Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Europe Reaches a Deal on the World’s First Comprehensive AI Rules

Researchers have warned that powerful AI models could be used to supercharge online disinformation, cyberattacks or creation of bioweapons.

NIST Adversarial Machine Learning

European Union negotiators clinched a deal Friday on the world’s first comprehensive artificial intelligence rules, paving the way for legal oversight of AI technology that has promised to transform everyday life and spurred warnings of existential dangers to humanity.

Negotiators from the European Parliament and the bloc’s 27 member countries overcame big differences on controversial points including generative AI and police use of face recognition surveillance to sign a tentative political agreement for the Artificial Intelligence Act.

“Deal!” tweeted European Commissioner Thierry Breton just before midnight. “The EU becomes the very first continent to set clear rules for the use of AI.”

The result came after marathon closed-door talks this week, with the initial session lasting 22 hours before a second round kicked off Friday morning.

Officials were under the gun to secure a political victory for the flagship legislation. Civil society groups, however, gave it a cool reception as they wait for technical details that will need to be ironed out in the coming weeks. They said the deal didn’t go far enough in protecting people from harm caused by AI systems.

“Today’s political deal marks the beginning of important and necessary technical work on crucial details of the AI Act, which are still missing,” said Daniel Friedlaender, head of the European office of the Computer and Communications Industry Association, a tech industry lobby group.

The EU took an early lead in the global race to draw up AI guardrails when it unveiled the first draft of its rulebook in 2021. The recent boom in generative AI, however, sent European officials scrambling to update a proposal poised to serve as a blueprint for the world.

The European Parliament will still need to vote on the act early next year, but with the deal done that’s a formality, Brando Benifei, an Italian lawmaker co-leading the body’s negotiating efforts, told The Associated Press late Friday.

Advertisement. Scroll to continue reading.

“It’s very very good,” he said by text message after being asked if it included everything he wanted. “Obviously we had to accept some compromises but overall very good.” The eventual law wouldn’t fully take effect until 2025 at the earliest, and threatens stiff financial penalties for violations of up to 35 million euros ($38 million) or 7% of a company’s global turnover.

Generative AI systems like OpenAI’s ChatGPT have exploded into the world’s consciousness, dazzling users with the ability to produce human-like text, photos and songs but raising fears about the risks the rapidly developing technology poses to jobs, privacy and copyright protection and even human life itself.

Now, the U.S., U.K., China and global coalitions like the Group of 7 major democracies have jumped in with their own proposals to regulate AI, though they’re still catching up to Europe.

Strong and comprehensive rules from the EU “can set a powerful example for many governments considering regulation,” said Anu Bradford, a Columbia Law School professor who’s an expert on EU law and digital regulation. Other countries “may not copy every provision but will likely emulate many aspects of it.”

AI companies subject to the EU’s rules will also likely extend some of those obligations outside the continent, she said. “After all, it is not efficient to re-train separate models for different markets,” she said.

The AI Act was originally designed to mitigate the dangers from specific AI functions based on their level of risk, from low to unacceptable. But lawmakers pushed to expand it to foundation models, the advanced systems that underpin general purpose AI services like ChatGPT and Google’s Bard chatbot.

Foundation models looked set to be one of the biggest sticking points for Europe. However, negotiators managed to reach a tentative compromise early in the talks, despite opposition led by France, which called instead for self-regulation to help homegrown European generative AI companies competing with big U.S rivals, including OpenAI’s backer Microsoft.

Also known as large language models, these systems are trained on vast troves of written works and images scraped off the internet. They give generative AI systems the ability to create something new, unlike traditional AI, which processes data and completes tasks using predetermined rules.

The companies building foundation models will have to draw up technical documentation, comply with EU copyright law and detail the content used for training. The most advanced foundation models that pose “systemic risks” will face extra scrutiny, including assessing and mitigating those risks, reporting serious incidents, putting cybersecurity measures in place and reporting their energy efficiency.

Researchers have warned that powerful foundation models, built by a handful of big tech companies, could be used to supercharge online disinformation and manipulation, cyberattacks or creation of bioweapons.

Rights groups also caution that the lack of transparency about data used to train the models poses risks to daily life because they act as basic structures for software developers building AI-powered services.

What became the thorniest topic was AI-powered face recognition surveillance systems, and negotiators found a compromise after intensive bargaining.

European lawmakers wanted a full ban on public use of face scanning and other “remote biometric identification” systems because of privacy concerns. But governments of member countries succeeded in negotiating exemptions so law enforcement could use them to tackle serious crimes like child sexual exploitation or terrorist attacks.

Rights groups said they were concerned about the exemptions and other big loopholes in the AI Act, including lack of protection for AI systems used in migration and border control, and the option for developers to opt-out of having their systems classified as high risk.

“Whatever the victories may have been in these final negotiations, the fact remains that huge flaws will remain in this final text,” said Daniel Leufer, a senior policy analyst at the digital rights group Access Now.

Related: AI’s Future Could be Open-Source or Closed. Tech Giants Are Divided as They Lobby Regulators

Written By

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Artificial Intelligence

Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.

Funding/M&A

Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.