Blocking Nude Images on Children's Phones, The Policy Gap Nobody in Government Is Talking About

Speaking at London Tech Week on 8 June 2026, Prime Minister Keir Starmer announced that Britain would become the first country in the world where it is impossible for children to take, share or view nude images on their devices. Apple and Google have been given three months to activate device level nudity blocking by default for under 18s. If they fail to act, the government will legislate. Criminal liability for tech executives is, the announcement noted, "on the table".

The statistics cited are stark. According to government figures, 91% of online child sexual abuse reports recorded in 2024 contained self generated content from children. The average child now views pornography by age 13. More than half of all child sexual abuse and exploitation cases involve children aged 10 to 17 offending against other children. Those numbers represent real harm and the policy response, at least in intention, is serious.

Nobody is seriously arguing that children should have unrestricted access to sexually explicit material. The intent behind this policy is defensible and the scale of harm that prompted it is not in dispute. The problem is what happens when you lift the bonnet and look at how the system is actually supposed to work.

The policy hinges on age verification. Adults who want to access nude content must prove they are over 18. That sounds reasonable until you ask prove it how? In practice, age assurance systems rely on private companies holding one or more of the following, biometric data, a facial age estimate or a scan, official identity documents such as a passport or driving licence, or linked financial data. These are not abstract categories of information. They are some of the most sensitive personal data in existence.

The government's own announcement states that companies must introduce these measures "without threatening privacy or collecting any data." That instruction is what experts question whether this is technically feasible as written. Effective age verification, at device level, across every app and service, requires some form of identity signal. The government has not explained how that signal is generated without any data being held, processed or transmitted.

Who holds the keys and what happens when they're stolen?

Age verification data is a high value target. A database containing the identity documents and biometric records of millions of UK adults is not a mundane operational asset. It is exactly the kind of dataset that hostile state actors, criminal organisations and opportunistic hackers routinely pursue.

The UK's recent track record on protecting sensitive data held by government and public service bodies does not inspire confidence. The NHS has been subject to repeated ransomware attacks. The Electoral Commission disclosed in 2023 that it had been breached and that the data of approximately 40 million people had potentially been accessed. The Police Service of Northern Ireland accidentally published the personal details of all serving officers. These are not isolated incidents, they reflect a systemic vulnerability in how large public and quasi public datasets are managed.

Now consider what the government is proposing to normalise, every adult in the UK who wants access to legal content on their own device must pass their identity through a verification layer controlled by private companies operating under government mandate. Each of those companies becomes a target. Each database a single point of failure. The attack surface for the UK's cyber infrastructure does not shrink under this policy. It grows, substantially, and it does so in ways that directly affect individual citizens.

What the experts actually recommend

There is a persistent gap between how politicians frame online child safety and what those who work in the field consistently recommend. Digital rights researchers, child psychologists, and internet safety specialists have repeatedly pointed to education as the most effective long term tool, not as a replacement for technical safeguards, but as the foundation without which any technical measure is incomplete.

The argument is practical, not ideological. Technical restrictions are circumventable. Any child with a VPN, a secondary device, or a friend's login can navigate around device level blocking. What cannot be circumvented is a child who understands what they are looking at, why it may be harmful, and who to talk to if they are pressured. That understanding comes from parents and educators, not from app settings.

Critics of the government's approach also point to an unintended consequence that has emerged consistently wherever similar restrictions have been introduced, platform level restrictions and age gating do not eliminate demand. They redirect it. Services that comply with UK regulations lose users to services that do not, often smaller, less moderated platforms operating outside UK jurisdiction, or darker corners of the internet where there is no effective oversight at all. The government's approach, as currently framed, risks pushing both children and adults toward less safe environments, not safer ones.

Rights that are not being mentioned

The legal framework underpinning this policy is more complicated than the press release suggests. Three provisions of the European Convention on Human Rights, which remains part of UK law via the Human Rights Act, are directly relevant.

Article 8 - the right to private and family life, establishes that public authorities may not interfere with a person's private life without lawful basis and proportionate justification. Compelling adults to submit biometric or documentary proof to access legal content on their own devices is a significant intervention into private life. Whether it meets the proportionality test is not a settled question.

Article 2 of Protocol 1 protects the right of parents to ensure their children's education conforms to their own convictions. The legal text states that "the State shall respect the right of parents to ensure such education and teaching in conformity with their own religious and philosophical convictions." Parents who believe that educating their children about sexuality and online risk is their responsibility rather than the state's, have a plausible argument that blanket device level controls interfere with that right.

Article 10 protects freedom of expression, including the right "to receive and impart information and ideas without interference by public authority." Restricting the ability of adults to receive legal information or content without passing through a state mandated verification process engages Article 10. The government will argue that the restriction is justified and proportionate. That argument will almost certainly be tested in court.

Good intentions, unanswered questions

None of this is an argument against protecting children online. The harm the government is responding to is real and the organisations quoted in the announcement, from the NSPCC to Barnardo's to the Internet Watch Foundation are not wrong to welcome action. The data on self generated child sexual abuse material is alarming. Something needs to change.

But "something needs to change" is not the same as "this specific mechanism is well designed and safe to implement at scale." The announcement at London Tech Week was heavy on political intent and light on technical detail. The instruction that age verification must happen "without any data being collected" is either a misunderstanding of how the technology works, or an aspiration that the government has not yet figured out how to deliver.

The UK's cyber attack surface is not abstract. It is made up of every dataset, every verification system, every third party contractor holding information that people have been required to hand over to access services they use every day. Government and NHS systems have been compromised in the recent past. The question of whether the state can keep this kind of data safe is not hypothetical. And it is a question that, as yet, nobody in a ministerial role is being asked to answer.