Your phone knows where you are.
getty
It’s now certain 2026 will begin with two of the most intense privacy debates we have seen in years. Should encrypted messages be scanned for illicit content. And should VPNs be restricted or banned, killing the anonymity they bring.
Both are being pushed under the guide of online child safety. But as EFF warns, “the answer to ‘how do we keep kids safe online’ isn’t ‘destroy everyone’s privacy’.”
There’s also a third privacy debate that will intensify next year. Google introduced a “quiet form of surveillance” in 2025. This “invisible” tracking is on your phone. And it has a twist. It could help fix unworkable porn bans taking root around the world.
Device-side message scanning is not yet a U.S. issue, it’s the preserve of Europe’s ill-conceived chat control and similarly alarming proposals elsewhere. But the prospect of VPN bans is now becoming very real in both Europe and the U.S.
This is because recent legislation to ban porn entirely or for those not verifying their age or identity has been easily bypassed through VPNs. Websites don’t even attempt to catch users out, if you run a VPN and change your location, the porn sites let you in — they do not attempt to confirm who you are, where you are, or how old you are.
This stretches the core privacy focus of a VPN — perhaps to breaking point. There is clear value in securely tunneling your data across your network. This helps users in restricted locations access overseas platforms without flagging their activity.
But hiding from the websites you choose to visit is different. That’s why third-party tracking cookies are bad but first-party session cookies are not. Deceiving websites you visit touches on fraudulent behavior: defeating geographic restrictions on media or sports we watch, for example, or bypassing porn bans.
Media websites have now found ways to block access from unauthorized locations. A simple VPN redirect will not work where protections have been deployed. There are ways around this. But those require two devices or specialist VPN servers.
Digitally fingerprinting your phone “began as a fraud detection safeguard,” Guardian Digital says. “Device fingerprinting blocks credential stuffing, stops carding attacks, and flags automation. But the same signal that defends accounts can track individuals. A tool born for security now doubles as a quiet form of surveillance.”
Google massively expanded the utility of device fingerprinting in Feb., 2025. “These are now integrated into its ecosystem,” WebProNews explains, “combining device data with location and demographics to enhance ad targeting.”
Your phone readily shares dozens of signals with websites that request them via your browser. Most are innocuous — screen shape and size, fonts, plugins, GPU state, enabling those websites to optimize your user experience. But signals also include language, time zone and other signals that relatively easily discern location.
“It can be tempting to believe that the moment you flick on the VPN you can browse the internet with full privacy,” Hackaday warns. “Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint.”
Browsers are starting to mask fingerprints by deploying chaff — fake data signals they share to prevent a unique and persistent fingerprint being derived. But some of the data is needed for websites to function. You don’t need to be identified to be geolocated.
Watch this space. It could well be that the answer to unworkable porn bans is already on your phone. The bad news for millions is that such technology — if deployed — would be hard to defeat. Certainly harder than a quick tap on a VPN. The good news is that it would remove the need for dangerous VPN bans or restrictions.
Device fingerprinting will not verify a user’s age — just whether they’re located in a potentially restricted location. Pornhub says website-based age verification has “failed.” Instead it proposes device-based authentication as a “better solution.” If Apple and Google add an age signal to devices, that becomes another data point given away.
