Deep Dive · Digital Rights · May 3, 2026 · 9 min read
Governor Spencer Cox signed Senate Bill 73 on March 19, 2026. It took effect May 6. Utah is now the first state in the country to hold websites legally liable for users who mask their location with a VPN.
The law's stated purpose is protecting children from harmful content online. Nobody reasonable disputes that goal. What's disputable — what's actually worth examining — is whether this law does anything close to that, and who it actually affects in practice. Those two questions have answers. Utah's government has not engaged with either of them.
What Is Confirmed
SB 73 operates through Section 14, amending Section 78B-3-1002 of Utah's statutes. Two provisions matter. First: a user is legally considered to be in Utah if they're physically there, regardless of whether a VPN masks their IP. Second: websites hosting material harmful to minors cannot share instructions on using a VPN to bypass age checks — including, per the EFF's reading of the text, basic explanations of how VPNs work.
Wisconsin drafted nearly the same thing earlier this year. Pulled it after pushback. Utah didn't pull it.
NordVPN called compliance "technically impossible" before the bill passed. The EFF called the detection requirement a "technical whack-a-mole that likely no company can win." The Utah Legislature and Governor's office have not publicly responded to either characterization. Not a rebuttal, not an alternative technical framework, nothing. The bill passed. The Governor signed it. That's the full public record of engagement with the technical objections.
No legal challenge filed as of publication. The EFF has flagged serious First Amendment concerns. Both things can be true.
The Detection Problem
Here is what a website operator actually has access to when trying to identify VPN traffic.
IP reputation databases — MaxMind, IP2Proxy — flag known datacenter ranges. Autonomous System Number analysis catches traffic originating from hosting networks. Both methods are partial. VPN providers rotate addresses. Residential endpoints look identical to regular home connections. Deep packet inspection can actually identify VPN protocol signatures, but it operates at the network layer, between the user and the server, not on the server. China runs it via ISP mandate. Russia runs it the same way. A website operator has no access to that infrastructure. Full stop.
So what happens when a Utah teenager wants to get around an age gate? They spin up a personal WireGuard instance on any major cloud provider. Takes maybe fifteen minutes if they've never done it before. That connection is indistinguishable from ordinary web traffic. No blocklist catches it. No server-side tool flags it.
That's the kid this law is designed to stop.
Meanwhile the commercial VPN user — the journalist, the abuse survivor, the remote worker hitting a corporate tunnel — gets caught in whatever dragnet the platform deploys trying to demonstrate compliance. Because platforms don't get to say "we tried." They get to say "we blocked it" or they get to explain to a court why they didn't. NordVPN's word for this situation was "technically impossible." That's accurate. There is no compliant state reachable through server-level tools. Utah has legislated a requirement for something that cannot be done, attached liability to failing to do it, and moved on.
The EFF's framing: the internet is designed to route around censorship. This isn't a political statement. It's a description of how TCP/IP was architected. The protocol doesn't care what Utah wants.
The Speech Problem, Which Is Separate and Also Bad
The liability clause gets most of the attention. The speech restriction is arguably worse, or at least weirder.
Covered sites can't facilitate or encourage VPN use to bypass age checks. Per EFF's analysis this extends to sharing instructions on how VPNs work, linking to VPN providers, explaining the technology. A cybersecurity outlet that also publishes adult content — and some do — faces potential liability for a tutorial explaining WireGuard. Not for the adult content. For the tutorial.
VPNs are legal. Explaining them is legal. The First Amendment protects the dissemination of truthful information about lawful tools, pretty clearly and pretty consistently. The EFF has called this prior restraint. No court has weighed in yet so that's still an open question legally. But the underlying structure isn't ambiguous: Utah prohibited a category of true speech about a legal product without articulating why that prohibition satisfies constitutional scrutiny.
The practical effect doesn't wait for court rulings. When legal exposure is unclear, platforms don't litigate the edge cases. They delete the content. Help pages go down. Guides disappear. Nobody sues over a deleted tutorial. The chilling happens quietly, in content management systems, in legal team reviews, in product decisions that never make the news.
Who Actually Gets Hurt
The EFF, NordVPN, and Proton have separately identified the same people. None of them are the teenager the law is meant to reach.
Domestic abuse survivors and stalking victims use VPNs specifically to prevent their physical location from being inferred through internet activity. Journalists and whistleblowers use them to communicate without trails. Political dissidents — including foreign nationals physically present in Utah on visas — treat them as basic operational security. Remote workers use corporate tunnels to reach company networks. If platforms respond to SB 73 by blocking all known VPN IP ranges, that traffic gets caught too. That's one of the two compliance paths the EFF identified as likely.
The other path is global age verification for every visitor regardless of location. Because a platform can't rule out that any given user might be a Utah resident behind a VPN. So you verify everyone. A user in Germany encounters an identity requirement because of a law passed in Salt Lake City. Proton CEO Andy Yen has said that this trajectory — not just Utah, but the cumulative direction of these laws across jurisdictions — means the end of anonymity online. That reads as hyperbole until you follow the logic of the enforcement structure. Then it reads as a forecast.
The teenager this law targets will have a self-hosted WireGuard instance running within a few hours of the law taking effect. Probably already does. The domestic abuse survivor on a commercial VPN service does not build private infrastructure. She pays $5 a month for NordVPN and trusts that it works. If platforms pull VPN access or mandate ID verification, that's the person who loses the tool. Not the kid.
These are the trade-offs. They were documented before the law passed. They were submitted to the legislature. The law passed anyway.
This Is Happening Elsewhere Too, Which Doesn't Make It Better
Wisconsin pulled its VPN provisions. Utah kept them. The UK House of Lords voted 207-159 in January to ban VPN services for under-18s. France's digital affairs minister has said VPNs are "next on my list." Every time age verification enforcement has actually gone into effect — Florida is the clearest example — VPN usage surged over 1,000% in the first days. Same result, every time.
The legislative response to that pattern has been to target VPNs. Which is roughly equivalent to responding to people using umbrellas by banning umbrellas, then being surprised when people get wet differently. The workaround gets banned, the underlying behavior finds another workaround, repeat.
The only governments that have actually suppressed VPN use at scale are China and Russia, both via ISP-level deep packet inspection deployed as national infrastructure. That works because they control the physical layer of the network. A democratic government using website liability to chase the same outcome is trying to get the same effect from a mechanism that doesn't touch the layer where the effect would have to happen. You cannot legislate physics. Utah is finding that out in real time. They just don't know it yet.
What BARB Gets Right, And What It Doesn't
Wrong article. Skip that.
The fair thing to say is this: child protection online is a real problem without an easy answer. Platforms have historically done a poor job of it, and some government intervention is probably warranted. The EFF and NordVPN are not neutral observers — they have interests, and their public assessments are partly advocacy.
The technical facts they're citing, though, aren't advocacy. They're engineering. VPN detection via server-level tools doesn't work at the scale required for legal compliance. That's not disputed by anyone who understands how the systems work. The Utah Legislature was told this and passed the law anyway. They have not explained, publicly, what technical framework they expect covered websites to use to comply.
That question has been asked. No answer has come back.
What The Record Shows
SB 73 is in effect. Utah is the first US state to hold websites liable for VPN-masking by physically-present users. No server-level tool reliably detects whether a user is behind a VPN. The law prohibits truthful speech about a legal privacy product. Wisconsin removed the same provisions after backlash. Domestic abuse survivors, journalists, and remote workers will bear compliance costs. The teenager this law targets will circumvent it within hours. No court has ruled on any active claim. The legislature has not provided a technical explanation of how compliance is supposed to work.
The child-protection intent is real. The compliance impossibility is also real. Courts will handle the constitutional questions eventually. Until then: a liability standard for something undetectable, passed by a body that has not said how it expects detection to happen.
All claims attributed to named sources or official documents. No court has issued findings on SB 73 as of publication. Technical assessments sourced from NordVPN official statements, EFF analysis (April 29, 2026), and independent engineering reporting. Legislative timeline sourced from Utah Legislature official records.
Sources: EFF Deeplinks (April 29, 2026). Utah SB 73 enrolled bill text, le.utah.gov. NordVPN official statement (March 2026). TechRadar (May 1 & March 5, 2026). Tom's Hardware (May 3, 2026). PolicyEngage legislative tracking. Proton CEO Andy Yen public statements. Wisconsin S.B. 130 / A.B. 105 amendment record (February 25, 2026).
