Children across the United Kingdom are routinely bypassing online age-verification systems by using fake identities, VPN services, and facial manipulation techniques, according to new research that raises concerns about the real-world effectiveness of protections introduced under the Online Safety Act.
A report published by Internet Matters found that nearly half of children surveyed believe age assurance systems are easy to defeat, while a significant portion admitted they had already bypassed restrictions themselves. The findings come as regulators and technology companies continue expanding mandatory age verification measures across social media, adult websites, gaming services, and other digital platforms.
The UK’s Online Safety Act was introduced to reduce children’s exposure to harmful material online, including explicit content, cyberbullying, self-harm material, and predatory behavior. Platforms are now increasingly required to implement systems capable of estimating or verifying user age before granting access to certain features or services. However, the report suggests many of those systems remain relatively easy to evade.
According to the findings, 46% of children said age verification checks are simple to bypass. Around 30% admitted they had personally circumvented age restrictions online.
The methods used are often straightforward. Many children simply enter false birth dates when creating accounts, a tactic that continues to work on platforms relying on self-reported ages rather than stronger verification tools. Others borrow accounts from older siblings or adults to access restricted services.
VPN usage has also become a major workaround. By routing internet traffic through servers located outside the UK, users can avoid region-based age verification requirements entirely. Cybersecurity researchers and privacy experts have already reported a sharp increase in VPN adoption since age assurance rules began rolling out more aggressively.
Some children are also exploiting weaknesses in facial age estimation systems. These technologies typically use AI models to estimate a user’s age based on a selfie or webcam image. But the Internet Matters report documented cases where minors successfully manipulated those systems using makeup, altered lighting, camera angles, or costume-style facial modifications.
One parent interviewed in the report described how their child passed a facial verification check after drawing a fake moustache with an eyebrow pencil. The anecdote has become one of the clearest examples of how immature or inconsistent some age assurance technologies remain despite their growing use.
The report also highlighted the role of parents in bypass behavior. Around 26% of parents surveyed acknowledged they had knowingly allowed children to circumvent age checks under certain circumstances.
In some cases, parents considered restrictions too intrusive or impractical, while others believed their children were mature enough to access blocked platforms.
Despite the weaknesses identified, the research did indicate that many users are seeing visible changes online as platforms adapt to the Online Safety Act. Approximately 68% of children and 67% of parents reported noticing additional safety features and protections across digital services.
Some respondents also reported improvements in platform moderation and recommendations. More than half of the surveyed children said they were seeing more age-appropriate or child-friendly content compared to previous years. However, exposure to harmful content remains widespread. Nearly half of the children surveyed said they had experienced some form of online harm within the previous month.
The findings underscore the growing technical and ethical challenges surrounding age verification online. Current systems generally fall into several categories: self-declared age input, facial estimation technology, government ID verification, banking verification, or third-party identity services. Each method carries different privacy and security implications.
Privacy advocates have repeatedly warned that large-scale age verification requirements could create new risks by encouraging platforms to collect highly sensitive personal information, including biometric scans and identity documents. Critics argue that centralized storage of such data could become an attractive target for hackers or lead to broader surveillance concerns.
Technology companies are also struggling with implementation consistency. Some services rely on lightweight age checks that can easily be bypassed, while others have introduced more invasive identity verification systems. The fragmented approach has created uneven enforcement across the digital ecosystem, allowing users to move between stricter and weaker platforms.
The debate has also expanded beyond child safety into questions about internet anonymity and accessibility. Digital rights groups argue that mandatory identity verification could discourage lawful anonymous activity online, including whistleblowing, activism, or participation in sensitive communities.
At the same time, regulators face mounting pressure to prove that the Online Safety Act is delivering measurable results. The UK has positioned itself as one of the world’s most aggressive regulators of online child safety, and other governments are closely watching the effectiveness of its enforcement model.
The Internet Matters report concluded that while awareness of online safety has improved, the burden of protection still falls heavily on families and individual users rather than platforms themselves.
Researchers warned that age verification alone is unlikely to fully solve online safety issues unless paired with stronger moderation systems, platform accountability, and digital literacy education.
As governments continue pushing for tighter controls on internet access for minors, the report suggests the current generation of verification tools may still be struggling to keep pace with the creativity and technical adaptability of younger users.