I have spent six instalments explaining why the government's plan will not do what it promises. That is the easy half. Criticism is cheap, and a security career spent only finding holes produces a particular kind of insufferable person — the one who reviews every design, approves none, and builds nothing. So this part pays the debt the other six ran up: if someone handed me the pen instead of the red ink, what would I actually write?
Here it is, and I will defend it including the parts that will cost me friends on both sides.
First, decide honestly what you are trying to do
Every failed control I have ever reviewed failed first as a goal, not a mechanism. The government's plan is incoherent before it is unenforceable: it bans social media outright for under-16s, then offers 16 and 17-year-olds a curfew they can switch off themselves. Either these products are harmful to minors or they are not. Picking "harmful, but only until you tick a box" is the tell of a policy designed to survive a headline rather than a threat model.
So decide. I think the honest reading of the evidence — the evidence the government itself cites when it bans the platforms for under-16s — supports a single, unembarrassed line: no under-18s on algorithmic social media and stranger-contact platforms, stated plainly, defended openly. Sixteen-year-olds cannot buy alcohol, cannot vote, cannot marry without consequence we've decided they're not ready for. We do not offer them those things with an off-switch. If the harm case is real enough for a ban at 15 years and 364 days, the case does not evaporate the next morning. Draw the line at 18, or admit the line is theatre.
That is the position that will cost me friends on one side. Here is the one that costs me the other.
Second, enforce at the device, because it is the only place the child actually is
Six parts of this series converged on one point, and I did not plan it that way — the writing led me there. Every enforcement layer except one can be interposed, streamed, proxied, federated or offshored around. The VPN moves the location. The browser-in-a-browser moves the whole visitor. Federation removes the operator. Tor removes the address. The destination age check inspects a messenger and builds a honeypot doing it.
There is exactly one inspection point in the entire chain that is unavoidably in the room with the child: the device in their hand. The phone or tablet a parent set up knows whose it is. It sits below the VPN, below the proxy, below the browser — it is the thing all of those run on top of. An age set at the operating-system level, by a parent, at setup, travels with the child into every app, every browser tab, every federated instance and every offshore site, because they all execute on that device. It cannot be laundered by a data centre in Frankfurt, because the check happens before the traffic ever leaves Fife.
This is not science fiction. Apple already ships operating-system-level age signals; the platforms already know how to read them. What is missing is not the technology. It is the political will to put the obligation on the two companies that make the phones — Apple and Google — instead of on ten thousand websites that will never comply. Age assurance belongs at the layer that meets the person, and there is only one of those.
Third, attach the rule to the function, not the brand
The ban lists TikTok, Instagram, Snapchat. It will always be a list, always out of date, always naming the platforms a parent can already spell while the harm sits in a game's chat window the list forgot. Legislating by brand is legislating against last year's internet.
Attach the duty to the function instead: any service that lets an unknown adult initiate private contact with a child, or that algorithmically amplifies content to them, carries the duty — whatever it calls itself, whether it is a social network, a game, a chat feature bolted onto something else, or a thing not yet invented. Roblox stops being "a game, therefore exempt" and becomes "a service where strangers can message children, therefore in scope." The definition writes itself the moment you stop thinking in logos: the duty follows the capability to harm, not the category on the app store.
Fourth — and this is the part the hardliners skip — design the exceptions in
Here is where I part company with the "just ban it all" instinct that my first three points might suggest I share. A control with no relief valve is not strong; it is brittle, and brittle controls fail catastrophically. Professor Livingstone's objection from part one — that a blunt curfew could cut off a vulnerable teenager reaching for help at 3am — is not an argument against the rule. It is a specification for it.
Every serious security control I build has a documented exception path: the break-glass account, the emergency access, the reviewed override. You design them deliberately, in daylight, with logging — precisely so that people don't route around the whole control the moment it becomes inconvenient. The teen internet rules need the same. Helplines, crisis and support services, educational tools, a means for an isolated LGBT teenager or an abused child to reach trusted help — these are carved out by design, not left to the accident of which VPN a child happens to install. A rule that makes the safe exceptions easy is a rule people don't feel compelled to break wholesale. A rule with no exceptions teaches every teenager to become an expert in circumvention, and then they use that expertise on everything.
What this does not fix, stated plainly
Now the honesty tax, because a proposal that only lists its own strengths is a sales pitch, and I have spent six parts objecting to those.
My version does not stop a determined 17-year-old with a second-hand phone the parents never configured. It leans heavily on Apple and Google, concentrating power in two American firms who will not relish the liability. It does nothing about the child whose home has no adult willing or able to set the device up — arguably the child who needs it most, which is the sharpest objection to the whole approach and I will not pretend it away. And device-level enforcement raises real privacy questions of its own: an OS that knows and enforces your age is an OS that knows your age, and that data has its own honeypot risk, smaller than the nationwide ID store of destination checks but not zero.
I offer it not because it is perfect but because it fails better: it protects more children, punishes fewer good actors, builds a smaller honeypot, and — crucially — it is honest about being a floor rather than a wall. Every other option in this series fails worse on every one of those axes. In security you rarely choose the safe option; you choose the least bad one and you say so out loud.
Where the series lands
The thread through all seven parts was never "leave children unprotected." It was the opposite: I want the protection to be real, and real protection starts with refusing to lie about where the line can be held. A curfew you can switch off, a ban a proxy defeats, an age check that inspects a data centre — these are not protection. They are the appearance of protection, and the appearance is worse than nothing, because it lets everyone stop worrying while the harm continues in the chat window nobody's watching.
So the closing argument of the series lands where it opened, and it is aimed at parents rather than Parliament, because Parliament will do what Parliament does. The law will arrive next spring, and it will leak. The controls that actually hold are the ones in your house: the device you configured, the settings you closed, and — worth more than all the legislation combined — the ongoing, unglamorous, slightly awkward conversation with your child about why any of it matters. Governments regulate platforms. Parents raise people. Only one of those has ever reliably kept a child safe, and it was never the one issuing press releases.
This was the constructive close of the argument — but an argument about protecting children owes parents more than a policy it can't pass. So there is one more part. Next: so what do I actually do? — the practical, do-it-this-weekend guide to protecting your own child, whatever Parliament does next spring. The full series is collected here.