Mozilla to UK regulators: VPNs are essential privacy and security tools

684 points by WithinReason yesterday at 6:17 AM | 278 comments

Comments

ayashko yesterday at 8:29 AM

Something I learned just recently—the Australian government (surprisingly!) actually recommends VPN usage, they even provide a bit of a guide and how to; https://beconnected.esafety.gov.au/topic-library/advanced-on...

azalemeth yesterday at 4:31 PM

It is perhaps worth highlighting that Mozilla has done this in response to a specific UK government consultation [1] all about "growing up in the online world", which has, buried about 30 pages deep, a specific question about age-gating VPNs and similar technologies.

As far as I can tell, there is no requirement to be a UK citizen to answer this – if you are, were, or could be resident in the UK I urge you to fill it out and help provide a voice of reason...

[1] https://www.gov.uk/government/consultations/growing-up-in-th...

wormius yesterday at 7:36 PM

Has Google made a statement like this?

I guess since I complain about Mozilla a lot for their past 5-10 years (minimum) of poor management decisions, I should give them their due when they do come out with a statement of support on our rights.

robotswantdata yesterday at 7:58 AM

1984 was meant to be a warning, not the UK’s digital infrastructure roadmap

speedgoose yesterday at 8:02 AM

While their arguments are sound, perhaps Mozilla should disclose in this document that they are also a VPN reseller.

borzi yesterday at 8:17 AM

That's why the government wants to get rid of them.

palata yesterday at 9:50 PM

> Rather than age-gating technologies like VPNs, we believe that regulators should address the root causes of online harm by holding platforms to account

Honest question: if you tell Pornhub "now you will be fined heavily if you let 10-year-old kids access porn", won't Pornhub implement some kind of age verification?

How else would the platform "address the root cause"?

cryo32 yesterday at 9:52 AM

I have seen some of the inside of this and it's not quite as clear cut.

One side of this is driven by a bunch of not too reputable think tanks behind the scenes who persuaded a couple of fringe academics to agree with them and push for it via the civil service. The government is taking bad, paid for advice. I don't know what the agenda is there but there is one and I reckon it's commercial. Probably a consortium of businesses wanting to create a market they can get into.

However the security services do not agree with the government or the think tanks and actually promote advice contrary to the regulators. They will ultimately win.

Attacking the regulators and revealing who is behind all this is what we should be doing.

rvnx yesterday at 8:04 AM

Interesting that they mention the UK but forget that the EU also wants to protect the kids by banning VPNs

anonymous2024 yesterday at 7:38 AM

And also VPNs are tools to open doors in the minefield of legislations that they need to create to improve the incoming of some business, not of the people that voted for them.

jiaosdjf yesterday at 6:57 PM

I just don't accept any ban on VPNs, I will just be a criminal. I'm not fighting for a country I'm not allowed to wave the flag of and I'm not respecting any digital safety laws that simply do not apply to me because I am not a child. I will provision my own infra if that's what it takes, I simply don't care. Fuck this country.

braiamp yesterday at 12:16 PM

I love how the comments miss that the problem these laws address deserves addressing, but from the producers' side: making safe products for the public. This specific solution is fashioned after tobacco and alcohol regulation, which was never primarily about parental supervision, it's about what can be sold and how. And in public health we'd want everyone moving away from both, not just kids. The boneheadness of age verification is that unlike tobacco and alcohol, where the best we can do is restrict access, online harm can actually be fixed at the root by regulating what these services are allowed to do to users in the first place.

tim333 yesterday at 9:59 PM

So far age gating VPNs is just a possibility they are considering, not actual policy. I just went on the feedback page to ask they don't do it - it'd be a pain for me.

usr1106 yesterday at 8:53 AM

User to Mozilla: Cannot read your statement with a variant of your own browser because you have it "protected" by an internet gatekeeper.

rileymat2 yesterday at 12:18 PM

It is unclear to me what VPNs have to do with the conversation with respect to age gating.

If a government has the ability to fine content providers for providing content to its citizens, why accept IP verification is good enough to determine the user’s jurisdiction and not fine them anyway for providing the content?

JumpCrisscross yesterday at 11:52 AM

Is the charitable reading of whatever’s going on in Europe right now that European states don’t believe they can hold American tech giants accountable to their laws? I genuinely don’t see why a law banning under-14 year olds from social media wouldn’t be the first step.

Chance-Device yesterday at 11:04 AM

I think this is a genuinely difficult problem that happens to look exactly like what you’d need for extended surveillance. When I think about it seriously, I end up coming up with the idea of a whitelist enforced on device for local accounts used by children.

This would probably block most of the internet, and allow access only to sites that are validated as being safe. This would put a lot of pressure on sites and service providers to ensure safety, such as children-only walled gardens within their broader services.

We already have piecemeal attempts at something like this through on device private age restriction software, but it’s not organised at the state level, and I think it’s not effective enough as a result.

If legally enforced it could be made into a pretty effective system that would give adults freedom and anonymity and provide safety for children, while pushing the costs of child safety onto the platforms, which is where it belongs. If you want to cater to children, prove that you can make it on to the whitelist. Otherwise that’s an audience you’re just not able to access.

SwtCyber yesterday at 4:38 PM

I think better enforcement against harmful platform behavior and better digital literacy would do more without normalizing surveillance as the default

acd yesterday at 9:01 AM

Actually, with data fusion a VPN does not fix privacy. Ad networks do data fusion of JavaScript browser fingerprints. So you are de-cloaked anyway on a VPN.

coldtea yesterday at 1:02 PM

The regulators don't want you to have either privacy or security (from them).

notepad0x90 yesterday at 10:06 PM

You can't ever win this argument against the public and the powers that be by staking it all on "but privacy is important, don't you like privacy?".

That's what they keep reducing it to. They're also making it a false dichotomy of sorts, but in reality it's a gradient of possibilities. For example, VPNs aren't like Tor in that they can't really resist "NSA" level global wiretap monitoring in any meaningful way. Or even ISP-level data-analysis driven investigations.

It's also important to correlate any privacy protections VPNs provide with a real-world pre-internet equivalent. Paper mail, for example, has always been subject to MitM by the authorities. It is possible to divulge who visited what site, and at what time, and only directly to the authorities, and make that disclosure public (after gag orders expire, if any are issued).

You can use VPNs for privacy against all sorts of creepy eyes, but your local government being considered one of those hostile actors is the threat model that's under attack here.

I would argue for example that the pre-internet equivalent would be two people chatting in the privacy of one of their homes. A bit of a stretch, but alright. But in that there must be the element that the two persons are able to identify each other positively. If one of them is harmed by the other, the victim can identify the attacker to the authorities and pursue justice. How can that be done with VPNs? If middle-actors can't snoop, then can logs on both ends positively identify the other party? Was there a common way pre-internet, where people anonymously gathered and discussed things, with capability to harm each other, but without the authorities being able to do anything about it after the fact?

If the authorities are able to gain access to a private key, or some other proof of possession of one end of the connection, can the VPN provider, the network, or the protocol disclose the identity of the source of traffic on the other end?

I'm only making these arguments to point out how nuanced the topic is. The false dichotomy of all-or-nothing for VPNs is silly. This is moving towards an outright ban of VPNs with criminal consequence, and with that all other similar tech (including Tor) and privacy measures go down the toilet. Would you rather have that or propose a nuanced compromise one jurisdiction at a time?

I get this is just PR for Mozilla though.

aboardRat4 yesterday at 8:23 AM

Didn't people make kinda that huge and broad movement to terminate PIPA and SOPA?

Could you, my wonderful Western friends, do that again?

I mean, all of it is even on video and largely on YouTube.

avazhi yesterday at 4:09 PM

That VPNs are undoubtedly essential privacy and security tools is precisely the problem the UK government has with them.

jonathanstrange yesterday at 11:59 AM

It's worth pointing out that some people under some circumstances need to use VPNs. For example, timestamp.apple.com stalls when I call it from my machine, so I cannot sign any executables for macOS. When I use a VPN that changes my IP number, signing and notarizing works perfectly fine. My CI chain would literally not work without a VPN.

badgersnake yesterday at 8:32 AM

The UK government does whatever Meta tells them to do. We tax cigarettes because they’re bad for you. Let’s tax algorithmic news feeds.

iLoveOncall yesterday at 7:55 AM

> VPNs are essential privacy tools

Does Mozilla not understand that this is the exact reason why the UK wants to forbid them?

egamirorrim yesterday at 7:41 AM

The UK gov needs to sod off with all this 1984 BS

msuniverse2026 yesterday at 7:24 AM

UK regulators are just hearing another excuse for a loicense.

charcircuit yesterday at 11:01 AM

It should be possible for VPNs to only give UK customers UK exit nodes so that sites can still properly enforce the law. Same thing with having VPNs that ban explicit sites. It's not an all or nothing thing.

ifwinterco yesterday at 7:51 AM

UK is not and has never been a free society, UK elites have an authoritarian streak.

Historically they were fairly smart at doing it subtly but the mask slipped during Covid and they never really put it back on.

Also - outside the HN bubble this stuff isn’t even unpopular. Normies supported covid lockdowns and they don’t want their kids watching porn either.

The people yearn to be ruled and nannied

Havoc yesterday at 9:27 AM

I hear the UK regulator did want to respond but Mozilla office doesn't have a fax machine. So the grandpas in charge of regulating modern tech just took a nap instead

globular-toast yesterday at 8:14 AM

This is a fairly difficult problem. I think the internet should be for adults only, like many other things. But we've fucked up by giving children internet access and it's going to be hard to undo it. I think rather than fighting these measures we need to work on alternatives because keeping children off the internet is a good idea, we just need to implement it in a good way.

What about just banning phones for children? Could we ever make that work? It would be like cigarette bans except we now have 5 year olds addicted to tobacco and addict parents who don't want to make them go cold turkey.

Public libraries and schools can be used for genuine research purposes, but not addictive shit. And implemented ad blockers at the network level.

mr-wendel yesterday at 3:15 PM

Here is my beef. I'm pro-VPN. The ability to gain more control over who can track your online communication is a net-positive to me, personally and philosophically. However, I can't justify their existence from a utilitarian perspective.

Practically speaking, when I look at the actual number of people affected by VPN I estimate that:

  - Very low: Protecting political activists and dissidents
  - Low: Circumvention of overzealous blocking and surveillance
  - Low-to-Medium: Hiding abusive and malicious behavior
  - Medium: Additional layers of trust and network security (mostly business related, which makes it tangential to the consumer VPN market)
  - VERY High: Enabling piracy and avoiding geo-content restrictions (no judgment on good-vs-bad, just asserting magnitude)

I believe that management at VPN companies are extremely pro-consumer protection (if only because their cash flows depend on this). I absolutely trust the system and network administrators. They don't want to track or look at the data flows because the odds of seeing something nasty is quite high. I have a fair amount of professional industry experience to back this up.

So... conundrum! If I take the position that piracy-related stuff isn't a net drag and that business VPN use is fundamentally a separate beast, VPNs in this context are hard to justify.

zkmon yesterday at 1:54 PM

USA entities tend to think that terms like "privacy", "security" have same meanings and assumptions across the globe, and that the USA laws are universal. Maybe they also think that entire world is just as dumb or dumber than USA.

For a start, you should consider this fact: Privacy for a bad actor goes directly against the security for citizens and good actors.

So when you talk about privacy you are making an assumption that it is contributing to safety. But for whom? Bad actors or good actors? Without such qualification, you are just talking lofty-sounding but meaningless ideals.
