Earlier this week I published my second report on children’s exposure to pornography, ‘Sex is kind of broken now: children and pornography’.
It was written to capture the state of play just before new rules under the Online Safety Act 2023 to protect children from pornography came into force. It showed that when it comes to the kind of violent, degrading content children are seeing with ease and frequency – from a young age – we are at rock bottom.
The Online Safety Act now requires some online platforms, including pornography websites, to implement Highly Effective Age Assurance (HEAA), and other social media sites to take steps to prevent children seeing porn on their sites.
These are significant measures that have the potential to be transformative. But I’ve been clear from my earliest conversations with Ministers and regulators that the Act will only be effective if it has the agility to keep up with new risks as they emerge.
One of those is the potential for Virtual Private Networks (VPNs) to be misused by children as a way to circumvent the rules.
VPNs are themselves not a danger. There is no case for limiting their use among adults. In many cases, they are beneficial for cybersecurity. They are used widely in the UK for business and by individuals, and the scope of the Online Safety Act does not cover their use.
The majority of children have told me they stumble across harmful content by accident, often on social media. A smaller number of children reported that they actively looked for this content on pornography websites. Within days of the Act the use of VPNs in the UK increased dramatically. We don’t know if that increase was driven by under-18s, but the ease with which children could access VPNs threw light on the issue.
That’s why I’ve called on the government to explore how the circumvention of the new rules can be prevented. One example is by looking at how VPNs impact the use of Highly Effective Age Assurance protections under the Online Safety Act.
The Online Safety Act states that pornography must not normally be accessible to children. It requires pornography services to use Highly Effective Age Assurance to make this happen. Taken together, that means if a child can still normally access this content using, for example, a VPN, then Highly Effective Age Assurance is not working. The Act enables us to manage this risk – and my report highlights why it is so essential that we make it as close to impossible for children to access this harmful content, including pornography.
I want to see online services compelled to identify users who are using VPNs and require those that are likely to be based in the UK to prove their age.
Technology providers have the capacity to assess the behaviour of users on these sites, to easily determine if they are likely to be based in the UK – and whether they are children. Small clues like accessing the site in UK daytime but not school hours, searching for terms popular among UK children and using free services, rather than paid-for sites, are just some ways that services can easily identify a child user. This behavioural data is already used in this way by many online platforms for other purposes, such as determining what adverts should be shown to a user. It can, and must, also be used to keep them safe.
The principle behind the Online Safety Act is to protect children, allowing them to benefit from all the advantages of being online without the risks to which so many of them have been exposed – and the resulting damage to their beliefs, their self-esteem, their attitudes towards each other and to their relationships.
No one can reasonably argue against keeping children safe online, just as we do offline.
