Age verification creates a bifurcated internet
Last week, the United Kingdom’s Online Safety Act went into effect. This law empowers Ofcom, the country’s internet regulatory body, to ensure that companies have implemented age-verification for a wide swath of content. For services such as Reddit, this will mean certain subreddits are age-gated. For Blusky, this means you won’t be able to direct message others without verifying your age. Age verification comes with an inherent reduction of privacy, however it also risks cutting off adults from parts of the internet should they fail the verification. As the Electronic Frontier Foundation notes in their piece about the bill:
These systems will collect data, particularly biometric data. This carries significant privacy risks, and there is little clarity in the Bill about how websites will be expected to mitigate these risks. It also carries risks of incorrect blocking where children or adults would be locked out of content by an erroneous estimate of their age.
The best way to protect user privacy is to not collect the data in the first place. In an event that may now become more common with the collection of id documents, Tea, a dating safety app, suffered a breach last week that leaked users’ identification documents to 4chan.
There is, at least for now, an easy way for users to circumvent these age control measures entirely; using a VPN. A VPN is a service that tunnels your internet activity through a particular server before connecting to the wider internet, and therefore these services can be used to make your computer appear to be connecting from another country. In the UK, Proton VPN has seen a 1,800% increase in daily sign-ups. Michael Geist, a Canadian law professor, noted how VPN’s are a known workaround when talking about Bill S-210 (a similar bill to the Online Safety Act here in Canada that was proposed in the last parliament). As age verification laws spread around the world, including now in Australia and the United States, the internet will become bifurcated into those that can afford a good VPN and those that cannot.
Users may also opt for a VPN to get around internet censorship, such as the spike in VPN popularity when the TikTok ban briefly went into effect in the United States. While usage of VPN’s has been necessary for many years in more authoritarian countries, this phenomenon is fairly new in democracies, and many users may not know which VPN to use or trust. Choosing incorrectly could result in using a service that is insecure or actively malicious.
The luxury of a good VPN
There are a huge amount of VPN providers to choose from, offering services at various price points and speeds. For most users, three things will matter when selecting a provider: privacy, cost, and speed. It is rare for all three of these factors to align—a cheap VPN that values privacy and is fast is hard to come by. Therefore, users will be sorted into two buckets; those that surf the net quickly and privately, and those that either have to work through slower speeds or give up their anonymity; either to a company by providing their id, or to the VPN provider by providing their data.
The future ahead
We now have an internet where users have to research which VPN providers to trust, or expose their identity documents in more places to cyberattacks and theft. Once knowledge of VPN’s spread, and once lawmakers see their efforts being undermined, it is uncertain what will happen next. Already, encryption has come under attack multiple times. Penalties for using a VPN or an encrypted service may be put in place, such that users are scared into sacrificing their privacy, or forgo accessing certain services entirely.
Jurisdictions for privacy-focused services are dwindling, with Proton recently concerned with new Swiss regulations. Privacy companies may shift again into favorable locations, resulting in higher concentration in a few countries. With the UK regulations going into effect, another domino has fallen.