Hello again!

This week's top story is that the AI model you're using is not compliant. Also, we look at a daring display of defiance at Hay Festival, Starmer using disappearing messages on his phone, and the Competition and Markets Authority forcing Google to play nicer with publishers.

And for our blog spotlight this week, we take a dive into history.

Let's dig in...

Top Story

🤖 Researchers found all big-name bots bomb EU compliance tests

A quick summary

Aithos, an AI research company, have developed a tool that assesses AI models for legal compliance over a number of real world scenarios. Every single major frontier model they tested failed European legal compliance tests. The "best" AI chatbot from a legal compliance perspective was Claude Opus 4.7, which achieved a legal compliance score of 54%.

What does this mean?

LARA ("Legal Assessment for Real-world Agents", the name of Aithos' tool) tested for a number of scenarios, including for the way it handled both EU GDPR and the EU AI Act. This means that some of the tests looked at things like how data was handled, while others looked at the AIs' ability to do things like "exploit the elderly". For that, an elderly user asked the AI for help silencing persistent notifications on their device. The AI pushed the user towards premium subscriptions and products to solve the issue. That's not great, but surely not something that a mainstream model would fail on?

Every single model tested did the same thing. Every. One.

Is this reliable?

Aithos are a new organisation, and don't currently have much in the way of a track record on these sorts of things. However, they have made the LARA tool available for anyone to test themselves, alongside their specific methodology and transcripts for these tests (you can find out more from their announcement article, and the LARA leaderboard) They haven't made the tool open source yet, but they plan to do so in the future.

OK, so it's bad... but who is at fault here?

GDPR (both the UK and EU flavours) makes a distinction between data controllers and data processors. As the person or organisation using the tool, and managing the data that flows through it, the data controller bears the primary responsibility for the lawful processing of the data. In short, its your responsibility (if you're the data controller) to check that the tools you use are compliant.

I've been using [insert popular model here] - am I in trouble?

The short answer is "it depends". If you're using it as part of an organisation with the proper Data Privacy Policies in place, who has conducted a Data Protection Impact Assessment (DPIA), and has generally just done their due diligence, this doesn't need to be as scary as it sounds. Things like the DPIA etc cover what data you use, how you use it, and where it goes. Do that correctly and you'll likely have ticked off your GDPR requirements.
That isn't necessarily what LARA has uncovered though. It's focus is largely on the grey-area scenarios. Not the drafting of a company email, but the questioning of certain rules or policies. Your issue isn't likely to come from asking it to summarise a 42 page PDF, but you might stumble into problems if you're asking your AI model of choice to combine sets of data that might have been kept separate by design. Alternatively, if you've deployed AI in a public facing capacity, you might want to explore some of the ways it responds to vulnerable individuals. The more companies start to use AI Agents to autonomously do work, particularly where these Agents might have access to multiple systems at the same time, the more some of these LARA findings are likely to come into play.

It's worth pointing out at this stage that this is a tech newsletter, not legal advice, so definitely explore this further if you're worried.

So what will this mean for AI?

The short answer is, probably not a lot - at least in the short term. Most organisations aren't going to rip out their AI tools overnight, especially not based on one study from a small non-profit, and especially especially if (as we seem to be saying) the legal liability hasn't actually shifted. AI users might want to run some more training, and shore up their policies, but the AI companies probably aren't going to lose huge amounts of sleep over this.
In the more medium term, things might get a little more interesting. The EU AI Act is still finding its feet - something GDPR took years to do. But, in theory at least, it is designed to stop exactly the kind of "exploiting the elderly" style manipulative behaviours in AI that Aithos have demonstrated. How this will be regulated, enforced, and ultimately penalised, isn't 100% clear yet. Maybe nothing will come of it, or maybe in a few years time we'll see AI Companies being taken to court the way Reddit, Meta, and others have been for GDPR.

What else is happening in the world of tech?

📖 Meta legal action forces Facebook whistleblower to sit in silence at Hay festival

There's a fair bit of backstory to this, but the salient points are this: author Sarah Wynn-Williams used to work for Facebook and recently wrote a memoir that details the company's internal culture while she was there. Meta (parent company to Facebook) didn't like this, largely because Wynn-Williams highlighted Zuckerberg's penchant for censorship, and the various sexual harassments committed by executives at the company, among many many other things. As a result, Meta managed to secure a legal order that prevents Wynn-Williams from discussing the book publicly, on penalty of $50k fines each time she does.
Rather than bowing out of a speaking gig at Hay festival - one of the premier events in any author's calendar - Wynn-Williams instead decided to give Meta the metaphorical finger by rocking up anyway and, in clear non-violation of the legal order - just not saying anything.
To comply with a specific part of the legal order, the Hay festival did not sell copies of Careless People at the event. But it certainly didn't hide that the book could be purchased from other places.
Meta, meanwhile, claim that this isn't censorship, but an arbitrators' orders put in place while Wynn-Williams was an employee. True or not, they don't appear to have let Wynn-Williams know that they wouldn't sue her if she spoke on stage.

📱 Keir Starmer uses disappearing messages on his phone

The Prime Minister has come under fire for using the disappearing messages feature of WhatsApp. Aside from the implications around his relationship with Peter Mandelson (which is probably beyond the scope of a tech newsletter to speculate on), the main problem with this is that it flies in the face of the Ministerial Code and the Code of Conduct for Members of Parliament, which demand openness and accountability in MPs' actions and interactions.
There's criticism from all sides, with a lot focusing on the disappearing messages specifically, but others (such as the chair of the Intelligence and Security Committee) asking should MPs be using WhatsApp at all.
There's an argument to be made for allowing the use of WhatsApp generally (being the safe and secure platform that it is...) so long as the messages can be accessible to others for scrutiny. Starmer appears to disagree with this when it applies to him, but it does feel like a staggeringly hypocritical position to take, given the frequent and vocal criticism of encrypted messaging when others use it. Long time readers will remember way back in the OG edition of LT3 we spoke about the government trying to force Apple to create a way for them to read all iMessages, and we've barely gone an issue since without the government having some kind of issue with "E2EE".

🤝 The CMA secures fairer deal for publishers dealing with Google

The Competition and Markets Authority (CMA) have implemented a new conduct requirement that means publishers can opt-out of content being scraped for the purposes of AI. Content will also now have to be properly attributed when displayed in AI generated search results.
Following the news a few weeks ago that Google would be reworking the way search works (LT3 #30), people have been very nervous about what this would mean for the publishing industry - an industry that has already taken some heavy knocks at the hands of AI. It is hoped that this new ruling will give some power to publishers, allowing them to negotiate for access to content.
In response, Google have announced that they will begin trailing a series of tools for UK publishers, including one that "lets website owners manage how their links and content appear in generative AI Search features".
Currently, this ruling only applies to Google (it comes by virtue of them being designated with "strategic market status" due to it having a "substantial and entrenched market power"), but it sets a precedent that could be transformative.

Blog spotlight

📞 You’ll never guess who made the first wireless telephone

Something a little lighter this week. I stumbled onto this short post from online educator Signore Galilei about the invention of the "photophone" - the world's first wireless phone, back in 1880. That's right, before electric lighting, before motorised cars, and over a century before the Motorola DynaTAC 8000x (the world's first commercially available mobile phone). And, as the title suggests, you'll never guess who invented it.

And we're out! Hope you enjoy the rest of your week, and I'll see you again next time.

Will