Piccadilly Circus, London. Keir Starmer now demands state spyware on every mobile device, always watching the screen, scanning everything, looking for things the government disapproves of.

The UK government spyware demand means that the government decides exactly what should be censored on every mobile device. They say they will start with nude pictures (if you don’t identify yourself as an adult). But it could at any time be expanded to anything the government disapproves of. Today, 30 people are arrested every day in the United Kingdom for writing something online that the government classifies as "grossly offensive". It is obvious that they will use this tool to restrict free speech. Currently, there appears to be no requirement to report findings outside the device. However, with both legal and technological decision-making power taken away from individuals and transferred to the government, that is only a pen stroke away. This means that the government could also use this system for total mass surveillance. And they can do so in secret. The government recently, in secret, tried to pressure Apple (which is now agreeing to client-side scanning) to build backdoors into its end-to-end encrypted cloud service. They can do this under the Investigatory Powers Act 2016, also known as the "Snoopers' Charter" – a law that makes it illegal for tech companies to disclose secret demands from the government.

This is what the UK spyware proposal means. There must be government spyware on every mobile device. It shall watch everything that happens, including always watching the screen, looking for things the government disapproves of. When anything is flagged by the software as something the government doesn't like, the software must block it from being sent or displayed (in realtime). The user of the device must not be able to shut this watching and blocking off. The only way to shut it off would be to ask the government or its proxies to do so for you, at their discretion. Therefore the whole device must be locked down. Administrator rights and the decision of what software or operating system to run or not to run must be taken from the owner/user and handed to the government and its proxies. Apple and Google are themselves working hard to lock down the devices they are involved in to shut out competition and establish a duopoly. The UK government says it is "working closely" with Apple and Google and currently they synchronise and coordinate their communication on this subject. The UK government is now proposing to mandate what would otherwise be illegal anti-competitive practices. @GrapheneOS on the Apple and Google duopoly: x.com/GrapheneOS/status/2053… Statement from @signalapp x.com/signalapp/status/20640… @ReclaimTheNetHQ on the state spyware: reclaimthenet.org/starmer-ca… The government announcement: gov.uk/government/news/new-p…

Some politicians in the UK think it is a good idea to introduce identity verification for using VPN services. It could be that these politicians do not understand what they are proposing. The alternative, that they do understand, would be even worse. Whistleblowers, activists, and journalists depend on anonymous VPN services. Requiring identity verification for VPN services would put them at risk. It would also have a chilling effect on online debate (VPNs can help people post anonymously on social media). In authoritarian countries, VPN services are crucial forcriticizing the government. That is precisely why such governments seek to ban or restrict them. Hopefully, the UK will not join that list.

Is the UK on the verge of banning VPNs?   On May 26, the consultation intended to help the British government make decisions on age verification for websites, digital services, and social media platforms came to an end. Some form of restrictions regarding at least age limits for social media already appear inevitable; government officials have confirmed as much. The only question is what kind of restrictions will be imposed.   For example, the age verification restrictions could end up including VPN services. National restrictions for websites and social media can be bypassed using tools such as VPNs, virtual phone numbers, eSIM cards, Tor and dedicated services. It is therefore unsurprising that politicians have begun looking toward VPN services, which are the most common and accessible method of changing one’s geographic location.   In early 2026, the House of Lords sent an amendment(regarding the Children’s Wellbeing and Schools Bill) to the House of Commons, proposing an 18-year age limit for using VPN services. The House of Commons rejected the House of Lords amendment four separate times. However, the House of Commons instead introduced its own proposal, which was passed and has now become law. This agreement grants the government the power to introduce restrictions through secondary legislation, with only limited parliamentary scrutiny.   Unfortunately, the risk that the UK government will crack down on VPN services is real – effectively joining countries such as China and Russia in opposing VPN services. Officials have already hinted that they may consider introducing age restrictions for VPN usage under the slogan “No platform gets a free pass”.   If VPN services were to implement identity verification, this would mean collecting data that could be abused through either malice or incompetence. It would, for example, make such services risky for whistleblowers and activists, make it harder for journalists to work with sensitive information, and create a chilling effect on online debate (VPNs can help people post anonymously on social media). In a society like the UK, where 30 people are arrested every day for writing something online that authorities classify as “grossly offensive”, VPN services are an important tool for free speech.   If VPN providers were to impose an age limit on their service, this would also mean that underage users would effectively lose their right to online privacy. Ironically, one consequence would be that social media companies mapping people’s lives through third-party trackers on websites could continue monitoring young people’s online behavior via their IP addresses without any interference. In other words, politicians would remove one of the protections children have against the very companies they claim to want to protect children from.

So-called age verification for social media is spreading across the world, framed as an effort to create a safer internet for children. In reality, age verification lays the foundation for a fully controlled internet. The age verification rush must be slowed down, and politicians need to recognize the consequences of different types of legislation and systems. Age verification is the wrong approach to fix “the social media problem” The big tech social media companies are bad. Their business model is bad; it is based on mass surveillance and manipulation, and they cooperate with governments in mapping entire populations. But age verification is fundamentally the wrong approach to preventing children from using big tech social media platforms. Introducing age verification is based on coercion; the state forces social media companies to verify their users’ identities. But the big tech social media platforms already know which of their users are children. Their business model depends on knowing this. They know how old users are, and they know exactly what type of person they are. As age verification is based on coercion, politicians could instead force platforms to stop doing the things politicians consider harmful to children, or force them to block children (again, they know who they are) from using their services. But instead, politicians seek to massively invade everyone’s privacy and undermine democratic rights on a global scale. In other words, the latter is the real objective – they do not want to protect children; they want to impose control. Slippery slope of age verification It is undeniable that age verification threatens freedom of expression, risks increasing mass surveillance, and is likely to lead to censorship. It will not only shrink the online world and reduce young people’s right to privacy (for example, if VPN services were to be restricted); but also risks becoming a significant step toward a controlled internet for everyone. Most age verification is identity verification Most countries are now considering introducing age verification systems, meaning that everyone would have to identify themselves either to the service/website they want to use or to a third party capable of linking them to their activity on that service or website. This is not age verification but identity verification, and the consequence is therefore that freedom of information is restricted (you can no longer visit regulated websites anonymously) and that you can no longer post anonymously on social media. This is a major problem in countries like the UK and Germany where the police conduct raids on people’s homes for posting content on social media that the authorities dislike. Or in the United States, where authorities are trying to pressure tech companies into revealing the identities behind accounts protesting ICE. Social media identity verification removes important tools for activists in countries where criticizing those in power is dangerous. Restrictions on app store or operating system level Some countries are looking to impose identity verification at the app store level or even within the operating system itself. This is an exciting experiment, since this is possible to circumvent using open-source operating systems. Some countries are already looking to include open-source systems. Since open-source systems cannot be controlled, politicians would ultimately need to ban devices that are not controlled by the state. The end point: telescreens like those in Orwell’s 1984, devices that both monitor you and broadcast only the information approved by the state. The Zero-Knowledge Proof (ZKP) alternative and the EU The EU has presented its own age verification app as “completely anonymous”. The idea is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app ”is technically ready to be used”. But more importantly, the app is currently designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time. Read more on our site. mullvad.net/blog/age-verific…

The EU age verification app is presented as “completely anonymous”. But the risk is that member states (the countries are supposed to create their own versions of the open-source EU app) use it to introduce identity verification that makes it impossible to post anonymously on social media. The idea behind “completely anonymous” is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app ”is technically ready to be used”. But more importantly, the app is designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time. This means that the EU could decide at any time that ZKP may no longer be used, and in one stroke the app would fall back to its default mode, meaning that every post on social media carries an ID tag. By that point, an infrastructure will already have been rolled out; people will have gotten used to it, and it will be harder to roll it back. More details on mullvad.net/blog/age-verific…

Our Android app has for the second time passed MASA, a standardized security assessment, conducted by Leviathan Security Group. Read more: mullvad.net/blog/2026-securi…

On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users. We have a method which changes this behaviour currently being tested, with plans to begin rolling it out to our VPN servers in the coming weeks. Read more here: mullvad.net/blog/exit-ip-fin…

A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm Read more here: mullvad.net/blog/any-app-on-…

It’s absurd that American authorities can purchase personal data – that they’re not allowed to gather themselves without a warrant – directly from data brokers. This violates the Fourth Amendment, and it’s time to close the data broker loophole. Today, @RepThomasMassie, @RepBoebert and @naomibrockwell at the @LudlowInstitute introduced the Surveillance Accountability Act. It requires warrants based on probable cause for all government surveillance and data access. You can read more about it at surveillanceaccountability.c…

Apple's networking stack is preventing the iOS app from being as secure as possible, we have now secured our app to mitigate this despite the rough edges around the update procedure. Read more here: mullvad.net/blog/force-all-a…

This is Senate House in London. When George Orwell wrote 1984, the building served as the model for the headquarters of the Ministry of Truth (the propaganda ministry). The Ministry of Truth decided what was true, for example that 2 2=5. It was responsible for censorship and rewriting history, and it banned the word “free” in the sense of freedom. When we projected our banned TV ads onto buildings in London, we thought this would be a fitting location. Nineteen Eighty-Four was supposed to be a warning, not an instruction manual.

Chat Control 1 is dead. Let’s end Chat Control 2. Members of The European Parliament: stand firm in your position – no mass surveillance whatsoever!

Starting with 16.0a1 alpha release, Mullvad Browser Alpha is based on the Firefox Rapid Release channel rather than the Extended Support Release (ESR). The alpha release is now available on Linux ARM. Read more here: mullvad.net/blog/mullvad-bro…

No and then, Keir Starmer.

The only way we want our ads to come down. When people take them home. a) Keep them. b) Send them to Ashton Kutcher. c) Put them outside 10 Downing Street.

Our TV ads – under the concept And Then? – were banned in the UK, by Clearcast (an organization formed by the major TV channels in the UK which, on behalf of the authorities, must approve all TV advertising in the UK). Their arguments included: · “The overall concept lacks clarity.” · “It is unclear why certain examples are included, who the ‘speaker’ represents, and the role of individuals depicted in the car.” · “Several examples (e.g., paedophiles, rapists, murderers) risk causing serious offence and could imply that the VPN facilitates criminal activity.” · “Referencing topics such as: Paedophiles, Rapists, Murderers, Enemies of the state, Journalists, Refugees, Controversial opinions, People’s bedrooms, Police officers, Children’s headsets … is inappropriate and irrelevant to the average consumer’s experience with a VPN.” We think their arguments are nonsense. On the one hand, censorship and mass surveillance are escalating in the UK, through new laws, government pressure and proposed legislation. On the other hand, criticism of censorship and mass surveillance is being blocked through processes that are arbitrary and – to use their own words – unclear. When we tried to criticize the TV ads ban through outdoor ads, they were also banned by government bodies. We believe the situation is both Orwellian and Kafkaesque. You can watch all the banned ads and read more about escalating mass surveillance and censorship in the UK on our site: mullvad.net/and-then/uk And then? When our ads were banned on British TV, we took them to the streets instead and projected them onto walls in London.

Looking to be a star on CCTV?

Mass surveillance and censorship are escalating in many countries right now. There is a global attack on secure encrypted communication. Often, authorities, politicians, and tech companies work together to push for new laws. One example: when Ashton Kutcher (yes, the actor), through his tech company Thorn, tried to introduce total surveillance of all EU citizens through undemocratic and corrupt methods. First, Ashton Kutcher convinced the EU Commission that they could scan everything on an EU citizen’s phone or computer (messages, photos, emails, phone calls, all of it) for child sexual abuse material without, at the same time, looking at the content of other types of communication. And then? And then EU Commissioner Ylva Johansson presented the legislative proposal called Chat Control, which aimed to scan everything on all EU citizens' phones and computers (including conversations in end-to-end-encrypted messaging services). The message from the Commission was: we will only search for child sexual abuse material (CSAM). And then? And then experts from all over the world explained to her that the kind of scanning she was talking about (as Ylva described it: a drug-sniffing dog that can detect illegal content in a message without reading the message) simply cannot be done safely, and that Chat Control would mean the end of privacy and pose a security threat to all Europeans. Ylva responded with: “what about the children?” And then? And then it was revealed that Thorn, the organization founded by Ashton Kutcher and which had been lobbying for Chat Control from the beginning, was selling the kind of scanning technology that could be used for Chat Control – despite being registered as a charity organization in the EU’s lobbying registry. And then? And then it was revealed that Thorn, together with the EU Commission, had also started and funded “children’s rights organizations” that had supported the proposal. What appeared publicly to be charitable organizations were in fact lobby groups. And then? And then it was revealed that Europol wanted unlimited access and wanted to use the scanning for more than just child abuse crimes, saying that all data – also unfiltered and innocent material – should be stored because it “could at some point be useful to law enforcement”. And then? And then it was revealed that employees at Europol had joined Thorn, to lobby their old colleagues. And then? And then politicians in Brussels wanted to exempt themselves from the scanning. And then? And then the European Parliament, in an almost historic consensus, voted against the proposal and called Chat Control nothing but mass surveillance. As one of the members of the parliament said: “The Commission wasn’t focusing on protecting children but wanted mass surveillance.” And then? And then The Council of the EU (law proposals must go through both the Parliament and the Council), after three years of negotiation, finally reached a common position on Chat Control. The requirement for mandatory scanning (including end-to-end encrypted messaging services) was removed, which is a major victory, but several problematic elements remain in the Council's position. For instance, the Council wants to demand ID Control to use messaging services (including end-to-end encrypted). And then? And then, in 2026 the final negotiations began, between the European Commission, the European Parliament, and the Council of the EU. At the same time, the European Commission is working on a Plan B, through the initiative Going Dark/ProtectEU, where they once again try to force total surveillance (this time organized crime is the excuse) on the citizens of the EU. And then? youtube.com/watch?v=fPzvUW8q…