Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Privacy. Show all posts
Privacy Risks
Car Data Data collection Data Privacy Data protection Data Safety User Data data security Data Surveillance Mozilla Foundation Privacy Privacy Risks

Connected Car Privacy Risks: How Modern Vehicles Secretly Track and Sell Driver Data

 

The thrill of a smooth drive—the roar of the engine, the grip of the tires, and the comfort of a high-end cabin—often hides a quieter, more unsettling reality. Modern cars are no longer just machines; they’re data-collecting devices on wheels. While you enjoy the luxury and performance, your vehicle’s sensors silently record your weight, listen through cabin microphones, track your every route, and log detailed driving behavior. This constant surveillance has turned cars into one of the most privacy-invasive consumer products ever made. 

The Mozilla Foundation recently reviewed 25 major car brands and declared that modern vehicles are “the worst product category we have ever reviewed for privacy.” Not a single automaker met even basic standards for protecting user data. The organization found that cars collect massive amounts of information—from location and driving patterns to biometric data—often without explicit user consent or transparency about where that data ends up. 

The Federal Trade Commission (FTC) has already taken notice. The agency recently pursued General Motors (GM) and its subsidiary OnStar for collecting and selling drivers’ precise location and behavioral data without obtaining clear consent. Investigations revealed that data from vehicles could be gathered as frequently as every three seconds, offering an extraordinarily detailed picture of a driver’s habits, destinations, and lifestyle. 

That information doesn’t stay within the automaker’s servers. Instead, it’s often shared or sold to data brokers, insurers, and marketing agencies. Driver behavior, acceleration patterns, late-night trips, or frequent stops at specific locations could be used to adjust insurance premiums, evaluate credit risk, or profile consumers in ways few drivers fully understand. 

Inside the car, the illusion of comfort and control masks a network of tracking systems. Voice assistants that adjust your seat or temperature remember your commands. Smartphone apps that unlock the vehicle transmit telemetry data back to corporate servers. Even infotainment systems and microphones quietly collect information that could identify you and your routines. The same technology that powers convenience features also enables invasive data collection at an unprecedented scale. 

For consumers, awareness is the first defense. Before buying a new vehicle, it’s worth asking the dealer what kind of data the car collects and how it’s used. If they cannot answer directly, it’s a strong indication of a lack of transparency. After purchase, disabling unnecessary connectivity or data-sharing features can help protect privacy. Declining participation in “driver score” programs or telematics-based insurance offerings is another step toward reclaiming control. 

As automakers continue to blend luxury with technology, the line between innovation and intrusion grows thinner. Every drive leaves behind a digital footprint that tells a story—where you live, work, shop, and even who rides with you. The true cost of modern convenience isn’t just monetary—it’s the surrender of privacy. The quiet hum of the engine as you pull into your driveway should represent freedom, not another connection to a data-hungry network.
Read more »
Privacy Concerns
ai agents AI technology Copilot Data Privacy data security Microsoft Microsoft Copilot Privacy Privacy Concerns

Microsoft’s Copilot Actions in Windows 11 Sparks Privacy and Security Concerns

When it comes to computer security, every decision ultimately depends on trust. Users constantly weigh whether to download unfamiliar software, share personal details online, or trust that their emails reach the intended recipient securely. Now, with Microsoft’s latest feature in Windows 11, that question extends further — should users trust an AI assistant to access their files and perform actions across their apps? 


Microsoft’s new Copilot Actions feature introduces a significant shift in how users interact with AI on their PCs. The company describes it as an AI agent capable of completing tasks by interacting with your apps and files — using reasoning, vision, and automation to click, type, and scroll just like a human. This turns the traditional digital assistant into an active AI collaborator, capable of managing documents, organizing folders, booking tickets, or sending emails once user permission is granted.  

However, giving an AI that level of control raises serious privacy and security questions. Granting access to personal files and allowing it to act on behalf of a user requires substantial confidence in Microsoft’s safeguards. The company seems aware of the potential risks and has built multiple protective layers to address them. 

The feature is currently available only in experimental mode through the Windows Insider Program for pre-release users. It remains disabled by default until manually turned on from Settings > System > AI components > Agent tools by activating the “Experimental agentic features” option. 

To maintain strict oversight, only digitally signed agents from trusted sources can integrate with Windows. This allows Microsoft to revoke or block malicious agents if needed. Furthermore, Copilot Actions operates within a separate standard account created when the feature is enabled. By default, the AI can only access known folders such as Documents, Downloads, Desktop, and Pictures, and requires explicit user permission to reach other locations. 

These interactions occur inside a controlled Agent workspace, isolated from the user’s desktop, much like Windows Sandbox. According to Dana Huang, Corporate Vice President of Windows Security, each AI agent begins with limited permissions, gains access only to explicitly approved resources, and cannot modify the system without user consent. 

Adding to this, Microsoft’s Peter Waxman confirmed in an interview that the company’s security team is actively “red-teaming” the feature — conducting simulated attacks to identify vulnerabilities. While he did not disclose test details, Microsoft noted that more granular privacy and security controls will roll out during the experimental phase before the feature’s public release. 

Even with these assurances, skepticism remains. The security research community — known for its vigilance and caution — will undoubtedly test whether Microsoft’s new agentic AI model can truly deliver on its promise of safety and transparency. As the preview continues, users and experts alike will be watching closely to see whether Copilot Actions earns their trust.
Read more »
VMO Incident
cyber resilience Cybersecurity Breach Data Privacy Data protection Digital Infrastructure Hong Kong Security Network Security Privacy Ransomware attack VMO Incident

Mobdro Pro VPN Under Fire for Compromising User Privacy

 


A disturbing revelation that highlights the persistent threat that malicious software poses to Android users has been brought to the attention of cybersecurity researchers, who have raised concerns over a deceptive application masquerading as a legitimate streaming and VPN application. Despite the app's promise that it offers free access to online television channels and virtual private networking features—as well as the name Modpro IPTV Plus VPN—it hides a much more dangerous purpose.

It is known as Mobdro Pro IPTV Plus VPN. Cleafy conducted an in-depth analysis of this software program and found that, as well as functioning as a sophisticated Trojan horse laced with Klopatra malware, it is also able to compromise users' financial data, infiltrating devices, securing remote controls, and infecting devices with Klopatra malware. 

Even though it is not listed in Google Play, it has spread through sideloaded installations that appeal to users with the lure of free services, causing users to download it. There is a serious concern among experts that those who install this app may unknowingly expose their devices, bank accounts, and other financial assets to severe security risks. At first glance, the application appears to be an enticing gateway to free, high-quality IPTV channels and VPN services, and many Android users find the offer hard to refuse. 

It is important to note, however, that beneath its polished interface lies a sophisticated banking Trojan with a remote-access toolkit that allows cybercriminals to control almost completely infected devices through a remote access toolkit. When the malware was installed on the device, Klopatra, the malware, exploiting Android's accessibility features, impersonated the user and accessed banking apps, which allowed for the malicious activity to go unnoticed.

Analysts have described the infection chain in a way that is both deliberate and deceptive, using social engineering techniques to deceive users into downloading an app from an unverified source, resulting in a sideload process of the app. Once installed, what appears to be a harmless setup process is, in fact, a mechanism to give the attacker full control of the system. 

In analyzing Mobdro Pro IPTV Plus VPN further, the researchers have discovered that it has been misusing the popularity of the once popular streaming service Mobdro (previously taken down by Spanish authorities) to mislead users and gain credibility, by using the reputation of the once popular streaming service Mobdro. 

There are over 3,000 Android devices that have already been compromised by Klopatra malware, most of which have been in Italy and Spain regions, according to Cleafy, and the operation was attributed to a Turkish-based threat group. A group of hackers continue to refine their tactics and exploit public frustration with content restrictions and digital surveillance by using trending services, such as free VPNs and IPTV apps. 

The findings of Cleafy are supported by Kaspersky's note that there is a broader trend of malicious VPN services masquerading as legitimate tools. For example, there are apps such as MaskVPN, PaladinVPN, ShineVPN, ShieldVPN, DewVPN, and ProxyGate previously linked to similar attacks. In an effort to safeguard privacy and circumvent geo-restrictions online, the popularity of Klopatra may inspire an uproar among imitators, making it more critical than ever for users to verify the legitimacy of free VPNs and streaming apps before installing them. Virtual Private Networks (VPNs) have been portrayed for some time as a vital tool for safeguarding privacy and circumventing geo-restrictions. 

There are millions of internet users around the world who use them as a way to protect themselves from online threats — masking their IP addresses, encrypting their data traffic, and making sure their intercepted communications remain unreadable. But security experts are warning that this perception of safety can sometimes be false.

In recent years, it has become increasingly difficult to select a trustworthy VPN, even when downloading it directly from official sites, such as the Google Play Store, since many apps are allegedly compromising the very privacy they claim to protect, which has made the selection process increasingly difficult. In the VPN Transparency Report 2025, published by the Open Technology Fund, significant security and transparency issues were highlighted among several VPN applications that are widely used around the world. 

During the study, 32 major VPN services collectively used by over a billion people were examined, and the findings revealed opaque ownership structures, questionable operational practices, and the misuse of insecure tunnelling technologies. Several VPN services, which boasted over 100 million downloads each, were flagged as particularly worrying, including Turbo VPN, VPN Proxy Master, XY VPN, and 3X VPN – Smooth Browsing. 

Several providers utilised the Shadowsocks tunnelling protocol, which was never intended to be private or confidential, and yet was marketed as a secure VPN solution by researchers. It emphasises the importance of doing users' due diligence before choosing a VPN provider, urging users to understand who operates the service, how it is designed, and how their information is handled before making a decision. 

It is also strongly advised by cybersecurity experts to have cautious digital habits, including downloading apps from verified sources, carefully reviewing permission requests, installing up-to-date antivirus software, and staying informed on the latest cybersecurity developments through trusted cybersecurity publications. As malicious VPNs and fake streaming platforms become increasingly important gateways to malware such as Klopatra, awareness and vigilance have become increasingly important defensive tools in the rapidly evolving online security landscape. 

As Clearafy uncovered in its analysis of the Klopatra malware, the malware represents a new level of sophistication in Android cyberattacks, utilising several sophisticated mechanisms to help evade detection and resist reverse engineering. As opposed to typical smartphone malware, Klopatra permits its operators to fully control an infected device remotely—essentially enabling them to do whatever the legitimate user is able to do on the device. 

It has a hidden VNC mode, which allows attackers to access the device while keeping the screen black, making them completely unaware of any active activities going on in the device. This is one of the most insidious features of this malware. If malicious actors have access to such a level of access, they could open banking applications without any visible signs of compromise, initiate transfers, and manipulate device settings without anyone noticing.

A malware like Klopatra has strong defensive capabilities that make it very resilient. It maintains an internal watchlist of popular Android security applications and automatically attempts to uninstall them once it detects them, ensuring that it stays hidden from its victim. Whenever a victim attempts to uninstall a malicious application manually, they may be forced to trigger the system's "back" action, which prevents them from doing so. 

The code analysis and internal operator comments—primarily written in Turkish—led investigators to trace the malware’s origins to a coordinated threat group based in Turkey, where most of their activities were directed towards targeting Italian and Spanish financial institutions. Cleafy's findings also revealed that the third server infrastructure is carrying out test campaigns in other countries, indicating an expansion of the business into other countries in the future. 

With Klopatra, users can launch legitimate financial apps and a convincing fake login screen is presented to them. The screen gives the user the appearance of a legitimate login page, securing their credentials via direct operator intervention. The campaign evolved from a prototype created in early 2025 to its current advanced form in 2035. This information is collected and then used by the attackers in order to access accounts, often during the night when the device is idle, making suspicions less likely. 

A few documented examples illustrate that operators have left internal notes in the app's code in reference to failed transactions and victims' unlock patterns, which highlights the hands-on nature of these attacks. Cybersecurity experts warn that the best defence against malware is prevention - avoiding downloading apps from unverified sources, especially those that offer free IPTV or VPN services. Although Google Play Protect is able to identify and block many threats, it cannot detect every emerging threat. 

Whenever an app asks for deep system permissions or attempts to install secondary software, users are advised to be extremely cautious. According to Cleafy's research, curiosity about "free" streaming services or privacy services can all too easily serve as a gateway for full-scale digital compromise, so consumers need to be vigilant about these practices. In a time when convenience usually outweighs caution, threats such as Klopatra are becoming increasingly sophisticated.

A growing number of cybercriminals are exploiting popular trends such as free streaming and VPN services to ensnare unsuspecting users into ensnaring them. As a result, it is becoming increasingly essential for each individual to take steps to protect themselves. Experts recommend that users adopt a multi-layered security approach – pairing a trusted VPN with an anti-malware tool and enabling multi-factor authentication on their financial accounts to minimise damage should their account be compromised. 

The regular review of system activity and app permissions can also assist in detecting anomalies before they occur. Additionally, users should cultivate a sense of scepticism when it comes to offers that seem too good to be true, particularly when they promise unrestricted access and “premium” services without charge. In addition, organisations need to increase awareness campaigns so consumers are able to recognise the warning signs of fraudulent apps. 

The cybersecurity incidents serve as a reminder that cybersecurity is not a one-time safeguard, but must remain constant through vigilance and informed decisions throughout the evolving field of mobile security. Awareness of threats remains the first and most formidable line of defence as the mobile security battlefield continues to evolve.
Read more »
privacy laws
AI Security AI technology Browser Browser Security Chrome Cyber Security Data Privacy Data Privacy Laws privacy laws

Chrome vs Comet: Security Concerns Rise as AI Browsers Face Major Vulnerability Reports

 

The era of AI browsers is inevitable — the question is not if, but when everyone will use one. While Chrome continues to dominate across desktops and mobiles, the emerging AI-powered browser Comet has been making waves. However, growing concerns about privacy and cybersecurity have placed these new AI browsers under intense scrutiny. 

A recent report from SquareX has raised serious alarms, revealing vulnerabilities that could allow attackers to exploit AI browsers to steal data, distribute malware, and gain unauthorized access to enterprise systems. According to the findings, Comet was particularly affected, falling victim to an OAuth-based attack that granted hackers full access to users’ Gmail and Google Drive accounts. Sensitive files and shared documents could be exfiltrated without the user’s knowledge. 

The report further revealed that Comet’s automation features, which allow the AI to complete tasks within a user’s inbox, were exploited to distribute malicious links through calendar invites. These findings echo an earlier warning from LayerX, which stated that even a single malicious URL could compromise an AI browser like Comet, exposing sensitive user data with minimal effort.  
Experts agree that AI browsers are still in their infancy and must significantly strengthen their defenses. SquareX CEO Vivek Ramachandran emphasized that autonomous AI agents operating with full user privileges lack human judgment and can unknowingly execute harmful actions. This raises new security challenges for enterprises relying on AI for productivity. 

Meanwhile, adoption of AI browsers continues to grow. Venn CEO David Matalon noted a 14% year-over-year increase in the use of non-traditional browsers among remote employees and contractors, driven by the appeal of AI-enhanced performance. However, Menlo Security’s Pejman Roshan cautioned that browsers remain one of the most critical points of vulnerability in modern computing — making the switch to AI browsers a risk that must be carefully weighed. 

The debate between Chrome and Comet reflects a broader shift. Traditional browsers like Chrome are beginning to integrate AI features to stay competitive, blurring the line between old and new. As LayerX CEO Or Eshed put it, AI browsers are poised to become the primary interface for interacting with AI, even as they grapple with foundational security issues. 

Responding to the report, Perplexity’s Kyle Polley argued that the vulnerabilities described stem from human error rather than AI flaws. He explained that the attack relied on users instructing the AI to perform risky actions — an age-old phishing problem repackaged for a new generation of technology. 

As the competition between Chrome and Comet intensifies, one thing is clear: the AI browser revolution is coming fast, but it must first earn users’ trust in security and privacy.
Read more »
Workplace Compliance
AI governance Corporate Security cybersecurity risk Data Breach Data Privacy Generative AI Information Protection Shadow AI Workplace Compliance

Unauthorized Use of AI Tools by Employees Exposes Sensitive Corporate Data


 

Artificial intelligence has rapidly revolutionised the modern workplace, creating both unprecedented opportunities and presenting complex challenges at the same time. Despite the fact that AI was initially conceived to improve productivity, it has quickly evolved into a transformational force that has changed the way employees think, work, and communicate. 

Despite the rapid rise in technology, many organisations are still ill-prepared to deal with the unchecked use of artificial intelligence. With the advent of generative AI, which can produce text, images, videos, and audio in a variety of ways, employees have increasingly adopted it for drafting emails, preparing reports, analysing data, and even creating creative content. 

The ability of advanced language models, which have been trained based on vast datasets, to mimic the language of humans with remarkable fluency can enable workers to perform tasks that once took hours to complete. According to some surveys, a majority of American employees rely on AI tools, often without formal approval or oversight, which are freely accessible with a little more than an email address to use. 

Platforms such as ChatGPT, where all you need is an email address if you wish to use the tool, are inspiring examples of this fast-growing trend. Nonetheless, this widespread use of unregulated artificial intelligence tools raises many concerns about privacy, data protection, and corporate governance—a concern employers must address with clear policies, robust safeguards, and a better understanding of the evolving digital landscape to prevent these concerns from becoming unfounded. 

Cybernews has recently found out that the surge in unapproved AI use in the workplace is a concerning phenomenon. While digital risks are on the rise, a staggering 75 per cent of employees who use so-called “shadow artificial intelligence” tools admit to having shared sensitive or confidential information through them.

Information that could easily compromise their organisations. However, what is more troubling is that the trend is not restricted to junior staff; it is actually a trend led by the leadership at the organisation. With approximately 93 per cent of executives and senior managers admitting to using unauthorised AI tools, it is clear that executives and senior managers are the most frequent users. Management accounts for 73 per cent, followed by professionals who account for 62 per cent. 

In other words, it seems that unauthorised AI tools are not isolated, but rather a systemic problem. In addition to employee records and customer information, internal documents, financial and legal records, and proprietary code, these categories of sensitive information are among the most commonly exposed categories, each of which can lead to serious security breaches each of which has the potential to be a major vulnerability. 

However, despite nearly nine out of ten workers admitting that utilising AI entails significant risks, this continues to happen. It has been found that 64 per cent of respondents recognise the possibility of data leaks as a result of unapproved artificial intelligence tools, and more than half say they will stop using those tools if such a situation occurs. However, proactive measures remain rare in the industry. As a result, there is a growing disconnect between awareness and action in corporate data governance, one that could have profound consequences if not addressed. 

There is also an interesting paradox within corporate hierarchies revealed by the survey: even though senior management is often responsible for setting data governance standards, they are the most frequent infringers on those standards. According to a recent study, 93 per cent of executives and senior managers use unapproved AI tools, outpacing all other job levels by a wide margin.

There is also a significant increase in engagement with unauthorised platforms by managers and team leaders, who are responsible for ensuring compliance and modelling best practices within the organisation. This pattern, researchers suggest, reflects a worrying disconnect between policy enforcement and actual behaviour, one that erodes accountability from the top down. Žilvinas GirÄ—nas, head of product at Nexos.ai, warns that the implications of such unchecked behaviour extend far beyond simple misuse. 

The truth is that it is impossible to determine where sensitive data will end up if it is pasted into unapproved AI tools. "It might be stored, used to train another model, exposed in logs, or even sold to third parties," he explained. It could be possible to slip confidential contracts, customer details, or internal records quietly into external systems without detection through such actions, he added.

A study conducted by IBM underscores the seriousness of this issue by estimating that shadow artificial intelligence can result in an average data breach cost of up to $670,000, an expense that few companies are able to afford. Even so, the Cybernews study found that almost one out of four employers does not have formal policies in place governing artificial intelligence use in the workplace. 

Experts believe that awareness alone will not be enough to prevent these risks from occurring. As Sabeckis noted, “It would be a shame if the only way to stop employees from using unapproved AI tools was through the hard lesson of a data breach. For many companies, even a single breach can be catastrophic. GirÄ—nas echoed this sentiment, emphasising that shadow AI “thrives in silence” when leadership fails to act decisively. 

The speaker warned that employees will continue to rely on whatever tools seem convenient to them if clear guidelines and sanctioned alternatives are not provided, leading to efficiency shortcuts becoming potential security breaches without clear guidelines and sanctioned alternatives. Experts emphasise that organisations must adopt comprehensive internal governance strategies to mitigate the growing risks associated with the use of unregulated artificial intelligence, beyond technical safeguards. 

There are a number of factors that go into establishing a well-structured artificial intelligence framework, including establishing a formal AI policy. This policy should clearly state the acceptable uses for AI, prohibit the unauthorised download of free AI tools, and limit the sharing of personal, proprietary, and confidential information through these platforms. 

Businesses are also advised to revise and update existing IT, network security, and procurement policies in order to keep up with the rapidly changing AI environment. Additionally, proactive employee engagement continues to be a crucial part of addressing AI-related risks. Training programs can provide workers with the information and skills needed to understand potential risks, identify sensitive information, and follow best practices for safe, responsible use of AI. 

Also essential is the development of a robust data classification strategy that enables employees to recognise and handle confidential or sensitive information before interacting with AI systems in a proper manner. 

The implementation of formal authorisation processes for AI tools may also benefit organisations by limiting access to the tools to qualified personnel, along with documentation protocols that document inputs and outputs so that compliance and intellectual property issues can be tracked. Further safeguarding the reputation of your brand can be accomplished by periodic reviews of AI-generated content for bias, accuracy, and appropriateness. 

By continuously monitoring AI tools, including reviewing their evolving terms of service, organisations can ensure ongoing compliance with their company's standards, as well. Finally, it is important to put in place a clearly defined incident response plan, which includes designated points of contact for potential data exposure or misuse. This will help organisations respond more quickly to any AI-related incident. 

Combined, these measures represent a significant step forward in the adoption of structured, responsible artificial intelligence that balances innovation and accountability. Although internal governance is the cornerstone of responsible AI usage, external partnerships and vendor relationships are equally important when it comes to protecting organisational data. 

According to experts, organisation leaders need to be vigilant not just about internal compliance, but also about third-party contracts and data processing agreements. Data privacy, retention, and usage provisions should be explicitly included in any agreement with an external AI provider. These provisions are meant to protect confidential information from being exploited or stored in ways that are outside of the intended use of the information.

Business leaders, particularly CEOs and senior executives, must examine vendor agreements carefully in order to ensure that they are aligned with international data protection frameworks, such as the General Data Protection Regulation and California Consumer Privacy Act (CCPA). In order to improve their overall security posture, organisations can ensure that sensitive data is handled with the same rigour and integrity as their internal privacy standards by incorporating these safeguards into the contract terms. 

In the current state of artificial intelligence, which has been redefining the limits of workplace efficiency, its responsible integration has become an important factor in enhancing organisational trust and resilience as it continues to redefine the boundaries of workplace efficiency. Getting AI to work effectively in business requires not only innovation but also a mature set of governance frameworks that accompany its use. 

Companies that adopt a proactive approach, such as by enforcing clear internal policies, establishing transparency with vendors, and cultivating a culture of accountability, will be able to gain more than simply security. They will also gain credibility with clients and employees, as well as regulators. Although internal governance is the cornerstone of responsible AI usage, external partnerships and vendor relationships are equally important when it comes to protecting organisational data. 

According to experts, organisation leaders need to be vigilant not just about internal compliance, but also about third-party contracts and data processing agreements. Data privacy, retention, and usage provisions should be explicitly included in any agreement with an external AI provider. 

These provisions are meant to protect confidential information from being exploited or stored in ways that are outside of the intended use of the information. Business leaders, particularly CEOs and senior executives, must examine vendor agreements carefully in order to ensure that they are aligned with international data protection frameworks, such as the General Data Protection Regulation and California Consumer Privacy Act (CCPA). 

In order to improve their overall security posture, organisations can ensure that sensitive data is handled with the same rigour and integrity as their internal privacy standards by incorporating these safeguards into the contract terms. In the current state of artificial intelligence, which has been redefining the limits of workplace efficiency, its responsible integration has become an important factor in enhancing organisational trust and resilience as it continues to redefine the boundaries of workplace efficiency. 

Getting AI to work effectively in business requires not only innovation but also a mature set of governance frameworks that accompany its use. Companies that adopt a proactive approach, such as by enforcing clear internal policies, establishing transparency with vendors, and cultivating a culture of accountability, will be able to gain more than simply security. They will also gain credibility with clients and employees, as well as regulators.

In addition to ensuring compliance, responsible AI adoption can improve operational efficiency, increase employee confidence, and strengthen brand loyalty in an increasingly data-conscious market. According to experts, artificial intelligence should not be viewed merely as a risk to be controlled, but as a powerful tool to be harnessed under strong ethical and strategic guidelines. 

It is becoming increasingly apparent that in today's business climate, every prompt, every dataset can potentially create a vulnerability, so organisations that thrive will be those that integrate technological ambition with a disciplined governance framework - trying to transform AI from being a source of uncertainty to being a tool for innovation that is as sustainable and secure as possible.
Read more »
Privacy
ChatGPT Data Exposure Data Privacy data security Legal challeges Open AI Privacy

Sam Altman Pushes for Legal Privacy Protections for ChatGPT Conversations

 

Sam Altman, CEO of OpenAI, has reiterated his call for legal privacy protections for ChatGPT conversations, arguing they should be treated with the same confidentiality as discussions with doctors or lawyers. “If you talk to a doctor about your medical history or a lawyer about a legal situation, that information is privileged,” Altman said. “We believe that the same level of protection needs to apply to conversations with AI.”  

Currently, no such legal safeguards exist for chatbot users. In a July interview, Altman warned that courts could compel OpenAI to hand over private chat data, noting that a federal court has already ordered the company to preserve all ChatGPT logs, including deleted ones. This ruling has raised concerns about user trust and OpenAI’s exposure to legal risks. 

Experts are divided on whether Altman’s vision could become reality. Peter Swire, a privacy and cybersecurity law professor at Georgia Tech, explained that while companies seek liability protection, advocates want access to data for accountability. He noted that full privacy privileges for AI may only apply in “limited circumstances,” such as when chatbots explicitly act as doctors or lawyers. 

Mayu Tobin-Miyaji, a law fellow at the Electronic Privacy Information Center, echoed that view, suggesting that protections might be extended to vetted AI systems operating under licensed professionals. However, she warned that today’s general-purpose chatbots are unlikely to receive such privileges soon. Mental health experts, meanwhile, are urging lawmakers to ban AI systems from misrepresenting themselves as therapists and to require clear disclosure when users are interacting with bots.  

Privacy advocates argue that transparency, not secrecy, should guide AI policy. Tobin-Miyaji emphasized the need for public awareness of how user data is collected, stored, and shared. She cautioned that confidentiality alone will not address the broader safety and accountability issues tied to generative AI. 

Concerns about data misuse are already affecting user behavior. After a May court order requiring OpenAI to retain ChatGPT logs indefinitely, many users voiced privacy fears online. Reddit discussions reflected growing unease, with some advising others to “assume everything you post online is public.” While most ChatGPT conversations currently center on writing or practical queries, OpenAI’s research shows an increase in emotionally sensitive exchanges. 

Without formal legal protections, users may hesitate to share private details, undermining the trust Altman views as essential to AI’s future. As the debate over AI confidentiality continues, OpenAI’s push for privacy may determine how freely people engage with chatbots in the years to come.
Read more »
Security Focused Tools
Cloud Security Cybersecurity Data Privacy Digital Security Encrypted Email Online Safety Privacy ransomware protection Secure Collaboration Security Focused Tools

The Spectrum of Google Product Alternatives


 

It is becoming increasingly evident that as digital technologies are woven deeper into our everyday lives, questions about how personal data is collected, used, and protected are increasingly at the forefront of public discussion. 

There is no greater symbol of this tension than the vast ecosystem of Google products, whose products have become nearly inseparable from the entire online world. It's important to understand that, despite the convenience of this service, the business model that lies behind it is fundamentally based on collecting user data and monetising attention with targeted advertising. 

In the past year alone, this model has generated over $230 billion in advertising revenue – a model that has driven extraordinary profits — but it has also heightened the debate over what is the right balance between privacy and utility.'

In recent years, Google users have begun to reconsider their dependence on Google and instead turn to platforms that pledge to prioritise user privacy and minimise data exploitation rather than relying solely on Google's services. Over the last few decades, Google has built a business empire based on data collection, using Google's search engine, Android operating system, Play Store, Chrome browser, Gmail, Google Maps, and YouTube, among others, to collect vast amounts of personal information. 

Even though tools such as virtual private networks (VPNs) can offer some protection by encrypting online activity, they do not address the root cause of the problem: these platforms require accounts to be accessible, so they ultimately feed more information into Google's ecosystem for use there. 

As users become increasingly concerned about protecting their privacy, choosing alternatives developed by companies that are committed to minimising surveillance and respecting personal information is a more sustainable approach to protecting their privacy. In the past few years, it has been the case that an ever-growing market of privacy-focused competitors has emerged, offering users comparable functionality while not compromising their trust in these companies. 

 As an example, let's take the example of Google Chrome, which is a browser that is extremely popular worldwide, but often criticised for its aggressive data collection practices, which are highly controversial. According to a 2019 investigation published by The Washington Post, Chrome has been characterised as "spy software," as it has been able to install thousands of tracking cookies each week on devices. This has only fueled the demand for alternatives, and privacy-centric browsers are now positioning themselves as viable alternatives that combine performance with stronger privacy protection.

In the past decade, Google has become an integral part of the digital world for many internet users, providing tools such as search, email, video streaming, cloud storage, mobile operating systems, and web browsing that have become indispensable to them as the default gateways to the Internet. 

It has been a strategy that has seen the company dominate multiple sectors at the same time - a strategy that has been described as building a protective moat of services around their core business of search, data, and advertising. However, this dominance has included a cost. 

The company has created a system that monetises virtually every aspect of online behaviour by collecting and interfacing massive amounts of personal usage data across all its platforms, generating billions of dollars in advertising revenue while causing growing concern about the abuse of user privacy in the process. 

There is a growing awareness that, despite the convenience of Google's ecosystem, there are risks associated with it that are encouraging individuals and organisations to seek alternatives that better respect digital rights. For instance, Purism, a privacy-focused company that offers services designed to help users take control of their own information, tries to challenge this imbalance. However, experts warn that protecting the data requires a more proactive approach as a whole. 

The maintenance of secure offline backups is a crucial step that organisations should take, especially in the event of cyberattacks. Offline backups provide a reliable safeguard, unlike online backups, which are compromised by ransomware, allowing organisations to restore systems from clean data with minimal disruption and providing a reliable safeguard against malicious software and attacks. 

There is a growing tendency for users to shift away from default reliance on Google and other Big Tech companies, in favour of more secure, transparent, and user-centric solutions based on these strategies. Users are becoming increasingly concerned about privacy concerns, and they prefer platforms that prioritise security and transparency over Google's core services. 

As an alternative to Gmail, DuckDuckGo provides privacy-focused search results without tracking or profiling, whereas ProtonMail is a secure alternative to Gmail with end-to-end encrypted email. When it comes to encrypted event management, Proton Calendar replaces Google Calendar, and browsers such as Brave and LibreWolf minimise tracking and telemetry when compared to Chrome. 

It has been widely reported that the majority of apps are distributed by F-Droid, which offers free and open-source apps that do not rely on tracking, while note-taking and file storage are mainly handled by Simple Notes and Proton Drive, which protect the user's data. There are functional alternatives such as Todoist and HERE WeGo, which provide functionality without sacrificing privacy. 

There has even been a shift in video consumption, in which users use YouTube anonymously or subscribe to streaming platforms such as Netflix and Prime Video. Overall, these shifts highlight a trend toward digital tools that emphasise user control, data protection, and trust over convenience. As digital privacy and data security issues gain more and more attention, people and organisations are reevaluating their reliance on Google's extensive productivity and collaboration tools, as well as their dependency on the service. 

In spite of the immense convenience that these platforms offer, their pervasive data collection practices have raised serious questions about privacy and user autonomy. Consequently, alternatives to these platforms have evolved and were developed to maintain comparable functionality—including messaging, file sharing, project management, and task management—while emphasizing enhanced privacy, security, and operational control while maintaining comparable functionality. 

Continuing with the above theme, it is worthwhile to briefly examine some of the leading platforms that provide robust, privacy-conscious alternatives to Google's dominant ecosystem, as described in this analysis. Microsoft Teams.  In addition to Google's collaboration suite, Microsoft Teams is also a well-established alternative. 

It is a cloud-based platform that integrates seamlessly with Microsoft 365 applications such as Microsoft Word, Excel, PowerPoint, and SharePoint, among others. As a central hub for enterprise collaboration, it offers instant messaging, video conferencing, file sharing, and workflow management, which makes it an ideal alternative to Google's suite of tools. 

Several advanced features, such as APIs, assistant bots, conversation search, multi-factor authentication, and open APIs, further enhance its utility. There are, however, some downsides to Teams as well, such as the steep learning curve and the absence of a pre-call audio test option, which can cause interruptions during meetings, unlike some competitors. 

Zoho Workplace

A new tool from Zoho called Workplace is being positioned as a cost-effective and comprehensive digital workspace offering tools such as Zoho Mail, Cliq, WorkDrive, Writer, Sheet, and Meeting, which are integrated into one dashboard. 

The AI-assisted assistant, Zia, provides users with the ability to easily find files and information, while the mobile app ensures connectivity at all times. However, it has a relatively low price point, making it attractive for smaller businesses, although the customer support may be slow, and Zoho Meeting offers limited customisation options that may not satisfy users who need more advanced features. 

Bitrix24 

Among the many services provided by Bitrix24, there are project management, CRM, telephony, analytics, and video calls that are combined in an online unified workspace that simplifies collaboration. Designed to integrate multiple workflows seamlessly, the platform is accessible from a desktop, laptop, or mobile device. 

While it is used by businesses to simplify accountability and task assignment, users have reported some glitches and delays with customer support, which can hinder the smooth running of operations, causing organisations to look for other solutions. 

 Slack 

With its ability to offer flexible communication tools such as public channels, private groups, and direct messaging, Slack has become one of the most popular collaboration tools across industries because of its easy integration with social media and the ability to share files efficiently. 

Slack has all of the benefits associated with real-time communication, with notifications being sent in real-time, and thematic channels providing participants with the ability to have focused discussions. However, due to its limited storage capacity and complex interface, Slack can be challenging for new users, especially those who are managing large amounts of data. 

ClickUp 

This software helps simplify the management of projects and tasks with its drag-and-drop capabilities, collaborative document creation, and visual workflows. With ClickUp, you'll be able to customise the workflow using drag-and-drop functionality.

Incorporating tools like Zapier or Make into the processes enhances automation, while their flexibility makes it possible for people's business to tailor their processes precisely to their requirements. Even so, ClickUp's extensive feature set involves a steep learning curve. The software may slow down their productivity occasionally due to performance lags, but that does not affect its appeal. 

Zoom 

With Zoom, a global leader in video conferencing, remote communication becomes easier than ever before. It enables large-scale meetings, webinars, and breakout sessions, while providing features such as call recording, screen sharing, and attendance tracking, making it ideal for remote work. 

It is a popular choice because of its reliability and ease of use for both businesses and educational institutions, but also because its free version limits meetings to around 40 minutes, and its extensive capabilities can be a bit confusing for those who have never used it before. As digital tools with a strong focus on privacy are becoming increasingly popular, they are also part of a wider reevaluation of how data is managed in a modern digital ecosystem, both personally and professionally. 

By switching from default reliance on Google's services, not only are people reducing their exposure to extensive data collection, but they are also encouraging people to adopt platforms that emphasise security, transparency, and user autonomy. Individuals can greatly reduce the risks associated with online tracking, targeted advertising, and potential data breaches by implementing alternatives such as encrypted e-mail, secure calendars, and privacy-oriented browsers. 

Among the collaboration and productivity solutions that organisations can incorporate are Microsoft Teams, Zoho Workplace, ClickUp, and Slack. These products can enhance workflow efficiency and allow them to maintain a greater level of control over sensitive information while reducing the risk of security breaches.

In addition to offline backups and encrypted cloud storage, complementary measures, such as ensuring app permissions are audited carefully, strengthen data resilience and continuity in the face of cyber threats. In addition to providing greater levels of security, these alternative software solutions are typically more flexible, interoperable, and user-centred, making them more effective for teams to streamline communication and project management. 

With digital dependence continuing to grow, deciding to choose privacy-first solutions is more than simply a precaution; rather, it is a strategic choice that safeguards both an individual's digital assets as well as an organisation's in order to cultivate a more secure, responsible, and informed online presence as a whole.
Read more »
Regulatory Compliance
AIL Hack Customer Data Theft Cybersecurity Breach Data Leak Data Privacy Identity Theft Risks Insurance Cyberattack Insurance Fraud Privacy Regulatory Compliance

Hackers Claim Data on 150000 AIL Users Stolen


It has been reported that American Income Life, one of the world's largest supplemental insurance providers, is now under close scrutiny following reports of a massive cyberattack that may have compromised the personal and insurance records of hundreds of thousands of the company's customers. It has been claimed that a post that has appeared on a well-known underground data leak forum contains sensitive data that was stolen directly from the website of the company. 

It is said to be a platform frequently used by cybercriminals for trading and selling stolen information. According to the person behind the post, there is extensive customer information involved in the breach, which raises concerns over the increasing frequency of large-scale attacks aimed at the financial and insurance industries. 

AIL, a Fortune 1000 company with its headquarters in Texas, generates over $5.7 billion in annual revenue. It is a subsidiary of Globe Life Inc., a Fortune 1000 financial services holding company. It is considered to be an incident that has the potential to cause a significant loss for one of the country's most prominent supplemental insurance companies. 

In the breach, which first came to light through a post on a well-trafficked hacking forum, it is alleged that approximately 150,000 personal records were compromised. The threat actor claimed that the exposed dataset included unique record identifiers, personal information such as names, phone numbers, addresses, email addresses, dates of birth, genders, as well as confidential information regarding insurance policies, including the type of policy and its status, among other details. 

According to Cybernews security researchers who examined some of the leaked data, the data seemed largely authentic, but they noted it was unclear whether the records were current or whether they represented old, outdated information. 

In their analysis, cybersecurity researchers at Cybernews concluded that delays in breach notification could have a substantial negative impact on a company's financial as well as reputational position. It has been noted by Alexa Vold, a regulatory lawyer and partner at BakerHostetler, that organisations often spend months or even years manually reviewing enormous volumes of compromised documents, when available reports are far more efficient in determining the identity of the victim than they could do by manually reviewing vast quantities of compromised documents. 

Aside from driving up costs, she cautioned that slow disclosures increase the likelihood of regulatory scrutiny, which in turn can lead to consumer backlash if they are not made sooner. A company such as Alera Group was found to be experiencing suspicious activity in its systems in August 2024, so the company immediately started an internal investigation into the matter. 

It was confirmed by the company on April 28, 202,5, that unauthorised access to its network between July 19 and August 4, 2024, may have resulted in the removal of sensitive personal data. It is important to note that the amount of information that has been compromised differs from person to person. 

However, this information could include highly confidential information such as names, addresses, dates of birth, Social Security numbers, driver's licenses, marriage certificates and birth certificates, passport information, financial details, credit card information, as well as other forms of identification issued by the government. 

A rather surprising fact about the breach is that it appears that the individual behind it is willing to offer the records for free, a move that will increase the risk to victims in a huge way. As a general rule, such information is sold on underground markets to a very small number of cybercriminals, but by making it freely available, it opens the door for widespread abuse and increases the likelihood that secondary attacks will take place. 

According to experts, certain personal identifiers like names, dates of birth, addresses, and phone numbers can be highly valuable for nabbing identity theft victims and securing loans on their behalf through fraudulent accounts or securing loans in the name of the victims. There is a further level of concern ensuing from the exposure of policy-related details, including policy status and types of plans, since this type of information could be used in convincing phishing campaigns designed to trick policyholders into providing additional credentials or authorising unauthorised payments.

There is a possibility of using the leaked records to commit medical fraud or insurance fraud in more severe scenarios, such as submitting false claims or applying for healthcare benefits under stolen identities in order to access healthcare benefits. The HIPAA breach notification requirements do not allow for much time to be slowed down, according to regulatory experts and healthcare experts. 

The rule permits reporting beyond the 60-day deadline only in rare cases, such as when a law enforcement agency or a government agency requests a longer period of time, so as not to interfere with an ongoing investigation or jeopardise national security. In spite of the difficulty in determining the whole scope of compromised electronic health information, regulators do not consider the difficulty in identifying it to be a valid reason, and they expect entities to disclose information breaches based on initial findings and provide updates as inquiries progress. 

There are situations where extreme circumstances, such as ongoing containment efforts or multijurisdictional coordination, may be operationally understandable, but they are not legally recognised as grounds for postponing a problem. In accordance with HHS OCR, the U.S. Department of Health and Human Services' “without unreasonable delay” standard is applied, and penalties may be imposed where it perceives excessive procrastination on the part of the public. 

According to experts, if the breach is expected to affect 500 or more individuals, a preliminary notice should be submitted, and supplemental updates should be provided as details emerge. This is a practice observed in major incidents such as the Change Healthcare breach. The consequences of delayed disclosures are often not only regulatory, but also expose organisations to litigation, which can be seen in Alera Group's case, where several proposed class actions accuse Alera Group of failing to promptly notify affected individuals of the incident. 

The attorneys at my firm advise that firms must strike a balance between timeliness and accuracy: prolonged document-by-document reviews can be wasteful, exacerbate regulatory and consumer backlash, and thereby lead to wasteful expenses and unnecessary risks, whereas efficient methods of analysis can accomplish the same tasks more quickly and without the need for additional resources. American Income Life's ongoing situation serves as a good example of how quickly an underground forum post may escalate to a problem that affects corporate authorities, regulators, and consumers if the incident is not dealt with promptly. 

In the insurance and financial sectors, this episode serves as a reminder that it is not only the effectiveness of a computer security system that determines the level of customer trust, but also how transparent and timely the organisation is in addressing breaches when they occur. 

According to industry observers, proactive monitoring, clear incident response protocols, and regular third-party security audits are no longer optional measures, but rather essential in mitigating both direct and indirect damages, both in the short run and in the long term, following a data breach event. Likewise, a breach notification system must strike the right balance between speed and accuracy so that individuals can safeguard their financial accounts, monitor their credit activity, and keep an eye out for fraudulent claims as early as possible.

It is unlikely that cyberattacks will slow down in frequency or sophistication in the foreseeable future. However, companies that are well prepared and accountable can significantly minimise the fallout when incidents occur. It is clear from the AIL case that the true test of any institution cannot be found in whether it can prevent every breach, but rather what it can do when it fails to prevent it from happening. 

There is a need for firms to strike a delicate balance between timeliness and accuracy, according to attorneys. The long-term review of documents can waste valuable resources and increase consumer and regulatory backlash, whereas efficient analysis methods allow for the same outcome much more quickly and with less risk than extended document-by-document reviews. 

American Income Life's ongoing situation illustrates how quickly a cyber incident can escalate from being a post on an underground forum to becoming a matter of regulatory concern and a matter that involves companies, regulators, and consumers in a significant way. There is no doubt that the episode serves as a reminder for companies in the insurance and financial sectors of the importance of customer trust. 

While on one hand, customer trust depends on how well systems are protected, on the other hand, customer trust is based on how promptly breaches are resolved. It is widely understood that proactive monitoring, clear incident response protocols, and regular third-party security audits are no longer optional measures. Rather, they have become essential components, minimising both short-term and long-term damage from cyberattacks. 

As crucial as ensuring the right balance is struck between speed and accuracy when it comes to breach notification is giving individuals the earliest possible chance of safeguarding their financial accounts, monitoring their credit activity, and looking for fraudulent claims when they happen. 

Although cyberattacks are unlikely to slow down in frequency or sophistication, companies that prioritise readiness and accountability can reduce the severity of incidents significantly if they occur. AIL's case highlights that what really counts for a company is not whether it can prevent every breach, but how effectively it is able to deal with the consequences when preventative measures fail.
Read more »
protecting sensitive data
Cyber Security Data Loss Data Privacy Data protection Data Recovery data security protecting sensitive data

Why CEOs Must Go Beyond Backups and Build Strong Data Recovery Plans

 

We are living in an era where fast and effective solutions for data challenges are crucial. Relying solely on backups is no longer enough to guarantee business continuity in the face of cyberattacks, hardware failures, human error, or natural disasters. Every CEO must take responsibility for ensuring that their organization has a comprehensive data recovery plan that extends far beyond simple backups. 

Backups are not foolproof. They can fail, be misconfigured, or become corrupted, leaving organizations exposed at critical moments. Modern attackers are also increasingly targeting backup systems directly, making it impossible to restore data when needed. Even when functioning correctly, traditional backups are usually scheduled once a day and do not run in real time, putting businesses at risk of losing hours of valuable work. Recovery time is equally critical, as lengthy downtime caused by delays in data restoration can severely damage both reputation and revenue.  

Businesses often overestimate the security that traditional backups provide, only to discover their shortcomings when disaster strikes. A strong recovery plan should include proactive measures such as regular testing, simulated ransomware scenarios, and disaster recovery drills to ensure preparedness. Without this, the organization risks significant disruption and financial losses. 

The consequences of poor planning extend beyond operational setbacks. For companies handling sensitive personal or financial data, legal and compliance requirements demand advanced protection and recovery systems. Failure to comply can lead to legal penalties and fines in addition to reputational harm. To counter modern threats, organizations should adopt solutions like immutable backups, air-gapped storage, and secure cloud-based systems. While migrating to cloud storage may seem time-consuming, it offers resilience against physical damage and ensures that data cannot be lost through hardware failures alone. 

An effective recovery plan must be multi-layered. Following the 3-2-1 backup rule—keeping three copies of data, on two different media, with one offline—is widely recognized as best practice. Cloud-based disaster recovery platforms such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) should also be considered to provide automated failover and minimize downtime. Beyond technology, employee awareness is essential. IT and support staff should be well-trained and recovery protocols tested quarterly to confirm readiness. 

Communication plays a vital role in data recovery planning. How an organization communicates a disruption to clients can directly influence how much trust is retained. While some customers may inevitably be lost, a clear and transparent communication strategy can help preserve the majority. CEOs should also evaluate cyber insurance options to mitigate financial risks tied to recovery costs. 

Ultimately, backups are just snapshots of data, while a recovery plan acts as a comprehensive playbook for survival when disaster strikes. CEOs who neglect this responsibility risk severe financial losses, regulatory penalties, and even business closure. A well-designed, thoroughly tested recovery plan not only minimizes downtime but also protects revenue, client trust, and the long-term future of the organization.
Read more »
Privacy
Amazon Cloud Data cloud data security Data Privacy data sovereignty Google Cloud Microsoft Privacy

CLOUD Act Extends US Jurisdiction Over Global Cloud Data Across Microsoft, Google, and Amazon

 

That Frankfurt data center storing your business files or the Singapore server holding your personal photos may not be as secure from U.S. oversight as you think. If the provider is Microsoft, Amazon, Google, or another U.S.-based tech giant, physical geography does little to shield information once American authorities seek access. The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in March 2018, gives U.S. law enforcement broad authority to demand data from American companies no matter where that information is located. Many organizations and individuals who once assumed that hosting data in Europe or Asia provided protection from U.S. jurisdiction now face an overlooked vulnerability.  

The law applies to every major cloud provider headquartered in the United States, including Microsoft, Amazon, Google, Apple, Meta, and Salesforce. This means data hosted in Microsoft’s European facilities, Google’s Asian networks, or Amazon’s servers in regions worldwide can be accessed through proper legal orders. An organization running Office 365 in London or an individual storing iCloud photos in Berlin could have their data obtained by U.S. investigators with little visibility into the process. Even companies promoting themselves as “foreign hosted” may not be immune if they have American subsidiaries or offices. Jurisdiction extends to entities connected to the United States, meaning that promises of sovereignty can be undercut by corporate structure. 

The framework obligates companies to comply quickly with data requests, leaving limited room for delay. Providers may challenge orders if they conflict with local privacy protections, but the proceedings typically occur without the knowledge of the customer whose data is involved. As a result, users may never know their information has been disclosed, since notification is not required. This dynamic has raised significant concerns about transparency, privacy, and the balance of international legal obligations. 

There are alternatives for those seeking stronger guarantees of independence. Providers such as Hetzner in Germany, OVHcloud in France, and Proton in Switzerland operate strictly under European laws and maintain distance from U.S. corporate ties. These companies cannot be compelled to share data with American authorities unless they enter into agreements that extend jurisdiction. However, relying on such providers can involve trade-offs, such as limited integration with mainstream platforms or reduced global reach. Some U.S. firms have responded by offering “sovereign cloud regions” managed locally, but questions remain about whether ultimate control still rests with the parent corporation and therefore remains vulnerable to U.S. legal demands. 

The implications are clear: the choice of cloud provider is not only a technical or financial decision but a geopolitical one. In a world where information represents both power and liability, each upload is effectively a decision about which country’s laws govern your digital life. For businesses and individuals alike, data location may matter less than corporate origin, and the CLOUD Act ensures that U.S. jurisdiction extends far beyond its borders.
Read more »
Privacy Lawsuit
Alexa Amazon Customer Data Data collection Data Privacy Data Privacy Laws Data Safety User Data Personal Data Privacy privacy laws Privacy Lawsuit

Federal Judge Allows Amazon Alexa Users’ Privacy Lawsuit to Proceed Nationwide

 

A federal judge in Seattle has ruled that Amazon must face a nationwide lawsuit involving tens of millions of Alexa users. The case alleges that the company improperly recorded and stored private conversations without user consent. U.S. District Judge Robert Lasnik determined that Alexa owners met the legal requirements to pursue collective legal action for damages and an injunction to halt the alleged practices. 

The lawsuit claims Amazon violated Washington state law by failing to disclose that it retained and potentially used voice recordings for commercial purposes. Plaintiffs argue that Alexa was intentionally designed to secretly capture billions of private conversations, not just the voice commands directed at the device. According to their claim, these recordings may have been stored and repurposed without permission, raising serious privacy concerns. Amazon strongly disputes the allegations. 

The company insists that Alexa includes multiple safeguards to prevent accidental activation and denies evidence exists showing it recorded conversations belonging to any of the plaintiffs. Despite Amazon’s defense, Judge Lasnik stated that millions of users may have been impacted in a similar manner, allowing the case to move forward. Plaintiffs are also seeking an order requiring Amazon to delete any recordings and related data it may still hold. The broader issue at stake in this case centers on privacy rights within the home.

If proven, the claims suggest that sensitive conversations could have been intercepted and stored without explicit approval from users. Privacy experts caution that voice data, if mishandled or exposed, can lead to identity risks, unauthorized information sharing, and long-term security threats. Critics further argue that the lawsuit highlights the growing power imbalance between consumers and large technology companies. Amazon has previously faced scrutiny over its corporate practices, including its environmental footprint. 

A 2023 report revealed that the company’s expanding data centers in Virginia would consume more energy than the entire city of Seattle, fueling additional criticism about the company’s long-term sustainability and accountability. The case against Amazon underscores the increasing tension between technological convenience and personal privacy. 

As voice-activated assistants become commonplace in homes, courts will likely play a decisive role in determining the boundaries of data collection and consumer protection. The outcome of this lawsuit could set a precedent for how tech companies handle user data and whether customers can trust that private conversations remain private.
Read more »
Privacy
AI Chatbot AI Platform AI Privacy AI technology Chatbots ChatGPT ChatGPT risks Data Privacy data security Privacy

Think Twice Before Uploading Personal Photos to AI Chatbots

 

Artificial intelligence chatbots are increasingly being used for fun, from generating quirky captions to transforming personal photos into cartoon characters. While the appeal of uploading images to see creative outputs is undeniable, the risks tied to sharing private photos with AI platforms are often overlooked. A recent incident at a family gathering highlighted just how easy it is for these photos to be exposed without much thought. What might seem like harmless fun could actually open the door to serious privacy concerns. 

The central issue is unawareness. Most users do not stop to consider where their photos are going once uploaded to a chatbot, whether those images could be stored for AI training, or if they contain personal details such as house numbers, street signs, or other identifying information. Even more concerning is the lack of consent—especially when it comes to children. Uploading photos of kids to chatbots, without their ability to approve or refuse, creates ethical and security challenges that should not be ignored.  

Photos contain far more than just the visible image. Hidden metadata, including timestamps, location details, and device information, can be embedded within every upload. This information, if mishandled, could become a goldmine for malicious actors. Worse still, once a photo is uploaded, users lose control over its journey. It may be stored on servers, used for moderation, or even retained for training AI models without the user’s explicit knowledge. Just because an image disappears from the chat interface does not mean it is gone from the system.  

One of the most troubling risks is the possibility of misuse, including deepfakes. A simple selfie, once in the wrong hands, can be manipulated to create highly convincing fake content, which could lead to reputational damage or exploitation. 

There are steps individuals can take to minimize exposure. Reviewing a platform’s privacy policy is a strong starting point, as it provides clarity on how data is collected, stored, and used. Some platforms, including OpenAI, allow users to disable chat history to limit training data collection. Additionally, photos can be stripped of metadata using tools like ExifTool or by taking a screenshot before uploading. 

Consent should also remain central to responsible AI use. Children cannot give informed permission, making it inappropriate to share their images. Beyond privacy, AI-altered photos can distort self-image, particularly among younger users, leading to long-term effects on confidence and mental health. 

Safer alternatives include experimenting with stock images or synthetic faces generated by tools like This Person Does Not Exist. These provide the creative fun of AI tools without compromising personal data. 

Ultimately, while AI chatbots can be entertaining and useful, users must remain cautious. They are not friends, and their cheerful tone should not distract from the risks. Practicing restraint, verifying privacy settings, and thinking critically before uploading personal photos is essential for protecting both privacy and security in the digital age.
Read more »
User Security
Data Privacy Facial Recognition System Regulation Bill Technology User Security

Facial Recognition's False Promise: More Sham Than Security

 

Despite the rapid integration of facial recognition technology (FRT) into daily life, its effectiveness is often overstated, creating a misleading picture of its true capabilities. While developers frequently tout accuracy rates as high as 99.95%, these figures are typically achieved in controlled laboratory settings and fail to reflect the system's performance in the real world.

The discrepancy between lab testing and practical application has led to significant failures with severe consequences. A prominent example is the wrongful arrest of Robert Williams, a Black man from Detroit who was misidentified by police facial recognition software based on a low-quality image.

This is not an isolated incident; there have been at least seven confirmed cases of misidentification from FRT, six of which involved Black individuals. Similarly, an independent review of the London Metropolitan Police's use of live facial recognition found that out of 42 matches, only eight were definitively accurate.

These real-world failures stem from flawed evaluation methods. The benchmarks used to legitimize the technology, such as the US National Institute of Standards and Technology's (NIST) Facial Recognition Technology Evaluation (FRTE), do not adequately account for real-world conditions like blurred images, poor lighting, or varied camera angles. Furthermore, the datasets used for training these systems are often not representative of diverse demographics, which leads to significant biases .

The inaccuracies of FRT are not evenly distributed across the population. Research consistently shows that the technology has higher error rates for people of color, women, and individuals with disabilities. For example, one of Microsoft’s early models had a 20.8% error rate for dark-skinned women but a 0% error rate for light-skinned men . This systemic bias means the technology is most likely to fail the very communities that are already vulnerable to over-policing and surveillance.

Despite these well-documented issues, FRT is being widely deployed in sensitive areas such as law enforcement, airports, and retail stores. This raises profound ethical concerns about privacy, civil rights, and due process, prompting companies like IBM, Amazon, and Microsoft to restrict or halt the sale of their facial recognition systems to police departments. The continued rollout of this flawed technology suggests that its use is more of a "sham" than a reliable security solution, creating a false sense of safety while perpetuating harmful biases.
Read more »
Ransomware
Data Breach Data Privacy Digital Personal Double extortion Healthcare cybersecurity Misconfiguration Patient Ransomware

Over a Million Healthcare Devices Hit by Cyberattack

 


Despite the swell of cyberattacks changing the global threat landscape, Indian healthcare has become one of the most vulnerable targets as a result of these cyberattacks. There are currently 8,614 cyberattacks per week on healthcare institutions in the country, a figure that is more than four times the global average and nearly twice that of any other industry in the country. 

In addition to the immense value that patient data possesses and the difficulties in safeguarding sprawling healthcare networks, the relentless targeting of patients reflects the challenges that healthcare providers continue to face healthcare providers. With the emergence of sophisticated hacktivist operations, ransomware, hacking attacks, and large-scale data theft, these breaches are becoming more sophisticated and are not simply disruptions. 

The cybercriminal business is rapidly moving from traditional encryption-based extortion to aggressive methods of "double extortion" that involve stealing and then encrypting data, or in some cases abandoning encryption altogether in order to concentrate exclusively on exfiltrating data. This evolution can be seen in groups like Hunters International, recently rebranded as World Leaks, that are exploiting a declining ransom payment system and thriving underground market for stolen data to exploit its gains. 

A breach in the Healthcare Delivery Organisations' system risks exposing vast amounts of personal and medical information, which underscores why the sector remains a target for hackers today, as it is one of the most attractive sectors for attackers, and is also continually targeted by them. Modat, a cybersecurity firm that uncovered 1.2 million internet-connected medical systems that are misconfigured and exposed online in August 2025, is a separate revelation that emphasises the sector's vulnerabilities. 

Several critical devices in the system were available, including imaging scanners, X-ray machines, DICOM viewers, laboratory testing platforms, and hospital management systems, all of which could be accessed by an attacker. Experts warned that the exposure posed a direct threat to patient safety, in addition to posing a direct threat to privacy. 

In Modat's investigation, sensitive data categories, including highly detailed medical imaging, such as brain scans, lung MRIs, and dental X-rays, were uncovered, along with clinical documentation, complete medical histories and complete medical records. Personal information, including names, addresses and contact details, as well as blood test results, biometrics, and treatment records, all of which can be used to identify the individual.

A significant amount of information was exposed in an era of intensifying cyber threats, which highlights the profound consequences of poorly configured healthcare infrastructure. There has been an increasing number of breaches that illustrate the magnitude of the problem. BlackCat/ALPHV ransomware group has claimed responsibility for a devastating attack on Change Healthcare, where Optum, the parent company of UnitedHealth Group, has reportedly paid $22 million in ransom in exchange for the promise of deleting stolen data.

There was a twist in the crime ecosystem when BlackCat abruptly shut down, retaining none of the payments, but sending the data to an affiliate of the RansomHub ransomware group, which demanded a second ransom for the data in an attempt to secure payment. No second payment was received, and the breach grew in magnitude as each disclosure was made. Initially logged with the U.S. Health and Human Services (HHS) officials had initially estimated that the infection affected 500 people, but by July 2025, it had reached 100 million, then 190 million, and finally 192.7 million individuals.

These staggering figures highlight why healthcare remains a prime target for ransomware operators: if critical hospital systems fail to function correctly, downtime threatens not only revenue and reputations, but the lives of patients as well. Several other vulnerabilities compound the risk, including ransomware, since medical IoT devices are already vulnerable to compromise, which poses a threat to life-sustaining systems like heart monitors and infusion pumps. 

Telehealth platforms, on the other hand, extend the attack surface by routing sensitive consultations over the internet, thereby increasing the scope of potential attacks. In India, these global pressures are matched by local challenges, including outdated legacy systems, a lack of cybersecurity expertise, and a still-developing regulatory framework. 

Healthcare providers rely on a patchwork of frameworks in order to protect themselves from cybersecurity threats since there is no unified national healthcare cybersecurity law, including the Information Technology Act, SPDI Rules, and the Digital Personal Data Protection Act, which has not been enforced yet.

In their view, this lack of cohesion leaves organisations ill-equipped for future threats, particularly smaller companies with limited budgets and under-resourced security departments. In order to address these gaps, there is a partnership between the Data Security Council of India and the Healthcare Information and Management Systems Society (HIMSS) that aims to conduct a national cybersecurity assessment. As a result of the number of potentially exposed pieces of information that were uncovered as a result of the Serviceaide breach, it was particularly troubling. 

Depending on the individual, the data could include information such as their name, Social Security number, birth date, medical records, insurance details, prescription and treatment information, clinical notes, provider identifications, email usernames, and passwords. This information would vary by individual. As a response, Serviceaide announced that it had strengthened its security controls and was offering 12 months of complimentary credit and identity monitoring to affected individuals. 

There was an incident at Catholic Health that resulted in the disclosure that limited patient data was exposed by one of its vendors. According to the organisation's website, a formal notification letter is now being sent to potentially affected patients, and a link to the Serviceaide notice can be found on the website. No response has been received from either organisation regarding further information. 

While regulatory authorities and courts have shown little leniency in similar cases, in 2019, Puerto Rico-based Inmediata Health Group was fined $250,000 by the HHS' Office for Civil Rights (OCR) and later settled a lawsuit for more than $2.5 million with the state attorneys general and class actions plaintiffs after a misconfiguration resulted in 1.6 million patient records being exposed. As recently as last week, OCR penalised Vision Upright MRI, a small California imaging provider, for leaving medical images, including X-rays, CT scans, and MRIs, available online through an unsecured PACS server. 

A $5,000 fine and an action plan were awarded in this case, making the agency's 14th HIPAA enforcement action in 2025. The cumulative effect of these precedents illustrates that failing to secure patient information can lead to significant financial, regulatory, and reputational consequences for healthcare organisations. It has become increasingly evident that the regulatory consequences of failing to safeguard patient data are increasing as time goes on. 

Specifically, under the Health Insurance Portability and Accountability Act (HIPAA), fines can rise to millions of dollars for prolonged violations of the law, and systemic non-compliance with the law can result. For healthcare organisations, adhering to the regulations is both a financial and ethical imperative. 

Data from the U.S. As shown by the Department of Health and Human Services' Office for Civil Rights (OCR), enforcement activity has been steadily increasing over the past decade, with the year 2022 marking a record number of penalties imposed. OCR's Right of Access Initiative, launched in 2019, aims to curb providers who fail to provide patients with timely access to their medical records in a timely manner. 

It has contributed a great deal to the increase in penalties. There were 46 penalties issued for such violations between September 2019 and December 2023 as a result of enforcement activity. Enforcement activity continued high in 2024, as OCR closed 22 investigations with fines, even though only 16 of those were formally announced during that year. The momentum continues into 2025, bolstered by an increased enforcement focus on the HIPAA Security Rule's risk analysis provision, traditionally the most common cause of noncompliance. 

 Almost ten investigations have already been closed by OCR with financial penalties due to risk analysis failures as of May 31, 2025, indicating the agency's sharpened effort to reduce the backlog of data breach cases while holding covered entities accountable for their failures. It is a stark reminder that the healthcare sector stands at a crossroads between technology, patient care, and national security right now as a result of the increasing wave of cyberattacks that have been perpetrated against healthcare organisations. 

 Hospitals and medical networks are increasingly becoming increasingly dependent on the use of digital technologies, which means every exposed database, misconfigured system, or compromised vendor creates a greater opportunity for adversaries with ever greater resources, organisation, and determination to attack them. In the absence of decisive investments in cybersecurity infrastructure, workforce training, and stronger regulatory frameworks, experts warn that breaches will not only persist but will intensify in the future. 

A growing digitisation of healthcare in India makes the stakes even higher: the ability to preserve patient trust, ensure continuity of care, and safeguard sensitive health data is what will determine if digital innovation becomes a valuable asset or a liability, particularly in this country. In the big picture, it is also obvious that cybersecurity is no longer a technical afterthought but has evolved into a pillar of healthcare resilience, where failure has a cost that goes far beyond fines and penalties, and concerns involving patient safety as well as the lives of people involved.
Read more »
Subscribe to: Comments (Atom)