Source: Freedom of the Press Foundation — https://freedom.press/issues/how-journalists-rely-on-vpns-to-protect-press-freedom/
VPNs are often discussed in the U.S. now as a workaround for age-verification laws. For journalists, that framing is too small. A VPN can be the difference between a quiet investigation and a target seeing reporters coming.
Freedom of the Press Foundation argues that attempts to restrict or ban VPNs in response to age-verification evasion would carry a direct press-freedom cost. The point is not that VPNs solve every security problem. They do not. The point is narrower and stronger: reporters use VPNs to reduce specific, real ways their work can be exposed through ordinary internet infrastructure.
The press-freedom issue behind VPN restrictions#
Age-verification laws are spreading across parts of the United States. As those laws force users to prove age or identity before accessing certain online services, some Americans are using VPNs to avoid handing over personal information or to route around state-based access blocks.
That has pushed VPNs into the policy fight. According to Freedom of the Press Foundation, Utah has enacted a limited VPN-related measure tied to enforcement of its age-check law, and other states are considering similar approaches.
For lawmakers, the temptation is simple: if VPNs let users evade age gates, restrict VPNs. For journalists, the damage lands elsewhere. A VPN is not only a tool for accessing blocked services. It is part of the operational security stack reporters use when researching hostile subjects, protecting source relationships, and working on networks they do not control.
A VPN does one basic thing that matters here: it routes traffic through an external server, so the site or network being used does not see the reporter’s home, office, or newsroom IP address in the same direct way. That does not make a reporter anonymous against every adversary. It does reduce several common leaks.
Sensitive research can expose an investigation#
When a reporter visits a website, that website can log the visitor’s IP address. In some cases, the IP address may be associated with a newsroom, a media company, or a reporter’s workplace. If the website belongs to a company, political figure, agency, extremist group, or other subject under investigation, that log can become a warning system.
This is not a theoretical concern. Freedom of the Press Foundation points to a 2017 CyberScoop report involving a New York politician and his son, who were later convicted of corruption. They were reportedly tipped off to a New York Times investigation after IP addresses from the Times’ office appeared in web server logs for a company the men were accused of illegally aiding.
That example is useful because it is mundane. No elite spyware was required. No dramatic breach was needed. A server log did what server logs do: it recorded visitors. The operational mistake was letting newsroom infrastructure announce interest in the target.
A VPN changes that visible signal. If the reporter routes research through a VPN, the site sees the VPN server’s IP address rather than the reporter’s office or home connection. That may not defeat every tracking method. Browser fingerprints, logged-in accounts, cookies, malware, payment trails, and human mistakes can still identify a user. But it can prevent one of the simplest and most damaging disclosures: the target learning that a newsroom is looking.
For investigations, timing is often protection. A subject who learns too early that reporters are digging can destroy records, pressure sources, coordinate a public response, or move assets. A tool that reduces early warning has value even if it is imperfect.
ISP records can create source risk#
Confidential sources depend on more than encrypted messages. They depend on the reporter not leaving avoidable trails that connect them.
Freedom of the Press Foundation highlights a second use case: shielding journalists and sources from records held by internet service providers. An ISP can see a subscriber’s internet activity at the network level, including domains visited unless protections are in place. In a leak investigation or another government inquiry, those records may become a target.
The risk is not only that an ISP record shows a journalist visiting a source’s personal website. It could show visits to a company or government site associated with a source. It could also expose peer-to-peer connection metadata in some communication scenarios, such as a voice or video call through apps like Signal or WhatsApp. Some modern apps include protections to hide IP addresses during calls, but the broader point remains: network metadata can reveal relationships even when message content stays encrypted.
A VPN limits what the ISP can see. Instead of seeing the final websites visited, the ISP sees a connection to the VPN provider. That can deprive the ISP of records that would otherwise be useful to investigators seeking to map a reporter’s research or contacts.
This is not magic anonymity. The VPN provider becomes a trust point. A weak provider, a logging provider, or a provider subject to legal pressure may create its own risk. Journalists still need to think about provider jurisdiction, logging claims, payment trail, device security, account separation, and whether Tor or another tool is more appropriate for a specific threat model.
Still, the trade-off is clear. Without a VPN, the local ISP has direct visibility into more of the reporter’s activity. With a VPN, that visibility is reduced and shifted. For many newsroom workflows, that is a material improvement.
Public WiFi is still an attack surface#
The third case is network exposure. Journalists often work from coffee shops, libraries, hotels, airports, courts, government buildings, conferences, and other places where they do not control the network.
A VPN can protect against some attacks on insecure WiFi by encrypting traffic between the journalist’s device and the VPN server. That matters when an attacker is monitoring traffic on the local network, abusing a compromised router, or operating in a place where the network administrator may log user activity.
HTTPS already protects much of the modern web, and that should not be understated. But a VPN can still reduce what the local network sees, including the sites being contacted. In a government building or other sensitive location, that can matter even if nobody is actively attacking the connection. Logging alone can create a record of what a reporter was researching.
The limit is just as important. A VPN does not stop phishing. It does not stop a malicious attachment. It does not prevent a reporter from installing malware. It does not secure a compromised phone. It does not make a logged-in social account anonymous. Treating VPNs as a total security shield is bad practice.
The correct claim is narrower: VPNs help against network-level observation and some traffic-interception risks. That is enough to make broad restrictions dangerous.
What lawmakers should not flatten#
The policy debate around age verification tends to flatten VPNs into an evasion tool. That misses legitimate, high-stakes uses.
Journalists use VPNs because ordinary internet systems leak operational details. Websites log visitors. ISPs hold records. Public networks can be watched. Those facts affect reporting on corruption, national security, abuse of power, extremist groups, and companies under scrutiny.
A VPN ban or restriction would not only make it harder for some users to bypass age gates. It would remove or weaken a practical safety layer used by reporters and, by extension, their sources. The burden would fall hardest in sensitive reporting where exposure can change the outcome of an investigation.
The better policy question is not whether VPNs can be used to evade a law. Many general-purpose tools can be misused. The question is whether the enforcement mechanism damages protected work that depends on private research and confidential communication.
On the evidence FPF cites, the answer is yes: restricting VPN access creates a real press-freedom risk.
Practical takeaways for journalists#
Reporters should not treat a VPN as a one-click anonymity product. It is one layer.
Useful checks:
- Use a VPN when researching hostile or sensitive targets, especially sites that may log and review visitor IPs.
- Do not conduct sensitive research from a newsroom IP address if the target could see that traffic.
- Remember that a VPN shifts trust from the ISP to the VPN provider. Pick carefully.
- Keep phishing and malware defenses separate. A VPN will not save a compromised device.
- For high-risk source work, match the tool to the threat model. A VPN may be necessary but not sufficient.
The policy takeaway is simpler. If states restrict VPNs to enforce age-verification rules, they are not only regulating consumer circumvention. They are touching the infrastructure journalists use to keep investigations quiet and sources safer.