This week marked a significant milestone in the legislative journey concerning the digital landscape, as the Senate Judiciary Committee unanimously approved the Nurture Originals, Foster Art and Keep Entertainment Safe (NO FAKES) Act. This legislation aims to establish robust federal protections against unauthorized AI-generated replicas, an initiative poised to transform both individual privacy rights and corporate security frameworks.
The implications of deepfake technology extend far beyond the realm of celebrity culture. This issue now presents a substantial risk for enterprises, with malicious actors increasingly capable of cloning the voice of a Chief Financial Officer (CFO) to authorize fraudulent wire transfers or impersonating a Chief Executive Officer (CEO) during video calls to acquire sensitive information. Such enterprise threats could lead to catastrophic repercussions, both in terms of reputation and financial stability.
What is the NO FAKES Act?
The NO FAKES Act is designed to safeguard Americans from unwarranted use of AI-generated video and audio replicas, effectively allowing individuals to retain control over their digital identities. The aim is to provide legal recourse in situations where deepfakes are misused. Introduced in the House of Representatives in 2024 by Representatives Maria Salazar (R-Fla.) and Madeleine Dean (D-Pa.), along with bipartisan backing from Senators Marsha Blackburn (R-Tenn.) and Chris Coons (D-Del.), the legislation has quickly garnered a broad coalition of support. Key endorsements have come from labor unions such as the AFL-CIO, major tech firms including IBM and OpenAI, as well as organizations from the entertainment sector, like SAG-AFTRA and the Motion Picture Association.
In a statement following the Senate Judiciary Committee’s unanimous vote, Salazar expressed optimism, stating that this legislative action represents a major breakthrough for Americans who deserve assurance that their images, voices, and likenesses cannot be exploited without consent. She emphasized the rapid advancements in AI technology and the potential risks that individuals face as a result, asserting that no person should live in fear of their likeness being manipulated to deceive others.
Should the NO FAKES Act become law, it will have substantial consequences for digital identity rights in the AI era. Specifically, the legislation would confer nearly exclusive rights to individuals over their digital AI replicas, rights that could transition to heirs and estates for at least 70 years after an individual’s death. Those who opt to license their likenesses for AI-generated purposes would be able to do so through contracts—set at ten years for adults and five for minors.
Additionally, the Act proposes significant legal remedies for unauthorized use of AI-generated images, including statutory damages reaching up to $750,000 for each violation. Liability would extend to both individuals and companies producing unauthorized digital replicas, with certain scenarios also holding platforms accountable for hosting such likenesses.
What NO FAKES Means for Enterprises
While the primary focus of the NO FAKES Act lies in protecting public figures, it is essential to acknowledge that the distinctions between public and corporate personas are increasingly ambiguous. A deepfake impersonating a corporate executive directly falls into the realm of Chief Information Security Officers (CISOs) and their growing responsibilities.
If the legislation successfully passes, it would likely extend protections to all individuals, thereby introducing new liability considerations for companies whose platforms distribute or host AI-generated content. Organizations would be compelled to implement more comprehensive verification systems to ensure they are not inadvertently facilitating unauthorized likenesses in both internal and external communications.
Theresa Lanowitz, an analyst at Omdia, cautioned that the technology behind deepfakes has become increasingly sophisticated and accessible. Voice cloning, for example, can realistically mimic an individual’s voice using merely a few seconds of authentic audio, while advancements in video realism heighten the stakes for potential corporate impersonations. The rapidly evolving landscape of AI has not only increased the credibility of scams but also expanded their frequency and speed.
According to a study by McAfee, Americans encounter an average of 2.6 deepfakes daily, translating to mounting financial risks for enterprises. A notable case that underscores these dangers occurred in 2024 when a finance employee at the engineering firm Arup was tricked into transferring $25 million to cybercriminals during a video conference with what he believed to be the CFO.
To mitigate these rising threats, Lanowitz provided several strategic recommendations for enterprises:
- Cultivate a Security-First Culture: Establish strong leadership priorities centered around security.
- Employee Training: Equip employees with the knowledge to recognize deepfake and social engineering threats.
- Implement Safeguards: Adopt measures like multi-factor authentication and real-time detection tools to intercept potential deepfake threats.
- Exploit Advanced Technologies: Use biometric authentication and encryption to validate media sources.
- Engage External Experts: Collaborate with third-party cybersecurity professionals to bolster defenses against social engineering attacks.
The progression of the NO FAKES Act through the Senate Judiciary Committee clears a pathway for its consideration on the Senate floor, although a vote has yet to be scheduled. If enacted, the act would establish a pioneering federal framework for the rights associated with digital identity.
Vikram Desai, an analyst at Accenture, commented on the growing sophistication of synthetic voice and video technologies in enabling the impersonation of executives, which has significant ramifications for businesses worldwide. He pointed out that boardrooms must implement stringent verification controls to avert deepfake-related disruptions.
As the legislative process unfolds, security leaders will not only need to bolster defenses against increasingly advanced deepfake attacks but also prepare for new compliance responsibilities should the NO FAKES Act become law. This proposed legislation is emblematic of the ongoing endeavors to navigate the challenges the digital age presents.
