Piccadilly Circus, London.
Keir Starmer now demands state spyware on every mobile device, always watching the screen, scanning everything, looking for things the government disapproves of.
'We have decided not to limit VPNs'
Online Saftey minister Kanishka Narayan told #BBCBreakfast the Government has decided not to restrict access to Virtual Private Networks (VPN) as part of a social media ban for under 16s, despite initially suggesting it would take action
https://t.co/eVcbOEAtA8
'We have decided not to limit VPNs'
Online Saftey minister Kanishka Narayan told #BBCBreakfast the Government has decided not to restrict access to Virtual Private Networks (VPN) as part of a social media ban for under 16s, despite initially suggesting it would take action
https://t.co/eVcbOEAtA8
London Underground. VPN restrictions are still on the table in the UK. Much of it depends on the next Prime Minister. Hopefully, that question mark won't turn into a full stop.
Piccadilly Circus. The London Councils didn’t like our campaign against the upcoming state spyware in the UK. So, first the word ”government” was blacked out. Then the whole message was scrapped.
On the other side of the road, though: alive and kicking.
Chat Control 1 is back. Despite the European Parliament voting down the legislation twice this year, the Council of the European Union and parts of the Parliament today managed – through an urgent procedure – to extend it for another two years. The law was originally introduced as temporary legislation, so that its effectiveness could be evaluated. At the end of 2025, the European Commission itself concluded that it was not possible to determine whether the law had any measurable effect. Even so, it has now been pushed through.
Some of today's amendments could have stopped the law. And a majority of the voting MEPs wanted to do so. By a margin of 314-276, the Parliament voted to reject the proposal through these amendments. However, since it was an urgent procedure, 361 votes were required. As a result, the majority lost today and Chat Control 1 was passed. The urgent procedure was a dirty play by the Council and parts of the Parliament – it’s a procedure not meant to be used on legislation already rejected by the Parliament.
For now, Chat Control 1 will remain in effect. This means that tech companies may continue scanning communications without a warrant or suspicion.
However, the real battle is Chat Control 2. Unlike Chat Control 1, it would require all providers to scan communications, and to do so far more extensively than Chat Control 1 ever has.
After releasing 2026.3 on iOS, we have observed that the Force all apps feature doesn't prevent automatic updates from succeeding. This is good news. The bad news is that a reboot is still required to fix networking after the update has taken place. We've updated our blog post about Force all apps to reflect this.
https://t.co/brcncyKOCd
On Thursday, the European Parliament votes on Chat Control 1 (the voluntary scanning, not the mandatory scanning, called Chat Control 2). Again.
The Parliament has already voted against Chat Control 1. Two times. But the Council of Ministers and the Parliament President refuse to accept it.
Now, the Council has demanded an urgent procedure. This is a procedure that is meant to be used for new legislative proposals, not proposals that the Parliament has already rejected. An urgent procedure requires an absolute majority to be rejected (361 out of the Parliament's 720 members). This will be difficult to reach, since those who abstain from voting are counted as a yes-vote in an urgent procedure. By scheduling the vote during the summer, they are making it even harder to reach those 361 no-votes. This is downright dirty tactic by the Council and the President of the European Parliament.
The President of the European Parliament has sided with the Council against her own chamber. For context, this is the EP President, Roberta Metsola:
---
Great meeting film legend, entrepreneur and all round good guy Ashton Kutcher @aplusk at @Europarl_EN today to discuss Europe's efforts to protect children.
Grateful for his tireless commitment and determination in the fight against child abuse and trafficking.
Mullvad is a political company. We fight for freedom of speech, freedom of information and the right to privacy. These are firmly held values of the founders of Mullvad.
Mullvad protects the right for people to express things we don't agree with. We protect the right of everyone to access views we don't agree with.
We also live these values by being tolerant in our daily work. Everyone is welcome to collaborate with Mullvad if they share these narrow core values. As employees, contractors, customers, suppliers, lobbyists, campaign partners or whatever it might be. No matter what their other opinions are and no matter whether the founders or anyone else in Mullvad dislike them. The founders themselves fundamentally disagree on several important issues.
This is what allows us to advance our common causes. Being in a tolerant and intellectually open environment is also liberating and promotes truth seeking.
The more people do this, the better a place the world will be.
It should be obvious that Daniel's private donation to a political party is not part of Mullvad's values or mission, in the same way that someone's opinions on animal rights, taxes or public healthcare policy isn't.
That said, if you no longer want to be a Mullvad customer for philosophical reasons, we think it's important to honor that, and will gladly refund you.
The UK government spyware demand means that the government decides exactly what should be censored on every mobile device. They say they will start with nude pictures (if you don’t identify yourself as an adult). But it could at any time be expanded to anything the government disapproves of. Today, 30 people are arrested every day in the United Kingdom for writing something online that the government classifies as "grossly offensive". It is obvious that they will use this tool to restrict free speech.
Currently, there appears to be no requirement to report findings outside the device. However, with both legal and technological decision-making power taken away from individuals and transferred to the government, that is only a pen stroke away.
This means that the government could also use this system for total mass surveillance.
And they can do so in secret.
The government recently, in secret, tried to pressure Apple (which is now agreeing to client-side scanning) to build backdoors into its end-to-end encrypted cloud service. They can do this under the Investigatory Powers Act 2016, also known as the "Snoopers' Charter" – a law that makes it illegal for tech companies to disclose secret demands from the government.
This is what the UK spyware proposal means.
There must be government spyware on every mobile device. It shall watch everything that happens, including always watching the screen, looking for things the government disapproves of.
When anything is flagged by the software as something the government doesn't like, the software must block it from being sent or displayed (in realtime).
The user of the device must not be able to shut this watching and blocking off. The only way to shut it off would be to ask the government or its proxies to do so for you, at their discretion.
Therefore the whole device must be locked down. Administrator rights and the decision of what software or operating system to run or not to run must be taken from the owner/user and handed to the government and its proxies.
Apple and Google are themselves working hard to lock down the devices they are involved in to shut out competition and establish a duopoly.
The UK government says it is "working closely" with Apple and Google and currently they synchronise and coordinate their communication on this subject.
The UK government is now proposing to mandate what would otherwise be illegal anti-competitive practices.
@GrapheneOS on the Apple and Google duopoly:
https://t.co/rbRmcUDTRu
Statement from @signalapp
https://t.co/vJILcSrs4s
@ReclaimTheNetHQ on the state spyware:
https://t.co/3FCi06bP77
The government announcement:
https://t.co/ynYjR3DIRo
Our statement on the UK government’s demand that all content on all devices sold or used in the country be scanned, on the presumption of nudity, using a dystopian combination of age verification and content scanning. This proposal will not safeguard children. It endangers us all.
https://t.co/VdWe9uhi8p
Some politicians in the UK think it is a good idea to introduce identity verification for using VPN services.
It could be that these politicians do not understand what they are proposing. The alternative, that they do understand, would be even worse.
Whistleblowers, activists, and journalists depend on anonymous VPN services. Requiring identity verification for VPN services would put them at risk. It would also have a chilling effect on online debate (VPNs can help people post anonymously on social media).
In authoritarian countries, VPN services are crucial forcriticizing the government. That is precisely why such governments seek to ban or restrict them. Hopefully, the UK will not join that list.
Is the UK on the verge of banning VPNs?
On May 26, the consultation intended to help the British government make decisions on age verification for websites, digital services, and social media platforms came to an end. Some form of restrictions regarding at least age limits for social media already appear inevitable; government officials have confirmed as much. The only question is what kind of restrictions will be imposed.
For example, the age verification restrictions could end up including VPN services. National restrictions for websites and social media can be bypassed using tools such as VPNs, virtual phone numbers, eSIM cards, Tor and dedicated services. It is therefore unsurprising that politicians have begun looking toward VPN services, which are the most common and accessible method of changing one’s geographic location.
In early 2026, the House of Lords sent an amendment(regarding the Children’s Wellbeing and Schools Bill) to the House of Commons, proposing an 18-year age limit for using VPN services. The House of Commons rejected the House of Lords amendment four separate times. However, the House of Commons instead introduced its own proposal, which was passed and has now become law. This agreement grants the government the power to introduce restrictions through secondary legislation, with only limited parliamentary scrutiny.
Unfortunately, the risk that the UK government will crack down on VPN services is real – effectively joining countries such as China and Russia in opposing VPN services. Officials have already hinted that they may consider introducing age restrictions for VPN usage under the slogan “No platform gets a free pass”.
If VPN services were to implement identity verification, this would mean collecting data that could be abused through either malice or incompetence. It would, for example, make such services risky for whistleblowers and activists, make it harder for journalists to work with sensitive information, and create a chilling effect on online debate (VPNs can help people post anonymously on social media). In a society like the UK, where 30 people are arrested every day for writing something online that authorities classify as “grossly offensive”, VPN services are an important tool for free speech.
If VPN providers were to impose an age limit on their service, this would also mean that underage users would effectively lose their right to online privacy. Ironically, one consequence would be that social media companies mapping people’s lives through third-party trackers on websites could continue monitoring young people’s online behavior via their IP addresses without any interference. In other words, politicians would remove one of the protections children have against the very companies they claim to want to protect children from.
So-called age verification for social media is spreading across the world, framed as an effort to create a safer internet for children. In reality, age verification lays the foundation for a fully controlled internet.
The age verification rush must be slowed down, and politicians need to recognize the consequences of different types of legislation and systems.
Age verification is the wrong approach to fix “the social media problem”
The big tech social media companies are bad. Their business model is bad; it is based on mass surveillance and manipulation, and they cooperate with governments in mapping entire populations. But age verification is fundamentally the wrong approach to preventing children from using big tech social media platforms. Introducing age verification is based on coercion; the state forces social media companies to verify their users’ identities. But the big tech social media platforms already know which of their users are children. Their business model depends on knowing this. They know how old users are, and they know exactly what type of person they are. As age verification is based on coercion, politicians could instead force platforms to stop doing the things politicians consider harmful to children, or force them to block children (again, they know who they are) from using their services. But instead, politicians seek to massively invade everyone’s privacy and undermine democratic rights on a global scale. In other words, the latter is the real objective – they do not want to protect children; they want to impose control.
Slippery slope of age verification
It is undeniable that age verification threatens freedom of expression, risks increasing mass surveillance, and is likely to lead to censorship. It will not only shrink the online world and reduce young people’s right to privacy (for example, if VPN services were to be restricted); but also risks becoming a significant step toward a controlled internet for everyone.
Most age verification is identity verification
Most countries are now considering introducing age verification systems, meaning that everyone would have to identify themselves either to the service/website they want to use or to a third party capable of linking them to their activity on that service or website. This is not age verification but identity verification, and the consequence is therefore that freedom of information is restricted (you can no longer visit regulated websites anonymously) and that you can no longer post anonymously on social media. This is a major problem in countries like the UK and Germany where the police conduct raids on people’s homes for posting content on social media that the authorities dislike. Or in the United States, where authorities are trying to pressure tech companies into revealing the identities behind accounts protesting ICE. Social media identity verification removes important tools for activists in countries where criticizing those in power is dangerous.
Restrictions on app store or operating system level
Some countries are looking to impose identity verification at the app store level or even within the operating system itself. This is an exciting experiment, since this is possible to circumvent using open-source operating systems. Some countries are already looking to include open-source systems. Since open-source systems cannot be controlled, politicians would ultimately need to ban devices that are not controlled by the state. The end point: telescreens like those in Orwell’s 1984, devices that both monitor you and broadcast only the information approved by the state.
The Zero-Knowledge Proof (ZKP) alternative and the EU
The EU has presented its own age verification app as “completely anonymous”. The idea is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app ”is technically ready to be used”. But more importantly, the app is currently designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time.
Read more on our site.
https://t.co/wTVKHMS1zg
The EU age verification app is presented as “completely anonymous”. But the risk is that member states (the countries are supposed to create their own versions of the open-source EU app) use it to introduce identity verification that makes it impossible to post anonymously on social media.
The idea behind “completely anonymous” is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app ”is technically ready to be used”. But more importantly, the app is designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time.
This means that the EU could decide at any time that ZKP may no longer be used, and in one stroke the app would fall back to its default mode, meaning that every post on social media carries an ID tag. By that point, an infrastructure will already have been rolled out; people will have gotten used to it, and it will be harder to roll it back.
More details on https://t.co/wTVKHMS1zg
Our Android app has for the second time passed MASA, a standardized security assessment, conducted by Leviathan Security Group.
Read more: https://t.co/4v8Zo4gq0R
On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users.
We have a method which changes this behaviour currently being tested, with plans to begin rolling it out to our VPN servers in the coming weeks.
Read more here: https://t.co/MH32Odwrj0
A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm
Read more here: https://t.co/K9bxtiGHbw
It’s absurd that American authorities can purchase personal data – that they’re not allowed to gather themselves without a warrant – directly from data brokers. This violates the Fourth Amendment, and it’s time to close the data broker loophole.
Today, @RepThomasMassie, @RepBoebert and @naomibrockwell at the @LudlowInstitute introduced the Surveillance Accountability Act. It requires warrants based on probable cause for all government surveillance and data access. You can read more about it at https://t.co/iFX17ELSLA
Apple's networking stack is preventing the iOS app from being as secure as possible, we have now secured our app to mitigate this despite the rough edges around the update procedure.
Read more here: https://t.co/sbX72s2O7m