On May 15, 2026, Mozilla published a submission to the UK’s Department for Science, Innovation and Technology opposing proposals to age-restrict VPNs. The consultation stems from observed circumvention of Online Safety Act age checks. This article examines what the Mozilla response reveals about the pattern underlying the proposal: a cycle in which regulations trigger technical responses, which then become targets for further regulation.
What Mozilla Actually Said, and to Whom
The UK’s Department for Science, Innovation and Technology opened a consultation on additional measures to prepare young people for a digital world, and that consultation considers age-gating virtual private networks following users circumventing age assurance systems mandated under the Online Safety Act. The consultation is open until May 26, 2026.
Mozilla’s submission, published to its policy blog on May 15, was not an isolated voice. Mozilla joined a coalition of 19 digital rights organizations and technology providers in a joint statement on May 5, and the May 15 post references a formal written response to DSIT. Mozilla argued that regulators should address root causes of online harm by holding platforms to account, encouraging responsible use of parental controls, and investing in digital skills.
The backdrop matters. The European Parliamentary Research Service published a briefing paper describing VPN use as a loophole in legislation that needs closing, and noted that one app developer reported an 1,800 percent increase in downloads in the first month following the UK’s Online Safety Act taking effect. Ofcom estimates that daily VPN users rose to around 1.5 million following the introduction of mandatory age checks on adult websites.
The UK House of Lords voted 207-159 in January to ban VPN services for under-18s, though that amendment applied to a different legislative vehicle. The current consultation represents a separate, broader review of VPN restrictions tied explicitly to age assurance policy.
The Monitoring Infrastructure Already in Place
UK regulators are not speculating about VPN adoption. They are tracking it. Ofcom stated it uses a leading third-party provider to gather information on VPN usage, combining multiple data sources to train models and generate usage estimates, with data aggregated at the app level. Ofcom confirmed that third party is Apptopia, though it withheld specifics about the data being collected under commercial confidentiality exemptions.
Ofcom added questions on VPNs to its Children and Parents Media Literacy Tracker, with a report expected in May 2026, and stated these information-gathering exercises are intended to build an evidence base and inform decisions on whether further action on VPNs is required.
According to UK government guidance, platforms have a responsibility to prevent children from bypassing safety protections, including blocking content that promotes VPNs or other workarounds specifically aimed at young users, and platforms that deliberately target UK children and promote VPN use could face enforcement action.
Monitoring VPN adoption to inform further restrictions introduces a structural problem: the regulator treats increased use of privacy tools as evidence of non-compliance rather than as a signal that the underlying policy imposes costs users find unacceptable.
The Predictable Cycle This Represents
The UK Online Safety Act mandates age verification for services hosting adult or harmful content. Under the Act, all adult and harmful content sites must verify visitors are 18 or older before allowing access, and some social media sites like X and Reddit were also affected. Adults, unwilling to submit identity documents or biometric scans to access legal content, adopted VPNs to route connections through jurisdictions without such requirements.
Proton VPN saw a 1,400 percent jump in new users from the UK just minutes after the measures came into effect. The day after the Act went into effect, half of the top ten app downloads in the UK were for VPNs or identity verification apps.
This response was not unanticipated. Privacy advocates, civil liberties organizations, and technologists warned throughout the bill’s passage that age verification mandates would drive VPN adoption. The government proceeded anyway, implemented the requirement in July 2025, observed the predicted outcome, and now proposes restricting the tools that enable circumvention.
The pattern is: mandate surveillance, observe avoidance, classify avoidance tools as the problem. England’s Children’s Commissioner called for VPN services to be restricted to adults only. The DSIT consultation operationalizes that call.
The consultation considers age restrictions for a broad range of services, including search engines, games, and VPNs. Each restriction requires all users to submit to age assurance systems, creating universal verification infrastructure justified by child safety but applicable to the entire population.
Why This Pattern Matters for Email Services
Email providers operate in the same regulatory environment. The Online Safety Act applies to any user-to-user service or search service accessible by UK users, regardless of where the provider is based. The Act applies to any service accessible by UK users no matter where the company is based, leaving companies to choose between offering services in the UK or providing end-to-end encryption.
While the government has stated it will not enforce the content scanning clause until feasible technology becomes available, that deferral does not eliminate the authority. The Act empowers Ofcom to order encrypted services to use accredited technology to look for and take down illegal content, but no such technology currently exists that also protects privacy through encryption, so companies would have to break their own encryption.
If VPNs can be age-gated or restricted because they enable circumvention of age checks, anonymous email services become vulnerable to the same logic. Services that accept registration without identity verification, that route connections over Tor, or that enable use without exposing IP addresses could be framed as circumvention infrastructure.
Open Rights Group wrote that trying to regulate VPNs because they might bypass age assurance would be as unworkable as banning web browsers because they allow access to adult content, and that pursuing a perfect age assurance system no one can circumvent is not technically feasible and would involve extreme digital authoritarianism.
The threat is not that every privacy tool will be banned outright. The threat is that incremental restrictions, justified by child safety, establish precedent and infrastructure that normalize identity verification as a prerequisite for internet access. Email services operating under US jurisdiction face the same extraterritorial pressure if they serve UK users.
Jurisdictional Reality and Architectural Principle
Onion Mail is registered as a US LLC. This does not place it outside UK regulatory reach if it serves UK users and falls within the Online Safety Act’s scope. Offshore registration is not a defense. To date, the only governments that have made meaningful progress blocking VPN traffic are authoritarian regimes with ISP-level surveillance infrastructure, but fines and service blocks do not require technical success to impose costs.
PQCServer, the open-source post-quantum cryptography platform under AGPL-3.0, represents a different architectural principle. It is not a service with users to block or a company with revenue to fine. It is code. Regulators can target deployment, but not the specification itself.
The distinction matters. Mozilla, Proton, Mullvad, and other coalition signatories are all companies offering services. They can be fined, blocked, or compelled. Open protocols and self-hosted infrastructure shift the enforcement burden from service providers to end users and infrastructure operators, a shift that changes the cost structure of compliance and the feasibility of enforcement.
This does not make email services immune. It suggests that long-term resilience depends on architecture that does not concentrate enforcement points in entities subject to a single jurisdiction’s legal process. Tor’s design embeds this principle. So does PGP. Services built atop those foundations inherit some of that resilience, but only if the service itself does not become the chokepoint.
What the Mozilla Submission Signals
Mozilla’s argument is not novel. Coalitions have made similar submissions opposing chat control proposals in the EU, age verification mandates in US states, and client-side scanning requirements globally. The consistency of the opposition has not prevented the proposals from advancing.
What the May 15 submission reveals is not that Mozilla has a unique counterargument, but that the UK government is proceeding with a consultation premised on restricting VPNs despite knowing the technical and civil liberties objections. The consultation closing date is May 26. Implementation timelines are not yet public, but a related consultation launched in March 2026.
The cycle does not stop when advocates explain why the next restriction will fail or cause harm. It iterates. Each failure to achieve the stated goal becomes justification for deeper intervention. VPNs enabled circumvention of age checks, so restrict VPNs. If age-restricted VPNs are circumvented by other means, those means become the next target.
The endpoint of this logic is infrastructure where anonymous access is not possible, where every connection is attributable to a verified identity, and where encryption exists only with government-accessible backdoors. That endpoint is technically achievable only under conditions that also eliminate the open internet. The question is how much of that architecture gets built before the cost becomes politically unsustainable.
Services that accept registration without identity verification and route connections over Tor are designed around this architectural principle.
Onion Mail operates this way by design — not as a policy choice, but as a technical constraint that limits what can be disclosed even under legal compulsion. Visit onionmail.org to create an account without submitting any identifying information.