“Arguing that you don’t care about the right to privacy because you have nothing to hide is like saying you don’t care about free speech because you have nothing to say.”
Edward Snowden
Introduction
Clermont-Ferrand - 2010/2012
Back when I was studying computer science at an IUT, my day-to-day life was shaped by one exciting event after another. Apart from my various and varied projects such as a keylogger under Linux allowing me to access a friend’s Facebook account, it is above all the time of the release of first Raspberry Pi, the arrival of Free on the mobile market and the shutdown of Megaupload.
One of the technologies that fascinated me at the time was TOR. Total anonymity, until the USA created the majority of the nodes, thus making it possible to trace the origin of almost all of the traffic. TOR remains today a relatively robust anonymity solution, on condition of not offending the bad government. Bitcoin is based on the same principle. Not in terms of anonymity obviously, but for the question of uncensorability and the decentralization. Only, obtain the majority of computing power on Bitcoin is much more complex than creating half the nodes.
States have thus begun a legislative war in order to control the uncontrollable, gradually moving towards the ban on self-hosted wallets and the ownership of its assets. We’re not there yet, but we’re getting there.
And then everything accelerated. Since COVID, we have seen a series of bills gradually eating away at our privacy.
Chat Control, identity control… the world is moving towards a total elimination of anonymity.
What are the risks and issues? Of the solutions for not providing systematic proof of identity in a world where data theft are daily and the convictions low enough to become an “acceptable risk”?
Fasten your seat belts: we’re taking a journey into modern digital technology.
Chat Control: normalization of the loss of anonymity?
A little history: communications encryption has not always been legal. In the USA, the encryption tools were reserved for military use and strictly prohibited to civilians. This episode is known as “Crypto Wars”. We experienced the same episode in France where cryptographic means were democratized on June 21, 2004. These technologies have since been used on a daily basis in a transparent manner.
20 years later, all this is gradually being called into question.
Under the guise of combating sexual abuse of minors, the European Union has been working since 2022 on a text which marks a clear break with a fundamental principle: confidentiality of communications. This project bears the sweet name of Chat Control or CSA Regulation. But then, what is Chat Control? On May 11, 2022, the European Commission presented a proposal aimed at imposing obligations on digital service providers (messaging, emails, social networks, sharing platforms) to detect, report and remove content related to sexual abuse of minors, including in private communications. In the different versions debated since, one point remains: the possibility of imposing automated content detection in private messages, including when they are end-to-end encrypted. The text has not yet been definitively adopted, but it is structurally ready.
But don’t worry, the surveillance will be targeted. In theory. Defenders of the text insist on one point: detection orders would only be triggered in the event of “significant risk”, and presented as a last resort, under judicial supervision.
In fact, several elements pose a problem. Already, the notion of significant risk remains vague and largely interpretable. Then, the technologies considered are based on automated mass analysis, with documented false positive rates. And above all, the scope explicitly includes encrypted communications, which mechanically implies a questioning of their integrity and confidentiality.
These concerns are widely relayed in the European Parliament, including within political groups that are in favor of firm action against sexual crimes.
But let’s look at encryption for a moment. On a technical level, the problem is simple: there is no way to scan an encrypted message without weakening the encryption itself. The proposed solution, the client-side scanning, introduces a checkpoint directly to the user’s terminal. This mechanism creates an additional attack surface, can be diverted for other purposes (censorship, political surveillance) and breaks the promise of confidentiality made to users.
This is not a theoretical hypothesis. In October 2025, the president of Signal publicly indicated that the application could leave the European market rather than compromising its end-to-end encryption.
In any case, the heart of the debate goes well beyond the question of sexual abuse because it creates a dangerous legal precedent. Several MEPs, the European Data Protection Supervisor (EDPS) and numerous organizations point to a potential incompatibility with:
- Article 7 of the Charter of Fundamental Rights of the EU (respect for private life),
- Article 8(protection of personal data),
- and the consistent case law of the CJEU on the prohibition of generalized surveillance.
In practice, Chat Control introduced preventive control of all private communications, regardless of any individual suspicion. Welcome to Minority Report. It is precisely this shift from targeted investigation to surveillance by default that makes this text a major milestone in the gradual erosion of digital privacy in Europe. This milestone was also closely followed by other repressive measures against a backdrop of protection of minors: identity checks imposed to access social networks.
Social networks banned for under 15s in France: privacy as collateral damage?
On January 26, 2026, the French National Assembly adopted the central article of a proposed law prohibiting access to social networks for minors under 15 years old. Entry into force is planned for the start of the school year in September 2026, with full deployment of age verification mechanisms expected no later than January 1, 2027.
On paper, the objective is clear: protect adolescents from the harmful effects of platforms (addiction, exposure to harmful content, cyberharassment). In fact, the text poses a much more structuring question: how to prohibit without identifying? France already knew the concept of digital majority at 15 years old, introduced in 2023, which made registration on a social network conditional on a parental authorization below this age. This system has never really been applied, in particular because of legal blockages at European level and the absence of reliable technical mechanisms.
The text adopted in January 2026 goes further: it is no longer a question of regulating access, but of ban it outright. This semantic shift is far from trivial. It implicitly transfers the burden of proof to the platforms, and therefore to the users.
For such a ban to be effective, the platforms will have to put in place robust age verification mechanisms. However, to date, no technical solution makes it possible to verify the age of a user without collecting or processing identity data. The government assumes this half-heartedly: the verification will concern all users, including already existing accounts, minor or major. This mechanically implies the generalization of systems of digital identity or official supporting documents, the creation of additional sensitive databases, and increased traceability of online uses.
Because yes, beyond the registration verification, the platforms will not take any risk. If they one day have to prove that a given user is an adult in court, they will not just do the verification, then delete the identity documents: they will keep everything to cover themselves. In other words, a measure presented as targeted at minors reconfigures access to social networks for the entire population.
This movement is part of a broader European framework. In July 2025, the European Union has explicitly opened the way to national regulations on the age of access, as part of the Digital Services Act (DSA), leaving it to the Member States to set the terms and conditions. The problem is not so much the protection of minors, a widely shared objective, as the method chosen: a ban technically applicable only at the cost of a structural weakening of anonymity and online privacy. It is this gap between the stated intention and the systemic implications which makes this text particularly revealing of the time.
Finally, one point remains largely under-addressed in the public debate: the very qualification of “social network”. Platforms like YouTube occupy a gray area. They combine social functionalities (comments, subscriptions, algorithmic recommendations) with a role that has become central in access to knowledge, including school. For a middle school or high school student, YouTube is today a massive source of educational content(mathematics, sciences, languages, computer science), support for popularization often more accessible than textbooks.
However, legally, YouTube fully falls within the European definition of an online platform service as formulated by the Digital Services Act (DSA), since it allows the public distribution of content and interaction between users. The French text adopted in January 2026 does introduce certain exclusions: online encyclopedias, non-profit educational directories, but commercial platforms with educational use are not explicitly protected. Their fate will depend on implementing decrees, lists established by ARCOM and regulatory choices that have not yet been stabilized.
The risk is therefore concrete: restrict access to essential educational resources, not by intention, but by regulatory side effect. A classic paradox of contemporary digital policies: wanting to protect without distinguishing, and ending up impoverishing access to knowledge while strengthening control mechanisms. Thus, users wishing to maintain a minimum of privacy will probably turn to the eternal solution to all legal restrictions: the VPN.
Or maybe not…
United Kingdom: identity checks in the background of VPN use?
The United Kingdom today offers a very concrete overview of what regulation based on generalized age verification produces: a progressive shift in control, from content to the network access tools themselves.
Since the entry into effective application of the Online Safety Act, on July 25, 2025, platforms distributing content deemed sensitive are required to implement “highly effective” age verification mechanisms. In practice, this means: scanning of official documents, bank verification or age estimation by facial recognition.
Unsurprisingly, this obligation has led to an explosion in VPN use in the United Kingdom. From the first week of application, Proton VPN indicated an increase in more than 1,400% of registrations, a phenomenon confirmed by several publishers and independent observers. This circumvention poses an obvious problem for the authorities: if access to a service depends on location and identity, VPN becomes a regulatory obstacle.
Officially, at this stage, VPNs are not banned and no text today requires identity verification for their use as such. But several weak signals converge. In December 2025, a cross-partisan House of Lords committee proposed an amendment aimed at prohibiting the use of VPNs by minors, by imposing security mechanisms on VPN providers age or even identity verification, under penalty of sanctions. The reasoning is clear: platforms must verify age, VPNs make it possible to bypass these verifications, so they become a link to regulate.
Even without formal adoption of this amendment, the Ofcom has already indicated that platforms should neither encourage nor facilitate the use of VPNs to circumvent controls, and that additional obligations could emerge if the circumvention becomes massive.
Let’s be clear: what is at stake here goes far beyond the question of adult content. By conditioning Internet access to proof of age and identity, then by seeking to restrict the tools allowing anonymity to be preserved, the United Kingdom outlines a model where access to the network becomes traceable by default and where privacy protection tools are suspected a priori.
A VPN is no longer a security or privacy tool but is becoming a political issue. This shift is central to understanding future debates on privacy in Europe. It announces a future where the question will no longer be just what you view, but with what tools you have the right to do it.
Future challenges: anonymity, an anomaly?
Taken separately, the measures mentioned so far serve noble causes. Fight against sexual abuse, protection of minors, content moderation, accountability of platforms… Each text has its own justification.
The problem is multiple: decline in privacy with each new measure, accumulation of imposed regulations and convergence towards a model where States are omniscient. Given the almost daily frequency of data theft and the absence of deterrent penalties, adding more data collection would only harm citizen security.
Furthermore, in line with the video surveillance mechanisms deployed during the Olympic Games and continued thereafter, our government and its successors will have a complete toolbox to control, identify and arrest just about anyone. This shift was identified very early by the European Data Protection Supervisor. In several opinions issued since 2023, the EDPS emphasizes that the generalization of age and identity verification mechanisms creates a structural risk: that of transforming exceptional measures into permanent surveillance infrastructure, without the citizen really having the possibility of avoiding it.
Thus, anonymity ceases to be a normal state to become a suspicious exception. The tools which until now made it possible to preserve a form of discretion (strong encryption, VPN, anonymizing networks) are no longer perceived as legitimate security mechanisms, but as obstacles to regulation. The United Kingdom perfectly illustrates this dynamic: it is no longer just the content that poses a problem, but the technical means allowing it to escape controls.
This paradigm shift also poses a security problem that is often overlooked. However, European cybersecurity agencies regularly remind us that encryption and the protection of privacy are not antagonistic to public security. They are an essential component, particularly for journalists, whistleblowers, sensitive professions or citizens living under authoritarian regimes. Weakening these mechanisms for reasons of regulatory compliance amounts to weakening the entire ecosystem, including those whom these measures claim to protect.
Criminals, then activists, then political opponents or curious journalists… No one will be safe anymore. The dark web, the object of all fantasies, is not only the den of crime. It is also a space where information can circulate outside the scope of dictatorships. Same for Bitcoin and VPNs (for the moment). This is precisely what Alexander Stachchenko emphasized in his Praise of anonymity: anonymity is neither a militant posture nor a refuge for deviant behavior. It constitutes a functional condition of freedom of expression, experimentation and, more broadly, democracy in digital spaces.
The question that now arises is therefore no longer whether these measures are motivated by good intentions. It is about understanding what network model we are standardizing and to know if we accept that anonymity becomes a deviation to be corrected.
What solutions to protect your privacy?
The first step is to abandon a stubborn illusion: privacy is no longer a state that can be turned on or off. It is constantly negotiated, at the intersection of technical constraints, political choices and daily uses.
In this context, the democratic question becomes central. The decisions that are redefining digital access are today taken without real explicit consent of the population. They are technical, hard-to-read laws, even though they profoundly transform fundamental freedoms.
Submitting this type of choice to strong democratic mechanisms such as a referendum would at least reintroduce a simple principle: what lastingly modifies the conditions for exercising freedoms should not be an electoral blank check. The argument that “you voted, so we decide” reaches its limits here. But democracy supposes something other than a one-off right to vote. It presupposes access to quality information. However, this prerequisite is increasingly weakened.
Indeed, basic knowledge of cognitive biases and manipulation techniques is only taught in specialized schools. However, it is an essential tool for any citizen with the right to vote, in a world where every politician, every guest on stage, masters rhetorical tools at the tip of their fingers.
In France, almost 90% of the media are controlled by a handful of billionaires, an observation documented for a long time, notably by the documentary Media Crash and by several convergent journalistic investigations. This concentration is not neutral: it promotes spectacular information, polarized and often reduced to TV debates, to the detriment of investigation, verification and epistemic prudence. ARCOM, failing to defend quality and sourced information, is officially responsible for guaranteeing pluralism. However, its action remains occasional and limited, its choices based on hearing the channel owners rather than on a strict analysis of the content offered. The recurring criticisms of Reporters Without Borders point to a structural inability to correct the most flagrant imbalances, even when these are documented on massive volumes of data. Regulation exists, but it struggles to produce effects commensurate with the democratic issues it is supposed to protect.
Added to this democratic deficit is the confusion surrounding privacy protection tools. VPNs, so-called “privacy-friendly” browsers and tracker blockers are often presented as solutions in themselves. In reality, they only shift trust. Using a VPN, for example, does not remove collection; it comes down to choosing who you trust with your metadata. The European Cybersecurity Agency also points out that these tools must be evaluated as components of a system, with clear limits and explicit threat models, and not as universal shields.
This complexity has a consequence that is rarely acknowledged: privacy tends to become a privilege of experts. When truly effective solutions involve renting servers abroad, deploying your own VPN infrastructures, and mastering the underlying network and legal layers, a large part of the population is de facto excluded. The protection of privacy is then no longer an effective right, but an advanced technical skill, accessible to those who have the time, means and knowledge.
This is undoubtedly the most worrying point. A freedom that can only be exercised at the cost of expertise is not freedom. As long as the response to the decline in privacy relies primarily on individual adaptation, it will reinforce inequalities instead of correcting them. And this is precisely why the question of solutions cannot be dissociated from that of the political and democratic framework in which they fit.
Conclusion
The question of privacy is no longer a technical debate reserved for specialists, nor an abstract clash between security and freedom. It has become a societal choice, often formulated without really being stated. Texts accumulate, devices overlap, and anonymity recedes in the name of the common good.
What is striking, when reading these developments, is not so much their brutality as their trivialization. Surveillance becomes preventive, identification becomes implicit, and protection tools end up appearing suspicious.
Privacy has never been synonymous with impunity. It has always been a condition for freedom of expression, experimentation, dissent and, more broadly, democracy. Weakening it sustainably in the name of its own protection is a paradox whose effects can never be measured in the short term.
There remains a simple question, but rarely phrased like this: in a digital world where every access is conditioned, every exchange potentially inspectable and every identity verifiable, what remains of freedom by default?
Until this question is asked collectively, the answers will continue to be provided for us, without us.
Bibliography
- Council of the European Union – Preventing and combating child sexual abuse online: https://www.consilium.europa.eu/en/policies/prevent-child-sexual-abuse-online/
- European Parliament – Parliamentary question E-10-2025-003250: https://www.europarl.europa.eu/doceo/document/E-10-2025-003250_EN.html
- European Parliament – Parliamentary question E-10-2025-003993 (Signal & encryption): https://www.europarl.europa.eu/doceo/document/E-10-2025-003993_EN.html
- European Parliament – Parliamentary question P-10-2025-003246: https://www.europarl.europa.eu/doceo/document/P-10-2025-003246_EN.html
- Regulation (EU) 2022/2065 – Digital Services Act: http://data.europa.eu/eli/reg/2022/2065/oj/eng
- Euronews – France: ban on social networks for under 15s (January 26, 2026): https://fr.euronews.com/my-europe/2026/01/26/france-linterdiction-des-reseaux-sociaux-aux-moins-de-15-ans-approuvee-par-lassemblee-nati
- Leclaireur Fnac – Digital majority at 15: https://leclaireur.fnac.com/article/318418-reseaux-sociaux-la-majorite-numerique-a-15-ans-definitivement-adoptee-par-le-parlement/
- The Specialist – Ban on social networks for minors in France: https://www.lespecialiste.be/fr/actualites/la-france-adopte-un-texte-interdisant-les-reseaux-sociaux-aux-moins-de-15-ans.html
- Euronews – Supervision of social networks and DSA: https://fr.euronews.com/2025/11/19/france-une-proposition-de-loi-pour-encadrer-lutilisation-des-reseaux-sociaux-par-les-mineu
- Le Parisien – What does the text on the ban on social networks contain?: https://www.leparisien.fr/politique/interdiction-des-reseaux-sociaux-aux-moins-de-15-ans-que-contient-le-texte-26-01-2026-OGLTHWOCJNCYLMTQTZ3KO6PKEA.php
- Ofcom – Online Safety Act & age assurance: https://www.ofcom.org.uk/online-safety
- The Guardian – UK online safety law leads to surge in VPN use: https://www.theguardian.com/technology/2025/jul/30/uk-online-safety-law-leads-to-5m-extra-age-checks-a-day-and-surge-in-vpn-use
- Euronews – VPN searches skyrocket in the UK: https://www.euronews.com/next/2025/07/28/searches-for-vpns-skyrocket-in-the-uk-after-new-online-age-verification-rules-enacted
- Full Fact – Claims about VPN bans in the UK: https://fullfact.org/technology/uk-internet-vpn-users-id-false/
- TechRadar – UK Lords proposes ban on VPNs for children: https://www.techradar.com/vpn/vpn-privacy-security/uk-lords-propose-ban-on-vpns-for-children
- Financial Times – UK considers further action on VPN circumvention: https://www.ft.com/content/abe78aa2-6e62-419b-925c-9818e86e7179
- European Commission – eIDAS 2.0 & European Digital Identity Wallet: https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
- ENISA – Data Protection Engineering: https://www.enisa.europa.eu/publications/data-protection-engineering
- ENISA – Cryptography & Encryption: https://www.enisa.europa.eu/topics/cryptography
- ENISA – Privacy Enhancing Technologies Control Matrix: https://www.enisa.europa.eu/news/enisa-news/enisas-pets-control-matrix-a-tool-to-evaluate-online-and-mobile-privacy-tools
- CNIL – Control my data: https://www.cnil.fr/fr/maitriser-mes-donnees
- Regulation (EU) 2016/679 – GDPR: https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Reporters Without Borders – Lack of pluralism and ARCOM: https://rsf.org/fr/d%C3%A9faut-de-pluralisme-sur-la-cha%C3%AEne-fran%C3%A7aise-cnews-rsf-saisit-l-arcom
- Wikipedia – Media Crash (film): https://fr.wikipedia.org/wiki/Media_Crash_(film)
- Alexandre Stachtchenko – In praise of anonymity: https://www.linkedin.com/pulse/%25C3%25A9loge-de-lanonymat-alexandre-stachtchenko/