Your Daily Broadsheet

Ofcom writes:

Since the age check rules came into force, there has been considerable public debate about children bypassing the protections, including by using virtual private networks (VPNs). VPN use is common in the UK and can offer privacy and security benefits. However, because VPNs allow internet users to change their virtual location and IP address to another country, they can be used to try and get around the protections of the Online Safety Act, including its age check requirements.

 Following the introduction of the age check requirement in July we saw an initial spike in the use of VPNs in the UK – with UK daily active users of VPN apps doubling to around 1.5 million. However, by the end of October usage had fallen back to under 1 million daily active users.21 This early spike in VPN usage was expected and has happened in other countries and US states that have introduced age check requirements. There is currently no reliable up-to-date data on how far the increased use of VPNs is due to children or to adults who wish to avoid having to complete age checks.

Data from Internet Matters, collected before the rules came into force, suggests that around one in ten under-18s used VPNs, with use skewing towards older teenagers. This would suggest the new age checks will already be offering significant protections to children. However, further evaluation is needed.

We continue to build our evidence base to help us understand children’s level of usage and familiarity with VPNs. This month we are launching a children’s advisory panel with the Children’s Commissioner for England to hear directly from children about their online experiences and how they are changing, including VPN usage. We have introduced questions on VPNs to our Children and Parents Media Literacy Tracker and we plan to publish data and analysis on this in May 2026. These questions focus on the awareness and use of VPNs among children aged 13-17. We also ask parents of 3-17s who use parental controls, whether they use tools to block VPN usage. Finally, we will continue to collect information about VPN adoption in the UK, as we have done since age assurance measures came into force, as part of our work to understand how people in the UK use the internet. This evidence base will help guide thinking and decisions about whether there is a need for further action in this area, and what would be proportionate.

There has also been concern from some stakeholders about whether age checks are being implemented in a way that preserves privacy and protects users’ data. Ofcom has been clear that all age assurance methods involve processing of some personal data and therefore platforms and vendors implementing age checks must comply with UK data protection laws. We have worked closely with the Information Commissioner’s Office, which oversees and enforces these laws, in developing our approach and guidance for highly effective age checks.

Finally, we have observed instances of over-moderation where content not harmful to children was inaccessible to them, especially soon after age checks were more broadly introduced. We have provided clear, detailed guidance on what kinds of content we consider to be illegal content or content harmful to children – and therefore consider to be in-scope of safety measures. Where we are concerned that content which does not meet these definitions is inaccessible, we are discussing these issues with the providers involved through our Supervision teams.

Baroness Benjamin Liberal Democrat;

To ask His Majesty's Government what measures have been put in place to prevent children using virtual private networks to avoid age verification to access harmful material online.

Baroness Lloyd of Effra Parliamentary Under Secretary of State (Department for Science, Innovation and Technology),

The Online Safety Act requires services to use highly effective age assurance to prevent children in the UK from encountering harmful content. ofcom's guidance makes it clear that age assurance must be robust to prevent circumvention. Services must also take steps to mitigate against circumvention methods that are easily accessible to children. Providers that do not comply with their child safety duties by deliberately promoting the use of VPNs could face enforcement action under the Act.

Baroness Benjamin

I thank the Minister for that Answer. However, Childnet has discovered an increase in the use of VPNs by children in the last three months. While younger children are deterred by age-verification checks, teenagers actively seek out and share methods to circumvent them. Many minors are downloading free VPN applications that often monetise user data and expose devices to viruses. Also, by relocating to countries with few or no internet safety Laws, children can be exposed to more extreme, illegal or unmoderated content. Perhaps children under 16 should be banned from social media altogether. What action will the Government take to address the increasing number of children using VPNs? Will they instruct ofcom to follow the lead of the Australian e-safety commissioner and require that digital services check VPN traffic for technical and behavioural red flags that suggest a user in the UK may be a child? Let us act sooner rather than later.

Baroness Lloyd of Effra

We recognise the international efforts to better protect children online, including in Australia, and we are working with the Australian Government to understand the impact of their policies, including that one. There is currently limited evidence on how many children use VPNs, and the Government are addressing this evidence gap. We welcome any further evidence in this area, such as that quoted by the noble Baroness, Lady Benjamin, to complement our understanding. The Government will ensure that we act where we need to, as we have seen in other areas, and that future interventions are proportionate and evidence based.

...

Lord Carlile of Berriew Chair, Northern Ireland Scrutiny Committee

On the Radio 4 Today programme this morning, ofcom admitted that none of the three fines levied so far has been paid. Is it not right that Ofcom should be encouraged to take much stronger enforcement action against those who do not pay by making it clear that within a very short time, they will lose their right to appear on any screen in the United Kingdom unless their enforcement is fit for purpose?

Australian internet censors will enforce a new rule that basically requires search engines into safe mode for unlogged in users and require ID/age verification to login.

Under the new rules, search results that include pornography or extreme violence will be blurred by default for users under 18, or for anyone using search without logging in. At the same time, search engines must verify the age of logged-in users. If the user is identified as a minor, safe search settings, filtering out pornography, high-impact violence and disordered-eating content, must be applied automatically.

In addition, searches by Australians related to suicide, self-harm or eating disorders will now automatically redirect to mental health support services.

The new censorship rules will kick in on December 27 2025.

People will not need an account to search the internet. The codes do not require users to log in, and they do not notify the government about what people are searching. For users who are logged in, age assurance mechanisms will be used, possibly including ID/age verification. Adults will still be able to access content if they choose. Blurred images can be clicked through to view, but only once the user accepts they are over 18.

Ofcom writes:

Since we opened our investigation into 4chan Community Support LLC ('4chan') and its compliance with its duties to protect users from illegal content, new duties to protect children under the Online Safety Act 2023 ('the Act') 203 the Protection of Children duties - have come into effect.

Such duties require providers of regulated user-to-user services, which are likely to accessed by children, to use proportionate systems and processes which are designed to effectively reduce the risk of harm to children from content available on their site and to prevent children from encountering certain types of harmful content, known as Primary Priority Conten, altogether. In particular, section 12 of the Act requires providers of services that fall under Part 3 of the Act, and allow one or more kinds of Primary Priority Content (including pornographic content), to use highly effective age verification or age estimation (or both) to prevent children from encountering that kind of content where identified on the service.

Ofcom is therefore expanding this investigation to include consideration of whether there are reasonable grounds to believe that 4chan has failed, or is failing, to comply with its duties under section 12 of the Act.

The UK internet censors has launched new industry guidance demanding that tech firms step up to deliver a safer online experience for millions of women and girls in the UK. Ofcom writes:

Ofcom's guidance includes a wide range of practical safety measures that the regulator is urging tech firms to adopt to tackle these harms. These go above and beyond what is needed to comply with their legal duties under the Online Safety Act, setting a new and ambitious standard for women's and girls' online safety.

The guidance was developed with insights from victims, survivors, safety experts, women's advocacy groups and organisations working with men and boys. Its launch is also supported by Sport England as part of their wider This Girl Can campaign, and WSL Football to raise awareness of women's safety when taking part in sport and exercise.

Ofcom has written to sites and apps setting an expectation that they start to take immediate action in line with the guidance. We will also publish a future report to reveal how individual companies respond.

Ofcom's practical guidance, supported by case-study examples, sets out where tech companies can and should do more, while taking account of important human rights including freedom of expression and privacy. Focusing on the following four main areas of harm, our guidance makes clear how we expect services to design and test their services with safety in mind, and improve their reporting tools and support systems to better protect women and girls:

Misogynistic abuse and sexual violence.

This includes content that spreads hate or violence against women, or normalises sexual violence, including some types of pornography. It can be both illegal or harmful to children and is often pushed by algorithms towards young men and boys. Under our guidance, tech firms should consider:

• introducing prompts asking users to reconsider before posting harmful content;

• imposing timeouts for users who repeatedly attempt to abuse a platform or functionality to target victims;

• promoting diverse content and perspectives through their recommender for you systems to help prevent toxic echo chambers; and

• de-monetising posts or videos which promote misogynistic abuse and sexual violence.

Pile-ons and coordinated harassment.

This happens when groups gang up to target a specific woman or group of women with abuse, threats, or hate. Such content may be illegal or harmful to children and often affects women in public life. Under our guidance, tech firms should consider:

• setting volume limits on posts (rate limiting) to help prevent mass-posting of abuse in pile-ons;

• allowing users to quickly block or mute multiple accounts at once; and

• introducing more sophisticated tools for users to make multiple reports and track their progress.

Stalking and coercive control.

This covers criminal offences where a perpetrator uses technology to stalk an individual or control a partner or family member. Under our guidance, tech firms should consider:

• bundling safety features to make it easier to set accounts to private;

• introducing enhanced visibility restrictions to control who can see past and present content;

• ensuring stronger account security; and

• remove geolocationby default.

Image-based sexual abuse.

This refers to criminal offences involving the non-consensual sharing of intimate images and cyberflashing. Under our guidance, tech firms should consider:

• using automated technology known as hash-matching to detect and remove non-consensual intimate images;

• blurring nudity, giving adults the option to override;

• signposting users to supportive information including how to report a potential crime.

More broadly, we expect tech firms to subject new services or features to abusability testing before they roll them out, to identify from the outset how they might be misused by perpetrators. Moderation teams should also receive specialised training on online gender-based harms.

Companies are expected to consult with experts to design policies and safety features that work effectively for women and girls, while continually listening and learning from survivors' and victims' real-life experiences - for example through user surveys.

What happens now?

Ofcom is setting out a five-point action plan to drive change and hold tech firms to account in creating a safer life online for women and girls. We will:

1. Enforce services' legal requirements under the Online Safety Act We'll continue to use the full extent of our powers to ensure platforms meet their duties in tackling illegal content, such as intimate image abuse or material which encourages unlawful hate and violence.

2. Strengthen our industry Codes As changes to the law are made, we will further strengthen our illegal harms industry Codes measures. We're already consulting on measures requiring the use of hash-matching technology to detect intimate image abuse and our Codes will also be updated to reflect cyberflashing becoming a priority offence, next year.

3. Drive change through close supervision. We have today written an open letter to tech firms as the first step in a period of engagement to ensure they take practical action in response to our guidance. We plan to meet with companies in the coming months to underline our expectations and will convene an industry roundtable in 2026.

4. Publicly report on industry progress to reduce gender-based harms We'll report in summer 2027 on progress made by individual providers, and the industry as a whole, in reducing online harms to women and girls. If their action falls short, we will consider making formal recommendations to Government on where the Online Safety Act may need to be strengthened.

5. Champion lived experience The voices of victims, survivors and the expert organisations which support them will remain at the heart of our work in this area. We will continue listen to their experiences and needs through our ongoing research and engagement programme.