Hello and welcome to another episode of Glitchy Things. For your delectation and enjoyment today, we’re looking at how VPNs have become a flashpoint in the battle to regulate life online, the rise of crypto money in UK electoral politics, and the cybersecurity implications of the rise of AI agents.

Why Utah’s age verification law is especially frightening to civil liberties advocates

This week, Utah became the first US state to enact legislation targeting people who use virtual private networks (VPNs) to get around online age verification checkpoints. Civil liberties advocates are concerned the law and others like it create a much bigger problem than they’re solving.

The law stipulates that a user is considered to be accessing a site from Utah if they are physically located there—regardless of whether a website provider sees a Utah-based IP address or not. It also prohibits entities that host “a substantial portion of material harmful to minors” from sharing information about how to use VPNs to bypass age checks.

The Electronic Frontier Foundation argues that the law creates uncertainty around legal liability for website providers and that it is technically impossible to comply. “Providers add new IP addresses constantly,” so it is not possible to keep a comprehensive list of VPN server IP addresses, it argued in a statement opposing the law. Since websites can’t reliably figure out where a given user is, the law may effectively be mandating age verification for everyone, the EFF warned.

Savvy users will be able to get around Utah’s new policy, it is an unmistakable escalation. Policymakers across the globe are pushing age verification rules, and people have successfully turned to VPNs to circumvent them. “Lawmakers have watched age-verification mandates fail and, instead of reconsidering the approach, have decided to wage war on privacy itself,” the EFF said in its statement.

Within the US, Utah is not alone. Earlier this year, Wisconsin attempted to include a ban on VPN services in an age verification bill, but reversed course in the face of public backlash.

At Project Glitch’s DC Privacy Summit in October, Johns Hopkins cryptographer Matthew Green warned of a coming “privacy forest fire” fueled in part by governments pushing age verification requirements. “There’s something ominous about the speed at which the entire world has marched to require identification on platforms and, as I expected, begun the process of banning anonymous VPNs,” Green tweeted this week. —Mike Orcutt

Crypto money is coming for UK politics

The crypto interests bankrolling Nigel Farage are raising some eyebrows.

The Guardian reported last week that the politician, who leads the UK’s right wing Reform party, received a £5 million ($6.8 million) personal gift from Thailand-based British billionaire Christopher Harborne in 2024. The gift came just a few weeks before Farage, who wasn’t expected to seek office, announced he’d stand in the general election in July 2024. Farage confirmed the gift and told the Daily Telegraph the money is being used to pay for his personal security.

He has also financially benefited from the crypto conference circuit. Public disclosures show he was paid £30,000 for a 30-minute keynote at Blockworks’ London conference last October, as well as £20,000 for an appearance at Zebu Live and £7,410 by BTC Inc. for a speaking engagement in the same month. “When it comes to growth in your industry, I am your champion,” he said during his appearance at the Blockworks conference, adding that financial services in the UK needs a “big bang” akin to the sudden financial deregulation of the Thatcher era, with crypto at its epicentre.

“I do make things happen, and I do make things change, and I will go on doing so,” he said.

Harborne, who goes by the legal name Chakrit Sakunkrit in Thailand, built his crypto fortune through early investments in Ethereum and Bitcoin. He also reportedly holds a 12 percent stake in Tether, the largest stablecoin issuer. Over the years he has given £270,000 to the Conservative party and £1 million to the office of Boris Johnson, just after Johnson stepped down as prime minister. In 2019, he gave £6 million to the Brexit party, which was also helmed by Farage at the time. In 2023, a firm called QinetiQ, in which Harborne was the largest single shareholder, received an £80 million contract from the Ministry of Defence.

Since Reform’s inception in 2018, Harborne has donated a total of £22 million, including £9 million last August, the largest single donation by a living person to a British political party.

(In March, the government sought to curb such donations, temporarily banning cryptocurrency donations to political parties and limiting donations from abroad to £100,000 per year.)

This all comes as policymakers in Britain are inching towards major legislation that would govern digital assets—regulators are currently readying firms for proposed rules set to come into effect in October 2027.

It’s hard to miss the parallels between how crypto’s political influence played out in the US and the pattern emerging in the UK. In both countries, a newly wealthy, lightly regulated industry has busied itself trying to convert financial capital into political influence. In both cases, that influence has clustered around trying to clear up hazy regulations in a way that gives crypto firms wide latitude to operate.

So far in the UK, donation numbers pale in comparison with the crypto money spent ahead of the last US election in 2024, where crypto political action committees (PACs) like Fairshake rounded up north of $100 million to fund pro-crypto candidates on both sides of the aisle.

Meanwhile, the Trump family has gained immense personal wealth via their crypto endeavors since the election. They’ve amassed an estimated $1.4 billion through various crypto-related ventures, including the $TRUMP and $MELANIA memecoins, the establishment of the crypto platform World Liberty Financial, and a bitcoin mining operation.

Farage’s position as a leader of a minority party means he currently has limited power to influence legislation, and he hasn’t given any details about how he plans to design a crypto-friendly environment in the UK.

But Reform’s electoral fortunes have been on the up. The party had no representation in parliament before the July 2024 election, when it won five seats with more than 14 percent. Recent polls have put Farage well ahead of Prime Minister Keir Starmer’s Labour Party, and a quarter of Brits intend to vote for Reform at the next general election, according to Ipsos, versus a 19 percent share for both Labour and the Conservatives. Voters are heading to the polls for local elections today, which will act as a litmus test of the state of play.

What we can say for sure is that crypto money is targeting UK politics, with an eye toward securing an industry-friendly outcome. —Lucy Harley-McKeown

AI identity is a far-reaching cybersecurity issue, warn the Five Eyes

The western world’s largest alliance of spy agencies is warning people about the cybersecurity implications of AI agents.

The group, made of agencies from Australia, Canada, New Zealand, the UK, and the US and commonly called the “Five Eyes” acknowledges in a new guidance entitled Careful adoption of agentic AI services that the hype is real. AI agents are doing things in the real world—important things. “Agentic artificial intelligence systems increasingly operate across critical infrastructure and defense sectors and support mission-critical capabilities.”

But as agents proliferate, so too do their well-known security vulnerabilities.

Agents inherit the risks of the LLMs they run on, including prompt injection, in which an attacker uses a malicious prompt to get the model to behave in ways its human creator didn’t intend. They also increase the attack surface, the guidance warns. “Agentic AI systems rely on a variety of components, including tools, external data sources, and memory bases to interact with their environment and expand their capabilities.” Each of these things introduces new vulnerabilities “across an interconnected attack surface.”

The document groups specific risks into five categories: privilege risks, design and configuration risks, behavior risks, structural risks, and accountability risks. It’s a complicated picture.

But there’s an important technical aspect to the problem that keeps coming up: identity.

Imagine an attacker succeeds at impersonating a trusted agent or “hijacks its credentials,” as the guidance puts it. An agent could even plausibly steal another agent’s—or human’s—identity. “Agents impersonating false identities pose multi-layered cybersecurity risks by executing actions under spoofed credentials that evade audit controls, undermine accountability, and bypass detection models,” the document warns.

Combine that with another aspect of the problem, according to the Five Eyes: “Information continuously flows between AI and non-AI systems, increasingly blurring defensive boundaries and making it difficult to isolate AI-related risks from broader cyber threats.”

Clearer boundaries and the more effective isolation of AI-related risks call for new kinds of secure identity systems for humans and agents. We need better ways for policing the boundaries and keeping track of who, or what, has access to what data.

The discourse around agents can be confusing, thanks in part to marketing slogans, pro-AI influencers, and the speed at which the technology is evolving. But the cybersecurity-related risks are clear. The question is, can technological solutions to the identity-related problems the Five Eyes highlighted be developed and deployed quickly enough to keep pace with the rapid adoption of agents? Technologies incubated in the cryptocurrency space, from zero-knowledge proofs to blockchains themselves, will likely have an opportunity to make a difference here. —Mike Orcutt