Study Claims UK Public WiFi Networks Failing Child Safety Standards
A new study from Guest Metrics, which has a vested interest in selling content filtering solutions, claims to have identified “widespread failures in public WiFi compliance” after it identified that 80% of the venues it tested had no content filtering (no age checks, no splash pages, no logging) to protect children from adult content – a key part of the UK government’s new Online Safety Act (2023).
According to the study, many of these networks were powered by BT WiFi and Sky WiFi, which — despite offering filtering capabilities — had not configured or enforced safeguards at the “infrastructure level” (network level). At least one national leisure operator, partnered with a local council, was also found to have a fully open WiFi network in children’s areas. In addition, one venue certified under the “Friendly WiFi” scheme failed to block pornography.
The study doesn’t name and shame any of the venues, but it does go on to claim that public WiFi networks are “increasingly used by offenders to bypass home filtering, remain anonymous, and access illegal material“. For example, it highlights how the Internet Watch Foundation (IWF) reports that offenders actively use public networks to avoid detection, while the UK’s CEOP command (Child Exploitation and Online Protection) lists unfiltered public access points as a known vector for grooming and content access.
Advertisement
J.Robinson, Founder of Guest Metrics, said:
“The venues are at risk, but so are the infrastructure providers. If your WiFi is publicly accessible, unfiltered, and used by children — you’re now legally exposed, whether you’re the venue or the provider.
We’re not just talking about compliance gaps — we’re talking about venues where a child could access Pornhub on their phone in a swimming lesson waiting area.”
The risk here is that, under the new act, operators of such public networks face new responsibilities and requirements to ensure the connectivity they provide keeps to the law. Failing to do so could, at an extreme, result in an Ofcom investigation, as well as the potential for hefty fines (up to £18m or 10% of global annual turnover with larger firms) and reputational harm. But the rules are a bit softer for smaller operators.
However, we had to dig a little bit deeper than the press release in order to discover that this survey was actually based on direct testing of just 32 businesses in Hampshire of various sizes and types (conducted last week), which is a tiny sample size for such claims. But it does still flag up an area that some people may have overlooked, even if a more detailed, extensive and independent study is really required to do this justice.
At the same time we shouldn’t forget that there are also growing concerns about the OSA going too far, particularly with systems like Age Verification, which are being applied to systems and services that extend well beyond the politically promoted areas like pornography (here). Not to mention the data privacy and security implications of all this.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« AssetHUB and ITS Tech Partnership Aims to Boost Fibre Builds in UK Cities
Advertisement
Leave a Reply
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message and display names can be almost anything you like (provided they do not contain offensive language or impersonate a real persons legal name). By clicking to submit a post you agree to storing your entries for comment content, display name, IP and email in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
Whatever the intentions behind it, this act will be shown to completely unworkable in practice. Much of it is just posturing by useless politicians (of all flavours) needing to be seen to be doing something.
I did some digging myself. This company claims to be a limited company but there’s no trace on Companies House. There’s traces online of a failed One Box Media company. There’s a very broad open letter on the Guest Metrics website making unfounded claims that the vast majority of UK retail WiFi is open and unauthenticated which is simply not true. The press release imho is not worth the bandwidth it was sent on.
A quick look at the website would suggest that the provenance of Guest Metrics is quite obscure. I do not think a survey originating from such an organisation can be considered of any value.
I’ve just googled the website address!
“Social WiFi platform that captures guest data, builds loyalty programs, and provides real-time analytics for hospitality venues.”
To clarify — our open letter wasn’t intended to generalise every provider, but to highlight an important regulatory gap: there is currently no consistent enforcement framework for public WiFi safety in environments where children are routinely online.
You’re right that not all UK retail or venue WiFi is open or unauthenticated — and we did find a handful of networks with strong protections in place. In fact, one venue impressed us by actively blocking VPN tunnels, making it far harder for children to bypass filters.
However, in too many locations — including a leisure centre and multiple council buildings — filters were weak or nonexistent, SafeSearch was disabled, VPNs worked freely, and no logging or risk assessment was in place. And while we’re aiming to review many more venues each week and continue publishing our findings, we believe that even one venue exposing a child to harmful content is one too many.
Wouldn’t you agree that the minimum bar should be a uniform, enforceable set of protections where children are likely to use the internet?
We welcome any dialogue around what constitutes a robust, industry-accepted standard — especially as Ofcom’s Codes of Practice evolve in the wake of the Online Safety Act. We’d be happy to collaborate on defining what “good” should look like for public WiFi.
Come on Jonny you were after a bit of free publicity for your business, which, according to your Google results, is basically selling WiFi user’s data so it’s a bit disingenuous trying to paint a horror ‘think of the children’ press release with some horror story you’ve dreamed up about pornhub in swimming pools. Walking down Fareham high street a few times to get a couple of results to fit your narrative definitely does not prove the majority of retail and hospitality access points are freely open and unmonitored as you’ve tried to suggest.
Steve,
We’ve built a DNS safety tool that checks over 300 websites across key content categories. It’s open for anyone to use or test with their own data, and we’re happy to share the full list and scoring logic if you’re curious. This isn’t about fear-mongering — it’s about raising awareness and improving standards across public WiFi networks.
Guest Metrics is a commercial business, yes — but that doesn’t mean we shy away from social responsibility. We want to highlight the lack of basic content controls in place on many networks, especially in spaces used by children.
If that awareness leads to new partnerships with venues that care about protecting their users, all the better. Those are exactly the businesses we want to work with.
Do you know what’s funny? Most people connect to some sort of VPN when on public wifi to secure their connection, so this point is entirely moot
Hi Andrew,
You’re absolutely right — children’s safety is our primary concern, which is why we actively block VPN access to prevent them from bypassing content filters and accessing harmful material.
Public WiFi is also frequently misused for illegal activity, so we go further by isolating every device on the network and applying DNS-based controls, logging, and security policies to protect all users — while ensuring accountability.
Let me know if you’d like a deeper look at how it all works.
Perhaps you should focus on educating parents on how to use the many existing tools available to them instead of trying to emulate China. It is a fact that any device given to a child can be configured to block any content the parents want. If properly configured and secured the child will not be able to install a VPN and will not be able to access any content intended for adults so there is no need to block them at the infrastructure level. There is no need at all for the current extremely harmful “censor it all” by default approach. You lot have got this entirely backwards.
It boggles my mind that you think it’s acceptable, never mind positive, for venues to keep logs! It should be the law that they cannot. Another reason why a VPN is absolutely vital for your own protection on public WiFi and we can be thankful that many of them have had years of experience protecting those living under authoritarian regimes and are able to offer ways around direct blocks. What has this country come to, and more worringly where is it going…
Guest Metrics, bypassing the VPN block is super duper easy and using a VPN on public Wi-Fi is also critical from a user security point of view. This is going to go full circle.
John,
Appreciate the perspective, but it’s worth noting that UK legislation doesn’t just permit logging in some cases — it requires it, particularly for networks that may be used in the course of a criminal investigation or where safeguarding applies.
Under the Investigatory Powers Act 2016, Internet Connection Records (ICRs) — including destination domain-level DNS lookups — can be required to be retained for up to 12 months by telecommunications operators and Internet Service Providers (ISPs), when served with a notice by a relevant authority. While most small venues are not ISPs, those providing managed public internet access (especially to children) could fall under extended obligations, depending on their relationship with the upstream provider or if acting as a communications provider under the Act.
The point of logging — in our case, anonymised DNS resolution and device fingerprinting — isn’t surveillance. It provides a lawful, minimal audit trail to support safeguarding, protect users from harm, and comply with UK Online Safety Act requirements. In certain cases (e.g. access to harmful or illegal material), not having logs could pose a legal or reputational risk for the venue or provider.
Importantly, we do not log personal data or traffic content. Logs are anonymised and focus on category-level resolution activity tied to device fingerprints — not identities. Where identity is collected (e.g. via a captive portal), it’s based on clear consent and subject to GDPR.
So before suggesting that any logging is authoritarian, I’d encourage a look at the UK’s actual legislative requirements — including the Online Safety Act, IPA 2016, and Ofcom’s public WiFi guidance. There’s a significant difference between oppressive surveillance and responsible, legally-informed safeguarding — and what we’re doing is firmly the latter.
The main reason any organisation blocks VPN is so that they can interrogate and harvest data.
Looking on the Guest metrics website it says:
“Marketing Automation
Convert WiFi users into loyal customers with targeted campaigns and messaging”
So it looks as though they are capturing customers data for marketing and messaging.
Appreciate the concern — but I think it’s important to clarify the difference between consented engagement and surveillance.
Yes, Guest Metrics provides WiFi marketing tools for venues — but only for adult users who have explicitly opted in via a splash page. We do not log or profile any marketing data from users identified as children, either through age checks, device classification, or session type. That distinction is built into our platform by design — and frankly, it’s missing from most WiFi deployments today.
In many other venues, children log in using adult credentials or via open access — and are then unknowingly exposed to cookie-based tracking, contextual ad targeting, and even SSAi (server-side ad insertion) frameworks. These systems often collect browsing data or location points without verifying the age of the user — which, under UK law and ICO guidance, is not allowed for users under 13, and heavily restricted for those under 18.
So yes — for adult users, our system allows venues to run compliant, opt-in marketing. But the real issue we’re trying to highlight is much broader: a lack of safe defaults, age checks, or meaningful safeguards on many public networks — especially in spaces frequented by families and children.
And that’s why we built the DNS safety tool in the first place — not to restrict internet access, but to give venues a way to verify whether they’re providing a safe and legally compliant environment for all users.
Happy to go deeper into the tech or regulatory side of this if it’s helpful.
In other news, nobody company from nowhere tries PR stunt. Backfires dramatically. Bystanders giggle, company looks silly. World continues to turn.
Like we said it’s a genuine effort to push for safer, more legally compliant public WiFi environments, especially where children are involved.
Legacy systems and “business as usual” simply don’t cut it anymore under current legislation like OSA. If raising awareness and proposing solutions makes a company “silly,” then perhaps it’s time we all take a closer look at where responsibility lies when something goes wrong.
We’ve started a petition to help modernise open network regulations and remove ambiguity. Public safety especially child safety shouldn’t be something we giggle about.
Happy to continue the conversation constructively if you’re interested. By all means give me a call and we can discuss.
For heaven’s sake, won’t someone think of the children?!!! Jonny you’re the gift that keeps on giving, keep it up!
This should be done by parents at device level not on everyone at access level