What the UK's Online Safety Act Reveals
DSA vs OSA: the EU regulates platforms, the UK regulates users. VPNs become more than privacy tools. They signal a shift in digital trust.
In the days following the UK's Online Safety Act (OSA) coming into force, VPN sign-ups in Britain surged by more than 1,400%, according to ProtonVPN. A technical footnote perhaps but also a social signal. Many users, it seems, are choosing to route around their own infrastructure.
While VPNs are often associated with data privacy in cafés or the occasional attempt to access geo-restricted media, this spike points to something deeper. A growing unease with state-mediated access to the open web.
A Tale of Two Regulatory Models
The European Union and the United Kingdom are now walking divergent regulatory paths:
- The Digital Services Act (DSA), which governs the EU (including the Netherlands), regulates platforms. It demands transparency, risk mitigation, and accountability for how platforms operate and moderate.
- The Online Safety Act (OSA) in the UK shifts attention away from platforms and toward end-users and network-level restrictions. It introduces provisions that can compel providers to restrict access or scan for certain content, even if that content is legal but considered "harmful."
The distinction matters. The DSA structures responsibility; the OSA enforces access.
Rob Hoeijmakers
VPNs as a Response to Infrastructure Control
Technically, VPNs do one thing: they obscure origin. That’s all. But socially, that act carries weight. The current surge suggests that British citizens no longer trust the neutrality of their connection. They are moving toward encrypted, transnational routes. And not to break the law, but to stay outside its expanding scope.
A VPN becomes not only a privacy tool but an infrastructural form of dissent.
Identity and Access: A Subtler Shift
Underpinning this shift is the changing nature of digital identity.
In most Western countries, your online identity is still largely constructed through accounts and cookies. But increasingly, access is tied to IP-level data, device fingerprints, and national infrastructure. If legislation pressures internet service providers to monitor or filter based on content types or user activity, then identity ceases to be opt-in. It becomes ambient. Attached to your location. Your device. Your movements.
Even Apple's end-to-end encryption, long a benchmark for user privacy, has come under pressure in the UK. In 2023, the British government proposed that Apple should build a backdoor into encrypted iMessage content to allow for content scanning. Apple refused and threatened to pull certain features from UK devices altogether. It was a standoff, not just over child safety, but over who owns the infrastructure of trust.
Clare Duffy, Lisa Eadicicco
Not a Protest, But a Migration
What makes the current VPN surge so telling is its tone. It’s not loud. It’s not organised. It’s infrastructural. A quiet migration. A layer deeper than opinion or debate, a user behaviour that speaks before words do.
We should listen carefully to what it says.
A Subtle Warning
This isn’t a call to digital arms. It’s not a critique of safety as a goal. But it is a note of caution. When safety is enforced by tightening access rather than improving trust, the cost may not be immediately visible. It shows up in migration. In circumvention. In users silently moving their data paths elsewhere.
And once users leave the default infrastructure, they may not come back.
"When infrastructure becomes policy, what options remain for those who disagree with the policy?"
Closing
The VPN surge is not the story. The underlying shift is. In a web increasingly defined by regulation, control, and traceability, tools like VPNs remind us that freedom is no longer a setting. It travels with the route you choose.
Rob Hoeijmakers
Rob Hoeijmakers