Online Safety Laws Could Backfire in Major Ways
To date, some 20 states have either passed or attempted to pass laws restricting minors’ access to a variety of websites. New research shows that these laws may actually drive users to more-dangerous sites and create surges in the use of anonymizing technology, ultimately failing to address their main policy goals. Lawmakers attempting to limit minors’ access to specific websites ought to keep this in mind when crafting regulations.
The study in question looked at online search behavior in states with laws restricting minors’ access to adult sites and found that users simply chose to visit lesser-known, more dangerous websites (often hosted overseas). Because it is nearly impossible to force these companies to comply with U.S. laws, their users are more susceptible to scams, fake websites, and identity theft.
Users also frequently circumvented age restrictions using virtual private networks (VPNs), which allow people to create the appearance of being located outside their actual jurisdiction. While some state laws have attempted to restrict the use of VPNs to bypass the law, detecting VPNs and enforcing those laws is not always possible. Similar effects have been observed across the country as states pass their own age-verification laws.
On the same day Texas passed a law blocking minors’ access to pornographic websites, one VPN service reported a 275 percent increase in traffic. Similarly, VPNs saw a 210 percent increase in traffic after a ban went into effect in Louisiana. As a privacy researcher from Top10VPN concluded, “[w]herever U.S. lawmakers have imposed age verification … there has been a clear trend in the corresponding surges in demand for VPNs.” These networks are gaining popularity because they are generally recognized for improving safety and privacy online, even for children. Outlawing VPNs would only further risk children’s online safety by taking away a tool they can use to create anonymity or prevent data tracking.
However, the ineffectiveness of online content restrictions is about more than just VPNs. After YouTube began enforcing age verification for restricted content in 2021, an open-source workaround tool was downloaded 2.5 million times from Github. It works by setting up proxy accounts with adult access and passing that access down to the user’s account. Even if law enforcement enacted an extreme level of data tracking, wherein users would be required to surrender highly sensitive information and consent to constant tracking, these laws would still be difficult or impossible to enforce. So despite their best efforts, this hack remains available and effective to this day.
In 2009, France passed the controversial “Creation and Internet law,” which formed a new agency called the High Authority for the Dissemination of Works and the Protection of Rights on the Internet (HADOPI). The law intended to reduce illegal music pirating by revoking internet access from anyone found sharing illegal files more than three times.
Studies found that the law had “no substantial deterrent effect” because those aware of it could still “illegally access content through unmonitored channels.” The law’s “graduated response,” in which penalties increase for repeat offenses, also required detailed tracking of user data by IP providers and the government, leading to privacy concerns. Although the law was rarely enforced (with only one recorded case), the program cost the government millions of dollars to operate before being rescinded.
French courts ultimately ruled the law unconstitutional, but the fiasco showed that laws restricting online behavior ultimately did not reduce the targeted behavior, driving the activity further underground instead. A meta-analysis of several countries concluded that three-strikes laws “do not reduce online piracy.”
A study of Germany’s pornography law showed that age-restriction laws do “little” to prevent children from accessing internationally based pornography websites and that the existing law lacks an “effective mechanism” to prevent access.
Perhaps the most famous example of well-intentioned but ineffective online policy is the European Commission’s ePrivacy Regulation requirement that websites must ask for cookie consent before accessing a site. While this mandate is meant to give users more transparency and control over their online data, it has changed very little about online behavior. Users either click the banner without reading, get “cookie fatigue” and simply leave the site, or worse—get tricked by nefarious actors into clicking faulty consent buttons.
The U.S. age-verification study is yet another example in this line of evidence showing that online restriction laws are often ineffective and may even result in more dangerous behaviors. When children use VPNs and other third-party software, their online activity may be harder for their parents to track. Finally, as some courts have recognized, enforcing these laws raises serious privacy and constitutional concerns.
While there is no perfect solution, these examples underscore the benefit of parental-filtering tools for personal devices. Parental controls can account for domestic and foreign websites alike, and—when done right—can pair well with VPNs to further protect child privacy while blocking undesirable content. Even (or especially) in states with age-verification laws, parents should use these tools rather than relying on a false sense of security.
In the United States, age-verification laws struggle to decrease access to undesirable sites and drive traffic to less regulated sites and technologies like VPNs to circumvent the law. Although preventing minors from accessing obscenity is a laudable goal, VPNs and jurisdictional issues make it highly unlikely that age-verification mandates could be enforced with any practical success. Rather than attempting to restrict access to objectionable content, the government should focus on educating and empowering both the industry and parents to manage children’s online behavior.