A tragedy repurposed as a mandate
On April 14 and 15, 2026, two Turkish schools were attacked within twenty-four hours — first in Siverek, Şanlıurfa, then at a school in the Onikişubat district of Kahramanmaraş, where a teenage student killed nine people, eight of them children and one a teacher. The grief was immediate and national. Within a week, so was the policy response: on April 21, Nordic Monitor reported that Justice Minister Akın Gürlek was using the attacks to fast-track a sweeping internet-control package — anchored by a new licensing regime for virtual private networks and a requirement that social media users log in with their national ID numbers, with unverified accounts closed after a transition period.
The government's stated logic is that the attackers had been "exposed to violent digital content," and that tighter control of circumvention tools and anonymous accounts will keep such material away from minors. That argument deserves to be taken seriously before it is taken apart.
The strongest version of the government's case
States have a real and legitimate interest in protecting children online, and Turkey is not alone in worrying about it: Australia has legislated a social-media age limit, and the EU and UK are mid-debate over age assurance and platform duties. VPNs genuinely do let minors route around age gates and filters, and anonymous accounts genuinely do shelter some predators. A government that did nothing after a school massacre would be fairly criticized. So the question is not whether Ankara may act — it is whether this action is proportionate to this harm.
What the draft actually does
It is not, on inspection, a child-safety measure. According to reporting on the bill and Turkish legal analyses of it, the draft amends the 2008 Electronic Communications Law No. 5809 — the statute that created the telecoms regulator BTK and its authorization regime — to reclassify VPNs as "virtual network services." Providers would have to obtain a BTK license, incorporate a local Turkish company, appoint an authorized representative, store user data inside Turkey and build in "lawful monitoring" capability. Non-compliant services face administrative fines reported at 1 million to 30 million lira, bandwidth throttling, and outright nationwide blocking.
Strip away the framing and what remains is a data-localization and interception mandate applied to the one tool that currently lets Turkish users communicate privately. A VPN that logs its users inside Turkish jurisdiction and exposes traffic to "lawful monitoring" is, by design, no longer a privacy tool. None of those obligations — local incorporation, data retention, interception — does anything to stop a determined teenager from finding violent content. They do everything to identify an adult journalist, opposition organizer, or LGBT user.
It fails its own proportionality test
A proportionate rule is narrowly tailored to its harm and picks the least restrictive effective means. This one is the inverse. It captures all encrypted traffic to address content consumed by a handful of individuals; it imposes identity-linkage on the entire population to police a minority of bad actors; and it is most likely to fail on its own terms, because the minors it claims to target are precisely the users most willing to side-load an unlicensed app, while businesses, remote workers, and ordinary citizens who rely on mainstream VPNs bear the cost.
The national-ID login requirement compounds the problem. Tying every account to a verified identity, and closing unverified ones, abolishes online anonymity by statute. Anonymity is not a loophole; it is the precondition for whistleblowing, dissent, and journalism in a country that Freedom House rates "Not Free," with an internet-freedom score of 31 out of 100.
Turkey's own record predicts the outcome
This proposal extends a decade-long trajectory rather than breaking from it. In November 2023, Freedom House records, BTK ordered ISPs to block 17 VPN services without a court order. The Freedom of Expression Association (İFÖD) documented that Turkey restricted roughly 950,000 domains, 260,000 URLs, and 67,000 tweets in 2023 alone, as catalogued by Poland's OSW. And when access is cut, citizens vote with circumvention: Top10VPN measured a 301% spike in VPN demand the day Instagram was blocked in August 2024, and a 188% jump after the March 2024 detention of President Erdoğan's chief rival.
That last figure is the tell. VPN demand in Turkey spikes alongside political events, not school shootings — a strong signal about what a VPN licensing regime would actually be for.
What protecting minors would look like
There is broad expert agreement that blanket access restrictions are the wrong instrument. Future of Privacy Forum CEO Jules Polonetsky, speaking to Rest of World in May 2026, argued that bans "may backfire" and that real safety requires norms, guidance, and better moderation, not prohibition. That same month, the EFF and 18 other organizations urged UK policymakers to address the roots of online harm rather than reach for restrictive shortcuts. Those roots — mental health, school security, media literacy, age-appropriate design enforced against platforms, well-resourced parental tools — are harder and slower than a VPN ban, but they touch the actual harm.
A school shooting demands a serious response. A licensing regime that fingerprints every encrypted connection and abolishes anonymous speech is not that response; it is a surveillance expansion that was already on the shelf, waiting for a justification. Turkey's lawmakers should decline to confuse the two.