When the people who could fix a problem never learn it's broken, the feedback loop is severed. Voluntary coordination mechanisms rarely repair it. The rare cases where they did close share specific conditions worth examining.
The clearest case is HTTPS adoption, and what stands out is how slowly the chokepoint was applied.
In 2015, roughly 40% of Chrome's page loads used HTTPS. Certificates cost around $100 each. The security community had been advocating for encrypted connections for years. Two things changed the trajectory.
Let's Encrypt launched its public beta in December 2015 and began issuing free certificates at scale. By September 2018, a million certificates a day. This removed the cost of compliance, a necessary precondition. But the adoption curve barely moved until Chrome started using its chokepoint.
Chrome 56 in January 2017 marked HTTP pages collecting passwords as "Not Secure." Chrome 62 extended this to any page with input fields. Chrome 68, in July 2018, marked every HTTP page "Not Secure." The Chrome security team had proposed specific adoption thresholds years earlier: when secure origins exceed 75%, start marking non-secure pages. They waited until the numbers supported each escalation. By 2020, HTTPS usage was above 95%.
Each step was calibrated so the warning would feel like a nudge rather than a disruption. Chrome held 57% of desktop browser share. A blanket "Not Secure" label in 2016 would have been too disruptive; by mid-2018, enough of the web had already migrated that the remaining operators faced a clear signal through a channel they could not ignore. A site operator who skipped HTTPS saw their visitors confronted with a warning label. No working group convened.
GDPR enforcement tells a messier story, but the mess is revealing. Total fines have exceeded €7.1 billion since 2018, with over 60% issued after January 2023. Meta received a record €1.2 billion fine in May 2023 for data transfers to the United States.
What followed was compliance and defiance simultaneously. Meta changed its legal basis for behavioral advertising from "Legitimate Interests" to "Consent" and adopted the EU-U.S. Data Privacy Framework. It also appealed the fine, sought to annul the EDPB's authority to overrule the Irish regulator, and continued operating its advertising business throughout. A DLA Piper chair described the fines as:
"In effect a 'data tax' when doing business in Europe."
For a company with Meta's advertising revenue, even a billion-euro penalty is absorbable.
What seems to have produced actual behavioral change was the accumulation: the €1.2 billion fine, plus Norway's threatened €100,000 daily escalating penalty, plus the prospect of a transfer suspension order. Fines calibrated to global turnover. Daily compounding. Operational disruption on the horizon. Any single mechanism was absorbable. In combination, they bent the loop enough to force structural adaptation, even from a company with resources to litigate indefinitely.
The conditions that closed these loops share a specific shape. Someone occupied a chokepoint and was willing to use it. The cost of compliance was reduced beforehand. And consequences escalated, arriving as a sequence of increasing pressure rather than a single event that could be absorbed and forgotten. These conditions are rare. They require institutional actors with both the leverage and the willingness to impose costs on parties who would prefer to remain insulated. Browsers had that leverage. European regulators, imperfectly, had it too. For most severed feedback loops, no such actor exists. The coordination frame persists because the alternative requires an institution willing to make powerful parties uncomfortable. Most institutions would rather convene a working group.