Scanning the Screen
Policy implications of the UK Government's call for device-level scanning to prevent children from creating and sharing intimate images and videos
On 8 June, the UK Government announced its plan to stop children from taking, sharing or viewing nude images. When Home Office Minister Jess Phillips resigned in May of this year, she cited the PM’s indecision on this issue as one factor in her resignation.
The proposal appeared rushed, and many media reports indicated that the PM was pressing ahead quickly with this plan, and a mooted announcement on a “social media ban” next week, ahead of the Makerfield byelection on June 18. An event that may lead to the eventual exit of the PM if Andy Burnham wins the byelection for Labour, and then triggers a leadership election. The PM will also have next week’s G7 Summit on his mind, with children’s safety likely to be on the agenda. Under the French Presidency, the G7 has already released “Common Set of Principles defining a safer and more secure digital space for minors”.
The government’s plan is linked to the consultation, Growing up in the online world: a national conversation, which closed on 26 May. In chapter 2 of the consultation “Interventions for safer, more positive experiences” the Government posed a number of questions about restricting access to services based on features and functionalities. It contained the following:
Ability to send and receive images and videos containing nudity: The creation, possession and sharing of indecent images of children is illegal under UK law. Over 92% of sextortion cases involved recording or sharing content on social media, with teenage males aged 14-17 particularly at risk of this harm. Many platforms already deploy technology to detect the sending and receiving of images containing suspected nudity. In practice, these tools are often used to blur or warn, rather than to block the transmission of illegal content. This detection can occur before a message is sent and does not require access to message content, including in end-to-end encrypted services. The consultation therefore seeks views on whether and how companies should be required to prevent children accessing services which allow the transmission of nude images, rather than relying on voluntary or partial measures.
12. Some online services allow their users to engage with the following functionalities. Do you think these functionalities should be age restricted so that children below a certain age cannot engage with them? (Please select all that apply)
a. Live streaming
b. Ability to send nude images or videos
c. Disappearing content
d. Location sharing
e. Connecting or talking to strangers
f. None of the above
g. Other (please specify)
h. Don’t know/ Prefer not to answer
13. Based on your previous answers, please specify your preferred minimum age for each of the functionalities below:
a. Live streaming
b. Ability to send nude images or videos
c. Disappearing content
d. Location sharing
e. Connecting or talking to strangers
f. None of the above
g. Other (please specify)
14. To what extent do you agree or disagree with the following statement: “Restricting children’s access to these features/ functionalities, would provide for a safer online experience for children”. Features/functionalities include live streaming, the ability to send nude images or videos, disappearing content, location sharing and connecting or talking to strangers.
a. Strongly agree
b. Somewhat agree
c. Neither agree nor disagree
d. Somewhat disagree
e. Strongly disagree
f. Don’t know/ Prefer not to answer
15. What do you think the impacts would be if some online services were required to introduce age restrictions on specific features and functionalities? For example, impacts on the safety and wellbeing of children, or the impact for parents and carers, as well as other users. You could also comment on the impact on all users’ privacy and data or on business costs, revenue, and innovation.
The government have now commenced partial disclosure of the evidence it received from the consultation, only releasing the quantitative data for one small set of questions on parental support for a social media minimum age of 16, which indicated overwhelming support for setting the age of access at 16. Though none of the qualitative responses are referenced (and may not have yet been analysed given the short time that has elapsed since the consultation closed). Overall, 116,211 responses were received.
But crucially for the issue at hand, the responses to the questions about images and videos containing nudity were not disclosed. So we currently have a policy proposal without the consultation evidence to support it. The harms to children being addressed are clearly important and pressing, and such an approach risks legal challenge and failing to do full justice to the concerns raised.
What have the Government proposed?
The Prime Minister said he wanted to ensure that: “Britain is the first country in the world to make it impossible for children to take, share or view nude images”. Firstly, it is relevant to note the use of the term “impossible” - this sets a high expectation that may be very difficult to meet in the complex reality of implementation.
The proposal has not been supported by a full policy paper or draft legislation but we have been provided with this level of detail:
Device providers such as Apple and Google must activate built-in features or implement technical solutions on smartphones and tablets to detect and block nude images for children. The Government also suggests this could be extended to others in the supply chain, such as retailers, but provides no further detail on how this would work.
Adults will still be able to take, share or view nude content through an age verification process.
If companies do not act within 3 months, the government will introduce legislation to compel them to activate the technology. This will include fines for companies. As a last resort, the government is exploring criminal liability for company executives who fail to comply.
The government indicates that existing nudity detection safeguards do not fully address how images are created and shared on cameras, broader apps, third-party messaging services, or search functions. The aim is to block nudity across the whole device by default, so it can only be deactivated via age assurance.
The government cites the example of British safety tech firm SafeToNet as showing this change is already achievable, with software that blocks nude content and prevents images from being taken if the camera detects a child. (To note that their HarmBlock technology only works on Android devices).
Companies must introduce these measures without threatening privacy or collecting any data.
The proposal was also discussed in the House Commons in response to an urgent question from Liberal Democrat MP Munira Wilson. Minister for AI and Online Safety Kanishka Narayan responded for the government but did not provide more detail in his answers, though he did stress the government “wants to work collaboratively with industry to build solutions” and then mentioned the threat of legislation. The vast majority of MPs supported the proposal, with concerns raised about how long it has taken the government to act. The outright opposition came from Suella Braverman from Reform, on the grounds that this will introduce “state-mandated surveillance and digital ID”.
The government’s proposal pivots on the importance of effective age assurance in making this safety-by-default measure work. It is light on technical detail, leaving it to companies to work it out in practice, presumably also recognising that Android phones and iPhones running iOS are architected differently, with Android available on an open-source basis.
It is also unclear how the proposal might apply to devices other than phones and tablets, such as laptops, or to emerging tech like smart glasses.
It is also presumed that Ofcom will enforce the obligations, but this is not spelt out. While the proposal references companies protecting privacy and not collecting data, it makes no reference to compliance with UK data protection law (GDPR) and to the role of the UK DP regulator, the ICO, in overseeing how privacy safeguards are addressed in practice. The government’s approach to privacy is predicated on the basis that, as scanning would take place at the device level, it can remain private. It also neglects to address the safeguards needed to prevent future governments from expanding scanning requirements.
The case for a device-level safety-by-design measure is strong, but the government will ultimately need to address the legitimate questions and implications that arise, particularly if legislation is proposed. Avoiding the questions risks setting back the implementation of urgently needed safeguards.
The evidence supporting the call to action
The evidence cited by the government is stark and clearly makes a case for action:
91% of online child sexual abuse reports recorded in 2024 contained self-generated content from children themselves and the average child now views pornography by age 13. The effects of this can have long lasting impacts on young people’s lives and contributes to abuse in younger relationships, with 39% of teenagers aged 13–17 experiencing emotional or physical abuse from a partner.
Child sexual abuse material and pornography are also increasing misogyny and the normalisation of harmful sexual behaviour. 52% of all child sexual abuse and exploitation cases involve children aged 10–17 offending against other children.
Additionally, we also have 2025 UK evidence cited by NSPPC that the Police recorded 7,263 Sexual Communication with a Child offences in the last year, almost double since the offence came into force in 2017/18.
There is also significant research evidence on the mental health and social impact of nonconsensual sharing of sexual images (NCSSI). For example, a systematic review published by Schmidt et al (researchers at the University of Manchester) found the following:
The findings suggest that NCSSI is associated with negative mental health and social repercussions. Five quantitative studies found evidence suggestive of increased depression, anxiety, and suicidal ideation in young people following NCSSI. The identified qualitative evidence highlighted a range of adverse impacts in the social lives of those affected, including associated bullying, harassment, and victim-blaming attitudes that many individuals face following an experience of NCSSI, which may contribute to a negative sense of self and exacerbate distress.
A further systematic review by Hellevik et al on the outcomes of image-based sexual abuse among young people also provides a similar picture of the harms.:
The findings highlight severe emotional and psychological distress, including fear, anxiety, depression, and suicidal ideation. Social repercussions such as bullying, ostracization, and victim-blaming further exacerbate these impacts. Additionally, IBSA is associated with significant disruptions in educational and occupational trajectories, with victims reporting school relocation and/or job loss. These outcomes underscore the parallels between IBSA and physical sexual abuse, emphasizing the need for targeted prevention strategies, improved legal frameworks, and informed victim support services…
What has the reaction been?
The government have cited support from important organisations who are close to evidence and see the harms at first hand, such as the Internet Watch Foundation, the NSPCC and the UK Safer Internet Centre. Civil Society groups such as the Molly Rose Foundation have also welcomed the proposal.
The companies themselves have been fairly circumspect in their response, making reference to their ongoing commitments to safety and measures already taken - presumably keeping their powder dry for the meetings with the government to come, and perhaps tactically with an eye to the fact that a major change to the government is on the way if Burnham becomes PM.
Those against the plan present it as “surveillance by default” and warn that it risks setting a precedent that future governments could use to extend surveillance into harmful and intrusive areas. Legitimate questions that will clearly need to be addressed, but often fail to recognise the role devices play in image-based abuse.
Messaging app provider Signal has been highly critical, issuing a statement titled “Surveillance Is Not Safety.” They argue the proposal “will not safeguard children. It endangers us all, whilst strengthening Apple, Google, and Microsoft’s market dominance…Forcing all UK residents to prove their age and/or have all their content scanned, simply to exercise their fundamental right to communicate, is a perilous proposition”. It is hard to accept the binary position of Signal, which seems to reject that devices and apps play any role in the harms caused by intimate image abuse; they simply point to the need for education, harms caused by government cuts and grooming gangs.
The Open Rights Group also warns: “Scanning tech would turn every phone into a surveillance device. Ministers may claim this is to stop children sharing intimate images. But it means forcing every adult through a digital ID checkpoint and scanning all private images by default. Once the infrastructure is in place, it will be expanded. It would award every future UK government and every tyranny across the globe a mechanism to pre-censor everything anyone does with their phone.”
The issues raised by the UK government’s proposal have strong echoes of the ongoing debate that has been running for many years about client-side scanning (CSS) and proposals to use it to detect child sex abuse material (CSAM) on mobile devices. Key drivers in the debate about CSS have been the May 2022 European Commission proposal for a regulation on the detection of CSAM and Apple’s August 2021 plan to scan photos that users stored in iCloud for CSAM, though this was subsequently withdrawn in 2022 after a major debate about privacy and security implications for device-level encryption, despite Apple’s proposed safeguards. The policy and technical issues surrounding CSS are well laid out in this 2024 article by Abelson et al. Bugs in our pockets: the risks of client-side scanning. Though some concerns regarding CSS for CSAM differ from the government’s current proposal, the proposed CSS systems would alert law enforcement to content, whereas the proposal in question would merely blur it without reporting.
Finally, it is well worth reading this thoughtful piece on LinkedIn from Alexander Martin, UK Editor at The Record, which offers a critique of the government’s approach and its critics.
How would data protection law apply?
Whether specific legislation is passed or not to compel the companies to introduce these safeguards, there is still the question of whether data protection law (UK GDPR) would apply to the data processing that would take place. As inmate images are involved, it is clear that personal data is processed, though privacy-preserving measures should be possible to ensure that all the processing takes place on the device. The question then arises whether the companies that add the safeguards would be classed as a “controller” under the GDPR if the data is processed only on the user’s device. The answer to this question is not entirely clear, as it depends on how the safeguards are technically configured and how processing is kept entirely on-device. It could therefore be possible for a company to argue that they do not use or process the data for their own purposes and do not access or see any detail of the content.
An article by Dahi and Corrales Compagnucci sets out the argument that device manufacturers often have sufficient influence over processing to be deemed controllers under the GDPR, even where personal data is processed only on-device, without any direct processing by the manufacturer. This is because device manufacturers may, in certain cases, ‘determine the means and purposes of the processing’ - key criteria for determining whether an entity is a controller under GDPR.
If a company is deemed a controller, then it would need to comply with the full suite of obligations under GDPR, including identifying a lawful basis under Article 6. This is more complex for a company if it is doing this of its own accord than if legislation compels it to do so. The former would probably point the company to consider the Article 6 condition that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, but then balanced against the interests of the individuals whose personal data is being processed. Alternatively, Article 6 also offers a condition that processing is necessary for compliance with a legal obligation to which the controller is subject. You can therefore see, from a data protection perspective, that legislation provides a more straightforward route to compliance, though the controller will still need to determine what is necessary and proportionate, depending on how much guidance the legislation provides.
Therefore, the position of the ICO, the UK data protection regulator, on how the proposal should be approached from a data protection and privacy perspective is also a key consideration in implementing the government’s plans.
The ICO also previously set out a Framework for Analysing End-to-End Encryption in an Online Safety Context in 2021. This framework sought to highlight the risks of weakening end-to-end encryption while recognising the value in accelerating innovations that enable the detection of harmful content without compromising privacy.
What are companies doing already?
At present, the solutions focus on the messaging and video-calling services provided by Apple and Google, not third-party apps or the camera.
Apple present device-level processing as a key privacy protection for users of iPhones: “On-device processing allows Apple Intelligence to be aware of your data without collecting your data.”
In April 2026 Apple implemented age assurance for iPhone and iPad users in the UK for specific apps and services. On 8 June, Apple also announced a suite of new safeguards for child accounts, including protections to blur gore or violent content when detected in shared images or videos via iMessage and FaceTime, alongside the existing protections that blur intimate images.
On Android Google messages have sensitive content warnings that can:
Detect and blur images that may contain nudity in Google Messages
Trigger a warning if you try to receive, send, or forward a nude image.
Provide resources for you to get help when you receive this type of content.
Writing in The New Scientist, Chris Stokel-Walker notes that there are also “questions about whether Apple’s current Sensitive Content Warning system could be used on all devices. It requires phones to be updated to iOS 17 or later – something that around 10 per cent of devices currently in use worldwide don’t have. Google’s equivalent is available only on Android 9 devices or later, meaning around 5 per cent of devices worldwide couldn’t use it. While specific UK figures aren’t available, this could amount to millions of devices.”
The position on Android may also be more complex, as its open-source basis also means there could be greater risks of third-party software add-ons that provide a workaround.
What could happen next?
Affected companies may launch a judicial review (JR). A published plan (with a threat of legislation) could be viewed as government policy that impacts individual rights and is therefore susceptible to JR (See more: Can the Courts Hold the Government to the Word of a Policy?). The courts can overturn secondary legislation, made by ministers, but not primary legislation. A JR could focus on whether there was effective consideration of proportionality, privacy, and security risks. A JR may be more likely when there is a more detailed formulation of the policy decision, including a white paper or draft regulations. The bar for a successful JR requires proving that a public body’s decision or action was unlawful, irrational, or procedurally unfair -courts do not assess the merits of the decision itself. So this would not be a straightforward task but the government’s process so far opens up this.
If legislation is brought forward, it would allow for a Parliamentary debate on how the proposal should work in practice, long-term enforcement and oversight, what effectiveness looks like, what safeguards are needed to address privacy and security concerns, and the risk of intrusive extension by future governments. The legislation would also require a statement on compatibility with the Human Rights Convention. Though concerns could be raised if the government sought to do this through secondary rather than primary legislation, which would entail much less debate. The Hansard Society have already set out its concerns about consigning changes to online safety law to delegated legislation, following the recent late-stage government amendments to the Crime and Policing Bill and the Children’s Wellbeing and Schools Bill. These changes would allow the government to swiftly implement the response to the consultation using secondary legislation in the form of regulations.
Final thoughts
The evidence of the growing harms to children from intimate image sharing is significant, growing, and cannot be ignored. A safety-by-design solution that protects children from this conduct at the device level can be an important step forward in reducing that risk. It is therefore right that the proposal is on the table. We cannot see it as a silver bullet, as age assurance will never work 100% of the time and devices other than mobiles and tablets could still be used.
Adherence to the new ISO 27566 standard for age assurance and vigilance in auditing how solutions meet Ofcom’s age assurance criteria of “technically accurate, robust, reliable, and fair”, including privacy, could create an age assurance system that serves as an effective gateway to applying the safeguards. There is a need for greater clarity on what these criteria mean in practice, e.g., how to quantify accuracy within a range.
We also need to guard against a techno-solutionist mindset that sees a simple solution. The proposed safeguards should be delivered as part of a connected suite of policies that also address education, social policy, and law enforcement.
There are many questions about how solutions for detecting and blurring/blocking images will work in practice, including with third-party applications. Without seeing the details, the risks to privacy and security can only be debated at a high level.
There is also a policy question about whether the solutions are best provided voluntarily through discussions between the government and companies, thereby sidestepping the issues of state-mandated device scanning and future legal precedent. Or whether the issues are so significant that legislation should be in place to ensure effective oversight, that the protections work in practice, and that key guardrails are in place to protect privacy, and ultimately Parliament considers and decides on how to address the precedent this may set.
A messy policy approach that also lacks foresight could undermine the action so many seek to protect children online.