Institutional Convergence, Memetic Evolution and the New Architecture of Digital Governance. Building on my earlier Age-Gated Internet articles, this essay examines the evidence presented by Mike Benz and Michael Shellenberger and then proposes a broader systems model. Rather than framing online governance as either coincidence or conspiracy, it argues that institutional convergence, memetic evolution, technological change and AI-driven legitimacy pressures are collectively reshaping the internet into an increasingly governed, identity-centric infrastructure.
Executive Summary
The internet is not simply becoming more regulated.
It is being re-architected.
Age assurance is the first highly visible manifestation of a much broader transition in which identity, provenance and trust are becoming foundational components of internet infrastructure rather than optional application features.
This transition is not best explained by either coincidence or grand conspiracy. While documented coordination between governments, platforms and civil society organisations certainly exists, the deeper explanation lies in institutional convergence. Faced with common problems, organisations exposed to similar incentives increasingly arrive at similar architectural solutions. Memetics, institutional isomorphism, commercial incentives, and technological change together create governance architectures that appear centrally designed even when no single actor controls them.
The fundamental driver of this convergence is the arrival of artificial intelligence. As synthetic cognition becomes effectively unlimited, authenticity becomes scarce. When anyone can generate convincing text, images, software or conversation, the economic value shifts from producing information to verifying its origin. Identity, provenance and reputation, therefore, become increasingly valuable, not simply as regulatory tools, but as mechanisms for establishing legitimacy within an environment saturated by synthetic participation.
The resulting identity infrastructure should not automatically be regarded as authoritarian. Democracies require governance, authentication and trust. The important questions concern proportionality, accountability, decentralisation, reversibility and constitutional restraint. The debate is therefore not whether identity should exist, but how identity should be architected to strengthen liberal democratic values rather than quietly undermine them.
Viewed historically, this represents another stage in the long evolution of civilisation. Throughout history, new coordination technologies have repeatedly transformed how societies organise themselves. Artificial intelligence is creating another such transition. The Age-Gated Internet describes what institutions are building. The Web Unbundled explains how ideas propagate. Societal Evolution explains why civilisations repeatedly reorganise themselves. Hard-Wired Wetware explains why artificial intelligence changes the underlying economics of trust. Together, they describe a single transition viewed through different analytical lenses.
Ultimately, this is not an article about age verification.
It is an article about what happens when authenticity becomes the scarcest resource in the digital economy.
Everything else follows from that observation.
Acknowledgements
As with much of this series, this article owes a great deal to countless conversations over the years. In particular, I would like to acknowledge Ian Dunmore, formerly of Public Sector Forums, Simon Freeman, a leading architectural thinker, John Caswell, Founder and CEO of Group Partners, and many others whose questions, perspectives, and brave leadership have influenced my thinking, even where they may not agree with my conclusions.
Contents
- Executive Summary
- Acknowledgements
- Contents
- 0. Precursor: Related Articles in this Series
- 1. Introduction: Neither Coincidence Nor Conspiracy
- 2. The Censorship Industrial Complex
- 3. Memetics, Systems and Convergence
- 3.1 Institutions Do Not Copy Policies. They Copy Successful Solutions.
- 3.2 Memetic Evolution and the Governance Ecosystem
- 3.3 The Unbundled Web and Invisible Propagation
- 3.4 Institutions as Society’s Immune System
- 3.5 Why Institutions Optimise for Different Things
- 3.6 Why Better Technologies Rarely Win
- 3.7 The Missing Economics
- 3.8 Identity Economics
- 3.9 The Adoption and Lock-in Model
- 3.10 Historical Precedents: Identity Has Changed Before
- 4. The Age-Gated Internet
- 5. The Architecture Choices
- 5.1 Could Privacy-Preserving Identity Change This?
- 5.2 The Architecture Is Not the Policy
- 5.3 The Difference Between Architecture and Authoritarianism
- 5.4 Designing Liberal Identity Infrastructure
- 5.5 Remembering Is Easy. Forgetting Is Civilisation.
- 5.6 What Would Falsify This Model?
- 5.7 Liberal Identity Design Principles
- 5.8 Counterarguments and Steelmanning
- 6. Civilisational Implications: Looking Beyond the Age-Gated Internet
- 7. Wrapping Up: Design Principles for the Next Internet
- 8. Conclusion: Surviving the Convergence
- 9. References
0. Precursor: Related Articles in this Series
This article forms part of a broader body of work.
- The Age-Gated Internet: Child Safety, Identity Infrastructure, and the Not So Quiet Re-Architecting of the Web
- The Age-Gated Internet Revisited: Identity, Trust and the Architecture of Control
- The Age-Gated Internet Series
- The Web Unbundled Series
- Societal Evolution Series
- Hard-Wired Wetware, aka the Asymmetric Integration Model (AIM) Series
1. Introduction: Neither Coincidence Nor Conspiracy
My earlier articles argued that age verification was the first large-scale identity attribute to be embedded in internet infrastructure. I still believe that remains true. What I did not fully explain was why so many apparently independent institutions were converging on remarkably similar solutions. That is the question this article attempts to answer.
Across the Western world, remarkably similar ideas are emerging at roughly the same time.
- Age verification.
- Digital identity.
- Online harms.
- Trust and Safety.
- Counter-disinformation.
- Resilience frameworks.
- Duty-of-care legislation.
- AI safety governance.
- Algorithmic moderation.
- Platform accountability.
The language differs slightly from country to country, but the pattern is unmistakable. Governments, regulators, NGOs, academics, think tanks, media organisations and technology companies increasingly converge around the same broad governance instincts.
To critics, this resembles the emergence of what has come to be known as the “Censorship Industrial Complex”. An overlapping ecosystem of institutions attempting to regulate online speech, shape digital behaviour and increasingly manage the informational environment itself.
Investigators such as Mike Benz and Michael Shellenberger have spent years documenting:
- institutional overlaps;
- funding pathways;
- personnel circulation;
- government-platform partnerships;
- NGO involvement;
- and the growth of counter-disinformation infrastructure across the United States and Europe.
Some of this documentation is substantial and deserves serious attention.
At the same time, there is also a danger in collapsing everything into a totalising conspiracy narrative in which every institution becomes merely a puppet of some hidden central authority. That explanation is emotionally satisfying because it simplifies complexity into agency. It creates villains, motives and clear lines of causality.
Reality is usually less cinematic.
The more unsettling possibility may be something else entirely.
Modern societies may no longer require explicit central conspiracies to produce highly coordinated governance outcomes. Instead, highly networked institutional systems, operating under similar incentives, fears, pressures and professional cultures, may naturally drift towards similar solutions.
Not coincidence. Not omnipotent conspiracy. Evolution.
This distinction matters because understanding the difference between:
- documented coordination;
- interpretive inference;
- and speculative extrapolation;
is essential if we want to understand what is actually happening.
The internet may not be becoming governed because someone designed a singular master plan. It may be becoming governed because large-scale digital societies under conditions of memetic acceleration and synthetic informational abundance naturally evolve towards governance-heavy architectures.
That possibility is both less dramatic and considerably more important.
2. The Censorship Industrial Complex
The purpose of this chapter is not to prove a conspiracy, but to distinguish evidence from assumption, correlation from causation, and systems from stories.
The phrase “Censorship Industrial Complex” has become deeply polarising. To some, it describes a documented and expanding ecosystem of governments, NGOs, academics, regulators and technology companies shaping online discourse. To others, it has become little more than a conspiracy label designed to dismiss legitimate attempts to tackle genuine online harms. Before considering either position, it is worth examining what the principal investigators have actually documented, where their evidence is strongest and where interpretation begins.
2.1 Mike Benz and the National Security State Model
Mike Benz presents perhaps the most comprehensive geopolitical interpretation of the modern online governance ecosystem.
His central thesis is relatively straightforward.
The infrastructure now associated with online censorship, moderation and counter-disinformation did not emerge in isolation. According to Benz, it evolved from pre-existing national security, information warfare, and democracy-promotion architectures developed during the post-Cold War period.
In his framing, the early internet was not initially viewed by Western institutions as a threat. Quite the opposite. Internet freedom was actively promoted as an instrument of geopolitical leverage.
Social media and open digital communications were seen as useful tools for:
- destabilising adversarial regimes;
- supporting dissident movements;
- circumventing state-controlled media;
- and facilitating soft power projection.
Benz frequently points to:
- the Arab Spring;
- democracy-promotion initiatives;
- US State Department digital diplomacy programmes;
- and Western enthusiasm for internet-enabled political mobilisation;
as evidence of this earlier paradigm.
In this interpretation, the internet only became a problem once uncontrolled digital speech began destabilising Western institutions themselves.
Benz identifies the post-2014 geopolitical environment as the critical turning point.
- Crimea.
- Ukraine.
- Russian influence fears.
- Brexit.
- Trump.
- European populism.
- Migration crises.
- The declining authority of legacy media.
These developments, in his view, triggered a profound institutional shift.
According to Benz, national security institutions increasingly concluded that:
uncontrolled internet speech itself had become a strategic threat.
This is the core of his thesis.
He argues that institutions originally built to:
- counter extremism;
- manage foreign influence operations;
- conduct information warfare;
- and support geopolitical stabilisation;
were gradually repurposed towards domestic informational management.
Benz frequently focuses on organisations such as:
- the Global Engagement Center;
- the Atlantic Council;
- Election Integrity Partnership;
- Stanford Internet Observatory;
- Graphika;
- NewsGuard;
- DHS/CISA;
- NATO-linked strategic communications initiatives;
- and various NGO-government partnerships.
Some of the institutional overlap he identifies is clearly documented.
There is substantial public evidence demonstrating:
- government-platform communication;
- moderation coordination;
- trusted flagger systems;
- NGO involvement in moderation frameworks;
- and the expansion of counter-disinformation ecosystems after 2016.
The Twitter Files strengthened many of these observations by revealing extensive contact between platforms and institutional actors.
At the same time, it is important to distinguish between:
- the existence of institutional overlap;
- and the interpretation placed upon it.
Benz often interprets these developments as evidence of an increasingly integrated political infrastructure aligned with national security priorities.
Critics argue that some of his conclusions overstate coherence, intentionality and centralisation.
This distinction matters.
The strongest aspect of Benz’s work is not necessarily his final interpretation. It is his mapping of connective tissue.
He is particularly effective at:
- tracing institutional relationships;
- identifying personnel circulation;
- surfacing policy coordination;
- and demonstrating how governmental, academic, NGO and platform ecosystems intersect.
Where his analysis becomes more contentious is in the implied leap from:
significant convergence and coordination
to:
seamless centralised orchestration.
Large institutional systems are rarely that coherent.
Nevertheless, dismissing the entire framework would also be intellectually dishonest. The infrastructure Benz describes clearly exists in some form. The question is not whether convergence exists. The question is how that convergence should be understood.
2.2 Michael Shellenberger and the Institutional Ecosystem Model
While Benz tends towards a geopolitical and national-security interpretation, Michael Shellenberger approaches the issue from a more institutional and civil-libertarian perspective.
Shellenberger’s work, particularly through the Twitter Files investigations, focuses less on covert strategic warfare and more on the gradual bureaucratisation of speech governance.
His central argument is that a broad ecosystem emerged around:
- misinformation;
- election integrity;
- public health communication;
- online harms;
- and digital safety.
This ecosystem includes:
- government agencies;
- universities;
- NGOs;
- media organisations;
- trust and safety teams;
- think tanks;
- and technology platforms.
Unlike Benz, Shellenberger generally avoids framing the phenomenon as a singular covert operation.
Instead, he presents it as a form of institutional overreach driven by:
- bureaucratic expansion;
- mission creep;
- moral certainty;
- reputational risk management;
- and elite consensus formation.
The Twitter Files played a major role in shaping this narrative.
The disclosures appeared to demonstrate:
- extensive moderation requests from governmental actors;
- informal pressure channels;
- NGO moderation influence;
- and coordinated responses to politically sensitive narratives.
Particular attention focused on:
- COVID discourse;
- election legitimacy;
- the Hunter Biden laptop story;
- and the role of the Election Integrity Partnership.
Shellenberger’s analysis is strongest when documenting:
- how moderation systems became institutionalised;
- how informal pressure mechanisms operated;
- and how public-private governance ecosystems expanded.
He frequently uses the concept of “soft coercion”.
The idea is not necessarily that governments directly ordered platforms to censor speech. Rather, governments, regulators and institutional actors created environments in which moderation became strongly incentivised.
This distinction is important because it reflects how modern governance systems often function.
Direct authoritarian command structures are comparatively rare in liberal democracies.
Instead, governance frequently emerges through:
- pressure;
- incentives;
- reputational management;
- regulatory ambiguity;
- liability concerns;
- and networked institutional expectations.
Shellenberger’s concerns are fundamentally civil-libertarian.
He argues that systems initially justified around:
- terrorism;
- extremism;
- foreign propaganda;
- and election security;
gradually expanded into broader management of legitimate political discourse.
Again, some of these concerns are clearly grounded.
Mission creep is a well-established institutional phenomenon.
At the same time, several cautions remain necessary.
Not every moderation decision was government-directed.
Platforms retained substantial internal agency.
Many moderation systems emerged organically in response to:
- advertiser pressure;
- public backlash;
- legal risk;
- and genuinely harmful online behaviour.
The internet does contain:
- manipulation;
- harassment;
- extremism;
- synthetic propaganda;
- and coordinated influence operations.
Acknowledging this does not invalidate concerns about overreach.
It simply prevents the analysis collapsing into moral absolutism.
Like Benz, Shellenberger is strongest when:
- surfacing institutional relationships;
- exposing governance creep;
- and documenting the expansion of moderation ecosystems.
His work is weaker when interpreted as proof of total informational control.
The real significance of both Benz and Shellenberger lies less in proving a singular conspiracy than in revealing the emergence of a highly networked governance ecosystem around digital speech.
2.3 But What Is Actually Proven?
Without careful evidential separation, the entire discussion risks collapsing into either:
- conspiracy rhetoric;
- or dismissive denial.
The reality is more complicated.
Certain things are clearly documented.
Others are reasonable interpretations.
Still others remain speculative.
2.3.1 Clearly documented
The following are broadly evidenced through:
- public reporting;
- litigation disclosures;
- congressional testimony;
- policy documents;
- platform communications;
- and public institutional initiatives.
These include:
- government-platform communication channels;
- NGO moderation partnerships;
- trusted flagger systems;
- counter-disinformation programmes;
- election integrity initiatives;
- moderation escalation mechanisms;
- and significant institutional overlap.
It is also clearly true that:
- moderation systems expanded significantly after 2016;
- online harms frameworks became globally influential;
- and governments increasingly viewed digital platforms as governance infrastructure.
2.3.2 Reasonable interpretations
Several broader conclusions are plausible interpretations of these developments.
For example:
- institutional convergence clearly exists;
- mission creep likely occurred;
- national security logic influenced domestic governance;
- and professional-managerial consensus formation appears significant.
Likewise, it is reasonable to argue that:
- governments increasingly attempted to shape digital discourse;
- moderation ecosystems became politically consequential;
- and governance incentives encouraged behavioural conformity.
2.3.3 Speculative claims
However, certain claims move beyond available evidence.
These include:
- omnipotent central control;
- fully unified command structures;
- total electoral manipulation;
- or the idea that every institution acts as part of a seamless singular conspiracy.
Large systems do not function with that degree of coherence.
Institutional ecosystems are:
- fragmented;
- internally competitive;
- bureaucratically inconsistent;
- and frequently contradictory.
This distinction matters enormously.
Dismissing every concern as conspiracy theory is intellectually unserious.
Equally, treating all convergence as proof of total orchestration is analytically weak.
The challenge is learning to think systemically without collapsing into paranoia.
2.4 Why This Is Not an Argument Against Identity
Before going any further, it is worth making one point absolutely clear.
Nothing in this article should be interpreted as an argument against identity itself.
Identity has always played a fundamental role in civil society. Democracies require trusted institutions. Financial systems require customer identification. Borders require passports. Employers verify qualifications. Citizens authenticate themselves to access public services. None of this is controversial. Modern societies simply cannot function without mechanisms for establishing trust between individuals, organisations and the state.
The same is true online.
Digital identity can reduce fraud, limit account hijacking, combat organised financial crime and make many forms of abuse significantly more difficult. Age assurance, likewise, addresses a genuine societal concern. Parents, legislators and regulators are entirely justified in asking whether children should have unrestricted access to every part of the modern internet, particularly in an era of industrial-scale pornography, online grooming, synthetic media and increasingly sophisticated manipulation.
These are not imaginary problems.
Nor are they trivial ones.
Equally, the rapid growth of bots, automated influence operations, synthetic identities, and AI-generated content raises legitimate questions about authenticity, accountability, and trust. As the cost of generating convincing digital participation approaches zero, the value of distinguishing between genuine and synthetic actors inevitably increases. It would be surprising if governments, platforms and regulators were not exploring new forms of digital identity under those conditions.
Recognising these realities does not require us to ignore the broader consequences.
The argument developed throughout this series is therefore not that identity is inherently undesirable, nor that age assurance lacks legitimate public policy objectives. Rather, once identity becomes embedded in the internet’s underlying architecture, its implications extend well beyond the problems it was originally designed to solve.
- Architecture has a habit of outliving policy.
- A law can be amended.
- A regulator can be abolished.
- A government can be voted out.
- Infrastructure is different.
Once technical architectures become widely deployed, they create new assumptions, new capabilities and new incentives that future governments, organisations and platforms inherit regardless of why those systems were originally introduced.
The question, then, is not whether identity solves real problems.
It clearly does.
The more important question is what happens to the character of the internet once identity becomes part of its operating architecture rather than simply another application layered on top of it.
That is the question this article seeks to answer.
2.5 Evidence, Interpretation and Speculation
One of the difficulties with any discussion of the so-called Censorship Industrial Complex is that the debate quickly collapses into absolutes.
To some, every interaction between governments, technology companies, NGOs and regulators is evidence of a coordinated programme of censorship. To others, any suggestion of institutional influence is dismissed as a conspiracy theory before the evidence has even been examined.
Neither position is particularly helpful.
The more productive approach is to carefully distinguish among what has been documented, what can reasonably be inferred from that evidence, and what remains speculative. Those are three different standards of claim, and confusing them inevitably weakens the discussion.
The work of Mike Benz and Michael Shellenberger has established a considerable body of documentary evidence. Through the Twitter Files, Congressional testimony, public procurement records, grant funding, policy documents and extensive archival research, they demonstrate that governments, technology companies, universities, NGOs and various intermediary organisations have developed increasingly dense relationships around questions of online moderation, misinformation, election integrity and digital safety. They also demonstrate that these relationships expanded significantly following events such as the 2016 US election, Brexit and the Covid-19 pandemic.
Those observations are matters of public record.
Reasonable people may disagree about their significance, but their existence is difficult to dispute.
From that evidence, a number of broader structural inferences become reasonable.
It is reasonable to conclude that institutional networks influence one another.
It is reasonable to conclude that ideas, personnel, funding and governance frameworks move across organisational boundaries.
It is reasonable to conclude that concerns originally developed for foreign information operations can gradually migrate into domestic governance, and that temporary responses to specific crises can become permanent institutional capabilities.
Equally, it is reasonable to conclude that large organisations exposed to similar risks will often converge on similar solutions, even where no formal coordination exists.
These are interpretations grounded in observable institutional behaviour.
They remain interpretations nonetheless.
Beyond that lies speculation.
The existence of overlapping institutional networks does not, by itself, demonstrate the existence of a single directing authority. Similar policy language does not necessarily imply central command. Shared funding streams do not automatically prove coordinated intent. Nor does the emergence of comparable legislation across multiple democratic states require a hidden global plan.
Such claims may ultimately prove correct, partially correct or entirely incorrect.
The available evidence does not yet justify treating them as an established fact.
That distinction matters because intellectual credibility depends upon it.
If every similarity is treated as proof of conspiracy, genuine evidence becomes easier to dismiss. Equally, if every documented institutional relationship is dismissed as a coincidence, meaningful patterns become impossible to investigate. Both errors lead to the same destination: ideology replacing analysis.
Throughout this article I have therefore tried to maintain a simple hierarchy.
Evidence should be treated as evidence.
Structural inference should be identified as interpretation.
Speculation should remain speculation.
Only by keeping those boundaries clear can we have a serious conversation about how digital governance is actually evolving, rather than arguing over caricatures of positions that few informed observers genuinely hold.
3. Memetics, Systems and Convergence
Having established what we know, the obvious question becomes why so many apparently independent institutions have arrived at remarkably similar conclusions.
Even if the broad institutional ecosystem described by Benz and Shellenberger exists, another question immediately follows. How do so many organisations, operating across different countries, political systems and sectors, end up adopting such remarkably similar governance instincts? My own view is that the answer lies less in traditional political analysis than in systems theory, institutional evolution and the way ideas propagate through increasingly interconnected professional networks.
3.1 Institutions Do Not Copy Policies. They Copy Successful Solutions.
One of the things I think both supporters and critics of the so-called Censorship Industrial Complex sometimes underestimate is just how ordinary institutional behaviour actually is.
There is a tendency, particularly online, to imagine governments, regulators and large organisations behaving as though they were unified actors with coherent long-term strategies. They are not. Most large institutions are sprawling, internally contradictory, politically constrained and permanently short of time. Most decisions are not made by omniscient masterminds. They are made by committees, policy teams, legal departments, external advisers and civil servants trying to solve the problem immediately in front of them.
That observation might sound almost disappointingly mundane, but I think it is one of the keys to understanding how remarkably similar governance frameworks have appeared across so much of the democratic world over the past decade.
Institutions very rarely invent entirely new ideas.
What they do exceptionally well is recognise ideas that appear to have worked somewhere else.
Suppose one country introduces online harms legislation. Another government notices that it has received broadly favourable media coverage, survived judicial scrutiny and appears politically defensible. Civil servants commission a review. A parliamentary committee invites evidence. Academic researchers publish supporting papers. Think tanks organise roundtable discussions. Consultancy firms begin advising clients on implementation. Technology companies quietly build the engineering capabilities needed to comply because supporting one broadly standardised model is considerably cheaper than supporting dozens of incompatible national approaches.
Nobody has to issue instructions.
Nobody has to convene a secret meeting.
Nobody has to decide that the entire Western world should suddenly begin talking about online harms, digital resilience or age assurance.
The idea simply begins reproducing because it has demonstrated that it can survive inside institutional environments.
This is hardly a new observation. Organisational sociology has spent decades studying what is sometimes called institutional isomorphism. Faced with uncertainty, organisations tend to become more alike over time. They recruit from the same professional communities. They attend the same conferences. They consume the same research. They employ the same consultancies. They benchmark themselves against one another. Eventually they begin speaking the same language, not because somebody required them to, but because shared professional environments naturally produce shared assumptions about what competent governance looks like.
Once you begin looking through that lens, a great deal of what appears mysterious starts becoming considerably less so.
Why do regulators in different countries suddenly begin using remarkably similar terminology?
Why do different governments independently conclude that digital identity, online harms, AI safety and behavioural accountability should become policy priorities?
Why do technology companies, universities, NGOs and international organisations increasingly describe problems using almost identical conceptual frameworks?
The obvious answer is coordination, and sometimes coordination undoubtedly exists. Governments cooperate. Regulators exchange information. International organisations publish guidance. Professional bodies develop common standards. That is neither surprising nor particularly controversial.
But coordination is only part of the story.
The more interesting process is convergence.
People working inside these systems are exposed to remarkably similar informational environments. They read many of the same papers. Attend many of the same conferences. Follow many of the same researchers. Move between government, academia, consultancy, industry and the third sector throughout their careers. It would actually be surprising if they did not begin converging on similar assumptions about risk, governance and institutional responsibility.
This is one reason I think debates about the Censorship Industrial Complex often become unnecessarily polarised.
One side sees every similarity as evidence of deliberate coordination. The other dismisses every similarity as a coincidence. Neither explanation seems entirely satisfactory. Institutions do coordinate. But they also converge. Those are not the same thing.
Convergence occurs when systems operating under similar environmental pressures gradually evolve towards similar solutions without requiring detailed central direction. It is less dramatic than a conspiracy, but arguably more powerful because it becomes self-sustaining. Once enough organisations adopt a particular governance model, that model begins acquiring legitimacy simply because it has become normal. Future institutions inherit it rather than questioning it.
That is how standards emerge.
That is how best practice emerges.
And, increasingly, I suspect, that is how governance itself evolves.
3.2 Memetic Evolution and the Governance Ecosystem
If institutions explain where governance frameworks emerge, memetics helps explain why some of those frameworks spread so successfully.
Unfortunately, the word “meme” has become almost unusable.
For most people, it now means little more than a humorous image shared on social media. That is a long way from Richard Dawkins’ original idea. Dawkins used the term to describe units of cultural transmission. Ideas that replicate. Ideas that compete. Ideas that mutate. Ideas that survive because they are particularly good at surviving.
Whether an idea is true is almost incidental.
Whether it reproduces is what matters.
That distinction has profound implications for understanding modern governance.
Take phrases such as “Trust and Safety”, “Online Harms”, “Digital Resilience”, “Responsible AI” or “Platform Accountability”. None of these is simply a policy proposal. They are highly successful institutional memes. They package a problem, a moral position, and an implied solution together in a form that is immediately understandable to governments, regulators, technology companies, and the media. They reduce complexity. They provide a common language. Most importantly, they give organisations something they can actually do.
That is what makes them evolutionarily successful.
Good memes solve problems for the environments they inhabit.
In biology, an organism survives because it is well-adapted to its environment. In institutions, ideas survive because they are well adapted to institutional environments. A governance framework that reduces legal exposure, demonstrates organisational responsibility, reassures regulators and can be implemented by technology teams is simply more likely to spread than one that offers philosophical purity but little practical guidance.
Seen from that perspective, the rapid international adoption of similar governance language becomes rather less mysterious.
Ideas do not spread because somebody necessarily orders them to spread.
They spread because they are useful.
Or perhaps more accurately, because they are useful to the kinds of organisations that currently dominate digital governance.
That does not make those ideas either good or bad.
It simply explains why they reproduce.
This also helps explain why debates around censorship often feel so unsatisfactory. Critics tend to examine the political consequences of these governance frameworks. Policymakers tend to focus on the immediate problems they are trying to solve. Both are observing something real, but they are operating at different levels of abstraction.
One side sees a growing ecosystem of ideas that collectively narrow the space for anonymous participation and unconstrained speech.
The other sees a succession of practical responses to child exploitation, fraud, coordinated manipulation, synthetic media, election interference and online abuse.
Neither perspective is entirely wrong.
The difficulty is that neither fully explains the behaviour of the system.
The system behaves evolutionarily.
Governance ideas compete for adoption just as technologies do. Some disappear almost immediately. Others become embedded so deeply that within a few years they stop being debated altogether. They become assumptions. They become guidance. They become standards. Eventually, they become infrastructure.
That transition is rarely dramatic.
Most governance frameworks do not arrive through revolutionary political moments. They emerge incrementally. A report here. A consultation there. A pilot programme. A new regulator. An industry code of practice. An international working group. None of these developments appears especially significant in isolation. Taken together, however, they begin altering the assumptions upon which future policy is built.
This is one reason I find purely conspiratorial explanations ultimately unsatisfying.
Conspiracies imply that if you remove the conspirators, the system returns to equilibrium.
Evolutionary systems do not work like that.
Once an idea has become sufficiently fit for its environment, it no longer requires its original advocates. Other institutions adopt it because it has become the obvious solution. New entrants inherit it because it has become accepted practice. Critics increasingly find themselves arguing not against individual policies but against an entire ecosystem of mutually reinforcing assumptions.
That is a much harder problem to solve.
It also explains why governance frameworks can continue expanding even when governments change, regulators are replaced or political priorities shift. The underlying memes have already propagated through the wider institutional ecosystem. They have become part of its operating system.
I increasingly suspect that this is the level at which the debate ought to be taking place.
The interesting question is not simply who first proposed a particular governance framework, nor even who currently benefits from it. The more revealing question is why certain ideas repeatedly outcompete others across such a diverse range of institutional environments. What characteristics make them so evolutionarily successful, and what does that tell us about the environments in which they are competing?
Once we start asking those questions, the discussion moves beyond politics and into something much broader. We are no longer examining governments or platforms in isolation. We are examining the evolution of governance itself.
3.3 The Unbundled Web and Invisible Propagation
There is, however, another piece of the puzzle that I think receives far less attention than it deserves.
Most discussions about misinformation, online harms and institutional convergence still implicitly assume that the internet works in roughly the same way that it did fifteen or twenty years ago. We imagine ideas spreading through blogs, newspapers, public forums and social media feeds that everyone can broadly observe. We imagine that if an idea becomes influential, we should be able to trace its journey through the public domain.
Increasingly, I do not think that is how the modern internet functions at all.
In The Web Unbundled, I argued that we have quietly stopped talking about one internet and started inhabiting thousands of overlapping ones. The web has not disappeared, but it has fragmented into a vast collection of semi-private and often invisible informational environments. Slack workspaces, WhatsApp groups, Signal chats, Discord communities, Teams channels, private mailing lists, closed LinkedIn groups, industry conferences, policy workshops and invite-only roundtables have all become part of the machinery through which ideas now spread.
This matters because it fundamentally changes what we are able to observe.
Twenty years ago, if an idea gained traction, much of its propagation happened in public. Today, a significant proportion of its journey may take place inside networks that are effectively invisible to anyone outside them. By the time the idea finally appears as legislation, corporate policy or regulatory guidance, the public often sees only the final output, not the months or years of discussion that preceded it.
That absence of visibility creates an important illusion.
When people observe remarkably similar language appearing simultaneously across governments, regulators, technology companies and international organisations, they naturally begin asking who coordinated it. Sometimes the answer genuinely is coordination. Governments cooperate. International organisations publish guidance. Regulators meet. Standards bodies exist precisely to encourage consistency.
But propagation does not always require coordination.
Ideas can spread simply because people move.
Civil servants move between departments. Academics become advisers. Regulators join consultancies. Industry experts sit on government working groups. Journalists attend policy conferences. Researchers collaborate internationally. Technology companies recruit from the government. Governments recruit from industry. Professional networks overlap continuously, carrying assumptions, vocabulary and governance models with them.
Nobody needs to orchestrate that process.
The network does the work.
This is one reason I increasingly think that convergence and coordination are too often treated as though they were interchangeable. They are not. Coordination implies deliberate organisation. Convergence simply means that systems exposed to similar information, incentives, and environmental pressures gradually begin to exhibit similar behaviour. The two can coexist, but they are not the same phenomenon.
The unbundled web accelerates this process by dramatically increasing the number of available propagation pathways. An idea no longer needs to travel through one highly visible public route. It can move simultaneously through dozens of partially connected professional networks, each carrying it into a different institutional environment where it is adapted, translated and eventually normalised. By the time those separate pathways reconnect in the public sphere, the idea appears to have emerged everywhere at once.
That is precisely how memetic evolution works.
Ideas do not simply replicate. They mutate as they move between environments. A concept developed in a university research centre becomes a think tank report. The think tank report becomes a policy recommendation. The recommendation becomes regulatory guidance. The guidance becomes corporate best practice. The corporate implementation becomes an international standard. At each stage, the language changes slightly, the emphasis shifts and the justification evolves, yet the underlying idea remains recognisable.
From the outside, the process can look almost magical.
For one month, very few people are talking about a particular concept. Two years later, it seems to be everywhere. The temptation is to assume that somebody must have been directing the process behind the scenes.
Sometimes they were.
Very often they were not.
What they were doing was participating in an ecosystem that had become exceptionally efficient at selecting, refining and propagating ideas that solved the problems facing the institutions within it.
That, I think, is a much more interesting model than either coincidence or conspiracy.
It explains why governance language has become so remarkably consistent across jurisdictions without requiring us to believe that every participant is consciously collaborating. It also explains why the process has become increasingly opaque. We no longer live on a predominantly public web where the evolution of ideas can be observed in real time. We live on an unbundled web in which the propagation layer is largely hidden from view.
Ironically, that very invisibility makes conspiracy theories more attractive. When people can only see the outputs and not the transmission mechanisms, hidden coordination becomes an entirely understandable explanation. Sometimes it is even the correct one. More often, however, what looks like orchestration may simply be the natural consequence of highly connected institutional ecosystems continuously exchanging, selecting and refining the ideas most suited to their shared environment.
The irony is difficult to ignore. The internet promised radical transparency. Instead, as it matured, it became increasingly opaque. Not because information disappeared, but because the conversations that matter most increasingly migrated into places where almost nobody else is looking. That may turn out to be one of the defining characteristics of the post-LLM web. It is not simply that information has become abundant. It is that the pathways through which information evolves have become largely invisible.
3.4 Institutions as Society’s Immune System
The more I have thought about this, the less convinced I have become that the most useful analogy is conspiracy, coordination or even governance.
I increasingly think biology offers a better model.
Every complex organism develops an immune system. Its purpose is straightforward. It detects threats, distinguishes between what belongs and what does not, and attempts to preserve the integrity of the organism. Most of the time we barely notice it. It is simply part of the background machinery that allows the whole system to function.
Societies appear to do something remarkably similar.
As societies become larger, more interconnected and more dependent upon shared infrastructures, they gradually evolve institutions whose primary purpose is not producing things, but maintaining stability. Regulators, courts, public health agencies, standards bodies, central banks, intelligence services, emergency planners, trust and safety teams and increasingly digital governance organisations all perform, in different ways, an immune function. They identify anomalies, assess risk and attempt to prevent local problems becoming systemic failures.
There is nothing inherently sinister about that. In fact, one could reasonably argue that modern civilisation would be impossible without it. The difficulty arises because immune systems are not objective observers. They are adaptive systems. They respond to perceived threats. And like all adaptive systems, they sometimes overreact.
Medicine has long understood that one of the greatest dangers to a healthy organism is not infection but autoimmunity. An immune system that becomes so sensitive to potential threats that it begins attacking healthy tissue. The system, designed to preserve the organism, gradually starts degrading it instead.
I increasingly wonder whether something similar can happen within institutional societies.
Consider the sequence of events over the past fifteen years.
- Financial instability.
- Terrorism.
- Foreign influence operations.
- Brexit.
- Trump.
- Covid.
- Synthetic media.
- Generative AI.
Each event, viewed independently, presents a genuine governance challenge. Each encourages institutions to develop new mechanisms for monitoring, verification, coordination or intervention. None of those responses is irrational when viewed in isolation. Indeed, many are entirely understandable.
The problem emerges when those responses accumulate.
Every crisis leaves behind new structures. New regulators. New guidance. New reporting requirements. New partnerships. New standards. New governance frameworks. Very few of these disappear once the immediate crisis has passed. Institutions, almost by definition, accumulate rather than contract.
Over time, the immune response becomes part of the organism.
This helps explain something that has always struck me as odd about debates surrounding online censorship.
Critics often assume that the people working within these systems must know exactly what they are doing. That they are consciously constructing an apparatus of social control.
Equally, defenders often assume that because individual participants are acting in good faith, criticism of the system itself must therefore be misplaced.
Neither position feels quite right.
Most people working in these institutions almost certainly believe they are acting responsibly. They are trying to reduce fraud, protect children, defend elections, combat organised criminality, reduce harassment or prepare society for the consequences of increasingly capable artificial intelligence. These are not trivial concerns. They are real problems requiring serious responses.
The question is not whether those motivations are sincere.
The question is whether sincere institutions can collectively produce outcomes none of them intended individually.
History suggests they can.
Large systems frequently develop emergent behaviour. Markets do it. Ecosystems do it. Cities do it. Bureaucracies do it. No single participant controls the outcome, yet the system as a whole exhibits remarkably consistent patterns of behaviour that cannot easily be explained by examining individual actors in isolation.
Perhaps governance works the same way.
Perhaps what Mike Benz has documented is one manifestation of that process. Perhaps what Michael Shellenberger uncovered through the Twitter Files is another. Neither necessarily requires an omnipotent coordinating authority. Both may simply represent different perspectives on the same adaptive system responding to unprecedented informational conditions.
If I had to summarise all of this in a single concept, I would borrow one from developmental biology. Morphogenesis describes the process by which complex organisms develop coherent structure without any individual cell possessing a blueprint for the organism as a whole. Each cell responds only to local information, local chemical gradients and its immediate environment, yet highly ordered structures emerge at the scale of the organism.
I think something broadly analogous may be happening within our institutional ecosystems. Governments, regulators, NGOs, universities, technology companies and standards bodies respond to local incentives, local risks and local professional pressures. None needs to understand the system in its entirety. None needs to be directing the whole. Yet collectively they produce governance architectures that appear remarkably coherent when viewed from a distance.
The coherence is real. It does not necessarily follow that there is a single coherent designer.
If that is even broadly correct, then the debate changes quite significantly.
The central question is no longer whether there is a conspiracy.
Nor is it whether governments should regulate online platforms.
The more interesting question becomes whether modern societies have begun developing an informational immune system whose sensitivity is increasing faster than its ability to distinguish genuine threats from ordinary democratic disagreement.
That strikes me as a much more difficult question.
It also strikes me as a much more important one.
Because immune systems rarely collapse all at once.
They adapt.
They become more sophisticated.
They respond to each new challenge.
And unless they are subjected to continual scrutiny, they have a tendency to redefine more and more of the world as something requiring intervention.
Perhaps that is simply the price of maintaining complex digital civilisations.
Or perhaps, like every other immune system in nature, institutional governance occasionally needs reminding that the purpose of an immune response is not to eliminate all uncertainty.
It is to preserve the health of the organism.
The distinction is subtle.
But it may ultimately prove to be the distinction upon which the future character of the internet depends.
3.5 Why Institutions Optimise for Different Things
One of the assumptions that quietly underpins much of the public debate is that institutions should optimise for the same things that individuals value.
They rarely do.
Individuals naturally value liberty, privacy, autonomy and freedom from unnecessary interference. Institutions, by contrast, are created to deliver predictable outcomes under conditions of uncertainty. They are judged not by philosophical elegance, but by whether they can demonstrate that they have managed risk, complied with legislation and discharged their responsibilities.
Those are very different optimisation functions.
A regulator does not primarily optimise for privacy.
It optimises for compliance.
A government department does not primarily optimise for individual liberty.
It optimises for political accountability.
A multinational technology company does not primarily optimise for decentralisation.
It optimises for operational consistency across hundreds of jurisdictions.
An insurer does not optimise for anonymity.
It optimises for measurable risk.
These incentives matter because they shape the kinds of solutions institutions naturally favour.
Faced with a choice between a technically elegant system that is difficult to audit and a less elegant system that produces a clear evidential trail, institutions will almost invariably choose the latter. Faced with uncertainty, they tend to prefer solutions that can be measured, documented and defended rather than those that maximise individual discretion. Auditability becomes more valuable than privacy because auditability allows organisations to demonstrate that they have fulfilled their legal and regulatory obligations.
Liability exerts a similarly powerful influence.
Modern organisations operate within increasingly complex legal environments. When something goes wrong, whether it is child exploitation, financial fraud, terrorist content or AI-generated deception, the first question is rarely philosophical. It is operational.
Who knew?
Who was responsible?
What controls were in place?
What evidence exists?
Identity systems, logging, provenance and verification all provide answers to those questions. They reduce uncertainty. They allocate responsibility. They create defensible records. Even where they do not eliminate the underlying problem, they reduce institutional exposure to criticism and litigation.
Operational simplicity exerts an equally powerful gravitational pull.
Large organisations rarely favour the theoretically perfect solution. They favour the solution that can be deployed consistently across millions of users, audited by regulators, understood by legal teams and integrated into existing operational processes. Complexity is expensive. Simplicity scales.
Political defensibility may be the most important optimisation pressure of all.
Very few ministers lose their jobs because they introduced stronger child protection measures.
Very few regulators are criticised for taking online abuse seriously.
Very few executives are attacked for implementing additional safety controls after a public scandal.
The incentives almost always point in one direction.
Do more.
Verify more.
Record more.
Demonstrate more.
None of this requires bad faith.
Indeed, most of the individuals making these decisions are behaving entirely rationally within the incentive structures that surround them. The difficulty is that optimisation at the level of the institution does not necessarily produce optimisation at the level of society. A system that is easier to audit may also be more intrusive. A system that reduces organisational liability may simultaneously reduce personal privacy. A system that is politically defensible may gradually narrow the space for anonymous participation without anybody explicitly intending that outcome.
This, I think, helps explain why certain governance models repeatedly outcompete others.
It is not simply that they are technically superior.
Nor is it necessarily because they are politically imposed.
They are selected because they solve the optimisation problems institutions actually face.
That is why similar architectures emerge across different countries, different political systems and different regulatory environments. Institutions exposed to similar pressures naturally converge on solutions that maximise auditability, minimise liability, simplify operations and withstand political scrutiny.
The resulting architecture is not inevitable.
But given the incentives acting upon the institutions building it, it is perhaps considerably less surprising than it first appears.
3.6 Why Better Technologies Rarely Win
One of the more uncomfortable observations to emerge from studying large institutional systems is that the technically superior solution is often not the one that succeeds.
Engineers have a natural tendency to assume that better technology eventually wins. History offers many examples where that has indeed been the case. Faster processors replaced slower ones. Better compression algorithms replaced less efficient alternatives. More reliable networking protocols gradually displaced weaker predecessors.
Governance technologies behave rather differently.
Here, success is rarely determined solely by technical elegance. It is determined by whether a solution satisfies the broader needs of governments, regulators, legal systems, procurement frameworks and operational organisations. Those are very different optimisation criteria.
This is particularly apparent in digital identity.
Over the past decade, researchers and standards bodies have developed increasingly sophisticated approaches to proving identity attributes without unnecessarily disclosing personal information. Zero Knowledge Proofs allow an individual to prove possession of a fact without revealing the fact itself. A user can demonstrate they are over eighteen without disclosing their exact date of birth. Selective Disclosure allows individuals to reveal only those attributes required for a particular transaction. Verifiable Credentials provide cryptographically signed assertions that can be independently verified without requiring constant reference to a central authority. Decentralised Identity seeks to shift control away from large platforms and governments towards the individual, allowing citizens to carry and present credentials under their own control. Federated Identity reduces repeated authentication by allowing trusted organisations to recognise credentials issued elsewhere.
From a technical perspective, many of these ideas are remarkably elegant.
They minimise data collection.
They reduce unnecessary disclosure.
They strengthen privacy.
They limit centralised databases.
They embody principles that privacy advocates have argued for over many years.
Yet despite their technical sophistication, adoption has been comparatively slow.
The obvious explanation is technological immaturity.
I suspect the deeper explanation lies elsewhere.
Institutions optimise for different objectives.
A privacy-preserving identity system may be technically excellent, but if it is difficult to explain to ministers, expensive to audit, unfamiliar to procurement teams, complicated to regulate or challenging to integrate into existing operational processes, its technical advantages rapidly become secondary. Conversely, a comparatively simple system that produces clear audit logs, supports legal accountability, fits existing compliance frameworks and can be deployed consistently across millions of users becomes institutionally attractive even if it collects more information than is strictly necessary.
This is not because institutions are hostile to privacy.
Rather, privacy is only one of many competing design objectives, and it is often outweighed by concerns around liability, accountability, operational certainty and political defensibility.
The consequence is that governance technologies frequently evolve very differently from consumer technologies.
The technically best solution does not necessarily become the dominant solution.
The institutionally simplest one often does.
History provides numerous examples of this phenomenon. Superior security mechanisms have repeatedly lost to systems that were easier to administer. Open standards have been displaced by proprietary ecosystems offering stronger governance. Decentralised architectures have frequently given way to centralised platforms because centralisation simplifies procurement, support, compliance and commercial relationships. None of these outcomes were inevitable from a technical perspective. They emerged because institutions were solving administrative problems rather than engineering ones.
The same pressures are now visible in digital identity.
This does not mean privacy-enhancing technologies are irrelevant. Quite the opposite. They may ultimately prove essential if liberal democracies wish to preserve anonymity, proportionality and individual autonomy within increasingly governed digital environments. However, their success will depend upon more than cryptographic elegance. They must also satisfy the operational requirements of the institutions expected to deploy them.
That, perhaps, is the real challenge.
The future of digital identity is unlikely to be determined by whichever technology proves mathematically superior.
It will be determined by whichever architecture best reconciles privacy, governance, liability, usability, economics and political accountability.
In other words, the contest is not between good technology and bad technology.
It is between different optimisation functions.
Until privacy-enhancing technologies solve institutional problems as effectively as they solve technical ones, they will continue to find themselves competing against systems that are administratively simpler, legally safer and politically easier to defend. That may be frustrating for engineers, but it is entirely consistent with how complex institutions have always evolved.
3.7 The Missing Economics
Discussions about internet governance tend to focus on politics, technology or civil liberties.
Relatively little attention is paid to economics.
I increasingly suspect that this is a mistake.
Large institutional systems rarely evolve solely because particular ideas are politically persuasive. They evolve because they reduce uncertainty, lower costs and simplify decision making. Once a governance model begins doing those things effectively, it develops an economic momentum of its own.
That momentum is easy to underestimate.
Every organisation operating at scale faces uncertainty. Regulators worry about inconsistent enforcement. Platforms worry about legal liability. Governments worry about public criticism. Investors worry about regulatory risk. Procurement teams worry about interoperability. Lawyers worry about evidential standards. Engineers worry about implementing multiple, conflicting compliance regimes across dozens of jurisdictions.
Governance architectures reduce that uncertainty.
A common identity framework. A standardised age assurance mechanism. A recognised provenance model. A shared compliance process. These do more than satisfy legislation. They make organisations easier to run.
Standardisation has always been one of the great economic forces of industrial society.
Container shipping transformed global trade not because containers were intellectually exciting, but because standard dimensions dramatically reduced the cost and complexity of moving goods. TCP/IP became dominant because common protocols reduced the cost of connecting networks. Payment cards succeeded because merchants preferred one broadly interoperable system over hundreds of incompatible alternatives.
Digital governance exhibits similar dynamics.
Every jurisdiction with unique identity requirements imposes additional engineering effort. Every bespoke compliance framework requires separate legal interpretation, testing, deployment and operational support. Every platform-specific implementation increases maintenance costs. Conversely, once a sufficiently large number of jurisdictions begin requiring similar capabilities, the commercial incentive shifts decisively towards building one broadly reusable architecture that satisfies them all.
At that point, compliance ceases to be merely a legal obligation.
It becomes an economic optimisation.
This is one reason governance frameworks often spread more quickly than political debates suggest they should. Once one implementation has been built, the marginal cost of deploying it elsewhere becomes relatively small. Platforms begin asking not, “What does this country require?”, but “Can our existing governance stack satisfy this requirement with only minor modification?”
Increasingly, the answer is yes.
Common compliance also reduces legal exposure.
For a multinational platform, the ability to demonstrate that it has implemented recognised industry practices, adopted accepted standards and followed regulator-approved processes provides a significant degree of institutional protection. If challenged in court, questioned by regulators or criticised following a public incident, organisations can point to established governance frameworks rather than defending bespoke approaches developed in isolation.
That has real commercial value.
Seen through this lens, the relationship between economics and memetics becomes clearer.
Ideas spread because they solve institutional problems.
They spread even faster when they solve economic ones.
A governance framework that lowers implementation costs, simplifies procurement, reduces legal uncertainty and demonstrates regulatory diligence possesses exceptionally high memetic fitness. It is selected not simply because people agree with it, but because it is cheaper, safer and easier to deploy than the available alternatives.
This creates a powerful feedback loop.
The more organisations adopt a particular governance architecture, the cheaper it becomes to implement. The cheaper it becomes to implement, the more attractive it becomes commercially. The wider its adoption, the more likely regulators are to treat it as accepted practice. Eventually, what began as one possible implementation quietly becomes the default expectation.
By that stage, the architecture has acquired a form of economic gravity.
This is why I think discussions framed purely in political terms miss something important.
The internet is not being reshaped solely because governments are legislating.
It is being reshaped because legislation, commercial incentives, engineering economics and institutional optimisation are all beginning to point in broadly the same direction.
The economics reinforce the memetics.
The memetics reinforce the institutions.
The institutions reinforce the architecture.
Long before a particular governance model becomes politically inevitable, it often becomes commercially irresistible.
By the time the political debate catches up, much of the engineering has already been completed.
3.8 Identity Economics
Perhaps the single most overlooked aspect of the Age-Gated Internet is that identity is not merely becoming a policy objective.
It is becoming an economic asset.
Much of the public debate frames digital identity in political terms. Governments seek to protect children. Regulators seek to reduce fraud. Platforms seek to combat bots. Civil liberties organisations seek to preserve privacy. All of these perspectives are important.
None of them fully explains why identity infrastructure is spreading so rapidly.
Economics does.
Every large technological transition creates new markets.
Railways created signalling industries.
Electricity created metering industries.
The internet created search, cloud computing and cybersecurity.
Identity is now creating its own economic ecosystem.
Once identity becomes architectural rather than transactional, an entire supply chain begins to emerge around it.
Credential providers.
Identity verification companies.
Age assurance vendors.
Authentication platforms.
Mobile operating systems.
Cloud identity services.
Trust frameworks.
Standards bodies.
Compliance consultancies.
Digital wallet providers.
Fraud analytics.
Behavioural risk engines.
Insurance products.
Certification schemes.
Audit services.
Each provides a legitimate service.
Each solves a genuine operational problem.
Each also develops a commercial interest in the continued expansion of the underlying architecture.
This should not be interpreted cynically.
Economic incentives are neither inherently virtuous nor inherently malign.
They are simply powerful.
Once a sufficiently large market begins forming around a particular architectural model, commercial forces naturally begin reinforcing its continued adoption.
This creates a second feedback loop alongside the institutional dynamics discussed earlier.
Institutions adopt identity because it reduces uncertainty.
Markets invest in identity because institutions adopt it.
Investment produces better products.
Better products reduce implementation costs.
Lower costs encourage wider deployment.
Wider deployment expands the market further.
The architecture becomes progressively easier to justify, not simply because it addresses policy objectives, but because an increasingly mature commercial ecosystem now exists to deliver it.
The relationship is self-reinforcing.
Operating system vendors provide identity APIs because application developers require them.
Application developers use them because they already exist.
Governments reference recognised technical standards because mature commercial implementations are available.
Commercial providers build against those standards because governments increasingly reference them.
Each participant behaves rationally.
Collectively they generate powerful path dependence.
Importantly, no individual organisation needs to control this process.
Apple benefits when trusted identity capabilities become native operating system functions.
Google benefits for similar reasons.
Financial institutions benefit from reduced fraud.
Identity providers benefit from increased demand.
Cybersecurity companies benefit from stronger authentication.
Regulators benefit from more consistent compliance.
Insurers benefit from reduced uncertainty.
Every participant can pursue entirely legitimate objectives.
Yet the aggregate effect remains remarkably consistent.
Identity gradually shifts from being a niche capability into shared societal infrastructure.
This also explains why technically elegant alternatives often struggle to displace established approaches.
Once vendors have invested billions developing products, standards, expertise and operational capability around a particular architectural direction, the economic cost of adopting radically different models becomes increasingly difficult to justify. Organisations begin optimising around existing ecosystems rather than theoretical ideals.
Markets, like institutions, exhibit inertia.
This does not imply that commercial interests are driving policy.
Nor does it imply that policy is merely a disguise for commercial expansion.
The relationship is considerably more complex.
Policy creates markets.
Markets strengthen architecture.
Architecture attracts investment.
Investment accelerates adoption.
Adoption creates dependency.
Dependency reinforces policy.
By this stage, separating politics from economics becomes almost impossible because each continuously influences the other.
This is why I increasingly believe that debates framed solely around civil liberties or public safety miss one of the most powerful forces shaping the next generation of the internet.
Markets evolve.
Capital accumulates.
Supply chains mature.
Professional expertise develops.
Commercial ecosystems form.
Long before an architecture becomes politically inevitable, it often becomes economically indispensable.
That may ultimately prove to be one of the most important lessons of the Age-Gated Internet.
The future of digital identity will not be determined solely in parliaments, courts or standards bodies.
It will also be determined in procurement departments, venture capital firms, engineering roadmaps, software development kits and commercial product strategies.
Like every successful infrastructure transition before it, the architecture will spread not simply because governments require it.
But because markets increasingly reward it.
3.9 The Adoption and Lock-in Model
One of the questions that repeatedly arises throughout debates about digital identity is remarkably simple.
If these architectures represent such a significant shift, why do they emerge so gradually?
The answer lies in the way infrastructure evolves.
Large technological transitions almost never occur through a single revolutionary decision.
They occur through accumulation.
The pattern is remarkably consistent across history.
A genuine problem emerges.
Child protection.
Financial fraud.
Identity theft.
Synthetic media.
Bot networks.
Each generates legitimate political and commercial pressure to act.
Governments respond by establishing new policy objectives.
Those objectives rarely prescribe technical implementation in detail. Instead, they define broad outcomes that industry is expected to achieve.
The engineering community then begins searching for practical solutions.
Standards bodies develop specifications.
Industry groups produce guidance.
Technical working groups define interoperability.
Open-source projects mature.
Commercial vendors develop products.
Operating system developers expose new APIs.
Application developers begin consuming those APIs because they represent the simplest, cheapest and most widely supported implementation available.
Once developers begin building against those capabilities, something important changes.
Applications start depending upon them.
New products assume their existence.
Compliance frameworks begin referencing recognised implementations.
Procurement teams increasingly expect them as standard functionality.
Training materials are written.
Professional expertise develops.
Entire supply chains begin organising themselves around the emerging architecture.
At this stage, adoption accelerates.
Not because governments necessarily demand it.
Because implementation becomes progressively easier than designing alternative approaches.
What began as one possible solution gradually becomes the default solution.
Eventually the architecture reaches a critical point.
Removing it no longer affects only the original policy objective.
It affects applications.
Standards.
Commercial products.
Developer tools.
Compliance processes.
Training.
Operational procedures.
Entire industries.
The architecture has become embedded.
This is the point at which lock-in begins to emerge.
Importantly, lock-in is not primarily legal.
It is economic.
Technical.
Institutional.
Organisational.
Replacing a deeply embedded architecture requires rewriting software, retraining staff, revising procurement frameworks, updating regulations, rebuilding commercial products and persuading thousands of independent organisations to move simultaneously.
That is extraordinarily difficult.
This explains why infrastructure often survives political change.
Governments come and go.
Architectures remain.
Policies may evolve every few years.
Operating system APIs often persist for decades.
Technical standards change slowly.
Commercial ecosystems slower still.
The result is a form of institutional inertia that operates largely independently of electoral politics.
The transition therefore follows a remarkably predictable sequence.
A problem emerges.
Political demand follows.
Legislation establishes objectives.
Standards define implementation.
Technology platforms embed capabilities.
Developers adopt them.
Markets mature around them.
Dependencies accumulate.
The architecture becomes difficult to remove.
None of these individual stages appears particularly controversial.
Each represents a rational response to the stage before it.
Yet viewed collectively they reveal something much larger.
Infrastructure is not simply adopted.
It becomes normal.
That normalisation may ultimately be the most important stage of all.
People cease asking whether the architecture should exist.
They begin assuming it always has.
Future generations design systems around capabilities that previous generations regarded as optional.
The debate quietly shifts from whether identity should form part of the internet to how that identity should be implemented.
By then, the architectural decision has largely been made.
This is why I believe discussions focused solely upon individual pieces of legislation often underestimate the scale of the transition underway.
The real transformation occurs not when Parliament passes a law.
Nor when a regulator publishes guidance.
It occurs when thousands of independent engineers, architects, procurement teams, standards bodies and commercial organisations quietly begin building the same assumptions into the foundations of the next internet.
That is how infrastructures evolve.
Not through revolution.
Through adoption.
Then dependency.
Finally, lock-in.
3.10 Historical Precedents: Identity Has Changed Before
One of the easiest criticisms to make of this article is also one of the most obvious.
Identity is not new.
Governments have always needed to know who people are. Banks have always verified customers. Employers have checked qualifications. Border controls have required passports. Financial systems have relied upon trusted credentials for decades.
None of that is controversial.
Nor is it particularly interesting.
The important question is not whether identity exists.
It is where identity sits within the architecture of society.
Throughout history, identity has repeatedly evolved in response to changes in the scale and complexity of civilisation.
Small communities required little formal identification because trust was largely personal. People knew one another directly. Reputation travelled through families, neighbours and local institutions. Identity was social rather than documentary.
As populations expanded, those informal mechanisms ceased to scale.
States emerged.
Taxation emerged.
Standing armies emerged.
Trade expanded beyond local communities.
Governments required increasingly reliable methods of identifying citizens, collecting revenue and administering justice.
Writing transformed identity.
Records replaced memory.
Birth registration, land ownership, census data and legal documentation all represented successive attempts to solve increasingly complex coordination problems.
- Later came passports.
- National insurance numbers.
- Driving licences.
- Bank accounts.
- Credit reference agencies.
Each appeared initially to solve a specific operational problem.
- Travel.
- Taxation.
- Employment.
- Credit.
- Healthcare.
None was introduced as part of a comprehensive identity strategy.
Each emerged independently.
Yet together they gradually created increasingly sophisticated identity infrastructures capable of supporting modern industrial societies.
The digital era has followed a remarkably similar pattern.
Usernames solved access control.
Passwords solved authentication.
SSL certificates established trust between machines.
Domain names replaced numerical addresses.
Email addresses became persistent identifiers.
Mobile telephone numbers evolved from routing mechanisms into identity tokens.
Banking adopted Know Your Customer requirements.
Multi-factor authentication became routine.
Social login linked identity across multiple services.
Each innovation solved an immediate problem.
Very few people viewed them as components of a larger architectural transition.
Only in retrospect does the pattern become obvious.
This suggests something important.
Identity infrastructure rarely arrives fully formed.
It accumulates.
Each generation inherits the mechanisms created by the last and extends them to solve newly emerging coordination problems. The resulting architecture is rarely designed in its entirety by any single institution. It emerges incrementally through decades of technological, commercial and political adaptation.
The Age-Gated Internet should therefore be understood within this historical tradition.
Age assurance is unlikely to be the final destination.
It is simply the next attribute becoming sufficiently valuable to justify standardisation.
That is the distinction this article seeks to make.
The novelty is not identity itself.
The novelty is identity becoming part of the internet’s underlying operating environment.
Historically, identity systems operated at the edge of society.
You presented your passport when crossing a border.
Your driving licence when hiring a vehicle.
Your bank card when making a payment.
Identity was episodic.
It appeared only when a particular transaction required it.
The internet changes that relationship.
Digital platforms are persistent.
Operating systems are persistent.
Applications interact continuously rather than occasionally.
Once identity becomes embedded within those platforms, it moves from the edge of individual transactions towards the centre of the architecture itself.
Identity ceases to be something occasionally requested.
It becomes something continuously available.
That represents a qualitatively different model of digital society.
This is why comparisons with passports or bank accounts, while superficially persuasive, ultimately miss the architectural transition taking place.
A passport does not mediate every social interaction.
A digital identity layer potentially can.
A driving licence does not influence how information propagates across society.
An operating system identity service potentially does.
A bank knows about financial transactions.
A pervasive digital identity ecosystem can become relevant across education, healthcare, commerce, communications, artificial intelligence, social media, entertainment and public services simultaneously.
Scale changes character.
The historical lesson is therefore not that identity inevitably leads to authoritarianism.
History simply does not support that conclusion.
Rather, it teaches something subtler.
Every major expansion of identity infrastructure has been driven by legitimate coordination problems.
Every expansion has created new capabilities.
Those capabilities have subsequently been used in ways that were rarely envisaged when the original systems were introduced.
The challenge facing the Age-Gated Internet is therefore not unprecedented.
Civilisation has encountered this problem many times before.
What is unprecedented is the scale.
For the first time in history, identity is no longer merely documenting participation within society.
It is beginning to mediate participation itself.
That is the architectural transition this series has attempted to explain.
4. The Age-Gated Internet
If institutional convergence explains the direction of travel, we must next ask why identity rather than some other architectural response has emerged.
Up to this point, I have deliberately focused on institutions, incentives and the propagation of governance ideas. None of that, however, explains why these pressures appear to be accelerating so rapidly today. To understand that, we need to step back and consider a more fundamental shift. Artificial intelligence, synthetic media and the collapse in the cost of producing convincing information are changing the economics of legitimacy itself. Once viewed through that lens, many of the developments discussed in this article begin to look less like isolated policy decisions and more like the early stages of a profound architectural transition.
4.1 Synthetic Density and the Crisis of Legitimacy
The rise of AI changes the entire discussion.
Most debates around censorship and moderation still assume relatively human informational environments.
That assumption no longer holds.
Large language models and synthetic systems create effectively infinite informational scale.
Text.
Images.
Video.
Conversation.
Narrative.
Emotion.
Identity.
All can now be generated synthetically at industrial scale.
This transforms the economics of legitimacy.
When synthetic production becomes abundant, human authenticity becomes scarce.
This is one reason identity systems suddenly become so politically and economically important.
Age verification.
Digital identity.
Authenticity infrastructure.
Reputation systems.
Behavioural trust scoring.
These may not simply represent authoritarian ambition.
They may also represent attempts to stabilise legitimacy within synthetic informational environments.
In a world where:
- bots can simulate humans;
- AI can generate persuasive discourse;
- and informational abundance destroys trust;
institutions increasingly seek mechanisms for:
- attribution;
- verification;
- provenance;
- and behavioural accountability.
The internet is gradually transitioning from:
- anonymous informational abundance;
towards:
- authenticated behavioural governance.
That transition has profound civilisational implications.
4.2 Ontological Governance
Modern governance increasingly operates not merely through law or economics, but through:
- perception;
- timing;
- behavioural pacing;
- emotional synchronisation;
- and memetic flow.
Algorithmic systems now shape:
- attention;
- outrage cycles;
- emotional intensity;
- social coordination;
- and collective perception itself.
This creates new governance pressures.
Digitally accelerated societies become difficult to stabilise when:
- informational cycles outpace institutional adaptation;
- emotional contagion spreads virally;
- and legitimacy becomes continuously contested in real time.
Under these conditions, governance increasingly functions as a form of temporal stabilisation.
Moderation systems.
Algorithmic friction.
Content throttling.
Behavioural nudging.
Narrative management.
These mechanisms are often framed in moral or safety language.
But structurally they also function as:
- synchronisation systems for unstable networked societies.
This is why the governance question increasingly transcends traditional politics.
The issue is no longer merely:
- left versus right;
- censorship versus freedom;
- or state versus citizen.
The deeper issue concerns how digitally accelerated civilisations maintain:
- coordination;
- legitimacy;
- behavioural stability;
- and informational coherence.
4.3 The Rise of the Managerial Consensus
Since the Second World War, Western societies have gradually produced increasingly interconnected managerial systems.
These systems span:
- governments;
- multinational corporations;
- finance;
- NGOs;
- universities;
- media;
- philanthropy;
- and regulatory institutions.
This managerial layer increasingly operates transnationally.
Critics often describe this as:
- globalism;
- technocracy;
- neoliberalism;
- or elite governance.
None of these labels fully capture the phenomenon.
A more accurate description may be:
- managed technocratic capitalism.
In this system:
- states;
- regulators;
- multinational capital;
- NGOs;
- and institutional governance systems;
increasingly align around:
- stability;
- predictability;
- reputational management;
- behavioural governance;
- and risk minimisation.
This helps explain the global spread of:
- ESG frameworks;
- stakeholder capitalism;
- resilience rhetoric;
- online harms policy;
- AI governance;
- and harmonised digital regulation.
Again, none of this requires a singular conspiratorial command structure.
Shared incentives and professional-managerial convergence can produce remarkably synchronised outcomes on their own.
This is one reason contemporary governance increasingly feels culturally homogeneous across Western institutional systems.
The same language.
The same assumptions.
The same risk models.
The same governance instincts.
Convergence emerges because institutions increasingly inhabit the same memetic environment.
4.4 Habituation, Drift and Backlash
Large social transformations rarely arrive all at once.
They emerge gradually through:
- normalisation;
- incrementalism;
- adaptive behaviour;
- linguistic reframing;
- and institutional habituation.
Most people do not experience governance drift as dramatic rupture.
They experience it as:
- convenience;
- safety;
- professionalism;
- compliance;
- inevitability;
- or modernisation.
Until eventually the cumulative effect becomes visible.
At that point backlash emerges.
Brexit.
Trump.
Anti-establishment politics.
Distrust of institutions.
Digital scepticism.
Populist movements.
These reactions are not necessarily coordinated either.
They are adaptive responses to:
- perceived over-centralisation;
- institutional homogenisation;
- legitimacy erosion;
- and cultural drift.
Importantly, backlash itself becomes part of the same systemic cycle.
Institutional systems respond to instability by increasing governance.
Increased governance produces further distrust.
Distrust generates populist reaction.
Reaction produces additional stabilisation efforts.
The cycle becomes self-reinforcing.
4.5 The New Digital Settlement
The internet increasingly appears to be evolving towards identity-linked participation, age-gated access, AI moderation, behavioural reputation systems, algorithmic governance and managed authenticity architectures.
Some of this may be necessary.
Large-scale digital societies genuinely create manipulation, exploitation, synthetic propaganda, behavioural engineering and coordination problems.
The broader risk, however, is subtler.
Civilisations do not require overt dictatorship to become heavily managed. Dense institutional systems can gradually narrow acceptable discourse, behavioural possibility, informational freedom and political flexibility through entirely procedural mechanisms. Not because a dictator ordered it, but because every institution independently optimised towards similar governance instincts.
This may ultimately be the defining political transformation of the digital age. Not the rise of singular authoritarianism, but the gradual emergence of highly harmonised governance architectures that nobody fully controls, yet which become increasingly difficult to resist.
The open internet many of us remember was never inevitable. It was the product of a unique historical moment. Human participation was naturally limited, content creation was relatively expensive, identity was largely implicit and authenticity was rarely questioned. Those conditions no longer exist.
Artificial intelligence fundamentally changes the economics of legitimacy. When intelligence becomes abundant, authenticity becomes scarce. When convincing speech becomes effectively free, identity becomes valuable. When synthetic participants can operate indefinitely at almost zero cost, trust itself becomes infrastructure. This is the transition that sits beneath almost every current debate about age verification, digital identity and online governance.
The mistake, I think, is to interpret every individual policy proposal in isolation. Identity systems, provenance frameworks, age assurance, reputation mechanisms and AI moderation are usually presented as discrete responses to discrete problems. Fraud requires stronger identity. Deepfakes require provenance. Child protection requires age assurance. Bot networks require verification. Each intervention appears reasonable when considered on its own merits.
This is why these debates become so polarised. Critics tend to evaluate the cumulative trajectory of the architecture, while policymakers evaluate individual interventions. Both can therefore be internally consistent while talking past one another. One side sees an emerging system. The other sees a sequence of isolated policy decisions. Neither is necessarily wrong. They are simply observing the problem at different scales.
Once enough optimisation pressures align, the architecture begins evolving independently of the intentions of individual actors.
This is the architecture trap.
As governance problems are reframed as architectural problems, governance itself becomes embedded in the network’s infrastructure. It no longer appears political. It appears inevitable. Every additional layer solves a genuine problem, yet the cumulative effect is rarely debated because public attention focuses on individual policies rather than the direction of travel. The age-gated internet is therefore not the destination. It is simply one visible symptom of a much broader architectural transition.
Many people still assume there is an escape route. Leave the mainstream platforms. Move to decentralised services. Return to IRC. Create private Discord servers. Retreat into encrypted chat groups.
I increasingly think this misunderstands the nature of the transition.
Everything ultimately becomes a KYC internet. Not necessarily because governments demand it, but because legitimacy becomes economically scarce. Even communities that reject formal identity eventually develop persistent reputations, trusted members, behavioural norms and informal verification mechanisms. Conversely, spaces that reject every form of identity rapidly become overwhelmed by synthetic participation. There may simply be nowhere left to hide.
I increasingly suspect that “the KYC internet” is not one possible future. It is simply what the internet evolves into once synthetic participation becomes effectively free.
Seen from this perspective, this article is not really about censorship, nor is it ultimately about age verification. Those are visible manifestations of a deeper systems transition. The internet is slowly evolving from a communications network into a governance platform. That transition will shape not only online speech, but identity, commerce, citizenship, democracy and ultimately the relationship between humans and increasingly autonomous digital systems.
Whether this transition proves beneficial or deeply damaging remains an open question. The more immediate challenge is recognising that it is happening at all.
5. The Architecture Choices
If identity infrastructure is indeed emerging, the debate shifts from whether it exists to how it should be designed.
Up to this point, the focus has been explanatory. What is changing? Why are institutions converging? Why is identity becoming infrastructure? Those are important questions, but they are ultimately descriptive rather than prescriptive. If identity-mediated architectures are indeed becoming part of the internet’s future, the debate must now shift from diagnosis to design. The question is no longer simply whether identity should exist. It is what principles should govern the systems we choose to build.
5.1 Could Privacy-Preserving Identity Change This?
At this point, an obvious objection presents itself.
What if we simply build better identity systems?
What if age assurance, digital identity and online authentication could be implemented in ways that preserve anonymity, minimise data collection and prevent unnecessary surveillance? Would that alter the argument developed throughout this article?
The answer, I think, is yes.
But only partially.
Much of the public debate still assumes that digital identity requires individuals to disclose who they are every time they interact online. Increasingly, that assumption is no longer technically correct.
Modern cryptographic techniques allow something considerably more subtle.
Rather than proving identity, they allow users to prove attributes.
A person need not disclose their name to demonstrate they are over eighteen. They need not reveal their date of birth to prove eligibility for age-restricted services. Equally, they may be able to prove professional qualifications, residency or citizenship without exposing unnecessary personal information.
From a privacy perspective, this represents a profound improvement.
Zero-Knowledge Proofs allow one party to demonstrate knowledge of a fact without revealing the underlying information. Selective Disclosure enables users to reveal only those attributes required for a particular interaction. Verifiable Credentials provide cryptographically signed assertions that can be independently verified without repeatedly consulting a central authority. Decentralised Identity seeks to place those credentials under the control of the individual rather than governments or platforms.
Collectively, these approaches represent some of the most significant advances in digital privacy of the past two decades.
If implemented well, they could substantially reduce many of the surveillance risks associated with first-generation identity systems.
That matters.
It is important not to confuse criticism of particular implementations with criticism of the underlying technologies.
However, I do not think these approaches eliminate the broader architectural questions explored throughout this article.
They change how identity is implemented.
They do not fundamentally change where identity sits within the architecture.
Even where only attributes are exchanged, somebody must still issue trusted credentials. Somebody must determine the standards under which those credentials are recognised. Somebody must decide which organisations are authorised to verify them. Somebody must establish liability when credentials are compromised, revoked or fraudulently obtained. Those are governance questions rather than cryptographic ones.
Nor do privacy-enhancing technologies entirely remove the incentives that drive institutional convergence.
Governments still require regulatory assurance.
Platforms still require operational certainty.
Courts still require evidential standards.
Organisations still seek auditability, interoperability and legal defensibility.
Privacy-preserving technologies may satisfy many of these requirements more effectively than traditional identity systems, but they do not make the underlying governance problem disappear.
Indeed, they may simply move it.
The debate shifts from whether identity should exist to how trust should be established, who should issue credentials, which standards should dominate, where liability should reside and how competing identity ecosystems should interoperate.
Those are questions of institutional design rather than technical capability.
In many respects, that is where the discussion ought to be.
Too often the debate is presented as a false binary between complete anonymity and universal identification. The emerging technologies suggest a considerably richer design space in which many identity attributes can be verified without unnecessarily exposing the individual behind them.
That is unquestionably progress.
Yet it would be a mistake to assume that cryptography alone resolves the political, economic and institutional dynamics described throughout this article.
The technologies can make identity substantially more private.
They cannot, by themselves, determine how societies choose to govern identity.
Ultimately, the challenge is not simply building identity systems that are technically secure.
It is building identity architectures whose governance remains proportionate, accountable and compatible with the liberal democratic values they are intended to protect.
That, perhaps, is the harder problem.
5.2 The Architecture Is Not the Policy
One of the easiest mistakes to make when discussing internet governance is to confuse policy with architecture.
They are related.
They are not the same thing.
Policies are expressions of political intent. They are introduced by governments, debated by legislatures, challenged in courts and, at least in democratic societies, can ultimately be amended, repealed or replaced. Governments change. Ministers come and go. Political priorities evolve. A policy that appears inevitable in one Parliament may disappear entirely in the next.
Architecture behaves very differently.
Once embedded into technical infrastructure, architectural decisions acquire a degree of permanence that political decisions rarely enjoy. Software platforms are built around them. Operating systems expose APIs for them. Standards bodies codify them. Vendors incorporate them into products. Organisations redesign their operational processes around them. Entire ecosystems gradually emerge that assume the architecture already exists.
By that stage, removing the architecture is no longer equivalent to repealing the legislation that originally encouraged it.
The infrastructure has developed inertia.
History is full of examples.
The internet still carries design assumptions made during the ARPANET era. The QWERTY keyboard survives despite countless proposals for more efficient layouts. IPv4 continues to underpin much of the world’s networking despite the technical superiority of IPv6, largely because replacing infrastructure at global scale is extraordinarily difficult. Technical decisions accumulate dependencies. Every additional dependency increases the cost of reversal.
Identity infrastructure is unlikely to prove any different.
Suppose age assurance becomes widely deployed. Platforms redesign their onboarding processes. Mobile operating systems begin exposing trusted age-verification services. Identity providers emerge. Regulators develop compliance guidance. Developers build applications that assume trusted identity attributes are available. Commercial products are designed around those assumptions. Users gradually become accustomed to proving attributes rather than simply declaring them.
At that point, the architecture has become self-reinforcing.
A future government might repeal the original legislation.
It cannot simply repeal the ecosystem that has developed around it.
The platforms still possess the capability.
The APIs still exist.
The commercial incentives remain.
The operational processes have already been redesigned.
Future policymakers inherit those capabilities whether they originally wanted them or not.
This is why I think debates framed solely in terms of individual pieces of legislation often miss the more important transition taking place beneath them.
The legislation matters.
But legislation is frequently only the catalyst.
The deeper transformation occurs when policy objectives become embedded within technical infrastructure. Once that happens, future debates are no longer about whether a capability should exist. They are about how, when and by whom that capability should be exercised.
That is a fundamentally different conversation.
It also explains why seemingly modest policy proposals deserve architectural scrutiny.
Any individual measure may appear proportionate when considered in isolation. Age assurance. Identity verification for financial services. Provenance for AI-generated content. Device attestation. Reputation systems. Each can be justified on its own merits. Yet, collectively, they begin constructing a common identity and trust infrastructure that extends far beyond the original problem each was designed to solve.
This is not an argument that such developments are inherently undesirable.
It is an argument that infrastructure has memory.
Architectures persist long after the political debates that created them have faded from public consciousness.
The internet that future generations inherit will not simply reflect the policies we pass today.
It will reflect the architectures we quietly embed beneath them.
5.3 The Difference Between Architecture and Authoritarianism
One final distinction is worth making.
It is entirely possible to oppose authoritarianism whilst recognising that modern societies require governance.
Those are not contradictory positions.
Indeed, liberal democracies have always depended upon institutions capable of enforcing the rule of law, protecting individual rights, maintaining public order and creating the trust necessary for economic and civic life to flourish. Courts require evidence. Financial systems require authentication. Elections require integrity. Public services require citizens to establish who they are. None of these realities is inherently authoritarian.
Nor is digital identity.
There is a tendency within public debate to collapse every discussion of online identity into a false binary. Either identity is presented as the inevitable precursor to mass surveillance, or anonymity is treated as the only legitimate expression of digital freedom. Neither position adequately reflects the complexity of the problem.
The existence of identity infrastructure does not, in itself, determine the character of a society.
Liberal democracies issue passports.
Authoritarian states issue passports.
The document is not what distinguishes them.
The institutions governing its use do.
Exactly the same principle applies online.
The important questions are not simply whether identity exists, but how it is governed, where it is required, who controls it, how long information is retained, who has access to it and what safeguards exist against misuse. Those questions concern constitutional design as much as technological implementation.
That is why I think the debate should move beyond simplistic arguments about identity itself.
The real questions are questions of proportionality.
Is identity required only where genuinely necessary, or has it become the default response to every new problem?
They are questions of reversibility.
Can capabilities introduced for one purpose be limited, withdrawn or dismantled once that purpose has passed, or do they quietly become permanent features of the digital landscape?
They are questions of accountability.
Who decides when identity is required? Who audits those decisions? Who provides independent oversight? What remedies exist when systems fail or powers are abused? Can citizens meaningfully challenge the operation of the infrastructure itself?
These questions are considerably more difficult than simply asking whether identity is good or bad.
They are also considerably more important.
Throughout this article I have argued that the internet appears to be evolving towards increasingly identity-mediated forms of participation. That observation should not be interpreted as an argument against governance. Nor should it be interpreted as a prediction of inevitable authoritarianism.
Architectures create capabilities.
Capabilities create choices.
Political systems determine how those choices are exercised.
Healthy democracies recognise that governance is necessary, but they also recognise that governance must itself remain governed. The purpose of constitutional democracy has never been to eliminate power. It has been to constrain it, distribute it and make it answerable to the people upon whose behalf it is exercised.
That principle does not become less important as the internet evolves.
If anything, it becomes considerably more so.
The challenge, therefore, is not to prevent digital governance from emerging. That seems increasingly unrealistic. The challenge is to ensure that the architectures we build remain consistent with the liberal democratic values they are ultimately intended to protect.
That is a design problem.
Not simply a political one.
5.4 Designing Liberal Identity Infrastructure
If the central argument of this article is broadly correct, then the question is no longer whether digital identity will become more deeply embedded within the architecture of the internet.
The more important question is what kind of identity infrastructure we choose to build.
Architecture is never politically neutral.
Every technical decision embeds assumptions about trust, authority, accountability and power. Those assumptions may appear invisible while the technology is being developed, but they become increasingly difficult to change once deployed at scale. If identity is indeed becoming part of the internet’s underlying infrastructure, then the principles upon which that infrastructure is designed deserve at least as much attention as the policies that first justified its creation.
The first principle should be straightforward.
Verify attributes wherever possible, rather than identities.
In many situations, organisations do not need to know who somebody is. They simply need to know that they possess a particular characteristic. Over eighteen. Qualified to practise. Resident within a particular jurisdiction. Entitled to access a specific service. Wherever those questions can be answered without unnecessarily identifying the individual, they should be.
Closely related to this is the principle of data minimisation.
Systems should collect only the information genuinely required to complete a particular transaction and nothing more. Information that is never collected cannot be leaked, sold, misused or repurposed. The temptation to gather information simply because it may prove useful in future should be resisted wherever possible. History repeatedly demonstrates that today’s optional data collection often becomes tomorrow’s routine surveillance.
Authentication should also remain distinct from behavioural profiling.
Proving that somebody is entitled to access a service is fundamentally different from continuously observing, analysing and predicting their behaviour once they have gained access. Those capabilities are frequently presented as parts of the same technical ecosystem, but they serve very different purposes. One establishes trust. The other accumulates power. Conflating the two risks transforming identity from a mechanism of authentication into an instrument of behavioural governance.
Equally important is preserving space for anonymous and pseudonymous participation wherever the risks genuinely permit it.
The early internet demonstrated that anonymity can foster creativity, dissent, experimentation and democratic participation. It can also facilitate abuse. Neither observation invalidates the other. The challenge is therefore not to eliminate anonymity altogether, but to recognise that different environments justify different levels of assurance. Purchasing alcohol is not equivalent to participating in a public discussion forum. Accessing classified government systems is not equivalent to contributing to an open-source software project. Identity requirements should remain proportionate to the risks they are intended to address.
Good architectures should also be reversible.
One of the recurring themes throughout this article has been that infrastructure tends to outlive the political circumstances that created it. That makes reversibility a design principle rather than an afterthought. Identity capabilities should be capable of being withdrawn, reduced or redesigned without requiring the reconstruction of the entire digital ecosystem. Systems that cannot be rolled back eventually cease to be policy choices and become permanent features of the environment.
Where practical, identity infrastructure should also favour decentralisation over unnecessary concentration of authority.
No single organisation should become the unavoidable gateway to digital participation. Competition between trusted issuers, interoperable standards and open protocols is almost always healthier than dependence upon a single platform, government department or commercial provider. Concentrated power may simplify administration, but it also concentrates systemic risk.
Finally, surveillance should remain exceptional rather than becoming normal.
Exceptional powers have always existed within liberal democracies. Courts issue warrants. Police conduct investigations. Intelligence agencies operate under legal authority. These powers are justified precisely because they are exceptional, targeted and subject to oversight. The danger arises when exceptional capabilities quietly become routine features of everyday life. A society in which every interaction is potentially observable by default is not merely a more efficient version of today’s internet. It represents a qualitatively different relationship between citizens, institutions and the state.
None of these principles requires abandoning digital identity.
Nor do they require rejecting governance.
Rather, they recognise that governance itself must remain governed. Technical capability should never become its own justification. The fact that something can be built does not answer the question of whether it should become universal, nor under what conditions it should operate.
Ultimately, liberal democracies are distinguished not by the absence of power, but by the constitutional constraints placed upon its exercise. The same principle should apply to the digital infrastructures now emerging around us.
If identity is becoming part of the internet’s architecture, then the architecture itself must embody the same values we expect from the societies it is intended to serve.
Otherwise, we risk discovering too late that we designed highly trustworthy systems which gradually became considerably less free.
5.5 Remembering Is Easy. Forgetting Is Civilisation.
Every civilisation develops mechanisms for remembering.
History matters. Contracts matter. Criminal convictions matter. Property ownership matters. Democracies depend upon institutional memory because accountability is impossible without it.
But healthy societies also develop mechanisms for forgetting.
Minor offences become spent. Bankruptcy eventually ends. Juvenile records are treated differently from adult convictions. People apologise. Reputations recover. Communities forgive. Individuals are allowed to outgrow earlier versions of themselves. Liberal democracies have long recognised that justice is not simply about accountability. It is also about proportionality, rehabilitation and the possibility of redemption.
In other words, civilisation depends not merely upon memory.
It depends upon forgetting.
The internet has traditionally exhibited a curious balance between the two. Although information could persist indefinitely, much of it gradually disappeared from practical reach. Websites closed. Links decayed. Forums vanished. Search engines changed. Finding something written fifteen years earlier often required deliberate effort. Technical permanence did not necessarily imply social permanence.
Artificial intelligence changes that relationship.
Storage is effectively free.
Search is becoming increasingly semantic.
Archives that once required days of manual investigation can now be interrogated in seconds. Images, conversations, videos and documents can be indexed, summarised, correlated and retrieved almost instantaneously. Identity systems make it increasingly possible to connect those fragments across years or even decades of a person’s digital life.
The result is an internet that remembers by default.
That may appear attractive from the perspective of accountability.
It is considerably more troubling from the perspective of liberty.
Human beings change.
The opinions we held at eighteen are not necessarily those we hold at forty. Careers evolve. Beliefs mature. Mistakes are recognised. People learn. One of the defining characteristics of liberal societies has always been the assumption that individuals are capable of becoming something other than the sum of their past actions.
Architectures that never forget quietly challenge that assumption.
They encourage permanent reputation rather than earned reputation.
Permanent attribution rather than contextual judgement.
Permanent visibility rather than proportional accountability.
The consequence is not simply greater surveillance.
It is behavioural adaptation.
People become more cautious.
Less willing to experiment.
Less willing to challenge prevailing opinion.
Less willing to admit uncertainty or change their minds.
The architecture does not merely record behaviour.
It begins shaping it.
This is another reason I think discussions about digital identity are too often framed in overly simplistic terms. The question is not merely whether systems should know who we are. It is whether those systems should remember indefinitely, correlate indefinitely and preserve indefinitely. Those are separate design decisions, yet they are increasingly being treated as though they were inseparable.
I do not believe they are.
A liberal identity architecture should be capable of forgetting as well as remembering.
Information should expire unless there is a compelling reason for it not to. Identity should establish trust where trust is genuinely required, not create an immutable behavioural ledger from which individuals can never meaningfully escape. The burden should increasingly fall upon those wishing to retain information indefinitely, not upon individuals attempting to reclaim a degree of obscurity.
Perhaps this is one of the most important design principles of all.
Remembering is technologically easy.
Forgetting requires conscious architectural choice.
Civilisation has always depended upon making that choice wisely. The internet should be no different.
5.6 What Would Falsify This Model?
Every useful model should be capable of being wrong.
That is one of the distinguishing characteristics of serious analysis. A framework that explains every possible outcome ultimately explains nothing. If there is no conceivable evidence that could cause a theory to be revised, then it has ceased to be an analytical model and has become an article of faith.
The arguments developed throughout this series are no exception.
I believe the evidence increasingly supports the view that the internet is evolving towards an identity-mediated architecture, driven by a combination of technological change, institutional convergence, commercial incentives and governance pressures. However, that remains a model of how the system appears to be evolving today. It is not a claim that history has already been written.
Several developments would require this model to be reconsidered.
The first would be if identity remained permanently confined to age assurance.
If age verification proved to be a genuinely isolated intervention, limited to protecting children from age-restricted content and never expanded into broader identity, reputation or provenance systems, then many of the architectural concerns raised in this article would become considerably less significant. The infrastructure would remain narrowly scoped rather than becoming a general-purpose trust layer.
Secondly, the model would weaken if anonymous participation continued to be the default mode of internet interaction.
Anonymous and pseudonymous communication has always been one of the defining characteristics of the web. If the overwhelming majority of online participation continued to occur without identity becoming either technically or commercially advantageous, then the predicted architectural transition would simply not have occurred.
Similarly, the model would require revision if the major platforms began moving away from identity infrastructure rather than towards it.
If operating systems removed identity services rather than expanding them, if platforms dismantled trust frameworks rather than strengthening them, or if provenance systems failed to achieve meaningful adoption, then the evidence would increasingly point towards a different evolutionary trajectory.
The same would be true if privacy-preserving identity technologies became the dominant implementation model.
If attribute verification consistently displaced identity disclosure, if Zero Knowledge Proofs, Verifiable Credentials and selective disclosure became the normal means by which trust was established online, then many of the concerns surrounding surveillance, behavioural profiling and centralised identity mediation would be substantially reduced. The internet might still become more trustworthy without necessarily becoming significantly more identifiable.
Finally, the model would weaken if liability shifted away from identity and back towards enforcement.
One of the recurring themes throughout this series has been that identity architectures redistribute responsibility. Rather than attempting to detect and remove harmful behaviour after it occurs, they increasingly seek to reshape the environment in which participation takes place. If governments and platforms instead returned to prioritising conventional investigation, law enforcement, targeted intervention and post-event accountability without expanding identity infrastructure, then one of the principal drivers identified in this article would lose much of its explanatory power.
Taken together, these conditions provide a useful test.
If identity remains narrowly constrained, anonymity remains economically viable, privacy-preserving credentials become the dominant architecture and institutions increasingly favour enforcement over identity mediation, then this model should be revised accordingly.
Conversely, if identity attributes continue to accumulate, operating systems expose ever richer trust services, provenance becomes a prerequisite for participation, and liability continues migrating from enforcement towards architecture, then the model gains explanatory strength with each successive development.
That is how systems models should work.
They should not ask the reader to believe.
They should invite the reader to observe.
The purpose of this article is therefore not to predict the future with certainty, but to propose a framework against which the future can be judged. If the coming decade unfolds differently, then the model should change.
If it unfolds broadly as described here, then perhaps we are witnessing not a temporary regulatory moment, but the emergence of a fundamentally new phase in the evolution of the internet.
5.7 Liberal Identity Design Principles
If the arguments developed throughout this article are broadly correct, then arguing simply for or against digital identity is no longer sufficient.
Identity infrastructure is emerging.
The more useful question is what principles should govern its design.
Liberal democracies have always recognised that the existence of power is less important than the constraints placed upon its exercise. The same philosophy should apply to digital identity. Rather than asking whether identity should exist, we should ask what kind of identity architecture remains compatible with open societies.
Several principles appear particularly important.
The first is that systems should verify attributes wherever possible rather than identities.
In many situations, organisations do not need to know who somebody is. They simply need to know that a particular condition has been satisfied. Over eighteen. Resident within a particular jurisdiction. Professionally qualified. Entitled to receive a service. Wherever those questions can be answered without unnecessarily revealing personal identity, they should be. Authentication should disclose only what is required to establish trust and nothing more.
Secondly, systems should collect the minimum information necessary to fulfil their purpose.
Data collection has a tendency to expand over time. Information gathered for one objective frequently becomes useful for another. The simplest way to prevent inappropriate secondary use is often not to collect the information in the first place. Information that never exists cannot be breached, sold, correlated or repurposed. Data minimisation is therefore not merely a privacy principle. It is an architectural principle.
Authentication should also remain separate from behavioural profiling.
Establishing that an individual is entitled to participate is fundamentally different from continuously analysing how they behave once they have entered the system. Those two capabilities serve entirely different purposes. One establishes trust. The other accumulates behavioural knowledge. Combining them transforms identity from a mechanism of authentication into a mechanism of continuous observation.
Anonymous and pseudonymous participation should remain possible wherever the risks genuinely permit it.
Not every interaction carries the same consequences. Purchasing alcohol presents different risks from commenting on an online forum. Accessing classified government systems differs fundamentally from participating in an open-source software project. Liberal societies have always recognised that proportionality matters. Identity requirements should reflect the risks being managed rather than becoming the default solution to every problem.
Identity architectures should also avoid unnecessary centralisation.
Trust does not require monopoly. Multiple competing credential issuers, interoperable standards and open protocols are generally healthier than systems dependent upon a single commercial platform or government authority. Concentrated control simplifies administration, but it also concentrates risk. Competition, portability and interoperability should therefore be treated as constitutional characteristics of identity infrastructure rather than optional technical features.
Good architectures should preserve reversibility.
One of the recurring themes throughout this series has been that infrastructure possesses inertia. Systems introduced to solve today’s problems often remain long after those problems have changed. Identity capabilities should therefore be designed to support withdrawal, modification and replacement. An architecture that cannot be rolled back gradually ceases to be a policy choice and becomes a permanent feature of society.
Similarly, systems should be designed to forget as well as remember.
Human societies depend upon accountability, but they also depend upon rehabilitation, forgiveness and proportionality. Permanent attribution should require justification. It should not become the default operating condition of digital life. Identity systems should support expiry, data minimisation and limited retention wherever possible. A society that remembers everything may eventually discover that it has forgotten how to forgive.
Surveillance should remain exceptional rather than routine.
Liberal democracies have traditionally accepted that intrusive powers may occasionally be necessary. They have not accepted that every citizen should therefore be monitored continuously. Identity should establish trust where trust is genuinely required. It should not become the foundation for universal behavioural observation simply because the technical capability exists.
Finally, identity infrastructure should itself remain accountable.
The architecture should be independently auditable. Citizens should understand what information is collected, who controls it, how long it is retained and how decisions may be challenged. Oversight should be institutional rather than discretionary. Open standards should be preferred over opaque proprietary mechanisms. Identity systems should ultimately remain accountable to the societies they serve, not merely to the organisations that operate them.
Taken individually, none of these principles is especially radical.
Taken together, however, they describe a very different philosophy from one in which identity becomes an increasingly centralised, permanent and continuously observable feature of digital life.
That distinction matters.
The future debate should not be framed as a choice between identity and anonymity.
Nor between governance and freedom.
The real choice is between different kinds of architecture.
One treats identity as a narrowly constrained mechanism for establishing trust.
The other allows identity to become the organising principle around which digital society itself is increasingly constructed.
That choice has yet to be made.
It is also one that will shape the character of the internet for decades to come.
5.8 Counterarguments and Steelmanning
Any serious systems model should spend at least as much time engaging with its strongest critics as its strongest supporters.
The arguments presented throughout this series are no exception.
If identity infrastructure is becoming embedded within the architecture of the internet, there are good reasons why many governments, regulators, technologists and ordinary citizens support that direction. Dismissing those arguments would not merely be intellectually dishonest. It would weaken the analysis itself.
The strongest case for identity infrastructure begins with children.
The scale of online exploitation, grooming, exposure to inappropriate material and criminal abuse is real. These are not hypothetical problems invented to justify new powers. They represent genuine societal harms that technology has made significantly easier to perpetrate and considerably harder to police. Any responsible government has both a legal and moral obligation to attempt to reduce those harms.
Age assurance is therefore not an irrational response.
Nor is it necessarily a disproportionate one.
Similarly, the growth of financial fraud, organised cybercrime and identity theft creates powerful incentives to strengthen digital authentication. Modern economies increasingly depend upon remote interactions between people who have never met. Establishing trust in those environments is difficult. Stronger identity systems offer an obvious mechanism for reducing fraud, protecting consumers and increasing confidence in digital commerce.
Again, these are legitimate objectives.
Artificial intelligence introduces another powerful argument.
Synthetic media, autonomous agents and industrial-scale bot networks increasingly undermine confidence in what people see, hear and read online. If nobody can distinguish genuine human participation from synthetic participation, public trust inevitably deteriorates. Provenance systems, authenticated identities and stronger trust frameworks therefore appear attractive not because institutions necessarily seek greater control, but because authenticity itself is becoming economically scarce.
This is perhaps the strongest argument of all.
There is also a persuasive democratic argument.
Liberal societies already require identity in many areas of public life. Voting, banking, taxation, healthcare, professional regulation and criminal justice all depend upon some form of trusted identity. Extending comparable mechanisms into parts of the digital world does not necessarily represent an unprecedented expansion of state authority. It may simply reflect the increasing importance of the internet within everyday civic life.
Many people therefore conclude that identity online is not only reasonable.
It is overdue.
These arguments deserve to be taken seriously.
Indeed, much of this article implicitly accepts them.
The disagreement is not primarily about the legitimacy of the problems.
It is about the architectural consequences of the solutions.
The existence of genuine harms does not automatically imply that every identity-based intervention is proportionate.
Nor does it follow that because one identity attribute proves useful, additional attributes should naturally accumulate around the same infrastructure.
Similarly, acknowledging the need for stronger authentication in banking does not necessarily imply that social interaction, political discourse or everyday communication should become identity-mediated by default.
These are separate questions.
Throughout this series I have attempted to distinguish carefully between policy intent and architectural consequence.
A government may introduce age assurance solely to protect children.
That does not determine how the resulting infrastructure may subsequently be used.
A platform may introduce provenance to combat AI-generated misinformation.
That does not determine whether the same infrastructure later becomes useful for other forms of behavioural governance.
Likewise, recognising the genuine benefits of stronger identity does not eliminate the need to ask difficult constitutional questions.
How much identity is proportionate?
Who controls it?
Who audits it?
Can it be reversed?
Can it be challenged?
Can it be used for purposes beyond those originally envisaged?
Those questions remain regardless of how legitimate the original policy objective may have been.
Ultimately, I do not believe the debate is between those who support identity and those who oppose it.
That framing is too simplistic.
The real debate is between different conceptions of what identity should become.
One vision sees identity as a narrowly constrained trust mechanism, carefully limited to those circumstances where it delivers clear public benefit.
The other allows identity gradually to become the organising principle through which participation itself is increasingly mediated.
Both seek safer digital societies.
Both seek greater trust.
Both seek to reduce harm.
The disagreement lies not in the destination.
It lies in the architecture chosen to reach it.
That is why this article has focused less on whether identity is desirable than on how identity changes the structure of the internet itself.
The answers to those questions will shape digital society long after today’s individual policy debates have faded from memory.
6. Civilisational Implications: Looking Beyond the Age-Gated Internet
Stepping back further, these developments can be understood as part of a much broader transition affecting economics, technology and civilisation.
The preceding chapters have argued that identity infrastructure is emerging through the interaction of technology, institutions, economics and governance. Those explanations are individually persuasive, but together they point towards something larger. The Age-Gated Internet is not the destination. It is a symptom. To understand why, we need to step back once more and examine the broader forces reshaping information, intelligence and civilisation itself.
6.1 The Architecture Trap
One of the recurring patterns in the history of technology is that successful architectures rarely remain confined to the problem they were originally created to solve.
They expand.
Not because somebody necessarily planned the expansion, but because once an architectural capability exists, it becomes increasingly difficult not to use it elsewhere.
This is what I think of as the Architecture Trap.
The process is almost always incremental.
A new capability is introduced to solve a specific and generally uncontroversial problem. It may be age assurance to protect children. Provenance to identify AI-generated content. Device attestation to reduce malware. Identity verification to combat financial fraud. Viewed individually, each proposal can usually be defended on its own merits. Each addresses a genuine problem. Each appears proportionate to the risks it is intended to mitigate.
The architecture is therefore built.
Once it exists, however, new possibilities immediately emerge.
If the infrastructure can verify age, why not verify professional qualifications?
If it can verify professional qualifications, why not citizenship?
If it can establish citizenship, why not residency?
If it can establish residency, why not voting eligibility?
If it can verify identity for financial crime, why not for misinformation?
If it can distinguish between humans and bots, why not between trusted and untrusted participants?
None of these questions is inherently unreasonable.
That is precisely the point.
Each successive extension appears rational when considered in isolation.
Each solves another legitimate problem.
Each improves another aspect of governance.
Each attracts another constituency arguing that the capability already exists and that failing to use it would itself be irresponsible.
Very few architectural transitions occur through a single revolutionary decision.
Most occur through accumulation.
Capability is added.
Standards evolve.
APIs expand.
Developers build upon them.
Regulators reference them.
Commercial products depend upon them.
Users adapt to them.
The architecture quietly acquires new responsibilities that were never envisaged when the original system was designed.
This process is remarkably familiar elsewhere.
The internet itself was never originally designed to support streaming video, global social networks or industrial-scale artificial intelligence, yet each successive generation of applications built upon the capabilities inherited from the last. GPS was developed primarily for military navigation before becoming foundational to logistics, smartphones, agriculture and countless civilian services. Payment networks evolved from facilitating transactions into platforms for identity, fraud detection and behavioural analytics. Infrastructure has a habit of accumulating purpose.
Digital identity is unlikely to be an exception.
Indeed, because identity sits so close to trust itself, it may prove particularly susceptible to architectural expansion. Every new societal problem involving authenticity, accountability or legitimacy naturally creates pressure to reuse the identity capabilities that already exist rather than constructing entirely new systems.
This is where the trap lies.
At no point does any individual expansion necessarily appear disproportionate.
At no point does society consciously decide to construct a comprehensive identity-mediated internet.
Yet, after enough individually reasonable decisions, that is precisely where the architecture may arrive.
The cumulative effect is rarely debated because public discussion almost always focuses on the latest policy proposal rather than the trajectory of the architecture itself. Each new capability is evaluated against the problem immediately in front of it. Very few people step back and ask what happens when every one of those individually sensible decisions is viewed together as a single evolving system.
Architecture does not evolve by revolution.
It evolves by accretion.
Layer upon layer.
Requirement upon requirement.
Capability upon capability.
Until one day we discover that we are no longer debating individual features at all.
We are debating an entirely different internet from the one we thought we were building.
6.2 The Myth of Escape
Whenever discussions about digital identity become heated, someone inevitably proposes an escape route.
“If the mainstream internet becomes identity-mediated, people will simply move elsewhere.”
At first glance, that seems entirely plausible.
The internet has always been remarkably good at routing around obstacles. New platforms emerge. Communities migrate. Alternative technologies appear. If one environment becomes too heavily governed, surely people will simply build another.
I am no longer convinced that this remains true.
The assumption rests upon a view of the internet that increasingly belongs to the past rather than the future.
The early web was built around an implicit assumption that human participation was scarce. Creating content required time, effort and, above all, people. Anonymous participation therefore carried relatively little systemic cost because most participants were, in fact, genuine human beings. Abuse certainly existed, but it remained bounded by the economics of human attention.
Artificial intelligence changes that equation fundamentally.
The cost of generating convincing text, images, audio and video is rapidly approaching zero. More importantly, the cost of generating convincing participants is approaching zero. Synthetic engagement can now be produced at industrial scale. Entire conversations can be automated. Communities can be simulated. Consensus can be manufactured. Attention itself can be manipulated through software rather than people.
This changes the economics of every online environment.
The traditional answer to increasing governance has always been, “We’ll simply create another forum.”
But another forum solves very little if it immediately fills with bots, synthetic identities and algorithmically generated conversation.
We are already beginning to see precisely this phenomenon.
Many smaller discussion platforms, anonymous chat systems and independent communities increasingly struggle to distinguish genuine participants from automated ones. Moderation becomes harder. Trust deteriorates. Reputation systems become easier to manipulate. Communities fragment as confidence in authenticity declines.
Ironically, the spaces that once represented an escape from institutional governance may become the places where authenticity is hardest to establish.
This creates a profound architectural pressure.
Not because governments demand identity.
Because participants begin demanding provenance.
Who is speaking?
Is this person real?
Has this image been manipulated?
Did a human actually write this?
Can this account be trusted?
These questions arise regardless of legislation.
They emerge naturally from the economics of synthetic participation.
That is why I increasingly think the debate has moved beyond age verification, online harms or even digital identity in the narrow sense.
Artificial intelligence is steadily transforming authenticity into an economically valuable resource.
As authenticity becomes scarce, systems capable of establishing provenance become correspondingly valuable.
The result is that identity infrastructure ceases to be merely a regulatory requirement.
It becomes a competitive advantage.
This is why I think the idea of an internet existing permanently outside identity infrastructure is becoming increasingly difficult to sustain.
There will undoubtedly continue to be anonymous spaces.
There should.
Anonymity remains essential for whistleblowers, political dissidents, investigative journalism, vulnerable communities and countless other legitimate activities. Liberal democracies should preserve those spaces wherever possible.
The question is whether anonymous participation remains the default architecture of the internet.
I increasingly suspect it will not.
Not because governments outlaw it.
Not because platforms necessarily prefer otherwise.
But because environments incapable of establishing trust become progressively less usable as synthetic participation increases.
The future therefore may not divide into a “KYC internet” and a separate anonymous internet.
Instead, we are likely to see a continuum of assurance, with different environments demanding different levels of provenance according to the risks they face. Banking will require stronger identity than gaming. Government services stronger than discussion forums. Professional networks stronger than hobbyist communities. The architecture becomes differentiated rather than uniform.
That distinction matters.
The real question is no longer whether identity appears within the architecture of the internet.
In many respects, that transition is already underway.
The question is how that identity is governed, how proportionately it is applied, how privacy is protected, and whether the resulting architecture strengthens liberal democracy or quietly undermines it.
That, ultimately, is the negotiation that lies ahead.
6.3 The Unbundled Web
One of the reasons debates about internet governance have become so polarised is that people increasingly struggle to explain how remarkably similar ideas appear across governments, regulators, technology companies and international organisations at almost the same time.
For many observers, only two explanations seem possible.
Either somebody is coordinating everything.
Or it is all an extraordinary coincidence.
I increasingly think both explanations miss something fundamental.
The internet itself has changed.
In The Web Unbundled, I argued that we no longer inhabit a single public internet. Instead, we inhabit thousands of overlapping, semi-private networks through which ideas propagate largely beyond public view.
Slack workspaces.
Discord servers.
Signal groups.
WhatsApp communities.
Microsoft Teams.
Private LinkedIn groups.
Invite only forums.
Professional associations.
Industry conferences.
Academic workshops.
Think tank roundtables.
Government advisory groups.
Most of the conversations that shape institutional thinking no longer happen in public.
They happen inside these overlapping networks.
Ideas propagate.
They are debated.
Refined.
Rejected.
Improved.
Carried by people moving between organisations.
By consultants.
Researchers.
Civil servants.
Lawyers.
Engineers.
Policy advisers.
Executives.
Nobody necessarily coordinates the process.
The network performs that function itself.
By the time a particular idea finally appears as legislation, corporate policy or international guidance, much of its evolutionary journey has already taken place behind closed doors.
The public sees the output.
Not the propagation.
This changes how convergence appears.
Twenty years ago, if governments across several countries adopted similar language, journalists could often trace where those ideas originated. Papers were published. Debates were public. Conferences were reported. The propagation pathway remained broadly visible.
Today, much of that pathway has disappeared.
Ideas move through thousands of partially connected private spaces that few outsiders ever observe.
The internet has not become more transparent.
In many respects, it has become considerably more opaque.
Ironically, this opacity makes conspiracy theories more attractive.
When people repeatedly observe identical policy language, remarkably similar governance proposals and apparently synchronised institutional behaviour, yet cannot observe the conversations that produced them, hidden coordination becomes an understandable explanation.
Sometimes it is even correct.
Governments coordinate.
Regulators cooperate.
Standards bodies exist precisely to create consistency.
But coordination is no longer the only mechanism capable of producing convergence.
Dense professional networks can generate remarkably similar outcomes without requiring central direction.
The propagation itself becomes distributed.
The convergence emerges naturally.
Seen in this light, the modern internet has quietly inverted one of its founding promises.
The early web made information visible.
The post-LLM web increasingly obscures the pathways through which ideas themselves evolve.
The conversations shaping tomorrow’s governance architectures still happen online.
They simply no longer happen where the public can see them.
Understanding that distinction helps explain why institutional convergence increasingly resembles orchestration from the outside, even when much of it may instead be the natural consequence of highly connected professional ecosystems continuously selecting, refining and propagating the ideas that best solve the problems they collectively face.
This, perhaps, is one of the defining characteristics of the modern internet.
Not simply that information has become abundant.
But that the evolution of ideas has become progressively invisible.
6.4 Societal Evolution
Throughout this article I have argued that the Age-Gated Internet should not be understood as a collection of isolated policies. It is better understood as the visible expression of a much deeper process of societal adaptation. To understand why these architectural changes appear to be emerging almost everywhere at once, we need to zoom out much further than internet governance itself.
We need to look at civilisation.
In my Societal Evolution series, I argued that civilisations evolve not simply through political events or technological breakthroughs, but through successive transformations in how human beings coordinate with one another. Each major step in human history has fundamentally altered the mechanisms through which trust is established, knowledge is transmitted, authority is exercised and cooperation is organised.
Agriculture allowed permanent settlement.
Permanent settlement produced villages.
Villages became cities.
Cities required administration.
Administration required writing.
Writing enabled law.
Law enabled increasingly complex states.
Money transformed exchange.
Printing transformed knowledge.
The telegraph collapsed geography.
The internet collapsed communication.
Artificial intelligence is now beginning to collapse cognition itself.
None of these transitions was merely technological.
Each fundamentally altered the operating system of civilisation.
Each expanded the scale at which humans could cooperate.
Each solved existing coordination problems whilst simultaneously creating entirely new ones.
Writing preserved knowledge.
It also enabled bureaucracy.
Printing democratised information.
It also accelerated propaganda.
The telegraph connected continents.
It also centralised decision making.
The internet liberated publishing.
It also industrialised misinformation.
Artificial intelligence amplifies human capability.
It also industrialises synthetic participation.
Every coordination technology changes the environment in which society subsequently evolves.
Identity infrastructure should be viewed through precisely this lens.
It is not simply another government policy.
Nor is it merely another technology.
It is an emerging coordination mechanism.
As participation becomes increasingly synthetic, authenticity becomes increasingly valuable. As authenticity becomes increasingly valuable, mechanisms for establishing trust become increasingly important. Age assurance, provenance, behavioural reputation, identity credentials and algorithmic trust all begin to appear, not because they were necessarily conceived as parts of a single grand design, but because they represent increasingly effective solutions to the coordination problems created by the previous technological transition.
This is why I find explanations based entirely upon conspiracy increasingly unsatisfactory.
Complex societies rarely require comprehensive central planning to evolve coherent structures.
Developmental biology provides an interesting analogy.
Morphogenesis describes the process through which highly organised biological forms emerge without any individual cell possessing a complete blueprint for the organism as a whole. Each cell responds only to local signals, chemical gradients and interactions with its immediate neighbours. Yet collectively, remarkably ordered structures emerge.
Whether or not one accepts the more speculative theories surrounding morphogenetic fields is almost beside the point.
The metaphor remains extraordinarily useful.
Modern institutional societies appear to behave in remarkably similar ways.
Governments respond to domestic political pressures.
Technology companies respond to commercial incentives.
Regulators respond to legislative obligations.
Academics respond to research funding.
Standards bodies respond to interoperability problems.
Investors respond to risk.
Each actor optimises locally.
None necessarily possesses a comprehensive blueprint for the future of the internet.
Yet collectively they generate governance architectures that appear, viewed from sufficient distance, almost deliberately designed.
The coherence is real.
The central designer may not be.
That does not imply inevitability.
Evolution is not destiny.
History contains many abandoned technologies, failed institutions and evolutionary dead ends. Societies adapt. They also change direction. Political choices matter. Technological innovation matters. Public resistance matters. The future remains contingent upon decisions that have yet to be made.
What evolution suggests, however, is that environmental pressures strongly influence which solutions survive.
Artificial intelligence has changed the environment.
Synthetic participation has changed the environment.
Institutional liability has changed the environment.
The economics of governance have changed the environment.
It would therefore be surprising if the internet did not evolve in response.
The important question is not whether evolution occurs.
It always does.
The important question is which values become embedded within the architectures that evolution produces.
That, ultimately, is the question this entire series has been attempting to explore.
Not simply how the internet is changing.
But how civilisation itself is adapting to an age in which intelligence, authenticity and trust are all being fundamentally redefined.
6.5 Hard-Wired Wetware, the Asymmetric Integration Model, and the Unified Theory of Digital Evolution
By this point it should be clear that this article is about considerably more than age assurance.
The Age-Gated Internet is one manifestation of a much broader transformation that is taking place across the internet, economics, institutions and civilisation itself.
That broader transformation is explored throughout my Hard-Wired Wetware series, particularly through the Asymmetric Integration Model (AIM).
The fundamental proposition is simple.
For the first fifty years of the internet, humans were the primary producers of cognition. People wrote the articles. People held the conversations. People created the software. People generated the trust upon which digital society operated. Computers stored, transmitted and indexed that human cognition, but they did not meaningfully compete with it.
Artificial intelligence changes that assumption completely.
For the first time in history, cognition itself becomes industrialised. Machines can now generate text, software, images, music, analysis, education, companionship and increasingly sophisticated reasoning at a scale that dwarfs human production.
Human cognition ceases to be the scarce resource around which the internet is organised.
Synthetic cognition arrives.
That inversion changes everything.
When intelligence becomes abundant, authenticity becomes scarce. When content becomes effectively unlimited, legitimacy becomes economically valuable. When anyone can generate convincing information, proving that something genuinely originated from a trusted human becomes increasingly important.
Identity stops being merely an account.
It becomes infrastructure.
Trust stops being primarily social.
It becomes computational.
This is precisely what the Asymmetric Integration Model predicts.
AIM argues that humans and artificial intelligence are not converging into a single homogeneous intelligence. Instead, they occupy fundamentally different roles within the same ecosystem.
Artificial intelligence increasingly provides abundant cognition.
Human beings increasingly provide legitimacy, accountability, consent, values and trust.
The relationship is therefore asymmetric.
The more capable synthetic cognition becomes, the more valuable verified humanity becomes.
Viewed through that lens, many of the developments discussed throughout this article cease to appear disconnected.
Age assurance is not simply about protecting children.
It is one of the first large-scale attempts to build legitimacy into an internet where identity can no longer be assumed.
Similarly, the architectural changes explored elsewhere fit together naturally.
The Age-Gated Internet explains what institutions are building.
The Web Unbundled explains how ideas, standards and architectures propagate through increasingly decentralised digital ecosystems.
Societal Evolution explains why civilisations repeatedly reorganise themselves when technological environments fundamentally change.
Hard-Wired Wetware explains what artificial intelligence changes, and why those changes force every other layer to evolve.
These are not four independent theories.
They are one model observed at four different scales.
At the technological scale, we observe intelligence becoming abundant. At the network scale, we observe information flows reorganising. At the institutional scale, we observe new mechanisms for identity, trust and governance emerging. At the civilisational scale, we observe society adapting to a new evolutionary environment.
Each explains a different layer of the same phenomenon.
Taken together they describe a single transition.
The internet is evolving from an ecosystem organised around information scarcity into one organised around authenticity scarcity.
Civilisation is evolving from systems designed to distribute knowledge into systems designed to establish legitimacy.
Artificial intelligence is not replacing humanity.
It is changing what humanity is economically and socially valuable for.
That, ultimately, is the central thesis running through all four bodies of work.
Not four theories.
One theory.
Viewed through four different lenses.
6.6 Scarcity and the Authenticity Economy
If I had to reduce this entire trilogy to a single idea, it would not be age assurance.
It would be scarcity.
Every major phase of economic and civilisational development has been defined by the resource that society regarded as scarce. Markets emerge to allocate scarce resources efficiently. Institutions evolve to govern them. Technologies emerge to exploit them. Civilisation reorganises itself around them.
Scarcity is the engine.
Everything else is adaptation.
The Industrial Revolution was organised around energy.
Coal.
Steam.
Electricity.
Oil.
The Information Age shifted that scarcity.
Information became valuable because it was difficult to create, distribute and retrieve. The internet dramatically reduced those costs. Search engines, databases and digital networks transformed information from something physically constrained into something globally accessible.
For a time, information itself became abundant.
Attention then became the scarce resource.
Social media platforms did not create this scarcity.
They simply recognised it.
When everyone could publish, the limiting factor ceased to be information.
It became human attention.
An entire digital economy emerged around capturing, measuring, monetising and retaining it.
Advertising.
Recommendation algorithms.
Engagement optimisation.
Influencer economies.
Subscription platforms.
All were responses to the same underlying scarcity.
Artificial intelligence changes the equation once again.
For the first time, cognition itself is becoming abundant.
Machines can increasingly generate software, images, analysis, music, research, education, conversation and reasoning at costs approaching zero. Tasks that once required hours of skilled human effort can now be completed in seconds.
This is not simply automation.
It is the industrialisation of cognition.
That changes what becomes scarce.
If anyone can generate convincing text, then text loses much of its value.
If anyone can generate convincing images, images become less trustworthy.
If anyone can simulate expertise, expertise becomes more difficult to verify.
If synthetic participation becomes effectively unlimited, genuine human participation becomes increasingly valuable.
Authenticity becomes scarce.
This is the transition that I believe sits beneath every argument developed throughout this series.
Age assurance.
Digital identity.
Provenance.
Trust frameworks.
Behavioural reputation.
Verified credentials.
AI watermarking.
Device attestation.
These are often discussed as independent technologies responding to independent policy problems.
I increasingly think they are responses to the same economic transition.
They are attempts to manage authenticity scarcity.
This is also why identity infrastructure should not be viewed primarily as a regulatory phenomenon.
Markets are already responding.
Identity providers emerge because authenticity has value.
Age assurance companies emerge because legitimacy has value.
Credential wallets emerge because provenance has value.
Verification services emerge because trust has value.
The commercial ecosystem is responding to the same scarcity that institutions are attempting to govern.
Economics and governance begin reinforcing one another.
This observation also connects the broader body of work that I have developed over recent years.
The Age-Gated Internet examines how institutions respond once authenticity becomes economically valuable.
The Web Unbundled explains how information itself has fragmented into increasingly opaque networks through which ideas evolve beyond public visibility.
Societal Evolution explores how civilisations repeatedly reorganise themselves whenever new coordination technologies fundamentally alter the environment.
Hard-Wired Wetware examines what artificial intelligence changes when cognition itself becomes abundant through the Asymmetric Integration Model.
These are not separate research projects.
They are successive layers of the same explanatory framework.
At the technological layer, artificial intelligence industrialises cognition.
At the economic layer, authenticity becomes scarce.
At the network layer, information propagation reorganises.
At the institutional layer, governance architectures evolve.
At the civilisational layer, society adapts.
The consequence is profound.
For most of human history, trust was largely a by-product of human interaction.
Increasingly, trust becomes something that must itself be engineered.
Not because societies suddenly desire more control.
But because the underlying economics of authenticity have fundamentally changed.
This is why I believe the debate surrounding digital identity is often framed too narrowly.
The question is not whether age assurance is desirable.
Nor whether digital identity is inevitable.
The deeper question is what happens to civilisation when authenticity becomes the scarcest resource in the digital economy. Everything else follows from the answer. That may ultimately prove to be the defining economic transition of the twenty-first century. Not the automation of labour. Not the digitisation of commerce. But the emergence of authenticity as the most valuable commodity in an age of unlimited synthetic cognition.
7. Wrapping Up: Design Principles for the Next Internet
If there is one conclusion I have reached while researching and writing this series, it is that governance itself is not the problem.
Every successful civilisation develops mechanisms for establishing trust, resolving disputes, protecting the vulnerable and coordinating collective action. The internet was never going to remain permanently exempt from those pressures. As it became central to commerce, education, politics, finance and everyday life, some degree of governance was not only predictable, it was probably unavoidable.
Governance, in that sense, is inevitable.
What is not inevitable is the form that governance takes.
There is an important distinction between governance and centralisation, yet they are too often treated as though they were synonymous. A society can establish trust through diverse, interoperable and decentralised institutions just as readily as it can through a single central authority. Open standards, competing identity providers, cryptographic credentials and distributed trust models all demonstrate that coordination does not necessarily require concentration of power.
Centralisation is a design choice.
Not an unavoidable consequence.
The same applies to identity itself.
Throughout this series I have argued that digital identity is becoming an increasingly important component of internet architecture. That should not be mistaken for opposition to identity. Identity has genuine value. It enables trust. It reduces fraud. It protects critical services. It supports commerce. It allows institutions to function. Used proportionately and transparently, it is an entirely legitimate part of a modern digital society.
Surveillance is something altogether different.
Knowing that somebody satisfies the conditions required to access a service is not the same as continuously observing, recording, analysing and predicting every aspect of their behaviour. Liberal democracies have traditionally recognised that distinction. Authentication establishes trust. Surveillance accumulates power. Conflating the two risks transforming systems designed to enable participation into systems that increasingly shape, monitor and constrain it.
If identity is becoming infrastructure, then that infrastructure should also preserve the possibility of change.
One of the recurring themes throughout this article has been that architectures possess inertia. They outlive governments, survive legislative cycles and gradually become embedded within the assumptions of the societies that use them. For precisely that reason, they should be designed to remain reversible wherever possible. Capabilities introduced to solve today’s problems should not become permanent features simply because removing them later proves inconvenient. Good architecture preserves options. Poor architecture quietly removes them.
Ultimately, the challenge facing us is not whether we build an identity-mediated internet.
I increasingly suspect that process is already underway.
The challenge is ensuring that the architectures we construct remain compatible with the values of the societies they are intended to serve. Liberal democracies should never assume that today’s governments, today’s regulators or today’s commercial incentives will necessarily resemble those of twenty or fifty years from now. Institutions change. Political priorities change. Technologies certainly change.
Architecture persists.
That is why constitutional principles matter just as much in software as they do in government.
If we design systems that assume every future institution will act wisely and proportionately, we will almost certainly be disappointed. If, instead, we design systems that constrain power, minimise unnecessary disclosure, preserve reversibility, distribute trust and remain accountable to the societies they serve, then identity infrastructure can strengthen democratic institutions without quietly becoming something they were never intended to be.
The future of the internet will not be determined solely by the technologies we invent.
It will be determined by the principles we choose to embed within them.
8. Conclusion: Surviving the Convergence
The overlaps documented by Mike Benz and Michael Shellenberger deserve serious attention.
Institutional coordination exists.
Governance convergence exists.
Speech-governance infrastructure clearly expanded after 2016.
The relationship between governments, platforms, NGOs and institutional actors became significantly more integrated.
At the same time, the strongest explanation may not be:
- omnipotent conspiracy;
- or random coincidence.
It may instead be:
- institutional convergence;
- memetic propagation;
- adaptive governance behaviour;
- legitimacy preservation;
- and systems drifting towards stability-oriented consensus.
Modern societies increasingly resemble self-regulating informational networks in which:
- governments;
- regulators;
- corporations;
- NGOs;
- platforms;
- media systems;
- and governance actors;
continuously adapt to one another.
The danger is not merely censorship.
The danger is gradual harmonisation.
A narrowing of behavioural possibilities.
A convergence of governance instincts.
The emergence of managed legitimacy systems.
And digital architectures that evolve organically towards behavioural control without requiring singular authoritarian intent.
That possibility is considerably more difficult to confront because it lacks a singular villain.
No smoke-filled room.
No omnipotent mastermind.
No simple revolution capable of resetting the system.
Only institutions under pressure.
Networks adapting to instability.
And societies are gradually reorganising themselves around governance architectures designed to preserve coherence amid accelerating informational complexity.
Perhaps this is simply what mature infrastructures become. Roads become regulated. Financial systems become regulated. Airspace becomes regulated. Electricity grids become regulated. Perhaps sufficiently important information networks always evolve towards governance because civilisation itself ultimately depends upon them. If so, the real question is not whether governance emerges, but how much freedom survives once it does.
The real question is no longer whether someone is redesigning the internet. The real question is whether sufficiently large digital civilisations inevitably redesign themselves.
Every civilisation builds mechanisms for establishing trust between strangers.
- Markets required contracts.
- Industrial society required institutions.
- The internet required cryptography.
- The AI era increasingly demands authenticity.
The question is no longer whether digital identity will become foundational. The question is what principles will govern it, who will control it, and how liberal democratic values can be preserved as identity becomes part of the internet’s core architecture.
This article is probably best read alongside The Age-Gated Internet, The Web Unbundled, Societal Evolution and Hard-Wired Wetware, all of which examine different aspects of the same underlying transition from an open communications network to an increasingly governed socio-technical infrastructure.
Author’s note: This essay is a systems analysis rather than an allegation of coordinated wrongdoing. It distinguishes between documented evidence, reasonable inference, and speculation throughout. Readers are encouraged to consult the primary sources referenced and reach their own conclusions.
9. References
9.1 Primary Investigations and Key Commentators
9.1.1 Mike Benz
Foundation for Freedom Online. https://foundationforfreedomonline.com/
X: @MikeBenzCyber. https://x.com/MikeBenzCyber
Key topics covered across Benz’s work:
- Twitter Files and government-platform coordination
- Global Engagement Center (U.S. State Department)
- Election Integrity Partnership
- Internet freedom and democracy-promotion programmes
- CISA and domestic disinformation infrastructure
- Atlantic Council and related networks
9.1.2 Michael Shellenberger
Public. https://public.news/
X: @shellenberger
Books:
- San Fransicko: Why Progressives Ruin Cities (2021)
- Apocalypse Never: Why Environmental Alarmism Hurts Us All (2020)
Congressional testimony: Shellenberger, Michael. Testimony before the House Judiciary Select Subcommittee on the Weaponization of the Federal Government, March 9, 2023.
9.2 Twitter Files (Primary Releases)
Matt Taibbi
Twitter Files archive: https://twitterfiles.substack.com/
Michael Shellenberger
Public (Twitter Files contributions): https://public.news/
Bari Weiss
The Free Press: https://www.thefp.com/
Lee Fang
David Zweig
The Free Press: https://www.thefp.com/
Major Twitter Files releases (2022–2023) document government requests for content moderation, visibility filtering, trusted flagger systems, and coordination involving the FBI, DHS, State Department Global Engagement Center, and external partners.
9.3 Government and Institutional Sources
- CISA (Cybersecurity and Infrastructure Security Agency). Election Security. https://www.cisa.gov/topics/election-security
- U.S. Department of State. Global Engagement Center. https://www.state.gov/bureaus-offices/under-secretary-for-public-diplomacy-and-public-affairs/global-engagement-center/
- Stanford Internet Observatory. https://cyber.fsi.stanford.edu/io
- Election Integrity Partnership. https://www.eipartnership.net/
- Graphika. https://graphika.com/
- NewsGuard. https://www.newsguardtech.com/
- Atlantic Council. Digital Forensic Research Lab (DFRLab). https://www.atlanticcouncil.org/programs/digital-forensic-research-lab/
9.4 Legislation and Regulation
Age verification and online safety legislation have accelerated globally since 2023–2025, driven by concerns over child protection, but with significant variation in scope, method, and enforcement. The United States relies on a state-level patchwork (with Texas as the constitutional test case), while the UK, EU, and Australia have pursued more centralized regulatory models. Brazil and others are now following with their own frameworks.
This creates a fragmented but converging global trend toward embedding age (and eventually broader identity) attributes into internet infrastructure.
9.4.1 United States
9.4.1.1 Federal Level
No comprehensive federal age-verification or online-safety law has been enacted as of July 2026. Several bills have been introduced (including app store age verification and parental consent requirements), but none have passed into law.
9.4.1.2 State Level – Pornography / Adult Content Age Verification
As of mid-2026, approximately 25 states have enacted laws requiring age verification for websites where a significant portion of content is deemed “harmful to minors” or sexually explicit. These laws typically mandate commercial age verification (government ID, transactional data, or approved third-party methods).
Key examples and status:
- Texas HB 1181 (2023) — Upheld by the U.S. Supreme Court on June 27, 2025 in Free Speech Coalition, Inc. v. Paxton. The Court ruled that states may require age verification for adult content without violating the First Amendment (intermediate scrutiny applied). This is the most significant ruling to date and has influenced other states.
- Louisiana (first state, 2022/2023)
- Arkansas, Virginia, Utah, Montana, North Carolina, Florida, Indiana, Idaho, Kentucky, Nebraska, Georgia, Alabama, Kansas, Oklahoma, Mississippi, South Carolina, South Dakota, Wyoming, North Dakota, Missouri, Arizona, Ohio (active laws as of 2025–2026)
Many of these laws have led platforms (e.g., Pornhub/Aylo) to block access in those states rather than implement verification.
9.4.1.3 State Level – Broader App Store and Social Media Age Assurance
- Texas SB 2420 (App Store Accountability Act) — Requires age verification and parental consent for app downloads and in-app purchases. Allowed to take effect by the U.S. Supreme Court in July 2026 (litigation ongoing on the merits).
- Utah — Similar app store age verification requirements.
- California AB 1043 (Digital Age Assurance Act) — Requires operating systems to collect age during setup and share age-range signals with apps (effective January 1, 2027).
- Multiple states have also passed or are advancing social media age-appropriate design codes, parental consent requirements, and restrictions on algorithmic feeds for minors.
The U.S. landscape remains a patchwork of state laws with ongoing litigation.
9.4.2 United Kingdom
- Online Safety Act 2023 https://www.legislation.gov.uk/ukpga/2023/50/contents
- Ofcom guidance on “highly effective age assurance” (2025) — Applies to pornography and other high-risk content. Methods include facial age estimation, open banking, photo-ID matching, mobile network checks, and digital identity services. Enforcement began July 2025 for pornographic content.
9.4.3 European Union
- Digital Services Act (DSA) — Especially Article 28 on protection of minors https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
- European Commission Age Verification Blueprint (July 2025; enhanced version April 2026) — Privacy-preserving solution using selective disclosure and aligned with the EU Digital Identity Wallet.
- EU Digital Identity (eIDAS 2.0) Regulation and European Digital Identity Wallet rollout (target: end of 2026) https://digital-strategy.ec.europa.eu/en/policies/european-digital-identity
Several Member States (France, Germany, Spain, etc.) have implemented or are strengthening national rules for adult content age verification, often backed by the DSA.
9.4.5 Australia
- Online Safety Act 2021 (as amended 2024) — Social Media Minimum Age framework (under-16 account restrictions) effective 10 December 2025.
- eSafety Commissioner regulatory guidance on Social Media Minimum Age obligation (September 2025) and Age-Restricted Material Codes.
- Platforms must take “reasonable steps” to prevent under-16s from having accounts. Layered age assurance is encouraged; government ID cannot be the sole method.
Australia currently operates one of the most ambitious minimum-age frameworks for social media globally.
9.4.6 Other Jurisdictions (Selected)
Canada — Proposed Digital Safety / Online Harms legislation (Bill C-34, introduced 2026) includes age verification and social media access restrictions for minors.
Brazil — Digital Statute of Children and Adolescents (Estatuto Digital da Criança e do Adolescente, 2025). Effective March 2026. Requires effective age verification and parental/guardian linking for users under 16 on social media and certain platforms. Significant fines for non-compliance.
France — Strengthened age verification requirements for adult content websites (with ISP blocking for non-compliance). Proposals for tighter social media restrictions for under-15s under discussion.
Germany — Long-standing youth protection rules; enforcement tightened in late 2025, including pressure on payment processors for non-compliant platforms.
Malaysia — Online Safety Act and Child Protection Code (effective 2026) — Requires verification against government records for major platforms.
9.5 Technical Standards and Privacy-Preserving Technologies
- W3C. Verifiable Credentials Data Model v2.0. https://www.w3.org/TR/vc-data-model-2.0/
- OpenID Foundation. https://openid.net/
- NIST. Digital Identity Guidelines (SP 800-63-4). https://pages.nist.gov/800-63-4/
- Matthew Green. Cryptography Engineering (blog on zero-knowledge proofs and related primitives). https://blog.cryptographyengineering.com/
- IETF CFRG (Crypto Forum Research Group) documents. https://datatracker.ietf.org/wg/cfrg/documents/
9.6 Academic Literature
Institutional Isomorphism and Systems Theory (Core Theoretical Foundation) DiMaggio, Paul J., and Walter W. Powell. “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields.” American Sociological Review 48, no. 2 (1983): 147–160.
Memetics Dawkins, Richard. The Selfish Gene. Oxford: Oxford University Press, 1976 (Chapter 11).
New Institutionalism and Institutional Change March, James G., and Johan P. Olsen. “The New Institutionalism: Organizational Factors in Political Life.” American Political Science Review 78, no. 3 (1984): 734–749. North, Douglass C. Institutions, Institutional Change and Economic Performance. Cambridge: Cambridge University Press, 1990.
Governance and Collective Action Ostrom, Elinor. Governing the Commons: The Evolution of Institutions for Collective Action. Cambridge: Cambridge University Press, 1990.
Philosophy of Science and Paradigm Shifts Kuhn, Thomas S. The Structure of Scientific Revolutions. Chicago: University of Chicago Press, 1962 (50th anniversary edition, 2012).