Turkey's telecom regulator, the Information and Communication Technologies Authority (BTK), has spent three years playing whack-a-mole with virtual private networks. A May 15, 2026 analysis published by Tech Startups documented BTK reaching its 20th-plus blocked major VPN service through what it calls a "wave-based" strategy: periodic enforcement bursts that combine domain blocks, app-store delistings, and IP-range blocklisting, intensifying during politically sensitive moments and easing in between. Now a draft bill would end the game of cat-and-mouse the only way a regulator can decisively win it — by flipping the default. Instead of chasing VPNs one at a time, the proposal would require every commercial provider to obtain a BTK licence, and block the unlicensed by default.
What the draft actually does
The licensing proposal, analyzed by Turkish law firm Kurucuk & Associates, would reclassify commercial VPNs as regulated digital services rather than neutral tools. Foreign providers would need to appoint a local legal representative, submit to BTK authorization, and — per reporting on the broader package — log user activity and surrender it to authorities on request. Enforcement options reportedly include not just outright blocking but bandwidth throttling of up to 90 percent, a slow-strangle tactic that degrades a service without the political visibility of a hard ban. The legal scaffolding already exists: under Law No. 5651, the 2007 internet statute, BTK can issue administrative blocking orders without prior judicial review, a power that peer-reviewed analysis in Internet Policy Review traced back to the law's original design.
The measures are being marketed under a child-safety banner. The same package includes a parental-controlled "child line" for mobile users under 18 and caps on how many SIMs one person can register. Officials frame it as protecting minors after a series of school incidents.
The case for licensing, stated fairly
There is a real argument here, and it deserves to be met head-on rather than dismissed. States legitimately regulate telecommunications providers, and a VPN that terminates millions of citizens' traffic is, functionally, a telecom intermediary. A government can reasonably ask who operates such infrastructure, where liability sits, and whether a provider will cooperate with narrow, court-supervised investigations into genuine crimes — child sexual abuse material, fraud, terrorism financing. Anonymity is not an unqualified good; it shields predators as well as dissidents. A licensing regime, in the abstract, is a more orderly instrument than the current scattershot blocking, which sweeps up ordinary users with no notice and no appeal.
Why this version fails the proportionality test
The problem is not that Turkey wants oversight. It is that this design inverts the relationship between the citizen and the state. A proportionate measure regulates a harm; this regulates a capability. By requiring licensed VPNs to log and disclose user activity, the bill destroys the single property — confidentiality — that makes a VPN worth using. Proton VPN has said flatly it will "never" log usage for authorities, which means a no-logs provider cannot be licensed in Turkey by definition. The licence is therefore not a gateway to compliance; it is a filter that admits only surveillance-compatible products and bans the rest.
That matters because of who actually uses these tools and why. Turkey's record is not one of a government reaching for VPN controls to fight crime. Freedom House's Freedom on the Net 2025 report scored Turkey 31 out of 100 — "Not Free" — and documented authorities throttling social media for 42 hours during the March 2025 protests over the arrest of Istanbul Mayor Ekrem İmamoğlu, plus a nine-day Instagram block in 2024. When BTK blocked 27 VPN services in August 2024, the Stockholm Center for Freedom noted it came the same week as an Instagram ban and against a backdrop of 219,059 URLs blocked in 2023 alone. The pattern is that circumvention tools get throttled precisely when citizens most need to see and speak — during protests, elections, and scandals. A licensing regime hard-wires that capability into permanent law.
The demand signal the bill ignores
The market is already voting. On April 18, 2026, Proton VPN reported that daily sign-ups from Turkey had doubled following news of the proposals — the predictable response to a censorship threat, and the same dynamic seen in Iran and Russia. This is the structural flaw in any permission-based VPN regime: it assumes demand is a tap the state can close, when it is a flood the state can only redirect. Block the licensed providers' competitors and users migrate to peer-to-peer architectures, obfuscated protocols, and self-hosted tunnels that no licensing list can enumerate. The wave-based strategy already struggled against this; licensing will not fare better, because the people most determined to evade surveillance are exactly the ones who will never touch a logged, government-approved VPN.
A better path
Proportionate regulation is possible. It would target conduct, not tools: pursue specific criminal content through transparent, court-supervised orders with published statistics and a genuine appeal route, rather than reclassifying an entire privacy technology as contraband. It would preserve no-logs services as lawful, because confidentiality is a feature of a functioning digital economy — banks, journalists, lawyers, and businesses all depend on it. The test of a democracy's internet policy is not whether it can block a VPN. It is whether it builds tools that survive a change of government's intentions. Turkey's draft, by design, does not.