EU’s Secret VPN Briefing: How Privacy Became a ‘Loophole’ to Close

On May 8, 2026, the European Parliamentary Research Service published a briefing that described VPN services as “a loophole in the legislation that needs closing.” The phrase has consequences beyond the briefing itself — it tells us how a category of regulator now thinks about privacy infrastructure. That framing matters for email.


What was actually said, and by whom

It’s worth being precise about the source, because secondary coverage has blurred the picture. The document is a briefing paper published by the European Parliamentary Research Service (EPRS), the in-house research arm of the European Parliament. It is not legislation. It is not a position of the European Commission. It is a research paper that frames a problem for legislators considering future action.

That distinction matters, but it matters less than people sometimes argue. EPRS briefings are read by lawmakers, cited in committee work, and shape the vocabulary of subsequent debate. When the EPRS adopts a particular framing — privacy tools as “loopholes” — that framing tends to travel. It enters parliamentary speeches, then ministerial statements, then the recitals of draft regulations. The language is the leading indicator.

The specific concern in the briefing is narrow: VPNs allow minors to bypass age-verification systems by appearing to connect from jurisdictions where those systems don’t apply. The paper acknowledges that current age-assurance methods are easy to circumvent and offers no clean solution. One option it mentions, raised by the Children’s Commissioner for England, is restricting VPN access to verified adults — which would in practice require identity verification before using a privacy tool, a contradiction the briefing does not resolve.

The UK has gone further than the briefing’s analytical posture. In January 2026, the House of Lords passed an amendment to the Children’s Wellbeing and Schools Bill by 207 votes to 159 that would require action to prohibit VPN services from being provided to children. The amendment is currently with the House of Commons. It has not become law, and it may not — but it has been voted on by an upper chamber, which is further than such proposals usually travel.


The data that complicates the narrative

The most interesting fact in the surrounding coverage isn’t the EPRS framing. It’s the response data.

After the UK’s Online Safety Act introduced age-verification requirements, VPN downloads in the UK rose by approximately 1,800%. After comparable laws took effect in Florida, VPN downloads rose 1,150%. In Utah, the increase was 967%. These are not marginal shifts. They represent a population-scale behavioral response: when faced with mandatory identification at the gate, large numbers of people choose to route around the gate rather than be identified.

The numbers are usually presented as evidence that age verification “doesn’t work.” That framing is incomplete. The numbers are evidence that age verification works exactly as expected for compliant users while creating strong incentives for non-compliant users to adopt privacy tools they wouldn’t otherwise have used. The legislation has not failed; it has produced a side effect — mass adoption of bypass infrastructure — that the legislators didn’t account for.

This is the structural fact worth holding onto. Restrictions on access create demand for the tools that bypass them. The more aggressive the restriction, the larger the population that adopts the bypass. And once that population exists, the bypass tools become harder to restrict, because they are no longer used only by edge cases.


The shift in vocabulary

The interesting question isn’t whether the EPRS briefing produces legislation. Most briefings don’t. The interesting question is what the briefing reveals about how a generation of regulators has come to describe privacy tools.

For two decades, the public framing of consumer privacy technology assumed it was a legitimate good. VPNs were sold to remote workers, journalists, expatriates streaming home-country content, travelers on unsafe Wi-Fi. End-to-end encryption was sold as the table-stakes protection against criminals and identity theft. The vocabulary of privacy was the vocabulary of safety.

The EPRS briefing represents a different vocabulary. In it, VPNs are not a privacy tool that happens to be used to bypass age checks; they are characterized by their bypassing function. The legitimate uses are mentioned but the framing is inverted. A loophole, in legal language, is a gap that wasn’t supposed to exist — an oversight to be repaired. Describing a category of technology this way reclassifies it. It moves the technology from “thing citizens may have reasons to use” to “thing legislation hasn’t yet adequately addressed.”

This is not unique to the EU. The same vocabulary has appeared in UK parliamentary debate, in Australian e-safety commission documents, in US state-level legislation in Utah, in EU member-state ministerial speeches on encryption. It has been countered — Mozilla, Proton, and the VPN Trust Initiative have published responses arguing that treating VPNs as loopholes “is a complete misunderstanding of their role” — but the counterargument runs against the grain of the new institutional vocabulary, not with it.


Why email is the next chapter in this argument

Email is downstream of where this debate goes next. The reasons are structural.

Email is the universal identifier of digital life. It is the recovery mechanism for almost every account that matters. It is the channel through which legal notices, medical communications, financial documents, and journalist-source exchanges travel. It is the most frequently subpoenaed digital artifact in legal proceedings. And it is, in most consumer implementations, almost entirely readable by the provider.

The combination of these properties means that any regulatory framework that treats privacy tools as loopholes will eventually arrive at email. The same arguments used about VPNs — that they enable bypass of legitimate identification, that they allow circumvention of safety mechanisms, that they obscure who is communicating with whom — apply to anonymous email accounts, to end-to-end encrypted mail, to Tor-routed mail traffic, to providers that don’t collect identifying information at signup.

This is not speculation. The pattern has already begun. The EU’s “Going Dark” high-level expert group has discussed mandatory data retention obligations for messaging providers. The UK Online Safety Act includes powers to require platforms to scan encrypted content, currently held in abeyance but legally available. Just last week, Meta removed end-to-end encryption from Instagram direct messages eleven days before the Take It Down Act’s compliance deadline — a sequence that, whatever its stated motive, illustrates how regulatory pressure shapes infrastructure decisions inside the largest platforms.

If you accept that “privacy as loophole” is the new institutional vocabulary in major Western jurisdictions, and you accept that email is at least as exposed to that vocabulary as VPNs are, the conclusion is straightforward: the email infrastructure of 2030 will not be the email infrastructure of 2020 unless something durable is built outside the regulatory perimeter.


What “outside the regulatory perimeter” can and cannot mean

It cannot mean operating outside the law. Every email provider, including ours, operates under specific jurisdictions and complies with the legal orders those jurisdictions issue. Anyone claiming to run an email service that is somehow magically beyond legal reach is either misleading their users or building a service that will be shut down.

What it can mean is operating with an architecture in which most legal demands cannot produce useful results, because there is nothing useful to hand over. This is a technical property, not a legal one, and it has three components — the same components we identified in last week’s analysis of Meta’s encryption rollback:

Keys held by users, not by providers. A provider that doesn’t have the keys to message content cannot be ordered to produce that content in readable form. The legal order continues to exist, but its operational result is ciphertext.

Minimal identifying data at registration. A provider that doesn’t collect a phone number, recovery email, payment information, or government ID cannot be ordered to produce data it never had. This is why anonymous registration matters beyond the headline word “anonymous” — it changes what is legally extractable.

Open source and self-hostable code. Infrastructure that exists only in one company’s data center can be shut down by a single legal action. Infrastructure that is replicated on hundreds of servers run by independent operators is not vulnerable to single-point regulatory failure. This is why our post-quantum platform, PQCServer, is released under AGPL-3.0: not as a marketing point, but as a structural property of the system.

None of these properties make a service “above the law.” They make it architecturally compatible with a future where the law has moved against privacy infrastructure. That is a different and more limited claim, but it is the claim worth defending.


What this means for the people reading this

Most readers are not journalists protecting sources, activists organizing under authoritarian governments, or attorneys handling sealed proceedings. Most readers are people who would like their email to remain their own, who find the trajectory of platform-level surveillance uncomfortable, and who notice that the language used by their own governments has shifted.

For this audience — which is most people — three things are worth doing.

First, take seriously that policy outcomes you might once have considered unlikely are now actively under discussion in mainstream legislative bodies. VPN restrictions are at the amendment stage in a major European parliament. End-to-end encryption has been rolled back on a billion-user platform within the last week. The window for treating privacy infrastructure as “optional, for when I might need it” is closing. The infrastructure question is now: which providers and which architectures will still be functioning unchanged in five years?

Second, use the tools that exist. Signal for messaging. A privacy-respecting email provider for the parts of your life that should not be readable by advertising algorithms, by future regulators, or by whatever sequence of corporate acquisitions reshapes the email industry in the next decade. Open-source software where possible, because closed-source systems can be silently weakened in ways their users cannot detect.

Third, support the institutional pushback. The VPN Trust Initiative’s response to the EPRS briefing matters. Mozilla and Proton’s joint letter matters. The call by 400+ scientists for a pause on mandatory age-verification matters. Privacy as a public good is defended in three places: in the code, in the legislatures, and in the cultural argument about what kind of digital life is normal. All three need attention.


Closing

The EPRS briefing will probably not produce legislation directly. The UK House of Lords amendment may not become law. The Florida and Utah age-verification statutes will face constitutional challenges in US courts. Any single battle in this set may go either way.

What matters is the institutional vocabulary that is forming around all of these battles at once. When a generation of regulators describes privacy tools as loopholes — when the default assumption is that anonymity is a problem to be solved rather than a property to be preserved — the policy outcomes that follow tend to align with that vocabulary, slowly and in many small steps, regardless of how any particular battle resolves.

The right response is not panic. It is to build and use infrastructure that works correctly under the vocabulary that is coming, not under the vocabulary that is fading. Email that doesn’t depend on a provider’s continued willingness to encrypt. Identity that doesn’t depend on a registry that can be compelled. Code that doesn’t depend on one company’s continued operation. The architecture exists. It is in your hands.


Onion Mail — Anonymous email over Tor, no personal data, crypto payments. PQCServer — Post-quantum messaging, file vault, and document notary. Open source under AGPL-3.0. onionmail.org · pqcserver.com · github.com/onion-search-engine/pqcserver
