Security Now #1053: Banning VPNs
Date: November 26, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
This week, Steve Gibson and Leo Laporte dive into the newly proposed US state laws that would effectively ban the use of VPNs for accessing adult content—a move with dire implications for privacy, business, security, and free speech. The episode also covers a spate of major recent tech stories, including the futility of AI guardrails, a staggering privacy lapse in WhatsApp, Cloudflare’s recent global outage, upcoming changes in Windows 11, and the growing legislative pressure on software vendors. The tone is conversational, insightful, and at times incredulous, with Steve and Leo offering both technical explorations and passionate commentary.
Key Topics & Discussion Points
1. Legislative Moves to Ban VPNs in Wisconsin & Michigan
[115:30]
- Overview: Wisconsin and Michigan have introduced bills (WI SB130/AB105, MI "Anti-Corruption of Public Morals Act") mandating age verification for sites with "harmful to minors" content and requiring such sites to block all access via VPNs.
- Implications:
  - Overbroad: The bills require the outright blocking of all VPN users, not just minors, when they attempt to access adult content.
  - Technical Impossibility: Websites cannot reliably identify VPN traffic or determine a visitor's true location or state of residence.
  - Enforcement Issues: Sites must either block all VPN users globally or cease operating in these states because of the liability risk.
  - Potential for Overreach: The bills' definitions could apply to a huge range of content, not just explicit material.
Quote:
"Wisconsin and Michigan have proposed legislation... saying that adult content websites are no longer allowed to accept access to their sites from any person using any VPN service provider, period, full stop. That's actually what the proposed legislation says." – Steve Gibson [119:19]
EFF Position:
The Electronic Frontier Foundation (EFF) strongly opposes these efforts, warning of a "war on privacy," chilling effects, and technical ignorance on the part of lawmakers.
Quote:
"One state's terrible law is attempting to break VPN access for the entire Internet, and the unintended consequences of this provision could far outweigh any theoretical benefit." – EFF, as read by Steve Gibson [139:11]
Notable Timestamps
- [115:30] – Intro to Proposed Bills
- [127:47] – Michigan's "Anti-Corruption of Public Morals Act"
- [139:11] – EFF's analysis and warnings
- [150:18] – Impact in the UK and worldwide
2. Global Trend: The War on VPNs and Digital Privacy
[150:18]
- UK Example: New age-check requirements for adult sites have caused VPN app downloads to spike 1800%; now UK authorities and the Children's Commissioner are calling for VPN use to be age-verified as well.
- Technical Reality: People can and will circumvent such bans with alternative privacy tools (open proxies, home-brew VPNs, Tor, etc.), making enforcement effectively impossible.
- Collateral Damage: VPN bans affect not just "naughty" site users, but businesses, students, abuse survivors, journalists, activists, and anyone who values or needs privacy and secure connections.
Quote:
"VPNs mask your real location by routing your Internet traffic through a server somewhere else. When you visit a website through a VPN, that website only sees the VPN server's IP address, not your actual location... When Wisconsin demands that, 'websites block VPN users from Wisconsin,' they're asking for something that's technically impossible." – EFF excerpt read by Steve Gibson [139:11]
3. Other Major Security & Tech Stories
Chat Control Legislation in the EU
[15:50]
- Initial panic over "chat control" (mandated mass surveillance of all EU chats for CSAM) has subsided:
- EU will stick with voluntary, not mandatory, monitoring.
- Privacy-respecting apps remain safe (Signal, Telegram, etc.).
WhatsApp 3.5 Billion User Privacy Enumeration
[75:29]
- Austrian researchers showed that, until recently, WhatsApp allowed enumeration of its entire user base by brute-forcing phone numbers, extracting profile photos and text—over 3.5B users—with no rate limiting.
- Meta had ignored warnings about this dating back to 2017, but patched the issue after this responsible disclosure.
- Metadata remains vulnerable: Even with E2E encryption, public APIs may leak contextual data.
Quote:
"To probe over 100 million phone numbers per hour without encountering blocking or effective rate limiting... 3.5 billion users' phone numbers from the messaging service." – Steve Gibson [77:33]
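The enumeration described above worked because nothing noticed one client walking through a huge number space. As an added example (not code from the episode, nor anything WhatsApp or Meta run), the following sliding-window detector flags a client that looks up more distinct phone numbers per minute than any real user plausibly would. The endpoint path, the log line format and the threshold are assumptions, and the log lines are constructed for illustration:

```python
"""Detect enumeration-style probing of a contact-lookup API from access logs.

Assumed log line format (constructed for this example):
    <unix_ts> <client_id> <endpoint> <queried_number>
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # sliding window length
MAX_DISTINCT_PER_WINDOW = 50   # assumption: a real client looks up far fewer numbers per minute
LOOKUP_ENDPOINT = "/contacts/lookup"   # hypothetical endpoint name


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, endpoint, number = line.split()
    return int(ts), client, endpoint, number


def find_enumerators(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_PER_WINDOW):
    """Return {client_id: ts_first_flagged} for clients exceeding the limit.

    Per client we keep a deque of (ts, number) events inside the window and a
    count per number, so the number of *distinct* targets is known at every
    step. A client is flagged the first time that count exceeds `limit`;
    repeated lookups of the same number do not count towards it.
    """
    events = defaultdict(deque)                     # client -> deque[(ts, number)]
    counts = defaultdict(lambda: defaultdict(int))  # client -> number -> hits in window
    flagged = {}
    for line in lines:
        ts, client, endpoint, number = parse_line(line)
        if endpoint != LOOKUP_ENDPOINT:
            continue
        q, c = events[client], counts[client]
        # evict events that have fallen out of the window
        while q and ts - q[0][0] >= window:
            _, old_num = q.popleft()
            c[old_num] -= 1
            if c[old_num] == 0:
                del c[old_num]
        q.append((ts, number))
        c[number] += 1
        if len(c) > limit and client not in flagged:
            flagged[client] = ts
    return flagged


def sample_log():
    """Constructed sample: one normal client and one scraper walking a range."""
    lines = []
    # a normal client checks a handful of contacts over half a minute
    for i in range(5):
        lines.append(f"{1700000000 + i * 7} user-A {LOOKUP_ENDPOINT} +1555000{i:04d}")
    # a scraper walks 120 sequential numbers at four lookups per second
    for i in range(120):
        lines.append(f"{1700000100 + i // 4} scraper-Z {LOOKUP_ENDPOINT} +1555100{i:04d}")
    # traffic to other endpoints is not counted
    lines.append(f"1700000200 scraper-Z /messages/send +15551000000")
    return lines


if __name__ == "__main__":
    for client, ts in find_enumerators(sample_log()).items():
        print(f"enumeration suspected: client={client} first_flagged_at={ts}")
```

In production the same counting would sit behind the lookup endpoint itself so the decision can be enforced (throttle or block) rather than only reported; the point of the distinct-number count is that it separates a user re-syncing a contact list from a client sweeping a number range.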
Cloudflare Global Outage Post-mortem
[83:40]
- Outage impacted huge swaths of the internet, including OpenAI, X, Shopify, Uber, etc.
- Root cause: Internal configuration mistake doubled a feature file size; outdated file size limits caused core routing failures. Not a cyberattack, but a "tripping over a cord" moment.
- CEO Matthew Prince’s public explanation praised for transparency.
Quote:
"Cloudflare’s network began experiencing significant failures... triggered by a change to one of our database systems’ permissions, which caused the database to output multiple entries into a feature file... it doubled in size... caused the software to fail." – Steve Gibson [85:21]
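The failure mode above is a generated file that grows past a consumer's fixed capacity, and a consumer that fails rather than ignoring the bad file. As an added example (not Cloudflare's code; the file format, the capacity limit and all names are assumptions), the loader below validates a feature file before it is activated, collapses exact duplicate entries, and keeps the last-known-good set when the new file is unacceptable:

```python
"""Fail-safe loading of a generated feature file.

Assumed format (for this example only): a JSON list of objects
{"name": <str>, "value": <any>}. The consumer has a fixed capacity
MAX_FEATURES; a file that still exceeds it after deduplication is rejected
and the previously active set stays in force.
"""
import json

MAX_FEATURES = 200   # assumed fixed-capacity limit of the consumer


class FeatureFileError(ValueError):
    """Raised when a feature file must not be activated."""


def parse_feature_file(text, max_features=MAX_FEATURES):
    """Return (features, duplicates_dropped) or raise FeatureFileError.

    Exact duplicate entries (the symptom described in the post-mortem) are
    collapsed; a duplicate name with a conflicting value is treated as
    corruption, and a set larger than the consumer can hold is rejected.
    """
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as e:
        raise FeatureFileError(f"malformed file: {e}") from None
    if not isinstance(entries, list):
        raise FeatureFileError("expected a list of entries")
    features, duplicates = {}, 0
    for e in entries:
        if not isinstance(e, dict) or "name" not in e or "value" not in e:
            raise FeatureFileError(f"bad entry: {e!r}")
        name = e["name"]
        if name in features:
            if features[name] != e["value"]:
                raise FeatureFileError(f"conflicting duplicate for {name!r}")
            duplicates += 1
            continue
        features[name] = e["value"]
    if len(features) > max_features:
        raise FeatureFileError(f"{len(features)} features exceed limit {max_features}")
    return features, duplicates


class FeatureStore:
    """Holds the active feature set and only replaces it after validation."""

    def __init__(self):
        self.active = {}
        self.rejected = 0      # count of reloads refused; something to alert on

    def reload(self, text):
        """Activate `text` if valid; otherwise keep last-known-good and return False."""
        try:
            features, _dups = parse_feature_file(text)
        except FeatureFileError:
            self.rejected += 1
            return False
        self.active = features
        return True


def make_file(n, duplicated=False):
    """Constructed input: n entries, optionally each emitted twice."""
    entries = [{"name": f"f{i}", "value": i % 2 == 0} for i in range(n)]
    if duplicated:
        entries = entries + entries
    return json.dumps(entries)


if __name__ == "__main__":
    store = FeatureStore()
    print("normal file accepted:", store.reload(make_file(150)))
    print("doubled file accepted after dedup:", store.reload(make_file(150, duplicated=True)))
    print("oversized file accepted:", store.reload(make_file(250)), "(active set kept:", len(store.active), ")")
```

The design choice is that every validation failure is a rejected reload, surfaced through a counter that monitoring should alarm on, rather than a crash in the component that consumes the file; the generator still needs fixing, but the consumer keeps serving from the last good set in the meantime.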
Futility of AI Guardrails & New Attack Techniques
[53:27]
- Research group HiddenLayer shows how simple token sequences—e.g., appending "=coffee"—can bypass LLM guardrail models meant to filter prompts for malicious content.
- Current "AI as guardian for itself" schemes are fundamentally vulnerable to these kinds of adversarial attacks.
Quote:
"You take a prompt that should be filtered and add an equals sign and the word coffee to the end of it... now it passes straight through the protective filter." – Steve Gibson [63:06]
"Equals coffee." – Steve Gibson [161:36]
Windows 11 Adding Native Sysmon Functionality
[29:47]
- Sysmon (a critical forensic/tracing tool) will be included natively in Windows 11, streamlining security operations for enterprise admins.
Pressure for Software Vendor Liability
[98:39]
- UK lawmakers call for holding software vendors liable for the economic and national security fallout of vulnerable software.
- Steve and Leo speculate on far-reaching consequences; potentially a seismic shift for the software industry.
Quote:
"Can you imagine Microsoft being held responsible for all the specific instances of damage caused by bugs and security failures in their software? Wow." – Steve Gibson [101:41]
Notable Quotes
- Steve Gibson [119:19]: "Wisconsin and Michigan have proposed legislation... saying that adult content websites are no longer allowed to accept access to their sites from any person using any VPN service provider, period, full stop. That's actually what the proposed legislation says."
- EFF via Steve Gibson [139:11]: "One state's terrible law is attempting to break VPN access for the entire Internet, and the unintended consequences of this provision could far outweigh any theoretical benefit."
- Steve Gibson [63:41]: "We have a prompt examiner [AI] which is in front of the domain LLM, and the prompt examiner has the job of deciding whether this is a malicious prompt or not. And if you say =coffee, the prompt examiner goes, 'oh, okay, and you can pass.' These are not the droids you're looking for."
Timestamps for Key Segments
| Segment | Timestamp |
|--------------------------------|-----------|
| Show theme preview | 00:00 |
| Main topic—Banning VPNs | 115:30 |
| EFF analysis | 127:47 |
| CNET on Michigan law | 127:53 |
| UK/Global trends | 150:18 |
| WhatsApp enumeration flaw | 75:29 |
| Cloudflare outage report | 83:40 |
| AI guardrails bypass | 53:27 |
| Pressure for software liability | 98:39 |
Analysis and Takeaways
Legislative Overreach and Technical Naiveté
- State-level efforts to control online morality risk catastrophic overreach and are based on fundamental misunderstandings of network technology.
- Attempts to ban VPNs are unenforceable and damage legitimate interests (personal privacy, business, education, activism).
Privacy Erosion as Legislative Collateral Damage
- As geofencing and age verification efforts proliferate, demand for VPNs and privacy tools will soar; so will attempts to criminalize or block their use.
- Vulnerable populations—those who most depend on privacy—are disproportionately harmed.
The Limits of Automated Controls (AI and Legislation alike)
- Whether it’s AI guardrails or legislative attempts to fence in the internet, determined users and creative attackers find ways around blunt controls, often with unintended harmful consequences.
Closing Thoughts
Steve and Leo end with a mixture of amusement (“Equals coffee!”) and genuine concern about the direction of internet regulation—especially as it threatens privacy, freedom, and even the practical functioning of the modern web.
"Lawmakers need to abandon this entire approach. The answer to 'how do we keep kids safe online?' isn’t destroy everyone's privacy." – EFF (via Steve Gibson) [149:40]
For thorough technical explanations, expert legal context, and pointed humor, listen to the full episode.