select search filters
briefings
roundups & rapid reactions
Fiona fox's blog

expert reaction to report on children’s circumvention behaviours online, commissioned by The Department for Science, Innovation and Technology (DSIT)

A report by BMG Researched and commissioned by DSIT (The Department for Science, Innovation and Technology) looks at children’s circumvention behaviours online. 

 

Dr Ekaterina Hertog, Associate Professor in AI and Society, Oxford Internet Institute, University of Oxford, said:

“Based on the short methodology section this report looks like it is based on a reasonably well-conducted survey. Notably it is not a randomised control trial, a gold standard for scientific enquiry, and therefore provides a descriptive account only and cannot answer any causal questions about children’s exposure to online harms. I would add that the methodological details provided are limited so it is impossible to evaluate the methodology thoroughly. 

“One limitation to the survey design that is worth noting is that the sample of the underlying survey is not weighted to be representative of the UK’s ethnic diversity. This is an oversight given that facial age estimation, one of the core age assurance technologies discussed, is known to perform less accurately for people from some ethnic backgrounds. A booster sample of children from minority ethnic groups would have strengthened the work allowing us insights into their experiences with age verification technologies.

“In addition, because the survey was designed to be started by a parent or guardian before being handed to the child, children’s reports of circumventing age-verification and encountering harmful content may be conservative, and true rates of circumvention and exposure to online harms could be higher than those recorded.

“More substantively, the report raises an important question about the role age verification should play in the policy toolkit aimed at keeping children safe online. 

“The report shows that some harmful content, particularly explicit sexual material, is more likely to be seen after a child has bypassed an age check. It also highlights that much harmful content is encountered passively while scrolling on platforms children are allowed to use, and that children who never bypass a check are still exposed to substantial harm. This finding matters for policy. If children who do not circumvent age checks face substantial online harms, then age verification may not be our most effective lever to protect children. In fact, it can even be counterproductive if platforms on which children encounter harmful content introduce age verification checks and stop other efforts to reduce harmful content in their ecosystem.

“Any assessment of age verification also needs to weigh its potential harms against its benefits. Normalising requests to upload government ID, for example, could make both children and adults more vulnerable to fraud and identity theft through fake verification sites. This study does not address such trade-offs, but any discussion of any verification would benefit from carefully weighing its benefits against the associated risks.

“On the incoming ban on social media for under-16s, this research is informative but limited. It documents how readily and how early children get around age restrictions, learning mostly from friends and sometimes with a parent’s help, which suggests a social media ban would be difficult to enforce. It also says nothing about approaches that focus on equipping children to recognise and cope with online harm rather than simply attempting to protect them from experiencing online harms.”

 

Prof Oli Buckley, Professor in Cyber Security, Loughborough University, said:

“This feels like proper research, not just a PR piece. With 2,299 children it seems to be genuinely representative and sensibly boosted for VPN users. The one thing I would say is that asking kids to confess to dodging age checks just after a parent handed them the phone is a bit like asking for someone to confess to speeding with a policeman in the passenger seat. 

“It is refreshingly honest work and it keeps admitting “age alone doesn’t explain this” rather than claiming victory over causation. It also lines up with independent Ofcom and Childnet figures, so three separate surveys are telling roughly the same story, and that’s when numbers start to be more interesting.

“We need to keep in mind that this is a single snapshot, not a trend line, so it tells us what’s happening now, not whether it’s improving or worsening. The researchers also dodged asking “did you use a VPN” directly when probing bypass methods, which is smart. They clearly didn’t want to accidentally run a tutorial for eleven-year-olds on how to bypass measures but it adds a bit of static to the VPN-specific numbers, which the report acknowledges.

“The bit worth really holding on to is this study is about today’s age checks, not a dress rehearsal for a ban that doesn’t exist yet. What it shows is that flimsy checks get treated like a “keep off the grass” sign, while tougher ones like facial estimation are seen as properly effective and met far less often. If the ban leans on the same weak checks, expect the same teenage ingenuity. 

 

Dr Asma Adnane, Cybersecurity Researcher, Loughborough University, said:

“This study demonstrates that online safety measures cannot be viewed solely as a technical challenge. The findings suggest that parental awareness, attitudes, and involvement are important factors that should be considered alongside technological controls.

“The study benefits from a large sample size, which increases confidence that the findings reflect a broad range of experiences, and from collecting information from both parents and children. This provides a richer picture of online circumvention behaviours than studies relying on a single perspective.

“However, some of the findings would benefit from greater contextual detail. For example, when reporting the technologies used to access VPNs, it would be useful to understand how behaviours vary by age and device ownership.

“Online behaviours can differ considerably between younger teenagers and older adolescents, and accessing a VPN through a shared family computer may reflect very different circumstances and levels of parental involvement than accessing one through a personally owned smartphone.

“These distinctions would help researchers and policymakers better understand how children circumvent restrictions and design more targeted interventions.

“The study also provides valuable insights into how children define privacy. However, privacy awareness can be difficult to assess through survey responses alone.

“It is not always clear whether children who say they value privacy fully understand the technical implications and potential risks associated with tools such as VPNs, including data collection by VPN providers, the use of untrustworthy or malicious services, and increased exposure to inappropriate content after bypassing online safety controls.

“Additional qualitative research could help explore this in greater depth.”

 

Dr Siamak Shahandashti, Associate Professor in Cyber Security & Privacy, University of York, said:

“The method seems to be robust, but it is a simple questionnaire which can only ever give us information about stated behaviour rather than actual behaviour. 

“I’d caution on the interpretation of the data. What people say they do is different from what they do. This is a well-known effect called the social desirability bias. So, I would not summarise the results as e.g. “Around a quarter of children use a VPN” but rather “Around a quarter of children say they use a VPN”. This applies to almost all of the finding headlines. One needs to be aware of the difference and report them accordingly. Although this may seem subtle, the actual difference between stated behaviour and actual behaviour can be substantial, especially in cases where one type of behaviour is seen to be more socially desirable, which I believe applies in most of the topics in this research. 

“To me, one of the most significant findings here is “Most harmful content children encountered in the prior 3 months is encountered passively while scrolling, rather than searched for.” which indicates that the platforms need to do more (e.g. content moderation) than just putting a perfunctory age check at the outset of access. 

“Another significant finding for me is how children value their privacy and hence use VPN to feel safer. If compared with adults, this may show a significant rise in privacy consciousness in the younger generation.” 

 

Dr Hisham Al-Assam, Associate Professor in Computing, University of Buckingham, said:

“I believe this is an important and well-timed study because it moves the debate about online child safety away from political slogans and towards technical reality. One of its greatest strengths is that it recognises something many cyber security professionals have been saying for years: determined young people are not passive users of technology. They actively learn, adapt, and share methods for bypassing digital restrictions. That makes understanding circumvention behaviour just as important as understanding the risks children face online.

“From my perspective as a cyber security researcher, the findings are entirely consistent with what we know about security systems more broadly. Every security control creates incentives to find a workaround, particularly when users view the restriction as unfair or unnecessary. This is not unique to children. It is a fundamental principle of cyber security. The report therefore provides a valuable reality check by highlighting that any assessment of future age restrictions must consider not only how well they block access, but also how effectively they withstand attempts to bypass them.

“I also think the study exposes a gap between political ambition and technical reality. Public discussions often imply that age verification can reliably prevent underage access while preserving everyone’s privacy. In practice, those objectives are difficult to achieve simultaneously. Effective enforcement means millions of British adults would have to surrender passports, biometric facial scans, or financial records to technology companies simply to access online services. The burden of compliance will fall disproportionately on ordinary, law-abiding adults, while tech-savvy teenagers simply route around the barriers.

“Importantly, the study should not be interpreted as evidence that age-based restrictions cannot work. Rather, it demonstrates that success cannot be judged simply by whether age verification is deployed. The real test is how resilient those systems remain when faced with determined users. Modern technologies such as VPNs, proxy services, AI generated identities, deepfakes, and online communities that rapidly share circumvention techniques mean that any technical solution will face continuous pressure from people actively trying to defeat it.

“The report also has limitations that we should bear in mind. Like much research involving online behaviour, it relies heavily on self-reported evidence, which may not fully capture either the true scale of circumvention or the sophistication of the techniques being used. It also cannot predict how children will respond once new legislation and age assurance technologies are widely deployed. Future behaviour may change as technology, enforcement, and social norms evolve.

“For me, the most important message is that this research shifts the conversation from “Can we build an age verification system?” to the much more important question of “Can we build one that remains effective against motivated users without fundamentally changing how everyone accesses the internet?”That is a far harder challenge. I hope this report encourages policymakers to evaluate future proposals not only on their intentions, but also on their technical resilience, their impact on privacy, and the unintended consequences they may create for millions of law-abiding users.”

 

Prof Alan Woodward, Professor of Cybersecurity, University of Surrey, said:

“This is a well-designed survey. Its large, nationally representative, and consistent with independent estimates from Ofcom and Childnet. Hence, its headline numbers deserve to be taken seriously.

“Around four in ten children say they have got around an age check, but the crucial detail is which checks: most circumvention involves simply entering a false date of birth on services still using self-declaration, which the Online Safety Act already recognises as ineffective. Children encounter the advanced checks, such as facial age estimation and ID verification, far less often, and largely believe those checks work. The story here is less that age assurance is failing and more that too many services haven’t yet adopted the effective kind. The outstanding question is whether, and how, effective age verification can me implemented for this age group. The difficulties were well summarised in the recent letter from Ofcom ‘s Group Director of Online Safety on 16th June 2026 https://www.ofcom.org.uk/siteassets/resources/documents/about-ofcom/public-correspondence/2026/letter-from-oliver-griffiths-to-ollie-ilott_16june26.pdf?v=419590which followed the day after the letter from Rt Hon Liz Kendal to Ofcom asking them to study this issue https://www.gov.uk/government/publications/june-progress-statement-letter-from-dsit-secretary-of-state-to-ofcom-chair-and-ceo/june-progress-statement-letter-from-dsit-secretary-of-state-to-ofcom-chair-and-ceo

“Two caveats matter for how this is reported. First, everything is self-reported by children about sensitive behaviour, so figures may be under- or over-stated. Second, the links between VPN use, bypassing and exposure to harmful content are associations, not causes: children motivated to seek restricted content are more likely to acquire VPNs in the first place. Notably, only 7% of all children say they use a VPN to reach age-restricted material: most cite privacy or foreign content . And, parents frequently set up and pay for them. Any policy response aimed at VPNs would need to reckon with the fact that they are, for most children, a legitimate household tool.”

 

 

Independent Report – Children’s circumvention behaviours online:

https://www.gov.uk/government/publications/childrens-circumvention-behaviours-online/childrens-circumvention-behaviours-online

 

 

Declared interests

Dr Ekaterina Hertog: I do not have any relevant declarations of interest.

Prof Oli Buckley: “None.”

Dr Asma Adnane: Asma has not declared any conflicting interests.

Dr Siamak Shahandashti: “My research is partly supported by standard academic funding schemes from UKRI/EPSRC and Responsible AI UK (RAI UK). I have served on the UK Information Commissioner’s Office Privacy-Enhancing Technologies Expert Forum (2021–2022).” 

Dr Hisham Al-Assam: “I declare no conflict of interest.”

Prof Alan Woodward: “I have no conflict of interest in making my statement”

in this section

filter RoundUps by year

search by tag