Banned

Some policies are popular until people examine the details. This may be happening with social media bans like the one UK prime minister Keir Starmer announced this week. It will prohibit under-16s from using the main social media platforms or livestreaming, ban under-18s from using “romantic simulation” chatbots, and limit strangers’ ability to contact under-16s via direct messaging on gaming platforms. More detail will come in July; the government will also consider imposing a nightly curfew and requiring breaks in scrolling for under-18s. As so often, it’s possible to support the goals of policy proposals while disagreeing with the proposals themselves.

The BBC reports that 90% of the parents who responded to the recent consultation backed the ban (although the panel survey report is less clear-cut). Yet Ofcom’s May 2026 report shows more nuance: more than half of parents agree that the benefits of being online outweigh the risks. Narrowing that to social media use, 46% of parents still think the benefits outweigh the risks, dropping to 33% for parents of eight to 12-year-olds.

The move has been met with some skepticism from Cambridge psychologists, and even from some veteran child safety campaigners such as Jim Gamble.

The BBC reports that Ian Russell, the father of Molly Russell, a 14-year-old whose suicide in 2017 was attributed to viewing harmful content online, has called the ban a blunt instrument that will merely cause more problems. Russell argues for more thought, less haste.

At his blog, Lewis Goodall connects the haste to Starmer’s government’s precarity, which he thinks may doom the policy despite widespread concern about children online. Goodall, too, isn’t sure it’s the right policy. As we’ve also noted here before, this government is simultaneously pushing to lower the voting age to 16. At ConservativeHome, John Oxley points out the absurdity of banning these new voters from accessing social media to look up candidates’ policies. The teens the Guardian interviewed varied in their views.

It’s also true that today’s teens have less independence and fewer options for offline socializing than older generations did. As Alec Muffett writes on Bluesky, you cannot force 2020s children into 1980s childhoods because so much infrastructure is gone. When you take away online interaction, what’s left?

The Open Rights Group recaps 13 years of online child safety measures, beginning with ISP and mobile network filters in 2013 and ending with this week’s announcements. ORG argues that taking a systems view shows that these escalating online safety measures leave the underlying problem untouched: the feedback loop that ought to drive users away when they encounter awful content is broken.

Because Australia was the first country to implement a social media ban, it’s the model everyone looks at. There’s been a lot of discussion about whether the ban “works”, based on how well it’s keeping teens off social media. A survey of Australian parents found that two-thirds of teens still have social media accounts. Other research says that of those who’ve lost their accounts, half say the ban limits their access to news.

But is that what we should mean by “work”? By that standard, testing someone for allergies by eliminating specific foods would “work” if the person didn’t consume them. But what we want to know is whether the person is actually allergic to those foods, or, by analogy, whether the ban remediates the harms – depression, anxiety, and other mental health issues – that politicians claim to be worried about. A social media ban sounds simple; addressing climate change, the state of the economy, the cost of education, and the fear that there will be no jobs is hard.

ORG contends that enabling people to move between social networks at will, improving competition, and breaking up the platforms would do more to counter online harms than the present approach. This week also provided an example of how not to do this.

The newly launched, fully European social network “W Social” is based on the AT protocol that powers Bluesky, and limited to identified humans. Per Euronews, W Social is a privately owned Swedish startup whose investors are other European companies. In order to apply for an account, you must first provide to W Identity, a separate entity, your name, date of birth, phone number, address, passport, and photo. You then give permission to W Identity to give W Social your account number, date of birth, and passport country. You can only have one account.

Although Anna Zeiter, the Swiss CEO of W, which is a subsidiary of Sweden-based climate action platform We Don’t Have Time, is described as a “privacy expert”, the amount and sensitivity of the information being demanded is disproportionate, especially as there is barely any declining, especially among young people. What if they created a ban and nobody came?

Illustrations: Children swimming in the summer, by Japanese artist Ando Hiroshige, 1797-1858 (via Smithsonian collection).

Wendy M. Grossman is an award-winning journalist. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. She is a contributing editor for the Plutopia News Network podcast. Follow on Mastodon or Bluesky.

Technology distinguishable from magic

This week, a regional court in Munich issued what may be a landmark decision: it ruled that Google is liable for the content of its “AI Overviews”. The court was careful to distinguish between these, which Google’s algorithms generate, and search results, which link to content on third-party websites Google does not control. In other words, Google owns its own mistakes. The court awarded 80% of costs to the plaintiffs, two Munich-based publishers who claimed that the company spread damaging false information about them by linking them to scams in these AI-generated summaries.

As Max Bastian writes at Decoder, the ruling could set precedents for other companies. Google has yet to comment, but presumably will appeal. Away from AI is certainly not the direction the company wants to go; it’s spent the last couple of years building generative AI more and more deeply into its search, hoping to keep users locked in instead of chasing off to other sites. (Ironically, bouncing users off to other sites was the reason Yahoo refused to buy it in 1998, when the received business model was keeping users on your own site as long as possible.)

Google tried to argue that users should do their own fact-checking. But, as the court seems to have understood, where search results send you to the source page, AI Overviews look complete and don’t always offer sourcing to check. A study conducted for the New York Times found in an analysis of more than 4,000 searches that AI Overviews produced using the Gemini 2 model were accurate 85% of the time, rising to 91% when using Gemini 3 – about average for these systems. Enter the Law of Truly Large Numbers: 91% only sounds pretty good until you multiply the remaining 9% by billions to calculate the millions of wrong answers being disseminated every single day. Oumi, the startup that performed the analysis, found the AI Overviews included sources such as Facebook and Reddit posts, drew incorrect information even from authoritative sources, and are prone to manipulation. The article notes that Google disputes the analysis, saying that the benchmarks were developed by OpenAI and themselves contain inaccuracies.

The Munich court ordered Google to stop repeating the claims about the publishers, and awarded the publishers 80% of costs. It also rejected Google’s attempt to frame the issue as one of freedom of speech, calling the AI Overviews “above all an expression of Google’s business activities”.

One reason the judge’s ruling is so significant is that most approaches for dealing with misinformation that have been mooted to date are at human, instead of computer, scale. Fact-checking, for example, while valuable, moves very, very slowly, one claim at a time. If the ruling stands, it will help tackle this type of misinformation at source.

***

Politicians like to talk as if the moon they want is available if the industry would just stop being obstructive. With AI’s capabilities in headlines everywhere, they are now demanding that phones should block children from taking, viewing, or sharing nude photos. This is the policy Keir Starmer announced this week in a speech, based on claims from the British company SafetoNet. The government has since provided more detail. Mic Wright has a round-up of press reactions. At the Daily Telegraph, Big Brother Watch director Silkie Carlo provides a strong civil liberties objection.

So far, neither Apple nor Google has said much. At New Scientist, Chris Stokel-Walker notes that both companies already have some controls in place, but spreading them through third-party apps poses challenges, especially as some phones’ operating systems aren’t recent enough to have the more sophisticated parental controls in the first place.

The moral may be: if you tell people your technology is magic, don’t be surprised when they expect it to *be* magic.

***

This week I had to verify my identity for Companies House. This is supposed to be a straightforward matter of creating a Gov One login, entering some details of a government-issued ID, and uploading a photo. The website was discontented: it couldn’t find my address (is my century-old home too old to be in the database?), and didn’t accept the details I entered. Eventually, it offered two alternatives: use a phone app, or present myself in person at a preselected post office.

The app balked. It couldn’t open its links even though I’d authorized it. So, in this year of two thousand and twenty-six I got on a train to go to the nearest remaining post office that could perform the necessary rituals to show them first a QR code to access my application and then the ID, whose information is digitally held but had to be retyped on the post office tablet, and finally pose for a photo for the system – not the post office human – to compare and match. Some of those steps took several tries to mollify the system. Naturally, they don’t report whether you’ve passed until after you’ve gone home.

These are the people who want to create a digital ID infrastructure. I can only assume that if they ever get that system up and running, actually using it will involve faxing things because by then all the post offices will be gone.

Illustrations: “The Magic Lantern”, by Auguste Edouart, circa 1835 (via The Met); at one time we thought that technology was magic.

Also this week:
At the Plutopia podcast, we talk to about her new book, Bad Influence.
The TechGrumps podcast episode, 3.41: The KardashElons of AI.

The Sutton effect

One of the enduring questions in cybersecurity is how much failures cost and who pays. Many companies see cybersecurity as a cost with no return; as in housekeeping, only the failures are noticeable.

Certainly, a data breach, bungled software update, or ransomware attack can ding a company’s share price in the short term – but a year later, often they seem to have fully recovered. Meanwhile, the company’s customers may have spent hours monitoring credit reports, replacing credit cards, and other admin to remediate the effects.

Take, for example, CrowdStrike. In July 2024, it rolled out a buggy software update to all its 29,000 clients, many of them large businesses. One of those was Microsoft, which automagically incorporated it into Windows. Result: widespread paralysis. CrowdStrike fixed the error in 79 minutes; it took the rest of the world days to fully recover as each affected machine had to be manually restarted.

The company’s shares soon recovered. In November 2024, Matt Kapko reported at Cybersecurity Dive that the company had retained almost all its customers (which could just be a sign of dangerous market concentration). Similarly, the 2017 Equifax breach didn’t move it out of the heart of consumer credit scoring.

Soon after the CrowdStrike outage, David Jones reported at Cybersecurity Dive estimates that it had cost Fortune 500 companies a collective $5.4 billion, and that only 10% to 20% of that was covered by insurance. At the same time, at Bank Info Security, Matthew J. Schwartz estimated the cost to cyberinsurers at $1.5 billion.

But what about the patients unable to book doctors’ appointments, the airline crews who lost work, the train passengers stuck on platforms? Or, in a data breach, the years-long worry about where the data is now and how it’s being used?

Cyberattacks on companies leave us with what Ryan Calo and Veronica Paternolli called “shadow work” at We Robot a couple of months ago. They proposed that agentic AI might be able to reverse 30 years of companies offloading work onto us. You might – though I doubt it – be able to trust agentic AI to automate generating requests for refunds and new credit cards or rebooking canceled airline flights. But no way will it enable you to recoup the lost hours in an airport, the stress of being unsure what happened, or the ongoing consequences of identity theft.

At this week’s Workshop on the Economics of Information Security, University of Michigan researchers Lina Alkarmi, Armin Sarabi, and Mingyan Liu called these imposed indirect costs the “social cost” of data breaches and noted that typically none of it is measured. In two of the three breaches they studied, their math indicated that the eventual settlements the companies paid to consumers were below their estimate of the lower bound of the actual cost.

An odd finding from their study of three major breaches is that the social cost dropped over the period they studied, 2008-2021. They suggest that the 2015 introduction (in the US) of chip and PIN helped lower the utility of the stolen data. They also surmise that the later breaches added less to an already-saturated black market for data. There is doubtless a lot more work to do on this. Nonetheless, they estimate the national social cost at $7 billion in 2021, for an average per victim of nearly $300.

In a second paper, University of Tulsa researchers Teyyub Mutallimov, Dana Itzhaki, and Tyler Moore examined the long-term impact on corporate results following cyber attacks, looking at financial statements rather than share prices. There, it seems that companies don’t recover as fully as you might think. The effects depend on the type of attack: data breaches trigger financing and investment; ransomware attacks are operationally disruptive. Both involve ongoing costs: remediation, system upgrades, external advice, potentially legal settlements.

In the meantime, it remains unclear whether generative AI will be a net win or a net loss for cybersecurity – finding vulnerabilities, as Anthropic claims Claude Mythos does, exposes them to attackers, although it also offers developers an opportunity to close them (I recall a similar panic in 1995 when Dan Farmer released SATAN). A 2025 report from the Turing Institute found that AI had begun to accelerate crime by enabling it to scale more effectively and exploit personal vulnerabilities. In January, Carly Page reported at The Register that the cost to criminals of renting AI infrastructure was as cheap as a Netflix subscription, based on a paper from researchers at Group-IB. Self-hosted “dark LLMs” are optimized for creating scams and deepfakes for as little as $30 a month.

However, at WEIS, in another paper, Ben Collier, Jack Hughes, and Daniel Thomas studied vibe coding’s early impact on the cybercrime business. So far, they found, it doesn’t seem to be making much change; it’s not yet time to fear “vibercriminals”. One could even imagine that over time generative AI could disrupt the junior-level pipeline that produces senior, skilled workers, as it’s doing in other industries. On the other hand, there’s already long been a lot of automation at the lower levels. So, wash? But if something works, crime will adopt it. Cue Willie Sutton, whose name was invoked at WEIS several times to explain why people pursue cybercrime: “That’s where the money is.”

Illustrations: Willie Sutton (via FBI).
