Microsoft deepfake protection: what it means for UK users

Microsoft deepfake protection now spans Teams, OneDrive and Xbox via StopNCII. How UK adults and parents can report and remove non-consensual images.

Microsoft deepfake protection moved up a gear on 27 May 2026, when the company said it would expand its detection of known non-consensual intimate imagery (NCII) across consumer services including Teams Free, OneDrive and Xbox, using validated hashes from the UK-run StopNCII.org. Microsoft confirmed the change in a post by Jenny Lay-Flurrie, its vice-president of the Trusted Technology Group, timed to the US Take It Down Act coming into force. For UK adults and parents, the practical question is simpler: if an intimate image of you, real or AI-generated, is circulating online, what can you actually do about it, and how do the law and the platforms now back you up?

Key facts
  • Microsoft is expanding StopNCII.org hash detection to Teams Free, OneDrive and Xbox, and has redesigned its reporting form to cover both real and AI-generated images (Microsoft, 27 May 2026).
  • StopNCII.org is free and run by the Revenge Porn Helpline, part of UK charity SWGfL; it has helped remove over 300,000 images with an over 90% removal rate (StopNCII.org).
  • In England and Wales, sharing intimate images without consent is an offence under the Sexual Offences Act 2003 as amended; a separate offence of creating sexually explicit deepfakes carries up to two years’ custody (gov.uk).
  • Why it matters to UK readers: since 17 March 2025, Ofcom can require platforms to act on illegal content including intimate image abuse, with fines up to £18m or 10% of global turnover.

What Microsoft deepfake protection actually changed in May 2026

The headline is detection at scale. Microsoft says it has expanded its use of validated StopNCII.org hashes across consumer services including Teams Free, OneDrive and Xbox, building on a pilot it began in Bing in September 2024. A hash is a unique digital fingerprint of an image. Once an intimate image has been hashed, platforms can spot copies of it being uploaded again without anyone needing to view the picture itself, which is the point: the system blocks re-sharing while keeping the original out of human hands.

Two other changes matter for ordinary users. Microsoft has rebuilt its global reporting form so it now carries clear options to describe the harm, “including both real and AI-generated images”. That distinction is the whole story of the past two years: synthetic intimate images of real people, produced by so-called nudification apps, are now as much of a problem as leaked photographs. Microsoft says it will accelerate removals and automate where appropriate while keeping human review for reported cases and a route to appeal. It has also partnered with Childnet, a UK online-safety NGO, to create teaching materials aimed at stopping teenagers misusing AI to generate this content in the first place. If you follow Microsoft’s wider AI strategy through our coverage of the Microsoft Work Trend Index 2026, this is the same company arguing that trust has to be engineered in, not bolted on.

How PhotoDNA and StopNCII keep your image on your own device

The technical engine under all of this is PhotoDNA, a Microsoft image-matching technology that has been used against child sexual abuse material for years. Two years ago Microsoft gave StopNCII.org an updated version of PhotoDNA that lets a victim generate the hash of an intimate image without that image ever leaving their device. You select the photo or video on your own phone or laptop, the tool creates the fingerprint locally, and only that fingerprint, not the picture, is shared with StopNCII.org and the participating companies.

That on-device design is the bit worth understanding, because it removes the most frightening part of asking for help: you never have to send your most private images to a stranger or upload them to a website. StopNCII.org is free and operated by the Revenge Porn Helpline, which is part of the UK not-for-profit charity SWGfL. The helpline says it has successfully removed over 300,000 individual non-consensual intimate images from the internet, with an over 90% removal rate. Microsoft is one of a number of technology firms that ingest those hashes, which is what makes the new expansion to Teams Free, OneDrive and Xbox meaningful rather than symbolic. The same privacy-preserving logic underpins a lot of modern platform safety work, including the encryption debates we covered in RCS end-to-end encryption.
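How fingerprint matching of this kind can work, as an added example that is not Microsoft's or StopNCII.org's code: PhotoDNA is proprietary, so a simple difference hash (dHash) stands in for it, and the images, the `HashList` class and the 10-bit match threshold are constructed assumptions. It also shows why a plain SHA-256 would not do the job: a brightened, noisy copy changes the exact hash but still lands on the same perceptual fingerprint.

```python
import hashlib

def make_image(cell):
    """Constructed 72x64 grayscale image: 8x8-pixel blocks valued by cell(row, col)."""
    return [[cell(y // 8, x // 8) for x in range(72)] for y in range(64)]

def reencode(img):
    """Simulate a brightened, slightly noisy copy of the same picture."""
    return [[min(255, p + 10 + (x * 7 + y * 13) % 5 - 2) for x, p in enumerate(row)]
            for y, row in enumerate(img)]

def shrink(img, rows=8, cols=9):
    """Box-average the image down to rows x cols cells."""
    bh, bw = len(img) // rows, len(img[0]) // cols
    return [[sum(img[r * bh + y][c * bw + x] for y in range(bh) for x in range(bw)) / (bh * bw)
             for c in range(cols)] for r in range(rows)]

def dhash(img):
    """64-bit difference hash (stand-in for PhotoDNA): one bit per adjacent cell pair."""
    bits = 0
    for row in shrink(img):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def sha256_of(img):
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def hamming(a, b):
    return bin(a ^ b).count("1")

class HashList:
    """Platform side: stores fingerprints only, never the images themselves."""
    def __init__(self, threshold=10):   # threshold is an assumed tuning value
        self.known, self.threshold = set(), threshold
    def submit(self, fingerprint):
        self.known.add(fingerprint)
    def is_known(self, upload):
        h = dhash(upload)
        return any(hamming(h, k) <= self.threshold for k in self.known)

# Constructed sample data, not real images.
ORIGINAL = make_image(lambda r, c: (37 * r + 91 * c) % 256)
UNRELATED = make_image(lambda r, c: (91 * r + 37 * c + 50) % 256)

if __name__ == "__main__":
    platform = HashList()
    platform.submit(dhash(ORIGINAL))    # only the 64-bit fingerprint leaves the device
    print(platform.is_known(reencode(ORIGINAL)), platform.is_known(UNRELATED))
```

Until `submit` has been called, `is_known` returns False even for the original, which is the gap the article describes later: matching only starts once an image has been fingerprinted.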

Content Credentials and why provenance is the longer game

Detection deals with images that already exist. Provenance tries to make synthetic images legible in the first place. Microsoft attaches Content Credentials, based on the open C2PA standard, to images generated in its own tools such as Bing Image Creator and the AI features in Microsoft 365 Copilot. These credentials are a set of cryptographically signed metadata that record whether a piece of media was generated or edited with AI, and they are designed to travel with the file so that later tampering can be detected.

We would not oversell this. Content Credentials only cover content made with participating tools, and a determined abuser using an unmarked nudification app will not be stamping their output with a tidy provenance record. C2PA is a transparency layer, not a lock. But it does two useful things: it gives platforms, journalists and courts a way to verify whether a Microsoft-generated image is what it claims to be, and it normalises the expectation that AI images should be labelled. For UK readers weighing up which assistant to trust, this provenance work sits alongside the broader comparison we draw in Microsoft Copilot versus Google Gemini and the question of whether you even need a paid tier, which we tackle in our UK view on paid AI subscriptions.

The UK law: the Online Safety Act and the new deepfake offence

The UK legal position is now genuinely protective, and it is worth being precise about it rather than vague. Sharing an intimate image of someone without their consent is a criminal offence in England and Wales under the Sexual Offences Act 2003, following amendments brought in by the Online Safety Act 2023. That covers deepfakes too: a synthetic intimate image of a real person shared without consent is treated as intimate image abuse. The government has gone further and announced a distinct offence of creating a sexually explicit deepfake without consent, which gov.uk says will carry up to two years’ custody, alongside the existing rules on sharing.

The enforcement teeth belong to Ofcom. Since 17 March 2025, online platforms have had a legal duty to protect users from illegal content, and Ofcom has set out codes of practice describing the measures services should take. Ofcom has been explicit that protecting women and girls, who are disproportionately affected by intimate image abuse, is a compliance priority, and it has recommended that certain services use hash-matching technology to stop known non-consensual images being re-uploaded, exactly the mechanism Microsoft and StopNCII rely on. Where a platform fails, Ofcom can impose fines of up to £18m or 10% of qualifying worldwide revenue, whichever is greater. That is the backdrop to Microsoft’s announcement: a company expanding voluntary detection in a market where a UK regulator can now compel it. For the wider regulatory mood, our piece on the CMA’s Google AI search ruling shows how active UK oversight of big tech has become.

The fingerprint of your image is shared with platforms, never the image itself, so asking for help no longer means handing over your most private photos.

How a UK adult or parent reports and removes an image now

If an intimate image of you is online, or you fear it is about to be, there is a clear order of operations. Start with StopNCII.org if you have a copy of the image: create the hash on your own device and submit it, which proactively blocks the image across participating platforms including Microsoft’s. If the image is already posted somewhere specific, report it directly to that service using its NCII reporting route; Microsoft’s redesigned form now lets you flag both real and AI-generated images. For UK adults, the Revenge Porn Helpline (the same charity behind StopNCII) offers free, confidential support and can chase removals on your behalf.

Parents have an extra layer to think about. If the person affected is under 18, the imagery is child sexual abuse material regardless of how it was made, and you should report it to the Internet Watch Foundation and the police rather than treating it as an adult NCII case; Childnet’s materials, which Microsoft helped produce, are aimed squarely at preventing teenagers from generating this content. Keep evidence before anything is taken down: note URLs, take screenshots of the page context (not gratuitous copies of the image), and record dates, because the police and platforms will ask. On the data-protection front, you can also exercise your rights under UK GDPR: where a platform processes your personal data unlawfully, you can complain to the Information Commissioner’s Office, though for live abuse the StopNCII and police routes are faster. If you are setting up family safety more broadly, our guide to WhatsApp and Meta AI privacy settings covers adjacent ground.

Where the tooling still falls short for UK users

It would be naive to treat any of this as solved. Hash-matching only works once an image exists and has been fingerprinted, so the first leak or the first synthetic image always slips through before detection can bite. The reporting and appeal process, however improved, still puts the burden on the victim to find the content and submit it. And the nudification apps doing the most harm operate well outside Microsoft’s ecosystem, often hosted in jurisdictions that ignore UK law entirely, which is why Ofcom enforcement and the new creation offence matter as much as any single company’s tooling.

There is also a transparency gap. Microsoft publishes its NCII commitments and its Content Credentials work, but the public has limited visibility into how often automated removals get it wrong, how fast appeals are resolved, or how many synthetic images its detection actually catches versus misses. We would like to see the kind of regular, audited reporting that Ofcom is now in a position to demand. For context on how seriously Microsoft is investing in its trust and security stack overall, its work on automated defence, summarised in our coverage of Microsoft’s free AI data tooling and the broader Copilot rollout in our M365 Copilot rollout guide, shows a company spending heavily on AI safety infrastructure. The open question is whether that investment reaches victims fast enough.

Our verdict

Our view is that this is a genuine, useful step rather than a press-release gesture. Expanding validated StopNCII hashes to Teams Free, OneDrive and Xbox, building reporting that explicitly covers AI-generated images, and keeping the on-device, image-never-leaves-your-phone design are exactly the right moves, and they land at a moment when UK law finally has both an intimate-image-abuse framework and an Ofcom regulator that can enforce it. UK adults worried about an image should act today: submit to StopNCII.org and call the Revenge Porn Helpline, because those routes work now and are free. Parents of teenagers should treat any under-18 imagery as a police and Internet Watch Foundation matter, not a platform-form matter. What would change our assessment is hard evidence, ideally published and audited, on removal speed and on how much synthetic abuse the detection actually stops. Until then, treat the tooling as a strong safety net, not a guarantee.

Does Microsoft’s NCII detection cover AI-generated deepfakes, not just real photos?

Yes. Microsoft says its redesigned reporting form now includes clear options to describe harm covering both real and AI-generated images, and it ingests hashes from StopNCII.org that can represent synthetic intimate images of a real person. A deepfake intimate image shared without consent is treated as intimate image abuse under UK law, so both the platform tooling and the legal protections apply.

How do I get an intimate image removed in the UK?

If you have a copy, use StopNCII.org: it creates a hash of the image on your own device and shares only that fingerprint with participating platforms including Microsoft, which then block re-uploads. If the image is already posted, report it to that platform directly. The Revenge Porn Helpline, run by UK charity SWGfL, offers free confidential support and can pursue removals for adults.

Is StopNCII.org free, and is it safe to use?

It is completely free and run by the Revenge Porn Helpline, part of the UK not-for-profit charity SWGfL. It is designed so your image never leaves your device: the tool generates a hash locally and only that fingerprint is shared. The helpline reports it has removed over 300,000 images with an over 90% removal rate, so it is both safe and effective.

Is creating a sexually explicit deepfake illegal in the UK?

The UK government has announced a distinct offence of creating a sexually explicit deepfake of an adult without consent, which gov.uk says will carry up to two years’ custody. Sharing an intimate image, including a deepfake, without consent is already an offence in England and Wales under the Sexual Offences Act 2003 as amended by the Online Safety Act 2023.

What can Ofcom do if a platform ignores intimate image abuse?

Since 17 March 2025, platforms have a legal duty to protect users from illegal content, including intimate image abuse. Ofcom can require services to use measures such as hash-matching and can fine companies that fail to comply up to £18m or 10% of qualifying worldwide revenue, whichever is greater. Protecting women and girls online is one of Ofcom’s stated compliance priorities.

What should a parent do if a deepfake of their child is circulating?

Treat it as child sexual abuse material regardless of how it was made. Report it to the Internet Watch Foundation and to the police rather than using an adult NCII form. Preserve evidence such as URLs, dates and screenshots of page context. Childnet, which Microsoft has partnered with, produces educational materials aimed at stopping teenagers creating this content in the first place.

What are Content Credentials and do they stop deepfakes?

Content Credentials are cryptographically signed metadata, based on the open C2PA standard, that Microsoft attaches to images generated by tools such as Bing Image Creator and Microsoft 365 Copilot. They record whether content was made or edited with AI and travel with the file. They help verify authenticity but only cover participating tools, so they make AI images more transparent rather than preventing abuse outright.
