Graeme Stewart at Check Point Software argues that banning VPNs isn’t the answer: it’s a dangerous distraction from real online safety
The UK Government’s attempt to protect children from harmful online content through the Online Safety Act has taken an alarming turn. Amid a surge in virtual private network (VPN) usage triggered by mandatory age verification on adult websites, some MPs are now calling for a ban on VPNs altogether.
Let’s be clear: banning VPNs would be a catastrophic misstep. It would not only undermine online safety but would also align the UK with authoritarian regimes like China, Russia, and Iran, countries where VPNs are outlawed to suppress free expression and control information flow. That alone should ring every alarm bell in a democracy.
The real issue: trust, not tunnelling
At the heart of the matter is a legitimate concern: children should not be exposed to adult content online. The introduction of mandatory age verification for adult websites aims to tackle this, and on paper, it’s a sensible measure.
But the implementation is flawed. Instead of creating a safe, trustworthy ecosystem for identity verification, the enforcement has been outsourced to unaccountable third parties with opaque data handling practices. These third parties now expect users to hand over highly sensitive identification data, often to offshore platforms, without any credible guarantee of how that data is stored, secured, or protected from abuse. Unsurprisingly, many people are reluctant to hand over their ID to a faceless, unregulated adult website. Who can blame them?
There are precedents for concern. From the Ashley Madison breach to recent dating app data leaks, history shows us that platforms handling intimate data are prime targets for hackers. People don’t just fear the theft of their data, but the very real risk of blackmail, extortion, or reputational damage should that information fall into the wrong hands. The consequence? Users are flocking to VPNs to bypass age verification requirements, not out of a desire to break the law, but to protect themselves in a system they simply do not trust.
What a VPN actually does
A VPN is a well-established technology, and in internet terms, it’s practically middle-aged. It encrypts your data and hides your location, effectively placing your online activity in a secure “locked box” during its journey across the internet. From a privacy and security perspective, VPNs are invaluable. They’re used by journalists protecting sources, whistleblowers exposing corruption, businesses enabling secure remote work, and everyday citizens protecting their data from surveillance or criminal snooping.
Millions of UK users rely on VPNs daily, from accessing corporate networks securely while working remotely to streaming British services like Netflix or BBC iPlayer while abroad. Banning or heavily regulating VPNs doesn’t just put these legitimate uses at risk; it criminalises basic privacy protection. It would be akin to banning curtains because some people use them to hide illicit activity.
The Government’s misfire
The Online Safety Act’s noble intent is now backfiring. In attempting to protect children from online harm, the legislation has unwittingly pushed large numbers of users into the arms of privacy tools that make lawful interception and regulation nearly impossible.
Worse still, the Government seems more focused on controlling the tools of circumvention than addressing the root cause: lack of public trust in age verification systems. The idea that a user becomes a "person of interest" simply for using a VPN is a worrying sign of how this narrative is being manipulated. It’s deeply ironic and dangerous to suggest that protecting one’s privacy is itself suspicious behaviour.
Legislative lag and the illusion of control
This situation underscores a broader issue: governments’ ongoing struggle to keep up with the pace of technological change. Legislating for the internet often leads to reactionary decisions, based on misunderstandings of how technologies work or the ecosystems they operate in.
Attempting to “deal with” the VPN spike by banning VPNs is a classic case of addressing the symptom, not the disease. It solves nothing. Worse, it risks breaking more than it fixes. A more rational approach would involve the creation of a centralised, UK-regulated digital identity framework – one that users can trust, that is secure by design, and that offers transparency in how their data is managed. Similar frameworks already exist in banking and other sectors; there’s no reason a well-designed digital identity model couldn’t underpin age verification too.
To draw a parallel: for decades, pubs and off-licences have been required to ask for ID from anyone buying alcohol. But not just any ID – recognised, official documentation like a passport or driving licence. The responsibility is on the seller to verify the authenticity of that ID. In the digital space, we’ve handed that responsibility to adult websites, a decision that feels, at best, naïve, and at worst, reckless.
Better solutions, not worse problems
Let’s not lose sight of the end goal: protecting children online. That is an objective we can all agree on. But achieving it requires smart, future-proofed policy, not knee-jerk restrictions or digital authoritarianism.
Banning VPNs doesn’t fix the problem. It punishes people for not blindly trusting a system that has consistently failed them. It undermines individual privacy, damages national cyber-security posture, and positions the UK in embarrassing company on the global stage.
It’s time for a grown-up conversation about digital identity, trust, and accountability, not the scapegoating of privacy tools that millions rely on for perfectly legal, legitimate, and essential reasons.
Graeme Stewart is Head of Public Sector at Check Point Software