r/vpnet

Utah Senate Bill 73 takes effect tomorrow, May 6, 2026. It is the first US state law that specifically restricts VPN use, and it does so in two ways:

1. Anyone physically in Utah is treated as a Utah user for age-verification purposes, regardless of what their IP address says. The website carries the legal risk if it guesses wrong.
2. Covered websites are barred from telling visitors how to use a VPN to bypass age checks. The EFF has flagged this as a First Amendment concern.

The EFF has called it a "liability trap" because there is no reliable way for a website to detect VPN traffic and pinpoint a user's actual physical location. The only systems that come close are China's Great Firewall and Russia's TSPU. The likely outcomes: sites either block every known VPN IP, or force every visitor on Earth into an ID check.

Wisconsin tried something similar earlier in 2026 and walked it back. The UK and France have signaled they want to move in the same direction.

We put together a map of where every US state currently stands and a full breakdown of what SB 73 actually does: https://s.vp.net/ot4Is

EDIT 5/7: Great news! The law in Utah has been blocked temporarily!
https://www.sltrib.com/news/politics/2026/05/06/why-utah-now-requires-porn/

Chris from bmail.ag here, the only verifiably private email service. I have been in the privacy industry for over a decade and have seen a ton of misinformation about email providers, so I'm helping set the record straight.

Drop your email provider below and I will tell you exactly how private it is, what their architecture actually does and doesn't protect against.

Proton, Tuta, Gmail, Yahoo, AOL, Outlook, Fastmail. No one's safe.

The perpetual can-kickers in Congress have issued a 45-day extension to their 10-day extension of their 20-day extension (seriously).

Does anyone in D.C. actually work when it doesn't benefit them directly? 🤦‍♂️

A Swiss flag is not a firewall.

If a provider can log your IP address to 'monitor for abuse,' they can log it for a court order. If they can monitor a mailbox for 'safety,' they can monitor it for a government. They are not villains. They are administrators operating under whichever set of laws applies this week.

In 2021, Swiss authorities ordered ProtonMail to log a user's IP. ProtonMail complied. The architecture permitted it. Switzerland, it turned out, was a jurisdiction, not a guarantee.

bmail's API gateway runs inside an Intel SGX enclave. Client IP addresses are processed in hardware-isolated memory and never written to any storage. There is nothing to log because the architecture never permitted it.

Physically protected by hardware, not imaginary lines.

Think about what a "no-logs policy" actually is. It's a company telling you "we could watch everything you do, but we promise we won't." That's it. That's the whole security model.

You're not buying privacy. You're buying a promise.

A handful of VPNs have done third-party audits, which is better than nothing, but an audit is a snapshot. It tells you what the logging looked like the week the auditors were in the building. It doesn't tell you what's happening on the server right now. And it means taking the word of a company paid by the VPN who knows they probably aren't getting that audit job next year if they make the VPN look bad.

The actual fix is architectural: build the system so the provider literally cannot see user activity, even if they wanted to. Hardware enclaves, remote attestation, cryptography that doesn't require trusting the operator. The math does the work the promise is currently doing.

So I'm curious where this community lands:

Is a no-logs policy + audit good enough for you?

Or do you think "trust us" should be obsolete at this point?

And if you've moved to something more verifiable, what convinced you?