The European Parliamentary Research Service (EPRS) has warned that virtual private networks (VPNs) are increasingly being used to bypass online age-verification systems, describing the trend as “a loophole in the legislation that needs closing.”
The warning comes as governments across Europe and elsewhere continue expanding online child-safety rules that require platforms to verify users’ ages before granting access to adult or age-restricted content.
VPNs are privacy tools designed to encrypt internet traffic and hide a user’s IP address by routing connections through remote servers. While widely used for legitimate purposes such as protecting communications, avoiding surveillance, and enabling secure remote work, regulators are increasingly concerned that the same technology allows minors to circumvent regional age checks.
The EPRS notes that VPN usage surged after mandatory age-verification laws took effect in countries including the United Kingdom and several US states. In the UK, where online services are now required to prevent children from accessing harmful content, VPN apps reportedly dominated download charts after the law came into force.
The document explicitly frames VPNs as a regulatory gap, stating that some policymakers and child-safety advocates believe VPN access itself should require age verification. England’s Children’s Commissioner has also called for VPN services to be restricted to adults only.
However, forcing users to verify their identity before accessing VPN services could significantly weaken anonymity protections and create new risks around surveillance and data collection. VPN providers and other privacy advocates have already expressed their objections to this approach in a letter sent to the UK policymakers.
Last month, researchers found multiple security and privacy flaws in the European Commission’s official age-verification app shortly after its release. The app, promoted as a privacy-preserving tool under the DSA framework, was discovered storing sensitive biometric images in unencrypted locations and exposing weaknesses that could allow users to bypass verification controls entirely.
The EPRS paper acknowledges that age verification remains technically difficult and fragmented across the EU. Current systems based on self-declaration, age estimation, or identity verification are described as relatively easy for minors to bypass. The report highlights emerging approaches, such as “double-blind” verification systems used in France, where websites receive only confirmation that a user meets age requirements without learning the user's identity, while the verification provider does not see which websites the user visits.
At the same time, regulators are beginning to address VPN use directly in legislation. Utah recently became the first US state to enact a law explicitly targeting VPN use in online age verification. The state’s SB 73 defines a user’s location based on physical presence rather than apparent IP address, even if VPNs or proxy services are used to mask it.
The EPRS suggests VPN providers may face increasing scrutiny as the EU revises cybersecurity and online safety legislation, noting that future updates to the EU Cybersecurity Act could introduce child-safety requirements aimed at preventing VPN misuse to bypass legal protections.
Hi Sven,
Age verification laws have been a hot topic in Australia. I can see both sides, one stating the potentially serious harms to young persons online and the other advocating for personal freedoms and privacy.
I think that for young people there needs to be a two tiered solution. In one part some sites should be required by law to take reasonable steps to detect and limit harm towards young people; and in the second part there should be measures at the device and account level where the parent maintains permission control and supervisory oversight.
I don’t think there is a perfect solution.
Why not ban firearms, any explosives, even crowbars in the end… after all, they can be used to break down doors and rob stores.
> Children
~50% of them are pubescent, meaning they have developed some sexual characteristics. It is not at all unheard of for 11-12 year olds to explore pornography autonomously–not just lured into it by nefarious pedophiles lurking in the bushes. Everybody knows this is true. If an 12 year old is smart enough to load up a VPN to watch porn, we should let him.
The idea that we’re going to put a digital chastity belt on young people for 8 years of their reproductive life “to protect them” is a laughable absurdity suited to a comedy of errors. That our politicians seem willing to throw our society under totalitarian surveillance to accomplish this goal is a horror story.
World losing it’s freedom at every turn & everywhere, under faux pretenses
I do find it rather ironic & sad that Cyber insider always promote their accounts on X & LinkedIn, two highly politically biased sites that only perpetuate & promote these anti-privacy agendas thru various means & censorship
Even their inline snippets are from X (which Librewolf, my good friend, blocks thank you very much)
Gotta make those dollars somewhere I guess, but the end of following this site for me, not that they or anyone care of course lol
Hold your values closely folks, never give in, and be ever vigilant on wolves in sheep clothing