Businesses may be caught by government proposals to restrict VPN use

Carve-out for companies?

The government has not spelled out whether employees would be expected to prove their age by using a verification service before being given access to a corporate VPN or whether the government will propose a carve-out for businesses.

Maya Thomas, legal and privacy officer at the campaign group Big Brother Watch, told Computer Weekly that a carve-out for companies would put the government in a position of having to decide which businesses would qualify to use VPNs and which would not.

“Think about a small business that may not be formerly registered yet. Would they have to go through a huge, diplomatic, bureaucratic process to apply for an exemption?” she said.

Prime minister Keir Starmer announced plans in a post on Substack to implement a minimum age for social media in a matter of months, to restrict addictive features such as endless scrolling or autoplay for children on social media apps, and to limit children’s access to VPNs, which can be used to bypass age restrictions.

“We will bring new powers that will give us the ability to crack down on the addictive elements of social media, stop auto-play, the never-ending scrolling, that keeps our children holed on their screens for hours, and stop kids getting around age limits,” he wrote.

Ministers are expected to introduce measures in the Children’s Wellbeing and Schools Bill to give them authority to give the capability to protect children “at speed” subject to a final vote in Parliament.

Users would be required to prove age

Privacy campaigners argue that the only way that an age limit for VPNs could be enforced would be to require anyone that uses a VPN to verify their age by uploading an identity document or using facial recognition to estimate age.

This would have unintended consequences for people that rely on VPNs – including victims of domestic abuse, journalists and people who may be at risk from authoritarian regimes – to protect their identity.

Thomas said that victims of domestic abuse, for example, use VPNs to access resources that they don’t want their abusers to know about. “VPNs are a great tool for victims of domestic abuse – by forcing these victims to upload their ID, you are putting them in a precarious position. That would severely disincentivise people who need to use VPNs from doing so,” she added.

There are other issues that still have to be worked out. For example, in a family setting, could a child use their parents’ VPN to watch the US Superbowl? Would they or their parents have to scan their face to show they are old enough to use the VPN?

“We think its quite a knee-jerk reaction. It has not been well thought through as policy,” said Thomas.

Vulnerable people could be less safe

One option would be to require people to register their ID’s with third-party organisations that could then confirm to VPN providers that their customer is over 16, without disclosing a copy of the ID to the provider.

But even this could deter vulnerable people, who may be at risk of domestic abuse, or may face discrimination at home because of their religious beliefs, from taking steps to protect their identity. It could also add to the administrative burdens faced by companies that use VPNs.

The government’s intervention comes in the wake of similar moves by Conservative peers to introduce an amendment to the Children’s Wellbeing and Schools Bill to restrict the use of VPNs to people under the age of 18, which won approval from the Lords.

The government is expected to give further details of its plans when it issues a public consultation in March.

The proposals also include an amendment to the Crime and Policing Bill to allow the government to require chatbots that are not currently covered by the Oneline Safety Act to protect users from illegal content, and measures to preserve children’s social media in the event of a child’s death.