Everything I have argued across this series — that age checks inspect the messenger, that circumvention follows the cheapest door, that the harm lives in functions the law doesn't name — has been, technically, a prediction. Predictions are cheap. So let me spend this instalment on something dearer: evidence.
Because we do not have to imagine how a national age-verification regime performs against real teenagers and real demand. We built one. On 25 July 2025 the Online Safety Act's age checks for pornography came into force, and a year of data has now accumulated. The spring's social media rules will run on the same machinery, against the same adversary, obeying the same economics. So the honest question is not "will it work?" but "what did it already do?"
The answer is genuinely mixed, and I want to give every part of it its due — including the parts that cut against my own scepticism.
What it did do
Let me lead with the case for the prosecution's opponents, because it is real. The checks were not ignored. Age-verification providers reported 5.7 million age checks in the first weekend alone; one identity provider counted seven million people through its system within weeks. Traffic to the large compliant sites fell off a cliff — Pornhub's owner reported UK traffic down seventy-seven per cent. If your measure of success is "fewer visits to the big regulated platforms", the gate unquestionably moved the number.
And the strongest version of the defenders' argument deserves stating plainly, because it is not stupid: even leaky friction has a floor effect. A curious eleven-year-old who hits a wall, and doesn't yet know about VPNs or proxies or borrowed IDs, may simply stop — and that child was worth protecting, and arguably was. The age-verification industry's line is that the VPN surge only matters "if it was a lot of eight-year-olds", and there is a real point buried in the glibness: the youngest and least technical children are exactly the ones a crude gate does deter. I have argued all series that defaults and friction work on the unmotivated. This is that principle collecting its honest win.
Where the traffic actually went
Now the case for the prosecution — which is, unfortunately, the larger pile of evidence.
That seventy-seven per cent did not vanish into abstinence. Pornhub's own people were blunt about it: the users "are just going to other websites." A Washington Post investigation in August 2025 found that of the ninety largest adult sites reaching the UK, fourteen simply ignored the law — and those non-compliant sites saw their traffic surge as the compliant ones bled. Read that carefully, because it is the whole series in one statistic: the law moved traffic from the sites that take child-safety seriously to the sites that don't. The regulated platform with a trust-and-safety team lost, and the offshore site that never answered a letter won. That is the enforcement inversion from part three, no longer as a prediction but as measured market share.
Then the VPNs, which part one opened with: a 1,400% overnight surge in signups, sustained. And Ofcom's own finding that roughly a third of UK users opted out of verification altogether — a third, walking around the gate on day one. The demand did not fall. It relocated, exactly as the cheapest-door economics said it would, to VPNs, to the fourteen sites that shrugged, and to every route this series has catalogued.
So the gate deterred the youngest and least determined — a real gain — while redirecting everyone else toward the least accountable corners of the internet. Both things are true. A serious policy has to hold both, and most of the debate holds only whichever one flatters its side.
The cost nobody put on the invoice
But here is the part that turns a mixed verdict into, for me, a losing one — and it is the part the social media debate has barely begun to reckon with.
To check an age, you must collect an identity. A face, a government ID, a credit record — something that proves the human is old enough. Multiply that across a nation and you have built something new: a vast, permanent, centralised store of exactly the data that ruins lives when it leaks. An identity honeypot.
This is not hypothetical either. In October 2025, a third-party vendor handling age checks for Discord suffered a breach that exposed around 70,000 government ID photographs. Sit with the specifics. Not usernames. Not passwords. Photographs of passports and driving licences, handed over by people trying to comply, sitting in a supply-chain vendor most of them had never heard of, now in the hands of whoever wanted them.
And a face, unlike a password, does not reset. The line security people keep repeating about this is the truest sentence in the whole debate: a breached password can be changed; a breached faceprint is compromised forever. We spent two decades teaching people that their identity documents are precious and should be surrendered rarely and carefully. Age verification asks them to hand those documents to a shifting cast of third-party vendors as the routine price of using the internet — and the teenagers, meanwhile, are buying pre-verified accounts on Telegram and holding video-game faces up to the camera. We are collecting the crown jewels of the compliant majority to inconvenience a determined minority who have already moved on.
As a security architect, I assess a control by weighing what it prevents against what it introduces. A gate that deters some young children, redirects everyone else to worse places, and builds a nationwide identity-breach waiting to happen is not obviously a control at all. It may be a net increase in harm, wearing the costume of protection.
What this predicts for the spring
The social media age checks arriving next spring are the pornography gate's machinery, pointed at a larger population and a stickier product. Every mechanism this series has described — VPNs, proxies, the browser-in-a-browser, the federated and offshore platforms with nobody to serve — is already in the hands of exactly the teenagers the rules will target, because they have spent a year practising on the porn gate. We are not running the experiment. We are running the sequel, having declined to read the reviews of the first film.
The youngest children will be deterred somewhat, which matters. The determined majority will relocate, as they already have. And a fresh identity honeypot will be assembled — larger this time, because social media dwarfs pornography in reach. If the first gate is the guide, spring will deliver a modest, real protection for the very young, purchased at the price of pushing older teenagers toward less accountable spaces and building a data breach the size of the country.
What to do tonight, regardless
The porn gate carries one precise lesson for parents, and it is not about pornography. It is this: do not mistake a compliant platform for a safe one, or a walled platform for an inaccessible one. The child who cannot reach Pornhub can reach the fourteen sites that ignored the law — and the same will be true, in the spring, of every banned app and the unregulated places it displaces users toward.
Two things follow. First, when you are asked to verify your own age online — and you increasingly will be — treat your identity documents as the precious things they are: prefer providers that check and delete over those that check and keep, and understand that every upload is a small deposit into somebody's honeypot. Second, keep doing the unglamorous thing this whole series keeps returning to: the device-level controls that travel with the child, and the conversation about why that travels with them further still. The gate the government builds will leak. The habits you build won't.
Next in the series: what would actually work — the version of this I would build if someone handed me the pen instead of the critique.