Second-Order Thinking: What the UK's Age-Check Law Taught Us About Regulation (and Why It Matters for AI)

In late July 2025, the UK government celebrated as domestic traffic to adult sites halved within days of mandatory age-verification. Yet by August, they'd inadvertently run the country's most successful VPN marketing campaign.

Second-order thinking asks: what new behaviours has this regulation unleashed? The UK's own history provides a cautionary lens.

When Compliance Happens Instantly

• Seat-belts (Jan 1983). Wearing front seat-belts became compulsory. Within days, wearing rates soared from ~30% to over 90%¹.
• Smoke-free England (Jul 2007). Banning indoor smoking took effect. Within a month, compliance hit ~97–98% — nearly universal².
• London Congestion Charge (Feb 2003). Traffic dropped ~15% and congestion ~30% in the first month³.
• Carrier-bag charge (Oct 2015). Tesco reported a 78% drop in single-use bags within the first month⁴.

In all cases, the intended behaviour became easier than resisting; backed by enforcement, friction, or cost.

When the Policy Teaches Resistance

Contrast that with July 2025's age checks. Instead of nudging, the law taught millions a workaround. VPN sign-ups in the UK surged nearly 2,000% within three days of enforcement, and stayed elevated through early August. VPN apps dominated the UK app-store charts⁵.

This wasn't compliance ; it was adaptation through circumvention.

The privacy implications should have been obvious to legislators. Tying official IDs to adult site usage creates an irresistible target for hackers. The Tea dating app breach — stemming from a simple misconfigured cloud storage bucket — exposed intimate user data. Now imagine that vulnerability, but with government-verified identities attached to browsing histories.

The VPN Trade-Off: A Cautionary Paradox

VPNs shift your trust. Instead of your ISP, VPN providers — often overseas and opaque — see your entire browsing activity. Not all earn that trust.

Recall Facebook's acquisition of Onavo (2013). Onavo's VPN, marketed as private, secretly funnelled user traffic to Facebook — enabling the company to monitor app usage and guide acquisitions like WhatsApp. Apple removed Onavo from the iOS App Store in 2018 for violating data collection rules, and Facebook shut it down completely in 2019 after public backlash⁶.

In chasing an inconvenience (age checks), many UK users may have sought refuge behind VPNs — unknowingly giving their browsing to unregulated actors.

The Regulation Trap: Why This Matters for AI

This isn't just about content moderation. The same dynamics are emerging in AI regulation, where the pace of innovation consistently outstrips legislative response.

Regulation, by its nature, addresses yesterday's problems with tomorrow's restrictions. In fast-moving fields, this temporal mismatch becomes critical. The UK's age-verification law tried to solve a 2020s problem with 2010s thinking, not anticipating how normalised VPN usage had become.

Now consider AI regulation:

• The EU's AI Act, effective from August 2024, imposes a risk-based, highly prescriptive framework. Systems are categorised by risk, with outright bans and heavy compliance burdens⁷.
• The US leans towards a principles-based and prohibition-focused approach: instead of outlining what AI must be, it emphasises what it must not do (e.g., no illegal discrimination). This model aims to protect rights whilst preserving innovation flexibility⁸.

The distinction matters. Prescriptive regulation assumes we can predict AI's evolution and preemptively define acceptable forms. But if the UK's experience teaches us anything, it's that technology users are remarkably creative at routing around restrictions. The EU's approach risks creating an innovation exodus whilst failing to achieve its protective goals — the worst of both worlds.

The US approach, by focusing on harms rather than forms, maintains adaptability. It accepts that we cannot predict every AI innovation but can establish clear boundaries around unacceptable outcomes.

Be Careful What You Wish For

Second-order thinking matters because every policy teaches the public something. Seat-belt laws taught safety. Bag charges taught reuse. And the age-verification law taught millions to vanish online.

Whilst the government sought child protection, it ended up:

• Driving mainstream VPN adoption
• Reducing visibility into domestic internet traffic
• Exposing citizens to opaque VPN operators
• Normalising circumvention as standard practice

Final Takeaway

Regulation will always lag innovation — be it content control, data security, or AI. The choice is clear: do we regulate by prescription (defining exactly what systems must do) — or by setting meaningful limits (defining what they absolutely must not do)? The latter enables adaptability and safer innovation.

The UK set out to protect its users online. Instead, it ran a VPN masterclass. In a digital world, second-order thinking isn't optional — it's survival.

Footnotes

1. PACTS (UK, 2003). Seat-belt wearing jumped to >90% after law started 31 Jan 1983. PACTS site. URL: https://www.pacts.org.uk/40-years-of-uk-seatbelt-wearing-saves-thousands-of-lives-2/ ↩
2. Smokefree England (2007). Indoor smoking ban compliance hit ~97–98% within one month. Smokefree England site. URL: https://smokefreeengland.co.uk/media/smokefree-england-one-month-on ↩
3. Transport for London (2003). Congestion Charge cut traffic ~15% and congestion ~30% within the first month. TfL Impacts Monitoring Report. URL: https://content.tfl.gov.uk/impacts-monitoring-report-2.pdf ↩
4. Tesco plc (2015). Carrier charge cut single-use bag use by 78% in first month. Tesco plc news release. URL: https://www.tescoplc.com/plastic-bag-use-slashed-by-nearly-80-since-introduction-of-government-bag-charge/ ↩
5. Top10VPN (2025). UK VPN demand surged +1,327% to +1,987% in first days, remained elevated in early Aug. Top10VPN live tracker & tech press. URL: https://www.top10vpn.com/research/vpn-demand-statistics/ ↩
6. Onavo acquired 2013, used for monitoring competitors. Removed from iOS in 2018, shut down in 2019. Wikipedia / WSJ / TechCrunch. URLs: https://en.wikipedia.org/wiki/Onavo, https://www.wsj.com/articles/facebooks-onavo-gives-social-media-firm-inside-peek-at-rivals-users-1502622003, https://techcrunch.com/2019/02/21/facebook-removes-onavo/ ↩
7. Wikipedia / Regulation of AI. EU AI Act (Regulation 2024/1689) in force 1 Aug 2024: risk-based framework. URL: https://en.wikipedia.org/wiki/Regulation_of_artificial_intelligence ↩
8. Congressional Research Service (2025). US AI regulation focuses on voluntary commitments & limited prohibitions; EU focuses on broader binding regulation. CRS report. URL: https://www.everycrsreport.com/reports/R48555.html ↩