Campaigns

Dear readers,

The sense of urgency surrounding AI regulations that marked the start of the month continues unabated. The European Commission is advocating for a global framework (including an IPCC for AI to govern it), while the USA is deliberating over who should take the lead in regulating AI. And we haven’t even started Q4, which will accelerate things even more. Let’s get started.

Stephanie and the Digital Watch team

// HIGHLIGHT //

European Commission calls for an IPCC for AI (the concept’s not new though)

European Commission President Ursula Von der Leyen’s State of the EU speech (read or watch) last week, wouldn’t have been complete without a deep-dive into how to govern AI. 

The EU’s way ahead of the rest in developing AI regulations: The draft AI Act has reached the final stages of its legislative journey, although it will take years before the rules come into effect. And yet, the EU is not quite finished. It wants to do more – this time, on a global scale – by transposing the effectiveness of the Intergovernmental Panel on Climate Change (IPCC) to the AI realm.

The context: A global framework for AI

The EU is acutely aware that without similar rules in other major economies, the impact of its rules remains limited. It, therefore, wants others to align their policies and collaborate towards a collective goal. That goal is a new global framework on AI built on three pillars – guardrails, governance, and guiding innovation.

What it means in practice is that Von der Leyen wants to see the EU’s upcoming AI Act exported to other countries. She proudly asserts, ‘Our AI Act serves as a global blueprint’, hence positioning it as the ideal guardrail.

How to get there: An IPCC for AI

The goal of a global framework is to cultivate a shared understanding of the profound impact AI has on our societies. The way this would be achieved (von der Leyen’s second pillar) is through a body similar to the Intergovernmental Panel on Climate Change (IPCC), whose reports establish scientific consensus on climate change. 

Von der Leyen explains: ‘Think about the invaluable contribution of the IPCC for climate, a global panel that provides the latest science to policymakers. I believe we need a similar body for AI.’ Its aim would be to develop ‘a fast and globally coordinated response – building on the work done by the Hiroshima Process and others.’

In reality, the IPCC for AI is not a new proposal. The concept goes back to (at least) 2018, when French President Emmanuel Macron told the Internet Governance Forum (held in Paris that year) of his intention to create ‘an equivalent of the renowned IPCC for artificial intelligence’. 

At the time, Macron’s vision was ahead of its time. ‘I believe this “IPCC” should have a large scope. It should naturally work with civil society, top scientists, all the innovators here today […] there can be no artificial intelligence and no genuine “artificial intelligence IPCC” if reflection with an ethical dimension is not conducted.’

One could say that the idea of creating an exact replica of the original IPCC, refined for application to AI, was sidelined with the establishment of the Global Partnership on Artificial Intelligence (GPAI), an international forum for collaborating on AI policies. Nevertheless, the current surge in interest and concerns surrounding generative AI has generated enough momentum to revive the original concept.

Who to rope in: The industry

Von der Leyen’s third pillar, ‘guiding innovation in a responsible way’, is the European Commission’s way of saying that until rules come into effect, the industry needs to agree on voluntary commitments.

Arguably, the EU is doing a good job at this through the AI Pact, a voluntary set of rules that will act as a precursor to the AI Act. European Commission Thierry Breton has advocated heavily among Big Tech companies to adopt these guidelines.

But more needs to be done locally: The EU needs to foster a homegrown AI industry, which is still lagging behind. In its latest initiative, the EU will launch an AI Start-Up Initiative, which, according to Breton, will give start-ups access to public high-performance computing infrastructure (and ‘help them lead the development and scale-up of AI responsibly and in line with European values’.)

Reality check

The EU has several feathers in its cap (see our recent article on the Brussels effect), but its global ambitions might be a tad premature in AI. First, the AI Act is not yet law. Second, the EU knows that many other countries do not share the same willingness for binding rules (see Japan’s update below).

At most, the EU can aim to export its values of human centricity and transparency to other countries, and advocate for them to become minimum global standards for the safe and ethical use of AI. It’s worth the effort.

// AI GOVERNANCE //

US Senate judiciary hearings and closed-door meetings: AI debates continue

We’ve heard it all before: AI can be leveraged for good. But AI risks must be curbed. Governments must step in. 

US Senate hearing: All this (and more) was discussed during the US Senate Judiciary Subcommittee’s latest meeting, led by Chairman Richard Blumenthal (D-CT) and Ranking Member Josh Hawley (R-MO), which was attended by Boston University Law Professor Woodrow Hartzog, NVIDIA Chief Scientist William Dally, and Microsoft President Brad Smith. The hearing emphasised the need to curb the misuse of AI-generated deceptive practices in content used during electoral campaigns, and AI’s misuse for other criminal purposes such as scams.

AI Insight Forum: Lawmakers and tech industry leaders also gathered at Senate Majority Leader Chuck Schumer’s inaugural AI Insight Forum last week. The meeting was held behind closed doors, so we’ve had to rely on reports by journalists gathered outside the building. The main topic was how to address the pressing requirement for AI regulation given that, according to X’s (formerly Twitter) Elon Musk, ‘AI development is potentially harmful to all humans everywhere’. Musk also floated the idea of a federal department on AI. The unanimous agreement among the tech leaders was that the government needs to intervene. 

Why is it relevant? Despite the USA’s traditional laissez-faire approach, the outcomes from these discussions suggest a bipartisan willingness to legislate. But disagreements over how to do this run (too?) deep. At least, there is convergence around the need for a new regulator – either through the creation of a new agency or by mandating an existing government entity such as the National Institute of Standards and Technology (NIST). The general election is looming around the corner, so if there are any developments to be initiated, now’s the time.

Japan publishes draft AI transparency guidelines 

Japan, the current chair of the G7, has unveiled new draft guidelines on AI transparency. The voluntary guidelines, which Tokyo will finalise by the end of the year, will urge AI platform developers to disclose vital information about the purpose of their algorithms and what they see to be the potential risks. Additionally, companies involved in AI training will be asked to disclose the data they’re utilising to train their models. 

These guidelines were outlined during a government AI strategy meeting, where it was also revealed that the government intends to earmark 164 billion yen (USD1.11 billion) for AI next year. That’s an increase of over 40% compared to this year’s allocation.

Why is it relevant? Although Japan’s AI spending shows how serious the country is in a homegrown AI industry, it re-confirms the country’s preference for non-binding rules and, therefore, indicates that there is still a split in how G7 countries choose to approach AI governance. As the current G7 chair, Japan’s preference for a softer approach puts a damper on the EU efforts to establish its upcoming AI Act as a global benchmark. But it’s not all bad: At least the Japan-led G7 AI Hiroshima Process will try to find common denominators among these widely differing approaches (see more below on what to expect in the coming weeks).

// ANTITRUST //

Legal battle against Google’s search monopoly abuse kicks off 

The trial of the US Justice Department’s (DOJ) major antitrust case against Google kicked off last week, signalling the start of a months-long legal battle that could potentially reshape the entire tech industry. The DOJ had filed the civil antitrust suit against Google in late 2020 after examining the company’s business for more than a year.

The lawsuit concerns Google’s search business, which the DOJ and state attorneys-general consider ‘anticompetitive and exclusionary’ sustaining its monopoly on the digital advertising market. The case revolves around Google’s agreements with smartphone manufacturers and other firms, which allegedly strengthen its search monopoly.

Google has argued that users have plenty of choices and opt for Google due to its superior product.

Why is it relevant? It’s the first major tech antitrust trial since Microsoft’s 1998 case. If Google is found to have breached antitrust law, the judge could simply order Google to refrain from these practices or, more seriously for Google, order the company to sell assets. If the DOJ loses, it would undermine years of effort by the agency to challenge Big Tech’s power.

Case details: USA v Google LLC, District Court, District of Columbia, 1:20-cv-03010

// PRIVACY //

TikTok fined millions for breaching GDPR on children’s data

TikTok has been fined EUR345 million (USD370 million) for breaching privacy laws on the processing of children’s personal data in the EU, the Irish Data Protection Commissioner (DPC) confirmed. The DPC gave TikTok three months to bring all of its processing into compliance where infringements were found.

TikTok was found to have allowed specific profile settings to pose severe risks to underaged users. For instance, some settings were set to public by default (anyone could view the child’s content), while another setting allowed any public user to pair their account to a child’s user account and, therefore, to direct message them.

Why is it relevant? First, the DPC’s final decision is another blow to TikTok’s woes in Europe (there’s another ongoing case in the EU). Second, it’s among the largest fines imposed on a tech company under the GDPR.

// COPYRIGHT //

Two new lawsuits allege copyright infringement in AI-model training

A group of writers have initiated legal action against Meta and separately against OpenAI, alleging that the tech giants inappropriately used their literary creations to train their AI models.

In Meta’s case, the writers say their copyrighted books appear in the dataset that Meta has admitted to using to train LLaMA, the company’s large language model. In OpenAI’s case, ChatGPT generates in-depth analyses of the themes in the plaintiffs’ copyrighted works, which the authors say is possible only if the underlying GPT model was trained using their works.

Why is it relevant? First, the lawsuits add to the growing number of cases against AI companies over copyright infringement, broadening the legal minefield surrounding AI training. Second, it adds pressure on regulators to bring intellectual property rules up to speed with developments in generative AI. The USA is already mulling new rules, pending a public call for comment. 

Case details: Chabon et al v OpenAI et al, California Northern District Court, 3:2023cv04625; Chabon et al v Meta Platforms, California Northern District Court, 3:23-cv-04663

11 September–13 October: The digital policy issues to be tackled during the 54th session of the Human Rights Council (HRC) include cyberbullying and digital literacy. 

18 September: The Commonwealth Artificial Intelligence Consortium (CAIC) is meeting in New York to endorse a new AI action plan for sustainable development.

18–19 September: The SDG Summit in New York will mark ‘the beginning of a new phase of accelerated progress towards the Sustainable Development Goals’. It’s very much needed, considering that, with only seven years left to go, none of the 17 SDGs have been fully met.

19–26 September: The high-level debate of the UN General Assembly’s 78th session kicks off this week. The theme may well be about accelerating progress on sustainable development goals, but we can expect several countries to explain how they view AI developments and AI regulation. As usual, our team will analyse each and every country statement and tell us what’s weighing the most on governments’ minds. Subscribe for just-in-time updates.

20–21 September: The 8th session of the WIPO Conversation, a multistakeholder forum which attracts thousands of stakeholders, will be about generative AI and intellectual property.

21 September: The President of the UN General Assembly will convene a prep ministerial meeting in New York ahead of the 2024 Summit of the Future.

24 September: The EU’s Data Governance Act becomes enforceable.

Was this newsletter forwarded to you, and you’d like to see more?

Was this newsletter forwarded to you, and you’d like to see more?

Dear all,

The recently approved EU-US Data Privacy Framework is about to undergo the same legal battle as its predecessors starting in September. In other news, OpenAI filed a trademark application for GPT-5 (we raised our eyebrows too), and Zoom is under fire for data processing practices related to training AI models and use of user content. Google’s antitrust case in Italy over data portability has been settled, but the US Justice Department’s case will go to trial next month (we’ll cover this one in upcoming digests).    

Let’s get started.
Stephanie and the Digital Watch team
PS. We’re taking a short break next week; expect us back in a fortnight.

// HIGHLIGHT //

Schrems III: EU-US privacy framework to be challenged in court in September

A legal challenge to the recently approved EU-US Trans-Atlantic Data Privacy Framework (TADPF) is expected to be filed by Austrian privacy activist Max Schrems, chairman of NOYB (European Center for Digital Rights, called NOYB for None Of Your Business) in September. 

The new framework, which governs the transfer of European citizens’ personal data across the Atlantic, was finalised by the European Commission and the US government last month. Known as the TADPF on Twit…sorry, X, the framework is actually the third of its kind, succeeding the invalidated Safe Harbour in October 2015 and the Privacy Shield in July 2020. Notably, it was Max Schrems who played a significant role in invalidating both frameworks, earning the distinctive labels Schrems I and Schrems II for each case.
NOYB had already announced its plans to challenge the new framework a few weeks ago, which it says is essentially a copy of the failed Privacy Shield.

Issue #1: Surveillance on non-US individuals

The fundamental problem with the new framework, much like the previous versions, has to do largely with a US law: Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows for surveillance against non-US individuals. Although the US 4th Amendment protects the privacy of American citizens, European citizens have no constitutional rights in the USA. Therefore they cannot defend themselves from FISA 702 in the same way. 

At the same time, in the EU, personal data may only leave the EU if adequate protection is ensured. So what the USA and EU agreed to, for the EU to green-light data transfers under the new framework, was to limit bulk surveillance to ‘what is necessary and proportionate’ and share a common understanding of what ‘proportionate’ means without actually undermining the powers that US authorities wield.

Issue #2: The redress mechanism

The previous framework for citizens seeking redress through the ombudsperson did not align with European law. The new agreement introduces changes by establishing a Civil Liberties Protection Officer and a body referred to as a court (which NOYB thinks is simply a semi-independent executive entity).

Although there are some minor enhancements compared to the ombudsperson, individuals will probably have no direct interaction with the new bodies, so the outcomes of seeking redress will be similar to those that the former Ombudsperson could have reached.

On the path to Schrems III

The system needs to be implemented by companies, so that it can be challenged by a person whose data is transferred under the new instrument. Schrems indicated the lawsuit will be filed in Austria, his home country. 

Then, it is hoped that the Austrian court will quickly decide to accept or reject, this challenge, and send it to the Court of Justice of the European Union (CJEU).

Is there any chance that this trajectory might be avoided? Yes, but it’s unlikely. FISA 702 has a sunset clause, which means that it needs to be re-authorised by the US Congress by the end of 2023. The new litigation will add further pressure to existing calls for reforming FISA 702, but Schrems himself thinks the US government may not be willing to reauthorise or reform FISA 702, since the framework has now been agreed. 

As the Schrems III litigation unfolds, it is increasingly probable that the case will end up before the CJEU, where Schrems has strong confidence in the outcome: ‘Just announcing that something is “new”, “robust” or “effective” does not cut it before the Court of Justice.’

// AI GOVERNANCE //

OpenAI files trademark application for GPT-5

OpenAI has filed a trademark application for GPT-5 at the US Patent and Trademark Office, aiming to cover various aspects such as AI-generated text, neural network software, and related services. While the filing was spotted by a trademark attorney (who tweeted about it), there has been no official confirmation from OpenAI about GPT-5. 

A trademark application doesn’t always mean a working product is in the making. Often, companies file trademarks to stay ahead of competitors or protect their intellectual property. 

Why is it relevant? OpenAI CEO Sam Altman recently denied that the company was working on GPT-5. During an event at MIT, Altman reacted to an open letter requesting a pause in the development of AI systems more powerful than GPT-4. Altman clarified that the letter lacked technical nuance and mistakenly stated that OpenAI is currently training GPT-5, deeming it ‘sort of silly’. (Jump to minute 16’00 to listen to the recording). Time will tell.

Zoom under fire for training AI models with user data without opt-out option

Zoom’s latest update to its Terms of Service will allow it to leverage user data for machine learning and AI, without providing users the possibility of opting out.

In addition, Section 10.4 of the updated terms also grants Zoom a ‘perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license’ to use customer content in any way it likes.

Why is it relevant? First, it gives Zoom a sweeping range of powers over people’s content (the argument that users should read the terms and conditions will not earn Zoom any kudos from users nor alleviate their concerns). Second, the Zoom case echoes one of the earliest legal challenges that OpenAI faced when the Italian data protection authority banned ChatGPT from Italy, and later allowed it to operate after OpenAI ‘granted all individuals in Europe, including non-users, the right to opt-out from processing of their data for training of algorithms also by way of an online, easily accessible ad-hoc form’. But there was one main difference: OpenAI uses legitimate interest as a basis for using data to train its models, which means it needs an opt-out form. Zoom users can enable generative AI features, but as yet, there is no clear way to opt out.

UPDATE (8 August 2023): Zoom updated its terms of service in the evening of 7 August (right after this issue was published) to say that ‘Notwithstanding the above, Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent’. However, it’s unlikely that this will alleviate concerns: First, the term ‘customer content’ does not cover all the content that Zoom will use to train its AI models; second, it’s still unclear whether Zoom is seeking to obtain users’ consent (in Europe) in accordance with GDPR requirements; third, there’s still no possibility to opt out – at least, not a straightforward one; fourth, there’s no change to the sweeping powers Zoom has given itself over user content (Section 10.4).

Are labels for AI-generated content around the corner?

Alessandro Paluzzi, a mobile developer and self-proclaimed leaker, has disclosed that Instagram is developing a label specifically for AI-generated content. As companies vie for dominance in generative AI technology, the introduction of content labels thrusts them into a race on combating misinformation. The tool that successfully and accurately labels AI content could earn the trust of users and governments.

UK labels AI as chronic risk

AI has now been officially classified, for the first time, as a security threat to the UK, as stated in the recently published National Risk Register 2023. This level of risk falls into the category of chronic risks, different from acute risks because they present ongoing challenges that gradually undermine our economy, community, way of life, and national security. While chronic risks typically unfold over an extended time, they are not limited to such.

The advancements in AI systems and their capabilities entail various implications, including both chronic and acute risks. For instance, they could facilitate the proliferation of harmful misinformation and disinformation. If mishandled, these risks could have significant consequences.

Why is this relevant? The UK recently announced it will host the first global summit on AI Safety, bringing together key countries, leading tech companies, and researchers to agree (hopefully) safety measures to evaluate and monitor risks from AI. The UK also recently chaired the UN Security Council’s first-ever debate on AI.

Was this newsletter forwarded to you, and you’d like to see more?

// CRYPTO-BIOMETRICS //

WorldCoin wants to attract governments; Kenya suspends project

Tools For Humanity, the San Francisco and Berlin-based company behind WorldCoin, the new crypto-biometric project we wrote about last week, hopes it will attract governments to use it. 

Ricardo Macieira, general manager for Europe at Tools For Humanity, said the company’s idea is to build the infrastructure for others to use it.

Why is this relevant? The project is already shrouded in controversy over Worldcoin’s data collection processes, not least because of the crypto-for-iris scans method of encouraging sign-ups. Kenya is the latest country to investigate the project, and has suspended local activities of WorldCoin in the meantime.

// KIDS //

China proposes screen time limits for kids

The Cyberspace Administration of China (CAC) released draft guidelines for the introduction of screen time software to curb the problem of smartphone addiction among minors and the impact the government says screen time has on children’s academic performance, social skills, and overall well-being. The regulations mandate curfew and time limits by age, as well as age-appropriate content. 

The draft rules also provide for anti-bypass functions, such as restoring factory settings if the device is not used according to the rules. 

Why is it relevant? The guidelines, which are an add-on to previous regulations that restrict the amount of time under-18s spend online, give parents much of the management responsibility. This makes the widespread enforcement of the rules questionable – which we’re pretty sure is what kids in China are hoping for.

// COMPETITION //

Italian consumer watchdog closes Google’s data portability investigation

Italy’s Autorità Garante della Concorrenza e del Mercato (AGCM) has accepted commitments proposed by Google, ending its investigation over the alleged abuse of its dominant position in the user data portability market. Data portability, governed by the GDPR, allows users to move their data between services, creating competition for companies like Google. 

Google presented three commitments: The first two offer supplementary solutions to Takeout, which helps users backup their data, making it easier to export to third-party operators. The third commitment allows testing of a new solution that enables direct data portability between services, with authorisation from users. This aims to improve interoperability within the Google ecosystem.

Why is it relevant? First, amid the multitude of antitrust cases faced by the company worldwide, this particular one had the potential to escalate further, but reached its resolution here. Second, the benefits of this outcome extend beyond just Italian users.

More as a reminder, since we covered these events last week. It will be a quiet month. Happy August! 

10–13 Aug: DEF CON 31 is the Las Vegas event which will show, among other workshops, training, and contests, the White House-backed red-teaming of OpenAI’s models.

21 August–1 September: The Ad Hoc Committee on Cybercrime meets in New York for its 6th session.

25 August: Very large online platforms and search engines must start abiding by the DSA’s obligations.

WSJ: How Binance transacts billions in Chinese market despite ban

It seems that cryptocurrency exchange Binance continues to operate in China despite the country’s ban on cryptocurrencies. Binance reportedly does around $90 billion worth of business in China, one of its largest markets. An investigative article from the Wall Street Journal explores how Binance is able to operate in China despite the ban and the potential risks associated with doing so.

Was this newsletter forwarded to you, and you’d like to see more?

Dear readers,

A new biometric-cryptocurrency project has diverted everyone’s attention from AI developments to iris patterns and privacy issues. Still, over at the regulators in charge of competition, no fewer than four new cases against Big Tech emerged, with two of them outlined below.

Let’s get started.

Stephanie and the Digital Watch team

// HIGHLIGHT //

There’s a new device in town, 
and it’s coming for your iris

Nowadays, people are happily sharing biometric data through their trendy smartwatches. The allure of profiting from cryptocurrency is as tantalising as Bitcoin’s early days. And Sam Altman has garnered a considerable following of techno-enthusiasts since the launch of ChatGPT.

So the timing couldn’t be better for Sam Altman to relaunch his Worldcoin project, a cryptocurrency-cum-identity network that functions by verifying that someone is both a human being and a unique person. The verification is carried out by a custom-built spherical device called an Orb. (Read about Worldcoin’s history.)

Are you unique? The uniqueness requirement is why verification is based on an iris scan: Since the structure of our irises is both individually identifiable and stays more or less the same over time, iris biometrics are much more accurate and reliable.

Privacy safeguards: WorldCoin also provides some privacy features. Iris scans are processed locally on each Orb, and turned into a set of numbers. The original scan is then deleted (unless the user prefers to have it stored on Worldcoin’s servers ‘to reduce the number of times you may need to go back to an Orb’).

Regulators stepping in: Despite the safeguards, European regulators have been quick to react. France’s privacy watchdog said it had reservations about the legality of the biometric data collection, and how it’s being stored. The UK said it was reviewing the project. 

Germany is way ahead: Its data protection regulator in Bavaria – the lead EU authority investigating Worldcoin due to the company’s German subsidiary in the region – has been investigating the project’s biometric data processing since November last year.

Why the iris scanning project is more than a headache

As the investigations unfold, there are several challenges that are raising alarm bells about the iris project.

1. The massive database. Regardless of all the noble purposes (mostly) behind the Worldcoin project, the fact is that a massive biometric database is being built. And we all know the risks that come with that – from breaches to data misuse. 

2. The Orb operators. Let’s say your iris pattern is deleted immediately. There are still plenty of risks associated with how that data is collected. The company emphasises that the orb operators – the people entrusted with the shiny spheres – are independent contractors over whom ‘we have no control over and disclaim all liability for what they say or how they conduct themselves’. 

3. The money pitch. Worldcoin is providing people with an incentive to have their irises scanned: the prospect of making money. ‘Eligible verified users’, that is, anyone who’s had their iris scanned, ‘can claim one free WLD token per week with no maximum.’ On the one hand, a company is finally paying users for their data, but on the other hand, that data is sensitive biometric information. Are users on an equal footing with the company in this exchange? Should the sale of sensitive biometric information be permitted? It’s a transaction that warrants closer scrutiny.

Beyond the boundaries of what is acceptable or prohibited, projects that involve large-scale collection of biometric data are undoubtedly contributing to society’s changing attitudes towards privacy. It’s probably time to reassess the essence of what users are actually trading, and more than that, whether users have the power to defend their rights and position in this negotiation.

// AI //

Industry leaders partner to establish forum for responsible development of frontier AI 

Four companies developing AI – Anthropic, Google, Microsoft, and OpenAI – have launched a new industry body to focus on the safe and responsible development of frontier AI models, that is, models that exceed the capabilities of what’s currently available.

The Frontier Model Forum will focus on identifying best practices for safety standards, advancing AI safety research by coordinating efforts on areas like adversarial robustness and interpretability, and facilitating secure information sharing between companies and governments on AI safety and risks.

Why is this relevant? Beyond the AI models we see today, over 350 AI experts recently raised concerns on the potential for future AI to bring about human extinction and other global perils, such as pandemics and nuclear warfare. The list of signatories comprised the leaders of the very AI companies driving the Frontier Model Forum forward. 

// CONTENT POLICY //

Biden administration challenges social media censorship order

The Biden administration has criticised a recent court order restricting government officials’ communications with social media companies as overly broad. Appealing the court order, the government said the order hampers its ability to fight misinformation, and must be lifted. 

How it started. In May 2022, the attorneys general of Missouri and Louisiana sued the government for demanding that social media platforms remove content that the government deemed misinformation. On 4 July 2023, the Louisiana court ordered government agencies to refrain from communicating with social media companies for the purpose of moderating content. In other words, the court said the government was only allowed to contact social media companies on content related to national security threats, criminal activity, and cyberattacks.

The government’s counter-argument. It’s one thing to try to persuade platforms, and quite another to coerce them. ‘The district court’s ruling ignored that fundamental distinction… [it] equated the government’s legitimate efforts to identify truthful information with illicit efforts to “‘silenc[e] the voice of opposition’… and… to coerce.’

Why is this case relevant? First, this places a wedge between the US government and social media companies by setting a precedent for how the US government can interact with social media companies. Second, it affects the way misinformation is tackled by undermining the credibility of public authorities as trustworthy providers of information. Third, the idea that social media giants such as Facebook and Twitter can be easily coerced into compliance is not exactly the image we all have of them…

Case numbers: District Court, W.D. Louisiana, 3:22-cv-01213; Court of Appeals, 5th Circuit, 23-30445

Breton tells NGOs: Shutdowns only in far-reaching situations; courts will have final say

You could say that Internal Market Commissioner Thierry Breton rocked the boat a little when he recently suggested on France Info that online platforms could be shut down if they don’t remove illegal content immediately, especially when riots and violent protests are involved. Over 60 civil rights NGOs immediately asked him to clarify that the Digital Services Act (DSA) would not be used as a censorship tool.

Breton has now clarified his comment: The possibility of a temporary suspension is a last resort if a platform fails to take necessary and effective actions in far-reaching situations, such as systemic failure to terminate infringements linked to calls for violence or manslaughter. In any case, the courts will have the final say.

Why is this relevant? The exchange between the European Commission and the NGOs served to clarify what type of last-resort measures against infringement can be ordered by authorities. The DSA’s obligations for very large online platforms and search engines come into effect on 25 August. 

// ANTITRUST //

EU confirms antitrust investigation against Microsoft for bundling Teams with Office

It didn’t take long for the European Commission to confirm our hunch from last week. Just days after Alfaview’s anti-competition complaint against Microsoft, the commission launched formal proceedings against Microsoft for bundling the communication software Teams with its Office 365. 

A long time coming. At the height of the COVID-19 pandemic in 2020, Zoom soared to success while Teams emerged as a formidable competitor. It was during this time that Microsoft decided to bundle Teams with Office. The move faced backlash from Slack, a rival company (that was subsequently acquired by Salesforce in 2021), which complained to the commission that Microsoft’s bundling constituted an abuse of its dominant position.

Why is this case relevant? This makes it the first investigation by the European Commission against Microsoft since the Internet Explorer bundling case concluded in 2009 (Microsoft was fined a few years later for breaching its commitments). This case also highlights the limited effectiveness of antitrust laws and enforcement in deterring dominant companies. Even if Microsoft were to lose the case, Teams would remain firmly established as one of the leading meeting software apps, making any findings of anti-competitive behaviour ineffective in displacing it.

Case number: AT.40721

French competition authority to investigate Apple’s app tracking policy 

The French competition authority has launched an investigation into Apple’s practices for allegedly abusing its dominant market position. Advertisers have complained that while Apple imposes its App Tracking Transparency (ATT) policy upon them, it exempts itself from the same regulations, resulting in self-preferential treatment.

The issues with Apple’s tracking policy. Apple’s ATT policy, first announced in 2020, triggers a privacy pop-up to iPhone and iPad users during the installation of third-party apps attempting to track them. That’s very much welcomed by privacy advocates. However, app developers say that this policy does not extend to Apple’s own apps, creating hesitation among users to allow third-party tracking, leading them to favour Apple’s apps. This also means that Apple has access to more complex device and advertising data than third-party developers, allowing it to more accurately target its ads to users in ways that third-party developers cannot.

Apple says its apps do not track users via third-party apps, and hence, do not require the ATT prompt. But competition authorities aren’t so sure anymore that this isn’t an abusive self-preferencing practice.

Why is this case relevant? First, this case has been gaining momentum since 2020. At that time, the French Competition Authority was approached by advertising associations with a complaint against the ATT policy and a request for interim measures against Apple. A year later, the French authority concluded that there was nothing wrong with providing users additional possibilities for deciding whether they wished to be tracked, and after all, at that time, the French authority did not have any proof that Apple was subjecting third-party app developers to stricter measures than those it imposed on itself for comparable purposes. And this is precisely what the French authority will now be looking at. Second, because multiple jurisdictions are looking into the same issue, including the UK, Italy, Germany, and California.

Was this newsletter forwarded to you, and you’d like to see more?

Since it’s a relatively quiet month, we’re looking ahead at the next 4-5 weeks:

10–13 August: DEF CON 31 is the Las Vegas event which will show, among other workshops, training, and contests, the White House-backed red-teaming of OpenAI’s models.

21 August–1 September: The Ad Hoc Committee on Cybercrime meets in New York for its 6th session.

25 August: Very large online platforms and search engines must start abiding by the DSA’s obligations as of this date. 

Was this newsletter forwarded to you, and you’d like to see more?

Dear readers,

It’s more AI governance this week: The US White House is inching towards AI regulation, marking a significant shift from the laissez-faire approach of previous years. At the UN, the Secretary-General is also shaking (some) things up.
Elsewhere, cybercrime is rearing its ugly head, bolstered by generative AI. Antitrust regulators gear up for new battles while letting go of others. And in case you haven’t heard, Twitter’s iconic blue bird logo is no more.

Let’s get started.

Stephanie and the Digital Watch team

// HIGHLIGHT //

Voluntary measures a precursor to White House regulations on AI

There’s more than meets the eye in last week’s announcement that seven leading AI companies in the USA – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – agreed to implement voluntary safeguards. The announcement made it crystal clear that executive action on AI is imminent, indicating a shift to a higher gear towards AI regulation within the White House.

AI laws on the horizon

In comments after his meeting with AI companies, President Joe Biden spoke of plans for new rules: ‘In the weeks ahead, I’m going to continue to take executive action to help America lead the way toward responsible innovation.’ The White House also confirmed that it ‘is currently developing an executive order and bipartisan legislation to position America as a leader in responsible innovation’. In addition, the voluntary commitments state that they ‘are intended to remain in effect until regulations covering similar issues are officially enacted’. 

In June, officials revealed they were already laying the groundwork for several policy actions, including executive orders, set to be unveiled this summer. Their work involved creating a comprehensive inventory of government regulations applicable to AI, and identifying areas where new regulations are needed to fill the gaps.

The extent of the White House’s shift in focus will be revealed when the executive order(s) are announced. One possibility is that they will focus on the same safety, security and trust aspects that the voluntary safeguards reflect on, mandating new rules to fill in the gaps. Another possibility, though less likely, is for the executive action to focus on tackling China’s growth in the AI race. 

The voluntary measures

While the voluntary commitments address some of the main risks, they mostly encompass practices that companies are either already implementing or have announced, making them less impressive. In a way, the commitments appear reminiscent of the AI Pact announced by European Commissioner Thierry Breton as a preparatory step for the EU’s AI Act – a way for companies to get ready for impending regulations. In addition, these commitments apply primarily to generative models that surpass the current industry frontier in terms of power and scope.

The safeguards revolve around three crucial principles that should underpin the future of AI: Safety, security, and trust.

1. Safety: Companies have pledged to conduct security testing of their AI systems before release, employing internal and external experts to mitigate risks related to biosecurity, cybersecurity, and societal impacts. The White House previously endorsed a red-teaming event at DEFCON 31 (taking place in August), aimed at identifying vulnerabilities in popular generative AI tools through the collaboration of experts, researchers, and students.

2. Security: Companies have committed to invest in cybersecurity and insider threat safeguards, ensuring proprietary model weights (numeric parameters that machine learning models learn from data during training to make accurate predictions) are released only under intended circumstances and after assessing security risks. They have also agreed to facilitate third-party discovery and reporting of AI system vulnerabilities to support prompt action on any post-release challenges.

3. Trust: Companies have committed to developing technical mechanisms, such as watermarking, to indicate AI-generated content, promoting creativity while reducing fraud and deception. OpenAI is already exploring watermarking. Companies have also pledged to publicly disclose AI system capabilities, limitations, and appropriate/inappropriate use. They will also address security and societal risks, including fairness, bias, and privacy – again, a practice some companies already implement. 

The industry’s response

Companies have welcomed the White House’s lead in bringing them together to agree on voluntary commitments (emphasis on voluntary). While they have advocated for future AI regulation in their testimonies and public remarks, the industry generally leans towards self-regulation as the preferred approach.

For instance, Meta’s Nick Clegg said the company was pleased to commit these voluntary commitments alongside others in the sector, which ‘create a model for other governments to follow’. (We’re unsure what he meant, given that other countries have already introduced new laws or draft rules on AI.) Microsoft’s Brad Smith’s comment went a step further, noting that the company is not only already implementing the commitments, but is going beyond them (see infographic).

Minimal impact on the international front 

The White House said that its current work seeks to support and complement ongoing initiatives, including Japan’s leadership of the G7 Hiroshima Process, the UK’s leadership in hosting a Summit on AI Safety, India’s leadership in the Global Partnership on AI, and ongoing talks at the UN (no mention of the Council of Europe negotiations on AI though). 

In practice, we all know how intergovernmental processes operate, along with the pace at which things generally unfold. So no immediate changes are expected. 

Plus, the USA may well contemplate the regulation of AI companies within its own borders, but opening the doors to international regulation of its domestic enterprises is an entirely separate issue.

// AI //

UN Security Council holds first-ever AI debate; Secretary-General announces initiatives

The UN Security Council held its first-ever debate on AI (18 July), delving into the technology’s opportunities and risks for global peace and security. A few experts were also invited to participate in the debate chaired by Britain’s Foreign Secretary James Cleverly. (Read an AI-generated summary of country positions, prepared by DiploGPT).

In his briefing to the 15-member council, UN Secretary-General Antonio Guterres promoted a risk-based approach to regulating AI, and backed calls for a new UN entity on AI, akin to models such as the International Atomic Energy Agency, the International Civil Aviation Organization, and the Intergovernmental Panel on Climate Change.

Why is it relevant? In addition to the debate, Guterres announced that a high-level advisory group will begin exploring AI governance options by late 2023. He also said that his latest policy brief (published 21 July) recommends that countries develop national AI strategies and establish global rules for military AI applications, and urges them to ban lethal autonomous weapons systems (LAWS) that function without human control by 2026. Given that a global agreement on AI principles is already a big challenge in itself, agreement on a ban on LAWS (negotiations have been ongoing within the dedicated Group of Governmental Experts since 2016) is an even greater challenge.

Cybercriminals using generative AI for phishing and producing child sexual abuse content

Canada’s leading cybersecurity official, Sami Khoury, warned that cybercriminals are now exploiting AI for hacking and spreading misinformation by developing harmful software, creating convincing phishing emails, and propagating false information online, all generated by AI. 

In separate news, the International Watch Foundation (IWF) reported it has looked into 29 reported cases of URLs potentially housing AI-generated child sexual abuse imagery. From these reports, it has been confirmed that 7 URLs did indeed contain such content. In addition, during their analysis, IWF experts also discovered an online manual that teaches offenders how to refine prompts and train AI systems to produce increasingly realistic outcomes.

Why is it relevant? Reports from law enforcement and cybersecurity authorities (such as Europol) have previously warned about the potential risks of generative AI. Real-world instances of suspected AI-generated undesirable content are now being documented, marking a transition from perceiving it as a possible threat to acknowledging it as a current risk.

// ANTITRUST //

FTC suspends competition case in Microsoft’s Activision takeover

The US Federal Trade Commission (FTC) has suspended its competition case against Microsoft’s takeover of Activision Blizzard, which was scheduled for a hearing in an administrative court in early August. 

Since then, Microsoft and Activision Blizzard agreed to extend the deadline for closing the acquisition deal by 3 months to 18 October. 

Why is it relevant? This indicates that the deal is close to being approved everywhere, especially since Microsoft and Sony have also reached agreements ensuring the availability of the Call of Duty franchise on PlayStation – commitments which are appeasing the concerns raised by regulators who were initially opposed to the deal.

Microsoft faces EU antitrust complaint over bundling Teams with Office 

Microsoft is facing a new EU antitrust complaint lodged by German company alfaview, centering on Microsoft’s practice of bundling its video app, Teams, with its Office product suite. Alfaview says the bundling gives Teams an unfair competitive advantage, putting rivals at a disadvantage.

The European Commission has confirmed receipt of the antitrust complaint, which was first announced by alfaview, and is said to be preparing to launch a formal investigation into Microsoft’s actions since the company’s remedies so far were deemed insufficient. Microsoft has been undergoing an informal investigation by the European Commission. 

Why is it relevant? This is not the first complaint against Microsoft’s Teams-Office bundling: Salesforce lodged a similar complaint in 2020. The Commission doesn’t take lightly to anti-competitive practices, so we can expect it to come out against Microsoft’s practices in full force.

// DSA //

TikTok: Almost, but not quite

TikTok, a social media platform owned by a Chinese company, appears to be making progress towards complying with the EU’s Digital Services Act. It willingly subjected itself to a stress test, indicating its commitment to meeting the necessary requirements.

After a debrief with TikTok CEO Shou Zi Chew, European Commissioner for the Internal Market Thierry Breton tweeted that the meeting was constructive, and that it was now time for the company ‘to accelerate to be fully compliant’.

Why is it relevant? TikTok is trying very hard to convince European policymakers of its commitment to protecting people’s data and to implementing other safety measures. Countries have been viewing the company as a security concern, prompting the company to double and triple its efforts at proving its trustworthiness. Compliance with the EU’s Digital Services Act (DSA) could help restore the company’s standing in Europe.

// CYBERSECURITY //

Chinese hackers targeted US high-ranking diplomats

The US ambassador to China, Terry Branstad, was hacked by a Chinese government-linked spying operation in 2019, according to a report by the Wall Street Journal. The operation targeted Branstad’s private email account and was part of a broader effort by Chinese hackers to target US officials and their families. 

Daniel Kritenbrink, the assistant secretary of state for East Asia, was among those targeted in the cyber-espionage attack. These two diplomats are considered to be the highest-ranking State Department officials affected by the alleged spying campaign. 

The Chinese government has denied any involvement in the hacking.

Why is it relevant? The news of the breach comes amid ongoing tensions between the USA and China; the fact that the diplomats’ email accounts had been monitored for months could further strain relations between the two countries. It also highlights the ongoing issue of state-sponsored cyber espionage.

Was this newsletter forwarded to you, and you’d like to see more?

22–28 July: The 117th meeting of the Internet Engineering Task Force (IETF) continues this week in San Francisco and online.

24–28 July: The Open-Ended Working Group (OEWG) is holding its 5th substantive session this week in New York. Bookmark our observatory for updates.

Was this newsletter forwarded to you, and you’d like to see more?