California Governor Gavin Newsom has signed legislation that institutes penalties for nonconsensual, sexually explicit digital videos, tagged deep fakes.
The legislation, Assembly Bill 602, targets companies and individuals who create and distribute the videos in California without the consent of the individual being depicted.
The issue is particularly pertinent in California as Hollywood and US TV stars are very much those targeted by the deep fakers.
The Screen Actors Guild-American Federation of Television and Radio Artists (SAG-AFTRA) is a union representing many of the film and TV stars.
SAG-AFTRA has commended California Newsom for signing the legislation into law. The group said that the legislation was meaningful recourse for the victims, many of whom are members of SAG-AFTRA. The group's president Gabrielle Carteris said:
We are absolutely thrilled that Gov. Newsom stood by the victims, most of whom are women, of nonconsensual pornography by signing AB 602 into law. I want to thank the governor; the bill's authors, Assembly member Marc Berman and Sen. Connie
Leyva; and all the California lawmakers who unanimously voted for this legislation. AB 602 is a victory for all Californians. Deepfake technology can be weaponized against any person. Every person deserves the basic human right to live free from
image-based sexual abuse.
Update: A second deep fake bill protects politicians from having words put in their mouths
Governor Gavin Newsom in fact signed two bills into law that limit what people can do with deep fakes. The second law makes it illegal to make and distribute a malicious deep fake of a politician within two months of an election.
Presumably the lawmakers are worrying that politicians can be depicted as saying thing that they did not in fact say.
However this bill seems a little ahead of its time as deep fakes are not really being used for this reason so far. A new report by DeepTrace, a company that builds tools to spot synthetic media. The company says that it has identified 14,678
deepfakes on the internet but most of them weren't created to mess with elections. In fact 96% of the deepfakes were still plain old fake porn.
Facebook has quietly rescinded a policy banning false claims in advertising, creating a specific exemption that leaves political adverts unconstrained regarding how they could mislead or deceive.
Facebook had previously banned adverts containing deceptive, false or misleading content, a much stronger restriction than its general rules around Facebook posts. But, as reported by the journalist Judd Legum , in the last week the rules have
narrowed considerably, only banning adverts that include claims debunked by third-party fact-checkers, or, in certain circumstances, claims debunked by organisations with particular expertise.
A separate policy introduced by the social network recently declared opinion pieces and satire ineligible for verification, including any website or page with the primary purpose of expressing the opinion or agenda of a political figure. The end
result is that any direct statement from a candidate or campaign cannot be fact-checked and so is automatically exempted from policies designed to prevent misinformation. (After the publication of this story, Facebook clarified that only
politicians currently in office or running for office, and political parties, are exempt: other political adverts still need to be true.)
Home Secretary Priti Patel has signed an historic agreement that will enable British law enforcement agencies to directly demand electronic data relating to terrorists, child sexual abusers and other serious criminals from US tech firms.
The world-first UK-US Bilateral Data Access Agreement will dramatically speed up investigations and prosecutions by enabling law enforcement, with appropriate authorisation, to go directly to the tech companies to access data, rather than through
governments, which can take years.
The Agreement was signed with US Attorney General William P. Barr in Washington DC, where the Home Secretary also met security partners to discuss the two countries' ever deeper cooperation and global leadership on security.
The current process, which see requests for communications data from law enforcement agencies submitted and approved by central governments via Mutual Legal Assistance (MLA), can often take anywhere from six months to two years. Once in place,
the Agreement will see the process reduced to a matter of weeks or even days.
The US will have reciprocal access, under a US court order, to data from UK communication service providers. The UK has obtained assurances which are in line with the government's continued opposition to the death penalty in all circumstances.
Any request for data must be made under an authorisation in accordance with the legislation of the country making the request and will be subject to independent oversight or review by a court, judge, magistrate or other independent authority.
The Agreement does not change anything about the way companies can use encryption and does not stop companies from encrypting data.
It gives effect to the Crime (Overseas Production Orders) Act 2019, which received Royal Assent in February this year and was facilitated by the CLOUD Act in America, passed last year.
Letter to Mark Zuckerberg asking him not to keep his internet users safe through encrypted messages
The Home Secretary has also published an open letter to Facebook, co-signed with US Attorney General William P. Barr, Acting US Homeland Security Secretary Kevin McAleenan and Australia's Minister for Home Affairs Peter Dutton, outlining serious
concerns with the company's plans to implement end-to-end encryption across its messaging services. The letter reads:
Dear Mr. Zuckerberg,
We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to
the content of communications to protect our citizens.
In your post of 6 March 2019, 'A Privacy-Focused Vision for Social Networking', you acknowledged that "there are real safety concerns to address before we can implement end-to-end encryption across all our messaging services." You
stated that "we have a responsibility to work with law enforcement and to help prevent" the use of Facebook for things like child sexual exploitation, terrorism, and extortion. We welcome this commitment to consultation. As you know,
our governments have engaged with Facebook on this issue, and some of us have written to you to express our views. Unfortunately, Facebook has not committed to address our serious concerns about the impact its proposals could have on protecting
our most vulnerable citizens.
We support strong encryption, which is used by billions of people every day for services such as banking, commerce, and communications. We also respect promises made by technology companies to protect users' data. Law abiding citizens have a
legitimate expectation that their privacy will be protected. However, as your March blog post recognized, we must ensure that technology companies protect their users and others affected by their users' online activities. Security enhancements
to the virtual world should not make us more vulnerable in the physical world. We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public,
investigate crimes, and prevent future criminal activity. Not doing so hinders our law enforcement agencies' ability to stop criminals and abusers in their tracks.
Companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes. This puts our citizens and societies at risk by severely eroding a company's ability
to detect and respond to illegal content and activity, such as child sexual exploitation and abuse, terrorism, and foreign adversaries' attempts to undermine democratic values and institutions, preventing the prosecution of offenders and
safeguarding of victims. It also impedes law enforcement's ability to investigate these and other serious crimes.
Risks to public safety from Facebook's proposals are exacerbated in the context of a single platform that would combine inaccessible messaging services with open profiles, providing unique routes for prospective offenders to identify and groom
Facebook currently undertakes significant work to identify and tackle the most serious illegal content and activity by enforcing your community standards. In 2018, Facebook made 16.8 million reports to the US National Center for Missing &
Exploited Children (NCMEC) -- more than 90% of the 18.4 million total reports that year. As well as child abuse imagery, these referrals include more than 8,000 reports related to attempts by offenders to meet children online and groom or entice
them into sharing indecent imagery or meeting in real life. The UK National Crime Agency (NCA) estimates that, last year, NCMEC reporting from Facebook will have resulted in more than 2,500 arrests by UK law enforcement and almost 3,000 children
safeguarded in the UK. Your transparency reports show that Facebook also acted against 26 million pieces of terrorist content between October 2017 and March 2019. More than 99% of the content Facebook takes action against -- both for child
sexual exploitation and terrorism -- is identified by your safety systems, rather than by reports from users.
While these statistics are remarkable, mere numbers cannot capture the significance of the harm to children. To take one example, Facebook sent a priority report to NCMEC, having identified a child who had sent self-produced child sexual abuse
material to an adult male. Facebook located multiple chats between the two that indicated historical and ongoing sexual abuse. When investigators were able to locate and interview the child, she reported that the adult had sexually abused her
hundreds of times over the course of four years, starting when she was 11. He also regularly demanded that she send him sexually explicit imagery of herself. The offender, who had held a position of trust with the child, was sentenced to 18
years in prison. Without the information from Facebook, abuse of this girl might be continuing to this day.
Our understanding is that much of this activity, which is critical to protecting children and fighting terrorism, will no longer be possible if Facebook implements its proposals as planned. NCMEC estimates that 70% of Facebook's reporting -- 12
million reports globally -- would be lost. This would significantly increase the risk of child sexual exploitation or other serious harms. You have said yourself that "we face an inherent tradeoff because we will never find all of the
potential harm we do today when our security systems can see the messages themselves". While this trade-off has not been quantified, we are very concerned that the right balance is not being struck, which would make your platform an unsafe
space, including for children.
Equally important to Facebook's own work to act against illegal activity, law enforcement rely on obtaining the content of communications, under appropriate legal authorisation, to save lives, enable criminals to be brought to justice, and
exonerate the innocent.
We therefore call on Facebook and other companies to take the following steps:
embed the safety of the public in system designs, thereby enabling you to continue to act against illegal content effectively with no reduction to safety, and facilitating the prosecution of offenders and safeguarding of victims
enable law enforcement to obtain lawful access to content in a readable and usable format
engage in consultation with governments to facilitate this in a way that is substantive and genuinely influences your design decisions
not implement the proposed changes until you can ensure that the systems you would apply to maintain the safety of your users are fully tested and operational
We are committed to working with you to focus on reasonable proposals that will allow Facebook and our governments to protect your users and the public, while protecting their privacy. Our technical experts are confident that we can do so while
defending cyber security and supporting technological innovation. We will take an open and balanced approach in line with the joint statement of principles signed by the governments of the US, UK, Australia, New Zealand, and Canada in August
2018 and the subsequent communique agreed in July this year .
As you have recognised, it is critical to get this right for the future of the internet. Children's safety and law enforcement's ability to bring criminals to justice must not be the ultimate cost of Facebook taking forward these proposals.
Rt Hon Priti Patel MP, United Kingdom Secretary of State for the Home Department
William P. Barr, United States Attorney General
Kevin K. McAleenan, United States Secretary of Homeland Security (Acting)
Hon Peter Dutton MP, Australian Minister for Home Affairs
This is a staggering attempt to undermine the security and privacy of communications tools used by billions of people. Facebook should not comply. The letter comes in concert with the signing of a new agreement between the US and UK to provide
access to allow law enforcement in one jurisdiction to more easily obtain electronic data stored in the other jurisdiction. But the letter to Facebook goes much further: law enforcement and national security agencies in these three countries are
asking for nothing less than access to every conversation that crosses every digital device.
The letter focuses on the challenges of investigating the most serious crimes committed using digital tools, including child exploitation, but it ignores the severe risks that introducing encryption backdoors would create. Many people--including
journalists, human rights activists, and those at risk of abuse by intimate partners--use encryption to stay safe in the physical world as well as the online one. And encryption is central to preventing criminals and even corporations from spying
on our private conversations, and to ensure that the communications infrastructure we rely on
is truly working as intended . What's more, the backdoors into encrypted communications sought by these governments would be available not just to governments with a supposedly functional rule of law. Facebook and others would face immense
pressure to also provide them to authoritarian regimes, who might seek to spy on dissidents in the name of combatting terrorism or civil unrest, for example.
We would like to bring to your attention an issue that is of concern to all our organizations. Google is beginning to implement encrypted Domain Name System lookups into its Chrome browser and Android operating system through a new protocol for
wireline and wireless service, known as DNS over HTTPS (DoH). If not coordinated with others in the internet ecosystem, this could interfere on a mass scale with critical internet functions, as well as raise data competition issues. We ask that
the Committee seek detailed information from Google about its current and future plans and timetable for implementing encrypted DNS lookups, as well as a commitment not to centralize DNS lookups by default in Chrome or Android without first
meeting with others in the internet ecosystem, addressing the implications of browser- and operating-system-based DNS lookups, and reaching consensus on implementation issues surrounding encrypted DNS.
Google is unilaterally moving forward with centralizing encrypted domain name requests within Chrome and Android, rather than having DNS queries dispersed amongst hundreds of providers. When a consumer or enterprise uses Google's Android phones
or Chrome web browser, Android or Chrome would make Google the encrypted DNS lookup provider by default and most consumers would have limited practical knowledge or ability to detect or reject that choice. Because the majority of worldwide
internet traffic (both wired and wireless) runs through the Chrome browser or the Android operating system, Google could become the overwhelmingly predominant DNS lookup provider.
While we recognize the potential positive effects of encryption, we are concerned about the potential for default, centralized resolution of DNS queries, and the collection of the majority of worldwide DNS data by a single, global internet
company. By interposing itself between DNS providers and the users of the Chrome browser (> 60% worldwide share) and Android phones (> 80% worldwide share of mobile operating systems), Google would acquire greater control over user data
across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries
Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others. Over the last several decades, DNS has been used to build
other critical internet features and functionality including: (a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the
fastest, cheapest, and most reliable manner; and (c) assisting rights holders' and law enforcement's efforts in enforcing judicial orders in combatting online piracy, as well as law enforcement's efforts in enforcing judicial orders in combatting
the exploitation of minors. Google's centralization of DNS would bypass these critical features, undermining important consumer services and protections, and likely resulting in confusion because consumers will not understand why these features
are no longer working. This centralization also raises serious cybersecurity risks and creates a single point of failure for global Internet services that is fundamentally at odds with the decentralized architecture of the internet. By limiting
the ability to spot network threat indicators, it would also undermine federal government and private sector efforts to use DNS information to mitigate cybersecurity risks.
For these reasons, we ask that the Committee call upon Google not to impose centralized, encrypted DNS as a default standard in Chrome and Android. Instead, Google should follow the Internet Engineering Task Force best practice of fully vetting
internet standards, and the internet community should work together to build consensus to ensure that encrypted DNS is implemented in a decentralized way that maximizes consumer welfare and avoids the disruption to essential services identified
The Internet & Television Association
The Broadband Association