Response to Internet Matters report

May 5, 2026

Internet Matters published quantitative and qualitative research titled “The Online Safety Act: Are children safer online?” which provides valuable evidence about how age assurance is working in practice for families. At a glance, it may give the impression that children are finding it simple to circumvent age checks, but a more careful analysis of the figures is less alarming.

The report identifies a range of ways children bypass age checks, but it is worth looking at what the numbers actually show. The most common method children report using is entering a false date of birth, cited by 13% of children. This is not a failure of age assurance technology – it is the absence of it. Self-declaration is precisely the system that age assurance is designed to replace. Where platforms continue to rely on date-of-birth fields, they have not in fact implemented age assurance at all.

The next most common methods are using someone else’s login (9%) and using someone else’s device (8%). These are better understood as collusion – the online equivalent of an adult buying age-restricted products for a minor. No regulatory system eliminates that risk entirely, and the report itself makes clear that much of this happens with parental knowledge or active assistance. Indeed, the report finds that 26% of parents have allowed their child to bypass age checks, with 17% actively helping. This is a significant finding, but it points toward the need for stronger social norms and clearer parental guidance rather than providing evidence that the underlying technology is flawed. That said, regular re-authentication or a fresh age check can mitigate this risk, particularly if coupled with monitoring of activity to flag users who may be a different age from the one associated with their account.

On VPNs, perhaps the most often quoted alleged weakness, the report is itself reassuring. Only 7% of children admit to using a VPN to circumvent age checks, and the report notes this is consistent with wider sector data showing VPN use among children aged 9–17 has remained stable at around 8% since the OSA protections came into force. The report rightly describes this as an important counterpoint to claims that age checks would be easily sidestepped via VPNs. And of course, platforms should be monitoring VPN traffic even more carefully for clues that the user is a child in the UK, and insisting that such users either prove they are abroad or complete an age check.

The facial age estimation findings are also worth examining carefully. The report notes that 89% of children describe this method as easy to complete, which is to be welcomed. The question is whether it is easy to defeat. The bypass methods described in focus groups – drawing on facial hair, using video game characters, submitting someone else’s face – are striking as anecdotes, but they represent a small subset of the 32% of children who report any bypass attempt, and the report does not present them as statistically significant methods. Where such techniques do work, they point to substandard implementations rather than a fundamental weakness in facial age estimation technology. Credible liveness detection should not be defeated by a drawn moustache or a cartoon character; if it is, that is a deployment problem and such systems would not pass certification tests.

The report’s most important contribution on this topic may be the finding that children who bypass age checks are less likely to discuss their online activity with their parents: 37% of those who don’t discuss activity have bypassed restrictions, compared with 26% of those who do. This suggests that open family communication is itself a protective factor, and that age assurance works best as part of a broader holistic approach rather than as a standalone gate.

The report is right that effectiveness in practice is what matters, and correct to call for highly effective age assurance rather than accepting weak implementations. The conclusion that follows from the data, however, is not that age assurance is inherently flawed. It is that where it is deployed rigorously, with proper liveness detection, limits on retry attempts, re-verification on existing accounts and ongoing behavioural monitoring, the bypass methods described in the report would be substantially harder to execute. The conclusion from this report should be the need to raise the standards of deployments, not to question the resilience of age assurance technology to attacks. Attempts to evade it are inevitable, and providers must constantly monitor the performance of their systems so they can respond promptly if a new way round them is found, doing so before the overall effectiveness of the control falls below an acceptable level.