Due to the UK’s Online Safety Act implemented earlier this year, accessing my Bluesky DM’s now means I need to allow a third-party service to scan my face, ID, or bank card. Understandably, that gives me the willies. So I can either simply never look at my messages again, whip out the likeness of Norman Reedus, OR I can log on via a VPN. However, the days of this vastly preferable third option may be numbered.
US states Wisconsin and Michigan have already proposed VPN crackdown bills aiming to close off this workaround—and the UK may be looking to follow suit. Online privacy nonprofit the Electronic Frontier Foundation recently criticised this strategy, taking aim at Wisconsin’s bill in particular, saying that blocking the use of VPNs is “going to be a disaster for everyone.”
I do wonder how they’re going to even try to enforce this. VPNs aren’t exactly blockable without a great firewall type apparatus. If they block major providers then you can just setup your own, and if they block VPN protocols outright then it ranges from ineffective to outright destroying the internet. I just don’t really get how this is going to work practically. Which is good… hopefully it doesn’t pass though.
I could see them using it a law they only enforce when they want to target someone.
It seems like a “great firewall” is where all this will lead. Projects like xray-core may become important to a lot more people in the future.
The way I understand it, any company wanting to do business in the state would have to block access to their services from (anonymous?) VPN providers. That means IP blocks for PIA, mollivard, etc will be blacklisted by companies. There are already blocklists of IPs for VPN providers that many corporate web filters use (yes, they are terrible and inaccurate).
Yes, you would probably be able to fire up a VPS from a no-name provider and get through. However,
The major providers have “no logging” policies. They generate no data linking your payment information to your activity, so they have no data to turn over if requested. Your activity is traceable from the sites you visit back to the VPN’s endpoint, but the no-logging policy prevents further tracing back to you.
Any VPN you setup on your own is going to be tied to you just as closely as a facial scan, ID, or bank card.
It depends on how the law is implemented.
If simply connecting to a VPN is illegal, then your ISP could rat you out. They can’t tell what you are doing, but they can see a bunch of encrypted traffic between you and a VPN server.
Such a law would prohibit Cloudflare’s entire business model. That interpretation will never survive the courts.
You good sir underestimate the stupidity of courts
The courts understand money. A handful of state legislators can’t throw nearly as much money at such a case as the big names in tech. Therefore, big tech wins.
Wrong end for most of us. It’s not that we live in a backward-state where VPNs are illegal, it’s that companies that want to do business in the state will have to block ALL users coming in through a VPN, regardless of where you live. They know which users are using a VPN because the IP blocks are well known, and they will just have to block those users. That’s why this one state is trying to f- over everyone.
That makes more sense and is…even worse tbh because that’s actually enforceable and so obvious I don’t know how I missed it. That would also probably impact Tor since those IPs are already heavily reputation damaged. The stuff governments have been pulling recently is just insane
As apex32 pointed out, it isn’t about logging, it’s about your ISP either ratting you out or outright blocking the domains and IP blocks of major providers and that’s why I said you can setup your own. Ofc even hosting one yourself your ISP can probably still determine you’re using a VPN through traffic analysis even if you’re using TCP 443 to blend in but it makes it harder.
My point is that setting up your own, you have a second ISP for the VPN endpoint. Traffic from/to that endpoint is traceable to the operator of that VPN, but now that operator is you, rather than a major provider.
The no-logging feature of the major ISPs provides anonymity by leaving them unable to correlate traffic on the endpoint to an actual person. That feature is the core function of a VPN, but it is not something that you can setup for yourself.
So what do you propose? Just not using a VPN? If you’re that worried you can run a second public VPN on top of your private one. The point of the private one is to avoid ISPs outright blocking known major providers.