Skip to content
wiki.fftac.org

Grey Hat AI - Source Excerpt 03 - Legal and Regulatory Status (US, EU, UK, China, India)

Back to Grey Hat AI

Summary

This source excerpt begins near Legal and Regulatory Status (US, EU, UK, China, India) and preserves the surrounding evidence from 2IA.org/agent-file-handoff/Archive/2026-05-16-home-psychological-warfare-improvement/Improvement/Grey-hat AI.md.

**Source path:** 2IA.org/agent-file-handoff/Archive/2026-05-16-home-psychological-warfare-improvement/Improvement/Grey-hat AI.md

**4. Authors vs OpenAI Copyright Disputes (2023–2025)**  
- *Timeline:* Lawsuit filed Jan 2023; key ruling Oct 28, 2025.  
- *Actors:* Coalition of authors and publishers (including George R.R. Martin, John Grisham, Penguin Random House, Hachette) vs. OpenAI/Microsoft.  
- *Techniques:* Legal argument. Plaintiffs claim ChatGPT’s outputs infringe their copyrighted text. OpenAI’s training of GPT models allegedly included copyrighted books without permission. OpenAI argued fair use. In Oct 2025, Judge Sidney Stein allowed the lawsuit to proceed, ruling that ChatGPT’s reproduction of protected elements (e.g. specific “Game of Thrones” plot/characters) could be infringing【27†L209-L218】【30†L167-L176】. The decision focused on the output (not training data legality): “A more discerning observer could reasonably conclude… the ChatGPT-generated summaries… are attempts at abridgement or condensation of central copyrightable elements”【30†L167-L176】. (A parallel Anthropic lawsuit settled in Aug 2025 for $1.5B【27†L231-L239】.)  
- *Outcome:* Legal. No AI crash or hack happened, but the dispute highlights AI training practices. OpenAI must defend (or settle) these claims.  
- *Analysis:* This case illustrates a grey zone in IP law, raising questions on data scraping for AI. It’s **ambiguous** ethically: open scraping advances AI but infringes individual creators. The outcome will shape norms (fair use vs commercial use). The case also spurred policy discussions on licensing and transparency for AI datasets.

**5. AI Vulnerability Scanning (Apr 2026)**  
- *Timeline:* April 2026.  
- *Actors:* Palo Alto Networks research team (Project Glasswing).  
- *Techniques:* The team built an AI-driven scanning harness combining multiple frontier models (Claude Mythos, GPT-5.5 Cyber) to automatically analyze enterprise software. Over a few months, this system discovered 26 previously unknown software vulnerabilities (CVEs) across common products – about five times their normal finding rate【23†L89-L97】. They fed software source code and binaries into LLM prompts, analyzed outputs, and triaged by hand. The technique illustrates *predictive vulnerability analysis* using generative AI.  
- *Outcome:* 26 CVEs were responsibly disclosed to vendors on Patch Tuesday (May 2026)【23†L89-L97】. Palo Alto warned this greatly compresses the vulnerability “storm” and that defenders must adapt.  
- *Analysis:* A **white-hat** application: using AI to boost security research. It also shows how similar tools could be used by black hats to find exploits quickly. Google separately noted AI was being used to develop a zero-day exploit【23†L109-L113】. Thus, technical methods are symmetric.  

*(Table: See end for a summary comparison of these case studies.)*  

## Legal and Regulatory Status (US, EU, UK, China, India)  
**United States:** No AI-specific federal law yet. The U.S. relies on general statutes (fraud, IP, computer crime, FTC consumer protection) to address AI misuse. However, several developments stand out: a 2026 House bill proposes that large platforms (revenue >$50M or >25M users) **label AI-generated text**, with violations treated as unfair/deceptive acts under the FTC Act【58†L19-L28】. Notably, it mandates NIST to issue labeling guidelines for AI text【58†L31-L33】 (but does *not* require audio/video labeling). California leads at the state level: e.g. AB2655 (2023) would ban unclaimed AI election interference (deepfakes) and require disclaimers. Many states have also enacted laws against non-consensual sexual deepfakes and election-related AI disinfo. Courts are active: U.S. judges have allowed copyright suits against OpenAI to proceed【27†L209-L218】. The FTC has warned companies against untested AI (viewed as deception) and in 2023 launched enforcement on dangerous AI claims.  

**European Union:** The EU is enacting the comprehensive **AI Act** (officially adopted in late 2024, to take effect ~2026). It classifies AI uses by risk: banning or restricting high-risk categories (biometric ID, critical infra, legal prediction, etc.). Importantly, Article 50 mandates **transparency measures**: providers of generative AI must ensure machine-readable watermarking/marking of synthetic content and enable detection, and deployers must clearly disclose to users when content is AI-generated or manipulated【54†L104-L113】. In practice, this means deepfakes (even lawful ones) must carry labels or watermarks, except minimal disclosure for art/satire. The Digital Services Act (2022) also forces platforms to moderate illegal content, including deepfakes under hate/terror/disinfo categories. The EU’s Code of Practice on Generative AI (2024) further recommends voluntary watermarking/metadata of synthetic media【54†L50-L58】. Overall, the EU demands **accountability and transparency** for AI content, backed by heavy fines for non-compliance.  

**United Kingdom:** The UK has no dedicated AI law yet but is moving fast. In January 2026, the UK government announced an explicit ban on AI “nudification” tools that create non-consensual synthetic nudes. This will be enacted via amendments to the Crime and Policing Bill【60†L36-L44】. The existing Online Safety Act (2023) broadly requires platforms to mitigate illegal and harmful content, which applies to AI-generated abuse. The UK has also proposed a voluntary “AI Code of Practice” and planned a white paper on AI regulation (though in early 2026, the government opted not to immediately legislate general generative AI). Data Protection law (UK GDPR) can penalize deepfakes that misuse personal data (face/voice likenesses). In practice, the UK is prioritizing **targeted bans** (e.g. deepfake porn) and adapting existing online safety frameworks rather than a single AI statute.  

**China:** China issued strict rules on “deep synthesis” (深度合成) technology effective Jan 2023【50†L67-L75】. These **“Deep Synthesis Provisions”** regulate AI-generated text, audio, images, video, etc. Key mandates: deepfake providers must register users, conduct real-name verification, establish internal review processes, and label or watermark AI-generated content【50†L142-L151】. They must also promptly remove or “dispel” false information on notice and report it to authorities. The law requires technical security audits of generative tools (especially if national security is involved)【50†L152-L158】. Essentially, all synthetic media must be explicitly tagged and providers held responsible. China also tightly regulates online content via censorship laws, which implicitly cover AI disinfo. Additionally, China’s Personal Information Protection and Data Security laws limit use of sensitive data for AI training. Overall, **generative AI is highly regulated** in China: compliance, traceability, and content controls are mandatory.  

**India:** In Feb 2026 India’s IT Rules were amended to introduce stringent deepfake/AI content obligations. The rules now define “deepfake” explicitly and require platforms to apply **technical markers or metadata** to AI-generated media, enabling traceability【52†L315-L323】. Crucially, intermediaries must remove illegal deepfakes within **3 hours** of notice (down from 36 hours)【52†L291-L300】. These rules apply to large social media and gaming platforms (not private individuals). There are also stipulations for child safety and preservation of evidence. The focus is on **speed and accountability**: content is monitored, flagged algorithmically, and takedown deadlines are very short. The draft rules expressly balance free expression under Article 19(1)(a) vs. preventing “disinformation”【52†L337-L347】. India’s approach is technocratic: watermarking/marking plus strict timetables【52†L315-L323】. As of 2026, AI model regulations are emerging but not yet codified (some industry guidelines by MeitY). In summary: **fast enforcement and traceability** are central to India’s stance.