EU calls VPNs "a loophole that needs closing" in age verification push

Posted by muse900 7 hours ago

EU calls VPNs "a loophole that needs closing" in age verification push(cyberinsider.com)

266 points | 196 commentspage 2

rswail 4 hours ago|

Governments already have everyone's ID, including DOB. They say that the problem is non-adults accessing adult sites and services. So therefore, the sites need to know that users are over 18 (or the selected government age).

There should be a standardized government ID service/API that allows a person to let it disclose their age (or other user selected information) to a requesting site/service. That's all that is needed if the government ID service has appropriate 2FA and security.

Both the request and the response can be appropriately anonymized so that the government doesn't know the site, and the site doesn't know the person's identity.

Why isn't this a thing yet? As far as I know, no one has proposed it.

mr_mitm 4 hours ago||

The german gov id supports that. They have a PKI and the id is a smart card with a cert and private key on it [0]. It lets you answer the question "are you over 18" with a zero knowledge proof. I guess it only proves you have in your possession a valid id AND know the PIN to it, but that should be fine. France apparently has this, too, according to the article.

[0] https://www.personalausweisportal.de/Webs/PA/EN/government/t..., https://www.bsi.bund.de/EN/Themen/Oeffentliche-Verwaltung/El...

pimterry 4 hours ago|||

This has been widely discussed, and initial implementations exist: the EU digital wallets are doing exactly this. https://ec.europa.eu/digital-building-blocks/sites/spaces/EU....

In theory, every EU state will have to support this soon so users can use it to verify age privately online. Still work to do to roll this out for real, but the technological part is very much already happening and I think the rollout plan is committed.

codedokode 3 hours ago|||

No. You seem to not understand how government works. It will never be anonymized so it's an awful idea, you basically suggest to link accounts to a passport.

qnpnpmqppnp 2 hours ago|||

> Both the request and the response can be appropriately anonymized so that the government doesn't know the site, and the site doesn't know the person's identity.

Yes that's how it's done in France for instance, and generally how it's being discussed in the EU.

mcv 4 hours ago|||

Exactly. Governments that really care about age verification should provide the tools to do so. They have the means to do so without violating privacy. Something like the Dutch DigiD service (the one they're about to sell to the US despite literally everybody opposing that) would be a great basis for this; just add an age verification service to it. They already know who you are in the most legal sense possible.

thrance 4 hours ago|||

> There should be a standardized government ID service/API

Most European country already have one, some are still testing theirs. They're required by the EU to make one accessible to their citizens by the end of this year, in the context of the eID project [0].

[0] https://commission.europa.eu/topics/digital-economy-and-soci...

pembrook 4 hours ago||

> if the government ID service has appropriate 2FA and security.

You're kidding right?

drysine 3 hours ago|||

Why?

In Russia we have gosuslugi.ru (state services), which nowadays requires 2FA and hasn't been compromised in any major way so far.

Among other things they provide a way for a third party to use it as identification service and a user chooses which data about himself he wants to share. No anonymity, though, and I don't see how it can be implemented so that the verification provider doesn't know which service is requiring age verification.

pembrook 3 hours ago||

You seriously think Russia's state services are not compromised by intelligence?

Also, yea, no anonymity is the problem. Why would you want your government to be able to track every single website you've ever visited -- especially considering we're talking about an autocratic regime?

I'm astonished at the naivety on display on a community called "Hacker news."

drysine 1 hour ago||

>You seriously think Russia's state services are not compromised by intelligence?

The state services are required to assist intelligence and law enforcement in lawful investigations, the intelligence don't need to compromise anything.

>Why would you want your government to be able to track every single website you've ever visited

I don't want anyone to track every single website I visited.

>considering we're talking about an autocratic regime

Glad you see the EU for what it is.

The problem is that verifying age requires disclosing your identity and the fact that you use a certain service. Whoever is the provider of such verification, it learns too much about you.

Is the state a worse choice for that than a commercial entity that has fewer resources to secure itself against hacking and might even sell the data itself?

I would rather not have age verification at all and glad there is no such thing in Russia (yet?).

Hikikomori 3 hours ago|||

These already exist in several eu countries. Imagine that there are governments that is not America and that actually work.

pembrook 3 hours ago||

Just this year, France government ID system hacked: https://www.biometricupdate.com/202604/french-govt-confirms-...

rvnx 3 hours ago||

"hacked", such a shame what happened in the background; it was a teenager who saw some url like "view_my_id_documents?id=1234" and just incremented the number, and could download the documents of other people (did on dozens of millions).

pveierland 5 hours ago||

Age restrictions + VPN bans + encryption restrictions + client-side monitoring + restricting general purpose computing.. It's just rapid descent into digital fascism set up by people who have no ability to see how the dots will end up connecting.

lpcvoid 5 hours ago||

I think they absolutely have the ability to see it, it's part of the value proposition for them.

pveierland 4 hours ago||

Speaking from the POV of my country, you absolutely have prime minister + minister level understandings that seem to plainly be based on issues such as "we need to stop children from bullying each other on social media", "we need to help police surveillance to stop crime", "we need to protect people from internet porn" etc, and it seems to be that the political capital and will to create these measures comes from short-term attempts to solve certain problems, without being able to understand how a broader set of these measures will together create digital fascism.

Beyond that I fully believe there are intelligence agencies, advertising agencies, military interests, IP control interests etc that are all working very diligently and in more targeted ways to each achieve their goals better by pushing for specific measures and helping to amplify moral panics to build the necessary political capital.

rufasterisco 4 hours ago||

I am sorry you see it this way, when the very subject at hand is a practical example of how the EU has planned and built a wallet around the very same ideas you seem to cherish.

Unfortunately, now that it comes to the news cycle, it’s easy to get outraged around misleading headlines.

I encourage you to invest time in researching what the EU has done in the past decade around digital identities and their framing around privacy questions on this. I hope you will find, as I do, that it moved the needle in t he right direction.

pveierland 4 hours ago||

I don't care for a limited and selective best-possible interpretation of a subset of measures viewed in isolation. The point is that a broader set of vectors are being used continuously to gradually ensnare and limit digital freedom.

This is not a misleading headline, this is a document from the European Parliamentary Research Service that calls out VPNs as a technology that may need to be moderated in order to enforce restrictions such as age verification.

https://www.europarl.europa.eu/RegData/etudes/ATAG/2026/7826...

As you are calling me out - specifically answer how restricting access to VPNs would benefit the freedom of thought, communication, and information within Europe, and not be something that - together with other measures - can help facilitate digital fascism.

kro 4 hours ago||

VPN usage increased, but how to they draw the conclusion that this is children. I think it's more likely that adults are using VPNs to not have to deal with the ID process. I would do that.

As VPNs usually cost some money, which is already a barrier for minors.

dragonelite 3 hours ago||

The western great fire wall is reducing its scope..

megous 1 hour ago||

Some EP commitee writes a report about some UK (not-EU) person stating "VPNs are a loophole that needs closing".

  > A loophole that needs closing
  [Some argue] that this is a loophole in the legislation that needs closing and call for age verification to be required for VPNs as well.

[Some argue] being a link to some UK website

https://www.europarl.europa.eu/thinktank/en/document/EPRS_AT...

sev_verso 5 hours ago||

VPNs are essential tools against government persecution. Linking identity to a VPN session under any guise (age verification or otherwise) is something out of the playbook of dictatorial states.

LightBug1 3 hours ago||

Over my dead internet connection.

VPN for the VPN with a back-up VPN for the VPN's VPN.

spacedoutman 4 hours ago||

We desperately need a new internet

JV00 5 hours ago|

Perhaps these legislators are addicted to porn and don't want their children to do to themselves the same they have done. Would explain their obsession and relentlessness to get this done.

It's just a pity they are destroying the internet while doing that. They should be attacking the companies making money from porn instead.

And by the way porn can damage your mind even after 18 so age verification is not a real solution anyway.

danaris 3 hours ago||

Porn addiction has been shown not to be a real thing.

People who believe they are addicted to porn view porn at approximately the same rate as other people: they just feel more guilty about it, due to being raised to believe that it is shameful.

One source on the topic: https://www.psychologytoday.com/us/blog/talking-apes/202207/...

olsondv 51 minutes ago||

[dead]

lifestyleguru 5 hours ago|||

I agree that age verification is old perverts addicted to porn simply projecting their problem onto others. Kids after a day of continuous swiping of tiktok and instagram want tattoos and bitcoin.

xg15 5 hours ago||

Which is why the age restriction would apply to "normal" social media as well?

lifestyleguru 5 hours ago||

Even better! Now teenager can legally buy bitcoin straight in the tattoo parlor one week after their 18th birthday.

skeptic_ai 5 hours ago||

Porn or social media or fake news destroy kids brain more? I can’t even tell

balamatom 3 hours ago||

Parents destroy kids' brains the most.

More comments...