Mozilla Urges UK Regulators to Preserve VPN Access for All Ages Amid Online Safety Concerns
Introduction
In May 2026, the United Kingdom’s Department for Science, Innovation and Technology (DSIT) launched a consultation on new measures aimed at protecting young people in an increasingly digital world. The proposal, part of the broader Online Safety Act, suggested age‑gating virtual private networks (VPNs) to curb minors’ ability to bypass age‑assurance systems that enforce content restrictions. Mozilla, the non‑profit steward of the open web, responded with a detailed submission arguing that such restrictions would undermine fundamental privacy and security rights for users of all ages. Mozilla’s stance underscores a broader debate about how best to safeguard children online without eroding the freedoms that underpin the internet’s open architecture.
VPNs have long been a staple of digital privacy, offering encryption, anonymity, and the ability to circumvent geographic or political restrictions. They are also a crucial tool for professionals, activists, and ordinary users seeking to protect personal data from surveillance and tracking. By advocating for age‑gating, regulators risk creating a digital divide that disproportionately affects vulnerable populations, including minors who may rely on VPNs for safety and privacy.
This article examines Mozilla’s submission in detail, situating it within the regulatory landscape, exploring the technical and societal implications of restricting VPN access, and considering alternative policy approaches that balance child protection with privacy rights. By dissecting the arguments from multiple angles—legal, technical, and ethical—the piece aims to provide a comprehensive understanding of the stakes involved in this contentious policy debate.
1. The UK Online Safety Act and Age Assurance
The Online Safety Act, enacted in 2022, establishes a statutory framework for platforms to mitigate harmful content and behaviors online. Central to the Act is the concept of “age assurance,” a mechanism that requires platforms to verify a user’s age before granting access to certain content or services. Proponents argue that age verification will curb exposure to disallowed material, reduce child exploitation, and create a safer digital environment for minors.
Critics point out that age‑assurance systems are notoriously fragile. Many platforms employ self‑reported ages or rely on third‑party verification services that can be bypassed. The DSIT’s consultation sought to strengthen these measures by proposing age‑gating for VPNs, effectively preventing minors from using tools that could help them circumvent the very age checks the Act intends to enforce. The underlying assumption is that minors who can bypass age restrictions pose a greater risk to themselves and others.
Mozilla’s submission challenges this assumption, contending that restricting VPNs would be an overreach that harms the broader user base and fails to address the root causes of online harm. Instead, Mozilla advocates for a more nuanced approach that focuses on platform accountability, parental controls, and digital literacy.
2. VPNs as Privacy and Security Tools
2.1. How VPNs Work
Virtual private networks operate by routing a user’s internet traffic through encrypted tunnels to remote servers. This process masks the user’s IP address, obfuscates location data, and prevents third parties from monitoring or profiling online activity. For many, VPNs are a first line of defense against targeted advertising, surveillance, and censorship.
Beyond privacy, VPNs enable legitimate use cases such as remote work, secure access to corporate networks, and compliance with data‑protection regulations. Activists and journalists in repressive regimes rely on VPNs to protect sources and evade state‑controlled monitoring. Even everyday users benefit from reduced exposure to malicious actors, as VPNs can block traffic from known threat actors and mitigate phishing attempts.
2.2. VPNs in the Context of Minors
In the UK, minors increasingly use the internet for education, social interaction, and creative expression. VPNs can serve as a protective shield against exploitation. For instance, a teenager living in a region with strict internet censorship can use a VPN to access educational resources and communicate safely with peers. Conversely, a malicious actor could use a VPN to conceal identity and facilitate predatory behavior. Thus, VPNs occupy a dual role: they are both a tool for empowerment and a potential vector for abuse.
3. Mozilla’s Position: Summary of the Submission
Mozilla’s 2026 submission to DSIT presents a multi‑layered argument against age‑gating VPNs. First, the organization asserts that privacy and security are fundamental human rights, a stance rooted in its mission to keep the internet open and accessible. Second, Mozilla highlights the practical realities of VPN usage: individuals use VPNs for work, education, and safety, not solely to evade age restrictions. Third, the submission contends that blanket restrictions would be ineffective in protecting children, as determined users can find alternative methods to bypass controls.
Mozilla recommends that regulators focus on holding platforms accountable for harmful content, encouraging responsible parental controls, and investing in digital skills education. The submission emphasizes a “whole‑society” approach, suggesting that policy should foster digital wellbeing rather than impose technical barriers that affect all users.
The core of Mozilla’s argument is that restricting VPNs would not only undermine privacy but also erode the very freedoms that the Open Web is built upon. By limiting access to a widely used privacy tool, the government risks creating a precedent that could justify further erosions of digital rights.
4. Potential Impact on Young Users
4.1. Risks of Unrestricted VPN Access
Minors who gain access to VPNs may use them to bypass age restrictions on platforms that host inappropriate or harmful content. This could expose them to sexual exploitation, radicalization, or other online harms. Additionally, some children may use VPNs to access illicit content or engage in illegal activities, raising concerns about child protection and law enforcement.
4.2. Benefits of VPN Access for Youth
Conversely, restricting VPNs could disproportionately affect young users who rely on them for legitimate reasons. For instance, a teenager in a country with strict censorship may need a VPN to access educational resources or communicate with family abroad. In the UK, minors might use VPNs to protect their privacy when interacting with peers or accessing sensitive services, such as mental‑health platforms. Age‑gating could inadvertently force them to rely on less secure alternatives, increasing vulnerability to surveillance or targeted advertising.
4.3. Digital Literacy as a Mitigating Factor
Mozilla’s submission stresses that equipping young people with digital literacy skills is a more effective strategy than restricting technology. By teaching children how to navigate privacy settings, evaluate content credibility, and use parental controls responsibly, policymakers can address root causes of online harm without limiting access to privacy tools. This approach also aligns with broader educational initiatives that emphasize critical thinking and responsible digital citizenship.
5. Regulatory Alternatives to Age‑Gating VPNs
Mozilla proposes several policy alternatives that could mitigate online harm while preserving privacy:
| Alternative | Description | Potential Effectiveness |
| ------------- | ------------- | ------------------------ |
| Platform Accountability | Strengthen legal obligations for platforms to remove harmful content promptly and transparently. | High – addresses root cause of exposure. |
| Parental Controls | Encourage development and use of robust, user‑friendly parental control tools that allow parents to set boundaries. | Medium – depends on parental engagement and tool quality. |
| Digital Skills Investment | Fund educational programs that teach privacy, security, and critical media literacy. | High – long‑term cultural shift. |
| Transparency Reports | Require platforms to publish detailed reports on content moderation, data collection, and user privacy. | Medium – promotes accountability but may not directly reduce harm. |
| Youth‑Centred Safeguards | Create guidelines for safe design practices that protect minors without restricting adult tools. | Medium – requires industry cooperation. |
These alternatives focus on systemic changes rather than individual tool restrictions. They also align with Mozilla’s broader advocacy for open, privacy‑respecting internet architecture.
6. International Comparisons
6.1. European Union Digital Services Act
The EU’s Digital Services Act (DSA) introduces a “protective shield” for minors, requiring platforms to provide age‑appropriate content filters and parental controls. However, the DSA does not mandate age‑gating for VPNs. Instead, it emphasizes transparency and user empowerment, mirroring Mozilla’s approach.
6.2. United States Privacy Landscape
In the U.S., privacy is largely sector‑specific, with laws such as the Children’s Online Privacy Protection Act (COPPA) focusing on data collection from minors. There is no federal mandate for age‑gating VPNs. The industry has largely adopted voluntary age‑verification schemes, and the focus remains on parental controls and user education.
6.3. Other Jurisdictions
Countries like Canada and Australia have introduced “child‑protective” measures that emphasize parental consent and content moderation. None of these jurisdictions have considered age‑gating VPNs, suggesting a global consensus that VPN restrictions would be disproportionate and ineffective.
7. Challenges of Age‑Gating VPNs
7.1. Technical Feasibility
Implementing age verification for VPN services is technically challenging. VPN providers typically operate through decentralized networks, often using servers in multiple jurisdictions. Verifying the age of a user who initiates a VPN connection requires real‑time identity verification, which can introduce latency and degrade user experience. Moreover, many VPNs are free or low‑cost, making it difficult to enforce age checks without significant cost increases.
7.2. Enforcement and Compliance
Even if age‑gating were technically feasible, enforcement would be difficult. VPN providers would need to maintain logs of user identities, raising privacy concerns and potentially conflicting with the very privacy protections they offer. Additionally, users could switch to unregulated VPN services, including those operated abroad, circumventing any UK‑based restrictions.
7.3. Unintended Consequences
Age‑gating could inadvertently push minors toward less secure alternatives, such as public Wi‑Fi or unencrypted connections, increasing their exposure to surveillance and data exploitation. It could also stifle innovation, as developers of privacy‑enhancing technologies may be discouraged from operating in the UK market.
8. The Open Web and Human Rights
Mozilla’s submission is rooted in the principle that the internet is a public utility that must remain open, accessible, and privacy‑respecting. The organization argues that restricting VPNs would erode the freedoms of expression, association, and privacy that are enshrined in international human‑rights frameworks, such as the Universal Declaration of Human Rights and the European Convention on Human Rights.
By preserving VPN access for all users, the policy would uphold the right to privacy and the ability to seek information without undue interference. Conversely, age‑gating could set a precedent for further restrictions on privacy tools, potentially leading to a slippery slope where other essential services are similarly curtailed.
9. Stakeholder Perspectives
9.1. Parents and Educators
Many parents advocate for stronger controls to protect children from harmful content. However, they also recognize the importance of privacy tools for legitimate educational and developmental needs. Educators emphasize digital literacy as a key component of safe online engagement, aligning with Mozilla’s emphasis on skill development.
9.2. Industry Viewpoints
VPN providers argue that they operate within regulatory frameworks and that any new restrictions would impose significant compliance costs. Some platform operators support age‑verification mechanisms but caution against over‑regulation that could stifle user experience and innovation.
9.3. Civil Society and Advocacy Groups
Human‑rights organizations, digital‑rights NGOs, and child‑protection advocates have mixed views. While they support efforts to reduce exposure to harmful content, many caution against blanket restrictions on privacy tools, citing the risk of eroding fundamental rights.
10. Future Outlook
The debate over VPN access and child protection reflects a broader tension between regulation and freedom in the digital age. As technology evolves, so too will the methods by which minors can navigate online spaces. Policymakers will need to balance the need for protective measures with the imperative to preserve privacy and openness.
Potential future developments include:
- Adaptive Moderation Technologies: AI‑driven content filters that can tailor age‑appropriate experiences without requiring age verification.
- Privacy‑Preserving Age Verification: Zero‑knowledge proofs and other cryptographic methods that allow age checks without revealing personal data.
- Cross‑Jurisdictional Cooperation: International frameworks that harmonize privacy standards and child‑protection measures.
Mozilla’s submission underscores the importance of crafting policies that respect human rights while addressing real risks. The outcome of the DSIT consultation will likely influence the trajectory of UK internet policy for years to come.
Conclusion
Mozilla’s 2026 submission to the UK Department for Science, Innovation and Technology presents a compelling case against age‑gating virtual private networks. By framing VPNs as essential privacy and security tools, Mozilla highlights the broader implications of restricting such technology for all users, not just minors. The organization argues that regulatory focus should shift toward holding platforms accountable, encouraging responsible parental controls, and investing in digital literacy—strategies that address the root causes of online harm without compromising fundamental rights.
The debate illustrates a critical crossroads in digital policy: whether to impose technical barriers that risk eroding privacy and openness, or to adopt a holistic approach that empowers users and strengthens the underlying infrastructure of trust. As the UK and other jurisdictions grapple with these questions, the outcome will shape not only how children navigate the internet but also the very nature of digital rights in the 21st century.
Mozilla’s position serves as a reminder that privacy tools are not merely conveniences; they are foundational to a free, safe, and equitable online ecosystem. Any policy that threatens to undermine them must be scrutinised carefully, balancing protection with the preservation of the open web that benefits all.