Age-verification laws don’t exempt VPN traffic. But that traffic can’t always be detected.
Social media age-verification laws that have popped up across the country have all kinds of unintended consequences. One issue that has not yet been examined closely is how these laws would affect virtual private networks (VPNs). R Street interviewed various stakeholders around VPNs, including VPN-blocking services, a cybersecurity scholar and a partner at a digital media firm, in order to better understand and convey the challenges of VPN detection.
Obviously, age-verification laws would force platforms to identify the age of their users in each specific area—Utah’s laws apply to residents in Utah, Arkansas’ laws apply to residents in Arkansas, U.S. law would apply to U.S. residents, and so on. But people can use VPNs to get around age verification by making their web traffic appear as though it originates in a jurisdiction outside the law’s reach. In these cases, the laws still hold the social media companies liable. That’s a problem, because VPN detection is far from a perfect process.
For example, in order to ensure perfect compliance with Utah’s law, platforms would have to treat all VPN users as Utah residents or block VPNs completely. Not only does the law not specifically exempt VPN traffic, it says that a “social media company shall not permit a Utah minor account holder to change or bypass restrictions on access as required by this section.” That language seems to implicate popular methods of bypassing restrictions such as VPNs. While the Arkansas law uses different language, it would likely restrict VPNs in a similar way for residents of that state. Meanwhile, the proposed Protecting Kids on Social Media Act could extend these rules to every resident of the United States.
While we believe that protecting access to VPNs is a worthy goal in its own right, there are also many practical problems with these laws. Below, we identify the core issues.
VPN traffic isn’t always detectable
It is not always simple to detect VPN traffic. A representative from proxycheck.io, a service used to detect VPN traffic, told R Street that they believe their service is “quite accurate in detecting 99 percent of VPNs.” He explained that they not only index “the infrastructure of known VPN providers” but also index “server hosts/datacenter address ranges.” “This allows us to detect the companies that make available servers for rent to VPN companies,” he told R Street.
But the representative lamented that, “residential VPN networks—which allow anyone in the world to rent out their home internet connection to anonymous users online for profit” are difficult for VPN blockers and detectors to identify. “The VPNs they have available for use are extremely hard to track and detect at scale,” he said.
Meanwhile, Alex Stamos, Director at the Stanford Internet Observatory, told R Street that, “you can pretty easily catch about 90 percent of VPNs and block them completely.” It is worth noting that social media companies failing to identify even 10 percent of VPN users could still mean millions of violations of the law.
Ian Spencer, Partner and Chief Technology Officer of digital advocacy firm Red Edge, explained, “VPN detection is a relatively straightforward game of cat and mouse if someone is using a public VPN, like NordVPN, ExpressVPN, Mullvad, etc., or if they have a custom VPN server hosted on a service like AWS EC2.” But, as he explained further, “it’s much more difficult if they are using a private VPN through a regular consumer or business internet connection.” Spencer added that he uses a VPN in Red Edge’s office and doesn’t run into any problems connecting to services like Netflix.
This is extremely important because Netflix works aggressively to block VPNs for compliance purposes. Netflix pays for licensing agreements in order to stream third-party content on its platform, and those agreements must be negotiated country by country. While it would be “Brilliant!” to be able to watch the IT Crowd on Netflix in the United States, attempting to do so will be met with the error message, “Oh no! This title isn’t currently available to watch in your country.”
An additional message clarifies, “[u]navailable on an advert-supported plan due to licensing restrictions.” That means that a potential viewer in the United States would have to use a VPN to pretend to be in another country where Netflix has the license to stream the show. Netflix has massive legal incentives to prevent such illicit access and protect these licensing agreements. Too many violations will also encourage these shows to take their business elsewhere. The fact that Spencer is able to bypass these restrictions easily—and countless articles assist users in doing the same—highlights the impossible task of effectively blocking or identifying VPNs.
“But it’s always a guess, and a percentage of certainty, the provider has to make a judgment on,” said Spencer of the cat and mouse game of VPN use and detection. And the cat and mouse game will be accelerated when laws are passed that penalize website operators for failing to detect VPN traffic. “I can tell you if there’s a demand for it, VPN companies will invest more resources to get around our detection methods,” said a representative for IPHub, a tool that works to detect VPN traffic. “And we’ll need to step up our efforts accordingly in order to maintain the VPN detection ratio.”
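The detection approach the proxycheck.io representative and Spencer describe (index the infrastructure of known VPN providers and the address ranges of hosting and datacenter operators, then make a confidence-based judgment rather than a certain one) can be sketched in a short script. The following is an added illustration written for this piece; it is not code or data from proxycheck.io, IPHub, Red Edge or R Street. The ranges, labels and scores are constructed placeholders built on documentation prefixes, and the threshold is an assumed policy value. The point it makes is the one the sources make: such an index catches commercial and cloud-hosted VPN exits, but a residential exit address simply is not in the index and comes back as an ordinary home connection.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class RangeEntry:
    """One indexed prefix: who it belongs to and how strongly it implies VPN use."""
    network: IPNetwork
    category: str   # "vpn_provider" or "hosting" (servers rented to VPN companies)
    label: str
    score: float    # assumed confidence, 0..1, that a client in this range is a VPN/proxy


# Constructed sample index using RFC 5737 / RFC 3849 documentation prefixes.
# A real detection service indexes many thousands of operator ranges; these are placeholders.
SAMPLE_INDEX = (
    RangeEntry(ipaddress.ip_network("198.51.100.0/24"), "vpn_provider", "ExampleVPN exit pool", 0.99),
    RangeEntry(ipaddress.ip_network("203.0.113.0/24"), "hosting", "ExampleHost datacenter", 0.80),
    # A more specific sub-range known to be a VPN tenant inside the hosting operator's space.
    RangeEntry(ipaddress.ip_network("203.0.113.64/26"), "vpn_provider", "ExampleVPN on ExampleHost", 0.97),
    RangeEntry(ipaddress.ip_network("2001:db8:10::/48"), "hosting", "ExampleHost v6 datacenter", 0.80),
)


@dataclass(frozen=True)
class Verdict:
    ip: str
    category: str   # "vpn_provider", "hosting", or "unindexed"
    label: Optional[str]
    score: float


def classify(ip_text: str, index=SAMPLE_INDEX) -> Verdict:
    """Longest-prefix match of the client IP against the indexed ranges.

    Anything not in the index (ordinary residential space, and therefore also a
    residential VPN exit) comes back as "unindexed" with score 0.0. That is the
    blind spot the article's sources describe, not a defect in the lookup.
    """
    ip = ipaddress.ip_address(ip_text)
    best: Optional[RangeEntry] = None
    for entry in index:
        if ip.version != entry.network.version:
            continue
        if ip in entry.network and (best is None or entry.network.prefixlen > best.network.prefixlen):
            best = entry
    if best is None:
        return Verdict(str(ip), "unindexed", None, 0.0)
    return Verdict(str(ip), best.category, best.label, best.score)


def treat_as_vpn(verdict: Verdict, threshold: float = 0.75) -> bool:
    """The judgment call a platform has to make from a probabilistic score (threshold is assumed)."""
    return verdict.score >= threshold


def expected_daily_misses(daily_vpn_sessions: int, detection_rate: float) -> int:
    """Sessions that slip through per day at a given detection rate, e.g. the 99 percent case above."""
    return round(daily_vpn_sessions * (1.0 - detection_rate))


if __name__ == "__main__":
    # Constructed clients: a commercial VPN exit, a rented server, a VPN tenant in
    # hosting space, a home connection acting as a residential VPN exit, and an IPv6 host.
    for client in ("198.51.100.7", "203.0.113.5", "203.0.113.70", "192.0.2.77", "2001:db8:10::1"):
        v = classify(client)
        print(f"{client:>16} -> {v.category:12} {v.label or '-':28} score={v.score:.2f} block={treat_as_vpn(v)}")
    print("misses/day at 99% detection over 5M VPN sessions:", expected_daily_misses(5_000_000, 0.99))
```

The longest-prefix rule matters because a hosting operator's block and a VPN tenant's sub-block overlap; the more specific entry should win. The residential address in the sample (192.0.2.77) is the case every source above flags: nothing in an infrastructure index distinguishes it from any other home connection, so a platform that wants to "catch" it has to fall back on weaker signals or on treating ordinary users as suspects.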
Websites could face penalties under, say, Utah’s law for failing to catch an underage Utah resident using social media through a VPN. Under the proposed Protecting Kids on Social Media Act, a website could face penalties for failing to catch an underage Oklahoma resident using a VPN. And note—while proxycheck.io says that it’s “quite accurate in detecting 99 percent of VPNs,” even a 99 percent detection rate would be considered failing under these laws’ standards. Missing one VPN may not lead to a lawsuit, but for websites that have millions or billions of daily visitors, failing to detect a VPN one out of 100 times could easily mean millions of missed VPNs—or millions of violations of these laws—on a daily basis.
Less-detectable VPNs tend to be less secure
When asked about the consequences of these laws, proxycheck.io’s representative told R Street that “laws that try to restrict services will only make consumers seek out riskier and riskier VPN services that aren’t as readily detectable—and they can put their personal information at risk by doing so.” “Ultimately we think these kinds of laws will only serve to make consumers less safe,” he concluded. Consider that lesser-known VPNs may not trigger VPN detection as easily, because detection indexes are more likely to cover the IP addresses and other signatures of widely used VPNs. But these smaller VPNs may also have fewer reviews and more uncertain security and accountability.
These laws apply to “residents” and separating “visitors” from “residents” is nearly impossible
Although IP addresses indicate general location, they can be off by miles, and are by no means a perfect way to determine location. And even if a social media platform can tell by a user’s IP address that they are in Utah, the platform does not know if they are a resident or a visitor. Naturally, platforms are likely to over-correct and apply the law to every person in Utah in order to comply with the law. And while the Utah and Arkansas laws only apply to state “residents,” the proposed Protecting Kids on Social Media Act also applies to anyone who “habitually resides in the United States.”
This raises the question of what constitutes habitual. While we might agree that taking a vacation to the United States doesn’t mean that someone “habitually resides” here, would a three-month stay with an aunt constitute “habitual?” What about someone who comes to the United States every six months for work? Every three months? The legislation’s definition is far too vague in its current form. Without a much clearer definition it will be almost impossible for companies to comply. And remember, too, that this requires platforms to acquire lots of location data about users. Not all platforms want to collect and retain such sensitive information and forcing them to do so mandates bad cybersecurity practices.
Moreover, all of this legislation fails to help platforms determine who is and is not a resident. Even government IDs can be deceptive, as both of the authors maintained home state IDs long after moving to Washington, D.C. Perhaps an Arkansas child lives in Arkansas near its border, but attends school in Mississippi. If that child only uses social media in Mississippi and the platform permits it due to their IP address-based location, is that platform in violation of the law? And while we’ve focused largely on the impact that these laws would have on children, they would actually mandate age and identity verification for every single person accessing the platforms, because that’s the only way to know who is and isn’t a child or resident.
Companies will be incentivized to collect user IP addresses for compliance purposes
Let’s say a child under a U.S. law’s jurisdiction bypasses age verification using a VPN, which is likely to happen. It would be wise for the social media platform to keep a record of their IP addresses handy in order to prove that they actively tried to verify the user’s location. And IP addresses can tell a lot about a user. Yes, they indicate general location. But IP addresses can also indicate “[o]nline services for which they have registered,” “[p]ersonal interests, based on websites visited,” “[o]rganizational affiliations,” and “locations they have visited physically,” according to a 2013 report by the Office of the Privacy Commissioner of Canada (OPC). That is an enormous amount of information to force websites to collect.
Other laws prohibit treating VPN traffic differently, creating a compliance paradox
Utah’s Libertas Institute highlighted a little-discussed problem with these laws, particularly state-level ones: some states’ data-privacy laws “prohibit companies from conditioning access on a user providing personal information like an IP address or something more.” A platform may not be able to comply with the laws of those states while also complying with laws in Utah or Oklahoma that require companies to collect user locations and prevent users from bypassing the restrictions. If a platform successfully detects VPN traffic and treats it according to the strictest age verification law enacted by a U.S. state, such as Utah, then it violates California’s law that prohibits treating VPN traffic in a unique way. Under these contradictory regimes, companies may be forced to make the onerous decision of violating one law to comply with another. This is a compliance nightmare.
What may seem like a minor legislative issue at first blush has massive real-world consequences that will punish companies genuinely trying to comply with the law. Congress and the states should be working to support, not destroy, privacy and free speech-enhancing technologies like VPNs.
This is part of the series: “The Fundamental Problems with Social Media Age-Verification Legislation.”