A sweeping proposal in Michigan would ban porn and, for the first time, make any sales of distributed “circumvention tools,” meaning virtually any software tool that can hide an online transaction, including VPNs, proxy servers, or encrypted tunneling, illegal. Legal scholars and cybersecurity professionals say the approach would also run up against the First Amendment, contemporary business practices and simple effectiveness on an internet teeming with hostile actors.
What the Michigan plan would do beyond age-gating sites
The bill, filed by six Republican state representatives, encompasses far more than age-gating adult websites. It determines broad categories of “harmful” or “pornographic” material and imposes an expansive ban on tools that could get around the restrictions, with a specific mention of virtual private networks and any other encrypted routing methods.
One provision would prohibit “one biological sex imitating, depicting, or portraying him/herself as a member of the opposite biological sex.” Taken literally, that could sweep in portrayals of transgender people, drag show performances and actors cross-dressing on stage and screen — and even images or scenes from classic films and plays where characters disguise their gender. The broad scope of the measure means it would quickly face First Amendment challenges if it moves ahead.
For now, the plan is still a proposal. No enforcement mechanism has been adopted, and the breadth of the mandate poses substantial technical challenges, not to mention that some of the very encrypted technologies lawmakers seek to burrow into are a part of everyday digital life.
A direct blow to cybersecurity and remote work
VPNs aren’t some niche privacy add-on — they are the workhorse of secure remote access. Giant companies and tiny mom-and-pops — automakers, banks, hospitals, tech firms and corner stores — rely on VPNs because they deter digital theft. Michigan’s public agencies and universities access internal systems through VPNs. Blocking VPNs, or “encrypted tunneling,” would disrupt routine business throughout the state.
Federal guidance underscores that reality. The Cybersecurity and Infrastructure Security Agency recommends organizations secure remote access with VPNs or zero-trust substitutes with encrypted tunnels. NIST standards and guidelines (e.g., SP 800-53, SP 800-77) treat network tunnels as generic controls to protect information. A ban would put Michigan out of step with those standards and increase the risk of breach.
There is also an economic factor. Hybrid work endures; WFH Research estimates that some 25 percent to one-third of U.S. paid work days today are remote. An unworkable ban on commonly used remote access tools would complicate hiring, hinder departments’ abilities to respond swiftly to security incidents and saddle IT teams with expensive workarounds — costs that would be borne by Michigan employers and workers.
Legal minefield: speech, identity and the open internet
Earlier Supreme Court decisions set a very high bar for laws that have the effect of broadly suppressing online material. In Reno v. ACLU, the Court invalidated overbroad indecency regulations for cyberspace; in Ashcroft v. ACLU, it held that online broadcast controls that silenced adults were never legit; and in Ashcroft v. Free Speech Coalition it said no to unlawful bans on legal expression. Any such attempt to turn huge tracts of protected speech in Michigan into criminal expressions would be subject to strict scrutiny.
The Dormant Commerce Clause raises a separate issue: States cannot place an undue burden on interstate commerce, which now extends to the national — and international — internet. Federal courts have repeatedly reminded them that state-by-state content mandates can be used to regulate activity across state lines in every practical sense. Recent lawsuits seeking to counteract state age-verification laws also illustrate how fast such measures wind up in court, usually on the grounds of free speech or interstate commerce.
Constitutional conflict on another front may come from depictions of gender identity. And civil liberties groups from the ACLU to LGBTQ legal organizations have long argued that such bans targeting transgender expression are content- and viewpoint-based restrictions, which are presumptively unconstitutional under First Amendment and equal-protection principles.
Enforcement would be a nightmare for ISPs and businesses
Even if it were at some point made law, however, policing VPNs is technically tricky. Internet providers would probably have to deploy deep packet inspection to detect particular protocols such as IPsec, OpenVPN and WireGuard. That can be circumvented by protocol obfuscation and starts to feel an awful lot like surveillance for privacy advocates. It’s possible to overblock, as countless legitimate services traffic in the same kind of encrypted patterns, at least in cloud environments.
There are theoretical distinctions, but in practice the line between “encrypted tunneling” and basic HTTPS can blur. Intense blocking could interfere with online banking and telehealth, as well as enterprise apps. There would certainly be collateral damage, and whatever game of cat-and-mouse would play out in the day-to-day operation would foist additional costs on ISPs, enterprise customers, and end-users without effectively attaining the objectives set forth by the bill.
And around the world, VPN restrictions mimic internet controls in authoritarian nations like China, Russia and Iran — an approach that contrasts sharply with U.S. policy promoting secure encryption to protect consumers and critical infrastructure.
What to look for in Lansing as the bill advances
The proposal is all but certain to be met with swift opposition from civil libertarians, technology trade associations, higher education and some of the nation’s biggest employers that have remote or distributed workforces. Look for calls for clear carve-outs, if not outright rejection, and for lawmakers to get queries about how such a regime would be enforced without hobbling foundational internet services.
If the bill progresses, quick court challenges are all but inevitable. Taken together, the sweeping content bans, restrictions on depictions of gender identity and limits on the use of encryption would pose a challenge to multiple constitutional doctrines all at once. For now, Michigan’s plan is more evidence of a broader national trend to crack down hard on the internet — and it illustrates the high technical and legal stakes for doing so.