The VPN Ban
The Catch 22 of a Denial
One of the problems faced by lawmakers is that the laws they make can only be enforced within the jurisdiction. That is what is referred to as the principle of territoriality. Laws do not have an extraterritorial effect. A person who steals something from a supermarket in Sydney cannot be prosecuted for theft in the New Zealand Courts. Why? Because the offence did not take place within the territorial jurisdiction of New Zealand.
There are very few laws that are designed to have extraterritorial effect. And those that do must undergo a careful level of scrutiny before a State will assert jurisdiction elsewhere than in its own territory.
A real challenge to the traditional concepts of territoriality and extraterritoriality comes when you consider the impact of the Internet – a global communications system which although elements of it are physically grounded within certain jurisdictions, in other aspects presents as a borderless system.
What happens, for example, when an online publication emanating from the United States contains defamatory material about a well-known Australian. Where would that person go for the purposes of damages. Would he sue in the USA where defamation law is bound up with freedom of expression principles? Or would he sue in Australia, where defamation law is a little more plaintiff-friendly?
The High Court of Australia held that defamation involved publication. And jurisdiction to hear a case about defamation depended upon the place of publication. One argument was that publication was in the USA. That was where the material emanated. But the Court said that publication in fact took place where the defamatory material was seen and comprehended. And because the online publication had Australian subscribers who read and comprehended the material in Australia then that element of defamation had taken place in Australia and the Australian Courts could hear the case.
Now that conclusion would mean that an action in defamation might lie in any jurisdiction where the publication was seen and comprehended and that was a tactic that was adopted in the early days of the Internet by one Dr Godfrey who made claims against Internet publishers in a number of different jurisdictions although many of his claims were settled.
The issue of jurisdiction in a world without borders is a highly complex one although it has its intellectual fascinations. But it comes into sharp focus when it the effectiveness of a local law is dependent upon enforceability within the jurisdiction.
What happens if there is a technical means by which a local law involving offshore internet based social media platforms can be circumvented.
Here is the problem. As is well-known there is a proposal before Parliament that access to certain social media platforms should be restricted for those under the age of 16.
I have already written about the problems of age verification in such a proposal, and that age verification will apply not only to under 16’s but to anyone else who may wish to open a social media account with the relevant platform.
But what happens where an under-16 can use a circumvention tool to fool the platform that they are not in New Zealand but in another jurisdiction where the social media age restrictions do not apply, thus allowing them to sign up.
Taking a lesson from copyright law the answer would be to pass a law restricting the use of circumvention devices.
The device that might enable circumvention of the age restrictions proposed is known as a VPN – a Virtual Private Network.
The Education and Workforce Select Committee Report on Online Harms flagged the problem with VPNs. It said
“Parents and caregivers can also choose to download third-party parental control applications on devices. These may be easier to circumvent as young people may be able to uninstall the apps. Network-level controls, such as network filters offered by ISPs, or internet router-based filtering, can be bypassed using a VPN or mobile data.” (P. 29)
Under the heading in the report “Reducing opportunity to evade restrictions” the report stated:
“Virtual private networks (VPNs) as a means to evade restrictions—We acknowledge there is well-founded concern that age restrictions on social media could be evaded by young people using VPNs. There is a very real risk of this in any situation where geo-blocking is the primary intervention. We recommend that this is an area for further exploration by the regulator.”(P. 33)
And
“Collaboration with online platforms to limit VPN use—We are aware that online platforms may share our interest in limiting users’ ability to use VPNs to bypass any restrictions on using their platforms. We encourage the Government to explore this further.” (P. 33)
Both ACT and the Greens opposed restrictions on VPNs.
It is clear, therefore, that the Government was aware of the fact that VPNs could be used to circumvent age restrictions. The question was whether or not it was going to do anything about it.
Before I proceed to consider that question it may be helpful to understand what a VPN does, the uses that such devices might have and also the dangers inherent in them.
What is a VPN?
A VPN, or Virtual Private Network, is a technology that creates an encrypted connection — usually called a tunnel — between your device and a remote server, so that all your internet traffic passes through that server before reaching its destination. The name captures the idea well: it’s virtual because no dedicated physical line connects you to the server, private because the traffic is encrypted, and a network because your device effectively becomes part of the remote network it connects to.
Normally, when you visit a website, your device sends data through your local network (say, café Wi-Fi) to your internet service provider, which routes it across the internet to the destination. Two things are exposed in this arrangement. First, anyone controlling infrastructure along the way — the Wi-Fi operator, your ISP — can see where your traffic is going, and if it’s unencrypted, what it contains. Second, the destination website sees your real IP address, which reveals your approximate location and identity to your ISP.
A VPN inserts an intermediary that solves both problems: observers near you can only see that you’re talking to a VPN server, and the destination only sees the VPN server, not you.
Let’s Get Technical
1. Establishing the tunnel. When you switch on a VPN, your device (running VPN client software) contacts the VPN server and performs a handshake. During this handshake the two sides authenticate each other — typically using certificates or pre-shared keys — and negotiate encryption keys using public-key cryptography, so that even someone watching the handshake can’t derive the keys. Common protocols governing this process include WireGuard, OpenVPN, and IKEv2/IPsec.
2. Encryption. Once the tunnel is established, everything your device sends is encrypted before it leaves. Modern VPNs use strong symmetric ciphers such as AES-256 or ChaCha20. Encryption happens at the operating system level, so it covers all traffic from your device, not just your browser — apps, background services, everything.
3. Encapsulation. This is the clever bit. Your original data packet — which contains the true destination address, say a news website — is encrypted and then wrapped inside a new packet addressed to the VPN server. Think of it as sealing a letter inside a second envelope addressed somewhere else. Your ISP handles and delivers the outer envelope but cannot open it to see the inner one. All it knows is that you’re sending traffic to a VPN server.
4. Decryption and forwarding. The VPN server receives the outer packet, strips it off, decrypts the contents, and finds your original request inside. It then sends that request onward to the real destination — but using its own IP address as the source. From the website’s perspective, the visitor is the VPN server, perhaps in another city or country entirely.
5. The return journey. The website’s response goes back to the VPN server, which encrypts it and tunnels it back to your device, where the client software decrypts it and hands it to your browser or app. All of this happens continuously and fast enough that you generally don’t notice, apart from some added latency.
Uses for VPNs
VPNs are one of those technologies where the legitimate uses vastly outweigh the illegitimate ones, and where the illegitimate uses mostly involve things that are already illegal anyway.
Legitimate Uses
Security on untrusted networks. This is probably the most common everyday use. When you connect to Wi-Fi at an airport, café, or hotel, your traffic passes through infrastructure you have no reason to trust. A VPN encrypts that traffic so the network operator (or anyone snooping on it) can’t read or tamper with it. For anyone handling banking, work email, or health information on public Wi-Fi, this is basic hygiene.
Remote work. Corporate VPNs are foundational to modern business. Employees working from home connect to company networks through VPNs to access internal systems securely.
I used a VPN (supplied by the Ministry of Justice) when working away from the Court. It was the only way I could access work in progress that required a high degree of security.
Banning VPNs would essentially break remote work for a huge share of the economy, including government agencies themselves, which rely heavily on them.
Protection from surveillance and profiling. Your internet service provider can see every site you visit and, in many countries, is legally permitted to sell that data to advertisers. A VPN prevents that kind of commercial surveillance. Privacy from data brokers is a legitimate interest even for people with nothing to hide.
Safety for vulnerable people. Journalists protecting sources, activists in authoritarian countries, domestic abuse survivors hiding their location from a stalker, whistleblowers, and LGBTQ people in countries where their identity is criminalised all depend on VPNs. In these cases a VPN can literally be life-saving.
Circumventing censorship. In countries that block independent news, VPNs are often the only way citizens can access accurate information. This is why authoritarian governments are the ones most eager to ban them, which is itself telling.
Research and testing. Security researchers, developers testing how services behave in different regions, and businesses checking how their ads or sites appear internationally all use VPNs routinely.
Illegitimate Uses
VPNs can be used to hide criminal activity (fraud, hacking, distribution of illegal material), to evade law enforcement, to violate terms of service (streaming content licensed for other regions), or to bypass legitimate institutional controls like school or workplace filters.
Criminals do use them to obscure their tracks.
But this is true of nearly every useful tool. Cars enable getaway driving; encryption protects both dissidents and criminals; cash facilitates both groceries and money laundering.
We don’t ban these things because the underlying activities are what’s illegal, and banning the tool punishes millions of legitimate users to inconvenience a minority of bad actors — who, notably, are the group most willing and able to break a VPN ban anyway.
I have VPN software. It was offered to me by a software provider with whom I deal. Ironically, when the social media ban was first mooted the VPN software was advertised as a way of getting around such restrictions and preserving online privacy. But I had deployed the software well before the social media ban was front of mind.
I use the software in very limited circumstances. One of the issues that I have with the online world is the way in which geoblocking takes place. This means basically if content is available on the Public Broadcasting System (PBS) in the US, that content is available for those in the US. If I want to view something on PBS (and they have some excellent content) the website checks my Internet Protocol number (IP) which determines my geographical location. When it sees I am not in the US access is denied.
Enter my VPN. The software I use allows me to indicate which country I want to “be” in. If I choose Los Angeles in the US the software “spoofs” my IP number so that the PBS website thinks I am in the US and presto – access to content.
Some providers are aware of this work around. Amazon Prime in the US and the US variety of Netflix have systems that can detect if a VPN is being used and will deny access and at the same time tell you why. This has nothing to do with whether or not I have a contract with Amazon Prime and Netflix (I do).
Back to the VPN Ban
Over the last few days there has been some furious publicity about a possible VPN ban.
Remember – the problem of VPNs had been signalled and it was a topic that required some work. The UK was contemplating a VPN ban as part of its social media restrictions provisions but have decided not to.
Henry Cooke in The Post wrote that it understood from multiple sources that a VPN ban or restriction was part of Erica Stanford’s plan.
Sources (leaks) indicated that the VPN issue was soon to be before Cabinet. Thus the proposal had reached the point where a Cabinet paper was in contemplation.
This is not beyond the realms of possibility. The Education and Workforce Report had flagged VPNs as a means by which age restrictions could be circumvented and recommended that the matter receive further consideration.
And let us not forget the spectre of the Department of Internal Affairs (DIA) which sits like a shadow over these proceedings. Let us not forget that the DIA has significant funding precisely for the purposes of implementing a policy that is not yet crystallised.
There was pushback that followed Henry Cooke’s revelations and on 7 July 2026 Henry Cooke wrote that
“Erica Stanford says Government not pursuing VPN restriction after ACT rules it out”
In fact the Government messaging has gone even further to suggest that a VPN ban was never considered. There have been a number of articles in Mainstream Media to the effect that a VPN ban was not on the table.
This raises a number of interesting issues. One is that VPNs were on the table and that is made clear from the Select Committee Report. It is therefore facile to say that a ban was never considered.
Had Erica Stanford truly dismissed the possibility of a VPN ban she should have couched it as a rejection of the suggestion in the Select Committee Report. The present messaging is a denial further down the track but the next issue is whether it was necessary to deny that something was contemplated that was never contemplated.
This demonstrates a curious almost Catch 22 quality to Government messaging – to couch the message as a denial. A review of some of the articles is quite revealing
7 July 2026 - Erica Stanford says Government not pursuing VPN restriction as part of social media ban - after ACT rules it out
7 July 2026 - Government denies it’s looking to ban or restrict VPNs
7 July 2026 - Erica Stanford claims VPN ban never considered, NZ First says early proposal could have led to ban and digital IDs
That article contains the following observation:
“A criticism of the proposed ban is that it can be easily circumvented with a VPN. This criticism was made in a select committee inquiry that looked into digital harm and a potential ban. The committee said there was a “well-founded concern” VPNs could be used to evade a ban and recommended further exploration of the issue. Both the Act Party and the Green Party submitted a minority view saying they disagreed with any crackdown on VPN use.”
7 July 2026 - Ryan Bridge: National needs Labour’s support on its social media bill
7 July 2026 - Erica Stanford claims Government never considered VPN ban
7 July 2026 – Erica Stanford: Education Minister explains why Government not looking to ban VPNs
This is a selection of sources that I have tracked down. There are others.
What follows from this is that there has been a concerted effort by the Government to step back from a VPN ban because politically it would be a bridge too far.
There is no doubt that Luxon is right behind this proposal. He sees it as a vote winner. It removes him from the image of a “business guy” to that of a social reformer. Depending on the survey between 65% and 74% of the NZ public supports a social media ban for children under 16. Politically it is a winner.
He has handed the project to Erica Stanford as the lead – a dedicated committed person who is results focussed and is intolerant of opposition. She wants to put forward a workable solution, ignoring the fact that age verification has significant privacy and intrusiveness elements that would give the State and the DIA significant surveillance over Internet activity. She effectively is the Thomas Cromwell to Luxon’s Henry VIII.
There is opposition to the proposal from ACT and in some respects from NZ First. Without their support, National will not achieve its goal. So National is looking for cross-party support from Labour. And they will get it. Although Hipkins will whine about having to see the language of the legislation, the Labour Left will be right behind it. They have long seen regulation of Internet platforms as a goal from the days of the Safer Online Services and Web Platforms proposals from the DIA.
It is perhaps extraordinary that National would turn to Labour for help as they will have to do. They must be keen on this regulatory invasion of the parental space to go so far. But it perhaps demonstrates an uncomfortable reality about some members of the National Caucus, including their leader, who may be characterised as Labour Lite.
Conclusion
Clearly the VPN proposal was not going to fly and was quickly kicked for touch along with the expected flurry of denials. Perhaps an example of protesting too much, methinks.
It is of interest to speculate as to what might be proposed.
A prohibition on the distribution of VPN tools? Easily circumvented. Just access an overseas supplier.
A prohibition on the possession on VPN software? It could be policed based on the use of such a tool but that would involve a level of surveillance of Internet activity that would be incompatible with even a society as regulated as that of New Zealand.
A prohibition on the use of VPNs? Likewise a surveillance issue is a concern.
And if there were some blockage of access to VPN distribution sites, before such a proposal was implemented it would be a simple matter to download the software and store it in a Cloud account (Mega or One drive for example) or store it on a USB stick. That being the case the environment for a flourishing blackmarket would be in place.
The issue reduces to this.
A VPN ban would fail on its own terms while causing real damage. Determined criminals would simply use illegal VPNs, foreign servers, or other obfuscation tools, since they’re already breaking laws.
Meanwhile, the compliant majority would lose security on public networks, businesses would lose secure remote access, and vulnerable people would lose protection.
It would also hand ISPs and governments complete visibility into citizens’ browsing, which is a serious civil liberties concern regardless of who is in power at any given moment.
Enforcement would be technically messy too, since VPN traffic is hard to distinguish from other encrypted traffic without deep packet inspection, which itself raises privacy problems.
There’s also a signalling problem: the countries that have banned or heavily restricted VPNs (China, Russia, Iran, North Korea, Turkmenistan) are not company most democracies want to keep. The bans in those countries exist primarily to control information, not to fight crime.
But then, control of information is what the under 16 restrictions are all about.




A great summary of VPN technology. There is peer-reviewed research that identifies the problem facing online teens isn't so much social media as ubiquitous access to smart phones. https://pmc.ncbi.nlm.nih.gov/articles/PMC12588125/
Beneath all of this too is a desire by Forces of Evil and Darkness to control access to and content on the internet. Developments in the UK provide some insights as to where all of this censorship nonsense may end.
One of the best summaries of VPNs. I have several of the free ones on my computers, they are OK, but not quite in the same league as Surfshark, a pay to use one. I have worked for 3 organisations now that required VPNs for access to their network, presumably MPs and public servants would also? Have they given a moments thought to this?
I had not thought of downloading VPNs onto a USB stick, but will now, given the childish trash ex politicians. And yes the black market for these will be welcome!
On the matter of extra-territory law, it’s fascinating to watch the legal battle just starting between the UK OFCOM and the 4Chan site in the USA