Why the War on VPNs Will Be Lost

\ The pattern is older than the internet — and the infrastructure of circumvention has won every previous round. \ When governments lose the argument, they reach for the infrastructure. This is not a new story. It is a pattern that has played out, with remarkable consistency, for the better part of five hundred years. The current global push to restrict, regulate, and outlaw VPN technology is the latest chapter in a long sequence: a regime declares an emergency, restricts the threatening medium, takes control of the infrastructure that distributes ideas, and finally criminalizes the workarounds. The medium changes — books, pamphlets, radio, encrypted email, peer-to-peer protocols, VPN tunnels. The human pattern doesn't. I run a privacy company, and I've spent the past twelve years building the kind of infrastructure that governments under narrative pressure tend to find inconvenient. Sixty million users across the United States, Europe, and emerging markets now rely on what my team has built. From that vantage point, the question isn't whether the current global wave of restrictions will succeed. It won't. The interesting question is what the historical record actually tells us — because most of it is not the story most people expect. \ The Printing Press Was Once the VPN To understand the current war on VPN technology, the most useful place to start is the workshop of a German goldsmith named Johannes Gutenberg, around the year 1450. Gutenberg's movable-type printing press did something the Catholic Church had spent four centuries successfully preventing: it made the production and distribution of unauthorized ideas economically viable for ordinary people. The Church's response was the most sustained and disciplined attempt to control information distribution in European history. The Index Librorum Prohibitorum — the Index of Forbidden Books — was promulgated in 1559 and updated, edition after edition, for over four centuries, until it was finally abolished in 1966. It listed thousands of authors and titles whose reading was forbidden to Catholics. Enforcement was real: people lost positions, suffered imprisonment, and in some cases were executed for printing, possessing, or distributing banned works. It did not work. Martin Luther's writings, formally banned, were printed in clandestine workshops across the German states, the Netherlands, and northern Italy and distributed across the continent within years of being condemned. Erasmus, Galileo, Voltaire, Diderot, Rousseau, Hugo — generations of European authors found themselves on the Index, and generations of European readers found ways to read them anyway. By the time the Index was finally retired in 1966, it had become not a tool of effective censorship but a marketing device. An author's appearance on the list frequently boosted their sales. The pattern: a powerful institution recognizes that a new distribution technology threatens its narrative authority. It deploys legal, social, and economic tools to control the technology. The technology continues to operate, sometimes openly and sometimes underground. The institution's controls become, over time, less a barrier to information than a monument to its discomfort with what its own subjects want to read. \ The Crypto Wars Were the Direct Precedent The closest historical analogue to the current VPN debate isn't a centuries-old printing-press story. It happened thirty years ago, in the United States, when the federal government attempted to control civilian access to strong cryptography. In the early 1990s, encryption software was classified by the U.S. as a munition. Exporting strong cryptographic tools — including software capable of protecting ordinary email — required a license under the International Traffic in Arms Regulations. The position of the federal government, in essence, was that mathematics above a certain key length was a weapon of national consequence and could not be freely distributed. The position did not survive contact with reality. In 1991, a programmer named Phil Zimmermann released a piece of software called PGP — Pretty Good Privacy — which allowed ordinary users to encrypt their email with a level of security that civilian tools had not previously offered. The federal government opened a criminal investigation against Zimmermann. While the investigation was active, PGP was distributed globally through every channel that bypassed export controls: it was printed in a paperback book and shipped abroad (a paperback being a constitutionally protected form of speech, not a munition); it was uploaded to international FTP servers by anonymous third parties; it was passed hand-to-hand on floppy disks at hacker conferences. By 1996, the federal government dropped the investigation. The export controls themselves quietly collapsed in 1999. By the early 2000s, strong cryptography was simply part of the standard internet stack. The other major intervention of this period was the Clipper Chip — a proposal that all telecommunications equipment include a government-accessible backdoor. Industry, civil liberties advocates, and a coalition of cryptographers organized against it. By 1996, Clipper was dead. The Crypto Wars were over. The civilian cryptography community had won. This is the most direct historical precedent we have for the current debate, and it is worth dwelling on because the pattern is identical: a government identifies a technology as threatening to its surveillance and enforcement model. It deploys legal restrictions, criminal investigation, and lobbying pressure on industry. The technology spreads anyway, because the underlying demand is real and the infrastructure to meet that demand is globally distributed. Eventually the government recognizes the controls are unenforceable and quietly retreats. It happened with PGP in the 1990s. It is happening now, in slower motion, with VPN technology. The 2016 Apple-FBI dispute over the San Bernardino iPhone is a useful coda. The FBI sought a court order compelling Apple to write software that would weaken the security of iOS. Apple refused. Before the legal question was decided, the FBI announced it had found another way into the phone using a third-party tool. The case was withdrawn. The conclusion the technology industry drew was unambiguous: encryption backdoors are not politically achievable in the United States, and even when a specific government wants one, the alternative tooling already exists. \ One Example From the Other Side of the Wall There is, however, one example from twentieth-century Soviet history that belongs in this story, because it captured the underground-infrastructure dynamic more clearly than any Western parallel: samizdat. Samizdat — literally "self-published" — was the network of typewritten, hand-copied, and clandestinely distributed literature that circulated in the Soviet Union from the 1950s through the 1980s. The mechanics were primitive. A person with access to a manuscript would type a copy using carbon paper, producing perhaps five or six legible duplicates. The duplicates would be passed to trusted readers. Some of those readers would re-type, producing more duplicates. The infrastructure was distributed, decentralized, and required no center. The KGB recognized samizdat as a structural threat and tried to dismantle it. Distributors were arrested, manuscripts confiscated, typewriters tracked through registries. None of it worked at the scale that mattered. The samizdat infrastructure outlasted the security apparatus that tried to suppress it. By 1991, when the Soviet system collapsed, the writers and philosophers whose work had circulated through samizdat were public intellectuals. The system that had spent decades trying to suppress them was gone. The reason samizdat matters as a precedent for VPN technology is that the underlying mechanism is the same. Both are responses to information scarcity created by infrastructure control. Both build distributed networks of trust around banned content. Both prove difficult to suppress because the suppression cost grows faster than the enforcement budget. The difference is scale. Samizdat at its peak reached perhaps a few hundred thousand readers in the Soviet Union. Modern VPN infrastructure reaches hundreds of millions, runs on a foundation of open-source code, and is maintained by a global development community that no single government can compel. \ The Current Wave The contemporary version of the pattern is distributed across multiple regions and political systems, which is part of what makes it worth examining as a pattern rather than as a list of unsavory governments. Russia, China, Iran, and Myanmar have each enacted aggressive restrictions on VPN technology over the past several years, documented in detail by Freedom House's annual Freedom on the Net reports. Less commonly noted in the same conversation: the United Kingdom's Online Safety Act, in its current enforcement phase, has produced exactly the demand spike the historical pattern predicts. When age-verification requirements for adult content sites took effect in 2025, VPN apps moved to the top of the UK App Store charts within days. The European Union's recurring Chat Control proposals — periodic attempts to mandate client-side scanning of encrypted messages — have not passed in their strongest form, but they keep returning. Australia's eSafety commissioner has expanded content-takedown powers since 2022. India and Pakistan have used periodic internet shutdowns as routine instruments of crowd control during protests and elections. Access Now's monitoring documented at least 296 internet shutdowns in 54 countries during 2024 — a record number. Freedom House's Tunnel Vision report identifies anti-censorship tools, including VPNs, as actively blocked in at least 21 of 72 countries surveyed. The point of cataloging this is not to draw moral equivalence between governance systems. It is to recognize that the impulse to control distribution infrastructure when narrative authority is contested is not a marginal phenomenon limited to a handful of regimes. It is the default response across the political spectrum. \ Why the Pattern Loses There are several structural reasons the current global push will, on a long enough horizon, fail. The most important is that VPN technology is now core economic infrastructure, not just political tooling. A complete ban would break corporate remote access, secure banking sessions, cloud services, and basic enterprise security. This is why every regime that pursues consumer VPN restrictions ultimately has to maintain "approved" tunnels — and any approved tunnel is mathematically identical to an unapproved one. China's decade-long approach has been to permit corporate-grade VPN deployments while restricting consumer use; the underlying protocols are the same. You cannot make a technology available for legitimate use and unavailable for unauthorized use, except by degree. The second is that restrictions reliably increase demand. When Russia blocked Meta platforms in 2022, VPN demand spiked to roughly 2,088 percent above the typical daily baseline in the days before the block took effect, according to Top10VPN data reported by Reuters. The UK saw the same pattern in 2025. The mechanism is unavoidable: restriction signals to users that infrastructure is contested, and demand follows the signal. The third is asymmetry of adaptation. When VPN websites are blocked, mirror sites appear within days. When standard protocols are fingerprinted by deep-packet inspection, obfuscation layers and pluggable transports emerge. When Tor itself is blocked, users adopt bridges and Snowflake — a system, originally documented by the Electronic Frontier Foundation, that allows ordinary users worldwide to run temporary proxies that help people in censored regions reach the open internet. One protocol-design change defeats months of regulatory drafting. The asymmetry favors developers because developers iterate faster than legislatures. The fourth is cost. The Internet Society's policy work has documented that internet shutdowns reduce economic growth, undermine trust in infrastructure, impair business continuity, and damage emergency-services communications. A government can temporarily defeat individual citizens, but it pays in degraded national digital-economy capacity. As more economic activity migrates onto digital infrastructure, that cost compounds. The bill comes due. The fifth is the Lindy effect. Distribution infrastructure that has survived multiple attempts at suppression tends to survive future ones, because each round of attempted suppression produces a hardened, more decentralized version of the infrastructure. PGP went underground in 1991 and emerged as the standard for end-to-end encryption. BitTorrent emerged from the wreckage of Napster. Tor emerged from U.S. Naval Research Laboratory research before becoming the most widely deployed anonymity network in the world. The infrastructure of circumvention is now diversified across thousands of organizations, hundreds of jurisdictions, and a developer community measured in millions. \ The Symptom, Not the Cause The deepest point in the policy debate, the one that rarely gets stated plainly, is that VPN technology is not the cause of state-citizen friction over information flow. It is a symptom. If citizens of any country need a VPN to access ordinary global infrastructure, the state has already lost the trust argument before the VPN arrived. When the state then attacks the tools of bypass, it is implicitly acknowledging what the actual opponent is: not a foreign website, not a messaging app, not a specific encryption protocol — but the independent choice of individual humans. That choice has been the constant across the historical record. The communication infrastructure changes — Gutenberg's press, PGP, BitTorrent, Tor, consumer VPN — but the underlying demand to compare, verify, and communicate without supervision does not. The pattern of governance systems trying to control distribution while people build infrastructure around the controls is older than the modern state and shows no sign of ending. The current global wave of restrictions will run its course. Individual services will be blocked. Individual users will be fined. App stores will be pressured into removing apps. None of this will succeed in its primary objective, because the underlying infrastructure is now too distributed, too economically embedded, and too globally maintained for any single jurisdiction to dismantle. The Index of Forbidden Books lasted four centuries before it was retired. The Crypto Wars lasted a decade. The current wave will run its course on whatever timeline the political moment allows. The end state is the same. The infrastructure wins. It always has.