Mozilla on Monday warned UK policymakers that disabling or degrading virtual private networks will not fix the country’s troubled approach to online age checks. The Firefox maker argued that VPNs serve as basic security infrastructure for millions of users and businesses, not as contraband for teenagers. The warning comes as the UK continues to search for workable age-verification measures under its online safety regime, amid pressure to curb access to adult content and other age-restricted material. Mozilla’s message, reported by The Register, puts a spotlight on a core policy trade-off: how to protect young people without undermining privacy, cybersecurity, and the tools that keep modern work and daily life running.
The development surfaced in the UK on Monday, May 18, 2026, in coverage by The Register. It reflects ongoing domestic debates over how to enforce online age checks and whether to curb technologies that can route around website blocks or local restrictions.
VPNs are security plumbing, not a loophole to seal
A VPN creates an encrypted connection between a device and a remote server. People use them to secure traffic on public Wi-Fi, protect data from snooping, and reach work resources from home. Companies depend on VPNs to shield internal systems and to comply with security obligations. Newsrooms, activists, and at-risk communities rely on them to avoid surveillance and harassment. These are not fringe uses; they are routine for modern networks.
Treating VPNs as a problem to solve invites collateral damage. Many VPNs run over the same ports and protocols as other secure services. Trying to block them can break legitimate apps, disrupt remote work, and erode trust in UK infrastructure. It also nudges users toward riskier behaviors, like disabling security features or turning to unvetted tools that are harder to monitor or support.
The UK’s long struggle with online age checks
Britain has wrestled with this problem for years. Lawmakers first tried age verification for adult sites under the Digital Economy Act in 2017, but ministers dropped the plan in 2019 after technical, privacy, and enforcement concerns. The Online Safety Act has since revived age-assurance goals across a wider range of services, with Ofcom tasked to enforce codes of practice and guidance.
The central challenge remains the same: any system that demands robust proof of age runs into privacy and data protection issues, while any system that avoids holding sensitive data can be easier to bypass. That tension has fueled calls from some quarters to clamp down on circumvention tools, including VPNs. Even so, there is no clear, consistent path to identify and block all VPN traffic without sweeping up legitimate encrypted services.
Breaking VPNs won’t close the enforcement gap
Technical blocks often trigger a cat-and-mouse cycle. VPN providers can shift IP addresses, use “stealth” or obfuscation modes, and blend into ordinary web traffic. Attempts to block them risk overreach—accidentally cutting off content delivery networks, cloud services, or corporate tunnels that share similar network patterns. Network operators also warn that blunt blocking can degrade overall internet reliability.
Security experts have long cautioned that undermining general-purpose encryption to reach one policy goal undermines many others. Weakening VPNs can expose small firms to data theft, disrupt supply chains that rely on remote access, and harm public services using secure links. Those costs fall hardest on schools, councils, clinics, and small businesses that lack the budget to rebuild systems around new rules.
Privacy law still sets hard limits on age-check data
Age-assurance schemes that collect sensitive identity data raise well-known privacy risks. Data protection law in the UK requires necessity, proportionality, and data minimisation. Regulators have stressed that services should not create new troves of personal information that can leak or be misused. That places a high bar on any proposal that centralises age data or makes it easy to link a person’s identity to what they browse or watch.
Privacy-preserving options—such as third-party tokens that confirm age without revealing identity, or checks done on-device—offer promise but face adoption and interoperability hurdles. They must work across a fragmented ecosystem of websites and apps while staying usable for families and small services. Even the best designs will not stop every determined user, which is why many technologists warn against staking a policy’s success on total circumvention-proofing.
What regulators can do without hobbling security
Policymakers have options that do not depend on breaking VPNs. Clearer, risk-based standards for age assurance can focus on outcomes, not single technologies. Regulators can target repeat non-compliance by commercial adult sites, require transparent policies, and encourage independent audits of age models. App stores can enforce publisher-level checks and remove repeat offenders. Payment and ad networks can add pressure by refusing business from services that ignore the rules.
Public education also matters. Families need simple tools and clear advice. Schools and local authorities can help parents set device-level controls and discuss safe online habits. None of these steps delivers a perfect shield, but together they raise the bar without weakening the networks that people and businesses rely on every day.
The UK’s credibility is at stake in global tech debates
The UK often presents itself as a leader in online safety, privacy, and cybersecurity. Moves that undermine common security tools risk sending mixed signals to allies and investors. At a time when ransomware and data breaches strain hospitals, councils, and SMEs, policymakers will face tough questions if they curtail one of the basic tools those organisations use to stay safe.
Other jurisdictions also watch how the UK strikes this balance. The EU’s Digital Services Act pushes platforms toward stronger age-appropriate design, and US debates over youth online safety continue at the state and federal levels. If the UK can show that it will protect children without degrading core security infrastructure, it strengthens its hand abroad. If not, it may find itself isolated and its rules difficult to export.
Mozilla’s warning on Monday distills a hard truth: fixing the UK’s age-check mess requires a clear plan that respects both child safety and the security fabric of the internet. VPNs are part of that fabric. Breaking them would burden businesses, weaken privacy, and likely fail to stop the most determined users. The government and Ofcom now face a practical test. They can refine guidance, back privacy-preserving age assurance, and target willful non-compliance—or chase an illusion of total control that erodes trust in UK networks. The next steps will signal whether Britain aims for durable, enforceable rules or a shortcut that creates bigger problems than it solves.
