Utah passed a bill recently that didn’t get nearly as much attention as it probably should have, mostly because the way it was framed made it sound pretty reasonable on the surface. The stated goal was to stop people from using VPNs to get around age verification on adult websites. And honestly if that were really all it was about, most people probably wouldn’t have much to say about it. But there’s a lot more going on underneath that and it’s worth paying attention to.
Here’s the background. Utah is one of several states that has passed laws requiring adult websites to verify the age of their visitors before letting them in. The way that usually works is the site asks you to upload a government ID. And as you can probably imagine, most people are not thrilled about uploading their drivers license to a website like that just to prove they’re over 18. So a lot of people have been using VPNs to make it look like they’re in a different state where those restrictions don’t apply. You tell the site you’re in Nevada, it lets you in, no ID required.
The new bill is trying to address that by making it so companies can’t encourage or guide their users to use a VPN to get around these geolocation restrictions. So if you run one of these sites you can’t tell your visitors hey there’s this thing called a VPN that would solve your problem. You have to basically pretend that option doesn’t exist.
And this is where it starts getting into some genuinely weird legal territory. VPNs are completely legal. There’s no law against using one. But this bill is telling companies they cannot educate their users about a legal tool. That’s a free speech argument waiting to happen and its a pretty valid one. You’re not banning the thing itself, you’re just banning talking about it, which in some ways is even stranger.
The practical enforcement problem is just as messy. How do you actually prove someone used a VPN to access your site? And even if you could, what are the companies supposed to do about it? The only real technical option would be to block known VPN IP addresses, but that’s basically impossible to do effectively. VPN services constantly rotate their IP addresses and there are thousands of them. Trying to block them all would be like trying to get rid of bedbugs one at a time. And on top of that if you start blocking IP ranges you’re inevitably going to start blocking regular people who aren’t using VPNs at all and just happen to share an IP range with one that got flagged.
So realistically what this bill actually does is force companies to put out a statement saying they don’t condone using VPNs to get around state laws. That’s about it. Which makes the whole thing feel more like a press release requirement than actual enforcement.
But here’s what makes people nervous about it and rightfully so. This kind of legislation tends to be step one. You pass something that sounds completely reasonable, everybody nods along because nobody wants to defend adult websites, and then the infrastructure you built to enforce it gets used for something else down the road. The same pattern happened in the UK where a Child Safety Act got passed and then pretty quickly started being used to censor content about unrelated political topics. The tool doesn’t go away once the stated problem is solved. It just finds new applications.
The deeper fear is that laws like this are slowly building toward a world where everyone has a kind of unique digital fingerprint that makes it impossible to be anonymous online. And once that infrastructure exists, whoever is in power has the ability to see exactly what everyone is doing and saying. That’s not a paranoid fantasy, its a pretty logical endpoint if you follow where the legislation is trending. It’s worth paying attention to even if the thing they’re using to get there sounds totally harmless.
