Cyber Week in Review: April 5, 2024

Ron DeSantis signs bill restricting teen social media accounts

Florida Governor Ron DeSantis signed bill HB3 into law earlier this week, which prohibits children thirteen and younger from using social media and requires users aged fourteen to fifteen to obtain parental consent before creating social media accounts. The bill also contains a provision that could allow lawmakers to fully ban those under sixteen from social media platforms if courts conclude the platforms pose a harm to minors. Last month, Desantis vetoed a similar bill that would have entirely banned children sixteen and under from creating social media and required anyone joining social media to submit a valid ID, reportedly due to privacy concerns and lack of parental control over children's ability to join social media. Under HB3, if platforms refuse to delete a minor’s account at the request of a parent or guardian, the platform could be fined $10,000 in damages per violation. Supporters of the bill claim that increased parental control over children’s platform usage will minimize online risks to mental health. The effectiveness of the new bill remains unclear, as state regulators claim that millions of underage children can still sign up for social media accounts by lying about their birth dates. Though the bill claims it will “protect the ability of Floridians to remain anonymous online,” critics argue that it violates the First Amendment by blocking access to speech online and would jeopardize sensitive personal data due to the bill’s mandate for social media platforms to collect data to verify age. NetChoice, an industry group representing Meta, TikTok, X, and other social media platforms, has threatened to sue the state to block the law, citing free speech concerns. Supporters of the bill claim that increased parental control over children’s platform usage will minimize online risks to mental health. The effectiveness of the new bill remains unclear, as state regulators claim that millions of underage children can still sign up for social media accounts by lying about their birth dates. Though the bill claims it will “protect the ability of Floridians to remain anonymous online,” critics argue that it violates the First Amendment by blocking access to speech online and would jeopardize sensitive personal data due to the bill’s mandate for social media platforms to collect data to verify age. NetChoice, an industry group representing Meta, TikTok, X, and other social media platforms, has threatened to sue the state to block the law, citing free speech concerns.

Cyber Safety Review Board releases report on Microsoft hack

The U.S. Cyber Safety Review Board (CSRB) released a report on China’s hack of Microsoft’s Exchange email service in May 2023, which led to the compromise of several U.S. federal agencies and organizations in the United Kingdom. The report describes “the cascade of Microsoft's avoidable errors that allowed this intrusion to succeed,” including a failure to properly close off a security key associated with a Microsoft Services Account that allowed the threat actors to expand the compromise. Microsoft moved quickly to shut down the intrusion once it was detected, however, the CSRB found that Microsoft’s security culture was lacking in the lead up to the attack. Microsoft failed to detect the attack itself and instead relied on the reporting of its customers, and also failed to correct misleading statements it made in the aftermath of the attack. The CSRB report also pushes for Microsoft to better prioritize security, writing, “the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management.” The 2023 attack the board was investigating had wide-ranging consequences, with Chinese hackers compromising the unclassified email accounts of Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns, among others. The hackers had access to the compromised email inboxes for at least six week and stole nearly sixty thousand emails from the State Department alone.

Center for Countering Digital Hate (CCDH) and MSI Reproductive Choices release report claiming Meta and Google promote abortion disinformation

The Center for Countering Digital Hate (CCDH) and MSI Reproductive Choices (formerly Marie Stopes International) released a report claiming that Meta and Google are restricting reproductive healthcare information in the Global South and failing to curb misinformation on reproductive health topics on their advertising platforms. MSI – a reproductive healthcare provider in thirty-seven countries – gathered evidence through interviews from their local teams in Bangladesh, Ghana, Kenya, Mexico, Nepal, Nigeria, South Africa, and Vietnam. The researchers claim that Meta-approved ads from anti-choice groups fuel conspiracy theories, such as the claim that abortion decriminalization efforts are financed by global powers to “eliminate” local populations.  Imran Ahmed, the CEO and Founder at CCDH, stated, “Social media companies mine users’ personal data in the Global South but take little care to protect local human rights and civil liberties.” The report recommends that platforms work with healthcare providers and provide actionable pathways to address misleading anti-choice rhetoric. Whitney Chinogwenya, MSI’s global marketing manager, emphasized that Facebook is the main place African women search for reproductive health information. Swift action from the identified platforms is critical to address these alleged issues, as the targeted communities already suffer from high maternal mortality rates. 

OpenAI discloses new voice engine model

OpenAI has announced a new text-to-voice software called Voice Engine. This new model, developed for two years and trained on publicly available data, requires only a fifteen-second voice clip to generate a synthetic copy of a voice, and can translate speech into many different languages, including English, Spanish, Swahili, and Sheng, a language commonly spoken in Kenya. OpenAI hopes the new model will provide myriad benefits, such as reading assistance to non-readers and children, translating content like videos and podcasts to expand businesses' and creators' reach globally, and helping patients suffering from degenerative speech conditions recover their voice. However, OpenAI does not plan to release the model publicly, citing concerns over the risk of deepfakes in synthetic technology during a major global election year. Additionally, the company is wary about the model’s potential misuse in accessing online banking accounts. OpenAI said it will implement voice authentication and safeguards to ensure deepfakes made with Voice Engine will be flagged before their release to the public. The company also suggested that implementing policies to protect people’s voices in AI, increased education on AI deepfakes, and decreased voice-based authentication access would bolster “societal resilience” against the potential consequences of the model. OpenAI's concerns about deepfakes perpetuating election disinformation follow an incident during the New Hampshire 2024 primary when voters received a deepfake of President Biden's voice urging residents not to vote. 

Google pledges to destroy incognito mode browsing data, settling a four-year lawsuit.

Google has agreed to destroy billions of records collected from Chrome browser users in incognito mode as part of a class-action lawsuit settlement. Chasom Brown, et al. v. Google, the original complaint, was brought against Google in 2020. The plaintiffs sought $5 billion in damages from Google for allegedly “misleading users by tracking their online activity in Chrome’s Incognito mode.” Class members will not receive any monetary compensation for damages. However, individuals may file claims for damage to Google in California state court, pending approval from Judge Yvonne Gonzalez Rogers of the U.S. District Court for the Northern District of California. Currently, fifty claims have been filed for damages. In addition to deleting browser data, Google has made changes to the incognito browser homepage and now discloses that users’ activity may be visible to websites visited, employers or schools, and their internet service providers. Google will also allow users to block third-party cookies for five years on incognito mode to prevent potential data collection on external websites.

Cecilia Marrinan is the intern for the Digital and Cyberspace Policy Program.