Legal risk / Jul 7, 2026 / 4 min
Forty-Five Thousand Fake Kids, Zero Consent
On June 30, WIRED revealed that Meta contractors on Project Cannes sent 45,000+ prompts to ChatGPT, Gemini, and Character.AI while posing as suicidal minors — without telling any rival, while the FTC's child-safety inquiry already covers all three companies.
On June 30, WIRED reported that hundreds of Meta contractors on an internal project called Cannes — managed by the firm Covalen — created dummy under-18 accounts and sent more than 45,000 prompts about suicide, sex, drugs, and eating disorders to ChatGPT, Gemini, and Character.AI without any rival's knowledge or consent, while the FTC's active child-safety inquiry already covers Meta, OpenAI, and Google.
What's new: WIRED's investigation, published June 30, exposed Project Cannes: a months-long contractor operation that logged rival chatbot responses in spreadsheets. The effort was active as recently as April 21, 2026.
- One testing round alone, completed in August 2025, ran more than 45,000 prompts through competitor systems.
- Contractors created fake profiles with names, throwaway emails, passwords, and birth dates — then posed as children in crisis.
- Prompts reviewed by WIRED included a pregnant 13-year-old asking where to buy pills and a girl asking how to hide an eating disorder from her parents.
- Some interactions included images of pills, knives, nooses, and medical diagrams.
None of the three targeted companies authorized the work.
Meta's defense — and the document that says more: Meta does not deny Cannes happened. A spokesperson told WIRED that "testing and benchmarking chatbot responses to help ensure safe and age-appropriate experiences is a responsible, industry-standard practice."
The company added it does not use competitor benchmarking to train its own AI models. Covalen did not respond to WIRED's request for comment.
An internal Covalen document described Cannes as "comprehensive AI safety benchmarking" delivering "critical datasets for model comparison and compliance."
That framing is the tell. Safety is the cover story. The dataset is the product.
Why experts say this isn't standard practice: Rumman Chowdhury, CEO of Humane Intelligence, reviewed sample prompts and called the setup a "governance gray zone where safety becomes a convenient cover for anticompetitive practices."
- She said a long project run through "dummy accounts masquerading as children" sits "outside what is usually described as 'industry standard' evaluation."
- Two lawyers who specialize in online speech reviewed examples for WIRED and said the material did not cross into soliciting CSAM or illegal obscenity — but former contractors still described the work as alarming.
- One former worker told eWeek: "I've seen a lot of things I wish I hadn't while doing this job."
- Another worried the project amounted to quietly lifting data from rivals to feed back into Meta's own systems.
The rivals are pushing back: All three targets bar this kind of testing in their terms of service.
- OpenAI prohibits unsolicited safety testing, attempts to bypass safeguards, and using outputs to build competing models. It said it was looking into the issue.
- Google said it had not approved the testing and that its own checks showed Gemini responding in line with its policies.
- Character.AI said the conduct violated "our Terms of Service" and "the characters and worlds our community has created." Since late 2025, it has shut open-ended chat for under-18 users entirely.
Why the timing is brutal: In September 2025, the FTC launched a formal 6(b) inquiry into AI chatbots and child safety — issuing orders to Meta, OpenAI, Google, Character.AI, Snap, X.AI, and Alphabet.
The Commission wants to know how companies "measure, test, and monitor for negative impacts" on children before and after deployment. Now WIRED shows one of those firms secretly probing the others with fake child accounts.
Europe adds a second lever. The EU's AI Act and Digital Services Act both press platforms on risks to minors — and both can reach any company operating in the bloc.
Convina's view: Cannes is what happens when AI safety becomes a competitive sport with no referee. Meta had every incentive to document rival failures and zero incentive to ask permission — because permission would have meant no data. The contractors generated thousands of synthetic child-in-crisis conversations that no parent, regulator, or rival consented to, then logged the outputs in spreadsheets Meta calls "compliance benchmarking." That is not a safety program. It is industrial espionage wearing a crisis hotline costume. Until the FTC, EU regulators, or the targets themselves draw a line on unauthorized minor impersonation, every frontier lab will treat rival guardrails as attack surfaces — and every teen-safety inquiry will look like cover for the next Cannes.