The Firefox maker argues that VPNs are essential privacy tools, not teenage contraband, and that Britain's focus on them distracts from the real issues with the Online Safety Act's age verification system.
Mozilla has issued a stark warning to the UK government, cautioning against treating virtual private networks (VPNs) as the enemy in the enforcement of age verification requirements under the Online Safety Act. In a submission to the Department for Science, Innovation and Technology's "Growing up in the online world" consultation, the Firefox maker argued that VPNs are fundamental privacy and security infrastructure, not merely tools for teenagers to bypass age restrictions.
The submission comes as UK officials grapple with the unintended consequences of their Online Safety Act, which has led to a surge in VPN usage as both adults and children seek to avoid handing over sensitive personal data to websites demanding facial scans or ID verification. The Children's Commissioner for England has even suggested exploring ways to prevent children from using VPNs altogether—a position Mozilla strongly contests.
"VPNs serve as critical privacy and security tools for users across all ages," said Svea Windwehr, policy manager at Mozilla. "By hiding users' IP addresses, VPNs help protect users' location, reduce tracking and avoid IP-based profiling." Windwehr emphasized that millions of ordinary people rely on VPNs for legitimate purposes, including securing public Wi-Fi connections, enabling remote work, protecting journalists and activists, and simply maintaining privacy online.
Mozilla's submission challenges the fundamental premise behind targeting VPNs, pointing to research from Internet Matters suggesting that relatively few children actually use VPNs, and an even smaller minority use them specifically to bypass age restrictions. The company argues that most successful workarounds involve fake birth dates, borrowed accounts, or inadequate age assurance systems that children have reportedly fooled with simple tricks like drawn-on facial hair.
A central paradox identified by Mozilla is that any attempt to restrict VPN access would require users to first hand over personal information to verify their age—precisely the kind of data collection VPNs are designed to prevent. This creates a Catch-22 situation where privacy tools become inaccessible to those who need them most.
The UK's struggle with VPNs reflects a broader European trend. Denmark recently proposed anti-piracy legislation so broad that it raised fears VPN usage itself could become legally risky, though ministers later clarified they weren't attempting to ban VPNs entirely. Across the continent, VPNs are increasingly being viewed not as routine security software but as obstacles to enforcement as users turn to them to bypass various restrictions.
Complicating regulatory efforts is the technology industry's movement in the opposite direction. Mozilla has already begun testing built-in VPN functionality directly within Firefox, joining a growing trend of browsers integrating privacy features that previously required separate software. While standalone VPN apps might be blockable, untangling VPN functionality from modern browsers presents a much more significant technical challenge.
Mozilla's submission repeatedly criticizes what it sees as Britain's drift toward "safety through surveillance" rather than addressing the root causes of online harms. The company argues that the focus should be on engagement algorithms, platform incentives, and recommendation systems that actually drive problematic content, rather than targeting the privacy tools that protect users from excessive data collection.
The implications for compliance are significant. If the UK proceeds with restrictions on VPNs, it would face substantial technical challenges, potential conflicts with privacy regulations like GDPR, and likely limited effectiveness in achieving its stated goals of protecting children online. Meanwhile, millions of legitimate users who depend on VPNs for security and privacy would be caught in the crossfire.
As digital rights advocates continue to push back against what they see as disproportionate measures, the debate highlights a fundamental tension: how to protect vulnerable users online without undermining the privacy and security infrastructure that underpins trust in the digital ecosystem. Mozilla's warning suggests that the UK's current path may ultimately undermine both security and safety, rather than enhancing either.
Comments
Please log in or register to join the discussion