The UK government's ban on political donations made via cryptocurrency has been presented as a national security measure. Ministers argue that digital assets pose a risk of foreign interference and that the "true source" of funds cannot be reliably verified.
But when you examine the Rycroft Review and place it alongside the government's ongoing attempts to restrict VPN use, a clearer pattern emerges.
This isn't really about crypto. And it isn't really about VPNs. It's about a state that repeatedly struggles to understand modern technologies, repeatedly ignores expert evidence, and repeatedly chooses prohibition over adaptation.
Key Points at a Glance
- The Rycroft Review did not conclude that crypto is untraceable; it concluded that government institutions lack the capacity to verify it
- The ban signals the government does not trust the Electoral Commission, HMRC, the FCA, or political parties to handle the technology
- VPNs are standard cybersecurity tools used by businesses, journalists, and ordinary citizens, not niche circumvention devices
- Blockchain analytics can trace transaction histories, exchange on-ramps, and fiat purchases; crypto is often more traceable than cash
- The UK has a consistent pattern of restricting technologies it cannot easily surveil, from encryption backdoors to age verification systems
- Other countries have built proportionate regulatory frameworks for both crypto donations and VPNs; the UK chose not to
The Crypto Ban: A Lack of Trust in the State's Own Institutions
The Rycroft Review, commissioned to assess the risks posed by foreign interference in UK political funding, examined whether cryptocurrency donations created particular vulnerabilities. Its conclusion was carefully worded but significant.
The Review did not conclude that crypto is untraceable, that blockchain transparency is insufficient, or that digital assets are inherently dangerous.
Instead, it concluded:
Rycroft Review: "We cannot guarantee that political parties and the Electoral Commission can verify the true source of cryptoasset donations."
This is not a critique of the technology. It is a critique of the state's capacity.
What the Government Is Implicitly Saying
By banning crypto donations, the government is signalling that it does not trust the Electoral Commission to verify provenance, HMRC's crypto taxation framework to track acquisition and disposal, FCA-regulated crypto exchanges to enforce know-your-customer (KYC) and anti-money-laundering (AML) requirements, or political parties to perform due diligence.
Rather than modernise these systems, the government chose the simplest path: to ban the vector. This is not technological caution. It is institutional insecurity.
The irony is that a declared crypto donation already includes the donor's name, the wallet address, and the transaction hash. From there, blockchain analytics can trace the entire transaction history, exchange on-ramps, fiat purchases, mixer interactions, and cross-chain movements. Crypto is often more traceable than cash and more transparent than a number of traditional banking routes.
A Proportionate Alternative Was Available
The government could have required donations only from FCA-regulated exchanges, mandated provenance documentation, aligned reporting with HMRC's existing crypto rules, used blockchain analytics to verify flows, and defined "beneficial ownership" for digital assets. Other jurisdictions have done precisely this. The UK chose not to.
The VPN Debate: Another Case of "Ban First, Understand Later"
The UK's approach to VPNs follows the same pattern.
In the context of the Online Safety Act and related proposals, VPNs have been framed primarily as tools for evading age verification, accessing harmful content, and bypassing platform controls.
But this framing ignores the reality that VPNs are standard cybersecurity tools, essential for remote work, and used routinely by journalists, businesses, activists, and ordinary citizens who simply want privacy. Most commercial VPNs keep connection logs, comply with court orders, and operate under UK or EU jurisdiction. They are not inherently anonymous, and they are not used overwhelmingly for circumvention.
What Experts Have Said
Experts have consistently explained that VPNs cannot be meaningfully banned, that blocking them breaks legitimate digital infrastructure, that enforcement is technically unworkable, and that the proposals reflect a misunderstanding of how the internet actually functions.
Yet legislation has continued to be drafted as though VPNs are a niche circumvention tool, rather than a foundational part of modern digital life.
The Pattern Repeats
When faced with a technology that reduces state visibility or decentralises control, the UK's instinct is not to adapt its regulatory framework. It is to restrict the technology itself.
This same instinct has appeared across digital policy: encryption backdoor proposals, age verification systems that break privacy architecture, investigatory powers that exceed technical feasibility. The common thread is not the technology. It is the state's discomfort with decentralisation, user autonomy, and systems it cannot easily surveil or control.
A Structural Problem: The UK Regulates by Fear, Not Understanding
Across a number of digital policy areas, the UK has shown a consistent pattern. When faced with uncertainty, the default response is not to modernise institutions or invest in technical capability. It is to restrict the technology.
This matters because each individual decision can appear reasonable in isolation. The crypto ban sounds like a security measure. The VPN restrictions sound like child protection. Encryption backdoors sound like law enforcement necessity. But when you look at all of them together, the pattern is harder to dismiss.
In each case, the technology being targeted is not inherently dangerous. In each case, experts have explained why the proposed restriction will not work as intended. And in each case, the government has proceeded with prohibition rather than addressing the underlying institutional capability problem.
The Evidence from the Online Safety Act
The Online Safety Act's age verification requirements, which VPN restrictions are partly designed to enforce, have already produced unintended consequences. Data from internet monitoring company Similarweb, shared with LBC, shows that unregulated offshore sites saw traffic increases of over 800% in a single month after the OSA's age verification powers came into force. Research by the Lucy Faithfull Foundation found that nearly half of UK porn watchers said they had accessed unrestricted sites after the OSA took effect. Restricting VPNs does not resolve this dynamic; it escalates it.
What a Competent Approach Would Look Like
The argument here is not that crypto donations should be unregulated, or that VPNs should be entirely free from any legal framework. It is that prohibition is not the same as regulation, and that effective regulation requires understanding what you are regulating.
For Crypto Donations
A workable framework would require donations only from FCA-regulated exchanges with verified KYC compliance, mandate provenance documentation as part of the existing political donations reporting regime, align with HMRC's existing crypto tax rules, deploy blockchain analytics as a verification tool rather than treating the blockchain as opaque, and establish clear definitions of beneficial ownership for digital assets. This is not speculative; other countries have built frameworks along these lines.
For VPNs
A workable approach would formally recognise VPNs as essential cybersecurity infrastructure, focus safety obligations at the platform level rather than the network level, accept that circumvention is a technical reality that cannot be legislated away, and build policy around realistic technical constraints rather than an idealised picture of how the internet works.
Conclusion: The Real Issue Is Institutional Capability
The UK didn't ban crypto donations because crypto is opaque. It banned them because the government does not trust its own regulators, enforcement bodies, political parties, or its ability to adapt existing frameworks to modern technologies.
The VPN debate shows the same structural problem: a government legislating for a version of the internet that doesn't exist, while ignoring expert evidence about the version that does.
Until the UK confronts its structural discomfort with digital systems it cannot fully control, this pattern is likely to continue. When the government doesn't understand a technology, or doesn't trust itself to regulate it, the default response is to ban first and learn later. The costs of that approach, to digital rights, to legitimate users, and to the credibility of UK regulation, are accumulating.