Utah to hold websites liable for users who mask their location with VPNs


Utah’s Online Age Verification Amendments, formally Senate Bill 73, take effect on May 6, making the state the first in the U.S. to explicitly target VPN use as part of age verification legislation.

Signed by Governor Spencer Cox on March 19, the controversial law establishes that a user is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN or proxy to mask their IP address. It also prohibits covered websites from sharing instructions on how to use a VPN to bypass age checks.

NordVPN has called the law an “unresolvable compliance paradox” and a “liability trap,” arguing that it holds websites responsible for identifying users whose tools are specifically designed to be unidentifiable. The EFF warned that the legal risk could push sites to either ban all known VPN IPs or mandate age verification for every visitor globally.

The law is also technically flawed: it assumes that a web provider can reliably detect VPN traffic and determine a user’s true physical location, and they can’t. IP reputation databases such as MaxMind and IP2Proxy can flag traffic from known datacenter IP ranges, but commercial VPN providers rotate addresses constantly, and residential VPN endpoints are largely indistinguishable from standard home connections. Autonomous System Number (ASN) analysis can catch traffic originating from datacenter networks, but it can’t identify, for example, a personal WireGuard tunnel running on a cloud VPS, which routes through the same infrastructure as ordinary web hosting.
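The limits of IP reputation and ASN checks described above can be measured with a small longest-prefix classifier. This is an added example, not part of the original article: the prefixes (RFC 5737 documentation ranges), private-use ASNs, exit list and sessions are all constructed, and the non-VPN client on a cloud network is an assumed case.

```python
import ipaddress

# Constructed stand-in for an IP reputation / ASN feed. Prefixes are RFC 5737
# documentation ranges and ASNs are private-use numbers, not real networks.
PREFIXES = [
    ("198.51.100.0/24", 64512, "hosting"),
    ("198.51.100.128/25", 64513, "hosting"),  # more specific route inside the /24
    ("203.0.113.0/24", 64520, "isp"),
    ("192.0.2.0/24", 64530, "isp"),
]
KNOWN_VPN_EXITS = {"198.51.100.10"}  # constructed; goes stale as providers rotate

# Longest prefix first, so the first hit is the most specific one.
TABLE = sorted(((ipaddress.ip_network(p), asn, kind) for p, asn, kind in PREFIXES),
               key=lambda row: row[0].prefixlen, reverse=True)

def classify(ip):
    """Return (verdict, asn) from the source IP, the only signal the server has."""
    addr = ipaddress.ip_address(ip)
    for net, asn, kind in TABLE:
        if addr in net:
            return ("known_vpn" if ip in KNOWN_VPN_EXITS else kind, asn)
    return ("unknown", None)

# Constructed sessions: (source IP, what it really is, tunnel in use?)
SESSIONS = [
    ("198.51.100.10", "commercial VPN exit, listed", True),
    ("198.51.100.77", "commercial VPN exit after rotation", True),
    ("198.51.100.200", "personal WireGuard on a cloud VPS", True),
    ("198.51.100.201", "non-VPN client on a cloud network", False),
    ("203.0.113.5", "residential VPN endpoint", True),
    ("192.0.2.44", "ordinary home connection", False),
]

def evaluate(blocked):
    """Count (missed tunnels, wrongly blocked non-tunnel sessions) for a block policy."""
    missed = sum(1 for ip, _, tunnel in SESSIONS
                 if tunnel and classify(ip)[0] not in blocked)
    wrong = sum(1 for ip, _, tunnel in SESSIONS
                if not tunnel and classify(ip)[0] in blocked)
    return missed, wrong

if __name__ == "__main__":
    for ip, what, _ in SESSIONS:
        print(f"{ip:16} {classify(ip)[0]:10} {what}")
    print("block listed exits only:", evaluate({"known_vpn"}))
    print("block all hosting ASNs: ", evaluate({"known_vpn", "hosting"}))
```

Blocking only listed exits misses every tunnel that is not on the list, while blocking all hosting ASNs still misses the residential endpoint and starts rejecting a session that used no tunnel at all.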

The only detection method that reliably identifies VPN protocol signatures is deep packet inspection (DPI), which analyzes traffic at the network level, not at the system or application level. China’s Great Firewall and Russia’s TSPU system deploy DPI via ISPs, but a website operator can’t, because DPI requires access to network infrastructure that sits between the user and the server, not on the server itself.

Meanwhile, setting up a personal WireGuard instance on any major cloud provider takes minutes, meaning the law is more likely to hurt non-technical users who rely on commercial VPN services for legitimate privacy: journalists, people living under authoritarian regimes, political dissidents, and abuse survivors, among others.

Utah isn’t alone in trying to legislate the impossible into being. In the UK, the House of Lords — Parliament’s secondary chamber — voted 207-159 in January to ban VPN services for under 18s, with those amendments now due to be debated in the House of Commons. VPN use jumped by more than 1,400% on the first day of age verification enforcement in July last year. Meanwhile, France’s digital affairs minister, Anne Le Hénanff, has said that VPNs are “next on my list.” Wisconsin considered similar VPN provisions earlier this year but scrapped them due to heavy backlash.

To date, the only countries that have had some success in blocking VPN traffic are authoritarian regimes with ISP-level surveillance.