Protecting Student Photos from AI Misuse Online
The new risk landscape for student photos in an AI-first internet
A smiling Year 6 sports day photo used to be the safest thing a school could publish. Today, it can be scraped, cloned, and turned into abusive material in minutes - and no school website policy written before 2023 was built for that reality.
Two years ago, the worst-case scenario for a published student photo was a stranger right-clicking and saving it. Now it's industrial-scale scraping, AI training pipelines, and "nudify" tools that can generate a realistic explicit image from an ordinary clothed photo, no technical skill required. The question every school marketer now has to answer isn't "should we stop posting photos?" - it's "how do we keep telling our story without handing attackers the raw material?"
The numbers are no longer abstract. In 2025, the Internet Watch Foundation identified 3,440 AI-generated videos of child sexual abuse - up from just 13 the year before, a 26,362% increase. Nearly two-thirds of that video content was classified at the most severe legal category. Separately, Human Rights Watch has documented how children's personal photos - including identifiable school and family images - have ended up scraped into datasets used to train image-generation models, almost always without anyone's knowledge or consent. This isn't a fringe concern anymore; it's a mainstream safeguarding issue with a paper trail.
And it's not hypothetical for UK schools specifically. In a case reported by The Guardian and confirmed by the Internet Watch Foundation, the National Crime Agency, and the UK's Online Harms Early Warning Working Group, a UK secondary school was targeted by blackmailers who scraped photos from its website, used AI to turn them into abuse material, and threatened to publish it unless a ransom was paid. The IWF assessed around 150 of the resulting images as meeting the legal definition of CSAM and worked with tech platforms to block their spread. Officials involved say it's "only a matter of time" before more schools are targeted the same way.
Here's the part that should sting: any photo sitting on a public page of your website is fair game for this. Bots crawl continuously, follow image folders, and harvest URLs around the clock. Once an image leaves your server, you have no way to see where it goes or what it becomes.
For independent schools, this collides head-on with your admissions strategy. Your website is often a family's first real glimpse of school life, and genuine, joyful photos of students are part of what sells that experience. Strip them out entirely and your site goes flat and generic - which has its own cost at enrolment time. Ignore the risk and you're leaving children exposed to something far worse than a bad photo: sexualised deepfakes, sextortion, and material that can follow a child for years.
There's no single fix here - think in layers instead. At the top is a judgment call: which images should exist publicly at all. Below that sit technical protections on your hosting and CDN. Beneath that, on-page friction that makes casual misuse harder and quietly signals to parents that you take this seriously.
A good starting exercise: build a "reality scorecard" of where student photos currently live - homepage heroes, news stories, sports galleries, PDFs, staff blogs, social feeds. For each, ask three questions. How identifiable is the student? How easily could this page be scraped? Does the story actually need this exact shot, or would a wider crowd shot, a back-of-head angle, or a candid-from-a-distance photo tell it just as well? This isn't about fixing everything at once - it's about knowing where to start.
One more thing worth sitting with: the students themselves already know this is happening. A UK survey of 13–18 year-olds by Girlguiding found that over one in four had seen a sexualised deepfake - of a celebrity, a friend, a teacher, or themselves. Your students are not naive about this risk. Bringing them into the conversation about what feels safe in your visual storytelling isn't just the ethical move - it tends to produce better decisions, and it builds trust in your school's brand rather than eroding it.
Technical protections every school website should put in place
Governance sets the direction; your website's technical setup is what actually stops the scraping. Here's where to focus:
- Manage your bots. Just as Google's crawler indexes your pages for search, AI scrapers are constantly probing for content to harvest. A properly configured web application firewall and bot management layer can tell the difference between bots you want (search engines) and bots you don't, and block or throttle the latter before they touch your image folders. This lives in DNS and hosting settings rather than your CMS - which is exactly why it's overlooked, and exactly why it's high-leverage.
- Lock down your file structure. On too many school sites, you can still browse straight to the image directory and see every photo ever published, neatly listed. Ask your website provider to close direct access to image folders, use signed or time-limited URLs where it makes sense, and block hotlinking - where another site embeds your hosted image directly, quietly using your server as their image host.
- Set deliberate CDN caching rules. Content delivery networks speed up your site by caching images around the world, but that also means copies of sensitive photos can sit in places you don't directly control. Shortening cache expiry on student-heavy pages narrows the window a cached copy can be misused in.
- Publish smaller files. AI training and manipulation tools get better results from high-resolution source images. Capping public-facing photos at sensible web dimensions - instead of the 4K originals your photographer handed over - makes those files meaningfully less useful for scraping, while looking identical to a parent scrolling on their phone.
- Adopt the emerging opt-out standards. AI and search vendors are gradually rolling out signals that say "don't train on this image" - in your robots.txt file and in image metadata via standards like IPTC's provenance fields. These are honour-system tools, but as regulators start expecting "reasonable technical measures," implementing them now puts you ahead of the curve.
- Add friction on the page. Right-click blockers, drag-to-save prevention, subtle watermarks, and hover blur won't stop a screenshot, but they raise the bar for casual misuse - and visibly signal to your community that you take this seriously. Pair this with routine metadata hygiene: strip GPS coordinates and device details before upload.
- Consider geo-blocking your most sensitive content. Early-years galleries or boarding house life may not need to be visible from anywhere in the world. Modern edge platforms can restrict traffic by country or even city. VPNs mean this isn't watertight, and it has to be weighed against international recruitment goals - but as one layer among several, it shrinks your exposure.
Governance, publishing judgment and working with parents
No CDN setting replaces a human decision about what gets published. Every school already has some version of this judgment - a do-not-photograph list, a no-names rule. What's changed is the stakes, which means the policy needs updating, not reinventing.
The shift to make: from "we post nice photos unless someone objects" to "we default to lower-risk images, and every exception needs a clear purpose and a documented consent trail."
- Revise your image policy with the right people in the room - marketing, safeguarding, IT, legal, and student voice where appropriate. Map your real use cases (admissions campaigns, news stories, classroom moments, fixtures, performances, trips) and set risk-based defaults for each: wide shots and back-of-head framing for public pages, close-ups reserved for password-protected areas or printed materials. A short visual guide showing staff the difference between "lower-risk" and "higher-risk" framing does more than a page of policy text.
- Tighten consent and takedown. Parents deserve to understand exactly where images might appear and what the AI-specific risks actually are - not just a single tick-box, but real choices (website vs. social vs. printed prospectus). Just as important: make it fast and easy for a parent to pull consent. An internal SLA - say, flagged images down within 48 hours - does real work for trust, and shrinks the window in which harm can happen.
- Don't skip the conversation with staff, governors, and students. A workshop or webinar that walks through how scraping and deepfakes actually work turns an abstract policy change into something people understand and support. The UK secondary school blackmail case makes this concrete rather than theoretical - when people see it's already happened to a school like theirs, resistance to tighter image rules tends to soften fast.
- Build the check into your workflow, not just your policy document. When someone uploads a new gallery, prompt them to confirm: consent verified, geotags stripped, resolution capped. Run an audit twice a year to catch the legacy galleries, old PDFs, and forgotten microsites that predate your new standard - these are usually where the real exposure hides, quietly, because nobody's looking at them anymore.
- Treat this as a shared problem, not a competitive one. The UK Safer Internet Centre and the Online Harms Early Warning Working Group are actively publishing checklists and incident guidance for education settings, and schools like Loughborough Schools Foundation have already redesigned their sites around these principles. Sharing what you learn with peer schools helps the whole sector move faster than the people trying to exploit it.
You won't eliminate all risk - that's not realistic while your site is public - but you can show your community you're being thoughtful, transparent, and proactive, while still telling the stories that make your school worth choosing.
Want the practical version of this?
We've turned everything above into a simple, actionable checklist your team can run through page by page - no jargon, no 40-page policy document to write from scratch.
Request your free "Keeping Students Safe Online" checklist below: