Research by Internet Matters published this week found that 32% of UK children have successfully bypassed age verification measures introduced under the Online Safety Act, with methods ranging from fake birthdates and shared logins to, in at least one documented case, a 12-year-old drawing a moustache on his face with an eyebrow pencil and being verified by facial estimation software as 15 years old.
The moustache story is funny precisely because it should not be. The Online Safety Act came into force in the UK in July 2025 and mandated that pornographic sites, social media platforms, and online services likely to be accessed by minors implement age verification before granting access. Ofcom, the regulator enforcing it, explicitly approved facial age estimation, digital identification, and one-time photo matching as acceptable compliance methods and described self-declaration as easily bypassed and ineffective. The regulatory logic was that upgrading from birthday fields to biometric estimation would raise the bar high enough to matter. A 12-year-old with an eyebrow pencil has provided empirical evidence that the bar remains low enough for children to clear with craft supplies.
The broader numbers make the anecdote less exceptional than it appears. Internet Matters surveyed 1,000 UK children and found 46% believe age checks are easy to bypass, and 32% admit to having done so in the past two months. One in six parents, 16%, have actively helped their children circumvent age checks. VPN downloads in the UK spiked immediately following the Online Safety Act enforcement date, becoming the most downloaded application category on the Apple App Store. Childnet reported increased VPN usage among children in the three months immediately following enforcement, which is precisely the age group the legislation was designed to protect. The Ofcom-mandated infrastructure went live, children and parents adapted, and the bypass rate settled at roughly a third of the target population. That is not a compliance story. It is a circumvention story dressed in compliance language.
For founders and investors in age verification technology, the liability question that emerges from this data is specific and uncomfortable. Age assurance startups are selling two things simultaneously: a technical product that performs probabilistic age estimation, and a regulatory shield that allows platform operators to demonstrate compliance with the Online Safety Act and equivalent legislation. The regulatory shield has commercial value because it protects platforms from Ofcom enforcement action. But if the technical product is defeated by 32% of the children it is supposed to gate, the shield and the product are performing different functions. A platform that deploys Ofcom-approved facial estimation, suffers a harm incident involving a minor who bypassed that system with a costume-level disguise, and then faces a negligence claim is in a complicated position. It complied with the regulation. The regulation turned out to be insufficient. The question of who bears that liability, the platform that deployed the compliant technology, the regulator that approved a method demonstrably defeatable by a child with cosmetics, or the age verification startup that sold the product as fit for purpose, has not been tested in UK courts yet. It will be.
The comparison across verification methods is worth making precisely because regulators have approved all of them and treated them as roughly equivalent compliance pathways. Document-based verification, matching a submitted identity document against facial imagery, is more robust against the moustache attack but creates a privacy architecture where a startup holds copies of children's identity documents or biometric data for compliance purposes, a tradeoff that the ICO has already flagged as creating separate data protection risks. VPN workarounds bypass all methods simultaneously, because they operate at the network routing layer rather than the identity layer. Shared account access bypasses facial estimation and document checks equally, because the person completing the verification is an adult. The fundamental problem with the current UK age assurance framework is not that any individual method is technically inadequate. It is that motivated circumvention has multiple vectors, and a regulatory framework that requires passing any single check allows the motivated user to route around whichever check is most convenient.
The startup opportunity that this data actually describes is not better facial estimation for the 32% who are actively bypassing. It is friction-aware risk scoring that combines signals across multiple dimensions, device patterns, behavioral indicators, session timing, account history, and identity verification status, rather than treating age assurance as a binary gate that a single check either passes or fails. That is a harder product to build, a harder product to sell to a compliance team that wants a checkbox rather than a probabilistic model, and a harder product to regulate because it operates on continuous inference rather than discrete pass and fail outcomes. It is also more technically accurate to the actual problem, which is probabilistic risk management rather than identity verification. The companies building in this direction are solving the right problem. The companies selling biometric gates as compliance solutions while a third of children defeat them with eyebrow pencils are selling something else.
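The contrast drawn above between a single binary gate and combined risk scoring can be sketched as follows. This is an added illustration, not code from the article or from any vendor: the signal names, weights, base rate, thresholds and the 13-year cutoff are all constructed assumptions, and the signals are treated as independent.

```python
import math

# Constructed log-likelihood ratios: positive values are evidence the user is
# under age, negative values evidence of an adult. Illustrative, uncalibrated.
LLR = {
    "face_estimate_near_threshold": 1.2,   # estimate within a few years of the cutoff
    "device_has_child_profile": 1.5,       # device pattern
    "sessions_cluster_after_school": 0.8,  # session timing
    "account_under_30_days_old": 0.6,      # account history
    "account_document_verified": -2.5,     # identity verification status
}
PRIOR_LOG_ODDS = math.log(0.2 / 0.8)       # assumed 20% base rate of minors


def binary_gate(estimated_age: float, min_age: int) -> str:
    """Single-check gate: one facial estimate decides the outcome."""
    return "allow" if estimated_age >= min_age else "deny"


def underage_probability(signals: set) -> float:
    """Naive-Bayes fusion: add the log-odds of every observed signal."""
    log_odds = PRIOR_LOG_ODDS + sum(LLR[s] for s in signals)
    return 1.0 / (1.0 + math.exp(-log_odds))


def decide(signals: set, allow_below: float = 0.15, deny_above: float = 0.85) -> str:
    """Three outcomes instead of two: uncertain cases get a stronger check."""
    p = underage_probability(signals)
    if p < allow_below:
        return "allow"
    if p > deny_above:
        return "deny"
    return "step_up"


if __name__ == "__main__":
    cases = {
        "face estimate only": {"face_estimate_near_threshold"},
        "face + device + timing": {"face_estimate_near_threshold",
                                   "device_has_child_profile",
                                   "sessions_cluster_after_school"},
        "verified account, adult use": {"account_document_verified"},
        "verified account, child-like use": {"account_document_verified",
                                             "device_has_child_profile",
                                             "sessions_cluster_after_school"},
    }
    print("binary gate, estimate 15 vs cutoff 13:", binary_gate(15.0, 13))
    for name, signals in cases.items():
        print(f"{name}: p={underage_probability(signals):.2f} -> {decide(signals)}")
```

With these constructed weights, a verified account showing child-like device and timing signals lands in the step-up band rather than passing outright, which is the shared-login case a single check cannot see.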
The broader signal for founders building products in regulated markets is that regulatory mandates create revenue opportunities that can decouple from the underlying problem the regulation was designed to solve. Age verification startups have grown because the Online Safety Act created a compliance requirement, not because the technology reliably keeps children off harmful content. When those two things, compliance and efficacy, diverge far enough, the liability exposure eventually forces a reckoning. The moustache data is the reckoning arriving in anecdote form before it arrives in court.