The UK has finally done something that looks, on its face, like common sense. It has moved beyond the old regime where the law mostly cared after the damage was already done, after the image was shared, after the humiliation had gone viral, after families and careers were torched.

Share

Now, the UK has criminalized the creation of non-consensual “purported intimate images” of adults, meaning AI-generated intimate deepfakes, and it has also criminalized requesting their creation.

Good. Some things really are evil. And non-consensual sexual deepfakes are not “edgy internet culture.” They are a mass-produced form of sexual harassment aimed straight at women, relationships, reputations, and by extension families.

But here is the part you should not sleep through.

The government did not stop at criminalization. It is also building the machinery for “detection,” with the kind of corporate partner that never misses a chance to turn a public panic into a permanent system.

What the law actually targets, and why the details matter

The legal concept is the “purported intimate image.” The UK’s own explanatory notes define it as an image that appears to be, or include, but is not, or is not only, an authentic photo or film of the person, appears to be of an adult, and appears to show them in an “intimate state.”

The offence is not limited to uploading content to public platforms. It targets intentional creation without consent or reasonable belief in consent, with a “reasonable excuse” defense where the burden sits on the defendant. The notes are blunt that the bar should be especially high when the image appears to show sexual activity, and even mention “satire” as an excuse the government expects to fail in practice.

But there’s more.

The offence for requesting creation is written to capture more than a direct message to a specific person. The statutory text includes making a request “so that it is available to one or more persons (or people generally), without directing it to a particular person.”

And the explanatory notes go further. They explicitly say the request offence can apply even if the image is never created, and they give the example of multiple people voting in a poll to request a particular image, with each voter committing the offence.

We are not talking about punishing a distributor. We are not even talking about punishing a creator who posts content. We are talking about criminal liability for the act of requesting, including through broad availability mechanisms, including things like polls.

Maybe you think that is necessary to choke demand. Maybe it is. But it is also a template for something much bigger, because once you criminalize “requesting,” enforcement pressure starts hunting for visibility into conversations, platforms, and private spaces.

That is where “detection frameworks” arrive, smiling politely.

The Microsoft partnership: “standards” are never just standards

Reuters reports that Britain will work with Microsoft, academics, and experts to develop a system to spot deepfakes online and a detection evaluation framework that sets consistent standards.

The UK government’s own announcement says the framework will test detection technologies against real-world threats like sexual abuse, fraud, and impersonation, then use the results to set “clear expectations” for industry.

That phrase, “clear expectations,” is where freedom goes to die.

Expectations become guidance. Guidance becomes compliance. Compliance becomes audits. Audits become reporting pipes. Reporting pipes become a quiet, always-on channel between platforms and authorities.

Leave a comment

Also, note the rhetorical move. The government leans on a scary number, estimating 8,000,000 deepfakes shared in 2025, up from 500,000 in 2023. That kind of statistic is not useless, but it is the classic lever used to justify infrastructure that never shrinks again once it is installed.

And yes, the government is already signaling further bans, including “nudification tools.”

If you are liberty-minded, you already know the pattern. The initial target is real. The secondary target is broader control.

The European pattern: “narrow exceptions,” then permanent expansion

If you want to see how this movie usually ends, look at how Europe describes biometric surveillance.

The European Commission’s AI Act FAQ says real-time remote biometric identification in public spaces for law enforcement is prohibited, subject to “narrow exceptions,” then lists categories of serious crime, missing persons, and threat prevention. It also notes that in “urgency,” approval can be requested within 24 hours.

That is the blueprint.

First, you create a moral emergency. Then you carve out exceptions. Then you teach the public to accept those exceptions as normal. Then you discover new emergencies that mysteriously require the same tool.

Deepfake detection frameworks are not facial recognition, but the governance logic is identical. Build the system to “protect women and girls,” then keep the system because it is “too useful” to dismantle.

Fight deepfakes is possible without building a censorship machine

You do not need to choose between doing nothing and letting the state build an internet panopticon.

1) Push provenance, not scanning
The C2PA “Content Credentials” standards are designed to attach tamper-evident provenance to media so people can verify where something came from and how it was edited. This is not magic, and it is voluntary, but it is fundamentally less compatible with mass surveillance than mandatory detection pipelines.

The Content Authenticity Initiative exists to drive adoption of Content Credentials and related provenance tooling across the ecosystem.

2) Keep detection decentralized where possible
If detection tools are needed, the healthiest version is local or organizational, not a single government-blessed choke point. A lot of research and tooling is visible in open repositories and can be studied or run without begging permission.

3) Demand due process in plain terms
Whenever “expected standards” are announced, demand the real protections, not slogans.

• Is there independent authorization for investigative use

• Is there transparency about false positives

• Is there a fast appeal process for takedowns

• Is there an expiry date that actually expires

If the answer is vague, the scope will expand. It always does.

Quick takeaways

The UK’s new offence targets a genuine abuse. The law’s own notes make clear it is meant to capture AI-generated intimate images and even the act of requesting them in broad ways.

But pairing that law with a Microsoft-linked “detection evaluation framework” should set off every alarm bell you own, because “standards” are how emergency measures become permanent infrastructure.

Protect women and families, yes. Punish real offenders, yes. But do not let the same institutions that cannot stop a phone scam build the machinery to inspect everyone’s digital life under the banner of safety.

Explore more from Popular AI:

Start here | Local AI | Fixes & guides | Builds & gear | AI briefing