Utah Wants Websites To See Through VPNs. That’s Not How VPNs Work.
from the security-theater dept
Utah has a long track record of short-sighted internet policymaking, but the latest example really does take things to a new level of stupid. As of yesterday, Utah’s “Online Age Verification Amendments” bill, Senate Bill 73, has taken effect. It is a piece of legislation that effectively tries to ban VPNs as a desperate attempt to stop people from bypassing the state’s already problematic (and likely unconstitutional) age verification requirements.
Signed by Governor Spencer Cox on March 19, the controversial law establishes that a user is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN or proxy to mask their IP address. It also prohibits covered websites from sharing instructions on how to use a VPN to bypass age checks.
We’ve been highlighting the various attempts to ban VPNs as short-sighted legislators fail to grasp how necessary they are for basic security. But, now, Utah has touched the stove and is going to find out what it feels like.
While an earlier version of the law would have simply held a provider liable for not doing age verification, the amended version says service providers have to determine whether the person is physically located in Utah — even if they’re using a VPN to appear to be from somewhere else:
An individual is considered to be accessing the website from this state if the individual is actually located in the state, regardless of whether the individual is using a virtual private network, proxy server, or other means to disguise or misrepresent the individual’s geographic location to make it appear that the individual is accessing a website from a location outside this state.
In short, the genius legislators in Utah have decided that websites should do the impossible: either block all access from VPNs or somehow magically “know” that users whose digital footprints suggest they’re connecting from outside Utah are actually lying about their location. That is, in any understanding of the law, an effective ban on VPNs, because the only way to deal with that would be to block off huge segments of IP addresses associated with known VPN servers.
Even worse, the law says it’s a violation to tell people how to protect themselves with a VPN, which seems like a First Amendment violation on its own (you can’t ban a service from telling users how to use another service):
A commercial entity that operates a website that contains a substantial portion of material harmful to minors may not facilitate or encourage the use of a virtual private network, proxy server, or other means to circumvent age verification requirements, including by providing:
(a) instructions on how to use a virtual private network or proxy server to access the website; or
(b) means for individuals in this state to circumvent geofencing or blocking.
Lia Holland at Fight for the Future pointed out the absurdity of this in a statement, noting that the logic of the bill doesn’t even survive a basic reality check:
This is the sort of slop that if you asked the chatbot whether or not its previous statement was accurate, it would apologize profusely. Why? Because you cannot require a website doing age verification to determine where someone using a reputable VPN is browsing from—this feat is literally impossible by design for even the best hacker.
Such language and lack of logic begs the question—do Utah lawmakers actually understand what a VPN is? Let’s set the record straight: VPNs are an essential tool for online privacy, security, and liberty that everyone from abuse survivors to small businesses use to keep themselves safe. VPNs do this by totally hiding where a person is browsing the Internet from. Thus, when a person is using a VPN, the website they are browsing definitionally can’t tell whether or not they are in Utah.
It’s fairly astounding the level of technological ignorance legislators will openly admit in their efforts to demand technology do the impossible. Insisting that VPNs need to be banned should be a disqualifier from holding public office.
EFF’s Rindala Alajaji notes that what Utah is demanding here is technologically incomprehensible:
Blocking all known VPN and proxy IP addresses is a technical whack-a-mole that likely no company can win. Providers add new IP addresses constantly, and no comprehensive blocklist exists. Complying with Utah’s requirements would require impossible technical feats.
The internet is built to, and will always, route around censorship. If Utah successfully hampers commercial VPN providers, motivated users will transition to non-commercial proxies, private tunnels through cloud services like AWS, or residential proxies that are virtually indistinguishable from standard home traffic. These workarounds will emerge within hours of the law taking effect. Meanwhile, the collateral damage will fall on businesses, journalists, and survivors of abuse who rely on commercial VPNs for essential data security.
Again, Fight for the Future explains the real impact of such a law:
Websites are left with three choices: either try to block everyone around the globe who’s using a VPN (which they can’t actually do), or require age verification for everybody in the world no matter if they’re in Utah, or censor all content that meets Utah’s nebulous “harmful to minors” standard for age verification.
Oh wait, there’s a fourth option: sue Utah.
Ignoring the law or suing the state appear to be the only rational responses.
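The trade-off EFF and Fight for the Future describe above, as an added example (not code from the article or from either organization): a site that sees only a source IP is scored under three policies. The addresses are RFC 5737 documentation ranges, and the geolocation table, blocklist, sessions and policy names are all constructed for illustration.

```python
import ipaddress

# Constructed data. Prefixes are RFC 5737 documentation ranges standing in
# for real networks; state labels are what an IP-geolocation lookup returns.
GEO_DB = {
    "192.0.2.0/24": "UT",       # Utah home ISP
    "198.51.100.0/24": "NV",    # commercial VPN exit, already on the blocklist
    "203.0.113.0/25": "NV",     # VPN exit added recently, on no blocklist yet
    "203.0.113.128/25": "CA",   # California home ISP (also hosts a residential proxy)
}
VPN_BLOCKLIST = ["198.51.100.0/24"]

# (description, state the person is physically in, source IP the site sees)
# The middle column is ground truth known only to this simulation.
SESSIONS = [
    ("Utah user, direct", "UT", "192.0.2.10"),
    ("Utah user, listed VPN exit", "UT", "198.51.100.7"),
    ("Utah user, unlisted VPN exit", "UT", "203.0.113.5"),
    ("Utah user, residential proxy", "UT", "203.0.113.200"),
    ("California user, direct", "CA", "203.0.113.201"),
    ("Nevada remote worker, listed VPN exit", "NV", "198.51.100.8"),
]


def geolocate(source_ip):
    """Return the state the geolocation table assigns to this IP, or None."""
    addr = ipaddress.ip_address(source_ip)
    for prefix, state in GEO_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return state
    return None


def on_blocklist(source_ip):
    """True if the IP falls inside a prefix the site already knows is a VPN."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p) for p in VPN_BLOCKLIST)


def decide(source_ip, policy):
    """Server-side decision. The source IP is the only input the site has."""
    if policy == "verify_everyone":
        return "verify"
    if policy == "geo_plus_blocklist" and on_blocklist(source_ip):
        return "block"
    if policy in ("geo_only", "geo_plus_blocklist"):
        return "verify" if geolocate(source_ip) == "UT" else "allow"
    raise ValueError(f"unknown policy: {policy}")


def evaluate(policy):
    """Count people in Utah let through unverified, and people elsewhere
    who were blocked or age-checked anyway."""
    missed = burdened = 0
    for _desc, true_state, source_ip in SESSIONS:
        outcome = decide(source_ip, policy)
        if true_state == "UT" and outcome == "allow":
            missed += 1
        elif true_state != "UT" and outcome != "allow":
            burdened += 1
    return {"missed_in_utah": missed, "burdened_elsewhere": burdened}


if __name__ == "__main__":
    for policy in ("geo_only", "geo_plus_blocklist", "verify_everyone"):
        print(policy, evaluate(policy))
```

In this constructed set the blocklist lowers the miss count only by also blocking the Nevada worker, and the miss count reaches zero only when everyone, everywhere, is age-checked.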
Age verification already has a long list of well-known problems, many of which put users at risk. An effective ban on VPNs just makes it that much more dangerous for anyone in that state to use the internet. The fact that they’re doing all of this under the pretense of “protecting” children, when the actual impact will put everyone at greater risk, is just the icing on the cake — performative headline-chasing dressed up as policy.
Filed Under: age verification, location, sb 73, security, utah, vpns


Comments on “Utah Wants Websites To See Through VPNs. That’s Not How VPNs Work.”
Surely we just need to put this in terms these people understand.
Flawed in many ways
Even without the pointless VPN request, IP geolocation data can be quite questionable.
I have seen some IP geolocation services offer data that is incredibly inaccurate, reporting an IP is used in a location thousands of miles from its actual location.
It is all just pointless. But, that is expected from the government, especially these days.
Re:
[insert evergreen “Conservatives are harmful to minors” joke here]
Re: Re:
The other truth that keeps getting said about this sort of thing is that a website having to shut down or block users is a feature not a bug. Utahn legislators aren’t interested in making sure the targeted websites can still operate.
Re:
“Even without the pointless VPN request, IP geolocation data can be quite questionable.”
That’s putting it mildly. Most geolocation data is horribly inaccurate, because it’s an attempt to layer geographic coordinates on top of a complex and rapidly-changing topology that wasn’t designed or built or intended to facilitate that.
It’s also horribly inaccurate because geolocation providers have zero economic incentive to even try to make it accurate. There was a recent discussion on NANOG where one of the morons who works for IPinfo (a) publicly confessed that they ignore some geofeed data provided by ISPs — you know, the people who are the authoritative sources for such data and (b) actually admitted that they’re compounding the blunder of (a) by using horribly broken metrics like RTT — which everyone knows has never worked, doesn’t work, and will never work.
They don’t care. As long as customers keep paying for bad data, they’ll keep deliberately creating and selling bad data. And the damage done to Internet users and Internet operations? Not their problem.
Re: Re:
One ISP I was on once had my geolocation data in Britain despite being in the USA so I had to use a VPN to bypass geo restrictions so I could watch Netflix.
It occurs to me that there is a way for websites to identify who’s visiting them, even if the visitor is using a VPN.
However, said method would be to install spyware on every device that visits said website, either surreptitiously or as a condition for entry, that ‘phones home’ with information about the device it’s on.
I’m not even going to think about how big a can of worms that would open.
Re:
you just described the next new OS! it will demand your government ID just to turn it on! you can thank CA. for that one! now we can only hope the courts see that one for what it is….
Re: Re:
That is why I intend to get the appropriate visas, buy a home in Baja and park a computer there with a VPN on it so then I can download an OS that does not do that.
There is no law that makes circumventing geoblocking a crime
Re: Re:
And someone will come out with a crack to bypass that.
Re: Re:
If the os maker is not in the united states, they are not subject to that law
Re:
And watch gps jamming take off. As long as you do not use too much power nobody will ever know
Re: No spyware.
Just have the app ask for location information and pass it along. Lots of apps do that.
“An individual is considered to be accessing the website from this state if the individual is actually located in the state, regardless of whether the individual is using a virtual private network, proxy server, or other means to disguise or misrepresent the individual’s geographic location to make it appear that the individual is accessing a website from a location outside this state.”
My eyes are bleeding and my brain hurts after reading that head twister nonsense.
You should probably highlight all the European countries proposing the same thing.
Re:
At this point, that would almost require its own dedicated website to track that lunacy.
Re:
The EU version is arguably worse, because it pertains to their development of an age verification app, effectively making it possible to age-gate every website deemed controversial.
Not to mention that the app was recently noted to be “ready for rollout”, and then cracked in two hours when given to security experts to test.
User: What is VPN?
Website: VPN allows you to hide your real identity on any website and bypass most restrictions. So don’t use them because it’s bad.
User: Whoa, VPN seems so cool!
Maybe a government with freedom of speech guarantees will make a service that anyone can download and use to get around this farce.
Until a lawsuit enjoins it of course….
Re:
I made an ambiguous statement. I expect the Utah law to be enjoined, and for Tor to continue to be available.
I think the fact that the law exempts no log VPNs is a small feature that would be a convenient side effect if the law wasn’t going to be enjoined.
Re: Re:
If the vpn company pulls all its servers out of the usa and has no assets here, they do not have to comply with American laws.
Re: Re:
It looks like they took that non knowledge provision out of it before it was passed. I guess I looked at an old criticism of the bill.
I propose we make illegal for lawmakers to not know every constituent by name.
Hey hackers.
Please hack into the republicans likely already malware ridden computers and get their ips registered as vpns.
That's a nice website you've got there, it'd be a shame if something happened to it
An inability to follow the law is a feature, not a bug. A government’s only power is to crack down on crime, a law which can actually be followed is consequently mostly useless to a government.
The only good laws for such a government are those which cannot be followed or interpreted or even enforced; once everyone is a criminal the government has free rein to punish anyone they dislike and reward anyone they do.
Excusing their actions as “ignorance” is only believable if that ignorance hurts them as often as it helps. That the ignorance is somehow always beneficial to the government is the result of malice.
The quoted section doesn’t actually say anything about having to determine whether they’re physically in Utah? Outside of the issues with age verification in general, this new wording doesn’t seem notably worse than the old one
Re:
Read that section in the greater context of the rest of the bill.
Re:
The law states that they must perform age verification for individuals “in this state”. The quoted section defines “individuals in this state” as anyone physically located in the state, regardless of whether they’re using a VPN to make it appear as if they’re not located in the state.
How can websites possibly comply with the law without determining whether a given user is physically located in the state?
Re: Re:
I mean, they can’t. But I think they were just as screwed with the old version? It was also broken, I don’t think they were off the hook if someone used a VPN with the old bill.
I’d call it a “clarification” rather than a new requirement, but you can’t really clarify something that’s impossible to comply with.
Re: Re:
Perform age verification for everybody. Like how many sites have already become inaccessible to people using Tor, because the operators just don’t give a shit about collateral damage.
When the eff website covered it, eff claimed the service has to have actual knowledge that the user is in utah. No log vpns that don’t match billing addresses with logins would be exempt.
Re:
The eff post was about an old version I guess. They passed an impossible mandate and probably know it.
Be interesting to see how they ban Tor…
Insofar as the stuff quoted here is concerned it seems to be saying that ‘well I was using a VPN so I was technically accessing this stuff from Italy’ isn’t a defence against it.
fifth option
block all traffic from Utah
Re:
The rich can easily bypass that by getting the visas to buy a home in Baja and park a computer there with a VPN on it. Baja is no more than 3 days drive from Utah.
I believe it is possible
I am not condoning this or saying it is a good idea but a website could have a script/code that used the Location information from the phone/computer to determine location. Much like the maps apps do. Now it would require the user to give the browser permission to get that information. And the browsers would have to indicate they want permission to access location information. So it is technically possible for a website to determine location of users, but not very likely it would be successful.
Re: No. This isn't possible.
First, you’re presuming that all browsers will run arbitrary — or any — scripts. They won’t. They don’t.
Second, you’re presuming that all browsers can query the operating system to discover the device’s location. They can’t. They won’t.
Third, you’re presuming that even if the browser will run such a script and even if the operating system will provide an answer, that the answer is accurate/truthful. But it may not be. (In my case, it’s not: I’ve configured the OS installations on all my laptops to return locations selected at random from a library of about 3,000.)
Fourth, even if all of this worked: “where the device is” does not necessarily equate to “where the user is”. I’m about 2700 miles from the computer I’m typing this on: it’s at home, I’m traveling, and I’ve remotely tunneled into it. There are all kinds of scenarios/methods that involve people originating traffic from a system they’re nowhere near.
Fifth, you’re presuming that “web == Internet”. There are all kinds of services that run on the Internet and have nothing to do with the web. To be fair, this is a very, VERY common mistake among Internet novices: the web is pretty much all they know, so they assume that’s all there is.
Bottom line: nope. Trying to impose geography on a complex, dynamic topology like the Internet is never going to work — not really. Yes, in some cases it’ll accidentally be right, but there are a large and increasing number of cases where it’ll never be right.
Re: Re: I think you read too much into my comment.
I was not presuming anything. Simply stating that it is technically possible to determine where a website visitor is, even if they are using a VPN. As long as it is “possible” then Utah has a leg to stand on when saying you need to do it.
I did state that it would require the user to be using a browser that allowed for querying the location, and the user to have given it that permission.
I don’t know about you, but I have run across websites that required certain browsers. I have run across websites that checked for the ability to do certain things and when they could not declined to properly display. Not saying I like it. Not saying it is something they should do. But it is something that happens.
So it is certainly possible that a website could have code/script that checks location in a certain way and if you do not allow it then they refuse to let you on.
There are websites now that if you visit them a dialog comes up stating “your state is requiring age verification” and directing you to how to do it. Not sure how many false positives they get. Doesn’t matter if they can show the people in charge they are trying.
Don’t agree with it. Think it causes all kinds of problems, many of which have been discussed on this website.
But for people to say it is technically impossible is just plain wrong. They don’t have to be perfect, just good enough.
Re: Re: Re:
It takes two steps to bypass. A vpn/proxy to a location with no age gate law that can see you’re from Utah connecting to a second vpn/proxy that goes to the website. The second vpn/proxy can only see the location information sent by the first vpn/proxy.
These services are available for free.
Right now I have an oppressive corporate firewall/censorship apparatus that I am stuck behind (kind of… I have found numerous ways to bypass it but it tries to block all kinds of things and crashes browser sessions in which it detects connections to sites/services the corp doesn’t approve of.)
I am not their employee and have no contractual obligation to put up with their bullcrap. I use Cloudflare to get around the corps dpi and free opera vpn (which is actually an encrypted proxy) to get around what Cloudflare tries to block, since it blocks its own services for a fee to sites that want to block bots and possibly censors things for foreign governments.
If one of those starts failing I can still use tor or install software that obfuscates the information on the connection, specifically to bypass the DPI that the corporate censorship device relies upon.
If all that fails, which it won’t, I will have to turn on the data connection on the phone, but that is less fun.
Re: Re: Re:2 Not sure the confusion.
You are considering the option where your IP address is used to determine location. And you are correct that can be spoofed. But there is a way for an app to determine your location other ways. I don’t think the MAP apps used your IP to figure out where they are. They use Location Services (more familiar with apple). The Maps app can see your location even if you are connected to a VPN, because it uses information local to the device to get that. Is the fact that Google Maps gets your location from the phone spyware? Of course not. When installed you are informed it will want location information and you approve it. Meta could do the same thing with the Facebook app. It could ask your location. And then send that location to check some things. If you don’t want to give it your location then they might just not work, tell you to use something else. They could also have the website do the same thing. Not check back at the server, but check on the device. If I look through my phone and Location Services, I see a couple browsers that have requested that information. I denied it but they asked. Would be possible for the site to indicate they cannot get location so will not allow me in.
And I do know there are ways to fool the phone into thinking it is somewhere else. But when you do that lots of other things you might want to use break. So only someone hardcore trying to hide their location would probably do that. Not the casual user.
I am just pointing out that technically it is possible to determine your location in an app even if using VPNs. So if it is possible, then Utah will feel they can demand it. No matter how stupid it is.
So to recap, Meta apps can request location information. That information is not affected by VPNs. They can send that location information to the server for further instructions. Websites can do the same thing by using the Location Services on the device regardless of how many hops/relays they are going through.
Re: Re: Re:3
I hate walled garden business models. I have foss on my Android device for most of my app usage. I also downloaded several app stores for variety. If you are stuck in a walled garden with a suable corporation vetting all programs allowed to run on the device it might work, until the user decides to jailbreak the device.
I would refuse an Apple device even if someone tried to give me one as a gift. The corporations you mentioned largely don’t run adult websites and don’t have to do anything in response to Utah’s law.
Re: Re: Re:4 I think you may be wrong
Those websites certainly do have to worry. The law is about “protecting the children”. And some want to protect them from what they are finding at facebook/tiktok/instagram etc. So they have to worry about keeping minors off their sites or curating what they have access to. This is not about porn.
And this has nothing to do with walled gardens. This has to do with an app deciding it should only be accessible to certain people depending on where those people are. Has nothing to do with Apple or Google or IOS or Android. Has to do with the apps/websites.
Re: Re: Re:5
… Ughhhh… That’s Not How Internet Technology Works
lol… sorry…
Re: Re: Re:6 ?
What part do I have wrong?
Is it not true that apps can determine location of the device they are running on, regardless of internet connection?
Is it not true that the law applies to companies/websites, not the Internet as a whole?
And TBH I do know a little about how the internet works. I was involved with it when it was still arpanet/nsfnet, before the thing you know as the internet was operating.
Re:
It would take an overhaul of the entire global internet to make those signals mandatory. Foreign countries aren’t going to do it for Utah and I don’t think the federal government will either.
Re: Re: Mandatory?
Don’t have to be mandatory. Website just has to indicate that THEY require access to your location. If you don’t want to give your location, visit a different site. I mean some websites used to not let you in if you did not have Internet Explorer. lol
Re: Re: Re:
I doubt porn websites are incorporated in Utah… or VPN providers, especially since Utah has decided to be hostile to privacy now.
Utah needs to convince people in countries with different laws, and countries without extradition agreements, and from states with different laws to cooperate with them and they won’t. (Maybe other US states would cooperate with them and maybe not. If they try to force it on other states Utah will probably have a dormant commerce clause claim against them and they have a good chance of losing for trying to regulate interstate commerce)
Re: Re: Re:2 Other states and countries?
Utah will go after the companies. You know, Meta, Tiktok, Youtube (Google). Not after the states where they are incorporated. They will just tell Meta you need to do this. We don’t care how. But we believe it is possible. And technically it is. I mean, can’t the maps apps tell where you are even if you are connected to a VPN?
Re: Re: Re:3
Telling the engineers to nerd harder and do our bidding makes us want to rebel.
Re: Re: Re:4 I agree
But does not stop the people passing laws from trying it. lol I mean they look at all the tech groups gushing about AI. So they can build a system that catches and diagnoses cancer and disease better than doctors. Can solve math problems that have been around for years. But you cannot keep a kid from accessing stuff that will lead to his death. Sure buddy.
That is the mindset. I am one of the nerds. I know some things are just hard. Some impossible. But I don’t pass laws and they don’t seem to want my opinion.
Re: Re: Re:4
Also it’s not possible… That’s not how internet technology works. Utah wants to demand computers cease being turing complete like the copyright people did after Napster got shut down and grokster immediately popped up.
Re: Re: Re:5 Please explain
What you think is not technically possible? An app using location services? An app/website requiring users to be logged in?
I don’t agree with this BS. I think it puts requirements on people that should not be there. I am not for the morality police.
The argument I have been making is not that it is OK. Just that it is technically possible. And if the companies try to say it is not possible they will be pointed to apps that do determine location. They will point out that Facebook can cut off anonymous access and require users to login.
The big companies can support this nonsense. Might even help them.
Re: Re: Re:6
Being Turing complete means that given infinite time a Turing complete machine can do the calculations of any other Turing complete machine. Since modern computers are Turing complete it is somehow possible to compute the information for any location that can be computed and sent along as packets on the network. Maybe a hypervisor or sandbox is necessary. Maybe an online spoofing service. You would need to vet all code running on the device to prevent a workaround and vet all external services the device connects to for enforcement.
Oops...
Expect immediate visits from the Utah Morality Police to inspect your computer. I can imagine that having traces of any VPN ever having been near your system will be prosecutable. Have the TOR browser? – straight off to the Provo maximum-security reeducation camp for you and no appeals possible.
Re:
Then have a car fast enough to outrun them. The Cadillac CT6 with the turbocharged V8 can do 196 miles an hour. The Utah highway patrol does not have anything that fast.
Then you buy one of the radio jammers I saw once on the dark web that puts out power and shuts down their radio network so backup cannot be called.
Re:
It is most correct that residential VPNs are undetectable.
With a similar law coming in 2027 to California I am already looking at getting a resident visa in Mexico, buying a home there, and parking a computer there with VPN software installed where I can connect to that when operating system makers start having to geoblock California.
Using a VPN on a home computer in Tijuana or Ensenada to do that does not break any California or federal law.
Just like when I went to Great America and the hotel I stayed at jammed cell phones and forced people to use the in-room phone and pay $7.95 for a local call.
While they blocked the wifi calling from my cell provider I logged on to the VPN on my home computer to get past their blocking of wifi calling.
Bypassing that and saving money did not break any laws. Bypassing network filtering did not break any laws at either the state or federal level.
Re:
Then you have a fast car like a cadillac ct6 that could outrun every cop in Utah with its 196 mph top speed
Then you buy a jammer I saw once on the dark web with 94 watts output that could jam their radios and prevent them from calling in backup.
Information is protected speech so making information on using VPN illegal does violate the 1st amendment
Just like in usenet newsgroups in 2008 when someone posted information for dual citizens of the US and Australia to travel to cuba and evade the travel ban on which flights to take to avoid a us connecting city one person claimed providing that information was a crime when it is not
Merely providing information is protected speech
With the online safety act in Britain the pirate IPTV service I subscribe to has moved its operations to the Seychelles where British law does not apply.
Because of the 4500 porn channels out of about 140000 total channels they moved their operations there.
Good luck to Utah ever enforcing that in the Seychelles. American and British laws do not apply in the Seychelles.
That site only has to follow Seychelles law. Michigan’s proposed porn ban will not apply in the Seychelles if it is passed.
Websites in the seychelles are not subject to any American or British laws