Wisconsin lawmakers are on the verge of passing legislation that would not only require age verification for access to websites containing “material harmful to minors,” but also effectively ban the use of Virtual Private Networks (VPNs) to circumvent those restrictions. Assembly Bill 105 / Senate Bill 130 (AB 105/SB 130) has already passed the State Assembly and is scheduled for a vote in the State Senate, raising significant concerns among privacy advocates like the Electronic Frontier Foundation (EFF).
The core of the bill mandates that websites hosting content deemed “harmful to minors” implement “reasonable age verification methods.” However, the legislation goes further, requiring these sites to actively block access from any IP address associated with a VPN. This seemingly straightforward approach is proving to be deeply problematic, both technically and from a privacy perspective.
The Technical Challenges of VPN Blocking
A fundamental issue lies in the very nature of VPNs. Websites can only detect the masked IP addresses provided by VPN services, not the actual location of the user. As the EFF points out in a letter to the Wisconsin Legislature, this creates an impossible situation for website operators. To comply with the law, they would be forced to choose between several undesirable options: over-blocking legitimate IP addresses commonly used by VPNs, blocking all users from Wisconsin, or implementing nationwide restrictions to avoid potential liability.
This over-blocking is a significant concern. Commercial VPNs are used by a wide range of individuals and organizations for legitimate purposes, including businesses protecting sensitive data, journalists safeguarding sources, abuse survivors seeking anonymity, and individuals simply wanting to protect their online privacy. A blanket ban on VPN access would impact all of these users, not just those attempting to access restricted content.
A Privacy Nightmare: Data Collection and Broad Definitions
Beyond the technical hurdles, the bill raises serious privacy concerns. Complying with the age verification requirement necessitates the collection of sensitive personal data. Websites would be compelled to request government-issued identification, financial information, or even biometric identifiers to verify a user’s age. The bill prohibits websites from retaining this identifying information after access is granted or denied, but the initial collection itself presents a substantial risk of data breaches and misuse.
Adding to these concerns is the bill’s expansive definition of “material harmful to minors.” The legislation goes beyond the traditionally recognized categories of explicit adult sexual material, potentially encompassing depictions and discussions of human anatomy, sexuality, and reproduction. This broad definition invites over-censorship and chills lawful speech, as websites may err on the side of caution and remove content that could be subject to interpretation. The EFF highlights that this approach mirrors a pattern seen in other conservative states, where definitions of “harmful to minors” are aggressively expanded to censor a wide range of content, including educational materials and artistic expression.
VPNs: Cybersecurity Tools, Not Just “Loopholes”
The push to ban VPNs stems from the fact that they allow users to bypass age verification systems. As age verification laws are enacted, VPN usage has increased as individuals seek to maintain their privacy. However, framing VPNs as mere “loopholes” ignores their crucial role as cybersecurity tools. VPNs encrypt internet traffic, protecting users from surveillance and data interception. They are essential for maintaining online security, particularly on public Wi-Fi networks.
The rise in VPN usage also presents risks, particularly with free VPN services. , CNET reported on the dangers of downloading malicious VPN apps, which can inject malware, log user activity, or misuse personal data. Google has even issued warnings to consumers about these risks. While the potential for malicious VPNs is a valid concern, banning VPNs altogether is not the solution. Instead, efforts should focus on educating users about the risks and promoting the use of reputable VPN providers.
A Broader Debate: Privacy vs. Protection
Wisconsin’s proposed legislation highlights a fundamental tension in internet policy: balancing the legitimate goal of protecting minors from inappropriate content with the equally important need to preserve privacy, free speech, and the security tools that millions of law-abiding adults rely on daily. The debate extends beyond Wisconsin, with similar proposals being considered in other states, like Michigan, and even in the United Kingdom. The UK has seen calls to close what officials describe as the “VPN loophole.”
The EFF argues that the Wisconsin bill is both technically unworkable and a dangerous overreach of government power. The organization urges Wisconsin lawmakers to reject the bill, emphasizing that protecting young people online should not come at the expense of cybersecurity, free speech, and individual privacy. The outcome of the vote in the State Senate will likely set a precedent for other states grappling with similar issues, making it a critical moment for digital privacy rights.
