath of content: diverse educational materials, sex education resources, art, and even award-winning literature.
Wisconsin’s bill has already passed the State Assembly and is now moving through the Senate. If it becomes law, Wisconsin could become the first state where using a VPN to access certain content is banned. Michigan lawmakers have proposed similar legislation that did not move through its legislature, but among other things, would force internet providers to actively monitor and block VPN connections. And in the UK, officials are calling VPNs “a loophole that needs closing.”
This is actually happening. And it’s going to be a disaster for everyone.
Here’s Why This Is A Terrible Idea
VPNs mask your real location by routing your internet traffic through a server somewhere else. When you visit a website through a VPN, that website only sees the VPN server’s IP address, not your actual location. It’s like sending a letter through a P.O. box so the recipient doesn’t know where you really live.
So when Wisconsin demands that websites “block VPN users from Wisconsin,” they’re asking for something that’s technically impossible. Websites have no way to tell if a VPN connection is coming from Milwaukee, Michigan, or Mumbai. The technology just doesn’t work that way.
Websites subject to this proposed law are left with this choice: either cease operation in Wisconsin, or block all VPN users, everywhere, just to avoid legal liability in the state. One state’s terrible law is attempting to break VPN access for the entire internet, and the unintended consequences of this provision could far outweigh any theoretical benefit.
Almost Everyone Uses VPNs
Let’s talk about who lawmakers are hurting with these bills, because it sure isn’t just people trying to watch porn without handing over their driver’s license.
- Businesses run on VPNs. Every company with remote employees uses VPNs. Every business traveler connecting through sketchy hotel Wi-Fi needs one. Companies use VPNs to protect client and employee data, secure internal communications, and prevent cyberattacks.
- Students need VPNs for school. Universities require students to use VPNs to access research databases, course materials, and library resources. These aren’t optional, and many professors literally assign work that can only be accessed through the school VPN. The University of Wisconsin-Madison’s WiscVPN, for example, “allows UW–Madison faculty, staff and students to access University resources even when they are using a commercial Internet Service Provider (ISP).”
- Vulnerable people rely on VPNs for safety. Domestic abuse survivors use VPNs to hide their location from their abusers. Journalists use them to protect their sources. Activists use them to organize without government surveillance. LGBTQ+ people in hostile environments—both in the US and around the world—use them to access health resources, support groups, and community. For people living under censorship regimes, VPNs are often their only connection to vital resources and information their governments have banned.
- Regular people just want privacy. Maybe you don’t want every website you visit tracking your location and selling that data to advertisers. Maybe you don’t want your internet service provider (ISP) building a complete profile of your browsing history. Maybe you just think it’s creepy that corporations know everywhere you go online. VPNs can protect everyday users from everyday tracking and surveillance.
It’s A Privacy Nightmare
Here’s what happens if VPNs get blocked: everyone has to verify their age by submitting government IDs, biometric data, or credit card information directly to websites—without any encryption or privacy protection.
We already know how this story ends. Companies get hacked. Data gets breached. And suddenly your real name is attached to the websites you visited, stored in some poorly-secured database waiting for the inevitable leak. This has already happened, and is not a matter of if but when. And when it does, the repercussions will be huge.
Forcing people to give up their privacy to access legal content is the exact opposite of good policy. It’s surveillance dressed up as safety.
“Harmful to Minors” Is Not a Catch-All
Here’s another fun feature of these laws: they’re trying to broaden the definition of “harmful to minors” to sweep in a host of speech that is protected for both young people and adults.
Historically, states can prohibit people under 18 years old from accessing sexual materials that an adult can access under the First Amendment. But the definition of what constitutes “harmful to minors” is narrow — it generally requires that the materials have almost no social value to minors and that they, taken as a whole, appeal to a minors’ “prurient sexual interests.”
Wisconsin’s bill defines “harmful to minors” much more broadly. It applies to materials that merely describe sex or feature descriptions/depictions of human anatomy. This definition would likely encompass a wide range of literature, music, television, and films that are protected under the First Amendment for both adults and young people, not to mention basic scientific and medical content.
Additionally, the bill’s definition would apply to any websites where more than one third of the site’s material is “harmful to minors.” Given the breadth of the definition and its one-third trigger, we anticipate that Wisconsin could argue that the law applies to most social media websites. And it’s not hard to imagine, as these topics become politicised, Wisconsin claiming it applies to websites containing LGBTQ+ health resources, basic sexual education resources, and reproductive healthcare information.
This breadth of the bill’s definition isn’t a bug, it’s a feature. It gives the state a vast amount of discretion to decide which speech is “harmful” to young people, and the power to decide what’s “appropriate” and what isn’t. History shows us those decisions most often harm marginalized communities.
It Won’t Even Work
Let’s say Wisconsin somehow manages to pass this law. Here’s what will actually happen:
People who want to bypass it will use non-commercial VPNs, open proxies, or cheap virtual private servers that the law doesn’t cover. They’ll find workarounds within hours. The internet always routes around censorship.
Even in a fantasy world where every website successfully blocked all commercial VPNs, people would just make their own. You can route traffic through cloud services like AWS or DigitalOcean, tunnel through someone else’s home internet connection, use open proxies, or spin up a cheap server for less than a dollar.
Meanwhile, everyone else (businesses, students, journalists, abuse survivors, regular people who just want privacy) will have their VPN access impacted. The law will accomplish nothing except making the internet less safe and less private for users.
Nonetheless, as we’ve mentioned previously, while VPNs may be able to disguise the source of your internet activity, they are not foolproof—nor should they be necessary to access legally protected speech. Like the larger age verification legislation they are a part of, VPN-blocking provisions simply don’t work. They harm millions of people and they set a terrifying precedent for government control of the internet. More fundamentally, legislators need to recognize that age verification laws themselves are the problem. They don’t work, they violate privacy, they’re trivially easy to circumvent, and they create far more harm than they prevent.
A False Dilemma
People have (predictably) turned to VPNs to protect their privacy as they watched age verification mandates proliferate around the world. Instead of taking this as a sign that maybe mass surveillance isn’t popular, lawmakers have decided the real problem is that these privacy tools exist at all and are trying to ban the tools that let people maintain their privacy.
Let’s be clear: lawmakers need to abandon this entire approach.
The answer to “how do we keep kids safe online” isn’t “destroy everyone’s privacy.” It’s not “force people to hand over their IDs to access legal content.” And it’s certainly not “ban access to the tools that protect journalists, activists, and abuse survivors.”
If lawmakers genuinely care about young people’s well-being, they should invest in education, support parents with better tools, and address the actual root causes of harm online. What they shouldn’t do is wage war on privacy itself. Attacks on VPNs are attacks on digital privacy and digital freedom. And this battle is being fought by people who clearly have no idea how any of this technology actually works.
If you live in Wisconsin—reach out to your Senator and urge them to kill A.B. 105/S.B. 130. Our privacy matters. VPNs matter. And politicians who can’t tell the difference between a security tool and a “loophole” shouldn’t be writing laws about the internet.
Republished from the EFF’s Deeplinks blog.
Filed Under: ab 105, age verification, harmful to minors, sb 130, vpns, wisconsin
Comments on “Lawmakers Want To Ban VPNs—And They Have No Idea What They’re Doing”
I'd like to add a 5th use case to your list
A fair number of people working with confidential data — medical, financial, etc. — bridge their physically distant networks via VPNs. Doing this with physical network infrastructure is prohibitively expensive; doing it with a VPN isn’t. One setup that I built links three sites hundreds of miles apart and presents a uniform virtual view of the network to the researchers at all three locations — everything just works, and thanks to judicious caching, it works fairly well even with non-local data.
I would have thought that the most likely entity wanting to ban VPNs would be the major domestic media companies in Canada. One of them, Bell Media, is on record as having called personal VPN use “stealing”.
LOL, good luck with that.
I have an idea. Let’s follow this story and when signed into law all of us who use VPN for whatever purpose let’s browse the WI.gov sites!
Don’t law makers in these states use VPNs to connect to their government network? Or do they not realize that.
Re:
Those laws only apply to public VPN. Your own private VPN is not subject to that law,so corporate and private VPNs are not subject to this.
I have a retirement nest egg I will cash out if this happens in California, which it might is the state goes GOP next year, which could happen, and then buy a condo in Ensenada, park a computer there with a VPN on it, and do it that way.
There is a condo in Ensenada right now for sale for $279k that is 2 bedrooms 2 bathrooms and 1050 square feet where I can get gigabit Internet and just log on to that if I want to use VPN.
If I need to go down there and do maintenance on the computer, Ensenada is only about 11 hours drive from here.
They can ban the service, but not the protocol and a home coputer in Mexico is not subject to any US jurisdiction even if the homeowner is a US citizen.
Just as a factual matter, the point about university VPNs is wrong. At Madison, for example, there are multiple routes to access licensed resources from off-campus: https://www.library.wisc.edu/help/off-campus-access/. And as a librarian at one of Madison’s Midwest peers, I can tell you definitively that they’re not unusual in that regard.
This only goes to show that these efforts aren’t actually about “protecting children”, but about banning porn (and not incidentally, imposing their own puritan definitions of ‘obscene materials’ as well).
Eh, that’s only partially true. A lot of sites (like Netflix) have started doing things like blocking known IPs of VPN services. It’s not foolproof, but it is a real problem.
The bigger problem of course being once they go after VPNs/providers of VPNs themselves, instead of trying to block it on the website side.
When things like VPNs start getting banned, it becomes a lot less trivial.
They’re both. That’s the point of privacy.
Re: Not merely partially true.
Knowing the IP address and location of a VPN provider’s server does not reveal the locations of the individuals using the VPN. All it tells you is that the traffic coming from the provider… is coming from the provider. Someone using the provider could come from Milwaukee or Mumbai, and the requests will look the same to a website, the same request coming from the same suspected VPN server.
Re: Re:
Sorry, I kind of mangled that first quote when trying to rewrite it in haste. I wasn’t trying to say that they can reveal your location of the user. You are correct, and I wrote that poorly.
Re:
If a provider is not in the United States, Amrican law does not apply to them.
VPNs could start accepting Bitcoins for payment so they do not know who is buying the service.
Michigan’s plan on jailing/fining VPN providers will not work because of this. Bitcoin is anonymous and does not have the name and address or who the customer is.
Re: Re: Straight Cash, Homie
You can mail an envelope of cash to Mullvad to pay for their VPN.
Re: Re:
The problem is they can still block VPN providers at the ISP level, or go after the sites for not blocking known uncompliant VPN IPs.
The VPN providers themselves are safe, and we’ll still have them, which is not nothing, But it doesn’t fix the issue for people in those states themselves.
It’s as if Reno vs. American Civil Liberties Union had never happened.
Re:
That one and Ashcroft vs. ACLU, thanks to FSC vs Paxton as I have just learned.
I wish every time politicians suggest stupid laws like this, all their internet traffic would magically appear for the world to see.
While they might not mind it showing what sites they visit, or emails show up at work. I promise you they will freak out when all their personal traffic starts showing.
We all know what they’re doing: what they’re told to do by their campaign donors.
What do surveillance and money have in common? Capitalism!
Reading the bills at the links provided, they aren’t banning VPN services in Wisconsin. The plain language of the bill states that porn sites need to age verify people geo located in Wisconsin and VPN or ban VPN. As already pointed out in a previous comment, Netflix already does this. No outrage there? The points you make about normal people not being able to function for privacy, business, school, etc do not apply here. VPN for non porn purposes won’t be going away in Wisconsin. To make such an inference is dishonest and you should be ashamed of yourself for doing so.
The far fetched argument of payment data being transmitted unencrypted is on its face, false. Any payment processed over the internet must be TLS 1.2 encrypted in transit and also encrypted at rest. Check the PCI DSS requirements for payment processors. Besides with the rise of let’s encrypt almost every single website on the internet is using TLS for encrypted traffic these days.
your 4th point about privacy is also garbage. If any VPN provider is served with a subpoena, you bet your ass they’re forking over the data. Many will even sell it just like your ISP. Some of the low rent or free providers will even go so far as to sell access to your real IP to shady actors. Go check some of those EULAs and then tell me if you are really better off using one of those services. Sure you can sort hide your location and some will even block some tracking mechanisms, but the cat and mouse game there is just like any other. The big three have a lock on collecting and selling your data to whoever will pay.
I am also willing to bet dollars to donuts most people won’t have the tach savvy to fully tunnel all their traffic such as DNS or use DNS over https. Even the most well versed individual in privacy on the internet will make mistakes. The only winning move is not to play.
Blocking VPNs and proxies can be done with services like blocked.com
WHen I had my online radio station and its associated website I had problems with one very problematic user who would bypass blocking of his ISP using a proxy or VPN.
That is all I could do because he was not breaking any laws either in Washington (where he lived at the time), in California (where my servers were) or in Australia (whee my station was).
In order to break the law in California, Washington, New SOuth Wales, or either US or Australian federal laws, you have to use an stolen or otherwise illegally ontained password, which he was not doing.
In order for it to be a felony in California, Washington, New South Wales, or either US or Australian federal law you have to have used a hacked, stolen, or illegally obtained password, which circumventing an IP ban list is not.
Since his actions did not break any laws anywhere in the USA or Australia, all I couuld do is use expensive services like blocked.com to keep him at bay.
Re:
So why did you need to block him if he wasn’t breaking any laws?
“The Net interprets censorship as damage and routes around it.” -John Gilmore
Give credit when you use someone else’s work and words.
When they are effective at anything technical, wake me up. Cryptocurrency laundromats are a much higher priority and cost billion$ in damages than little Suzy’s pink pony fetish.
Lenny Bruce went through all of this over half a century ago, yet a small segment of our population continue to DEMAND the “right” to unilaterally inflict their selective interpretation of poorly translated arcane documents upon us all. The REAL obscenity is that anyone goes along with their draconian horseshit.