UK and other democracies won't ban VPNs: Here's why
It’s a tunnel, not a platform.

Image by Cybernews
- Britain’s VPN climbdown shows why democracies can’t treat internet infrastructure like just another platform.
- Any age-based VPN crackdown would be hard to enforce without broader surveillance and privacy trade-offs.
- Even strict rules would be easy to evade via offshore providers, self-hosting and other encrypted tools
- Experts claim online safety laws work best downstream on platforms, not upstream on the plumbing of the internet.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Despite months of tough talk, the UK quietly ruled out banning VPNs yesterday to stop children evading the country's forthcoming social media ban – for the same reason every other country, including its digital role model Australia, has avoided it.
While the debate over banning VPNs has largely focused on politics, the real obstacle is technology.
Unlike TikTok or Instagram, it’s not as simple as restricting a platform. VPNs are part of the internet’s infrastructure, and that’s what less tech-savvy politicians have found harder to grasp and communicate with to the broader public.
VPN double U-turn
The idea of restricting VPNs for under-18s was first proposed in January by the House of Lords – the UK's unelected upper house – with an average member age of around 70.
The House of Commons voted against restrictions, then U-turned after a social media ban was announced last month.
Then, on Wednesday, when pressed on BBC Breakfast, the online safety minister Kanishka Narayan U-turned again, confirming that no restrictions were currently planned – though he added that the situation would be kept under constant review.
UK politicians may still talk tough on VPNs, and to many it sounds like the logical next step: If teens are using them to access age-restricted content, why not outlaw the technology?
However, as the government has come to understand from talking to cybersecurity experts, privacy advocates, and academics, the answer isn’t that simple.
As Jake Moore, a former digital forensics expert for Dorset Police, and an advisor at security firm ESET, acknowledges: “The UK government could legislate a ban on VPN use for under-16s, but enforcing it would be a waking nightmare,” he says.
What is a VPN?
The challenge begins with knowing what a VPN actually is. In political rhetoric they are rarely explained as anything beyond a circumnavigation tool that makes it sound like something that can be easily banned.
Unlike a social media platform or a website, a VPN isn’t a single service that can simply be switched off. It is an encrypted technology used every day by businesses, hospitals, journalists, universities, and millions of ordinary people to protect their internet traffic.
As Dr. Manimathu Arunmozhi of Aston University explains, trying to block VPNs would be like trying to inspect every locked van traveling on Britain’s roads.
“Think of a VPN like a locked, unmarked van driving down a public road. The van is carrying a package, and the road doesn’t know – and isn’t supposed to know – what’s inside.”Dr. Manimathu Arunmozhi, Aston University
To stop VPNs, he says, the government would effectively have to inspect everyone’s internet traffic, continually block thousands of VPN servers that are constantly changing, and remove VPN apps and app stores – measures that users could bypass in minutes.
The bigger challenge is that there is no obvious way for a government to reliably identify who is using a VPN.
“Nobody currently has the technical ability to reliably tell ‘this is a 15-year-old’ from ‘this is an adult’ on a VPN connection,” Arunmozhi says.
“Which is why nothing has been mandated yet.”
Instead, responsibility would have to be spread across VPN providers, internet service providers, app stores, and online platforms, none of which can solve the problem on their own.
Even if commercial VPN companies introduced age verification, determined users could simply switch to overseas providers, self-hosted VPNs, or alternative encrypted tools.
“The key distinction is between reducing access and preventing access,” Arunmozhi says.
“Regulation can significantly raise the barrier for under-16s, but a complete prohibition would be difficult to enforce in practice.”
Ban may force teens to shadier online places
Moore adds that the practical reality is even messier inside the family home.
“Some parents will set up a VPN directly on their router, so it applies to every device on the network, including that of their kids.
“Others may have VPNs set up on shared devices, such as an iPad or a family VPN subscription with multiple seats. Browsers like Opera come with free built-in VPN features. The lines are just too blurred for a no-tolerance policy to under-16s,” Moore says.
And, as Ricardo Amper, founder and CEO of identity provider Incode, adds, that leaves governments facing an uncomfortable dilemma.
“VPNs keep people safe: Demand for privacy doesn't disappear when you restrict reputable providers – it migrates to free, sometimes shady services that monetize users by logging their traffic, selling their data or injecting ads.”Ricardo Amper, founder and CEO, Incode.
Restricting a tool that forces teens to use sketchier workarounds that could send them to underground forums or insecure websites that expose them to cyber threats is probably not what the UK’s online harms bill intended.
VPN regulation: the upstream/downstream chase
Privacy advocate Henry Fisher, CEO and co-founder of Techlore, believes governments often chase whatever tool is currently helping people bypass restrictions instead of addressing the underlying problem.
“I like to look at this as an upstream/downstream chase,” he says.
“Regulators go after whatever's the current common workaround: VPNs get targeted once they're identified as the standard bypass for a platform block...once VPNs prove hard to kill outright, attention shifts to app stores or to the platforms themselves,” Fisher adds.
The UK’s approach, he notes, has so far followed the European model by placing the burden primarily on platforms rather than VPN providers.
Countries with VPN restrictions
Fisher also points to countries that have already attempted tougher controls.
Russia has spent years blocking hundreds of VPN services using deep packet inspection and sophisticated traffic analysis.
Yet VPN use continues to rise as users migrate to newer, harder-to-detect services.
“The arms race keeps escalating and pushes users toward increasingly obscure, less-audited tools, which is its own security problem. For most of us, this isn't a fair tradeoff and is unlikely to be compatible with a free society."Henry Fisher, CEO and co-founder of Techlore
India offers another warning.
Rather than banning VPNs outright, it introduced regulations requiring providers to log user data. The response from many of the industry’s biggest names was simply to remove their physical servers from the country rather than weaken their privacy protections.
“We’ve already seen what this can look like,” Fisher says. “Reputable no-log providers exit rather than compromise, and what’s left in-market skews toward providers willing to log and comply with the government’s demands.”
VPN ban: Cybersecurity and privacy concerns
As Chris Swan, an engineer at Atsign, believes, many mainstream VPN companies would rather leave the UK market than build age verification into services that were never designed for it.
“It’s likely that many of the above board VPN providers will simply choose to exit the UK market rather than implement age checks, leaving UK citizens at the mercy of less wholesome providers."Chris Swan, engineer, Atsign
Swan argues that forcing age verification onto VPNs would also create new privacy risks by requiring users to submit identity documents for a technology whose purpose is often to minimize personal data collection.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
“The only place that age verification can happen is when establishing the account,” he explains. VPN protocols themselves were never designed for anything like age verification.”
There are still other bypasses
Meanwhile, technically minded teenagers would continue finding alternatives.
"It’s also trivial to self-host a VPN using cloud virtual machines," Swan says.
"For many use cases, a simple secure shell (SSH) connection can be used in place of a VPN, and that takes the game of 'whack-a-mole' to a whole different level."
That, ultimately, explains why experts believe Britain is unlikely ever to introduce a true VPN ban.
Strong password generator
Doing so would require surveillance powers most democracies would struggle to justify, create major privacy and cybersecurity risks for millions of legitimate users, and still fail to stop determined people from finding another route online.
As Arunmozhi puts it, "VPNs are a cornerstone of modern cybersecurity. The objective should be to prevent misuse, not to undermine a technology that protects millions of lawful users every day."