In my trade we make a distinction that sounds pedantic until it costs you: the difference between a control and a setting. A control binds. A setting suggests. A firewall rule that drops traffic is a control. A policy document asking staff not to browse certain sites is a setting with a signature on it. I have spent 29 years watching organisations discover the difference the hard way, usually at 3am.

This week the government announced a midnight social media curfew for 16 and 17-year-olds. Instagram, TikTok, YouTube and the rest are to be unavailable by default between midnight and 06:00. Auto-play and infinite scroll are to ship switched off. AI chatbots must nudge under-18s to take breaks. The measures go before Parliament by the end of 2026 and are intended to take effect next spring, alongside the full ban for under-16s announced in June.

And here is the sentence that decides what kind of measure this is: teenagers will be able to opt out of it by changing their account settings.

That is not a curfew. That is a default.

In defence of defaults — briefly

Let me be fair before I am critical, because defaults are not nothing. Most people, most of the time, never change a default — it is the single most reliable finding in behavioural research, and it is why every security hardening guide I have ever written starts with what ships switched on. A 16-year-old who is only mildly attached to the scroll will hit the midnight wall, feel faint relief that the decision was made for them, and go to sleep. For that teenager — and there are many — this policy will genuinely work. Sleep will improve. The government's own trial with 300 teenagers found exactly that.

The trouble is that defaults only hold the unmotivated. And the entire premise of this legislation — the reason it exists at all — is that these platforms are engineered to motivate. We are deploying a control that works on people who don't really need it, against a product designed to create people who do.

Threat modelling the teenager

When I assess a control, the first question is not "does it work?" but "who is it working against?" You then model the adversary: their motivation, their time, their skills, their access.

Now model a 17-year-old. Motivation: high — the thing being restricted is, by the legislation's own argument, addictive. Time: effectively unlimited. Skills: grew up on the platform being restricted. Access: full control of their own account settings, because the law grants it. Cost of circumvention: one toggle, or failing that, a free app.

There is no security engineer alive who would sign off a control with that adversary model and that circumvention cost. We would call it what it is: compliance theatre. One analyst quoted by the BBC called it "a mildly annoying settings prompt with a government press release attached", which is less polite than my version but not less accurate.

We do not have to speculate about what happens next, because we ran this experiment last summer. When the Online Safety Act's age checks for adult content came into force on 25 July 2025, Proton VPN reported a 1,400% surge in UK signups — within hours, and sustained. The age gate did not stop motivated users; it trained a generation in circumvention and handed their traffic to whichever VPN operator bid hardest for the app store ranking. It is trivial to bypass, and everyone under 25 knows it. The government, notably, has decided against restricting VPNs this time — reasonable in itself, whistle-blowers and family privacy are real — but it means the side door is not merely unlocked; it is signposted.

The layer problem

Here is the part of the story that deserved the headline and got a paragraph: the argument about where enforcement should live.

There are three layers you can enforce at. The app layer — each platform implements its own settings, which is what the government has chosen. The network layer — blocking and filtering, which the VPN decision has already conceded. And the device layer — the operating system knows the user's age and enforces it everywhere, which is what Apple has now shipped and what Baroness Kidron and, self-servingly but not wrongly, Meta have both argued for.

Any security architect will tell you which layer wins: the one with the smallest circumvention surface. App-layer enforcement means every platform is its own gate, every gate has its own toggle, and every new platform starts ungated — you are playing whack-a-mole with the entire internet. Device-layer enforcement means one gate, set by a parent at setup, that follows the child into every app and browser. It is not perfect — shared devices, older handsets and determined teenagers remain — but the circumvention cost moves from "one toggle" to "acquire and conceal a second device", which is a real cost, visible to a parent, and precisely the kind of friction that actually changes behaviour.

The government has legislated at the weakest layer and left the strongest to the discretion of two American companies. That is the technical decision buried inside this policy, and almost nobody is talking about it.

Where I land — honestly

I will say plainly what I think, because this is my page and you can disagree with me at the kitchen table. The intent of this law is good. The harms are real; I have written about them at length in this series' predecessors. And if we accept the harm case — which the government evidently does, having banned the platforms outright for under-16s — then I think the honest position is a blanket rule for everyone under 18, enforced at the device layer, stated without apology. Sixteen-year-olds cannot buy alcohol, and we do not ship them a bottle with a "please don't drink until morning" label and a screw cap.

A curfew you can switch off is neither one thing nor the other: it inconveniences the teenagers who least needed protecting, does nothing for those who most did, and lets everyone involved say something was done.

The strongest counter-argument deserves stating properly. Professor Sonia Livingstone points out that a hard curfew could cut off a vulnerable teenager reaching for trusted support in the middle of the night, and she is right that blunt controls have casualties — we learn the same lesson in corporate security every time an over-zealous block stops a responder reaching the tool they need during an incident. The answer there is the same as here: design the exception path deliberately (helplines, support services, messaging carve-outs), rather than making the whole control optional because an exception might one day be needed.

What this series is

What has struck me most, reading the announcement and the reaction, is how little of the argument is about whether any of this can actually be enforced. The questions that decide whether this law means anything are technical, unglamorous, and largely unasked:

And before any of it: what even counts as social media, when the grooming happens in a chat window inside a game the ban list never names? Who receives the enforcement letter when the "platform" is Mastodon — ten thousand federated servers, some run by one volunteer in another country? What happens when the pathway isn't an app at all but Tor or i2p, where there is no operator to compel? What about browser-in-a-browser services, where the "site" a teenager visits is a remote browser rendering the real site from a jurisdiction that has never heard of Ofcom? And what does the short, unhappy history of pornography age verification — trivially bypassed since the day it arrived — predict about all of it?

Each of those gets its own piece. Not to sneer at the law — the intent is right, and I want a version of it that works — but because "how, exactly?" is the question I have asked in every architecture review of my career, and this policy has not yet survived it.

What to do tonight, regardless

None of this waits for Parliament. If you have a teenager: put the phone charger outside the bedroom — a physical control, unbypassed since the invention of the plug. Turn the defaults on yourself the day they ship, and say why out loud; a default a parent has endorsed holds better than one Whitehall set. And have the conversation about why the scroll is engineered to be endless — a teenager who understands the mechanism is better defended than one who is merely fenced. The fences, as we will see over this series, have some remarkable holes in them.

Next in the series: what counts as social media? — why the law names the brands parents can already spell, while the harm follows a function the list forgot.