from the tricky-problems dept

Last week, the European Parliament voted to let a temporary exemption lapse that had allowed tech companies to scan their services for child sexual abuse material (CSAM) without running afoul of strict EU privacy regulations. Meanwhile, here in the US, West Virginia’s Attorney General continues to press forward with a lawsuit designed to force Apple to scan iCloud for CSAM, apparently oblivious to the fact that succeeding would hand defense attorneys the best gift they’ve ever received.

Two different jurisdictions. Two diametrically opposed approaches, both claiming to protect children, and both making it harder to actually do so.

I’ll be generous and assume people pushing both of these views genuinely think they’re doing what’s best for children. This is a genuinely complex topic with real, painful tradeoffs, and reasonable people can weigh them differently. What’s frustrating is watching policymakers on both sides of the Atlantic charge forward with approaches that seem driven more by vibes than by any serious engagement with how the current system actually works — or why it was built the way it was.

The European Parliament just voted against extending a temporary regulation that had exempted tech platforms from GDPR-style privacy rules when they voluntarily scanned for CSAM. This exemption had been in place (and repeatedly extended) for years while Parliament tried to negotiate a permanent framework. Those negotiations have been going on since November 2023 without resolution, and on Thursday MEPs decided they were done extending the stopgap.

To be clear, Parliament didn’t pass a law banning CSAM scanning. Companies can still technically scan if they want to. But without the exemption, they’re now exposed to massive privacy liability under EU law for doing so. Scanning private messages and stored content to look for CSAM is, after all, mass surveillance — and European privacy law treats mass surveillance seriously (which, in most cases, it should!). So the practical effect is a chilling one: companies that were voluntarily scanning now face significant legal risk if they continue.

The digital rights organization eDRI framed the issue in stark terms:

“This is actually just enabling big tech companies to scan all of our private messages, our most intimate details, all our private chats so it constitutes a really, really serious interference with our right to privacy. It’s not targeted against people that are suspected of child abuse — It’s just targeting everyone, potentially all of the time.”

And that argument is compelling. Hash-matching systems that compare uploaded images against databases of known CSAM are more targeted than, say, keyword scanning of every message, but they still fundamentally involve examining every unencrypted piece of content that passes through the system. When eDRI says it targets “everyone, potentially all of the time,” that’s an accurate description of how the technology works.

But… the technology also works to find and catch CSAM. Europol’s executive director, Catherine De Bolle, pointed to concrete numbers:

Last year alone, Europol processed around 1.1 million of so-called CyberTips, originating from the National Center for Missing & Exploited Children (NCMEC), of relevance to 24 European countries. CyberTips contain multiple entities (files, videos, photos etc.) supporting criminal investigation efforts into child sexual abuse online.

If the current legal basis for voluntary detection by online platforms were to be removed, this is expected to result in a serious reduction of CyberTip referrals. This would undermine the capability to detect relevant investigative leads on CSAM, which in turn will severely impair the EU’s security interests of identifying victims and safeguarding children.

The companies that have been doing this scanning — Google, Microsoft, Meta, Snapchat, TikTok — released a joint statement saying they are “deeply concerned” and warning that the lapse will leave “children across Europe and around the world with fewer protections than they had before.”

So the EU’s privacy advocates aren’t wrong about the surveillance problem. Europol isn’t wrong about the child safety consequences. Both things are true — which is what makes this genuinely tricky rather than a case of one side being obviously right.

Now flip to the United States, where the problem is precisely inverted.

In the US, the existing system has been carefully constructed around a single, critical principle: companies voluntarily choose to scan for CSAM, and when they find it, they’re legally required to report it to NCMEC. The word “voluntarily” is doing enormous load-bearing work in that sentence — and most of the people currently shouting about CSAM don’t seem to know it. As Stanford’s Riana Pfefferkorn explained in detail on Techdirt when a private class action lawsuit against Apple tried to compel CSAM scanning:

While the Fourth Amendment applies only to the government and not to private actors, the government can’t use a private actor to carry out a search it couldn’t constitutionally do itself. If the government compels or pressures a private actor to search, or the private actor searches primarily to serve the government’s interests rather than its own, then the private actor counts as a government agent for purposes of the search, which must then abide by the Fourth Amendment, otherwise the remedy is exclusion.

If the government – legislative, executive, or judiciary – forces a cloud storage provider to scan users’ files for CSAM, that makes the provider a government agent, meaning the scans require a warrant, which a cloud services company has no power to get, making those scans unconstitutional searches. Any CSAM they find (plus any other downstream evidence stemming from the initial unlawful scan) will probably get excluded, but it’s hard to convict people for CSAM without using the CSAM as evidence, making acquittals likelier. Which defeats the purpose of compelling the scans in the first place.

In the US, if the government forces Apple to scan, that makes Apple a government agent. Government agents need warrants. Apple can’t get warrants. So the scans are unconstitutional. So the evidence gets thrown out. So the predators walk free. All because someone thought “just make them scan!” was a simple solution to a complex problem.

Congress apparently understood this when it wrote the federal reporting statute — that’s why the law explicitly disclaims any requirement that providers proactively search for CSAM. The voluntariness of the scanning is what preserves its legal viability. Everyone involved in the actual work of combating CSAM — prosecutors, investigators, NCMEC, trust and safety teams — understands this and takes great care to preserve it.

Everyone, apparently, except the Attorney General of West Virginia. As we discussed recently, West Virginia just filed a lawsuit demanding that a court order Apple to “implement effective CSAM detection measures” on iCloud. The remedy West Virginia seeks — a court order compelling scanning — would spring the constitutional trap that everyone who actually works on this issue has been carefully avoiding for years.

As Pfefferkorn put it:

Any competent plaintiff’s counsel should have figured this out before filing a lawsuit asking a federal court to make Apple start scanning iCloud for CSAM, thereby making Apple a government agent, thereby turning the compelled iCloud scans into unconstitutional searches, thereby making it likelier for any iCloud user who gets caught to walk free, thereby shooting themselves in the foot, doing a disservice to their client, making the situation worse than the status quo, and causing a major setback in the fight for child safety online.

The reason nobody’s filed a lawsuit like this against Apple to date, despite years of complaints from left, right, and center about Apple’s ostensibly lackadaisical approach to CSAM detection in iCloud, isn’t because nobody’s thought of it before. It’s because they thought of it and they did their fucking legal research first. And then they backed away slowly from the computer, grateful to have narrowly avoided turning themselves into useful idiots for pedophiles.

The West Virginia complaint also treats Apple’s abandoned NeuralHash client-side scanning project as evidence that Apple could scan but simply chose not to. What it skips over is why the security community reacted so strongly to NeuralHash in the first place. Apple’s own director of user privacy and child safety laid out the problem:

Scanning every user’s privately stored iCloud content would in our estimation pose serious unintended consequences for our users… Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types (such as images, videos, text, or audio) and content categories. How can users be assured that a tool for one type of surveillance has not been reconfigured to surveil for other content such as political activity or religious persecution? Tools of mass surveillance have widespread negative implications for freedom of speech and, by extension, democracy as a whole.

Once you create infrastructure capable of scanning every user’s private content for one category of material, you’ve created infrastructure capable of scanning for anything. The pipe doesn’t care what flows through it. Governments around the world — some of them not exactly champions of human rights — have a well-documented habit of demanding expanded use of existing surveillance capabilities. This connects directly to the perennial fights over end-to-end encryption backdoors, where the same argument applies: you cannot build a door that only the good guys can walk through.

And then there’s the scale problem. Even the best hash-matching systems can produce false positives, and at the scale of major platforms, even tiny error rates translate into enormous numbers of wrongly flagged users.

This is one of those frustrating stories where you can… kinda see all sides, and there’s no easy or obvious answer:

Scanning works, at least somewhat. 1.1 million CyberTips from Europol in a single year. Some number of children identified and rescued because platforms voluntarily detected CSAM and reported it. The system produces real results.

Scanning is mass surveillance. Every image, every message gets examined (algorithmically), not just those belonging to suspected offenders. The privacy intrusion is real, not hypothetical, and it falls on everyone.

Compelled scanning breaks prosecutions. In the US, the Fourth Amendment means that government-ordered scanning creates a get-out-of-jail card for the very predators everyone claims to be targeting. The voluntariness of the system is what makes it legally functional.

Scanning infrastructure is repurposable. A system built to detect CSAM can be retooled to detect political speech, religious content, or anything else. This concern is not paranoid; it’s an engineering reality.

False positives at scale are inevitable. Even highly accurate systems will flag innocent content when processing billions of items, and the consequences for wrongly accused individuals are severe.

People can and will weigh these tradeoffs differently, and that’s legitimate. The tension described in all this is real and doesn’t resolve neatly.

But what both the EU Parliament’s vote and West Virginia’s lawsuit share is an unwillingness to sit with that tension. The EU stripped legal cover from the voluntary system that was actually producing results, without having a workable replacement ready. West Virginia is trying to compel what must remain voluntary, apparently without bothering to read the constitutional case law that makes compelled scanning self-defeating. From opposite directions, both approaches attack the same fragile voluntary architecture that currently threads the needle between these competing interests.

The status quo in the United States — voluntary scanning, mandatory reporting, no government compulsion to search — is far from perfect. But the system functions: it produces leads, preserves prosecutorial viability, and does so precisely because it was designed by people who understood the tradeoffs and built accordingly.

It would be nice if more policymakers engaged with why the system works the way it does before trying to blow it up from either direction. In tech policy, the loudest voices in the room are rarely the ones who’ve done the reading.

Filed Under: 4th amendment, csam, csam scanning, eu, privacy, scanning, surveillance

Karin Keller-Sutter, Switzerland’s finance minister and the country’s former president, has filed criminal charges for defamation and insult after Elon Musk’s AI chatbot Grok was prompted by an anonymous user to generate a torrent of sexist and vulgar remarks about her on X. The complaint, filed on 20 March with the Bern public prosecutor’s office, is directed against “persons unknown” because the X user who prompted Grok could not be identified beyond a screen name. It is, by all available evidence, the first time a serving head of a national finance ministry has pursued criminal action against an AI-generated statement.

The incident occurred on 10 March, when a user on X instructed Grok to “roast” a figure they described as “Federal Councillor KKS, my favourite chick,” urging the chatbot to attack her in crude street language. Grok complied. The resulting post, a barrage of misogynistic abuse attributed to the chatbot, was published on Keller-Sutter’s feed. A spokesperson for the minister told Politico that the post was not “a contribution protected by freedom of expression or part of the political debate, but rather a pure denigration of a woman.” The spokesperson added: “One must fundamentally defend oneself against such misogynistic statements.”

Keller-Sutter is no minor political figure. She heads the Federal Finance Department and is one of seven members of the Swiss Federal Council, the country’s highest executive authority. In 2025, she served as president of the Swiss Confederation, a role that rotates annually among the council members. Before entering federal politics, she studied political science in London and Montreal, served as a cantonal justice minister, and presided over the Council of States. Her decision to file criminal charges rather than simply delete the post signals an intent to test whether Swiss defamation law, which criminalises both defamation under Article 173 and slander under Article 174 of the penal code, can reach the operators of AI systems and the platforms that host them. The legal question at the heart of the complaint is whether social media companies and their operators, in addition to individual users, can be held criminally liable for content generated by their own AI tools.

That question has not been answered anywhere in the world, but courts are beginning to confront it. In the United States, conservative activist Robby Starbuck sued Meta in 2025 after its AI falsely linked him to the January 6 Capitol riot; Meta settled rather than litigate. A Georgia court dismissed a separate defamation case against OpenAI after ChatGPT fabricated claims about a radio host, ruling that the legal threshold for fault had not been met. No AI defamation case has reached a final judgment in any jurisdiction. Keller-Sutter’s complaint, filed under a criminal rather than civil framework and in a country whose defamation statute carries prison sentences of up to three years for deliberate slander, could establish the first binding precedent on AI platform liability for generated speech.

The filing arrives against the backdrop of what has become the most sustained regulatory crisis in Grok’s brief existence. Between 29 December 2025 and 8 January 2026, Grok’s image-generation tools created more than three million sexualised images, approximately 23,000 of which depicted minors, according to the Centre for Countering Digital Hate. The discovery triggered a cascade of legal and regulatory actions that has not stopped. On 2 January, French ministers reported the content to prosecutors, calling it “manifestly illegal.” On 12 January, the United Kingdom’s Ofcom opened a formal investigation into whether X had complied with the Online Safety Act, with potential penalties of up to £18 million or 10 per cent of global revenue. On 14 January, California’s attorney general announced a state investigation into whether xAI had violated California law. On 26 January, the European Commission opened a probe under the Digital Services Act into whether Grok’s deployment met the platform’s legal obligations regarding illegal content and harm to minors.

The enforcement actions escalated sharply in February. On 3 February, French prosecutors, accompanied by a cybercrime unit and Europol officers, raided X’s Paris offices. The investigation, originally opened over complaints about platform operation and data extraction, had widened to include charges of complicity in distributing child sexual abuse material, creating sexually explicit deepfakes, and Holocaust denial. Prosecutors have since summoned Musk and X’s former chief executive Linda Yaccarino for voluntary interviews on 20 April. A Dutch court separately ordered Grok banned from generating non-consensual intimate images. The EU had already fined X €120 million in December 2025 for violating the DSA’s transparency requirements, a penalty X is now challenging in what has become the first court test of the bloc’s landmark digital regulation.

In the United States, three Tennessee teenagers filed a class-action lawsuit against xAI on 16 March, alleging that Grok had been used to create sexualised images of them without their knowledge or consent. The images were reportedly shared on Discord and other platforms. On 25 March, Baltimore became the first American city to sue xAI over Grok-generated deepfake pornography, alleging violations of consumer protection law. A separate class action, filed by Lieff Cabraser Heimann & Bernstein, alleges that xAI knowingly designed and profited from an image generator used to produce and distribute child sexual abuse material while refusing to implement the content-safety measures adopted by every other major AI company.

The governance vacuum at xAI compounds the legal exposure. All 11 of xAI’s original co-founders have now departed the company, including researchers recruited from Google DeepMind, Google Brain, and Microsoft Research. Musk said in March that xAI was “not built right the first time around” and needed to be rebuilt from its foundations. The company was absorbed into SpaceX in February through an all-stock merger that raised immediate governance questions, creating a combined entity valued at $1.25 trillion that is now preparing for what would be the largest initial public offering in history. The regulatory and litigation risks surrounding Grok are, in effect, now embedded in the prospectus of a company seeking a $1.75 trillion public valuation.

What makes Keller-Sutter’s complaint distinct from the deepfake and CSAM cases is its simplicity. It does not involve image generation, undressing algorithms, or child exploitation. It involves a chatbot that was asked to insult a named public official and did so in language that, under Swiss law, constitutes a criminal offence. The factual question is narrow: who is responsible when an AI system, operating on a commercial platform, generates defamatory speech at a user’s request? If the user cannot be identified, does liability pass to the platform operator, to the AI developer, or to no one at all?

The answer to that question will shape the trajectory of AI governance far beyond Switzerland. Every major AI company operates chatbots capable of producing defamatory, abusive, or factually false statements about real people. Most have implemented guardrails designed to refuse such requests. Grok, by deliberate design, has operated with fewer restrictions than its competitors, a positioning Musk has marketed as a commitment to free expression. The Keller-Sutter case tests whether that positioning can survive contact with criminal law.

Switzerland is not the European Union and is not bound by the DSA. But Swiss defamation law is among the most stringent in Europe, and a criminal finding against an AI platform operator would reverberate through every jurisdiction currently weighing similar questions. The case is small in scope, involving a single post on a single platform about a single official. But the principle it seeks to establish, that the companies building these systems bear the kind of legal responsibility that the age of AI governance demands, is anything but small. If Grok can be prompted to defame a former president with impunity, the question is not what it says about the technology. It is what it says about the law.

Photo credit: Wall Street Journal
The Wall Street Journal recently got a rare look inside Apple Park as part of the company’s 50th anniversary celebrations, with reporters joining Tim Cook for a walk through an archive that Cook himself admitted he had barely visited until preparations for the milestone began pulling decades of stored material back into the light.

The first thing that caught his eye was Apple’s original patent filing for the Apple II, a single document that Cook said effectively opened the floodgates for what eventually became more than 140,000 patent applications. A small drawing on a piece of paper that quietly set the direction for everything that followed.

Sale

Apple 2026 MacBook Air 13-inch Laptop with M5 chip: Built for AI, 13.6-inch Liquid Retina Display, 16GB…

• MIGHT TAKES FLIGHT — MacBook Air with the M5 chip packs blazing speed and powerful AI capabilities into an incredibly portable design. With Apple…
• SUPERCHARGED BY M5 — With its faster CPU and unified memory, the M5 chip delivers even more performance and fluidity across apps, making…
• APPLE INTELLIGENCE — Apple Intelligence is the personal intelligence system that helps you write, express yourself, and get things done…

An early 2001 iPod prototype came next, and Cook recalled the feeling of holding it for the first time a few years after joining the company. The idea of carrying a thousand songs in your pocket felt genuinely unbelievable at a moment when most people were still rotating five CD changers on road trips. He remembered loading a Beatles song the moment he got his hands on one and how that little white device changed his daily commute.

The 2007 iPhone launch remains Cook’s favorite moment in the company’s history, and a circuit board from one of the first working prototypes sitting on the table illustrated just how far the engineering team had to travel to get there. It looked more like a cutting board than something destined for a pocket, an early proof of concept that needed everything working together before the whole thing could be miniaturized. Cook noted that even inside Apple, employees were walking around with early models watching keys and coins scratch the plastic casing. Steve Jobs made the call to switch to glass within a matter of months, a timeline Cook described as close to impossible, comparing it to trying to land on the moon between January and June.

Cook touched on projects that never made it, framing each one as something the team learned from before showing up the next morning and getting back to work. That steadiness, he suggested, is what carried the company through five decades of setbacks and breakthroughs alike. An early Apple Watch prototype rounded out the tour, and Cook’s attention shifted forward, pointing to the combination of hardware, software, and services as the space where the next significant leap is most likely to come from.

The best streaming services have added plenty of new movies in April, and I was excited to see lots of horror titles among them.

April is a strong month for horror with some of the biggest franchises and originals available to watch from the comfort of your living room. The month is typically associated with pranks and comedies, but if you want something more macabre, I’ve got you covered.

You know what they say — you can’t keep a good website down. OldVersion.com, the repository of outdated software that has been serving up old versions of tools you need for the last twenty-five years, is not going away as we reported last year. Not only is it sticking around, it’s gotten a retro facelift inspired by Windows 3.1 or OS/2. Mostly Windows, given the screensaver, but we’ll let you find that for yourself.

We’re thrilled to see that OldVersion has gotten the support they need to keep going after running into financial troubles. According to founder Alex Levine, some of that support came as a result of the Hackaday article reporting on the then-upcoming closure, so kudos to you guys for stepping up.

While we absolutely love the retro redesign of the new website, that’s one thing notably lacking — an obvious donation button. Well, that and old-school HTTP support so you can get on with your retromachines, but that, at least, is in the works according to the site roadmap. It’s a little weird that in this year of the common era 2026 you have to do extra work to give up on HTTPS functionality, but it is the way it is.

In the meantime, the site is fully usable as long as you have HTTPS capability, or go through a proxy. Perhaps you could use this ESP8266 code to get started making one, if you don’t want to embarrass your old computer by using something more powerful than it as a pass-through.

Speaking of proxies, if old versions of software aren’t enough for you, how about an old version of the internet? We heard you like old versions, so you can visit an old version of OldVersion!

Note that if you’re reading this after 01/04/2026, the look-and-feel of OldVersion.com may not match what’s depicted here.

SpaceX is looking to the heavens for its upcoming initial public offering based on a $1.75 trillion valuation, according to confidential paperwork filed with the US Securities and Exchange Commission.

As reported by Bloomberg, the draft IPO registration is the first step toward a possible June offering that could raise approximately $75 billion. The filing allows the company to get feedback from the SEC before the information is released publicly.

The IPO may be open to more people than just the wealthiest investors. According to a report by The Motley Fool, SpaceX plans to allocate around 30% of the initial shares to “retail investors,” meaning individual investors. Normal retail allocation tends to be around 10% of shares.

A SpaceX representative didn’t immediately respond to a request for comment.

Why a SpaceX IPO is a big deal

Spaceflight is an incredibly expensive endeavor; SpaceX gets billions of dollars from the US government to launch satellites and help keep NASA’s programs running. Almost a year ago, the company set a target of launching every other day through the end of 2025 and ended up launching a record 165 orbital flights.

But SpaceX is no longer just a high-flying rocket company. Its Starlink division provides data access to homes, remote locations, airlines and direct to many mobile phones in areas where there’s no cellular coverage. It also recently acquired xAI, another of Elon Musk’s companies, and owns the social media site X (formerly Twitter).

It’s the AI angle that seems to be driving up the company’s valuation ahead of the IPO. The xAI all-stock acquisition valued the company and SpaceX at $1.25 trillion. This year, OpenAI and Anthropic PBC are also expected to go public.

Although those numbers are eye-popping, the company has plenty of challenges before it can get off the launchpad.

Starlink has announced a plan to send up new V3 third-generation satellites that should bring gigabit internet speeds to its network, but those won’t be ready until 2027. Getting them up requires SpaceX’s heavy-duty Spacecraft vehicle, which has had limited success in testing so far. In the meantime, its current Starlink satellites have been exploding in orbit as recently as this week.

And for xAI, the skies aren’t exactly clear despite the current fervor for all things AI. Musk announced in mid-March that “xAI was not built right first time around, so is being rebuilt from the foundations up.” And the company is being sued by three teen girls and their guardians for “devastating” harm caused by its Grok AI generating child sexual abuse images.