Lawmakers want to ban VPNs
Lawmakers are proposing a ban on VPNs, sparking concerns about privacy and government overreach. The EFF article argues that lawmakers lack understanding of VPNs and their implications.
Story posted 11/14/2025, 6:39:13 AM. First comment 11/14/2025, 8:33:55 AM (2h after posting). Peak activity: 87 comments in Day 2 (average 53.3 per period). Latest activity 11/18/2025, 4:02:54 AM. Based on 160 loaded comments.
The key change is needed with things such as Meshtastic and LoRa. Taking things out of the hands of regulators is key.
For better security, a signed obligation to observe the law might be collected from every employee, and an access log kept, with records signed by the company's digital signature.
Being a devil's advocate, you already entrust the government to register your property, issue your money, prosecute you for wrongdoing (including death penalty) and send you to the war. Your data is already collected and sold by thousands of data brokers. What are you losing by having a backdoor that would be used only in strict accordance with the law (laws being created by your elected representatives) and only for legal purposes? You must comply with the law anyway, no matter if the government can or cannot see what you are doing.
If you truly believed in democracy and rule of law in your country, you would have no doubts and volunteered to install the backdoor yourself.
https://old.reddit.com/r/XGramatikInsights/comments/1ovd88s/...
I get your overall point, but conflation of the two is inaccurate.
Considering that most crimes require people to be physically present at the crime scene, it also doesn't seem to be a functioning deterrent at all in the real world.
Most of the bad behaviour is concentrated in "seedy" places, where you usually have to go out of your way to interact with that place. A real name policy doesn't change the nature of the place at all.
If anything, the places that would be most affected are the ones where people are roleplaying or pretending to be something other than "themselves". E.g. gay or transgender people, furries, MMO/MUD/MUSH players, streamers, etc., which overall seem to be exceedingly harmless.
There is also the blatantly obvious problem that this only works on people who are risk averse to begin with. So it will basically have no effect on actual perpetrators, who see some risk vs reward tradeoff for their bad behaviour.
Nothing guarantees free speech like making it trivial to keep a copy of everything everyone says that can always be tracked back to their real identity! No way that could have a chilling effect on perfectly normal speech.
Authoritarianism is not limited by your birthplace, it can turn up anywhere. And when it does people are often really enthusiastic about it.
The findings in the Times article were subsequently debated in the House of Lords. The figures weren't disputed: https://lordslibrary.parliament.uk/select-communications-off...
30 arrests a day for something in a population of seventy million people, a large proportion of whom are online in some way, is not that much.
And it's not 30 arrests per day for saying things the government don't like or that are politically incorrect, is it? It's mostly for things that rise to the level of threats or harassment or cause alarm.
On the one hand it's a new conduit for threatening conduct, and on the other hand, it's probably replacing some.
I'd note something that comes up when this number is mentioned often enlightens the context: that people often use this figure to say "that's more than in Iran or Russia", as if the number itself is actually meaningful. Nobody's going to arrest you in Russia for abusing transgender people; nobody's going to arrest you in Iran for encouraging the punishment of promiscuity or gay people. In either case they might turn a blind eye if you threaten the lives of those people. But the things they would arrest you for — criticising the government or the war — you know not to even say out loud when not among friends. Because the punishment is not the mild inconvenience you would get in the UK.
There are bigger problems in the UK with misunderstanding policing of speech in the real, physical world: the Palestine Action stuff is being much more obviously mishandled. I think it's much more important to focus on getting the government to handle that more logically and sanely.
One of the most bizarre legal opinions I've ever heard of, but if they used any digits in the writing of the law those are up for grabs. Law makes a 30 day window or something? The governor can just change it to a million days with a stroke of the pen and then sign the edit into law with the same pen!
Pretty close.
> (b) If the governor approves and signs the bill, the bill shall become law. Appropriation bills may be approved in whole or in part by the governor, and the part approved shall become law.
> (c) In approving an appropriation bill in part, the governor may not create a new word by rejecting individual letters in the words of the enrolled bill, and may not create a new sentence by combining parts of 2 or more sentences of the enrolled bill
https://docs.legis.wisconsin.gov/constitution/wi_unannotated
The big limitation here is that it is limited to appropriations. Further, the constitution goes out of its way to try and prevent creative vetoing.
Unfortunately, the court decided that numbers are not words.
As a result, the governor changed "for the 2023–24 school year and the 2024–25 school year" to "for 2023–2425"
https://statecourtreport.org/our-work/analysis-opinion/wisco...
I can understand allowing a governor to change the text of a bill. But I cannot understand allowing them to sign those changes into law. It seems like that would mean they could creatively reverse the meaning of any bill.
It seems like a governor should be able to approve the text as written, or change it and send it back.
What am I missing?
That was the idea. But Wisconsin has twisted it into something else entirely. Arguably, the idea was not a good one to begin with, anyway.
https://www.bbc.co.uk/news/articles/c0epennv98lo
https://www.lbc.co.uk/article/digital-id-cards-ill-stop-ille...
Terrorism still crops up occasionally but the rhetoric has certainly expanded.
Don’t be deceived - huge amounts of lobbying went into this, because some savvy entrepreneurs saw a market to sell age-verification services. The key driver behind the laws is more about creating that market than actual child protection - if they were actually interested in that, they wouldn’t be pushing things that are clearly so ineffective (but expensive).
1. https://www.gov.uk/government/publications/safer-technology-...
https://youtu.be/Pr4v725LPOE?si=ih3gfTSpiHumtrFs&t=79
"That's not how apps work"
"Then make it work you think we are stupid but we are not, we know" VPNs have something to do with IPs which are necessarily geolocatable, and also users need to make an account to connect to a VPN, you can just ask them what country and State they are in.
Being willfully obtuse draws no sympathy, and will not exclude companies from compliance.
First of all, IP addresses are issued in blocks and the IPs are distributed within regional proximity. This is how connections are routed: a router in, say, Texas, knows that it can route block, say, 48.88.0.0/16 to the south to Mexico, 48.95.0.0/16 to the west to Arizona, and so on.
whois/RDAP data will tell you the precise jurisdiction of the company that controls the block. It's entirely sensible to use that for geographic bans, the mechanisms are in place, if they are not used, a legislative ban will force providers to use that mechanism correctly. I wouldn't say it's trivial, but it is what the mechanism has been designed to do, and it will work correctly as-is for the most part.
In the context of jurisdiction within a state in the U.S., I don't think it's accurate or reliable enough when taking mobile phones into account.
Country-level is much more accurate.
The website (which is the party these obligations are being placed on) could geolocate the VPN IP, but that wouldn't tell them where the user is actually from.
Yes, governments really did want to force us to use HTTPS with only broken/weak crypto.
Same propaganda, different buzzwords.
Notice that in those cases DJB was represented by the EFF, so they have been involved in this issue for a very long time.
Can't count how often I've heard otherwise technologically literate people saying how they use a VPN (NordVPN e.a.) because "something something security".
Oh look, someone's conflating business VPNs and consumer VPNs again. This time to legitimize consumer VPNs.
The cited laws propose to ban pornography for minors, and ban VPNs that hide geolocation and their use in accessing pornography. Nothing to do with businesses using private VPNs to encrypt employee traffic.
>Vulnerable people rely on VPNs for safety. Domestic abuse survivors use VPNs to hide their location from their abusers.
Woah, maybe VPNs have some uses I haven't considered, let's take a look at the linked article.
>Use a virtual private network (VPN) to remain anonymous while browsing the internet, signing a new lease or applying for a new home loan. This will also keep your location anonymous from anyone who has gained access to or infiltrated your device.
I think the loan thing is rubbish; I don't get it, and it's unaffected by the law. But the idea of installing a VPN in case the device is compromised might make sense. If the device is compromised it might still be trackable, especially while downloading the VPN, but maybe if it connects at startup, and the RAT isn't configured to bypass the VPN bridge, it might work.
Quite a stretch if you ask me. And again, not relevant to adult sites blocking VPNs.
The rest of the examples are the usual "people use it to evade the government and regulations but it can be THE BAD GOVERNMENT AND REGULATIONS".
Kids are resourceful.
It's also pretty trivial to wrap in an app.
Source: I was setting up home proxies so classmates could access Flash games on school computers when I was 12...
If I could figure out 65C02 assembly programming at 12 in the 80s without the Internet and some books, I’m sure the 12 year old me in 2025 could set up a proxy.
These laws aren’t meant to be followed. Their text is deliberately vague, and their demands are impossible by design. They aren't foolish, or at least their ignorance isn't needed to explain the system's broader function. They are meant to serve as a Chekhov's gun that may or may not fire over your head, depending solely on whether the people holding it decide they like you.
In peaceful times, they fade into the background, surfacing only when it’s convenient to blackmail some company for cash or favors. In times of crisis, they declare a never-ending war on extremism, sin, and treason, fought against an inexhaustible supply of targets to take down in front of their higher‑ups, farming promotions, contracts for DPI software, and jobs updating its filters.
Historically, such controls were limited by the motivation and competence of the arms dealers, usually taking the form of DNS or IP blocks easily bypassed with proxies. With modern DPI, it's entire protocols going dark. Even so, those able to learn easily find a way around them. The people who suffer most are seniors, unable even to call family across the border without a neighbor's help, and their relatives forced into using the least trustworthy messengers (such as Botim, from the creators of ToTok, a known UAE intel operation [0]) thinking they're the only way to stay in touch, not knowing how or wanting to use mainstream IM over a VPN that may or may not live another month.
If wherever you are your votes still matter, please fight this nonsense. Make no mistake, your enemies are still more ridiculous than Voltaire could hope they'd be, but organizing against or simply living through a regime constantly chewing on the internet's wires is going to be a significantly greater inconvenience than taking _real_ action now.
A more apt metaphor might be Damocles’ sword?
Selective enforcement should be illegal - people practicing it should be put in prison, the law should be auto-repealed, any past sentences cancelled and the people sentenced should be compensated.
This should be written into every constitution, just like free speech and the right to kill when killing is right ("right to bear arms").
The bill reads like you would think from someone who's been talking with the ceo of an age verification company. The bill gives the website two options: use a _commercial_ age verification product tied to gov't id checking, or "digitize" the web user's gov't id.
Seems highly unlikely it would ever happen (at least in the U.S.) but seems like it'd solve a decent amount of verification problems. With a JWT, the IdP wouldn't even necessarily need to know the recipient since the validity could be verified by the consuming party using asymmetric crypto.
We can't just rely on technological solutions because you can't out-tech the law at scale. People need to actually understand that the government is very close to having the tools needed for a stable technocratic authoritarian regime here in the US and all around the world. It might not happen immediately even if they have the tools, but once the tools are built, that future becomes almost unavoidable.
Seems quite achievable and sustainable to me
Every human carries dense compute and sensors with them. If they don't, they stand out while still surrounded by dense compute and sensors held by others at all times.
Not nice to think about but it is the reality we are moving towards – vote accordingly.
People want this stuff. People want ring doorbells, they want age verification, they want government control. Think of the children/criminals/immigrants.
Voting won’t help.
Voting doesn't work because everybody votes on everything, not just people who understand the subject matter.
Voting doesn't work because it's impossible to express nuanced choice - you vote for a candidate or party as a whole, not on specific policies. The number of parties is much smaller than the number of combinations of policies so some opinions can't be expressed at all.
Society is complex and there will always be someone somewhere that can influence an outcome where he/she doesn't understand the subject matter. Hence, nothing works and can ever work.
"Let's just give up" is the only conclusion I can see. Hardly useful.
Can you give an example of something that works by your standards?
There are just a handful of corporations that get to decide which websites are visitable every 90 days. Put a bit of legal pressure on the corporate certificate authorities and there's instant centralized control of effectively the entire web thanks to corporate browser HTTPS-only defaults and HTTP/3 not being able to use self-signed certs for public websites.
We're really only missing a few things before there's decentralized VPN over HTTPS that anyone in the world can host and use, and it would be resistant to all DPI firewalls. First, a user-friendly mobile client. Second, a way to broadcast and discover server lists in a sparse and decentralized manner, similar to BitTorrent (or we may be able to make use of the BT protocol as is), and we'd have to build such auto-discovery and broadcasting into the client. Third, make each client automatically host a temporary server and broadcast its IP to the public server lists when in use.
No, but I'm curious why you'd think that?
The reason it exists is just that it predates WireGuard by ~decade.
I don't know if Tailscale has any plans to make their service more censorship resistant, but I hope they do.
Not to mention these online content censorship laws for kids are wrong in principle because parents are supposed to be in control of how they raise each of their own kids, not the government or other people.
And these laws make authoritarian surveillance and control much easier. It's hard to not see this as the main objective at this point. And even if it isn't, this level of stupidity is harmful.
Many parents aren't taking time to be in control, and no amount of legislation will fix that.
This is already the case in the UK. We discovered another sad fact. Parents will suddenly develop the technical literacy to turn parental controls off because it's inconveniencing them, but won't bother to fine grain the control to make it safe for their children.
Apple and Android controls aren’t that difficult to understand. Roblox parental controls aren’t that difficult to understand. Could it be simpler by unifying these things under one framework? Sure - I’ve worked with tons of parents who fall under the trap that Roblox is safe because they set iOS parental controls. I feel for them because they aren’t “tech” people and Apple conditions them to expect a setting to be universal across the operating system, so it’s quite a shock when they find out their child has been texting with some groomer from Roblox chat.
The parents who are doing that will continue to do that. Improving those controls will help those parents and I agree efforts should be made for them. But for every one of those parents I encounter I get about 4-5 more who don’t bother to set any kind of parental control or filter on their children’s devices. When their 9 year old starts talking about pornhub and I give them resources on setting up parental controls it almost always falls on deaf ears. They simply don’t give a fuck. They can’t be bothered to spend 20 minutes figuring out how to set it up, even if I offer to walk them through it.
It is the new form of parental neglect, the modern version of a latchkey kid.
Are we really going to argue “since some parents won’t adequately parent their children, we’re going to create a massive censorship and surveillance apparatus and the Government will tightly control what everyone is allowed to view or talk about online”?
E.g., consider child-proof packaging and labeling laws for medication, which dramatically reduced child mortality due to accidental drug misuse.
Read about the infamous EU's chat control and lobbying behind it: https://mullvad.net/en/blog/mullvad-vpn-present-and-then
They'd latch on to whatever reason they'd think would stick.
What's left?
There are better solutions than blocking IPs.
Ironically enough, that meant when I was working at AWS, I sometimes couldn’t access a site that I was working on for a client when I went into the office for a business trip (I worked remotely).
Anyways, the main point I was making is the filtering should be done on-device at the parents' discretion, if they really wanted to protect their children. We can give them that feature and eliminate an excuse for authoritarian laws at the same time. This doesn't even require legislation, we can just do it if enough people working on operating systems agree.
You realize that a lot of parents support this sort of thing because they are not technically sophisticated enough to control it themselves? Or they simply think that it has no place in polite society? That is why politicians enact these laws, because they are hearing from constituents that they want it.
How much more proof do we need that we're speedrunning the authoritarianism and frankly we're already somewhat authoritarian, it's just pluralism for now. Wait until the elites eat each other and only one dictator is left.
1) In my home state I can no longer access Pornhub
2) Last month I visited Mississippi and could not access BlueSky, even though I can from my home state.
[I personally blame this on the "holier than thou", "don't tread on me" conservatives who cannot resist the urge to try to rule over the activities of others.]
I haven't selected a VPN provider because I have heard that a lot of websites create barriers to people who use VPNs. For example, I've seen people say that they couldn't access Reddit via a VPN.
Accessing imgur from the UK has been a bit tricky. Sometimes they limit certain IP addresses like the US one usually doesn't work but the Singapore one does (slowly) for some reason.
Can someone explain how this is true? Even if there is not a VPN, there should be https encryption and privacy protection.
Or otherwise that if you want to effectively ban VPNs you'll end up at the point where secure encryption is effectively banned, because there are ways to tunnel traffic over pretty much any protocol, e.g. SSH, HTTPS if you're creative.
We already know how this story ends. Companies get hacked. Data gets breached. And suddenly your real name is attached to the websites you visited, stored in some poorly-secured database waiting for the inevitable leak. This has already happened, and is not a matter of if but when. And when it does, the repercussions will be huge."
Then
"Let's say Wisconsin somehow manages to pass this law. Here's what will actually happen:
People who want to bypass it will use non-commercial VPNs, open proxies, or cheap virtual private servers that the law doesn't cover. They'll find workarounds within hours. The internet always routes around censorship."
Even in a fantasy world where every website successfully blocked all commercial VPNs, people would just make their own. You can route traffic through cloud services like AWS or DigitalOcean, tunnel through someone else's home internet connection, use open proxies, or spin up a cheap server for less than a dollar."
EFF presents two versions of "here's what will happen"
If we accept both as true then it appears a law targeting commercial VPNs would create evolutionary pressure to DIY rather than delegate VPN facility to commercial third parties. Non-commercial first party VPNs only service the person who sets them up. If that person is engaged in criminal activity, they can be targeted by legislation and enforcement specifically. Prosecution of criminals should not affect other first party VPNs set up by law-abiding internet users
Delegation of running VPNs to commercial third parties carries risks. Aside from obvious "trust" issues, reliability concerns, mandatory data collection, potential data breach, and so on, when the commercial provider services criminals, that's a risk to everyone else using the service
This is what's going on with so-called "Chat Control". Commercial third parties are knowingly servicing criminals. The service is used to facilitate the crime. The third parties will not or cannot identify the criminals. As a result, governments seek to compel the third party to do so through legislation. Every other user of the service may be affected as a result
Compare this with a first party VPN set up and used by a single person. If that person engages in criminal activity, other first party VPNs are unaffected
EFF does not speculate that third parties such as AWS, DigitalOcean, or "cheap server[s] for less than a dollar" will be targeted with legislation in their second "here's what will happen" scenario
Evolutionary pressure toward DIY might be bad news for commercial third party intermediaries^1
But not necessarily for DIY internet users
1. Those third parties that profit from non-DIY users may invoke the plight of those non-DIY users^2 when arguing against VPN legislation or "Chat Control" but it's the third parties that stand to lose the most. DIY users are not subject to legislation that targets third party VPNs or third party chat services
2. Like OpenAI invoking the plight of ChatGPT users when faced with discovery demands in copyright litigation
They might interfere with the businesses of other third party intermediaries like "Big Tech"
Paying the middleman (intermediary) might in theory discourage it from conducting commercial surveillance but it doesn't solve the problem presented by using third parties as middlemen
The possibility to profit from surveillance remains
An effective solution would remove the possibility, and thereby the incentive, by removing the third party
People causing shenanigans using residential IPs if they ban VPNs is gonna lead to a lot of kicked doors, red herrings, lawsuits, and very probably ballooning budgets and will yet again fail to stop Bad Things™ not that it was really designed to anyway. I wonder if they think this is a good idea because they have machinations or is it just that they are clueless wealthy dinosaurs corrupting a future that isn't theirs?
Last time I checked modestly reliable geoblocking existed, and completely unreliable vpn blocking.
A friend told me that when he comes across a site for which NordVPN is blocked, he just changes IP. At the latest, the third one always works, even on YouTube (he is all about privacy).