EU calls VPNs "a loophole that needs closing" in age verification push

The European Parliamentary Research Service (EPRS) has warned that virtual private networks (VPNs) are increasingly being used to bypass online age-verification systems, describing the trend as “a loophole in the legislation that needs closing.” The warning comes as governments across Europe and elsewhere continue expanding online child-safety rules that require platforms to verify users’ ages before granting access to adult or age-restricted content.

VPNs are privacy tools designed to encrypt internet traffic and hide a user’s IP address by routing connections through remote servers. While widely used for legitimate purposes such as protecting communications, avoiding surveillance, and enabling secure remote work, regulators are increasingly concerned that the same technology allows minors to circumvent regional age checks.

The EPRS notes that VPN usage surged after mandatory age-verification laws took effect in countries including the United Kingdom and several US states. In the UK, where online services are now required to prevent children from accessing harmful content, VPN apps reportedly dominated download charts after the law came into force.

The document explicitly frames VPNs as a regulatory gap, stating that some policymakers and child-safety advocates believe VPN access itself should require age verification. England’s Children’s Commissioner has also called for VPN services to be restricted to adults only. However, forcing users to verify their identity before accessing VPN services could significantly weaken anonymity protections and create new risks around surveillance and data collection. VPN providers and other privacy advocates have already expressed their objections to this approach in a letter sent to UK policymakers.

Last month, researchers found multiple security and privacy flaws in the European Commission’s official age-verification app shortly after its release. The app, promoted as a privacy-preserving tool under the DSA framework, was found to be storing sensitive biometric images in unencrypted locations and to have weaknesses that could allow users to bypass verification controls entirely.

The EPRS paper acknowledges that age verification remains technically difficult and fragmented across the EU. Current systems based on self-declaration, age estimation, or identity verification are described as relatively easy for minors to bypass. The report highlights emerging approaches, such as “double-blind” verification systems used in France, where websites receive only confirmation that a user meets age requirements without learning the user’s identity, while the verification provider does not see which websites the user visits.
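
One way to obtain the double-blind property described above is an RSA blind signature: the verification provider signs a token it cannot read, and the website checks the signature without learning who the user is. This is an added example, not taken from the EPRS paper or from the French scheme, whose construction the article does not describe; the demo key (two Mersenne primes, not a secure modulus), the function names and the token format are assumptions.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: two Mersenne primes, NOT a secure modulus.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def h(token: bytes) -> int:
    """Hash a token to an integer below N (simplified, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def user_blind(token: bytes):
    """User hides H(token) under a random factor r before contacting the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int, is_adult: bool) -> int:
    """Issuer checks age out of band, then signs a value it cannot read."""
    if not is_adult:
        raise PermissionError("age requirement not met")
    return pow(blinded, D, N)


def user_unblind(blind_sig: int, r: int) -> int:
    """Strip r to obtain an ordinary signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N


def site_verify(token: bytes, sig: int, spent: set) -> bool:
    """Site checks the issuer's signature and rejects replayed tokens."""
    if token in spent or pow(sig, E, N) != h(token):
        return False
    spent.add(token)
    return True


def demo():
    token = secrets.token_bytes(16)   # chosen by the user, never sent to the issuer
    blinded, r = user_blind(token)    # the only value the issuer sees
    sig = user_unblind(issuer_sign(blinded, is_adult=True), r)
    spent = set()
    return blinded != h(token), site_verify(token, sig, spent), site_verify(token, sig, spent)
```

The issuer only ever handles `blinded`, so it cannot link the signature to the token later shown to a site, and the site sees a valid signature with no identity attached.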

At the same time, regulators are beginning to address VPN use directly in legislation. Utah recently became the first US state to enact a law explicitly targeting VPN use in online age verification. The state’s SB 73 defines a user’s location based on physical presence rather than apparent IP address, even if VPNs or proxy services are used to mask it. The EPRS suggests VPN providers may face increasing scrutiny as the EU revises cybersecurity and online safety legislation, noting that future updates to the EU Cybersecurity Act could introduce child-safety requirements aimed at preventing VPN misuse to bypass legal protections.
