Utah already requires age verification for certain websites. This does not actually stop anyone in Utah from getting around that, even if the site blocks all connections identifiable as coming from within the state because of virtual private networks (VPNs). Now, Utah is going to require that any site they deem “harmful to minors” engage in age verification regardless lest they face penalties. SB 73, in part, reads:
(3) An individual is considered to be accessing the website from this state if the individual is actually located in the state, regardless of whether the individual is using a virtual private network, proxy server, or other means to disguise or misrepresent the individual’s geographic location to make it appear that the individual is accessing a website from a location outside this state.
(4)A commercial entity that operates a website that contains a substantial portion of material harmful to minors may not facilitate or encourage the use of a virtual private network, proxy server, or other means to circumvent age verification requirements, including by providing:
(a)instructions on how to use a virtual private network or proxy server to access the website; or
(b)means for individuals in this state to circumvent geofencing or blocking.
The only way a company anywhere in the world can comply is to block all known and unknown VPN addresses and use age verification that meets Utah’s requirements even if they want nothing to do with Utah. Furthermore, this bill prohibits such sites from even talking about VPNs, which raises serious 1st Amendment issues, especially since knowledge of how to use VPN and protect yourself and your anonymity online is completely legal. Further:
“The law is also technically flawed, given that it assumes that a web provider can reliably detect VPN traffic and determine a user’s true physical location — they can’t. IP reputation databases such as MaxMind and IP2Proxy can flag traffic from known datacenter IP ranges, but commercial VPN providers rotate addresses constantly, and residential VPN endpoints are largely indistinguishable from standard home connections. Autonomous System Number analysis can catch traffic originating from datacenter networks, but can’t identify a personal WireGuard tunnel running on a cloud VPS, for example, which routes through the same infrastructure as ordinary web hosting.
“The only detection method that reliably identifies VPN protocol signatures is deep packet inspection, which analyzes traffic at the network level, not system- or app-level. China’s Great Firewall and Russia’s TSPU system deploy DPI via ISPs, but a website operator can’t because it requires access to network infrastructure that sits between the user and the server, not on the server itself.”
Oh, and they are also applying a 2% excise tax to boot.
But this won’t stop with just “protecting the children”. The implementation of such requirements now opens the door to crushing VPNs, proxies, and anonymity for anyone, since “harmful content” is whatever this state, or other states/countries, deem to be “harmful”.
The bill, as enrolled, can be read here or below:
