Skip to main content

Schools Are Removing Student Photos From Websites - AI Sextortion Is Why (2026)

8 min readBy Viallo Team

Quick take: A UK coalition of the NSPCC, National Crime Agency, and Internet Watch Foundation is urging schools to remove student photos from public websites. The reason: criminals are scraping ordinary school photos, running them through AI deepfake tools to manufacture child sexual abuse material, and using the results for sextortion. One English secondary school had 150 manipulated images produced from its website photos alone. Girls account for 94% of victims.

Empty school corridor with blue lockers along the wall, natural light coming through windows at the far end

What happened: UK schools told to pull student photos offline

In May 2026, a coalition of the NSPCC, National Crime Agency, and Internet Watch Foundation issued guidance urging UK schools to review and remove pupil photos from public-facing websites. The advisory was developed with help from the Early Warning Working Group (EWWG), a body that coordinates safeguarding responses across UK institutions.

This isn't a theoretical concern. An English secondary school discovered that 150 manipulated images had been produced from photos publicly available on its website. Criminals downloaded ordinary class photos, sports day pictures, and school event shots - then fed them through AI tools that generated explicit deepfake images of the students.

UK safeguarding minister Jess Phillips called it a "deeply worrying emerging threat." The guidance is clear: if a school photo is publicly accessible, it can be weaponized. The only guaranteed protection is removing the source material entirely.

How the attack works: from school photo to sextortion

The pipeline is disturbingly simple. Criminals use automated scraping tools to harvest images from school websites, which typically have no bot protection or access restrictions. They collect hundreds or thousands of student photos in minutes.

Those photos are then processed through AI deepfake generators - the same class of tools documented in our investigation of nudify apps on app stores. These tools take a clothed photo and generate a synthetic nude that matches the subject's body proportions, skin tone, and facial features. The output is convincing enough to cause real psychological harm.

The manufactured images are then used for sextortion: criminals contact the child directly, show them the fake explicit image, and demand payment - threatening to distribute the image to classmates, teachers, or family if the child doesn't pay. Some never contact the victim at all, instead distributing the material on dark web CSAM forums.

A classroom whiteboard with papers pinned to a bulletin board beside it, desks visible in the foreground, no people present

The numbers: how fast this is growing

The Internet Watch Foundation reported that by November 2025, reports of AI-generated CSAM had more than doubled year over year - from 199 to 426 confirmed cases. That's just what gets reported and verified. The actual volume is almost certainly far larger.

Girls account for 94% of victims in these cases. The targeting is overwhelmingly gendered, and school-age girls are the primary demographic being exploited.

The NSPCC's Report Remove service - which helps under-18s get intimate images taken down from the internet - received 394 reports involving blackmail attempts in 2025. That's a 34% increase compared to 2024. Each report represents a child who discovered that someone was using fabricated intimate images to extort them.

The UK became the first country to ban AI tools specifically designed to generate CSAM in February 2025. But legislation alone hasn't stopped the supply of source material - school websites remain an easy, unprotected target for criminals looking for input photos.

What schools should do right now

The EWWG guidance is specific. Schools should take these steps immediately:

  • Audit all public-facing pages for student photos. This includes the main website, social media accounts, newsletters posted online, and third-party platforms like school event photo galleries.
  • Remove individual student photos where the child is identifiable. Group shots taken from a distance are lower risk, but close-up portraits, team photos, and award ceremony images should come down.
  • Review consent forms. Many schools have blanket photo consent from years ago. Parents who signed those forms never imagined AI deepfake tools - they were consenting to a school newsletter, not to their child's face being publicly available in an era of synthetic CSAM.
  • Switch to access-controlled sharing. Schools still need to share event photos with parents. The answer isn't to stop photographing school life - it's to share those photos through private, access-controlled channels instead of public websites.
  • Train staff on the threat. Teachers and administrators uploading photos to school websites need to understand why this matters. A single teacher posting class photos to a public Facebook page creates the same exposure as the school website.

What parents should do

Don't wait for your child's school to act. You can take steps now to reduce your family's exposure.

  • Ask your school about their photo policy. Find out what photos of your child are publicly accessible and request removal of any you're uncomfortable with. Under GDPR, schools must comply with image withdrawal requests.
  • Revoke blanket consent. If you previously gave open-ended permission for your child's image to be used, you can revoke it at any time. Be specific: consent to appear in a password-protected parent portal is different from consent to appear on a public website.
  • Audit your own posting habits. School photos aren't just on school websites. Every time you share a school event photo publicly on Facebook or Instagram, you're creating the same risk. Our guide to sharenting covers this in detail.
  • Talk to your children. Older children need to understand that photos they post publicly - including on TikTok, Snapchat, and Instagram - can be scraped and manipulated. This isn't about fear - it's about informed choices.
  • Know where to report. If your child receives a sextortion attempt, contact the police and the NSPCC's Report Remove service. Don't pay. Don't engage with the blackmailer. Report immediately.

How to protect children's photos in 2026

The pattern is clear. Publicly available photos of children are being weaponized through AI tools. The platforms where most people share family photos - Facebook, Instagram, Google Photos shared links - weren't designed with this threat model in mind. Facebook's default album sharing is set to "Friends" but that still means hundreds of people have access. Google Photos shared albums can be forwarded indefinitely.

The shift we're seeing - from schools, from safeguarding bodies, from parents who've been through sextortion attempts - is toward private-by-default photo sharing. Not social media posts that happen to be set to "private." Actually private platforms where photos aren't indexed, aren't scrapable, and aren't accessible without explicit authorization.

This is the problem Viallo was built to solve. It's a private photo sharing platform where photos are shared through access-controlled links, never indexed by search engines, and never used to train AI models. When you share school photos through Viallo, the only people who see them are the people you specifically choose.

The difference matters because of how scraping works. Bots that harvest images from school websites and social media rely on photos being publicly addressable - accessible via a URL without authentication. Private sharing platforms that require access tokens for every image request make bulk scraping operationally impractical. It's not a theoretical advantage. It's a different architecture that removes the attack surface entirely.

For a deeper look at how deepfake protection works at the platform level, see our deepfake photo protection guide.

A parent and child walking together along a tree-lined path, photographed from behind with warm afternoon light

Frequently Asked Questions

Can criminals really make deepfakes from ordinary school photos?

Yes. Modern AI deepfake tools only need a single clear photo of someone's face to generate synthetic explicit images. The photo doesn't need to show anything inappropriate - a standard school portrait or sports day photo provides enough data for these tools to work with. One UK school had 150 manipulated images produced from its website photos.

Is AI-generated CSAM illegal in the UK?

Yes. The UK became the first country to specifically ban AI tools designed to generate CSAM in February 2025. Possessing, distributing, or creating AI-generated child sexual abuse material is a criminal offense under UK law regardless of whether the image depicts a real or fictional child. Creating or possessing such material for the purpose of blackmail adds additional charges.

What should I do if my child is targeted by sextortion?

Do not pay and do not engage with the blackmailer. Contact your local police immediately and report to the NSPCC's Report Remove service, which helps under-18s get intimate images removed from the internet. Save any evidence (screenshots of messages) but do not forward or share the explicit images themselves. Reassure your child that they are not at fault - the criminal is entirely responsible.

Should I withdraw consent for my child's photo to be used by their school?

Consider withdrawing consent for public-facing use (school website, public social media accounts, press releases) while maintaining consent for access-controlled uses (password-protected parent portals, printed materials distributed only to families). Under GDPR, you have the right to withdraw consent at any time and schools must comply. Be specific about which contexts you're withdrawing from.

How does Viallo help schools share photos safely?

Viallo lets schools share event photos through private, access-controlled albums that only authorized parents can view. Photos aren't indexed by search engines, can't be scraped by bots, and each shared link can be revoked at any time. It replaces the public school website gallery with a private channel that keeps student photos off the open internet entirely.

Related articles

Meta Layoffs: What 8,000 Cuts Mean for Your Facebook Photos

Meta is cutting 8,000 jobs while spending $135 billion on AI. The layoffs hit Reality Labs, Facebook social, and operations teams. What this organizational shift means for the billions of photos on Facebook and Instagram.

Read more

AI Image Labeling Laws: Photos Must Carry Digital Watermarks (2026)

Utah and Washington became the first US states to require AI-generated images to carry embedded provenance data. What these new digital watermark laws mean for verifying whether photos are real or AI-generated.

Read more

COPPA 2026: What New Children's Privacy Rules Mean for Photos

COPPA's first major update in 12 years took effect April 22, 2026. New rules protect biometric data, require separate consent for AI training, ban targeted advertising to children by default, and mandate data deletion. Here's what changes for your kids' photos.

Read more