Ofcom Watch

Ofcom writes:

Since the age check rules came into force, there has been considerable public debate about children bypassing the protections, including by using virtual private networks (VPNs). VPN use is common in the UK and can offer privacy and security benefits. However, because VPNs allow internet users to change their virtual location and IP address to another country, they can be used to try and get around the protections of the Online Safety Act, including its age check requirements.

 Following the introduction of the age check requirement in July we saw an initial spike in the use of VPNs in the UK – with UK daily active users of VPN apps doubling to around 1.5 million. However, by the end of October usage had fallen back to under 1 million daily active users.21 This early spike in VPN usage was expected and has happened in other countries and US states that have introduced age check requirements. There is currently no reliable up-to-date data on how far the increased use of VPNs is due to children or to adults who wish to avoid having to complete age checks.

Data from Internet Matters, collected before the rules came into force, suggests that around one in ten under-18s used VPNs, with use skewing towards older teenagers. This would suggest the new age checks will already be offering significant protections to children. However, further evaluation is needed.

We continue to build our evidence base to help us understand children’s level of usage and familiarity with VPNs. This month we are launching a children’s advisory panel with the Children’s Commissioner for England to hear directly from children about their online experiences and how they are changing, including VPN usage. We have introduced questions on VPNs to our Children and Parents Media Literacy Tracker and we plan to publish data and analysis on this in May 2026. These questions focus on the awareness and use of VPNs among children aged 13-17. We also ask parents of 3-17s who use parental controls, whether they use tools to block VPN usage. Finally, we will continue to collect information about VPN adoption in the UK, as we have done since age assurance measures came into force, as part of our work to understand how people in the UK use the internet. This evidence base will help guide thinking and decisions about whether there is a need for further action in this area, and what would be proportionate.

There has also been concern from some stakeholders about whether age checks are being implemented in a way that preserves privacy and protects users’ data. Ofcom has been clear that all age assurance methods involve processing of some personal data and therefore platforms and vendors implementing age checks must comply with UK data protection laws. We have worked closely with the Information Commissioner’s Office, which oversees and enforces these laws, in developing our approach and guidance for highly effective age checks.

Finally, we have observed instances of over-moderation where content not harmful to children was inaccessible to them, especially soon after age checks were more broadly introduced. We have provided clear, detailed guidance on what kinds of content we consider to be illegal content or content harmful to children – and therefore consider to be in-scope of safety measures. Where we are concerned that content which does not meet these definitions is inaccessible, we are discussing these issues with the providers involved through our Supervision teams.

Ofcom writes:

Since the age check rules came into force, there has been considerable public debate about children bypassing the protections, including by using virtual private networks (VPNs). VPN use is common in the UK and can offer privacy and security benefits. However, because VPNs allow internet users to change their virtual location and IP address to another country, they can be used to try and get around the protections of the Online Safety Act, including its age check requirements.

 Following the introduction of the age check requirement in July we saw an initial spike in the use of VPNs in the UK – with UK daily active users of VPN apps doubling to around 1.5 million. However, by the end of October usage had fallen back to under 1 million daily active users.21 This early spike in VPN usage was expected and has happened in other countries and US states that have introduced age check requirements. There is currently no reliable up-to-date data on how far the increased use of VPNs is due to children or to adults who wish to avoid having to complete age checks.

Data from Internet Matters, collected before the rules came into force, suggests that around one in ten under-18s used VPNs, with use skewing towards older teenagers. This would suggest the new age checks will already be offering significant protections to children. However, further evaluation is needed.

We continue to build our evidence base to help us understand children’s level of usage and familiarity with VPNs. This month we are launching a children’s advisory panel with the Children’s Commissioner for England to hear directly from children about their online experiences and how they are changing, including VPN usage. We have introduced questions on VPNs to our Children and Parents Media Literacy Tracker and we plan to publish data and analysis on this in May 2026. These questions focus on the awareness and use of VPNs among children aged 13-17. We also ask parents of 3-17s who use parental controls, whether they use tools to block VPN usage. Finally, we will continue to collect information about VPN adoption in the UK, as we have done since age assurance measures came into force, as part of our work to understand how people in the UK use the internet. This evidence base will help guide thinking and decisions about whether there is a need for further action in this area, and what would be proportionate.

There has also been concern from some stakeholders about whether age checks are being implemented in a way that preserves privacy and protects users’ data. Ofcom has been clear that all age assurance methods involve processing of some personal data and therefore platforms and vendors implementing age checks must comply with UK data protection laws. We have worked closely with the Information Commissioner’s Office, which oversees and enforces these laws, in developing our approach and guidance for highly effective age checks.

Finally, we have observed instances of over-moderation where content not harmful to children was inaccessible to them, especially soon after age checks were more broadly introduced. We have provided clear, detailed guidance on what kinds of content we consider to be illegal content or content harmful to children – and therefore consider to be in-scope of safety measures. Where we are concerned that content which does not meet these definitions is inaccessible, we are discussing these issues with the providers involved through our Supervision teams.

Ofcom has fined the AVS Group of porn websites £1,050,000 with an ultimatum to fix its ID/age verification system by 6th December else it will face daily files of £1300 for 3 months or until it fixes its websites.

The AVS Group did in fact implement ID/Age verification for UK visitors which requires a verifiable email and a photo for age estimation. However ths system did not check that this was a selfie and any photo of an any adult seems to suffice.

The AVS Group Ltd sites are:

• pornzog.com
• txxx.com, txxx.tube
• upornia.com
• hdzog.com, hdzog.tube
• thegay.com, thegay.tube
• ooxxx.com
• hotmovs.com
• hclips.com
• vjav.com
• pornl.com
• voyeurhit.com
• manysex.com
• tubepornclassic.com
• shemalez.com, shemalez.tube.

These sites still require for UK viewers a valid email and a photo of an adult but are available using a VPN.

The BBC notes that Ofcom has never received any replies from queries to TubeCorporate, the company behind AVS Group Ltd. TubeCorporate apparently has a registered address in Belize that is shared with many other offshore companies, and it may prove difficult to enforce these fines.

 

Ofcom writes:

Ofcom has determined that AVS Group Ltd has failed to comply with section 12 of the Act and this failure is ongoing. Section 12 imposes a duty on providers of services that fall under Part 3 of the Act, and allow pornographic content, to ensure that children are prevented from encountering pornographic content through the use of highly effective age assurance.

From 25 July 2025 until at least 25 November 2025, each of the AVS Group websites either:

• did not implement any age assurance measures; or

• implemented measures that were not highly effective at determining whether a user was a child. In particular, AVS Group Ltd deployed a photo upload check on its services that does not include liveness detection and as such is vulnerable to circumvention by children (for example, by uploading a photo of an adult). Ofcom considers that this method is not capable of being highly effective within the meaning of the Act.

We are imposing a penalty on AVS Group Ltd of £1,000,000 in respect of the contravention of section 12. This penalty was set having regard to our Penalty Guidelines.

In addition, AVS Group Ltd is now required to comply with section 12 by taking steps to implement highly effective age assurance on all remaining AVS Group websites that do not currently have such measures in place by 5pm GMT on 6 December 2025.

Should AVS Group Ltd fail to comply with this requirement, a daily rate penalty of £1,000 per day will be imposed starting from 6 December 2025 until the section 12 duty is complied with or 16 March 2026, whichever is sooner.

Ofcom has also determined that AVS Group Ltd has failed to comply with section 102(8) of the Act by failing to respond to a statutory request for information within the specified time frame issued as part of the investigation. We are imposing a penalty on AVS Group Ltd of £50,000 in respect of the contravention of section 102(8). This penalty was set having regard to our Penalty Guidelines.

In addition, AVS Group Ltd is now required to take immediate steps to provide Ofcom with a complete list of all sites operated by AVS Group Ltd.

Should AVS Group Ltd fail to comply with this requirement, a daily rate penalty of £300 per day will be imposed starting from 4 December 2025 until the section 102(8) duty is complied with or 1 February 2026 whichever is sooner.

 

 

Ofcom writes:

Since we opened our investigation into 4chan Community Support LLC ('4chan') and its compliance with its duties to protect users from illegal content, new duties to protect children under the Online Safety Act 2023 ('the Act') 203 the Protection of Children duties - have come into effect.

Such duties require providers of regulated user-to-user services, which are likely to accessed by children, to use proportionate systems and processes which are designed to effectively reduce the risk of harm to children from content available on their site and to prevent children from encountering certain types of harmful content, known as Primary Priority Conten, altogether. In particular, section 12 of the Act requires providers of services that fall under Part 3 of the Act, and allow one or more kinds of Primary Priority Content (including pornographic content), to use highly effective age verification or age estimation (or both) to prevent children from encountering that kind of content where identified on the service.

Ofcom is therefore expanding this investigation to include consideration of whether there are reasonable grounds to believe that 4chan has failed, or is failing, to comply with its duties under section 12 of the Act.