28 May 2026
Chapter 2: Interventions for safer, more positive experiences
Restricting access to services based on features and functionalities
Question 15: What do you think the impacts would be if some online services were required to introduce age restrictions on specific features and functionalities?
For example, impacts on the safety and wellbeing of children, or the impact for parents and carers, as well as other users. You could also comment on the impact on all users’ privacy and data or on business costs, revenue, and innovation.
| The Global Encryption Coalition promotes and defends encryption in key countries and multilateral fora where it is under threat. It also supports efforts by companies to offer encrypted services to their users. It has over 400 members across 103 countries. The GEC Steering Committee is composed of the Center for Democracy and Technology, Global Partners Digital, Mozilla Corporation, the Internet Freedom Foundation, and the Internet Society. This response is submitted on behalf of the Global Encryption Coalition Steering Committee. The Global Encryption Coalition Steering Committee expresses concern about the generalised enforcement of age-based restrictions across certain online services. The Steering Committee is specifically concerned by proposals to restrict access to privacy-preserving functionalities such as end-to-end-encryption (E2EE) and Virtual Private Networks (VPNs): if enforced, such restrictions would fundamentally expand data collection of all users, undermining the utility of trusted digital security tools and interfering with the right to privacy in a manner that is inconsistent with permissible restrictions under international human rights law. Encryption provides essential security and privacy benefits to both young people and adult users. Each time a child types a password, scans their smartphone to pay for lunch, or sends their parents a photo from their school performance, encryption helps make sure that nobody else can see that information. Encryption does this by scrambling sensitive data while it is on the move or when it is stored somewhere, preventing third parties from interfering with personal data, including financial or identity data. When E2EE is not in place, this provides the technical means for businesses to harvest and monetise children’s data and for criminals to gather this same data for scam or exploitation purposes. Likewise, VPNs are essential privacy and security tools for all users. As noted by this consultation, the main reason they are used is “to access the privacy and data protection benefits that VPNs offer”. Both young people and adults benefit from VPNs: a VPN protects users from surveillance by their internet service provider, from network information-based tracking, and from interception on unsecured public wi-fi. For example, VPNs can offer enhanced data protection for young people (usually of an older age range) connecting to public or school networks for homework or research, or accessing private institutional networks in educational settings. VPN use is a legitimate and proportionate response to the genuine security risks that exist online. They are an easy-to-use and accessible tool that can help children and young people to assert their agency and to protect their personal data while navigating the online world. The Global Encryption Coalition Steering Committee asserts that privacy-preserving functionalities should be explicitly exempt from any age-assurance mandates. All users, including children and young people, ought to be able to exercise agency online, making use of robust privacy tools to improve their digital literacy and to navigate the online world safely. In many ways, children and young people are more in need of privacy-preserving tools: their evolving emotional and cognitive capabilities mean that they may be particularly vulnerable to the expanded collection and processing of their personal data. Being able to protect themselves from online tracking and harms stemming from the collection and processing of their personal data is therefore especially critical for young people. General Comment No.25 of the UN Committee on the Rights of the Child explicitly emphasises that governments should require the integration of privacy-by-design into digital products and services that affect children. |
Question 20: What do you think the impacts would be if online platforms were required to restrict specific features or functionalities, or to introduce time limits?
For example, impacts on the safety and wellbeing of children, or the impact for parents and carers, as well as other users. You could also comment on the impact on all users’ privacy and data or on business costs, revenue, and innovation.
| The Global Encryption Coalition Steering Committee submits that, if platforms are legally mandated to age-restrict certain privacy-preserving functionalities, this would have severely negative consequences for cyber security and for the safety and human rights of all users, including children and young people. End-to-End encryption (E2EE) mathematically scrambles data so that not even the service provider has access to it in a usable form. Legislation that requires providers to provide access to E2EE content would necessitate creating vulnerabilities in encryption protocols through the deployment of backdoors. Compelling providers to adopt on-device surveillance to circumvent encryption puts users at increased risk by creating new vulnerabilities for on-device attacks. Research by cybersecurity experts and the European Parliament Research Service has shown that there are currently no technically feasible means of allowing access to content on systems that are E2EE without compromising the security of the system as a whole. As the Internet Society’s policy brief on age restrictions observes, there is currently no fully privacy-preserving age verification method. The risks of legally mandating age restrictions on privacy-preserving functionalities are severe. Age-gating E2EE would not adhere to security norms and would not be possible without an intervention akin to backdooring encryption. Applying age assurance requirements to restrict the use of these services prevents young people from benefitting from the essential protection they provide, while introducing new vulnerabilities that fundamentally compromise the security of all users. Likewise, VPNs protect users from surveillance by their internet service provider, from network information-based tracking, and from interception on unsecured public wi-fi. Legislation that restricts VPN use poses structural challenges: there is no mechanism by which a VPN provider can determine which users are minors without verifying the age of all users. Requiring age verification for VPN access therefore means requiring every user, regardless of age, to provide sensitive personal data. While the technical tool remains intact, this undermines the fundamental value of VPNs to shield the user from unwanted tracking and harvesting of their personal data. The Global Encryption Coalition Steering Committee has and continues to strongly advocate that the UK government recognises the value of strong encryption as a critical security measure and an enabler of human rights, and repeals any regulatory mandates that aim to weaken or undermine E2EE (see, for instance, here and here). Efforts that restrict, compromise, or circumvent encryption expose users to online harms and place them at greater risk. Age-restricting privacy-preserving functionalities such as E2EE and VPNs are fundamentally at odds with the government’s own objectives: restricting young people from using the very tools that can help them to navigate the online world safely, while imposing technical requirements that heighten their exposure to online harms. |
Chapter 3: Enforcement and compliance
Circumvention of age limits
Question 37: Which of the options below do you think the government should prioritise to reduce circumvention of online safety rules in the UK?
(Please select the most important one to you)
-more education for children
-restricting children’s access to VPNs
-none of the above
-don’t know/prefer not to answer
-other (please specify):
Question 38: To what extent do you agree or disagree with the following statement:
“Everyone should go through age checks to access a VPN if it would prevent children using them”
-strongly agree
-somewhat agree
-neither agree nor disagree
-somewhat disagree
-strongly disagree
-don’t know/prefer not to answer
Question 39: What do you think the impacts would be if VPNs were age-restricted?
For example, impacts on the safety and wellbeing of children, or the impact for parents and carers, as well as other users. You could also comment on the impact on all users’ privacy and data or on business costs, revenue, and innovation.
| As discussed in the responses to Questions 15 and 20, VPNs are essential privacy and security tools for all users. Users, including children and young people, rely on VPNs for legitimate purposes, helping them to assert their agency by shielding themselves from tracking or interception by third-parties. Imposing age-restrictions on the use of VPNs carries structural risks for all users. Mandating age-based restrictions on the use of VPNs would require all users to verify their age, obligating them to provide sensitive personal data to be able to access a key privacy-preserving technical tool. This undermines the inherent value of strong VPNs, which aim to protect privacy and strengthen digital security by reducing the risk of data exposure. This particularly affects those for whom anonymity or privacy is not a preference but a necessity: journalists protecting their confidential sources, public servants requiring high levels of privacy and security, or domestic abuse survivors and providers requiring confidentiality and privacy to protect themselves or their users from harm. Restricting VPN use by age would prevent children from benefiting from the critical privacy and security benefits that VPNs provide. This conflicts with the government’s aims of improving digital security online and promoting the development of digital skills. Imposing a blanket age-restriction on VPNs would also represent a disproportionate restriction of the rights of young people. Such a requirement would also be inconsistent with children’s rights under the UN Convention on the Rights of the Child Articles 13 and 16, which protect their right to access information and privacy online, and with General Comment No. 25’s recognition of privacy-preserving tools as mechanisms that support rather than undermine children’s safety. Restricting the use of VPNs also removes a critical privacy tool for at-risk young users, such as children experiencing abuse in the home or members of the LGBTQ+ community, who can rely on VPNs to give them the confidence to reach out to secure help or communicate freely. The National Network to End Domestic Violence’ Safety Net Project recommends using a VPN to “minimize the chances of someone knowing that you are researching information about domestic violence, sexual assault, or stalking.” Research suggests that restricting VPNs would not be an effective measure to reduce circumvention of the UK’s online safety rules. As outlined in Mozilla’s submission to this consultation, in contrast, existing “figures suggest a user population motivated primarily by legitimate privacy and security concerns. The government should be cautious about designing policy responses to edge cases that the evidence does not show to be the dominant use.” |
Question 40: What should be considered to make age-restricting VPNs effective and workable?
For example, public trust and engagement with increased age assurance requirements, accessibility of age assurance methods and variations of age assurance approaches across services, interaction with legitimate uses of VPNs.
| As discussed in the response to Question 15, the Global Encryption Coalition Steering Committee submits that privacy-preserving functionalities such as VPNs should be explicitly exempt from any age-assurance mandates. As outlined in the response to Question 39, age-restricting VPNs by imposing identity verification on all users would significantly undermine the positive privacy protections afforded by the use of VPNs, impacting both children and adult users. We strongly caution the government against pursuing a blanket policy response that would introduce privacy and security risks at the population level, be easily circumventable, and limit young people from accessing a critical security tool that enables them to navigate safely online. |