this post was submitted on 09 May 2026
244 points (98.0% liked)

[–] tal@lemmy.today 38 points 3 days ago* (last edited 3 days ago) (8 children)

However, such efforts are technically flawed because the only reliable method for identifying VPN protocol signatures is deep packet inspection at the network level, which the EPRS paper doesn’t mention.

I mean, you can tunnel whatever over whatever. You can tunnel a VPN over anything else that's encrypted, so unless you also want to ban SSH and HTTPS connections and suchlike (well, okay, for UDP-based VPNs, you'd probably prefer something UDP-based, but I think that the point stands), you're going to have trouble, say, blocking OpenVPN connections.

Tor exists for the explicit purpose of not being blocked.

Maybe you could try to characterize VPN traffic and do traffic analysis without being able to look inside the encrypted payload, say "VPN traffic tends to look like this", but again, it's not that hard to add noise to the signal.

And you don't even mostly need a full-on VPN for most of this, since it's mostly just people trying to access Web services.

Get yourself any Linux system in some less-restrictive location (which I'll call server) running OpenSSH. SSH into it from client like so:

[tal@client ~] $ ssh server -N -D127.0.0.1:1080

On the client, install the Proxy Toggle Firefox plugin. Set it to use localhost, port 1080 as a SOCKS5 proxy. Click the toolbar button to toggle on proxy use. Now all your browser traffic is coming from that remote server. All a network provider can see is an SSH connection. Click again, and you're back to normal mode.

But tal, that's complicated. Some people won't know how to use SSH.

So is virtually everything that a computer does. Raytracing. Image composition. Decoding discrete cosine transformation encodings. Rendering real-time video game worlds. If there's a need, someone goes out and writes software that makes it easy for the end user. And if you create a situation where there is an unlimited quantity of stuff that a lot of end users want access to behind a wall which someone can make a one-click program to bypass, it's probably a reasonably safe bet that those one-click programs are going to show up.

There is no loophole that can be trivially closed here. It's a fundamental limitation: if users are going to be able to send traffic that you cannot inspect the inside of (and avoiding that would mean encryption spanning your borders being disallowed, which you probably do not want), then they can appear to be coming from wherever in the outside world they want.

And plenty of people pointed out that this was a problem before age-verification stuff was put into force. This isn't a situation where one just does the thing and there are a few lingering minor issues to iron out. It's fundamental to the concept of doing age verification.

But voters don't want their kids seeing porn.

Well, frankly, if said kids have Internet access and they want to see porn, they probably are going to be able to see porn or otherwise enjoy use of the least-restrictive set of rules out there. That's part of having a world-spanning network where people can communicate with each other. There is going to be blasphemy and pornography and political extremism and stuff saying that Santa Claus doesn't exist out there. Some of that is going to be material that doesn't conform to the set of social norms where you live and will conform to social norms elsewhere in the world. I don't personally see that as all that catastrophic.
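
What the browser hands to the local listener opened by `ssh -D` in the comment above is a SOCKS5 CONNECT request (RFC 1928). The following is an added example, not part of the original thread: it builds and parses that request and reports whether the host name travels inside the tunnel or was already resolved on the client, in which case the DNS lookup happened outside the SSH connection. The function names and sample hosts are constructed for illustration.

```python
import ipaddress
import struct

# Constants from RFC 1928 (SOCKS Protocol Version 5).
VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect(host: str, port: int) -> bytes:
    """Build the CONNECT request a client sends to the local SOCKS5 listener."""
    try:
        ip = ipaddress.ip_address(host)            # IP literal: already resolved
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:                             # host name: sent unresolved
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_connect(req: bytes) -> dict:
    """Parse a CONNECT request; report which side performs name resolution."""
    if len(req) < 5 or req[0] != VER or req[1] != CMD_CONNECT or req[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        # One length byte, then the name; the far end of the tunnel resolves it.
        start, size, resolved_by = 5, req[4], "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        # Raw address: the client resolved it (or was given an IP literal).
        start, size, resolved_by = 4, (4 if atyp == ATYP_IPV4 else 16), "client"
    else:
        raise ValueError("unknown address type")
    addr, tail = req[start:start + size], req[start + size:]
    if size == 0 or len(addr) != size or len(tail) != 2:
        raise ValueError("truncated request or trailing bytes")
    if atyp == ATYP_DOMAIN:
        target = addr.decode("ascii")
    else:
        target = str(ipaddress.ip_address(addr))
    return {"target": target, "port": struct.unpack("!H", tail)[0],
            "resolved_by": resolved_by}

if __name__ == "__main__":
    # Constructed sample targets (documentation host name and address).
    for host in ("example.org", "192.0.2.10"):
        print(parse_connect(build_connect(host, 443)))
```

In Firefox, the "Proxy DNS when using SOCKS v5" setting decides which of the two request forms the browser sends.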

[–] alakey@piefed.social 13 points 3 days ago (1 children)

Theoretically - yes there will be some loophole to do some stuff online. Something tells me people don't exactly want to pay for gigabit connections and then be forced to tunnel through kilobit loopholes. Look at North Korea to see the end goal, look at Iran to see phase 3, look at Russia to see phase 2, you are currently in phase 1 of the plan to isolate the internet.

Tor also has been banned in authoritarian shitholes for ages. New bridge IPs pop up and get banned daily. Good luck getting a working bridge in the first place, too.

[–] belsedar@slrpnk.net 8 points 3 days ago

Just gonna say that the Tor situation in such places is actually not as bad as you say. Look at what the Tor project did in Russia when it tightened internet control: it brought new tech out of beta, implemented a couple of changes, and restored connectivity to any decently techy person. The only thing that authoritarian states have shown us is that there will always be a loophole, hell, even when that loophole is considered illegal, it's still there and is still used. The only way to truly control the internet is to kill it, otherwise there will always be someone smart enough and motivated enough to beat whatever restrictions are put in place.
