A (13:57)

Good to be with you again, Dave.

B (13:59)

So we've got a trial kicking off here in California, your home state.

A (14:05)

Go Cali. Yep.

B (14:06)

Yeah, in Los Angeles. And not to be breathless here, but some of the folks involved with this case are saying that they're putting the Internet on trial. What's going on here, Ben?

A (14:17)

Yeah, so this is a big one. A plaintiff who is not named in the suit because it's somebody who is underage has filed suit in California Superior Court against basically all of the big tech players. So Meta TikTok and YouTube through Google and we're going to have a jury trial here. So this is really the first time that social media companies will have to go in front of a jury and defend some of their practices and consider claims that their algorithms and their way of doing business is harming the mental health of young people. So the allegation is that in the way these products are designed, they produce these sort of addictive features. So Infinite scroll, autoplay, persistent notifications, et cetera. They've pointed to some literature saying that these tools in social media have caused or worsened depression, eating disorders, self harm, in the most extreme cases, suicide. And they're going to go through the discovery process to try and prove that these companies knew or should have known about harms to minors but failed to act. This is going to be a very difficult lawsuit for the plaintiff. It's going to be very difficult for them to prevail on the merits here. This is being considered under a products liability framework. Most products liability framework, there's some design defect and it's very clear how and when a person was injured by that design defect. So there's a law professor in this article who's like, they're trying to analogize this to the Coke bottle that explodes in your face. And if that doesn't make sense to you, that shows you why using this sort of products liability theory is going to be problematic here. But I think the trial itself, even if the plaintiff ultimately doesn't prevail, is going to be eye opening for a couple of reasons. One, you're going to have some high profile people who are going to be forced to take the stand to testify, including Mark Zuckerberg, who I don't know about you, Dave, but I've seen him testify in front of Congress and it has not gone well.

B (16:23)

No, no, not. He's not at his best in those situations.

A (16:27)

It seems to me that is not his strength. And I wonder if that will have some impact on the jury or just kind of on the public's view of this trial. And then the other big deal here is the discovery process. For the first time, the plaintiffs and their attorneys are going to be able to look through decades worth of documents on how they've developed some of these tools and algorithms. And that could be really eye opening. That's where people are drawing these parallels to the lawsuits against big tobacco companies in the 1990s where they looked back at this 50 year horizon on strategies these companies use to get young people addicted to their products. And we could certainly see the same thing here. I think from the company's perspective, they're saying that this lawsuit just mis portrays their work, that they have taken steps to improve online safety for young people with things like parental controls and other safety features. But it's certainly there's the potential, if the plaintiff prevails, that we could see major industry wide changes that rival some of the changes that came to the tobacco industry after those big lawsuits in the 90s.

B (17:36)

Hmm. I'm looking at some of the reporting here from NPR on this story. And they note that the judge in this case has already struck some of the plaintiff's claims on the grounds that their third party content and they're covered by section 230 of the Communications Decency Act. What do you make of that, Ben?

A (17:58)

Right. So section 230 says that the platforms themselves are not liable for content posted on on their platforms. Very controversial. But I think that does cover a lot of the claims here. If you're making a direct allegation of injury based on a particular post or a particular series of posts, I do think that Section 230 is going to immunize these companies, at least the way the law is structured. Now they can always change the law and there have been discussions about doing that, but really you can only be liable in terms of the products that they themselves have created, not the users. So what are those products that they themselves have created, these big tech companies? It is the algorithms, it is the scrolling features, that sort of thing. So when you start to base allegations on particular content, that's where the plaintiffs are going to run into these 230 issues where parts of the case are going to be dismissed.

B (18:56)

Do you suppose this could head in direction or maybe bolster the arguments of folks who say that these social media platforms should be treated like pornography in that under a certain age you're not permitted to interact with them?

A (19:12)

Yeah, I mean, I think there's the chance that we go down a path like that. They're asserting a First Amendment interest, which they definitely have. I mean they have the right to freedom of expression and that includes the way they build out these platforms. They do have a protected First Amendment interest, as do pornographers, by the way. But I think the law understands things differently when we're talking about non consenting or young people who are just not capable of consenting to seeing this type of content.

B (19:42)

I see.

A (19:42)

Or for understanding how these algorithms work and how they're being driven to certain pieces of information. Again, I'm not sure that this case is going to be the vehicle to do that, but it might start a long process that ends up with some sort of resolution as to whether these companies can be held responsible for psychological harm, which would force them to make major design changes to further enhance protections for the safety of children in ways that they've been reluctant to do in the past, both for cost reasons. And also they don't want to restrict access for adults to certain content. So.

B (20:22)

Yeah, you know, I gotta ask Ben, what kind of timeline does this put us on to actually get any results?

A (20:29)

It's never one of those things, Dave, where it's like, oh, well, we'll know in a couple of weeks. Yeah, I mean, this is going to be a long trial. Luckily, we're getting close to the actual trial itself, which is good because we've gone through months and years of dueling motions. And you know, the, as you mentioned, the petition to narrow the case based on issues that the plaintiff's not going to win. So things that are protected by section 230. But I think the litigation itself could take a long time, potentially up to a month and then several more months after that for a decision from this judge. And then you have to consider the appeals process through the California court system, which. Which could take a long time.

B (21:12)

Yeah.

A (21:12)

And it's unlikely that this case, because it's a state based case, would be on a direct path to the Supreme Court. But you never know. It could happen.

B (21:22)

Ben Yellen is from the University of Maryland center for Cyber Health and Hazard Strategies and also my co host on the Caveat podcast. Ben, thanks so much for joining us.

A (21:32)

Good to be with you, Dave.

B (21:46)

The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work built into Word, Excel, PowerPoint, and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more@Microsoft.com N365 Copilot this episode is.

A (22:16)

Brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored Jobs to find the right place people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

B (22:49)

And finally, in the beautiful coastal town of San in northwestern sp, the city council has learned that ransomware does not respect coastal charm. Hackers broke into the town hall's systems on January 26, encrypting thousands of administrative documents and knocking internal operations offline. The attackers then made their $5,000 in Bitcoin, a ransom so small it raised questions about whether this was cybercrime or a clearance sale, or maybe a practical joke. City officials were unimpressed. They refused to pay, notified Spain's Civil Guard and began restoring systems from daily backups. Some services never went down at all, including the online Citizen portal and two municipal companies operating on separate networks. Recovery is ongoing, though slower than initially hoped. The attack is part of a wider surge in ransomware hitting Spanish municipalities, but Sansensho's case stands out for its unusually low ransom demand, more of a nuisance than anything else. Too small to negotiate, too annoying to ignore. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwiren. A tip of the hat to our T Minus Space Daily team, who are on site in Florida covering Space Week. I had the pleasure of filling in for Maria Vermazes yesterday on T Minus, so if you want to check that out, we've got a link in the show notes N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

A (25:37)

Foreign.

B (25:45)

If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning, and real innovation. I'll say this plainly. I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco. Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at Spectrops, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across active Directory, cloud apps and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization want to see risk as attackers do, then check out the full interview now on TheCyberWire.com Spectrops.