2 Million VPNs in One Month: How Age Verification Laws Backfired

This episode is based on our article:

2 Million VPNs in One Month: How Age Verification Laws Backfired

Full Episode Transcript


Two million people downloaded a V.P.N. in a single month. Not because of a data breach. Not because of a hack. Because the U.K. turned on its age verification law.


Anyone who's ever handed over a government I.D. just to prove they're old enough to visit a website knows the feeling. That uneasy pause before you upload a scan of your driver's license to a site you've never heard of. That's what millions of people in the U.K. faced when the Online Safety Act kicked in on July 25, 2025. The law required websites hosting adult content to verify every visitor's age — often through facial scans or uploaded I.D. documents. And the public response wasn't compliance. It was mass evasion. Over two million V.P.N. installs in one month. On Reddit, posts about how to bypass age checks jumped from a single thread in May of twenty twenty-five to sixty-five threads by April of twenty twenty-six. Two hundred forty-one total discussions over that stretch. So the question running through this entire story is simple — when a law's main effect is teaching people to dodge it, is it a law or a lesson?

And it wasn't just teenagers looking for workarounds. Privacy-conscious adults made up a huge share of those V.P.N. downloads. People who didn't want to hand their passport or face scan to a website just to prove they're over eighteen. A senior security researcher at Cybernews put it plainly — as long as these verification methods stay this invasive while bypass tools stay this easy to find, the laws won't achieve what they're designed to do. That's a researcher at a cybersecurity firm saying the quiet part out loud. The compliance model itself is the problem.

Now, some lawmakers saw the evasion and decided the answer was to crack down harder. Utah passed a law that holds platforms liable if someone uses a V.P.N. to get around age gates. That same law prohibits platforms from even providing instructions on how to use a V.P.N. NordVPN — one of the biggest V.P.N. providers in the world — called this an unresolvable compliance paradox. Why? Because comprehensive V.P.N. blocklists don't exist. You can't block what you can't catalog. So Utah is essentially telling companies to stop something that no one has figured out how to stop.


Meanwhile, Mozilla — the organization behind Firefox — filed a formal warning with U.K. regulators. Their argument cuts two ways. First, restricting V.P.N. access doesn't push people toward safer behavior. It pushes them toward unregulated, offshore V.P.N. services with weaker security. The very tools meant to protect people end up exposing them to worse risks. Second — and this one sticks — Mozilla warned that limiting V.P.N.s for minors would create what they called a two-tier internet. Adults keep their privacy tools. Young people lose access to the same protections that shield them from surveillance and tracking. That's not a hypothetical. That's the structural outcome of the policy as written.

And Mozilla backed it up with data. According to their research, only about seven percent of children who use V.P.N.s do so to get around age gates. Seven percent. The vast majority use V.P.N.s for the same reason adults do — privacy and security. So the entire enforcement framework is built around a small fraction of the behavior it claims to target.

California is trying a different path. The state's Digital Age Assurance Act takes effect in twenty twenty-seven. Instead of making every website check your I.D. separately, it requires operating systems to ask your age once — during device setup. The O.S. then shares an age range with apps. Not your birthday. Not your I.D. Just a range. And it explicitly does not require government identification. Parents enter children's ages at setup, and the system attests from there. One verification, at the device level, instead of friction every time you visit a new site. For anyone who's ever managed identity verification in an investigation, this maps to a principle you already know — a single cryptographic proof beats repeated manual checks every time.


The Bottom Line

The pattern everyone misses is this — heavier compliance burdens don't make people more transparent. They make people more creative. Two million V.P.N. downloads aren't a sign of lawlessness. They're a market signal that the compliance model is broken.

So — a law meant to verify ages online drove two million people to hide their identities instead. Stricter enforcement in places like Utah ran into technical walls that don't have solutions yet. And California is betting that the fix isn't more friction per website but one check, one time, built into the device you already carry. Whether you're building compliance systems or just trying to browse the internet without handing over your passport, the lesson is the same. When the legitimate path feels more invasive than the workaround, people will choose the workaround every time. The full story's in the description if you want the deep dive.
