Mozilla to UK Regulators: VPNs Aren't a Loophole, They're Plumbing

Mozilla just sent an open letter to the UK government, and the subtext is sharper than the text. After months of British politicians floating the idea of restricting VPNs, Mozilla decided someone needed to say the quiet part out loud: VPNs aren’t a loophole, they’re infrastructure. The letter is short. The implications aren’t.

How VPNs Became the Villain

The UK’s Online Safety Act kicked in last year, and the age-verification piece is where things got messy. Adult sites now require government ID uploads or face scans before you can access them. Britons did what people always do when friction shows up online — they routed around it. VPN downloads in the UK spiked overnight. A few free VPN apps shot to the top of the App Store charts within days.

Awkward for regulators. You pass a law, citizens shrug and install a workaround in ninety seconds. So a handful of MPs and Ofcom-adjacent voices started suggesting the next logical step: regulate the VPNs themselves. Hold providers liable. Restrict consumer access. The framing shifted from “VPNs are a privacy tool” to “VPNs are how lawbreakers operate.”

Mozilla’s Counter: This Is Roads, Not Burglary Tools

Mozilla’s letter to Ofcom makes one core argument: VPNs are everyday infrastructure, not specialty gear. Three points carry the weight.

First, the user base is mundane. Remote workers connecting to corporate networks. Journalists protecting sources. Aid workers, business travelers, anyone who’s ever opened a laptop in a coffee shop. Second, VPNs are the baseline defense against public Wi-Fi snooping — the kind of thing security teams have recommended for a decade. Third, and this is the one that should sting: whatever the UK normalizes, authoritarian regimes will copy. A British precedent becomes a Chinese justification. An Ofcom rule becomes a Tehran template.

The analogy Mozilla is reaching for is a familiar one in policy circles. You don’t ban highways because some drivers speed. You enforce against the behavior, not the medium.

Why Mozilla Moved First

The interesting part isn’t the argument — it’s the signatory. Google didn’t write this letter. Neither did Apple or Meta. A nonprofit foundation did. That’s not an accident. Mozilla isn’t dependent on ad revenue or government contracts in the way the trillion-dollar guys are. Privacy is literally its brand. It can afford to throw the first punch.

But read it as a starting gun. The UK’s approach is being watched in Brussels, Canberra, and Ottawa. Specialist VPN companies like Proton and Mullvad have been screaming about this for over a year, and the broader industry mostly stayed quiet. A browser maker going on the record changes the optics. This is no longer fringe-privacy-people vs. regulators. It’s becoming platform-builders vs. regulators, which is a fight with very different leverage.

The Real Fight Isn’t About Porn

Strip away the headline framing and the actual issue is this: how much of your online identity should the state see by default? UK-style age verification is, functionally, an ID layer on top of large parts of the web. Which site, which user, which timestamp — all loggable, all subpoena-able.

Today the requirement targets adult content. The infrastructure that gets built, though, is general-purpose. Once age gates exist as a technical and legal pattern, applying them elsewhere is a policy decision, not an engineering one. Political forums. Trade union sites. LGBTQ spaces. Mental health platforms. Anywhere a government decides “users should be identifiable,” the same plumbing works. That’s the slope Mozilla is pointing at, and it’s not theoretical — the scope of online age verification has expanded in nearly every jurisdiction that’s tried it.

What to Watch Next

The boring prediction: Ofcom thanks Mozilla for the input and changes nothing. The interesting prediction: the EU’s upcoming Digital Fairness Act consultations pick up the same VPN language, and suddenly this stops being a UK story. Watch which other browser vendors sign on to similar letters in the next sixty days. Apple’s silence here would be especially loud, given Private Relay sits in roughly the same conceptual space as a consumer VPN.

The old “security and liberty vs. law enforcement” debate just got a fresh skin. Which side you’re on probably feels obvious right now. The question worth sitting with is whether your answer holds up in five years, when the same toolkit is being used for something you didn’t see coming.