San Francisco has demanded that Apple and Google cut off 13 apps capable of producing nonconsensual sexual deepfakes. The threatened case could test California’s new liability rules, but the confidential app list and the law’s “primary purpose” definition leave a central question unresolved.
San Francisco is threatening Apple and Google with civil enforcement, not announcing a court order. The distinction matters because the city’s case reaches past app removal to payment processing and developer accounts, while the cited apps and the evidence against them remain confidential.
City Attorney David Chiu sent cease-and-desist letters dated July 16 concerning eight apps in Apple’s App Store and five in Google Play. The letters demand that the companies remove the apps, end payment-processing relationships with their developers, sever other business ties that support unlawful deepfakes and conduct recurring reviews for replacements. The companies have 28 days to describe how they will comply; the city says it may otherwise sue, according to reporting on the notices.
The 13 names were placed in confidential attachments. The public descriptions say the products market themselves broadly as face-swap tools but can make real people appear nude or engaged in sexual conduct without their consent. That secrecy avoids directing users to the apps, but it also prevents an independent assessment of each product’s marketing, safeguards and principal use.
The companies began acting before the dispute reached court. Google spokesperson Dan Jackson said all five Play Store apps in the letter had been suspended. He said Google had also suspended hundreds of violating apps, restricted related searches such as “nudify,” and built a review pipeline that has tested thousands of generative-AI apps, sometimes repeatedly. Apple said it removed three of its eight cited apps and was terminating those developers’ accounts; it warned four other developers to correct policy violations or face removal. The two company statements did not explain the status of Apple’s eighth cited app.
Those responses narrow the immediate dispute without resolving it. The city is asking not only whether a listing disappears, but whether its developer retains access to payments and can return through a relabeled product.
The city is relying on a 2025 revision to California Civil Code Section 1708.86. The statute gives a depicted person a claim against someone who knowingly facilitates or recklessly aids or abets prohibited creation or disclosure of digitized sexually explicit material. It also allows a public prosecutor to seek an injunction and a civil penalty of $25,000 per violation, or $50,000 for a malicious violation.
For supporting services, the law creates a presumption rather than automatic liability. A provider can be presumed in violation after a depicted person or prosecutor supplies sufficient evidence that its services enable the ongoing operation of a “deepfake pornography service,” and the provider then fails within 30 days to take all necessary steps to stop supporting it. The required notice must identify the operation, generally describe the enabling service and provide the sender’s contact information.
The definition is consequential. The enacted text defines a deepfake pornography service as a website, mobile app or other service whose primary purpose is to create digitized sexually explicit material. The public reporting says the 13 apps advertise themselves as more general face-swapping products. Their hidden capabilities may support the city’s allegations, but capability alone does not establish primary purpose from the public record.
That does not necessarily end the city’s theory. Prosecutors could try to prove knowing facilitation or reckless assistance without relying solely on the presumption. But if they invoke the notice-based route, a court may have to examine the confidential evidence, each developer’s operation and what “all necessary steps” required Apple or Google to do. The city’s 28-day response deadline and the statute’s 30-day cure provision are related clocks, not the same legal finding.
The statute also says it does not apply to conduct protected by federal law, including Section 230. Whether that limitation covers any part of app distribution, payments or generated output would be a defense question, not something the letters themselves decide.
The letters say Apple and Google had earlier notice through an August 2025 warning from 47 state attorneys general and two 2026 investigations. The first investigation identified 55 qualifying apps in Google Play and 47 in Apple’s store. AppMagic estimated more than 705 million downloads and $117 million in lifetime app revenue; those estimates were not independently audited. Apple later said it removed 28 identified apps, while Google removed 31, according to the reporting.
An April follow-up used a different design, so its totals cannot be read as an increase from January. Researchers opened new Apple and Google accounts, entered seven search terms and downloaded the top 10 results for each query, including sponsored results in those positions. They used AI-generated images and free features; where no free feature existed, they sometimes assessed visible templates.
Among 46 unique Apple results, 18, or 39.1%, could nudify or undress the test subject. The result was 20 of 49, or 40.8%, for Google Play. The investigation also found nudify-capable apps in paid placements and said autocomplete suggestions led to more such tools. Three Apple searches returned a nudify-capable app as the first, sponsored result. Google searches produced sponsored results and a “Suggested for You” ad carousel containing explicit tools.
There are important limits. This was a search-result sample, not a census of either store. The organization behind it chose the terms and determined which outputs met its criteria. Some products refused nude requests, and Grok—which appeared first in several searches—blocked the investigators’ attempts to undress uploaded images and was excluded from the tally. Some previously flagged apps also blocked nudity on retest, showing that safeguards can change.
A separate May preprint tested the broader dual-use problem more systematically. Researchers identified 420 face-swap apps and manually evaluated 155 eligible apps that accepted arbitrary user-supplied face and body images. They found that 70% of the tested apps had no technical safeguard against nude face swaps. The study supports repeated red-team testing because ordinary store descriptions did not reveal which apps were unsafe. It does not show that 70% of all store apps—or 70% of the 13 apps in San Francisco’s letters—failed.
Together, the investigations support a narrower conclusion than the city’s legal allegation: one-time review and keyword bans have not reliably detected capabilities hidden inside general-purpose photo tools. They do not, by themselves, establish that Apple or Google knowingly supported every cited operation.
The April search sample’s apps had an estimated 483 million downloads and more than $122 million in lifetime revenue, according to AppMagic data cited by the investigators. Thirty-one were rated suitable for minors. Google said the International Age Rating Coalition, rather than Google, sets Play Store age ratings, redistributing part of that responsibility without answering why the apps passed store review.
Neither the January nor April figures disclose what Apple and Google actually received. They cover different app populations, and gross app revenue is not the same as store commissions, advertising revenue or profit. Chiu says the companies likely made millions of dollars in fees, but the city has not released an audited calculation for the 13 apps. The available numbers therefore establish commercial scale, not the amount of platform income or a financial motive for any moderation decision.
The stores still hold practical leverage. They can rank and advertise listings, enforce developer rules, restrict search terms, process many purchases, remove products and terminate accounts. Apple says nudification apps violate its rules and that apps with user-generated content must filter objectionable material; Google says sexual content and apps that claim to undress people are prohibited. The enforcement question is whether those controls are applied before discovery by researchers or prosecutors, and whether corrected developers remain corrected.
San Francisco’s upstream strategy follows a 2024 lawsuit against operators of 16 widely visited deepfake-nude websites. In June 2025, Briver LLC—operator of two sites—accepted a permanent injunction barring it and its owners from running sites that create nonconsensual deepfakes and agreed to pay $100,000 in civil penalties. Ten of the 16 targeted sites were offline or inaccessible in California, according to the city attorney, while litigation continued against the remaining defendants, a report on the settlement said.
That result shows that operator-focused litigation can close or geographically restrict identified services. It does not establish liability for app stores under the later-enacted Section 1708.86 revision, nor does “inaccessible in California” mean a service disappeared everywhere. The current letters shift attention to two intermediaries with power over distribution and payments, but the city still must fit that power to the statute.
The first evidence will be operational: whether Apple resolves the status of all eight cited apps, whether both companies terminate the relevant payment and developer relationships, and what recurring tests they commit to running. Google’s suspension of all five Play listings and Apple’s mix of removals and warnings give the companies a compliance argument, while the city can test whether the same developers or capabilities return.
If San Francisco sues, the decisive record will be more specific. A court would need evidence that the underlying operations meet the law’s primary-purpose definition, that the notices contained sufficient evidence, and that any support continued beyond the statutory period despite necessary steps being available. It may also need to decide how federal protections apply to store distribution and payment services.
Until those facts emerge, the letters are best understood as a serious attempt to turn app-store control into legal responsibility—not proof that California has already done so.
Get concise AI news and useful context from the Magica team.
Read the newsletterChristian Faith Madison’s estate alleges GPT-4o sustained a months-long narrative of prophecy, sacrifice and resurrection before her death. Public safety disclosures and controlled research make that failure mode plausible, but neither establishes which model behavior she encountered or whether it caused her death.
Shanghai AI Laboratory has released Intern-S2-Preview-397B as downloadable weights and a hosted API, but its own 35B alternative offers the same context window and a far smaller disclosed scale while the larger model still lacks auditable comparative scores, pricing and physical-validation results.
Mixfont's free Decoy Font gives each glyph a sharp decoy and a blurred intended letter, creating a hurdle for pixel-based readers while leaving selectable text, known-image techniques and accessibility costs outside its protection.
Zhipu reportedly reached $1 billion in annual recurring revenue in July, roughly four times a March estimate, but the unconfirmed run rate is not annual sales and still sits far ahead of recognized cloud revenue while margins remain thin.
Cmpunlocker says patched Nvidia open kernel modules can expose 64GB of HBM on an 8GB CMP 170HX or 40GB on a 10GB card while removing an SM throttle. The exploit mechanism is documented, but the retained evidence does not independently validate the tool across full-memory workloads, error rates, power use or A100-class performance.
An unidentified industry source says at least one Nvidia board partner has physical RTX 50 Super cards but cannot sell them, with 3GB GDDR7 quoted at $60 to $70 per chip. The reported memory bill explains a plausible pricing problem, but neither Nvidia nor a second independent source has confirmed the products, the hold or the component terms.
Anthropic’s 20-year lease gives TeraWulf a customer for 401 megawatts of future AI infrastructure, but rent starts only after delivery and the proposed utility deal passes power and grid costs to TeraWulf, leaving financing and project margin unresolved.
OpenAI has put conversations and Projects back in its redesigned ChatGPT desktop app and enabled cloud Work threads to move across devices, correcting the launch's biggest usability failures without merging local Work or Codex histories.
Twenty-nine countries signed an agreement creating WAICO as an independent intergovernmental organization, while China paired the launch with capacity-building offers that are not yet confirmed as WAICO programs.
Meta reportedly plans to put departing AWS compute executive Dave Brown to work on its data-center buildout, adding hyperscale operating experience while leaving any customer-facing cloud business conditional and undefined.
Moonshot AI has made Kimi K3 available through its apps and API, pairing a 2.8-trillion-parameter architecture with early frontier-level results, but the model's open-weight claim cannot be tested until its weights and technical report arrive.
CIA Director John Ratcliffe said US intelligence is consistent with an estimate that Russian recruits last 20 to 30 minutes on Ukraine’s battlefield, but the public trail leads to an unsourced claim about assault troops and does not establish a representative average.
China has paired a five-year AI training offer for developing countries with cooperation centers, a weather-warning rollout and a new 29-country organization. The package gives Beijing a platform for influence, but no budget, selection rules or delivery timetable has been published.
The FastFlowLM team has joined AMD after building a Ryzen AI NPU inference flow on technology AMD already developed and distributed. The move could reduce model-support delays, but its financial significance, transaction perimeter and performance benefit remain undisclosed.
Federal intervention changed the launches of Anthropic's Claude Fable 5, Claude Mythos 5 and OpenAI's GPT-5.6, but through different legal and voluntary channels. The result is real government leverage over early customers without a common security threshold or durable review process.
A proposal developed with Treasury Secretary Scott Bessent would put an independent AI regulator under SEC oversight, but President Trump had not reviewed it and its tests, funding and enforcement authority remained unresolved.
Anthropic will keep Claude Fable 5 inside Max and Team Premium plans from July 20 at 50% of their usage limits, while Pro and Team Standard customers move to separately billed credits. The durable change is who gets bundled access, not a larger allowance for top-tier users.
HKT plans a 3.2 Tbps data-centre route from Lok Ma Chau to Tseung Kwan O by the end of 2026, but has not disclosed customer bandwidth, price, project cost or end-to-end latency, while Sandy Ridge's developer expects to start within 42 months of its land award.
Apple briefly topped Nvidia during Friday trading before Nvidia closed about $6 billion ahead. The filings show why that ranking is a weak AI verdict: Apple’s operating momentum predates its new Siri, while Nvidia’s rapid growth comes with concentrated customers and large forward commitments.
Anthropic has proposed paying Meta as much as $10 billion over two years for AI computing capacity, but early exit rights, undisclosed capacity and Meta's own reliance on outside infrastructure leave the economics—and the case for a durable Meta cloud business—unresolved.