  • Instead of panic about VPNs…

    Instead of panicking and screaming “AAAAAAAGRHHH!! EU will forbid VPNs!!! DIGITAL CIVIL LIBERTIES AND FREEDOMS ARE DYING! WE ARE GOING TO A DIGITAL GULAG!!!!!” I decided to explore some boring details. It seems to be a less stressful thing for me to do.

    A drawing of the goddess Hel looks good as an image of a justice goddess who does not want to be blindfolded anymore. Image from https://www.alamy.com/drawing-sketch-style-illustration-of-face-of-norse-goddess-hel-with-face-half-skeleton-and-half-flesh-with-gloomy-downcast-appearance-viewed-from-image358228525.html

    I guess VPNs would have to adapt, like “OK, we will update our products to bind age markers into traffic without exposing what kind of traffic goes through us”. I guess that some W3C or IETF working group already exists for all that.

    This can be done by updating specs and demanding some special headers with a “signed age token” being passed through the network requests. With this, you provide some bit of data (age verification document? Government ID?) at VPN product sign-up or on the profile page, and get a token (an age attestation token) that you pass through to the VPN connection server. These “age attestation tokens” can be different for each origin (protocol, host name, port). This can be a reasonable thing because, if I understand this correctly, the VPN provider can see your traffic anyway.
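A sketch of the per-origin token described above, as an added example that is not from the original post and not from any existing W3C or IETF spec. The function names, claim fields and demo key are hypothetical, and HMAC stands in for a real issuer signature so that the code runs with the standard library only.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

# Constructed demo key. A real issuer would sign with a private key so sites
# can verify without being able to mint tokens; HMAC is a stdlib stand-in.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Normalise a URL to its origin: scheme, host name, port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname}:{port}"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _mac(payload: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()


def issue_token(url: str, over_18: bool, now: int, ttl: int = 300) -> str:
    """Issue a token carrying only the age claim, the origin and an expiry."""
    claims = {"origin": origin_of(url), "over_18": over_18, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_mac(payload))


def verify_token(token: str, url: str, now: int) -> bool:
    """Accept only an authentic, unexpired over-18 token for this origin."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _mac(payload)):
        return False
    claims = json.loads(payload)
    return (claims["origin"] == origin_of(url)
            and claims["exp"] > now
            and claims["over_18"] is True)
```

The token holds no user identifier, so a site learns only the age claim, and a token replayed to a different origin or after its expiry is rejected.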

    The VPN provider can still offload the actual authentication to some third-party service, especially smaller and free VPNs. And this is another place where things can go ugly. Not sure whether some age verification providers will exist as NGOs, as this would likely require strong PCI compliance. But a non-commercial age verification system whose purpose would be to provide age verification and an online identity service would be necessary in such a legal landscape, as a large commercial service would have a motivation to sell advertising data based on such a digital identity and to bind it to a behavior profile.

    Then this age verification/attestation can be expanded to non-VPN connections at the ISP level at some point, after people start using the various tricks which were invented for people surviving in dictatorships where VPNs are already being suppressed or outlawed, e.g. in Russia. Such as special packet fragmentation tactics, or wrapping into IMAP or HTTP requests, where the encrypted part of the traffic is represented as an image or PDF attachment, or other tricky ways.

    And most people would accept the need to go through digital identification, especially if it would be bound to the integration of passkeys, as a way to get rid of annoying passwords, when you use the same identity (or a few identities, created once at a digital identity provider) instead of filling in the same username, email, nickname, profile picture, and password boxes at sign-up, making this a single-click activity. “Ease of use” peppered with some security improvement (or a fancy promise of it) will sell very well to most people.

    The percentage of people who would be against all that would be the same as that of people who do not use any Meta product, such as WhatsApp, Instagram, Facebook, the Oculus headset, or whatever else they have now. And this is not some panic boo, this is a description of the reality where I live, where 95% of people in the country of Georgia use Facebook and WhatsApp, and during travels, hotels and taxis by default assume we have WhatsApp. So this is sorta a worldwide thing. That happens no matter what Meta does or does not do.

    So the same will happen with “age-less” VPNs.
