VPNs (Virtual Private Networks) route a user’s internet traffic through an encrypted tunnel to a server in another location. They protect privacy, secure public Wi-Fi connections and, for many businesses, are essential to remote working. They also allow a user to appear as if they are connecting from a different country, perhaps one where age assurance to protect children online is not a legal requirement. Data shows VPN usage can spike significantly, such as a claimed 1400% surge in sign-ups around enforcement of laws like the UK’s Online Safety Act, as users seek to bypass checks.
For most adults, using a VPN is a legitimate and often advisable way to protect online security (e.g., public Wi-Fi protection). But recent media reports have raised concerns about the effectiveness of age assurance laws such as the UK’s Online Safety Act when VPNs are used to bypass checks. Similar concerns apply to other location-masking tools, including proxies, fake-location apps, virtual machines and remote desktop services.
The “Not Normally Accessible” Rule
UK law for both adult content and social media with primary priority content does not require absolute prevention of underage access. Instead, it sets a performance standard: the service must be “not normally accessible” to minors. If significant numbers of UK-located children can reach restricted content, the service is out of compliance. There is also a requirement to use “Highly Effective Age Assurance”, such as methods with 95% accuracy thresholds.
If VPN use is mostly by adults and very few UK minors succeed in gaining access this way, the digital service can still be compliant. The aim of the law is not to ban VPN use, although Ofcom does wisely restrict sites from promoting it, but to ensure minors in the UK cannot normally reach age-restricted content.
The VPN Fallacy
Some argue that because VPNs exist, any age assurance system will fail. This leads to the mistaken belief that age-restricted sites are exempt from compliance if users connect through a VPN. As we have argued before, this is not true. Legislation we have reviewed globally, including the UK’s Online Safety Act (2023) and similar meaaures in Australia or US states, offers no such exemption. In practice, there are ways to detect and address circumvention and there is no need to even consider banning VPNs outright.
Detecting and Responding to VPN Use
Step 1: Detect VPN traffic
Industry-standard techniques include:
- Checking IP addresses against databases of known VPN servers (benchmarked accuracy 95–99% for major providers)
- Analysing patterns of traffic, such as sudden shifts in IP location, repeated connections from the same exit node, or signatures from protocols like OpenVPN or WireGuard
- Identifying mismatches between IP location and other device or browser signals, such as language, currency or time zone settings
While advanced VPNs using obfuscation or dedicated IPs can evade detection, these methods are widely used in fraud prevention and, when combined, can identify commercial VPN use with high confidence.
Step 2: Assess likely user profile
Once VPN use is detected, the question becomes whether the user is a UK-based minor or an adult using the VPN for privacy. Behavioural clues can guide this:
For adult content (18+):
- Access during UK daytime but not in school hours
- Language set to UK English
- Visiting content popular mainly with UK audiences or younger demographics
- Using free access routes rather than paid subscriptions
For social media (13+):
- Following or interacting mainly with UK-based peers
- Time zone matching UK usage patterns, considering school hours
- Content engagement typical of younger users
- No payment credentials linked to the account
These signals are probabilistic, not definitive. Major social media platforms already use similar analytics to segment audiences for advertisers, reporting confidence in their user location accuracy, which is not surpising given the wealth of data points social media have available. It may be less easy for adult sites,
Step 3: Prompt for proof
If the behavioural profile suggests a UK-based minor, the service can offer a choice:
- Complete a highly effective age assurance check
- Consent to a one-time geolocation to confirm the user is overseas
This does not mean continuous location tracking. The user must agree to share enough location data to confirm their jurisdiction only at the point where they would otherwise need to prove their age. And if they don’t wish to reveal where they are, they can just prove their age instead.
How Geolocation Works
Modern browsers and apps can request location data from a device using GPS, Wi-Fi network mapping and mobile mast triangulation. The service receives a location estimate precise enough to confirm whether the user is inside or outside the UK, often with 98-99% country-level accuracy. No ongoing tracking is needed, and no location history is stored beyond the verification event. But to do this with enough confidence in the accuracy of the result to achieve legal compliance, it needs user consent. Geolocation is used every time a US gambler places a bet online, to confirm they are in a state where that is legal. While spoofing is possible via extensions or modified devices, it is not ‘normal’ for minors and supports the law’s performance standard. Critically, it’s not IP-based, so VPNs don’t affect it – the location comes from the device itself.
Conclusion
VPNs are not the enemy of age assurance. They are valuable privacy and security tools, but can be misused. Digital services using age assurance to remain compliant, can do so by detecting VPN use, assessing risk using behavioural clues, and giving flagged users the option to verify their age or prove their location. This will not detect every underage UK user, but it can ensure age assurance remains highly effective, keeping restricted content “not normally accessible” to minors while respecting the privacy and legitimate VPN use of adults.