Snapshot: The developments that made waves
AI governance
Two European Parliament committees have formed a joint working group to oversee the implementation of the AI Act. The AI Act officially came into force on 1 August 2024. It will be fully applicable 24 months after its entry into force, except for bans on prohibited practises, which will apply 6 months after the entry into force date; codes of practise (9 months after entry into force); general-purpose AI rules including governance (12 months after entry into force); and obligations for high-risk systems (36 months).
Top competition authorities from the EU, the UK, and the USA have issued a joint statement emphasising the importance of fair, open, and competitive markets in developing and deploying generative AI.
Serbia unveiled a new AI Development Strategy 2024–2030, aiming to nurture a vibrant AI ecosystem in the country. Government agencies in Australia must disclose their use of AI within six months under a new policy effective from 1 September.
OpenAI and Anthropic have agreed to collaborate with the US Artificial Intelligence Safety Institute on research, testing, and evaluating their advanced AI models. Elon Musk revived his lawsuit against OpenAI and Sam Altman, alleging that the company shifted its focus from advancing AI for humanity to commercial gain.
Technologies
Researchers at the University of California Davis Health have developed a highly accurate brain-computer interface (BCI) that can translate brain signals into speech with 97% accuracy.
Neuralink, the brain-computer interface company owned by Elon Musk, has successfully implanted its BCI in a second patient. Neuralink reported that the device allows the patient to control digital devices with their mind, for example, playing video games and using computer-aided design (CAD) software.
Infrastructure
Sri Lanka’s parliament amended its telecommunications law to permit Elon Musk’s Starlink to commence operations there. Nokia and Telecom Egypt have announced a new partnership to introduce 5G technology in Egypt. The Nigerian Communications Commission (NCC) has introduced regulations to enhance telecom service quality in Nigeria, setting key performance indicators (KPIs) for 2G, 3G, and 4G networks.
The South African telecoms industry is intensifying its push for digital content and service providers to contribute financially to expanding and maintaining the country’s network infrastructure.
Cybersecurity
NATO has announced the establishment of the NATO Integrated Cyber Defence Centre (NICC), aimed at bolstering the alliance’s cyber defence capabilities.
The UK and France will launch a consultation to address the proliferation and irresponsible use of commercial cyber intrusion tools.
Kaspersky Lab closed its US offices following a ban by the US Commerce Department, which prohibits the firm from selling its software to US customers.
An undisclosed victim paid $75 million to the Dark Angels ransomware group, setting a record for the largest ransomware payout.Halliburton, a major US oilfield services company, suffered a cyberattack on 21 August. The company acknowledged that data was accessed and removed but stated that the incident is not expected to impact its operations significantly.
Digital rights
Türkiye restored access to Instagram after a nine-day ban, which had been imposed due to the platform’s failure to comply with local laws and sensitivities. The restriction was lifted after Instagram’s parent company, Meta, agreed to cooperate with Turkish authorities.
On 22 August, Nepal lifted its ban on TikTok more than nine months after blocking the platform due to the disruption of social harmony and goodwill caused by the misuse of the app.
Iran’s Supreme Council of Cyberspace issued a directive endorsed by Supreme Leader Ayatollah Ali Khamenei that prohibits the use of virtual private networks (VPNs) unless authorised by authorities.
Legal
Meta Platforms agreed to a USD 1.4 billion settlement with the US state of Texas over allegations of illegally using facial-recognition technology to collect biometric data without consent. Nigeria imposed a USD 220 million fine on Meta for ‘multiple and repeated’ breaches of local consumer data protection laws in a move to enforce data privacy regulations. A federal judge in Brazil has issued a ruling forcing WhatsApp to limit data sharing with other companies in the Meta group.
A US appeals court has reinstated a lawsuit against Google, allowing Chrome users to pursue claims that the company collected their data without permission. The case centres on users who chose not to synchronise their Chrome browsers with their Google accounts, yet allege that Google still gathered their information.
California is codifying AI protections for performers into law: California’s state Senate passed two bills: AB 2602, requiring explicit consent from performers for creating digital replicas in various media, and AB 1836, mandating consent from deceased performers’ estates for similar digital recreations.
Internet economy
Antitrust regulators had a busy summer. A US judge ruled that Google violated antitrust law by spending billions to establish an illegal monopoly as the world’s default search engine. The company lost its case against Epic Games, and a US judge ordered Google to provide Android users with more ways to download apps outside of its Play Store. Google is set to face a critical antitrust trial as the US Department of Justice targets the tech giant’s advertising practices, accusing the company of using its dominance to stifle competition and harm news publishers. Across the pond, the UK’s antitrust watchdog is examining Google parent Alphabet’s partnership with AI startup Anthropic to assess its impact on market competition.
Google is not the only company in the crosshairs of the antitrust regulators. Apple’s App Store is being investigated by Spain’s antitrust regulator, the CNMC, for alleged imposition of unequal commercial conditions on developers of mobile applications sold through its platform. The French competition authority has officially launched an investigation into chipmaker Nvidia for suspected anti-competitive behaviour.
UNCTAD published the Digital Economy Report 2024, which stresses the need for sustainable and inclusive digitalisation strategies. It highlights the growing environmental impact of the digital economy, including increased energy use and digital waste.
Development
The EU’s Ecodesign for Sustainable Products Regulation (ESPR) came into force on 18 July, mandating Digital Product Passports (DPPs) for most products (excluding food and medicine) by 2030.
The G20 Task Force 05 on Digital Transformation has unveiled a policy brief titled ‘Advocating an International Decade for Data under G20 Sponsorship’, highlighting the fundamental role of accessible and responsibly re-used data in driving social and economic development, particularly in the context of emerging technologies like AI.
Sociocultural
A coalition of 21 states and over 50 US lawmakers has supported the US Justice Department’s mandate requiring ByteDance to sell TikTok’s US assets by 19 January 2025 or face a ban. Meta’s Oversight Board has issued a decision on how to moderate posts about armed groups in Venezuela amid ongoing violence and protests. The Malaysian government will collaborate with Worldcoin to enhance national digital ID verification.
The end of the illusion of cyberspace?
Tech CEOs are finding out the hard way that no matter how powerful their platforms are, there’s no dodging the law.
The Durov case. At the end of August, Pavel Durov, the founder of Telegram, a messaging app known for its strong encryption and commitment to user privacy, was detained by French authorities.
There’s a long list of charges: of complicity in operating an illegal online platform; possessing and distributing child pornography; drug trafficking; organised fraud; and criminal association. Additional charges involve laundering proceeds from criminal activities and the unauthorised provision of cryptology services.
Durov has since been granted bail, but the investigation continues. The case could answer the question: Does a platform owner hold any responsibility for what is published on their sites/apps? The outcome of the case could have significant implications for social media platforms’ compliance with various regulatory requirements, as well as the future of digital communication and free speech.
X banned in Brazil. Free speech on social media is the crux of another legal case in which a tech oligarch is battling a country. Musk’s feud with Brazil’s Supreme Court started in April this year when Justice Alexandre de Moraes ordered that X block certain accounts accused of spreading misinformation and hate speech – orders which X initially refused to follow, but later complied with.
Mid-August, X announced that it would cease operations in Brazil immediately, claiming that Moraes threatened to arrest X’s legal representative in the county if X did not comply with orders to remove certain content from the platform. Moraes did not comment on this, but he then gave X 24 hours to appoint a new local representative, as Brazilian law requires companies to have representation in the country. The deadline passed, and X company did not name a representative. The outcome: X is blocked in Brazil.
The ban will last until X complies with all court orders, names a legal representative, and pays all fines. The local accounts for Starlink, another company owned by Musk, are also blocked until X pays the fines, a decision that has been criticised because Starlink has nothing to do with the X case. Meanwhile, Brazilians are joining Bluesky (started by Twitter’s founder Jack Dorsey) in troves.
These developments highlight the core tension between cyberspace and real space. Once, there was a belief that the virtual world – the home of bits and bytes and endless data streams – was somehow distinct from the tangible world we inhabit. In the early days of the internet, the virtual world felt like a vast, uncharted frontier – a place where the rules of the physical world didn’t seem to apply.
But this so-called cyberspace was never a separate reality; it was an augmentation, a different layer of the same world we already knew. The concept of punishment in the digital world was, and remains, a legal reality. Those who are accused of cybercrimes or do not comply with national laws are not sent to some virtual holding cell; they face real-world justice systems, real-world courts, and real-world fines and prisons.
UN approves landmark cybercrime convention
After years of negotiations, the UN member states at the Ad Hoc Committee (AHC) adopted the draft of the first globally binding legal instrument on cybercrime.
The convention’s adoption has proceeded despite significant opposition from civil society and tech companies, who have raised concerns about the potential risks of increased surveillance. Stakeholders emphasised the urgent need for a treaty focused on core cybercrime offences, strengthened by robust safeguards. It was also hard to imagine that states would reach a consensus given how many issues they disagreed on earlier. A snapshot of the debates at the last session of the AHC follows.
Debates about the convention’s title, scope, and terminology. The majority of delegations advocated for a succinct title, suggesting ‘United Nations Convention Against Cybercrime’ for clarity’s sake. However, the term cybercrime has not been agreed upon by all states in the use of terms. The title ‘Draft United Nations convention against cybercrime’ was adopted with a subtitle: ‘Strengthening international cooperation for combatting certain crimes committed by means of information and communications technology and for the sharing of evidence in electronic form of serious crimes’.
Negotiations on the conventions’s scope resulted in the adoption of Article 4, which says:
1. In giving effect to other applicable United Nations conventions and protocols to which they are Parties, States Parties shall ensure that criminal offences established in accordance with such conventions and protocols are also considered criminal offences under domestic law when committed through the use of information and communications technology systems.
2. Nothing in this article shall be interpreted as establishing criminal offences in accordance with this Convention.
Human rights protections and safeguards. States held differing views to the chair’s proposal for Article 6.2, which suggested adding the phrase ‘and in a manner consistent with applicable international human rights law’ to address concerns about human rights safeguards. Negotiations resulted in the adoption of Article 6, which says:
1. States Parties shall ensure that the implementation of their obligations under this Convention is consistent with their obligations under international human rights law.
2. Nothing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms, including the rights related to freedom of expression, conscience, opinion, religion or belief, peaceful assembly and association, in accordance with applicable international human rights law.
A significant portion of the session was dedicated to debating Articles 14 and 16 on child sexual exploitation material and the dissemination of intimate images, respectively. Concerns were raised about the phrase without right in these articles, which some member states felt could potentially legitimise access to such material. In the end, both articles were adopted containing the phrase without right.
Ratification and following steps. After exchanging different views, states agreed on the threshold of 40 ratifications. They also adopted Article 61, which stipulates that the convention may be supplemented by one or more protocols. Article 62 specifies that at least 60 signatory parties shall be required before any supplementary protocol is considered for adoption by the Conference of the States Parties. If consensus on the protocol isn’t reached, the protocol can still be adopted if it receives a two-thirds majority vote from the states parties present and voting at the meeting of the Conference of the States Parties.
Reservations. Some countries announced reservations. For example, Russia highlighted that it dissociates itself from the consensus on the title of the convention and intends to make an interpretive statement when signing or ratifying this instrument. Nigeria also dissociated itself from specific provisions, particularly those in Article 14, arguing that they were inconsistent with its domestic laws and cultural norms.
Explore the convention’s contents with our AI assistant, and read our detailed analysis of the last round of the negotiations.
How was the first UN cybercrime convention adopted? What was the last round of negotiations about?
Major trade agreement unveiled at WTO
The co-conveners of the World Trade Organization (WTO) Joint Initiative (JI) on Electronic Commerce – Australia, Japan, and Singapore – have published a stabilised text of an Agreement on Electronic Commerce, a significant milestone after almost seven years of discussions and negotiations.
Why is the agreement significant? So far, e-commerce and digital trade regulations have been handled mainly through preferential trade agreements (PTAs) among countries. Creating a specific WTO agreement on e-commerce would help standardise e-commerce rules globally, making it easier for everyone to do business in the digital age.
What’s in the Agreement on Electronic Commerce? The text contains provisions to:
- Promote the facilitation of digital trade within and between countries, including by fostering the adoption of electronic signatures and invoices.
- Make international digital trade more reliable and affordable by working together on cybersecurity risks.
- Ban customs duties on digital content among participating countries.
- Protect online consumers from misleading and fraudulent activities.
- Protect the personal data of consumers.
- Help consumers and companies from developing countries participate in digital trade.
- Encourage competition in the telecommunications sector by ensuring independent regulators, better access to infrastructure, and market-based frequency band assignments.
What’s missing from the text? Negotiations on crucial digital issues like data flows and source code hit a roadblock when the USA pulled its support so it could maintain domestic policy flexibility. The co-conveners simply state that ‘participants recognise that some issues of importance to digital trade have not been addressed in this text. Participants will discuss the inclusion of these issues in future negotiations.’
Who’s missing from the deal? The latest draft text represents 82 out of 91 JI members. However, Brazil, Colombia, El Salvador, Guatemala, Indonesia, Paraguay, the Separate Customs Territory of Taiwan, Penghu, Kinmen and Matsu, Türkiye, and the USA are still reviewing the text domestically.
What are the next steps? To become the foundation for global rules on digital trade among WTO members, the text must be integrated into the WTO legal framework. However, all JIs at the WTO ran into opposition from several WTO members who hold that JIs do not have any legal status because they were not launched based on consensus.
Similarly, these countries claim that the outcomes of JIs are not based on consensus and are neither multilateral agreements nor plurilateral agreements as defined in Article IV of the agreement that established the WTO – the Marrakesh Agreement.
If the Agreement on Electronic Commerce comes into force, much work will be needed. Five changes in the global landscape are important to consider in its implementation. Firstly, there has been a rise in digital inequality, which will need to be tackled. Secondly, there has been a shift eastwards in digital trade rule-making. Thirdly, digital economy agreements (DEAs) are increasingly important, perpetuating the normative patchwork. Fourth, global value chains have been rewired because of the global COVID-19 pandemic and geopolitical considerations, leading to uncertain trade consequences. Finally, the systemic nature of challenges to multilateralism has also been felt at the WTO, jeopardising the organisation’s negotiating and dispute-settlement functions.
Read more in the blog post The WTO Joint Initiative stabilised ‘Agreement on Electronic commerce’: Looking at the broader picture.
The WTO Joint Initiative stabilised ‘Agreement on Electronic Commerce’ must contend with five changes that took place in the global landscape that are important to consider in its implementation.
The CrowdStrike update that triggered a USD 5 billion outage, lawsuits, and congressional scrutiny
A routine update turned catastrophic when CrowdStrike’s Falcon Sensor kernel-level driver, designed to safeguard Windows systems, triggered a massive tech outage on 19 July. The disruption reverberated across industries globally, affecting sectors like air travel, healthcare, finance, and media.
The problem began when CrowdStrike released a content configuration update for the Windows sensor to collect telemetry on potential new threat techniques. These updates are a regular aspect of the Falcon platform’s dynamic protection system, sometimes occurring daily.
However, this particular update contained a logic error that resulted in a system crash, causing the notorious blue screen of death (BSOD) on 8.5 million Windows devices.
The issue was traced back to a bug in CrowdStrike’s Content Validator, which allowed the problematic update to pass validation despite containing problematic content data.
The consequences. Financially, the impact of this incident is staggering. According to cyber insurer Parametrix, the faulty update could result in losses of up to USD 5.4 billion for companies like Microsoft, major airlines, banks, and healthcare providers.
However, the insured losses from the CrowdStrike incident are estimated at between USD 1.5 billion and USD 10 billion.
CrowdStrike announced that it will give customers about USD 60 million in credits to remain with the company. At the end of August, the company had a 98% customer retention rate after the outage.
However, CrowdStrike is not remotely out of the woods. On 23 September, Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike, will testify before the US House Homeland Security cybersecurity subcommittee. Meyers will be expected to explain in detail how this incident happened and the mitigation steps CrowdStrike is taking.
The company is also facing a flurry of lawsuits. Delta plans to sue CrowdStrike and Microsoft for USD 500 million over significant losses related to the update. Law firm Labaton Keller Sucharow has filed a class action lawsuit on behalf of CrowdStrike shareholders, alleging they were misled about software testing. Gibbs Law Group is also considering a class action for small businesses impacted by the outage.
What did we learn from this case? Numerous organisations are overreliant on single-point IT solutions. Should tech companies bear responsibility for cyber risks associated with their products and services?
Defining supplier responsibility (and liability) for the security and stability of digital products through legal instruments is essential for ensuring accountability and safety. This would incentivise companies to invest more in robust security measures, thorough testing protocols, and fail-safe mechanisms.
Moreover, it would foster a culture of responsibility within the tech industry, where the potential real-world impacts of digital failures, their solutions, and their broader implications for society are given the serious consideration they deserve.
The Summit of the Future
The upcoming Summit of the Future is being hailed as a ‘once-in-a-generation opportunity’ to reaffirm core principles and adapt multilateral frameworks to meet the challenges of tomorrow.
Scheduled for 22–23 September 2024, this high-level UN event will bring together various stakeholders, under the theme, ‘Summit of the Future: Multilateral Solutions for a Better Tomorrow’.
The summit will be preceded by a preparatory ministerial meeting on 18 September and Action Days on 20–21 September.
The ‘Digital Future for All’ track of the Action Days aims to harness innovation, science, and data to promote a more inclusive, safe, and sustainable digital world. Early sessions will focus on how digital technologies can foster a sustainable and responsible future, while later sessions will celebrate commitments and explore the foundations needed for an open, secure digital landscape. Stakeholders will also discuss the Global Digital Compact and practical applications of AI.
An interactive dialogue entitled ‘Towards a Common Digital Future: Strengthening inclusive innovation and cooperation to bridge the digital divides’ will be held during the summit.
The summit’s immediate outcome will be a final version of the Pact for the Future, the much-anticipated Global Digital Compact (GDC) and the Declaration for Future Generations, all expected to be adopted by member states during the summit.
We’ve written about the GDC at length. The GDC looks at the full gamut of digital, technological, and AI developments, and is expected to maximise the benefits of new technologies and minimise the risks. It will focus on (1) closing all digital divides and accelerating progress across the SDGs; (2) expanding inclusion in and benefits from the digital economy for all; (3) fostering an inclusive, open, safe and secure digital space that respects, protects and promote human rights; (4) advancing responsible, equitable and interoperable data governance approaches; and (5) enhancing international governance of AI for the benefit of humanity.
The GDC is being negotiated separately and it will be annexed to the pact. The document has gone through various revisions. Most recently, co-facilitators shared the fourth revision of the draft under silence procedure (tacit consent) with UN member states. The silence could be broken until Thursday, 29 August, signalling (a) state(s) dissatisfaction with the text. It appears that the silence has been broken this time. Discussions about the next steps of the negotiations are now ongoing.
Consult Diplo’s analysis and chat with AI assistants on the Pact for the Future and the Global Digital Compact. Here, you can follow just-in-time reporting from the Summit of the Future on 22 and 23 September 2024.
