Login

r/vpnet

VPN laws across US states as of May 6, 2026 (Utah becomes the first restricted state)
▲ 1.3k r/vpnet+1 crossposts

VPN laws across US states as of May 6, 2026 (Utah becomes the first restricted state)

Utah Senate Bill 73 takes effect tomorrow, May 6, 2026. It is the first US state law that specifically restricts VPN use, and it does so in two ways:

  1. Anyone physically in Utah is treated as a Utah user for age-verification purposes, regardless of what their IP address says. The website carries the legal risk if it guesses wrong.
  2. Covered websites are barred from telling visitors how to use a VPN to bypass age checks. The EFF has flagged this as a First Amendment concern.

The EFF has called it a "liability trap" because there is no reliable way for a website to detect VPN traffic and pinpoint a user's actual physical location. The only systems that come close are China's Great Firewall and Russia's TSPU. The likely outcomes: sites either block every known VPN IP, or force every visitor on Earth into an ID check.

Wisconsin tried something similar earlier in 2026 and walked it back. The UK and France have signaled they want to move in the same direction.

We put together a map of where every US state currently stands and a full breakdown of what SB 73 actually does: https://s.vp.net/ot4Is

EDIT 5/7: Great news! The law in Utah has been blocked temporarily!
https://www.sltrib.com/news/politics/2026/05/06/why-utah-now-requires-porn/

u/V3R1F13D0NLY — 6 days ago
▲ 178 r/vpnet+4 crossposts

California fines GM $12.75M for selling driving data of hundreds of thousands of drivers to LexisNexis and Verisk. Largest CCPA penalty on record.

The California Attorney General announced this week that GM agreed to a $12.75 million settlement over a four-year practice (2020 to 2024) of selling names, contact information, precise geolocation, and driving behavior of hundreds of thousands of California drivers to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The brokers built a driver-rating product out of the data and sold it to auto insurers, who then used it to raise premiums for drivers in states where that's legal. Nationwide, GM made roughly $20 billion off this category of data sharing.

A few details worth knowing:

  • California drivers weren't hit with rate hikes because state law blocks insurers from using driving data to set premiums. Drivers in other states paid for it.
  • GM has 180 days to delete the data, request the same of the brokers, and stay out of the consumer reporting agency business for five years.
  • This is the 8th CCPA enforcement action under AG Bonta and the first one to use the 2023 data minimization rule.

The brokers themselves haven't been named in any enforcement action, only the source of the data. Should the brokers be on the hook too, or is GM the right pressure point when the data originated with them?

Full breakdown with all source links here: https://s.vp.net/6nTTy

u/V3R1F13D0NLY — 7 days ago
▲ 6 r/vpnet+5 crossposts

vpn basically lets you pretend youre somewhere else on the internet

u/Economy-Rip5676 — 6 days ago
▲ 43 r/vpnet+3 crossposts

The Kremlin has been throttling the internet and blaming security threats. Many Russians aren't buying it

cbc.ca
u/Economy-Rip5676 — 8 days ago
▲ 14 r/vpnet+2 crossposts

Three reasons why everyone should actually care about using a VPN

u/FriendHot7938 — 8 days ago
▲ 23 r/vpnet

Connecticut SB 4 passes House 141 to 6: data broker registry, one-request deletion, ban on sale of precise geolocation data, named federal agencies as a threat category

Connecticut's SB 4 cleared the House 141 to 6 and the Senate 31 to 4 back on April 23rd. Governor Lamont is expected to sign. It's being described as the strongest state privacy bill in years, and the specifics back that up.

Key provisions:

  • State-run registry of data brokers operating in Connecticut
  • A single deletion request mechanism that wipes a resident's data from every registered broker at once
  • Ban on the sale of precise geolocation data
  • Restrictions on the sharing of automated license plate reader information
  • Mandatory disclosure of facial recognition use in public spaces
  • Mandatory disclosure of algorithmic surveillance pricing

The unusual part is the sponsor's framing. Senator James Maroney, the lead sponsor, said the bill protects residents from data brokers, surveillance technology companies, and federal agencies. Naming federal agencies as a threat category in a state privacy bill is not standard. Most state laws stop at private-sector data handling.

The interesting question is whether the deletion mechanism actually works at scale once brokers are registered. California's Delete Act has a similar concept and the implementation has been slow. Connecticut's bill borrows from that playbook but adds the federal-agency language on top.

Full Write-Up & Source list here: https://s.vp.net/3Cfh9

u/V3R1F13D0NLY — 8 days ago
▲ 33 r/vpnet

Utah's SB 73, the first state law restricting VPN use, was frozen pending a lawsuit on the same day it took effect

Utah's SB 73 took effect Wednesday, May 6th. By the end of that same day, the Salt Lake Tribune was reporting that enforcement was already on hold pending a lawsuit. The bill makes websites liable for users who access age-gated content through a VPN, and it also bans those same sites from publishing how a VPN works. Civil liberties groups spent months warning Utah lawmakers that the First Amendment was going to eat the publishing-ban half before it ever got enforced.

Key points:

  • SB 73 took effect May 6, 2026, frozen the same day pending suit
  • Makes websites liable when users reach age-gated content via VPN
  • Bans those sites from publishing explainers on how a VPN works
  • Fight for the Future called the statute language "AI slop" and pre-endorsed any lawsuit filed
  • Passed 22-2 in the Senate, 66-1 in the House, three Republican dissents total

The publishing-ban portion is the obviously dead piece on First Amendment grounds. The liability-for-user-VPN-use portion is the more interesting question because it pushes legal exposure onto websites for what's happening on the network layer.

Additional reading with the full statute walkthrough and what comes next: https://s.vp.net/zbckd

youtube.com
u/V3R1F13D0NLY — 10 days ago
▲ 10 r/vpnet+1 crossposts

'Swiss Privacy" has more hole than Swiss cheese

A Swiss flag is not a firewall.

If a provider can log your IP address to 'monitor for abuse,' they can log it for a court order. If they can monitor a mailbox for 'safety,' they can monitor it for a government. They are not villains. They are administrators operating under whichever set of laws applies this week.

In 2021, Swiss authorities ordered ProtonMail to log a user's IP. ProtonMail complied. The architecture permitted it. Switzerland, it turned out, was a jurisdiction, not a guarantee.

bmail's API gateway runs inside an Intel SGX enclave. Client IP addresses are processed in hardware-isolated memory and never written to any storage. There is nothing to log because the architecture never permitted it.

Physically protected by hardware, not imaginary lines.

u/V3R1F13D0NLY — 12 days ago
▲ 27 r/vpnet+1 crossposts

Lavabit, an email provider, once printed 410,000 encryption keys in 4-point font on 11 pages, handed them to the FBI, then deleted the entire company

A clip from this week's Hide & Speak where we discussed the insane Lavabit story.

A court order arrived demanding the encryption keys that protected 410,000 user accounts. The founder complied... technically...

He printed every key in 4-point font across 11 pages and handed the physical stack to the FBI. 🤣 What a legend.

They were not amused. They demanded an electronic copy and gave him almost no time to produce it.

He chose option three. He deleted the company. 410,000 accounts and inboxes wiped overnight.

A few things worth pulling out:

  • The legal mechanism that forced the keys is still on the books
  • Most email providers would have complied without the printout stunt or the deletion
  • Users had no warning and no way to verify what was happening on the backend
  • This was not a hypothetical. It was a real court order, in 2013, against a real provider that thousands of people trusted with their email

The part that sticks with me is that the choice even existed. If the keys are accessible to the provider, they are accessible to anyone with a court order or anyone who compromises the provider.

For anyone who has read about this case before, what other providers do you think would have made the same call he did?

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

youtube.com
u/V3R1F13D0NLY — 13 days ago
▲ 19 r/vpnet

San Jose hit with federal class action alleging 474 Flock cameras committed 360 million Fourth Amendment violations in 2024

Three San Jose residents, represented by the Institute for Justice, filed a federal class action targeting the city's network of 474 Flock automated license plate readers. The complaint alleges the system logged every plate, every car, and every trip in San Jose, totaling roughly 360 million warrantless searches in 2024 alone. The lawsuit asks the court to shut the program down.

There's a second layer worth knowing about. 404 Media reported that ICE has been running searches through the Flock network without direct access. Friendly local officers run plate queries on ICE's behalf, with no warrant and no paper trail. So a system pitched to city councils as a local crime tool has been quietly functioning as a federal immigration dragnet.

For context, the Flock CEO has said publicly that he wants a license plate camera on every street corner.

If the court agrees that bulk plate logging is a Fourth Amendment search, what happens to the thousands of other cities running Flock networks under the same model? Does this kill the business or just force a warrant requirement?

More background on the suit and the ICE backdoor: https://s.vp.net/cbvq3

youtube.com
u/V3R1F13D0NLY — 14 days ago