Utah's New VPN Law Hits Tomorrow and the Endgame Isn't Utah

A Gen-Xer's Take on a Chess Match the VPN Industry Started

Remember when the internet was just somewhere you went? You'd dial up, the modem would do its handshake song, and you were in. AOL or Geocities or Yahoo or whatever. Read the news, hit a chatroom, log off. Nobody was building a permanent file on you. Nobody was selling your search history to ad brokers. Nobody was crafting laws about what you could and couldn't see based on whether you were "really" in Idaho or just pretending to be in Idaho.

Yeah. Funny how that worked out.

Tomorrow, May 6, 2026, Utah Senate Bill 73 takes effect. The first US state law that explicitly holds websites liable for users who access them via VPN. And before you scroll past because you don't live in Utah, hang on a second. Because what's happening tomorrow in one state is the opening move of something a lot bigger, and the VPN industry walked us right into it.

The Law Itself Is a Dud

Let's get this part out of the way. Utah SB 73 targets websites that host material harmful to minors, requires those sites to verify users are 18 or older, treats VPN users as if they're physically located in Utah even when they aren't, and prohibits anyone from publishing instructions on how to use a VPN to bypass the age check. EFF, NordVPN, and TechRadar have all flagged the law as technically impossible to comply with as written. Wisconsin tried to pass a near-identical bill in February 2026, got laughed off, and shelved it. Utah pushed through anyway.

If the law were the whole story, this would be a short article. The law is not the story. The trajectory is.

What Happens If This Goes Federal

Utah is one state with about 3.4 million people. Most readers don't live there and might be tempted to file this under "not my circus, not my monkeys." Fair. So let's run the thought experiment that puts skin on the bone. What does this country look like if Congress passes a federal version of SB 73 in the next two years? It's not a wild question. Twenty-five other states already have age verification laws on the books in some form. The dominoes are already lined up. Somebody just has to flick the first one.

The first thing that changes is the websites. Right now sites can choose how aggressively to block VPNs based on their own appetite for risk. Federalize this and "optional best practice" becomes "your legal exposure if you don't." Every adult site, every social platform with content moderation obligations, every sportsbook, every cannabis retailer, anything that touches state-level liability starts treating known VPN IP ranges like radioactive waste. Not just the explicitly age-restricted stuff. Anything that creates exposure.

The CAPTCHA wall thickens for everyone. Cloudflare and Akamai start treating VPN traffic as presumptively suspicious by default, the way Reddit already does. Legitimate VPN users (journalists, abuse survivors, business travelers, privacy-conscious normal people who just don't want their ISP selling their browsing history to data brokers) start solving CAPTCHAs to load almost any page. The internet gets a little more hostile, a little more annoying, a little more "are you really a human?" every day.

The big consumer VPNs respond by quietly buying residential IP ranges. They're already doing this, by the way. Instead of routing your traffic through clean datacenter IPs, they route it through compromised home routers and paid residential proxy services. You're paying a VPN to use someone else's home internet connection. The cost of operating a VPN goes up, margins get squeezed, smaller providers get acquired or fold. The big ones stick around but get noticeably worse, the same way airlines got noticeably worse after deregulation. Same energy. Same era. Different industry.

That's just the opening move. The interesting move is what comes next.

The VPN Industry Set This Table

The reason a federal Utah-clone won't be the end of it is that step one doesn't actually work. Teenagers can spin up a five-dollar WireGuard tunnel on AWS in about ten minutes. Residential proxies are indistinguishable from home traffic. The infrastructure to actually enforce these laws does not exist and cannot be built. Step one fails to do what it was supposed to, which is exactly when step two shows up. And step two is when VPN providers themselves become liable.

"If you let a Utah resident use your service to bypass age verification, you're liable." This isn't speculation. The UK House of Lords has already voted to ban VPN use for under-eighteens. France's digital affairs minister said in early 2026 that VPNs are "next on my list." The wave is already breaking on other shores and it's coming here.

And here's the part that nobody in the VPN industry wants to admit, so I'll say it. They walked us into this.

The big consumer VPNs spent the last decade marketing maximalist anonymity. Proton. Mullvad. NordVPN. Surfshark. ExpressVPN. The pitch was "we cannot be touched. We see nothing. The government cannot reach us." They built billion-dollar businesses on that pitch. They sponsored every YouTuber on earth. They made privacy theater into a subscription product. And governments, who have a job to do whether you like that job or not, watched an entire category of business publicly announce that it was engineered to defeat lawful process. Then they started writing laws.

The reaction is to an action. The customer demand was always pretty modest. People wanted to read the news without their ISP selling that data to brokers. They wanted to use coffee shop WiFi without getting their email password sniffed. They wanted to feel like the internet didn't have a permanent file on them. That's a small ask. The industry could have answered it with a small product. Instead they answered with a fantasy of being uncatchable, oversold the fantasy, kept oversupplying it, and now we're all going to eat the regulatory consequences together.

You can disagree with what the government does. That's fine. Healthy, even. But picking a public fight with the United States government and broadcasting that you're engineered to defeat them? That's not a strategy. That's how you get the laws written that come for you. Nobody beats the house. Even WarGames figured that out, and the computer in WarGames was an early-80s mainframe.

The Privacy Conversation Got Hijacked

Take a step back from Utah for a minute. The whole reason this debate has narrowed to VPNs is that VPN companies have spent ten years hijacking the privacy conversation for their own marketing. "VPN equals privacy." "Get a VPN to protect yourself." Hundreds of millions of dollars in YouTube sponsorships, podcast reads, affiliate networks paying out per signup. The result is that when an average person thinks "I want privacy online," they think VPN.

It's a tiny piece of the actual problem.

Your browser is broadcasting a fingerprint that uniquely identifies you to every site you visit, and it's stable across sessions whether you have a VPN or not. Your phone is sending your location to ad networks every few minutes, and the FBI buys that data without a warrant because it's commercially available (look up "Fog Reveal" sometime when you want to ruin your afternoon). Your smart TV reports what you watch. Your car reports where you drive. Your Ring doorbell reports who knocks. None of that is fixed by a VPN. None of it.

But a VPN is what gets sold, because it's a subscription product with affiliate margins and a thirty-second ad read. The actual surveillance pipeline running through your devices, the one that makes a VPN almost cosmetic by comparison, doesn't have a thirteen-dollar-a-month upsell to fight against it. So nobody talks about it. Nobody's getting paid to talk about it.

Even the warrant canary thing is mostly theater. We run one for SafeNet because customers expect it, and not running one looks like we're hiding something. The honest truth, which we say on our own website, is that warrant canaries have never been tested in court. Nobody actually knows if they'd hold up. It's a low-effort credibility signal that the industry trained customers to demand instead of doing the harder structural work of just collecting nothing in the first place.

The Part Where I Actually Talk to You

I've been around long enough to remember when "going online" was a verb that meant something specific. I'm a child of the eighties. Latchkey kid generation. We came home, did our homework, watched MacGyver, and dialed into BBSes when our parents weren't on the phone. The internet of that era was small and weird and full of strangers, and nobody was monetizing the experience because there was nothing yet to monetize. You logged on, you read stuff, you logged off. The computer didn't follow you around.

That feeling is what the privacy market is actually selling. Not invisibility. Not Guy Fawkes. Just a little bit of that old internet where you weren't a product. People want their browsing to feel like 1999 again, and the VPN industry has been monetizing that feeling for a decade by promising more than what people actually wanted. They didn't want to defeat the FBI. They wanted to read CNN without an ad network logging the visit and selling it to seven brokers before the page finished loading.

That was the small product. That was the easy answer. The industry skipped over it and went straight to selling the cape and the cowl, and now the cape and the cowl are getting legislated out of existence.

Where This Lands

The VPN market is going to split in two within a few years. On one side, compliant commercial VPNs that log everything, KYC at signup, operate in US jurisdiction or somewhere the US can pressure. Many of them are already owned by companies whose actual business is monetizing your data; you just don't know because the ownership is buried three holding companies deep. (Kape Technologies owns ExpressVPN, CyberGhost, and Private Internet Access. Most "VPN review sites" you've ever read are owned by VPN companies. The whole space is wallpaper for an advertising business.) These survive but they're surveillance with extra steps. The pitch becomes "trust us with your data instead of your ISP," which, when you say it out loud, kind of falls apart.

On the other side, self-hosted and architecturally minimal services. People who care spin up their own WireGuard tunnels on AWS or Hetzner. Five bucks a month. Works fine. Unless you've got the chops, you're not doing this. And you shouldn't have to.

The middle gets squeezed out. The "we promise we don't log, please trust us" tier either complies (becoming indistinguishable from the surveillance tier), gets blocked at the network level (foreign-jurisdiction providers refusing US logging mandates), or restructures architecturally to be uncompellable. The third option is the only one that's actually interesting, and it's the only one that doesn't end with the customer either getting tracked or kicked off the network. But it's hard, because it requires designing a service where the data the government wants does not exist in the first place. Most providers can't get there from where they are. Their whole business is built around collecting customers, not avoiding them.

That third lane is where SafeNet lives. We don't pretend you're invisible. We don't promise you can't be touched. We don't pick fights with the United States government we know we'd lose. We run a small, curated, transparent VPN for adult Americans who want to read the news without their ISP selling that data. The configs are public. The blocklists are plain text files anyone can download. We collect almost nothing because there's almost nothing worth collecting. That's the whole pitch. One link. Moving on.

The Honest Read

VPNs aren't dying. The maximalist VPN model is dying, and the difference between those two sentences is the whole article.

The companies that promised more than they could deliver are about to be forced to either deliver it or stop selling it. The companies that quietly designed for the actual problem (a tunnel that doesn't announce you, run by people who collect nothing because there's nothing worth collecting) are going to look more relevant in two years than they do today. Smaller. Quieter. Less Hollywood. Closer to what the original idea was supposed to be before some marketing team decided privacy needed to be a superhero franchise.

Utah's law won't survive constitutional challenge. EFF is already lining up. But the precedent is what matters. Twenty-five other states are watching what happens tomorrow, and at least a few of them are taking notes. The internet was built to route around censorship. It will route around this too. The question is who's still standing when it does, and what their service looks like once the dust clears.

If it ends up looking a little like dialing into a BBS in 1989, when nobody was watching and the computer didn't follow you home, that's not a regression. That's the point.

Welcome back to the old internet. It's been a minute.
