VPNs Can Bypass Age-Verification Laws. Are They An Effective Solution?



Age-verification laws are popping up around the world, and although websites like Pornhub originally caught the limelight, other online platforms are struggling to keep up with compliance.

It’s not just porn, though saying “just” undermines how big a deal adult entertainment access really is. Bluesky shut down service in Mississippi, and Mastodon will likely follow. The video game platform Steam now requires age verification in the UK to view mature games, even with a decades-old account. Discord also requires verification in the UK with a photo, which you can stump by snapping a picture of a video game character.

Unsurprisingly, VPN usage has surged in response. A VPN, or virtual private network, masks your internet traffic and spoofs your location. You probably know about it as a way to bypass region-locked content on streaming platforms like Netflix. You can’t access Bluesky if your internet traffic is coming from Mississippi, but with a VPN, your traffic could be coming from a different state or country.

The Electronic Frontier Foundation (EFF) says VPNs aren’t a solution. They aren’t. Although VPNs provide a fix for circumventing age-verification laws, they aren’t foolproof. I’m going to run down what VPNs can (and can’t) do to mask your online identity, as well as the state of the laws on the books and how they interact with VPN providers.

Why Age-Verification Laws Pose a Privacy Risk


It’s hard to argue with age-verification laws on the surface. Pornhub itself has been very forward with its stance that age-verification laws are a good thing—if done correctly. Pornhub and online privacy advocates say it’s the implementation of the law that’s flawed, not the idea behind it.

The problem is how the verification happens. You aren’t verifying your age with the government. You’re routing it through an independent third party, and most of the laws on the books are designed specifically in this way. In the UK, for example, Reddit verifies with Persona, and Bluesky uses Kids Web Services (owned by Epic Games).

Persona’s privacy policy states that it collects not only biometric information and personal details, like your ID, but also ties that to information gathered from third-party sources. It also retains that information and is free to share it with others.

“Age verification laws threaten individual privacy by requiring individuals to submit highly sensitive personal data, such as government-issued IDs or biometric scans, to access material online,” Rindala Alajaji, a legislative activist at EFF, tells WIRED. “This opens the door for potential breaches and misuse.”

It’s data brokerage at the behest of the legislature, and organizations like the American Civil Liberties Union (ACLU) say the laws limit free speech protections. Service providers also argue that the laws don’t protect minors. Pornhub, for example, says it saw an 80 percent drop in traffic from Louisiana in 2023 when the state passed an age verification law. It argues that these regulations only serve to push users to platforms that don’t comply with regulations.

“These laws don’t actually ‘protect minors’ or stop people from accessing adult content; they push users to unregulated, unsafe corners of the internet where privacy and safety protections are minimal, making the internet more dangerous for everyone,” Alajaji says.

Some services, such as Pornhub, have blocked access in these states in a seeming act of protest. Others, such as Mastodon, say they’re forced to shut down as they can’t provide verification information they don’t have. The result is the same: a fragmented internet where the services you can access are based on your physical location, and the only solution is to sacrifice your privacy.

What VPNs Can (and Can’t) Do

At a basic level, VPNs work by sending your traffic to a server within the provider’s network before going out to the open internet. By routing your traffic this way, it’ll appear as if you’re connecting from the server’s location. Unlike a proxy server, which does the same location spoofing, your connection is negotiated and encrypted with a VPN protocol. Combined with proper privacy measures on the VPN side, that should mean you and your online browsing are completely anonymous.

No system is perfect, though, and VPNs aren’t an exception. When you connect to a VPN, your traffic looks as if it’s coming from the VPN server, which itself poses a hurdle. If enough questionable traffic comes from a particular server, it’ll be blocked. Streaming platforms like Netflix might notice that an odd amount of traffic comes from one particular server in a certain location, and they may block that server from connecting. You can easily find massive lists of known VPN servers online. Some VPNs, like Proton VPN, are good at keeping up with this game of whack-a-mole. Others, like Private Internet Access, aren’t.

VPNs can hide where your internet activity is coming from, but they don’t totally hide who is engaging in that activity. VPNs are only concerned with your internet connection. They don’t touch other potentially personally identifiable information. Cookies, ad IDs, GPS, and other browser-based information can create a so-called “browser fingerprint.” This fingerprint isn’t as identifiable as your IP address, but a motivated traffic sniffer could build a fairly robust profile even while you’re connected to a VPN.

In the context of age verification laws, however, VPNs are effective. Prominent services like Bluesky and Pornhub have, publicly and reluctantly, withdrawn access in locations with these laws, so it’s hard to imagine that they’ll block access from known VPN servers. However, some organizations, such as the Age Verification Providers Association (AVPA), have pushed for more robust enforcement mechanisms beyond IP geolocation. If services are forced to comply with more restrictive tracking, the effectiveness of a VPN goes down.

“The approach outlined is that, for example, a social media platform would analyze the content or behaviour of its own users reaching it via a VPN to flag any that were likely to be underage in a jurisdiction that requires age checks,” Iain Corby, executive director at the AVPA, told me via email. “States must consider the impact of giving VPN users a pass, which is that they are effectively giving up on any attempt to apply the rule of law online.”

The EFF says it wants to see a different approach, one that’s less focused on restricting access to VPNs and more focused on protecting individual privacy. “VPNs shouldn’t be necessary to access legally protected content in the first place,” Alajaji says. “Their growing use underscores a larger issue: Age-verification laws often erode privacy and digital freedom without effectively achieving their intended goals.”

Age Verification and VPNs: Are They Against the Law?

Using a VPN to spoof your location and access the internet isn’t illegal in most parts of the world, and any change in legislation on that front would bring forth serious questions about online censorship. Countries like Russia and North Korea infamously have VPN bans in place. Any similar policy from Western states like the US and UK would certainly be met with fierce opposition.

Age-verification laws are targeted toward providers, not users, and they’re civil liabilities, not crimes. If a company or website operating in a particular state doesn’t comply with the law, that state can sue the provider—most laws in the US put liability at $10,000 per day of noncompliance.

Using a VPN isn’t illegal. However, performing illegal acts while connected to a VPN is still illegal. If you’re a minor using a VPN to purchase nicotine products or alcohol online, for example, that’s still illegal. Circumventing age verification with a VPN isn’t so that minors can access services they aren’t supposed to; it’s to protect the privacy of users who don’t want to send sensitive information to third-party verification platforms.

VPNs We’ve Tested and Recommend

There are some great VPNs out there, but there are a few I’d lean toward if you’re concerned with your online privacy first and foremost. These services all have decent pricing, solid speeds, and stable apps, but privacy takes center stage.


Proton VPN

Proton VPN is the best VPN for most people. It’s fast, easy to use, and comes with a ton of server locations. I’m recommending it here because Proton has an unconventional approach to the online privacy debacle. The company is a Swiss corporation, but its primary shareholder is The Proton Foundation—a non-profit set up and led by Proton’s founder Andy Yen.

That already sets Proton apart from most VPNs, and it’s backed up by open source apps. For the privacy-conscious, I gravitate toward Proton due to its Secure Core servers. Proton’s network comprises over 15,000 servers, but 112 of those (at the time of writing) are owned and operated entirely by Proton. Those are the Secure Core servers.

Basically, Proton owns a small internet network across Sweden, Switzerland, and Iceland, which Proton says it chose due to their robust privacy legislation. From there, you can connect to another location (i.e., a connection to the US via Sweden). You’ll take a drop in speed, and other services offer these kinds of multi-hop connections, but Proton is the only provider I’m aware of that fully owns its multi-hop network.

Proton is the VPN to beat right now, full stop, which is shocking because it’s not that expensive. You can get started for free, but with reduced speeds, and the paid plan clocks in at just $10 a month, even less if you subscribe for a year or more. You really get the best bang for your buck with Proton Unlimited, which is $13 per month (less for a year or more), and it includes all of Proton’s apps, including the excellent Proton Mail and Proton Pass.

Mullvad VPN

Like any VPN worth its salt, Mullvad says it doesn’t keep logs about what you do online. Unlike other VPNs, though, you don’t have to take Mullvad’s word for it. You don’t even need to do as much as enter a credit card or provide an email to sign up.

Instead, generate an account number on Mullvad’s website and plug that number into the app to log in. When you want to add time to your account, you pay Mullvad €5 per month regardless of how much time you buy. That’s €5 per month flat; Mullvad doesn’t do regional pricing or long-term discounts. You can pay with a credit card if you want (or a string of various online payment providers), but you’re also free to send Mullvad cash directly.

That’s Mullvad’s big claim to fame, but it includes a ton of other security features that most other VPN services lack. For starters, all of its apps are open source and externally audited. It also provides multi-hop connections—basically connecting to two VPN servers consecutively—and WireGuard key rotation. Key rotation is a big security feature: It ensures perfect forward secrecy, as a single compromised session won’t compromise past or future sessions.

When it comes to fingerprinting, Mullvad takes the cake because of DAITA, or Defence Against AI-Guided Traffic Analysis. Although things like GPS play a role in fingerprinting, so do encrypted traffic patterns. To get around this kind of traffic analysis, DAITA uses consistent packet sizes and interjects dummy packets into the stream. It’s basically background noise, making it even more difficult to figure out who you are and what websites you’re visiting.
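A simplified sketch of the idea described above (constant packet sizes plus dummy packets), added here as an illustration; it is not Mullvad's DAITA implementation, and the cell size, bucket size, and sample traces are constructed assumptions. It models packet sizes and counts only, not timing.

```python
import math

CELL = 1400    # assumed constant on-wire packet size, in bytes
BUCKET = 16    # assumed: each burst is filled with dummies up to a multiple of this

# Constructed sample data: encrypted packet sizes an observer sees per page load.
TRACES = {
    "site-a": [517, 1400, 1400, 230, 1400, 90],
    "site-b": [517, 310, 1400, 1400, 1400, 1400, 1400, 64, 64],
    "site-c": [517] + [1400] * 30,
}

def observe(trace):
    """What a passive observer can record: packet count and size sequence."""
    return (len(trace), tuple(trace))

def defend(trace, cell=CELL, bucket=BUCKET):
    """Pad every packet to one constant size, then add dummy packets
    until the burst length reaches the next bucket boundary."""
    real_cells = sum(math.ceil(size / cell) for size in trace)
    total_cells = math.ceil(real_cells / bucket) * bucket  # real + dummy
    return [cell] * total_cells

def distinguishable(traces, transform=lambda t: t):
    """Number of distinct observations across all sites after `transform`."""
    return len({observe(transform(t)) for t in traces.values()})

def overhead(trace):
    """Bandwidth cost: bytes sent with the defence divided by real bytes."""
    return sum(defend(trace)) / sum(trace)

if __name__ == "__main__":
    print("distinct traces without defence:", distinguishable(TRACES))
    print("distinct traces with defence:   ", distinguishable(TRACES, defend))
    for name, trace in TRACES.items():
        print(f"{name}: {overhead(trace):.2f}x bandwidth")
```

In this model the two small page loads become identical on the wire, while the much larger one still lands in a different bucket: padding hides size patterns but total volume leaks at bucket granularity, and the price is extra bandwidth.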

Windscribe

Windscribe is one of the few VPN providers that has a demonstrable no-logging policy. Every VPN says your history isn’t logged, but precious few actually back up that claim. Windscribe founder and CEO, Yegor Sak, was personally charged in a Greek court due to activity on the Windscribe network. The case was dismissed, but even in the face of criminal prosecution, Windscribe couldn’t turn over data it didn’t have.

I’m recommending it here due to Windscribe’s excellent browser extension. There are a lot of ways to track you outside a VPN tunnel, and Windscribe’s extension is set up to tackle those exact issues. It can delete cookies when you close a tab, and it can spoof time and GPS signals to make you more difficult to track. Critically, it also rotates your browser user agent automatically, essentially making browser fingerprinting a non-issue.

Like Proton, Windscribe offers a restrictive free version with 10 GB of data per month. Unlike most VPN providers, however, you can build a plan from that piecemeal. Unlimited data will run you $3 per month, and each additional location is an extra $1. Or, you can unlock everything for $9 per month or $69 per year, which is lower than the going rate of most VPN services.

Windscribe has a lot of personality as a brand, but don’t let that fool you. It’s just as serious about online privacy and security as a service like Mullvad, and it comes with an extensive roster of features that even top-rated VPN services struggle to keep up with.

VPNs Are a Workaround, Not a Solution

Although VPNs are effective at circumventing age-verification systems (at least right now), it’s important to zoom out. Alajaji and Paige Collings, a senior speech and privacy activist at the EFF, put it best: “While VPNs may be able to disguise the source of your internet activity, they are not foolproof—nor should they be necessary to access legally protected speech.”

VPNs put a bandage on the age-verification problem, but they have benefits outside of this particular issue. Even without being foolproof, VPNs are a huge boon to privacy online, especially when combined with browser-based blocking mechanisms. And spoofing your location can still let you stream movies and TV shows in other countries, as well as access domestic services when traveling abroad.

