Schools across the UK are being urged to review or remove identifiable photographs of pupils from their websites and social media accounts, following warnings that criminals are using artificial intelligence tools to manipulate those images into child sexual abuse material (CSAM) and then threaten to release it unless a ransom is paid.

The guidance, issued by the UK Online Harms Early Warning Working Group (EWWG), follows a confirmed incident in which an unnamed secondary school was targeted by blackmailers who sourced photographs from the school's own online presence and used AI tools to generate sexually explicit imagery of pupils. Internet Watch Foundation (IWF) analysts assessed approximately 150 images connected to the incident as confirmed CSAM. The images were then converted into digital fingerprints and added to a blocking list shared with technology platforms.

The EWWG - whose members include the National Crime Agency (NCA), the NSPCC, the IWF, Education Scotland, the Welsh Government, the Safeguarding Board for Northern Ireland, and the Lucy Faithfull Foundation - has cautioned that while such incidents are not yet widespread, it considers it "only a matter of time" before more schools are targeted.

Schools are advised that paying a ransom demand may in certain circumstances be unlawful, and are told they should contact police immediately if targeted, preserve any criminal material as evidence, and remove the original images from public view. The IWF can assist by hashing images so that major platforms are prevented from hosting them.

The new guidance suggests that the routine publication of identifiable photographs of pupils on school websites may carry material safeguarding risk that needs to be weighed in any data protection impact assessment.

The EWWG recommends that schools avoid publishing face-on, identifiable images of pupils; consider replacing them with distance shots, blurred images or back-of-head photographs; regularly audit all pupil images published online; and renew image consent agreements with parents and guardians on a frequent basis. Names should not be paired with photographs, and privacy settings should be used to restrict viewing where images are shared. The guidance also notes that adult staff and pupils over 18 are equally vulnerable to being targeted in this way.

Jess Phillips, Minister for Safeguarding and Violence Against Women and Girls, described the threat as "deeply worrying," and confirmed that the government intends to legislate to ban AI tools designed to generate CSAM and to criminalise the sharing of guidance on how to create it.

She indicated the government would "not hesitate to go further if necessary" to keep legislation current with emerging threats.

The EWWG's published checklist for education settings covers the following key actions:

• Review all pupil images currently published on websites and social media
• Consider whether face-on, identifiable images are necessary and replace where possible
• Ensure image consent agreements are current and regularly reviewed
• Do not pair pupils' names with their images
• Apply appropriate privacy settings to any published images
• Establish a clear internal process for responding to blackmail attempts, including immediate police contact and evidence preservation
• Contact the IWF if images need to be blocked from online distribution

The full guidance is published at www.saferinternet.org.uk/guide-and-resource/image-guidance-for-education-settings.
