Category: Technology | Published: 2026-05-19
The Moustache Problem No One Predicted
When the UK government introduced the Online Safety Act, the expectation was that platforms would implement age-verification systems robust enough to keep children away from harmful content. What nobody quite anticipated was that children would respond by drawing fake moustaches on their faces with makeup pencils.
According to a new report from Internet Matters, a UK online safety organisation, that is exactly what some children are doing. The organisation surveyed more than 1,200 UK children and parents and found widespread awareness among young people about how to get around online age checks. The fake facial hair method is not a fringe case. Internet Matters reported it as working in multiple instances against facial age-estimation systems.
The finding is striking, but it is really just the most vivid illustration of a deeper problem. Online age checks are not working as well as regulators and platforms need them to.
What The Research Actually Found
The Internet Matters report paints a fairly clear picture of where things currently stand. Among the children surveyed, 46 per cent said they believed online age checks were easy to bypass. Only 17 per cent described them as difficult. Around a third of children admitted to having bypassed age checks themselves.
The methods they used go well beyond novelty tricks with makeup. Children reported entering false dates of birth, using a parent's or sibling's account, uploading photographs of adults, using VPNs to route around geographic or platform restrictions, and in some cases using AI-generated faces or video game character images to fool facial recognition systems.
The parental dimension is also significant. The report found that 26 per cent of parents had either actively helped their child bypass an age check or had knowingly allowed it to happen. That is not a small figure, and it points to a gap between what the law expects platforms to enforce and what many families actually want in practice.
Age verification encounters were common. Around 53 per cent of children reported being asked to verify their age online recently, with checks appearing on platforms including TikTok, YouTube, Instagram, Reddit, Roblox, Discord, and Twitch.
Why Online Age Checks Are Expanding
The push for stronger online age checks in the UK is being driven primarily by the Online Safety Act, which places obligations on platforms to protect children from harmful content, including pornography, graphic violence, self-harm material, and features designed to encourage addictive use patterns.
Ofcom has described the requirement for pornography services as demanding highly effective age assurance, a standard that basic date-of-birth entry clearly does not meet. In response, platforms are deploying a range of more sophisticated approaches, including facial age estimation, government ID document uploads, third-party verification services, and AI-driven behavioural analysis.
Similar regulatory pressure is building in Australia, across the European Union, and in several US states. This is a global trend, and it is accelerating. The question is not whether online age verification will become a standard part of digital life. It is whether the technology can actually deliver on the expectations regulators are placing on it.
How AI Is Being Used For Age Estimation
The industry has moved considerably beyond asking users to type in a birthday. Meta is perhaps the most prominent example of how AI is now being applied to age assurance at scale.
The company has confirmed that it uses AI systems to analyse photos, videos, captions, interactions, and behavioural patterns across Instagram, Facebook, Messenger, and other platforms to estimate whether a user may be younger than they claim. Meta describes its approach as using visual analysis to assess general cues such as bone structure and proportions, while being explicit that this is not facial recognition in the biometric sense.
When the system flags a user as potentially underage, they are moved into stricter Teen Account settings automatically, or their access is suspended pending age verification. The goal is to catch children who have registered with false ages, which is a known and widespread behaviour.
The approach reflects the direction the industry is heading: passive, continuous AI-driven age estimation layered over existing systems rather than a single gate that users pass through once at sign-up.
Why The Technology Still Has Real Limits
The Internet Matters findings are a useful reminder that sophisticated systems and determined workarounds tend to evolve together. Facial age estimation uses probability, not certainty. The output of these systems is a confidence score, not a definitive answer, and that score is affected by lighting, camera quality, image editing, makeup, accessories, and the specific training data the model was built on.
The fact that drawn-on facial hair can affect the output of a facial estimation system reflects a genuine technical vulnerability rather than an absurd edge case. These systems are trained to associate certain visual patterns with certain age ranges. Alter the visual pattern enough and you shift the estimate.
More sophisticated bypass attempts, such as using AI-generated face images or video game avatars, reveal a different kind of vulnerability. When the verification system is presented with an image that was never a real person, but looks plausible enough to the model, the underlying assumption that the system is seeing a genuine face breaks down entirely.
Privacy concerns add another layer of complexity. The Internet Matters report found that both parents and children expressed discomfort about uploading passports, driving licences, or facial scans to third-party verification companies. Those concerns are not unreasonable. Large databases of identity documents and biometric data are attractive targets for cybercriminals, and a breach of a verification provider could expose sensitive personal information at scale.
What This Means For Organisations
For UK businesses operating online platforms, customer portals, or any digital service that touches younger audiences, the regulatory direction is clear. The Online Safety Act is already in force, and Ofcom's enforcement approach is becoming more active. Businesses that collect or process data from younger users, or that provide access to content or services with age restrictions, need to understand what effective age assurance actually requires under current guidance, not just what is technically convenient to implement.
The cybersecurity dimension is equally important. Building age verification into a platform without thinking carefully about what happens to the data it collects is storing up a significant risk. Verification systems that capture biometric data, ID documents, or detailed behavioural profiles need to be governed with the same rigour as any other category of sensitive personal data under UK GDPR. That means clear data minimisation principles, defined retention limits, robust access controls, and a clear understanding of the supply chain risk if third-party verification providers are involved.
The moustache story is funny, and it has rightly attracted attention. But the underlying lesson is a serious one: automated systems that make trust decisions based on probability are vulnerable to manipulation in ways that are difficult to fully anticipate. Combining technical controls with clear governance, appropriate oversight, and realistic expectations about the limits of the technology is how you build something genuinely robust rather than just something that looks compliant on paper.
Data governance and cybersecurity sit at the heart of this challenge, and they are central to the work we do with clients through our cyber security services. If your business handles sensitive user data, operates age-restricted services, or is working through what the Online Safety Act means in practice, getting the right foundations in place now is considerably easier than retrofitting them after an incident.