Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.

At 1,650 words, this briefing is about a 7-minute read.

At a Glance.

• Pressure grows amongst European lawmakers to pass a new updated Chips Act.
• 23andMe bankruptcy raises privacy concerns.

European Parliament members urge increased support for AI investment.

The News.

On Monday, several members of the European Parliament urged the European Commission to increase the region’s support for artificial intelligence (AI) investments. In their letter, fifty-four European lawmakers wrote to the Commission, stating that “recent geopolitical developments have shown that Europe cannot take continued access to advanced technologies for granted.” The letter continued, stating that “we must take active steps to make the [European Union (EU)] attractive as an R&D, production, and investment location.” Furthermore, lawmakers criticized the previous 2023 Chips Act as “too slow.” The letter was addressed to the Commission’s Digital Chief, Henna Virkkunen.

While the Commission has not detailed its various semiconductor plans, it has stated that it intends to launch five new “packages” this year to help spur European AI investment.

The Knowledge.

The EU’s 2023 Chips Act was passed to reinforce the region’s semiconductor ecosystem. In this act, there were five strategic objectives.

1. Strengthening research and technological leadership.
2. Building and reinforcing Europe’s capacity to innovate in the design, manufacturing, and packaging of advanced chips.
3. Putting in place an adequate framework to increase production by 2030.
4. Addressing the skills shortage and ways to attract new talent.
5. Develop an in-depth understanding of global semiconductor supply chains.

While originally passed, this act was seen as a key step to outline Europe’s semiconductor chip strategy. However, in recent months, lawmakers have changed their consensus on European AI development, looking to attract investment opportunities from major developers to increase domestic production efforts and ensure Europe’s competitiveness in this economic sector for the foreseeable future. This tone change was most present in the recent Paris AI summit, where European leaders spoke on this goal. For example, the French government announced Current AI along with a $400 million initial investment. With this investment, French President Macron stated, “at the national and European scale, it is very clear that we have to resynchronize with the rest of the world.” Furthermore, President Macron stated that “if we regulate before we innovate, we won’t have any innovation of our own.”

As the European Commission plans to readjust its AI goals, the five new packages will be critical when executing these efforts. For example, one of these packages will be aimed at addressing existing overlaps between the EU’s AI act, the Digital Marketing act, and the EU’s General Data Protection Regulation to streamline regulation efforts and reduce overhead efforts for companies. Other packages will be designed with similar goals in mind to ease regulation efforts across numerous sectors, such as those impacting sustainability and small companies.

The Impact.

The EU’s sudden shift on AI policy comes with the region looking to accelerate dramatically its influence over the emerging technology markets. While this stance change will not yield overnight impacts on the EU’s AI markets, these efforts to reduce regulations and boost funding initiatives will have tangible benefits over the coming months and years. For EU businesses and citizens, these changes will likely lead to expanded markets and new career opportunities as many look to both develop new AI systems and further implement AI into everyday routines. 

However, while these initiatives will likely lead to increased growth, the potential relaxing of regulations could also cause associated risks to become more impactful. For those looking to develop or deploy AI systems within the EU, people should be aware of their responsibilities under EU law and what changes are currently being made and how future packages may or may not change these requirements before making significant decisions. Lastly, for EU citizens, people should understand how these changing regulations may increase their exposure to risk when using AI systems and the implications these risks may have on them.

California Attorney General issues “Consumer Alert” on 23andMe.

The News.

On Monday, 23andMe declared bankruptcy as the company plans to head to court and sell its assets. While the company undergoes its bankruptcy processes, it did state that it “intends to continue operating its business in the ordinary course throughout the sale process.” After declaring bankruptcy, California Attorney General Rob Bonta issued a “consumer alert” regarding privacy concerns for how the company will handle its sensitive customer information. In his statement, Attorney General Bonta said, “I remind Californians to consider their rights and direct 23andMe to delete their data and destroy any samples of genetic material held by the company.”

The company did respond to these concerns, stating that there would be “no changes” in how it protects information while it is in court.

The Knowledge.

While it may be unclear how the company plans to handle its stores of sensitive information after the bankruptcy process, this is not the first time that the company has had concerns related to its data management systems. In 2023, the company was breached, which caused nearly seven million of its customers to have their personal data exposed over a five-month period. This breach was eventually resolved and resulted in the company settling a lawsuit for $30 million. More specifically, the hackers were able to access 5.5 million DNA profiles and another 1.4 million customers who used the “Family Tree” feature.

Outside of this previous data breach, security experts have also expressed concerns about how these bankruptcy proceedings could impact data security. One of the key concerns revolves around how customer data could be sold to a new company, which could use it for entirely new purposes. Experts have pointed to 23andMe’s privacy statement, which reads, “if we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.” 

Furthermore, experts have also pointed out that under new ownership, the company may also potentially change its practices and policies for handling this data. Ginny Fahs, the Director of Product R&D for Consumer Reports’ Innovation Lab, commented on this, stating that “the DNA data could be used to discern your relatives and ancestry, unearth family secrets, and reveal clues about diseases you have or could be predisposed to.” Fahs continued, stating that “if [that] data makes its way to certain insurers, they may deny you coverage or charge you more for life, disability, or long-term care insurance because of your genetics.”

The Impact.

With 23andMe’s sudden bankruptcy, people who have utilized the service should take time to understand the case and the implications that a sale may have on their data. While bankruptcy proceedings will likely take some time to be resolved, by staying informed on how these proceedings are progressing, people will be able to understand who is aiming to buy 23andMe’s assets and the associated implications.

If a person has utilized this service and wishes to have their collected data deleted, they can follow these steps:

1. Log in to your 23andMe account.
2. Go to your Profile, then tap Settings.
3. Scroll to the “23andMe Data” section at the bottom of the page and click View.
4. Scroll to the “Delete Data” section and click Permanently Delete Data.
5. Confirm your request, and you will receive an email confirmation.

Highlighting key conversations.

In this week’s Caveat Podcast, our team meets with Tara Wisniewski, the Executive Vice President for Advocacy, Global Markets, and Member Engagement at ISC2. During this conversation, our team discussed the role of cybersecurity as the world sees significant political leadership changes. Additionally, our team also discusses the recent incident where top White House officials were using Signal to discuss sensitive war plans.

Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.

Other noteworthy stories.

US offers $15M reward for people accused of smuggling technology to Iran.

What: The State Department offers a $15 million reward for information on drone technology smugglers.

Why: Last Thursday, the State Department announced this reward with the hopes of gathering information linked to four Chinese nationals who allegedly helped Iran get United States (US) military equipment and drone technology.

The four individuals are Liu Baoxia, Li Yongxin, Yung Yiu Wa, and Zhong Yanlai. US officials claimed that Iran would transport this technology to companies that would use it to develop and create unmanned aerial vehicles, advanced weapon systems, and weapons.

Trump team using Signal to share war plans.

What: Several top Trump officials were using Signal, a messaging application, to share war plans in a potential security breach.

Why: On Monday, screenshots were released from a journalist who was mistakenly added to a Signal group chat with several top White House officials. These screenshots included conversations between Secretary of Defense Pete Hegseth, Vice President JD Vance, Secretary of State Marco Rubio, and Director of National Intelligence Tulsi Gabbard as they discussed Yemen military actions. 

With these leaks, Congress officials have called for an investigation to see if classified intelligence is being shared on unsecured and unverified channels. Senate Democratic leader Chuck Schumer called for a full investigation, stating that the incident was “one of the most stunning breaches of military intelligence [he has] read about in a very, very long time.” Republican Congressmembers also expressed concerns with Senator Roger Wicker, stating that they are “very concerned about it and we’ll be looking into it on a bipartisan basis.”