Since Australia announced a ban on the use of social media by minors under 16 years of age at the end of last year, Governments around the world are continuously strengthening online child safety protection, requiring the platform to perform age validation. The European Parliament Research Service (EPRS) has recently warned that the Virtual Private Network (VPN) is increasingly being used to bypass online age certification, describing it as “the legislative gap that needs to be closed”.
According to EPRS, the use of VPN began to increase following the enforcement of age certification in several British and United States states. In the United Kingdom, online services must prevent children from accessing harmful content, and it was reported that, after the entry into force of the law, the VPN application led the downloads of the app store. The document issued by EPRS clearly indicates that there are regulatory gaps in the VPN, and some policymakers and child safety advocates believe that the VPN itself should be age-tested. The UK Commissioner for Children also called for limiting the use of VPN services to adults only.
VPN operators and other privacy advocates have objected to this approach in letters to British policymakers, arguing that the imposition of VPN age certification could significantly weaken anonymity protection and create new surveillance and data collection risks. Last month, shortly after the official age validation application was released by the European Commission, the researchers discovered a number of security and privacy gaps. The application claims to be a privacy protection tool within the framework of the Digital Security Agreement (DSA), but researchers have found that the sensitive biometric images collected by the application are not stored in encrypted form, exposing loopholes that may allow users to circumvent authentication controls completely. EPRS reports that age certification remains technically difficult and that EU policies vary. The report emphasizes that the current system based on self-declaration, age estimates or identification is relatively easy to bypass by minors. The report highlights some new technologies, such as the “two-blind” certification system used in France. In the system, the website only receives age-validation confirmation information from users and does not know the specific identity of the user; neither does the provider of the authentication system have access to the website accessed by the user.
At the same time, regulators began to address VPN use directly through legislation. Utah has recently become the first state in the United States to adopt laws that explicitly target the use of VPN for online age certification. The State ‘ s SB 73 Act defines the user ‘ s location on the basis of physical location rather than IP address, and even the use of VPN or proxy services cannot be concealed. EPRS indicates that VPN providers may face increasingly stringent scrutiny as the EU revises its cybersecurity and online security legislation. It also noted that future updates of the EU Cybersecurity Act might introduce child safety requirements aimed at preventing the misuse of VPN to circumvent legal protection.