A friend sent me this new telecommunication directive by ICTA, and after reading through it, I really went down a rabbit hole. It’s about protecting children online, which is obviously a super important goal that we all agree on.
But as I dug into the technical details of how they propose doing it, I realized it brings up a lot of complicated questions about cybersecurity, how the internet works, and the future of an open web.
It’s a classic example of how a policy with really good intentions can lead to some tricky technical side effects. Let’s explore it together!
What is this directive?
It’s called Telecommunication Directive 4 of 2025, issued by the ICTA in Mauritius.
The basic idea is pretty straightforward: it requires internet service providers (ISPs) and mobile operators to offer special “Child Online Protection” (COP) commercial plans by December 2025.
Here is the gist of what these plans are supposed to do:
- They are designed to curtail access to harmful content for anyone under 18 (like pornography, content promoting self-harm, violence, etc.).
- They need to incorporate protection “by design”.
- Crucially, adopting these plans is currently voluntary for parents and guardians. You have to opt-in.
Sounds good so far, right? We all want kids to be safe.
The technical “how” is where it gets sticky
Where my ears perked up was reading the sections on how the ISPs are supposed to implement this. The directive talks about a few different layers of control, but it relies heavily on “network-level control”.
This means the filtering doesn’t just happen on your kid’s iPad; it happens upstream at the ISP’s infrastructure. The ISP is acting as a giant gatekeeper for traffic on those specific mobile plans.
To make sure clever teenagers don’t just bypass these filters, the directive explicitly suggests some tough technical measures:
“These may include the blocking of most popular Virtual Private Networks (VPN) as well as locking the SIM card to the plan subscribed to.”
Whoa. Blocking VPNs? That’s a big deal in the networking world.
Why this makes me a little nervous
When you mandate that ISPs build infrastructure to filter content and block privacy tools like VPNs, you are building powerful machinery. Even if the intention right now is to protect children voluntarily, the architecture itself has some worrying implications.
1. The Cybersecurity Angle
Good security is like an onion: it needs layers. Experts call this ‘defense-in-depth’. This directive tries to do that, but by suggesting we block VPNs, it’s actively weakening a major security tool. VPNs aren’t just for sneaking around; they are essential for protecting your privacy on public Wi-Fi and for many people doing remote work securely. Breaking encryption tools to enforce a filter is a risky trade-off.
2. The “Slippery Slope” of Internet Freedom
Right now, this is voluntary and for kids. But the directive mentions that the authority has broader powers to curtail “harmful and illegal content” in general, not just for children.
By normalizing ISP-level filtering and VPN blocking, we are creating the exact technical infrastructure needed for broad, centralized censorship. If that machinery is lying around, it becomes very tempting to use it for other things later on, like blocking political dissent or targeting other demographics. It turns the ISP into a surveillance hub by linking a specific person’s SIM card to a filtered internet experience.
What do the experts say? (The “Better” Solutions)
It turns out that current industry best practices and international guidelines (like those from UNICE and the EU) suggest a much different approach.
They argue that a more effective and rights-respecting model moves away from centralized ISP blocking and toward a layered, user-centric model.
Here is what that looks like:
1. Device-Centric Controls (The “Smart” Layer)
Instead of filtering the entire internet connection at the ISP level (which requires inspecting all traffic), controls should sit on the device itself.
- How it works: Parents use built-in OS tools (e.g., Apple Screen Time, Google Family Link) or third-party apps (e.g., Qustodio, Microsoft Family Safety).
- Why it is better:
- Granularity: It can block specific apps (e.g., TikTok) or set time limits for games, which an ISP filter cannot easily do (ISPs mostly see web traffic, not app behavior).
- Portability: The protection travels with the child. If the child switches to Wi-Fi at a friend’s house or uses a different SIM, the device is still protected.
- Privacy: The ISP does not need to log the child’s activity. The monitoring data stays between the parent and the child’s device/account.
2. Privacy-Preserving Age Verification
The Mauritius directive suggests linking a SIM card to a specific identity plan, creating a surveillance log. A better solution uses Zero-Knowledge Proofs or Third-Party Trust Services (advocated by CNIL and EU bodies).
- How it works: A trusted third party (e.g., a bank or government ID app) confirms the user is “Over 18” or “Under 18” to a website or app without revealing the user’s name or browsing history to the website or the ISP.
- Why it is better: It verifies age without tracking what the person is doing online. It solves the “child safety” problem without creating a “surveillance” problem.
3. “Safety by Design” (Platform Responsibility)
International guidelines (UNICEF, UK/US agreements) emphasize that the platforms themselves (Instagram, YouTube, Roblox) must be safe by design, rather than relying on ISPs to block bad things.
- How it works: Platforms are legally required to default children into the highest privacy settings, turn off auto-play, disable location tracking, and filter harmful content algorithmically before it is served.
- Why it is better: It addresses the source of the content. ISP filters often fail to block harmful content inside encrypted apps (like bullying in a WhatsApp chat or a harmful video on an encrypted YouTube stream).
DIY: Tools You Can Use Right Now
You don’t need to wait for the government to change the policy. You can use DNS Filtering today to protect your home network without giving up your privacy or locking your SIM card.
- Cloudflare for Families (1.1.1.3): A free DNS setting that blocks malware and adult content automatically. It’s fast and privacy-focused.
- CleanBrowsing: A service that enforces “Safe Search” on Google and YouTube and blocks bad domains.
A Quick Look Back: Why the Context Matters
We all remember the social media blackout in November 2024.
When the government tried to block social media to stop the “Missie Moustass” leaks, it didn’t really work. Why? Because everyone immediately downloaded a VPN and bypassed the block.
This new directive seems to learn from that “mistake.”
By explicitly authorizing the blocking of VPNs, it closes the escape hatch we used last time. It builds the exact machinery needed to make a future shutdown actually work. Today, this machinery is labeled “Child Safety.” But once it is installed, the capability to block VPNs is permanent.
So, what should we do?
It’s about deciding what kind of internet we want to build. The infrastructure we accept today becomes the censorship tool of tomorrow.
If you care about digital rights, we need to draw a hard line.
-
Refuse to Normalize Surveillance: Do not accept the premise that “safety” requires “locking down” the network. Network-level blocking is a lazy, dangerous solution that treats every user like a suspect. We must demand that ISPs keep the “pipes” neutral and dumb.
-
Defend Encryption: VPNs are not “loopholes” for criminals; they are essential safety gear for the digital age. Any policy that treats encryption as a threat is an attack on your digital self-defense. We need to be loud about this: No blocking of privacy tools. Ever.
-
Take Back Control: Don’t let the state or the ISP be the parent. Use the DIY tools, set up your own encrypted DNS, and teach your community how to do the same. When we rely on our tools rather than their filters, we make centralized censorship irrelevant.
The internet was built to be open. Let’s make sure we don’t accidentally build a cage around it.