Utah to hold websites liable for users who mask their location with VPNs

Source: Hacker News

Image credit: Tom’s Hardware

Utah’s Online Age Verification Amendments Target VPN Use

Utah’s Online Age Verification Amendments, formally Senate Bill 73, take effect on May 6, making the state the first in the United States to explicitly target VPN use as part of age‑verification legislation.

Signed by Governor Spencer Cox on March 19, the controversial law establishes that a user is considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN or proxy to mask their IP address. It also prohibits covered websites from sharing instructions on how to use a VPN to bypass age checks.

Technical Flaws in Enforcement

The law assumes that a web provider can reliably:

1. Detect VPN traffic, and
2. Determine a user’s true physical location.

In practice, these assumptions are problematic:

• IP reputation databases (e.g., MaxMind, IP2Proxy) can flag traffic from known datacenter IP ranges, but commercial VPN providers rotate addresses constantly.
• Residential VPN endpoints are largely indistinguishable from standard home connections.
• Autonomous System Number (ASN) analysis can identify traffic originating from datacenter networks, yet it cannot pinpoint a personal WireGuard tunnel running on a cloud VPS, which routes through the same infrastructure as ordinary web hosting.

Visual Reference