This Utah law is a risk to everyone's digital liberty

The Internet: How does it work? It's not a question that the Utah state government bothered to ask before attempting to enact its Online Age Verification law (Bill 73). Not asking this question could prove to be a massive digital autonomy and privacy issue for all of us, down the line. As such, the law is currently on hold, due to several legal interventions being fronted by the adult entertainment industry and privacy advocates like our pals at the Electronic Frontiers Foundation. But even if it's on hold, we should have a jawwag about all the rumpus surrounding Bill 73, anyway.

The loosey-goosey version of Bill 73's language says that if you're physically located in the state of Utah, the age verification law applies to you. You wanna watch some porn? Maybe buy some guns online? Well, you'll need to verify that you're at least 18 years old. Some Utah residents have been attempting to skirt around age verification by using a Virtual Private Network (VPN) to look at online bits deemed too naughty for young eyes. Utah says nah to that sorta thing: They don't want folks on their turf using a VPN or proxy to visit websites, potentially circumventing state laws. But in this level of content control, possible that every website in the world would have to make it so that users couldn't use a VPN to access them; they'd have to adopt age verification measures to ensure that no matter where you log on from, you'll have to prove your age. If you think this is an unreasonable amount of work for webmasters to take on, you're right, and most of the world outside the no-booze, no-loot, no-fun land of Industry likely wouldn't be on board. I mean, what shits does Luxembourg have for what Salt Lake City wants? And even if the word decided to get all draconian on behalf of the whims of an American state, it still likely wouldn't be enough to ensure the surveillance safety of Internet users.

Given that it assumes that a web provider can reliably detect VPN traffic and determine a user's true physical location, they can't. IP reputation databases such as MaxMind and IP2Proxy can flag traffic from known datacenter IP ranges, but commercial VPN providers rotate addresses constantly, and residential VPN endpoints are largely indistinguishable from standard home connections. Autonomous System Number analysis can catch traffic originating from datacenter networks, but can't identify a personal WireGuard tunnel running on a cloud VPS, for example, which routes through the same infrastructure as ordinary web hosting.

The only detection method that reliably identifies VPN protocol signatures is deep packet inspection, which analyzes traffic at the network level, not system- or app-level. China's Great Firewall and Russia's TSPU system deploy DPI via ISPs, but a website operator can't because it requires access to network infrastructure that sits between the user and the server, not on the server itself.

Tech-savvy users could set up what's called a Wireguard instance on a cloud server outside of Utah and direct all their traffic through it, hiding their true location. It's something I'm betting the Internet-native teens we have today could likely manage. You know who couldn't manage it? A shitload of activists, journalists, and folks who have nothing to hide but still believe that privacy is tied to their personal liberty.

While we find out which way the wind is blowing on this one, you might consider taking the time to better understand your digital rights, why online privacy is worth fighting for, and, should the bill get past the hurdles it currently faces, how to effectively hide your online traffic. Utah might be the first in the free world to try this sort of bullshit. But it won't be the last. The world is swinging back towards feudalism and autocracy: systems that thrive on knowing what citizens want and what they're doing. The time to learn how to protect your rights is now.