Utah Senate Bill 73 (effective May 6) makes websites liable if Utah-based users bypass age verification via VPN or proxy.
Key Takeaways
SB 73 legally defines a user as Utah-based by physical location, not IP, forcing sites to detect VPN use they technically cannot reliably perform.
IP reputation tools like MaxMind and IP2Proxy flag known datacenter ranges, but commercial VPNs rotate IPs and residential endpoints are indistinguishable from home connections.
ASN analysis catches datacenter traffic but cannot identify personal WireGuard tunnels running on cloud VPS infrastructure.
The law also bans covered websites from publishing instructions on using VPNs to bypass age checks.
No technically sound enforcement mechanism exists; compliance likely pushes sites toward blocking all known VPN IPs or applying global age verification to every visitor.
Hacker News Comment Review
Commenters broadly agree the law is technically unenforceable as written; self-hosted VPNs and residential endpoints are invisible to any detection method the law implicitly assumes.
The EFF-cited worst-case outcome – sites blanket-blocking all VPN IPs or requiring global age verification – is treated by commenters as the probable real-world result, not an edge case.
Several commenters see this as a template for federal action or KYC-style VPN regulation, framing it as early infrastructure for state-controlled internet filtering rather than a narrow child-safety measure.
Notable Comments
@kstrauser: uses personal router VPN while traveling to illustrate detection is impossible – “how is anyone expected to tell” traffic origin in this setup.
@mrbluecoat: raises the unanswered enforcement gap – self-hosted VPN options sit entirely outside any KYC or IP-blocking regime.
