Add pillar articles: parental controls guide + layers of protection (EN/DE/FR)

Two more evergreen parent-intent pillars: - Parental controls 2026 practical guide: layered comparison of Screen Time / Family Link / router DNS / VPN DNS with honest trade-offs - Seven layers of online protection: ISP → router → VPN → OS → OS plugins → browser plugins → in-app, framing VPN as the load-bearing layer that travels with the device All three languages share translationKey for hreflang. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 09:19:07 +03:00
parent 6cd3fabd0b
commit f2aa8c0cec
6 changed files with 702 additions and 0 deletions
--- a/content/en/layers-of-online-protection-why-vpn-matters.md
+++ b/content/en/layers-of-online-protection-why-vpn-matters.md
@@ -0,0 +1,152 @@
+---
+title: "The Seven Layers of Online Protection — and Why a VPN Is the One You Cannot Skip"
+date: 2026-04-14
+description: "From your internet provider down to in-app settings, there are seven layers where a child's online safety can be enforced. Here is what each one does, what it misses, and why a family VPN is the layer that holds the others together."
+tags: ["parental controls", "VPN", "DNS filtering", "router", "browser extensions", "Screen Time", "defence in depth"]
+categories: ["safety"]
+author: "Agiliton"
+slug: "layers-of-online-protection-why-vpn-matters"
+translationKey: "layers-of-protection"
+---
+
+Online safety is not a switch. It is a stack of seven layers, each covering something the others don't. When parents struggle, it is almost always because they have set up one or two layers and assumed that was enough. It never is.
+
+This article walks through all seven — from your internet provider right down to the settings inside individual apps — explains what each actually blocks, and shows why a family VPN is the layer that stops the others from leaking.
+
+## Layer 1 — The Internet Service Provider
+
+Your ISP (Deutsche Telekom, Vodafone, Orange, BT, Comcast) sits between your house and the wider internet. Most major ISPs offer a "family filter" or "safe surf" option that you can enable in your customer portal.
+
+**What it does:** DNS-level category filtering applied to your home internet connection.
+
+**What it misses:**
+- Only the connection from that one subscription — not mobile data, not when your child is at a friend's house.
+- Most ISP filters are coarse, infrequently updated, and easy to bypass by switching DNS to `8.8.8.8`.
+- Nothing is blocked on cellular data, even if the phone is on the same household.
+
+**Verdict:** Turn it on if you have it. Don't rely on it.
+
+## Layer 2 — The Router
+
+Your home router is the first device in your house that every other device goes through. Modern routers (FRITZ!Box, AVM, eero, ASUS, Unifi) let you set custom DNS servers — like Cloudflare `1.1.1.3`, NextDNS, or Quad9 — and some even let you apply different rules per device.
+
+**What it does:** Enforces DNS filtering for every device on the home Wi-Fi, including smart TVs, gaming consoles, and friends' phones when they visit.
+
+**What it misses:**
+- Leaves your house with the device. Mobile data, school Wi-Fi, coffee shops — all unfiltered.
+- A child who installs a VPN app or changes DNS on the device itself bypasses the router entirely.
+- Cannot enforce per-user rules if everyone in the house shares the same Wi-Fi SSID.
+
+**Verdict:** Essential for the home baseline. Cannot protect mobile devices away from home.
+
+## Layer 3 — The VPN with DNS Filtering (The One You Cannot Skip)
+
+A VPN installed on the child's device tunnels all traffic through a filter that travels with the device — at home, on mobile data, on school Wi-Fi, on holiday. This is the layer that makes the others actually hold.
+
+**What it does:**
+- Applies the same curated DNS blocklist on every network the device connects to.
+- Blocks ads, trackers, malware, phishing, and — crucially — full content categories (social media, adult, gambling, dating, gaming).
+- In a locked-down child profile, cannot be disabled by the child.
+- Works regardless of browser, regardless of app, regardless of which account the child signs into.
+
+**What it misses:**
+- Does not limit time spent in apps that are allowed. You still need Screen Time / Family Link for that.
+- Cannot enforce "bedtime" or "downtime" windows — this is a device-OS job.
+
+**Why this layer matters more than the others:** Every layer above this one either stops at the front door (router, ISP) or can be trivially bypassed inside the device (OS filters, browser plugins). The VPN is the only layer that travels, stays on, and cannot be switched off by a determined child. That's why we call it the layer you cannot skip.
+
+Our own product, [Agiliton VPN](https://go.agiliton.eu/vpn-app), is designed around this role — a per-device, always-on filter with **Child (0-12)** and **Teen (13-17)** profiles that block age-appropriate categories by default.
+
+## Layer 4 — The Operating System
+
+iOS, Android, Windows and macOS all provide system-level parental controls: iOS **Screen Time**, Google **Family Link**, Windows **Family Safety**, macOS **Screen Time**.
+
+**What they do:**
+- Approve app installs
+- Limit daily time per app or app category
+- Restrict communication (who can call, message, FaceTime)
+- Enforce downtime windows (e.g. no apps between 22:00 and 07:00)
+- Block in-app purchases
+
+**What they miss:**
+- Web filtering is weak. Safari's "Limit Adult Websites" is a tiny, easily-bypassed list.
+- No control over network-level traffic — if an app makes a request to a tracker or social-media CDN, the OS doesn't see it.
+- A child with the passcode can change everything. Many parents unknowingly share it.
+
+**Verdict:** Mandatory for daily time limits and downtime. Useless for content-category filtering.
+
+## Layer 5 — OS-Level Plugins and DNS Profiles
+
+On iOS you can install a DNS configuration profile (NextDNS, CleanBrowsing, Agiliton VPN acts similarly). On Android you can set Private DNS in the OS settings. These operate at the OS level without a full VPN.
+
+**What they do:** Lightweight DNS filtering without a VPN tunnel. Applies to all apps.
+
+**What they miss:**
+- Often trivially removable by a child who knows where to look.
+- DNS-only profiles don't encrypt traffic, so some networks (especially schools) may override them.
+- No profile selection by role (child vs. teen) — one-size-fits-all.
+
+**Verdict:** Fine for parents who want a light-touch solution and trust their child. Not robust enough for younger children.
+
+## Layer 6 — Browser Extensions and Plugins
+
+Extensions like uBlock Origin, Privacy Badger, or school-issued content filters run inside the browser.
+
+**What they do:** Block ads, trackers, or listed domains within that browser only.
+
+**What they miss:**
+- Only work in the one browser they're installed in. Child switches to another browser → bypassed.
+- Do not work in apps (TikTok, Instagram, Roblox all operate outside the browser).
+- On mobile, extension support is limited (Safari on iOS supports a few, Chrome Android almost none).
+
+**Verdict:** Useful addition for desktop browsing hygiene. Close to useless as a primary child-safety layer.
+
+## Layer 7 — In-App Settings
+
+Every serious app has its own parental or safety settings: TikTok Family Pairing, Instagram Parental Supervision, YouTube Kids, Roblox Account Restrictions, Discord "Safe Messaging" defaults.
+
+**What they do:** App-specific protections — restricted content modes, communication limits, screen-time nudges within that app.
+
+**What they miss:**
+- Require the child to have an account in that app with the correct age — which, as covered in [our TikTok guide](/en/is-tiktok-safe-for-kids/), children routinely falsify.
+- Apply only to that app. A second account, a different app, or the web version bypasses them.
+- Frequently redesigned; settings that were protective last year may have been quietly removed or defaulted off.
+
+**Verdict:** Worth configuring on every app the child uses. Never a primary layer.
+
+## Why the VPN Is the Load-Bearing Layer
+
+Look at what each layer covers:
+
+| Layer | Home Wi-Fi | Mobile data | School Wi-Fi | Friends' Wi-Fi | In-app traffic | Bypassable by child |
+|---|---|---|---|---|---|---|
+| ISP filter | ✅ | ❌ | ❌ | ❌ | ✅ | Trivially |
+| Router DNS | ✅ | ❌ | ❌ | ❌ | ✅ | With effort |
+| **VPN DNS (child mode)** | ✅ | ✅ | ✅ | ✅ | ✅ | **No** |
+| OS parental controls | ✅ | ✅ | ✅ | ✅ | Partial | With passcode |
+| OS DNS profile | ✅ | ✅ | ✅ | ✅ | ✅ | Often |
+| Browser extension | Browser only | Browser only | Browser only | Browser only | ❌ | Easily |
+| In-app settings | In that app | In that app | In that app | In that app | In that app | Via fake age |
+
+The VPN in child mode is the only row with a tick in every column and a "No" on bypassability. Take it away, and suddenly there is no layer covering mobile data, no layer covering school Wi-Fi, and no layer covering content-category filtering inside apps.
+
+This is not marketing. It is what the layer diagram actually shows when you draw it honestly.
+
+## Our Recommended Stack
+
+For a family with children under 16, run layers **2 + 3 + 4 + 7**:
+
+1. **Router DNS** (Layer 2) — home-network baseline
+2. **Family VPN with child profile** (Layer 3) — the always-on filter that travels
+3. **OS parental controls** (Layer 4) — app approval, time limits, downtime
+4. **In-app settings** (Layer 7) — per-app configuration for whatever your child uses
+
+Skip layers 1, 5 and 6 unless you specifically need them. They are either redundant or not load-bearing.
+
+## Further Reading
+
+- [Parental Controls in 2026: A Practical Guide](/en/parental-controls-2026-practical-guide/)
+- [Is TikTok Safe for My Child?](/en/is-tiktok-safe-for-kids/)
+- [Safe Search and Content Filtering: What Actually Works in 2026](/en/safe-search-content-filtering-2026/)
+
+{{< vpn-cta >}}