Parting glances

So Britain will soon wave off yet another prime minister; they’ve been dropping like flies ever since the 2016 Brexit vote. At the Guardian, John Crace snarks that come Remembrance Sunday they’ll need more space around the Cenotaph for all the former prime ministers (nine, plus whoever’s next).

I had hoped for two things from the Labour government elected in 2024: 1) an end to the Conservative psychodrama, and 2) that as a former human rights lawyer. Starmer would modulate the government’s approach to surveillance, AI, and Internet regulation. Instead, he has continued seamlessly the line taken by the Conservative governments before him – and reinvented failed policies from the Labour government of the 1990s.

The last almost-two years have seen Starmer’s government plan digital IDs, pursue implementing the 2023 Online Safety Act including age verification, continue awarding contracts to Palantir, embrace AI for government services despite known flaws undermining fairness and accuracy, increase the hostility in the immigration system, tolerate the spread of police use of live facial recognition without public discussion, and continue adding restrictions on protest. With his premiership under threat, last week he announced the social media ban. It obviously didn’t save him, if that was the purpose. Now, we wait to see if it is taken up by whoever’s next.

At Index on Censorship, Sally Gimson says the ban, “bypasses the benefits of the Internet for children without actually tackling the risks”. She goes on to note that many teens, having grown up with this technology, are more privacy-conscious than their parents and less likely to spread scams than their grandparents.

The UK government’s relationship with technology needs a rethink, preferably away from former prime minister Tony Blair and his AI advocacy. We could start where Starmer could have: with rights-based values. And by recognizing that if you can’t solve tough social and economic problems by randomly throwing new technologies at them, you can’t solve them with random restrictions either.

While Starmer was resigning, Dan Robinson reports at The Register, the Department for Culture, Media, and Sport issued a green paper proposing to require social media and video platforms to promote trustworthy media over other sources. In “trustworthy”, the paper includes the UK’s traditional public service broadcasters, plus…well, who?

The green paper says the criteria will be “decided in an open and transparent manner with regard to protecting media freedom”. It then suggests that the definition of news publishers in the Online Safety Act provides a useful starting point: “both broadcasters and UK based entities whose primary purpose is publishing news-related material, created by different persons, subject to editorial control, a standards code, and with a mechanism for resolving complaints”.

Under that definition, it seems like the Daily Mail, which Wikipedia editors deem unreliable, is in, and personal blogs are out. Probably so are independent sites like LondonCentric, which is run by a single highly experienced journalist but pays freelances and does prize-winning investigative work. News podcasts can just wonder if they exist. In the reactions summarized at Nieman Lab, public service broadcasters love it, publishers like it if they’re included, and platforms say it’s unfair. Public comments are open.

Two things are interesting about the Wikipedia list. First, it is an ongoing collaborative effort. Second, the record of its construction shows that the contributors understand that an outlet may be trustworthy on some subjects and not others, deserve reevaluation over time, and vary according to topic and means of creation (see for example the comment about BusinessInsider’s AI-generated and syndicated content). Of course, Wikipedia is different. DCMS wants to improve the nation’s information diet. Wikipedia is merely trying to ensure that the sources cited for facts in the encyclopedia are reliable.

While I understand the dangers of a world choked with misinformation and disinformation, this definition sounds like an attempt to return to the old world of gatekeepers who, even if they couldn’t be trusted to keep the government’s secrets, were *familiar*. The Internet and other technologies have brought, for good and ill, the ability to publish and distribute to people who were previously unheard.

As the 2024 report from the Reuters Insitute says, news has no single trust problem (and therefore no single solution). Misinformation and disinformation are only a part.

For its report, Reuters convened 41 focus groups across Brazil, India, the UK, and the US, drawing participants from audiences who have been historically underserved, marginalized, or harmed by reporting. Previous work had already found generalized suspicion of all news media; the focus groups showed that these participants’r distrust was based in their history and the price was personal.

In last week’s 2026 report Reuters found that use of all media for news, even online news and social media, is declining, but at different rates – newspapers are fading faster than TV, for example. Reuters also found that in every country a “small but significant” minority say they use no news sources at all.

Starmer did some good things, as Jonathan Freedland writes at the Guardian, and none of this is what brought him down. But it’s an opportunity for the next guy.

Illustrations: Keir Starmer, passing the photographs of former prime ministers he is about to join (via Wikimedia.

Wendy M. Grossman is an award-winning journalist. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. She is a contributing editor for the Plutopia News Network podcast. Follow on Mastodon or Bluesky.

Banned

Some policies are popular until people examine the details. This may be happening with social media bans like the one UK prime minister Keir Starmer announced this week. It will prohibit under-16s from using the main social media platforms or livestreaming, ban under-18s from using “romantic simulation” chatbots, and limit strangers’ ability to contact under-16s via direct messaging on gaming platforms. More detail will come in July; the government will also consider imposing a nightly curfew and requiring breaks in scrolling for under-18s. As so often, it’s possible to support the goals of policy proposals while disagreeing with the proposals themselves.

The BBC reports that 90% of the parents who responded to the recent consultation backed the ban (although the panel survey report is less clear-cut). Yet Ofcom’s May 2026 report shows more nuance: more than half of parents agree that the benefits of being online outweigh the risks. Narrowing that to social media use, 46% of parents still think the benefits outweigh the risks, dropping to 33% for parents of eight to 12-year-olds.

The move has been met with some skepticism from Cambridge psychologists, and even from some veteran child safety campaigners such as Jim Gamble.

The BBC reports that Ian Russell, the father of Molly Russell, a 14-year-old whose suicide in 2017 was attributed to viewing harmful content online, has called the ban a blunt instrument that will merely cause more problems. Russell argues for more thought, less haste.

At his blog, Lewis Goodall connects the haste to Starmer’s government’s precarity, which he thinks may doom the policy despite widespread concern about children online. Goodall, too, isn’t sure it’s the right policy. As we’ve also noted here before, this government is simultaneously pushing to lower the voting age to 16. At ConservativeHome, John Oxley points out the absurdity of banning these new voters from accessing social media to look up candidates’ policies. The teens the Guardian interviewed varied in their views.

It’s also true that today’s teens have less independence and fewer options for offline socializing than older generations did. As Alec Muffett writes on Bluesky, you cannot force 2020s children into 1980s childhoods because so much infrastructure is gone. When you take away online interaction, what’s left?

The Open Rights Group recaps 13 years of online child safety measures, beginning with ISP and mobile network filters in 2013 and ending with this week’s announcements. ORG argues that taking a systems view shows that these escalating online safety measures leave the underlying problem untouched: the feedback loop that ought to drive users away when they encounter awful content is broken.

Because Australia was the first country to implement a social media ban, it’s the model everyone looks at. There’s been a lot of discussion about whether the ban “works”, based on how well it’s keeping teens off social media. A survey of Australian parents found that two-thirds of teens still have social media accounts. Other research says that of those who’ve lost their accounts, half say the ban limits their access to news.

But is that what we should mean by “work”? By that standard, testing someone for allergies by eliminating specific foods would “work” if the person didn’t consume them. But what we want to know is whether the person is actually allergic to those foods, or, by analogy, whether the ban remediates the harms – depression, anxiety, and other mental health issues – that politicians claim to be worried about. A social media ban sounds simple; addressing climate change, the state of the economy, the cost of education, and the fear that there will be no jobs is hard.

ORG contends that enabling people to move between social networks at will, improving competition, and breaking up the platforms would do more to counter online harms than the present approach. This week also provided an example of how not to do this.

The newly launched, fully European social network “W Social” is based on the AT protocol that powers Bluesky, and limited to identified humans. Per Euronews, W Social is a privately owned Swedish startup whose investors are other European companies. In order to apply for an account, you must first provide to W Identity, a separate entity, your name, date of birth, phone number, address, passport, and photo. You then give permission to W Identity to give W Social your account number, date of birth, and passport country. You can only have one account.

Although Anna Zeiter, the Swiss CEO of W, which is a subsidiary of Sweden-based climate action platform We Don’t Have Time, is described as a “privacy expert”, the amount and sensitivity of the information being demanded is disproportionate, especially as there is barely any declining, especially among young people. What if they created a ban and nobody came?

Illustrations: Children swimming in the summer, by Japanese artist Ando Hiroshige, 1797-1858 (via Smithsonian collection.

Wendy M. Grossman is an award-winning journalist. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. She is a contributing editor for the Plutopia News Network podcast. Follow on Mastodon or Bluesky.

Technology distinguishable from magic

This week, a regional court in Munich issued what may be a landmark decision: it ruled that Google is liable for the content of its “AI Overviews”. The court was careful to distinguish between these, which Google’s algorithms generate, and search results, which link to content on third-party websites Google does not control. In other words, Google owns its own mistakes. The court awarded 80% of costs to the plaintiffs, two Munich-based publishers who claimed that the company spread damaging false information about them by linking them to scams in these AI-generated summaries.

As Max Bastian writes at Decoder, the ruling could set precedents for other companies. Google has yet to comment, but presumably will appeal. Away from AI is certainly not the direction the company wants to go; it’s spent the last couple of years building generative AI more and more deeply into its search, hoping to keep users locked in instead of chasing off to other sites. (Ironically, bouncing users off to other sites was the reason Yahoo refused to buy it in 1998, when the received business model was keeping users on your own site as long as possible.)

Google tried to argue that users should do their own fact-checking. But, as the court seems to have understood, where search results send you to the source page, AI Overviews look complete and don’t always offer sourcing to check. A study conducted for the New York Times found in an analysis of more than 4,000 searches that AI Overviews produced using the Gemini 2 model were accurate 85% of the time, rising to 91% when using Gemini 3 – about average for these systems. Enter the Law of Truly Large Numbers: 91% only sounds pretty good until you multiply the remaining 9% by billions to calculate the millions of wrong answers being disseminated every single day. Oumi, the startup that performed the analysis, found the AI Overviews included sources such as Facebook and Reddit posts, drew incorrect information even from authoritative sources, and are prone to manipulation. The article notes that Google disputes the analysis, saying that the benchmarks were developed by OpenAI and themselves contain inaccuracies.

The Munich court ordered Google to stop repeating the claims about the publishers, and awarded the publishers 80% of costs. It also rejected Google’s attempt to frame the issue as one of freedom of speech, calling the AI Overviews, “above all an expression of Google’s business activities”.

One reason the judge’s ruling is so significant is that most approaches for dealing with misinformation that have been mooted to date are at human, instead of computer, scale. Fact-checking, for example, while valuable, moves very, very slowly, one claim at a time. If the ruling stands, it will help tackle this type of misinformation at source.

***

Politicians like to talk as if the moon they want is available if the industry would just stop being obstructive. With AI’s capabilities in headlines everywhere, they are now demanding that phones should block children from taking, viewing, or sharing nude photos. This is the policy Keir Starmer announced this week in a speech, based on claims from the British company SafetoNet. The government has since provided more detail. Mic Wright has a round-up of press reactions. At the Daily Telegraph, Big Brother Watch director Silkie Carlo provides a strong civil liberties objection.

So far, neither Apple nor Google has said much. At New Scientist, Chris Stokel-Walker notes that both companies already have some controls in place, but spreading them through third-party apps poses challenges, especially as some phones’ operating systems aren’t recent enough to have the more sophisticated parental controls in the first place.

The moral may be: if you tell people your technology is magic, don’t be surprised when they expect it to *be* magic.

***

This week I had to verify my identity for Companies House. This is supposed to be a straightforward matter of creating a Gov One login, entering some details of a government-issued ID, and uploading a photo. The website was discontented: it couldn’t find my address, (is my century-old home too old to be in the database?), and didn’t accept the details I entered. Eventually, it offered two alternatives: use a phone app, or present myself in person at a preselected post office.

The app balked. It couldn’t open its links even though I’d authorized it. So, in this year of two thousand and twenty-six I got on a train to go to the nearest remaining post office that could perform the necessary rituals to show them first a QR code to access my application and then the ID, whose information is digitally held but had to be retyped on the post office tablet, and finally pose for a photo for the system – not the post office human – to compare and match. Some of those steps took several tries to mollify the system. Naturally, they don’t report whether you’ve passed until after you’ve gone home.

These are the people who want to create a digital ID infrastructure. I can only assume that if they ever get that system up and running actually using it will involve faxing things because by then all the post offices will be gone.

Illustrations: “The Magic Lantern”, by Auguste Edouart, circa 1835 (via The Met); at one time we thought that technology was magic.

Also this week:
At the Plutopia podcast, we talk to about her new book, Bad Influence.
The TechGrumps podcast episode, 3.41: The KardashElons of AI.

Wendy M. Grossman is an award-winning journalist. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. She is a contributing editor for the Plutopia News Network podcast. Follow on Mastodon or Bluesky.

The Sutton effect

One of the enduring questions in cybersecurity is how much failures cost and who pays. Many companies see cybersecurity as a cost with no return; as in housekeeping only the failures are noticeable.

Certainly, a data breach, bungled software update, or ransomware attack can ding a company’s share price in the short term – but a year later, often they seem to have fully recovered. Meanwhile, the company’s customers may have spent hours monitoring credit reports, replacing credit cards, and other admin to remediate the effects.

Take, for example, Crowdstrike. In July 2024, it rolled out a buggy software update to all its 29,000 clients, many of them large businesses. One of those was Microsoft, which automagically incorporated it into Windows. Result: widespread paralysis. Crowdstrike fixed the error in 79 minutes; it took the rest of the world days to fully recover as each affected machine had to be manually restarted.

The company’s shares soon recovered. In November 2024, Matt Kapko reported at Cybersecurity Dive that the company had retained almost all its customers (which could just be a sign of dangerous market concentration). Similarly, the 2017 Equifax breach didn’t move it out of the heart of consumer credit scoring.

Soon after the Crowdstrike outage, David Jones reported at Cybersecurity Drive estimates that it had cost Fortune 500 companies a collective $5.4 billion, and that only 10% to 20% of that was covered by insurance. At the same time, at Bank Info Security, Matthew J. Schwartz estimated the cost to cyberinsurers at $1.5 billion.

But what about the patients unable to book doctors’ appointments, the airline crews who lost work, the train passengers stuck on platforms? Or, in a data breach, the years-long worry about where the data is now and how it’s being used.

Cyberattacks on companies leave us with what Ryan Calo and Veronica Paternolli called “shadow work” at We Robot a couple of months ago. They proposed that agentic AI might be able to reverse 30 years of companies offloading work onto us. You might – though I doubt it – be able to trust agentic AI to automate generating requests for refunds and new credit cards or rebooking canceled airline flights. But no way will it enable you to recoup the lost hours in an airport, the stress of being unsure what happened, or the ongoing consequences of identity theft.

At this week’s Workshop on the Economics of Information Security, University of Michigan researchers Lina Alkarmi, Armin Sarabi, and Mingyan Liu called these imposed indirect costs the “social cost” of data breaches and noted that typically none of it is measured. In two of the three breaches they studied, their math indicated that the eventual settlements the companies paid to consumers was below their estimate of the lower bound of the actual cost.

An odd finding from their study of three major breaches is that the social cost dropped over the period they studied, 2008-2021. They suggest that the 2015 introduction (in the US) of chip and PIN helped lower the utility of the stolen data. They also surmise that the later breaches added less to an already-saturated black market for data. There is doubtless a lot more work to do on this. Nonetheless, they estimate the national social cost at $7 billion in 2021, for an average per victim of nearly $300.

In a second paper, University of Tulsa researchers Teyyub Mutallimov, Dana Itzhaki, and Tyler Moore examined the long-term impact on corporate results following cyber attacks, looking at financial statements rather than share prices There, it seems that companies don’t recover as fully as you might think. Depending on the type of attack – data breaches trigger financing and investment; ransomware attacks are operationally disruptive. Both involve ongoing costs: remediation, system upgrades, external advice, potentially legal settlements.

In the meantime, it remains unclear whether generative AI will be a net win or a net loss for cybersecurity – finding vulnerabilities, as Anthropic claims Claude Mythos does, exposes them to attackers, although it also offers developers an opportunity to close them (I recall a similar panic in 1995 when Dan Farmer released SATAN). A 2025 report from the Turing Institute found that AI had begun to accelerate crime by enabling it to scale more effectively and exploit personal vulnerabilities. In January, Carly Page reported at The Register that the cost to criminals of renting AI infrastructure was as cheap as a Netflix subscription, based on a paper from researchers at Group-IB. Self-hosted “dark LLMs” are optimized for creating scams and deepfakes for as little as $30 a month.

However, at WEIS, in another paper, Ben Collier, Jack Hughes, and Daniel Thomas studied vibe coding’s early impact on the cybercrime business. So far, they found, it doesn’t seem to be making much change; it’s not yet time to fear “vibercriminals”. One could even imagine that over time generative AI could disrupt the junior-level pipeline that produces senior, skilled workers, as it’s doing in other industries. On the other hand, there’s already long been a lot of automation at the lower levels. So, wash? But if something works, crime will adopt it. Cue Willie Sutton, whose name was invoked at WEIS several times to explain why people pursue cybercrime: “That’s where the money is.”

Illustrations: Willie Sutton (via FBI).

Wendy M. Grossman is an award-winning journalist. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. She is a contributing editor for the Plutopia News Network podcast. Follow on Mastodon or Bluesky.