Two in five UK children say they bypass online age checks

Nearly two in five UK children aged 11 to 17 say they have successfully bypassed an online age check, according nationally representative research commissioned by the Department for Science, Innovation and Technology (DSIT).

The study surveyed 2,299 children in May 2026 to examine their experiences with age assurance, VPN use and methods of bypassing age checks. It also included an additional sample of recent VPN users.

Overall, 39% said they had successfully bypassed an age check at least once, while another 14% had tried unsuccessfully. Success rates rose from 28% among 11- to 12-year-olds to 43% among older teenagers.

Many children avoided age checks altogether by choosing websites, apps or games that either had no age verification or appeared easy to bypass. Among those who successfully circumvented checks, 63% said they simply pretended to be older, most commonly by entering a false date of birth.

Most successful circumvention involved simple self-declaration systems such as tick boxes and date-of-birth fields, which children also rated as the least effective.

By contrast, 86% of respondents who had encountered government ID verification considered it effective, while third-party identity services, payment card verification and facial age estimation also received substantially higher ratings.

Privacy was the most common reason for using a VPN. However, 22% of VPN users said they had used one to access age-restricted websites, apps or games, equivalent to 7% of all children surveyed.

Parents were involved in some VPN use. Among children who had used one, 22% received help from a parent to set it up, while 43% of current users said a parent paid for the service. However, older teenagers were more likely to install VPNs without parental knowledge.

Friends were the main source of information about bypassing age checks, cited by half of children who had done so. Practical consequences appeared to be the strongest deterrents, including harder-to-defeat checks, permanent account bans, and notifying parents about circumvention attempts.

The report also found an association between bypassing age checks and exposure to harmful content. Among children who had circumvented age checks, 51% reported later encountering at least one form of harmful material, including explicit content, contact from unknown adults and requests for personal information.

The researchers cautioned that the findings rely on self-reported behaviour and do not establish that VPN use or circumvention directly caused exposure to harmful content.

Why does it matter?

The findings suggest that basic self-declaration systems provide limited protection for children and are easily circumvented. As regulators increasingly require stronger age assurance under frameworks such as the UK’s Online Safety Act, the challenge will be deploying systems that are both effective and proportionate while protecting users’ privacy.

The research also highlights that technology alone is unlikely to solve the problem. Children’s motivations, platform design, parental involvement and digital literacy all influence whether age restrictions are respected, suggesting that meaningful online safety will require a combination of technical safeguards, regulation and education.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Greece adds digital passport to Gov.gr Wallet

The Greek Ministry of Digital Governance and Artificial Intelligence has added the national passport to the Gov.gr Wallet, allowing citizens with active ordinary passports to store a secure digital version on their mobile devices.

The digital passport can be used for identification and as a travel document within Greece. Diplomatic and service passports are not currently supported.

The passport becomes the thirteenth document available through the Gov.gr Wallet, joining digital identity cards, driving licences, disability cards, unemployment cards, academic IDs, insurance information, vehicle records, driver penalty points, pet records, the Athens Ring Road permit and the Real Estate File.

According to the Ministry, more than 2.5 million digital identity cards and almost 2 million digital driving licences have already been added to the application.

The Gov.gr Wallet is available on both Android and iOS devices through wallet.gov.gr. The service was developed by the General Secretariat for Information Systems and Digital Governance and GRNET, in cooperation with the Ministry of Citizen Protection and the Hellenic Police.

Citizen data is retrieved through the government’s Interoperability Centre.

Why does it matter?

The addition of the passport further expands Greece’s digital identity ecosystem and reflects the country’s continued investment in digital public services. By enabling citizens to carry more official documents securely on their mobile devices, the government is reducing reliance on physical credentials while improving access to public services.

The initiative also aligns with wider European efforts to strengthen digital identity infrastructure. As more governments develop interoperable digital wallets and electronic identity systems, mobile credentials are expected to play an increasingly important role in public administration and cross-border digital services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Saudi Arabia launches AI tool for national data insights

Saudi Arabia’s Ministry of Economy and Planning has launched the beta version of INSAIGHTS, an agentic AI tool integrated into the Data Saudi Platform. The system is designed to improve how users access, analyse, and interact with national economic and social data.

INSAIGHTS allows users to convert questions into instant insights and analytics by drawing on more than 7,500 indicators available through the platform. The tool aims to support decision-makers, researchers, analysts and the public with faster access to reliable information for data-driven decisions.

The launch forms part of Saudi Arabia’s wider digital transformation agenda under Vision 2030 and the National Transformation Program. The Ministry plans to continue expanding the tool’s capabilities while using emerging technologies to improve transparency, innovation and user experiences across its digital ecosystem.

Why does it matter?

The INSAIGHTS highlights Saudi Arabia’s growing focus on AI as a tool to improve public data accessibility and strengthen evidence-based decision-making. By combining AI capabilities with extensive national datasets, the platform could help organisations and individuals extract insights more efficiently.

The initiative also demonstrates how governments are increasingly adopting agentic AI systems to enhance digital services and economic planning. As the technology develops, platforms like INSAIGHTS may become important models for using AI to improve transparency, research capabilities and public-sector innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Ofcom proposes tougher rules on scam ads

Ofcom has proposed new rules requiring major online platforms to do more to prevent scam advertising, including verifying advertisers, blocking repeat fraudsters and making fraudulent adverts easier to report.

The draft Fraudulent Advertising Code is being developed under the UK’s Online Safety Act and would apply to some of the country’s largest social media platforms, search engines and other online services.

According to Ofcom, more than half of UK adults have encountered potentially fraudulent adverts online, while victims lose an estimated £200 million each year. The regulator said online platforms have not done enough to stop criminals exploiting their advertising systems.

The proposed code sets out nearly 40 measures, including banning accounts that publish scam adverts, preventing repeat offenders from opening new accounts, verifying the identity of advertisers and confirming that firms promoting banking or investment services are properly authorised.

Platforms would also be expected to strengthen account security, reduce the risk of account hijacking, test AI-powered advertising tools against misuse and establish dedicated reporting channels for trusted organisations, including law enforcement agencies, to flag fraudulent adverts for rapid removal.

Ofcom also wants platforms to use proactive technologies to detect and block fraudulent advertising before it reaches users. A separate consultation on those proposals is expected this autumn alongside a broader package of online safety measures.

The consultation remains open until 2 October, with final decisions expected next year. Once approved by Parliament, companies that fail to comply could face fines of up to £18 million or 10% of global annual revenue, whichever is higher.

Alongside the advertising proposals, Ofcom also published draft rules for Category 1 services under the Online Safety Act. These include stronger protections for journalistic content and democratic debate, improved user controls over harmful content, more effective complaints procedures and greater transparency through published risk assessment summaries.

Why does it matter?

The proposals would expand platform responsibility beyond user-generated content to the advertising systems that increasingly enable online fraud. By introducing requirements for advertiser verification, proactive detection and stronger enforcement against repeat offenders, Ofcom is seeking to make scam prevention a core responsibility of online platforms rather than relying primarily on users to identify fraudulent adverts.

The draft code also reflects a broader regulatory trend towards greater accountability for digital advertising ecosystems. As AI-generated content and increasingly sophisticated scams become more common, regulators are placing greater emphasis on platform governance, advertiser verification and proactive risk management.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New York City targets junk fees and subscription traps

New York City has introduced two major consumer protection measures targeting hidden charges and difficult subscription cancellations, combining mandatory all-in pricing with new ‘Click-to-Cancel’ requirements.

The Click-to-Cancel rule will take effect on 1 October 2026, making New York City the first municipality to require businesses to offer subscription cancellations that are as simple as sign-up. Companies must clearly disclose subscription terms and provide straightforward cancellation mechanisms, ending practices that rely on confusing procedures or hidden recurring charges. According to the Roosevelt Institute, the rule could save New Yorkers between $21.5 million and $162.5 million each year.

The proposed Junk Fees rule would require businesses to display the full price upfront, including all mandatory charges. Companies would be prohibited from advertising misleading prices and would have to include service and processing fees in advertised prices. Businesses that violate either rule could face consumer restitution and civil penalties starting at $525 per violation.

Consumer Reports estimates that hidden fees cost the average family of four around $3,200 annually. The Department of Consumer and Worker Protection has published guidance explaining the proposed all-in pricing rules, with public consultation remaining open until a hearing on 7 August.

Why does it matter?

The measures reflect a growing regulatory effort to tackle so-called ‘dark patterns’—design practices that make prices harder to understand or subscriptions more difficult to cancel. By requiring transparent pricing and straightforward cancellation, New York City is shifting responsibility from consumers to businesses to ensure commercial practices are fair by design.

The rules could also influence wider consumer protection policy. As many companies operate nationally or globally, local requirements on pricing transparency and subscription management may encourage businesses to adopt similar practices across multiple markets, potentially shaping future regulation in other jurisdictions.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Cybercrime accounts for one in five crimes in Spain

Spain recorded 488,426 cybercrimes in 2025, accounting for 19.8% of all reported crime, according to the Spanish Ministry of Interior’s latest Cybercrime Report. The figure shows a 5.1% increase from 2024, demonstrating the growing threat of digital crime nationwide.

Computer fraud and online scams continued to dominate cybercrime, accounting for nearly nine in ten reported offences with 429,677 cases. Internet-related forgery increased by 11.3% to 21,690 cases, while sexual offences rose by 21% and illegal access or interception offences surged by 40.7%, highlighting the growing diversity of cybercriminal activity.

The number of cybercrime victims reached 383,285, up 9.3% from 2024. People aged 51 to 65 were the most frequently targeted, particularly through credit card fraud and travel cheque scams, accounting for 146,737 victims. Although most victims were male, the types of cybercrime varied considerably across age groups and demographics.

Critical infrastructure operators experienced 90 cyberattacks in 2025, a 43.8% decrease from the previous year. The transport sector accounted for 42.2% of incidents, followed by the information and communications technology sector with 15.5%.

Why does it matter?

The report shows that cybercrime has become a mainstream form of criminal activity, accounting for nearly one in five reported offences in Spain. The continued growth in fraud, online scams and unauthorised access highlights how digital crime is evolving alongside greater reliance on online services by individuals, businesses and public institutions.

Although attacks on critical infrastructure declined, the overall increase in cybercrime and victim numbers suggests that law enforcement and cybersecurity authorities will need stronger investigative capabilities, cross-border cooperation and preventive measures to keep pace with increasingly sophisticated digital threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

European Commission panel recommends social media restrictions for under-13s

A special panel convened by the European Commission has recommended restricting access to social media and other high-risk digital services for children under 13, arguing that platforms should prove they are safe before minors are allowed to use them.

The report was prepared by the co-chairs of the Special Panel on Child Safety Online, Prof. Dr. Jörg M. Fegert and Dr. Maria Melchior, whom European Commission President Ursula von der Leyen appointed in March 2026 to advise on child safety online and possible age restrictions for social media.

The panel met three times between March and June 2026 to examine scientific evidence on the impact of social media and digital environments on minors, review existing EU and national rules, and develop recommendations to better protect and empower children online.

The report uses the term ‘social media+’ to describe social media and other digital services that expose minors to potentially harmful features, including addictive design, infinite scroll, autoplay, recommender systems, persistent notifications, AI companions, video games and video-sharing platforms.

The co-chairs argue that providers, not children or parents, should bear the burden of demonstrating that their services are safe by design and appropriate for young users. Until then, they recommend restricting access for children under 13, while allowing member states to introduce additional precautionary measures for older adolescents if needed.

The recommendations also call for proportionate age-assurance systems, stronger safety-by-design requirements, limits on addictive platform features, more effective complaints mechanisms for minors and stronger enforcement of existing EU legislation, including the Digital Services Act, GDPR and AI Act.

The report also urges the EU to close legislative gaps on child sexual abuse online by adopting permanent obligations requiring providers to prevent, detect, report and block abuse, including in interpersonal communications.

Beyond restrictions, the report emphasises digital empowerment through stronger media literacy for children, parents, teachers and caregivers, greater participation by young people in policymaking, improved parental guidance, increased support for civil society organisations and helplines, and more investment in offline activities such as sports, arts and youth spaces.

The report concludes that protecting children online requires an ecosystem-wide approach involving regulators, digital service providers, educators, parents, caregivers and children themselves. It argues that children’s rights should apply online just as they do offline, balancing protection with opportunities to learn, participate and communicate.

Why does it matter?

The report could significantly influence future EU policy on children’s access to digital services, platform design and online safety. By recommending a default restriction for children under 13 and placing responsibility on providers to demonstrate that their services are safe, it shifts the debate away from parental responsibility towards platform accountability.

Although the recommendations are not legally binding, they are likely to inform future discussions on the Digital Services Act, the AI Act and wider EU child protection policies. If adopted, they could reshape how online platforms design services for younger users across Europe.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

CISA shares lessons from GitHub credential exposure

CISA has published details of an internal CISA incident response triggered after an investigative reporter alerted the agency to Amazon AWS GovCloud keys and other internal information exposed in a public GitHub repository.

The agency said the information was identified by a security researcher whose company continuously scans public code repositories. The repository was not part of CISA’s official GitHub environment but belonged to a contractor’s personal GitHub account.

According to CISA, its Office of the Chief Information Officer immediately took the repository offline and preserved it for forensic analysis. The agency also suspended its development environment, reset affected credentials and revoked the contractor’s system access.

The investigation found that the contractor had uploaded copies of a CISA build and deployment repository to a personal GitHub account while attempting to build cloud infrastructure independently. The repository contained infrastructure-as-code, build scripts, administrator credentials and build credentials.

Forensic analysis found no evidence that the exposed credentials had been used outside CISA environments and no customer or mission data was compromised.

CISA subsequently rotated all credentials associated with environments where the contractor had administrator privileges, expanded repository allow and deny lists, and restricted users’ ability to upload code to public repositories before restoring the development environment.

The agency said the incident reinforced the value of taking external vulnerability reports seriously, applying Zero Trust principles to development environments and maintaining detailed logging that enabled rapid investigation.

It also identified several areas for improvement, including stricter controls over public repositories, better secrets detection, clearer GitHub and cloud incident response playbooks, simpler reporting channels for security researchers, stronger development environment guardrails and more mature cryptographic key management.

CISA also said organisations should maintain clear reporting channels for incidents affecting their own environments and publish reporting instructions in multiple locations rather than relying solely on a security.txt file.

The agency said publishing its own incident response experience is intended to help other organisations strengthen their security practices and improve preparedness for similar incidents.

Why does it matter?

The incident illustrates how easily sensitive credentials can be exposed through routine developer workflows and personal code repositories, even within organisations responsible for cybersecurity. It also highlights the importance of rapid detection, credential rotation and strong access controls when managing cloud infrastructure.

By publicly documenting both its response and the lessons learned, CISA is encouraging organisations to treat incident reporting, secrets management, Zero Trust architecture and developer governance as integral parts of software security rather than afterthoughts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom fines adult platform over Online Safety Act age check failures

The UK communications regulator, Ofcom, has fined the operator of Fapello.com £630,000 for breaching the Online Safety Act, marking one of its most significant enforcement actions under the new regime.

The penalty includes £600,000 for failing to implement legally required age assurance measures to prevent children from accessing pornographic content, and a further £30,000 for failing to comply with a legally binding information request. Following Ofcom’s action, Fapello.com geoblocked users in the UK, although the regulator said it will continue monitoring compliance.

Ofcom also confirmed it has opened a new investigation into Bit Hive, operator of Eporner.com, to assess whether its age verification measures meet the Act’s requirement for ‘highly effective’ age assurance.

Separately, the regulator expanded its existing investigation into Kemono.cr to examine whether the platform failed to comply with statutory information requests.

Ofcom said robust age verification is a core requirement of the Online Safety Act and warned that providers failing to implement effective protections or cooperate with regulatory investigations should expect enforcement action, including substantial financial penalties.

The regulator added that it prioritises investigations according to user reach and will continue monitoring compliance across online pornography services.

Why does it matter?

The case demonstrates that the UK’s Online Safety Act has entered a new phase of active enforcement. Rather than focusing solely on guidance and compliance deadlines, Ofcom is now imposing financial penalties and investigating platforms that fail to implement effective child protection measures.

The decision also shows that enforcement extends beyond age verification itself. Companies that fail to cooperate with regulatory investigations or provide required information may face additional sanctions, reinforcing the regulator’s ability to oversee compliance across online platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Commission launches consultation on data sovereignty

The European Commission has launched a targeted consultation on data sovereignty, seeking feedback on challenges affecting EU organisations, cross-border data flows and strategic data dependencies.

The consultation targets stakeholders across the data value chain and a range of economic sectors. It seeks input on data-related dependencies, including barriers to accessing or using data in third countries, obstacles to transferring data into the EU, and risks associated with third-country access to sensitive data.

The European Commission supports the Data Union Strategy adopted in November 2025, which aims to strengthen the EU’s data sovereignty and reinforce its position in international data flows.

The initiative is also linked to the European Tech Sovereignty Package, which covers semiconductors, AI, cloud computing and open-source technologies. According to the Commission, these measures are intended to strengthen Europe’s digital autonomy and support its ambition to become an AI continent.

The consultation will remain open until 8 September 2026 at 23:59 CEST.

Why does it matter?

The consultation reflects the EU’s growing view that data sovereignty is both an economic competitiveness issue and a matter of strategic security. By examining cross-border data flows, third-country access and data dependencies, the Commission is seeking to reduce vulnerabilities while preserving trusted international data exchanges.

The exercise also highlights how data governance is becoming a central pillar of the EU’s broader technology sovereignty agenda. The feedback received could help shape future policies on cloud services, AI, digital infrastructure and international data transfers as Europe seeks to balance openness with greater strategic autonomy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!