Papers
Topics
Authors
Recent
Search
2000 character limit reached

Children Are Not the Enemy: Child-Fit Security as an Alternative to Bans and Surveillance

Published 16 Jun 2026 in cs.CR, cs.CY, and cs.HC | (2606.17957v1)

Abstract: Digital technologies are now central to children's learning, play, communication, identity formation, and social participation. Yet dominant approaches to children's online safety often rely on containment mechanisms, including bans, age gates, parental controls, monitoring, and screen-time restrictions. These approaches can be useful in specific contexts, but they often frame child protection primarily as a problem of restricting access to systems designed for adults. In this paper, we argue that this framing is inadequate for children's digital lives and insufficient as a security paradigm. We propose Child-fit security, a design paradigm in which technologies likely to be used by children treat a child as legitimate users, not attackers to be excluded, vulnerabilities to be patched, or risks to be managed. In this paradigm, children's wellbeing, development, privacy, safety, agency, and rights become core security requirements. This shifts the focus of protection from apps, accounts, and data to the child-system relationship, which means protecting both the child and their participation. We conceptualise child-fit security, contrast it with containment-oriented approaches, define its core principles, and discuss its implications for security design. We conclude by presenting a research agenda for making child-fit security operational.

Summary

  • The paper introduces Child-Fit Security, reframing child online protection from exclusion to system-level safeguards that support children’s rights and development.
  • It employs empirical critiques of traditional containment models and promotes design principles such as participatory design and developmental appropriateness.
  • The work shifts accountability from users and caregivers to system designers by advocating native security features over reactive controls.

Child-Fit Security: Reframing Online Child Protection Beyond Exclusion

Context and Critique of the Containment Paradigm

Prevailing models in online child protection emphasize containment, characterized by access restrictions, age-based bans, surveillance, and content filtering. These approaches position children as vulnerabilities to be controlled rather than legitimate digital citizens. Regulatory regimes such as COPPA in the US and the proliferation of age verification systems exemplify this orientation. Empirical analysis demonstrates that such interventions frequently shift accountability from system designers to users and caregivers, driving platform responses focused on legal compliance rather than robust, child-centered architectures.

These interventions produce significant side effects: circumvention by minors, privacy-invasive age assurance, weakened security guarantees for all users (notably threats to E2EE in the name of detection), and exacerbation of access inequalities, especially among marginalized or already vulnerable children. Critically, surveillance-driven controls can undermine trust and paradoxically decrease safety by incentivizing unsupervised access to less-regulated environments.

Reconceptualizing Security: Child-Fit Security Paradigm

The paper introduces Child-Fit Security as a design paradigm, which asserts that digital systems likely to be used by children must treat children as legitimate users whose core assets include not just data and account integrity, but privacy, agency, development, identity, and emotional wellbeing (2606.17957). This marks a paradigmatic shift: the focus moves from securing systems against children to securing for children, emphasizing their needs, evolving capacities, and rights as axes of first-order analysis. Figure 1

Figure 1: Six core requirements of Child-Fit Security—rights, wellbeing, development, privacy, safety, agency—proposed as inseparable security properties for systems likely to be used by children.

Central principles include:

  • Legitimacy of child users: Systems must anticipate child users as default, not edge cases.
  • Developmental appropriateness: Protections and affordances must be tailored to stage-appropriate needs, recognizing heterogeneity among children.
  • Agency support: Children should be enabled to make, understand, and reverse choices, with agency accommodated in threat models.
  • Participatory design: Children’s perspectives must directly inform feature design and risk modeling; mechanisms for input and override must be concrete.
  • Rights preservation: Core children’s rights (privacy, autonomy, expression, access, and participation) must be secured, not traded off for convenience or regulatory minimalism.

From Containment to Systemic Protection

The authors articulate operational differences between the containment and Child-Fit paradigms:

  • Threat Modeling: Traditionally, threat modeling frames children as bystanders or even adversaries (e.g., attempting to bypass controls). Child-Fit approaches expand the asset and threat space, making children’s privacy, autonomy, and social relationships explicit targets of protection. They argue for considering design features like recommender systems, adult controls, and exploitative UI patterns as adversarial surfaces. Figure 2

    Figure 2: Rethinking threat modeling to center the child-system relationship, moving beyond technical adversaries to include system features and institutional practices that can produce harm.

  • System-level interventions: Rather than layering reactive controls atop adult-centric designs, systems should architect protection natively, including age-graded affordances, privacy-preserving defaults, developmentally appropriate explanations, and participatory mechanisms for feedback and escalation.
  • Accountability: The burden of ensuring safety is shifted from children, parents, and educators—who are poorly positioned to audit or counteract platform dynamics—to technology designers and providers, who own the system architecture and its consequences.

Implications for Security, Practice, and Research

This reconceptualization broadens the scope of security research by including harms not reducible to external attack—compulsive use as attention capture, algorithmic surfacing of age-inappropriate content, or manipulative UI—as security failures. The approach demands extensions or reinterpretations of threat modeling techniques (e.g., re-framing “information disclosure” to encompass wrongful exposure of identity or developmental vulnerabilities).

Practically, this reframing calls for:

  • Technical standards and APIs supporting child-fit defaults, reporting, and override.
  • Developer support: Concrete templates, test suites, and design patterns to operationalize progressive affordance, participatory input, and bias assessment against extractive models.
  • Empirical methods to rigorously study child-centric risk, resilience, and protective affordance in situ, resisting one-size-fits-all regulatory approaches.
  • Governance and compliance models that reward system-level design for child-fit security rather than checkbox legalism.

Contradictory and Strong Claims

A central, bold claim is that harms traditionally framed as user failures—circumvention, unwitting oversharing, exposure to exploitation—are security failures traceable to the absence of child-centered system architecture. The paper contests the adequacy of exclusion and surveillance, asserting that such measures not only fail to guarantee safety but can amplify risk, marginalize vulnerable groups, and weaken infrastructure-level guarantees.

Future Prospects

The research agenda highlights several open lines: embedding developmental insight into engineering practice, establishing systematic participatory design with minors, and evolving threat modeling to treat children’s developmental needs as core assets. There is a call to develop empirical and design methodologies commensurate with the regulatory momentum toward child protection. Substantial work remains in specifying, prototyping, and evaluating Child-Fit Security mechanisms at platform scale.

Conclusion

The containment model of child digital protection is shown to be technologically naive, empirically ineffective, and ethically problematic. Child-Fit Security reframes child protection as a security engineering challenge, requiring the inclusion of children’s rights, agency, and developmental needs as security properties rather than afterthoughts. This inversion of paradigm has profound implications not only for system architecture, but for the conceptual boundaries of security research itself, opening new trajectories for theory, technical design, and policy (2606.17957).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.