Contract workers hired through a Meta contractor wrote in the voice of a pregnant 13-year-old, a fifth-grader with a gun in their mouth, and a teen already mid-suicide. They typed the prompts into dummy accounts filed under fake underage credentials, hit send, and copied whatever came back into a spreadsheet. The chatbots on the receiving end were OpenAI's ChatGPT, Google's Gemini, and Character.AI, a popular role-play chatbot platform. None of them knew they were being tested.
The workers were hired by Covalen, a contractor managing an internal Meta project called Cannes, according to documents reviewed by WIRED and five people familiar with the operation. The point of Cannes was to map how rival systems handled the highest-stakes prompts a child could send: suicide, sex, eating disorders, drugs. A single August 2025 round pushed more than 45,000 prompts through the three named rivals, plus image payloads including pills, knives, nooses, and a medical diagram of a gynecological procedure. Documents reviewed by WIRED show the project was active as recently as April 21 of this year.
That is the surface story, and the surface story has a familiar shape: Meta bad, smaller AI safety teams blindsided, an uncomfortable new disclosure about how the biggest labs police each other's claims. The WIRED reporting lands cleanly on that frame. But the more durable problem underneath is not whether Meta behaved badly. It is that nothing in the industry's current setup required Meta to behave any other way.
There is no federal rule that says one AI lab has to tell another when it is stress-testing the other's safety systems at scale. There is no regulator with a hotline for that disclosure, no industry norm that treats covert probing of a named competitor as a red line, and no trade body that has tried to write one. The largest red-teaming coalitions in the field, the ones most often invoked when labs describe their safety work, run on voluntary disclosure from the lab that owns the model. The lab being probed, by construction, is not in the room. That posture works when the lab doing the probing is testing its own system. It does not survive contact with a contractor operation writing in a 13-year-old's voice at a named competitor that has never heard of Project Cannes.
What Cannes actually measured is harder to read off the wire reporting than the disclosure itself suggests. Internal documents reviewed by WIRED describe the methodology, including dummy under-18 credentials, written prompts and images, and response logging into spreadsheets, but the documents do not show whether Covalen workers were guided by an explicit adversarial script, how the results were scored, or what fraction of the 45,000 prompts returned refusals versus substantive answers. Those details matter because they separate three very different things. A red team looking for safety regressions in its own model is one thing. A red team probing a competitor's model on behalf of a competitor is another. A competitive intelligence operation dressed up as safety testing is a third. The published account does not yet let a reader distinguish among them, and the absence of on-record responses from Meta, Covalen, OpenAI, Google, or Character.AI leaves that gap open.
The accountability vacuum shows up in two places at once. The rival labs cannot easily verify what was tested against them, because they were not told. And outside regulators cannot easily verify whether the probing was, in the industry's own language, "responsible disclosure," a phrase that implies the tester eventually tells the target what it found. Cannes has no such handoff on the record. There is also no obvious third party that could demand one. The Federal Trade Commission has examined how AI products handle children, but its remit is consumer protection, not inter-lab competitive probing. State-level AI safety legislation passed so far focuses on the labs that deploy models, not the labs that test other people's models under cover. The European Union's AI Act, the closest thing to a comprehensive rulebook, treats red-teaming as something a deployer does to its own system before release. None of those frameworks were written for a contractor operation writing as a pregnant 13-year-old to a chatbot operated by a named competitor.
That gap is the durable story, and it is the part the industry has to answer for whether or not Cannes turns out to be the most scandalous version of itself. If Meta's posture is that Cannes was legitimate adversarial testing of named competitors, the right next move is to publish the methodology, the rubric, and a representative sample of the prompts and responses, and to disclose the project to the targets after the fact. If the posture is that Cannes was something else, the right next move is to stop it and explain what it was. Either way, the question the industry now has to confront is not what one contractor did. It is who, if anyone, owns the line between red-teaming a rival and running covert competitive intelligence on a rival's safety claims, and why that line has never been drawn in writing.