
If a VPN is over port 443 and using TCP, there really wouldn't be any way to know whether it was HTTPS or VPN.



"Well, sir, if you look in our terms of service, it says quite clearly that if most of your traffic goes to a set of services that we have determined are most likely VPNs because we control most of the end-traffic on the internet, well then we can disconnect you. I know, sir, machine learning is wonderful as I'm sure you've read on Hacker News that you visit regularly. What's that? You swear it isn't VPN traffic? Ok, can you provide any evidence to that effect? You can't? Ok, well, you have been disconnected sir, and if you like, you can pay a $300 fee to get reconnected and rejoin our new VPN plan at $150 per month. If you want to use our VPN plan that will be $30 per month on top of all the other services you will need to select"


I suspect Google, Apple, Microsoft, Facebook soon thereafter jump into the always-on VPN market in some form or another.


They don't have to inspect the traffic for this scenario. They can do it purely based on the routing requested.


VPN handshake detection is pretty easy for modern packet-inspection hardware.

Yes, you can beat this, but it is inaccurate to characterize it as being completely unstoppable.


I suspect you can. You can certainly analyze the timing and lifetimes to identify VPNs vs HTTPS (at the expense of a few websocket false positives). And I suspect you could even characterize entropy.


It’s a game of cat and mouse for sure. See Tor pluggable transports for some more circumvention ideas.

I believe it is a game ISPs acting in bad faith will ultimately lose.


Even if this were true, it would be very easy for an ISP to insist that their own certificates be trusted as part of the terms of usage. This would give the ISP data access.


Depends on the VPN. HTTPS handshakes are very different than, say, OpenVPN. But you can definitely hide your VPN behind the HTTPS protocol.
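Added example, not part of any comment in this thread: a first-payload classifier that shows how a TLS ClientHello and an OpenVPN-over-TCP session reset differ on the wire, and why a VPN carried inside a TLS tunnel gets the same label as ordinary HTTPS. The function name, labels and sample bytes are constructed for illustration.

```python
import struct

# OpenVPN opcodes that open a session (upper 5 bits of the opcode byte).
RESET_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def classify_first_payload(data: bytes) -> str:
    """Label the first client-to-server TCP payload of a port-443 flow."""
    if len(data) < 6:
        return "unknown"
    # TLS: record type 0x16 (handshake), version 0x03 0x0X, 2-byte record
    # length, then handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        (rec_len,) = struct.unpack("!H", data[3:5])
        if 0 < rec_len <= 16384:  # TLS plaintext records are capped at 2^14
            return "tls-client-hello"
    # OpenVPN over TCP: 2-byte packet length, then one byte holding
    # opcode (5 bits) and key_id (3 bits); key_id is 0 on a new session.
    (pkt_len,) = struct.unpack("!H", data[0:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # Smallest reset: opcode + 8-byte session id + ack count + 4-byte packet id.
    if opcode in RESET_OPCODES and key_id == 0 and pkt_len >= 14:
        return "openvpn:" + RESET_OPCODES[opcode]
    return "unknown"

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "browser HTTPS": bytes.fromhex("16030100c8010000c40303") + bytes(32),
    "plain OpenVPN/TCP": bytes.fromhex("000e38") + bytes(range(8)) + bytes(5),
    # A VPN wrapped in a TLS tunnel starts with an ordinary ClientHello.
    "OpenVPN inside a TLS tunnel": bytes.fromhex("16030101100100010c0303") + bytes(32),
    "other protocol": b"SSH-2.0-OpenSSH",
}

def classify_samples() -> dict:
    """Return {sample name: label} for the constructed payloads above."""
    return {name: classify_first_payload(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:30s} -> {label}")
```

The tunnelled sample is indistinguishable from the browser sample at this layer, so telling them apart would need the flow-level signals other comments mention, such as timing and connection lifetime.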


Most modern NGFWs identify traffic by the layer 7 application. Many (but not all) are identified by the time a TCP handshake completes.



