The Proton Blog

What is the App Store Accountability Act?

Edward Komenda — Wed, 11 Mar 2026 17:23:43 GMT

Lawmakers in the United States are considering new legislation that would change how app stores verify users’ ages and manage parental consent. The App Store Accountability Act would require major app stores to verify users’ age categories and obtain parental approval before minors can download apps or make in-app purchases.

Supporters say the measure would help parents better understand and control the apps their children use. Critics argue it could introduce new privacy and security risks by requiring companies to collect and store sensitive personal information.

What the App Store Accountability Act would do

The App Store Accountability Act (H.R. 3149) was introduced in the U.S. House of Representatives in May 2025 by Representatives John James (R-MI) and Gus Bilirakis (R-FL). The bill aims to safeguard children online by giving parents clearer information about apps and requiring parental consent for minors.

The proposal would apply to large app store providers with more than five million users in the United States.

If enacted, the law would require app stores to:

Request age information and verify a user’s age category when an account is created.
Place users into age categories, including under 13, 13–15, 16–17, and adults.
Link minors to a verified parental account before they can download apps or make purchases.
Obtain verifiable parental consent before minors access apps or make in-app purchases.
Share age-category signals with app developers so apps can determine whether a user is a minor and whether parental consent has been granted.

The bill would also require app developers to notify app stores if their apps undergo significant changes, such as new data collection practices or monetization features. If those changes affect minors, app stores would need to notify the parent linked to the account and obtain new parental consent.

The Federal Trade Commission would enforce the law, and state attorneys general could also bring legal actions against companies that fail to comply.

How age verification would work

Under the proposed law, users would provide age information when creating an app store account. App stores would then verify that information using a commercially available age-verification method designed to reasonably ensure accuracy.

If a user is identified as a minor, the account must be connected to a verified parental account. Parents would then provide verifiable parental consent before the child could download apps or make purchases.

App stores would send an age-category signal to app developers indicating whether a user is a child, teenager, or adult, and whether parental consent has been obtained.

State laws and the Texas App Store Accountability Act

Several states, including Utah, Texas, Louisiana, and Alabama, have passed similar app store age-verification laws.

Some of these laws have faced legal challenges. For example, a federal court blocked enforcement of a Texas law requiring app stores to verify the age of all users at the app-store level, with a judge comparing the requirement to forcing bookstores to check every customer’s ID before allowing entry.

Privacy and security concerns about the App Store Accountability Act

While many policymakers support stronger protections for children online, critics have raised privacy concerns about the approach taken in the App Store Accountability Act.

One concern is that all users—including adults—would need to verify their age, even if they only want to download apps that do not require age restrictions. This could require users to provide identifying information such as government-issued IDs or biometric data.

Some privacy advocates also warn that centralized age-verification systems could create new databases containing sensitive personal information, which may become targets for hackers or data breaches.

Others argue that the system could be easy to bypass, since users could access many online services through web browsers instead of downloading apps through app stores.

What happens next

The bill recently advanced out of the House Energy and Commerce Committee. The next step would be a vote in the full House of Representatives.

However, the bill still faces hurdles before becoming law, including potential revisions in the Senate and ongoing debates over privacy, security, and the most effective ways to protect children online.

Business continuity strategies: why backups alone are not enough

Kate Menzies — Wed, 11 Mar 2026 13:28:58 GMT

Most teams start their business continuity strategies with the same assumption: If we have backups, we can recover. Backups are important, but they’re only one piece of continuity, and often not the element that fails first.

In modern, cloud-heavy environments, the fastest path to downtime is often loss of access: stolen credentials, locked-out administrators, misconfigured identity settings, or an incident that forces you to revoke access faster than you can restore systems. If your team can’t sign in, approve changes, rotate secrets, or coordinate response securely, having clean backups won’t get operations back online.

This article explains what business continuity strategies are (and how they connect to disaster recovery planning), why backups alone create blind spots, and which security-focused controls strengthen a business continuity plan in practice—especially around access and credential security.

It also shows where a business password manager like Proton Pass for Business fits into business networks: helping teams reduce credential risk and keep access controls usable, auditable, and resilient.

What are business continuity strategies?

Why backups alone are not enough

What is the role of access and credential security in continuity planning?

Which measures strengthen business continuity beyond backups?

How does Proton Pass for Business support continuity strategies?

What are business continuity strategies?

Business continuity is the set of plans, processes, and procedures an organization uses to keep essential functions running during and after disruptions. It typically includes risk assessment, emergency response procedures, communication plans, backup and recovery, staff training, as well as a regular schedule for testing and updating that plan.

A business continuity plan is where these strategies become operational: who does what, in what order, with which tools, and what “acceptable service” looks like under pressure.

Business continuity vs. disaster recovery planning

Business continuity strategies often get conflated with disaster recovery planning, and both are sometimes confused with incident response. They work together, but they solve different problems.

Incident response focuses on the security event itself: detecting what’s happening, containing the threat, removing it from affected systems, and investigating impact so you can prevent recurrence.
Disaster recovery focuses on restoring IT systems and data after disruption — for example, infrastructure failure, corrupted databases, or a cloud region outage.
Business continuity planning focuses on keeping essential operations running during disruption, even when technology is degraded. It covers people, processes, vendors, communications, and decision-making — and defines how the business continues to deliver critical services while recovery is underway.

This distinction is important. The FFIEC’s Business Continuity Management booklet (written for financial institutions but broadly applicable) emphasizes that business continuity planning is about maintaining, resuming, and recovering the business, not only the technology.

Why having a continuity strategy matters

A continuity plan that lives in a folder and hasn’t been tested isn’t a strategy; it’s just a document. An actual strategy is something you can run:

You know which functions are truly critical.
You’ve defined what “downtime” means in measurable terms.
You’ve rehearsed scenarios that stress the whole organization, not just the IT team.
You can prove controls work and improve them over time.

That’s why business continuity overlaps with governance and compliance. Many frameworks (such as ISO 22301 for business continuity management, sector rules, customer questionnaires) want evidence that continuity is repeatable, owned, and tested, not improvised.

Why backups alone are not enough

Backups solve a specific problem: data restoration. However, incidents rarely arrive as a neat “data lost” event. In the real world, disruptions create multiple constraints at once, and backups don’t address several of the most common failure modes.

Backups don’t help if you can’t access the systems that restore them

A continuity plan often assumes your administrators can sign in, elevate privileges, and execute recovery workflows. But many incidents begin with credential compromise, identity provider lockouts, or account takeover. If attackers get in first, they may change passwords, rotate keys, add new admin accounts, or disrupt your identity stack. Recovery then becomes a race for control, not a restore-from-backup task.

This is one reason incident response planning belongs next to business continuity planning, not as a separate security document. Proton’s incident response guide stresses that incident response starts with understanding threats and defining actions you’ll take when affected, which directly impacts how quickly you recover access.

Backups don’t prevent downtime caused by everything else

Backups won’t stop the kinds of disruptions that shut teams down before any data restore even begins, for example:

A widespread SaaS outage that blocks access to core tools.
A credential phishing campaign that forces mass password resets and account lockdowns.
A malicious configuration change that breaks permissions or sharing.
Ransomware that disrupts endpoints and authentication.
A vendor incident that requires urgent access revocation and customer communication.

In all of these scenarios, the immediate continuity question is the same: Can we keep operating safely while we fix this? Backups may help later, but they don’t solve the first-hour problem.

Backups don’t reduce legal and compliance exposure from data access

Backups restore data; they don’t undo unauthorized access. If sensitive information was accessed or exfiltrated, you may still face contractual obligations, regulatory reporting, or customer trust impacts, even if you restore systems perfectly.

This is where continuity strategies should include preventive controls and detection — and needs tight alignment with security and incident response — because recoverable is not the same as acceptable.

Backups can fail, and attackers know it

Backup failure isn’t always technical. Common issues include:

Incomplete coverage (critical SaaS data wasn’t backed up)
Stale backups (recovery point objective is worse than assumed)
Untested restores (the backup exists but cannot be restored quickly)
Unavailability of required credentials and keys in an incident.

According to the FFIEC booklet, the effectiveness of a business continuity plan can only be validated through testing or practical application. If you haven’t tested restoring workflows under realistic constraints (limited staff, stressed systems, uncertain scope, access restrictions), you don’t know your real recovery time.

Backups don’t address the human continuity problem

Continuity is also about coordination: who approves emergency actions, how you communicate internally, how you avoid unsafe workarounds, and how you maintain accountability. If your only plan is to restore from backup, you’re underestimating the operational complexity of incidents.

This is why business continuity strategies are increasingly security-focused: the same weaknesses that cause breaches (weak access control, inconsistent credential hygiene, unclear ownership) also provoke extended downtime.

What is the role of access and credential security in continuity planning?

If backups are the recovery layer, access and credential security are the control layer, the part that determines whether you can act quickly and safely during disruption.

In practical continuity terms, credentials matter because they control:

Who can execute recovery actions (restore, rotate, revoke, isolate).
How fast you can contain the incident (disable accounts, cut access, reset keys).
How confident you are in your environment (audit trails, verified changes, least privilege).
Whether people can keep working securely (without copying secrets into chats or personal notes).

This is why the best business continuity strategies treat credential governance as a continuity requirement, not just an IT hygiene item.

A technology risk management program can help you formalize this. Proton’s technology risk management plan article explicitly frames risk management as a way to prevent major incidents, which includes creating incident response plans and reducing the spread of sensitive data by using secure password managers and secure storage.

Which measures strengthen business continuity beyond backups?

Below, you’ll find seven security-focused measures that strengthen continuity in modern environments. You don’t need to implement them all at once. The goal is to reduce your most likely downtime drivers and to make recovery actions feasible under stress.

1. Define continuity requirements around critical workflows

Start with the question: What needs to keep working for us to deliver essential services? Then map the supporting tools, people, and dependencies.

A good business impact analysis and an accurate risk assessment are widely recognized as foundational to an effective business continuity plan. This is where you define what unacceptable downtime looks like to your business, which functions are time-critical, and where the biggest dependency risks live.

From a security angle, continuity planning should extend beyond core infrastructure. You must consider:

Identity providers and admin consoles.
Password and key storage.
Shared inboxes and customer communication channels.
Finance tools and payment workflows.
Vendor access paths and integrations.

If a disruption blocks access to any of these systems, teams may be unable to operate or execute recovery steps. At that moment, downtime is an access problem, not a data-loss problem.

2. Treat access control as a continuity control

Access control is often discussed as security, but it’s also continuity engineering. During an incident, you need to reduce risk quickly without breaking the business.

Practical continuity-minded access patterns include:

Least-privilege roles for day-to-day work.
Separate admin accounts (used only when needed).
Clear break glass procedures for emergency access.
Documented ownership for critical systems and vaults.
Scheduled access reviews and offboarding controls.

The point isn’t to add bureaucracy; it’s to ensure you can change access rapidly and confidently when the environment is unstable.

3. Centralize credential governance

Shadow access happens when credentials are stored outside controlled systems: browser-saved passwords, shared spreadsheets, notes, ticket comments, or temporary chat messages. These shortcuts feel productive until you’re trying to contain an incident and discover you don’t know who has access to what. A key finding of our 2026 SMB cybersecurity report was that teams with password managers often didn’t use them.

Centralized credential governance means:

Credentials live in a controlled system.
Sharing is deliberate and revocable.
Offboarding isn’t a scavenger hunt.
Rotations can happen without breaking workflows.
You can prove your controls exist.

This is a continuity win as much as a security win: the fewer unknown credentials that exist, the fewer emergency resets you need.

4. Elaborate a credential compromise playbook

Credential compromise often triggers the most disruptive continuity actions: e.g., mass resets, revoked sessions, forced multi-factor authentication (MFA) changes, access reviews, and emergency communications. If you’ve never rehearsed it, the situation becomes chaotic quickly.

A credential compromise playbook should answer:

How do we detect signs of compromise?
Who can revoke access and where?
What do we rotate first (high-privilege accounts, shared vaults, API keys)?
How do we communicate changes without leaking secrets?
How do we keep customer-facing operations running during resets?

This is where incident response and continuity overlap directly. Incident response planning is not an extra. It’s how you stop relying on improvisation and start relying on continuity.

5. Use encryption to reduce impact, not just for compliance

Encryption is typically framed as a compliance checkbox. In continuity terms, encryption reduces blast radius when things go wrong.

Examples:

Encrypted credential vaults protected by access keys reduce the risk of secrets being exposed through device compromise or insecure storage.
End-to-end encryption models limit visibility of sensitive content, which can matter for risk posture and data protection.
Strong encryption also supports safer collaboration (sharing access without exposing secrets in plain text).

This is also where many teams get stuck: they want encryption, but they worry it will slow down work. The right tools make encryption part of normal workflows, not a special process people use to bypass.

6. Make security awareness operational

In many organizations, the first continuity break is a human workaround: someone shares a password over chat because a teammate is locked out; someone uses a personal account to keep work moving; someone approves an urgent access request without checking scope.

This is why security awareness is a continuity control. It reduces the chance that a disruption becomes worse through reactive behavior.

If you need a practical baseline for small teams that still applies to enterprise habits, Proton’s roundup of cybersecurity solutions for small businesses emphasizes choosing tools that reduce risk without requiring heavy time or budget investment.

The aim is simple: make secure actions the easiest actions, especially when people are stressed.

7. Test your plan like you expect it to fail, and improve continuously

A continuity plan that hasn’t been tested is still an assumption. Testing shows what actually works under pressure: whether recovery steps are executable, access rights are correct, credentials can be retrieved securely when required, communication paths hold up, vendor dependencies are clear, and your critical functions were prioritized correctly.

The FFIEC booklet explicitly affirms that business continuity planning is only proven through testing or real-world use, so tabletop exercises should reflect modern scenarios, such as:

Authentication outage tied to a SaaS provider.
A credential compromise that forces rapid rotations
Ransomware that requires isolation and emergency access changes.
A vendor incident that demands fast containment and coordinated communications.

Therefore, treat what you’ve learned like product work: capture the gaps, assign owners, set deadlines, and retest until the plan is reliable.

How does Proton Pass for Business support continuity strategies?

Proton Pass for Business is not a full business continuity platform, and it doesn’t replace backup systems, DR infrastructure, or broader governance. Where it supports business continuity strategies most directly is in a high-leverage continuity control area: credentials and access.

Continuity efforts often fail in the messy middle of incidents: when teams are trying to contain risk, keep operations running, and coordinate changes without leaking secrets or losing control. Proton Pass for Business helps reduce that chaos by making secure credential practices easier to adopt and enforce.

Here’s how it maps to continuity needs:

Secure, centralized credential storage and sharing. Proton Pass is designed for business credential management, helping teams avoid storing secrets in scattered documents or chats, therefore enabling safer sharing patterns.
Administrative controls and governance. Proton Pass for Business includes team management and security policies (including rules around sharing and 2FA), which support continuity governance as organizations scale.
Visibility through logs and reporting. During disruption, visibility matters. You need to know what changed and when. Proton Pass offers usage logs and reporting, so admins can review activity across team accounts.
Trust through transparency. Proton’s approach emphasizes verifiable security: Proton Pass is open source, and Proton publishes independent audits, supporting organizations that seek evidence-based security controls.
Dark web monitoring. Pass Monitor alerts admins and team members if logins stored in their Proton Pass vaults appear in breach datasets, so they can rotate affected credentials early and reduce post-compromise risk.
Password health check. Pass Monitor also flags weak or reused passwords (and inactive 2FA), helping teams fix risky credentials before they’re exploited.

In continuity terms, the value is practical: fewer unknown credentials, less insecure workarounds during incidents, faster rotations when compromise is suspected, and clearer accountability for access changes. That’s how access and password management stop being just security and become operational resilience.

Final takeaway: continuity is a system, not a backup job

Backups are necessary, but modern business continuity strategies require more than recovery storage. They ask for a plan you can run under pressure, controls you can prove, and access practices that won’t collapse when the environment becomes unstable.

If you want a practical roadmap to strengthen continuity through security, with quick wins you can implement now, download Proton’s comprehensive security ebook for growing businesses.

What does cybersecurity have to do with compliance and business continuity?

Ben Wolford — Wed, 11 Mar 2026 12:57:28 GMT

Compliance has evolved from a legal requirement into a core pillar of operational resilience. Identity, authentication, and credential governance are now central to regulatory audits and compliance frameworks.

The attack that compromised at least 11 US government departments began with malicious code hidden in a trusted vendor’s software update. By the time it was publicly acknowledged in December 2020, the SolarWinds breach had exposed the Treasury Department, the Department of Justice, the Pentagon and other federal agencies to Russian intelligence operatives who spent months inside extremely sensitive networks.

In a different attack revealed just three months later, hackers were found to have accessed 150,000 security cameras at hospitals, prisons, and police departments after finding a security company’s super admin credentials exposed online. The company, Verkada, provides cloud-based, AI-powered physical security systems that integrate video surveillance, access control, environmental sensors, alarms, and visitor management into a single platform, making such an attack particularly devastating.

In both cases, attackers entered through a single point of weakness, then moved into systems affecting critical infrastructure and global enterprises. The implications are clear: inadequate credential controls have the potential to transform preventable vulnerabilities into catastrophic breaches. It’s partly why regulators have taken a strong stance on cybersecurity compliance.

Despite such expensive lessons, credential theft and account takeover remain among the most consistent attack vectors as billions of compromised credentials continue to circulate in criminal markets. While leadership attention often centers on sophisticated exploits and advanced threats, the most damaging breaches still begin with compromised logins and basic human error.

This guide explains how cybersecurity practices directly support compliance and business continuity, with practical, business-focused steps you can implement immediately.

What is compliance in cybersecurity?

Why do cybersecurity failures impact compliance and continuity?

How does poor password management create compliance risk?

Which security practices support compliance requirements?

Align security, compliance, and continuity with Proton Pass for Business

Compliance and continuity depend on cybersecurity foundations

What is compliance in cybersecurity?

Cybersecurity compliance means aligning your technical and organizational safeguards with the laws, regulations, standards, and internal policies that govern your data and systems. More than simply avoiding fines or passing audits, compliance is about demonstrating that your controls are real, consistently applied, and effective under pressure.

In practice, compliance answers three simple questions: What are you required to protect? How are you protecting it? Can you prove it?

Most cybersecurity compliance requirements fall into three buckets:

Data protection regulations

These are laws that dictate how personal and sensitive data must be collected, processed, stored, and secured. Examples include GDPR, CCPA, and sector-specific privacy rules. They typically require documented safeguards, breach notification procedures, as well as clear governance over data handling.

It looks like this: if a customer asks what data you hold about them, you must be able to locate, produce, correct, or delete it within defined timelines. That requires data inventories, access controls, retention rules, and response workflows. In other words, it’s much more than a privacy policy notice or a pop-up on your website.

If a breach occurs, regulators will expect timestamps, logs, incident reports, and proof of containment actions, not general assurances.

Industry standards

These frameworks define baseline security expectations for organizations and service providers. SOC 2, ISO 27001, and PCI DSS are common in many industries. Customers, partners, or procurement teams usually require compliance with these standards, which are often contract-driven, before signing deals.

Practically, this encompasses controls such as role-based access, change management records, vendor risk reviews, encryption standards, and monitored logging. For instance, under PCI DSS, payment data environments must be segmented and tightly access-controlled.

Under SOC 2, you must show that access is reviewed regularly and revoked when roles change. Auditors will sample tickets, logs, and access lists to confirm adherence.

Internal governance

Internal governance turns external obligations into day-to-day operating rules. These include your access control policies, retention schedules, acceptable use rules, incident response playbooks, and vendor onboarding requirements.

For instance, if your policy says terminated employees lose access immediately, compliance means you can show the offboarding checklist, the access removal tickets, and the system logs confirming deactivation for every such event.

Compliance is really about traceability and responsibility. Auditors and regulators demand traceability: who owns each control, how it’s enforced, how often it’s reviewed, and what evidence confirms it happened.

This accountability extends far beyond IT. Marketing, HR, finance, and even sales teams all handle sensitive data, making these functions part of the compliance surface.

Compliance is also continuous, not episodic. Regulations evolve; tools change; vendors rotate. Treating compliance as a one-time certification creates drift between documented controls and actual practice, generating a gap that becomes obvious during audits, investigations, or customer due diligence. Maintaining continuous review and testing helps keep compliance real, not cosmetic.

Why do cybersecurity failures impact compliance and continuity?

When security controls fail, the damage can be difficult to contain. A single intrusion or compromised account can trigger a compliance breach, then escalate into an operational crisis. The progression is fast, public, and costly. According to PwC’s 2025 Global Digital Trust Insights report, the average cost of a data breach for surveyed companies is estimated at US$3.3M.

Consider how a typical breach unfolds. When unauthorized access exposes customer or employee data, the immediate security incident quickly becomes a legal obligation. Privacy regulations impose strict breach notification timelines and documentation standards. For instance, GDPR requires notification within 72 hours, and similar obligations exist across US state laws and sector-specific regulations.

Small businesses are no less exposed to these risks than large enterprises. For instance, a local retailer that relies on point-of-sale systems and online orders can face significant downtime, lost revenue, and lasting reputational damage if its network is compromised.

The risk is even greater for businesses running e-commerce operations without dedicated security resources. For a practical breakdown of these risks as well as affordable ways to address them, see our SMB cybersecurity report and our guide to cybersecurity for small businesses.

The cost of reactive compliance

Organizations that miss these deadlines, submit incomplete reports, or cannot demonstrate reasonable safeguards face dual exposure: both the original breach and a subsequent compliance violation. During enforcement proceedings, regulators consistently examine whether foundational controls (multi-factor authentication, periodic access reviews, and comprehensive logging) were properly implemented and maintained.

Threat intelligence consistently points to the same vulnerability: credential compromise and access control gaps remain the most common entry points. As recent research indicates, billions of credentials have been exposed through infostealer malware and phishing campaigns, making account takeover one of the most prevalent breach techniques.

Sadly, incident reports frequently reveal that security tools were deployed but not operationally effective, meaning logs went unreviewed, alerts remained untuned, and dormant accounts accumulated over time.

Auditors refer to this as the “control on paper” problem: security measures are in place, but they aren’t effective in real-world conditions.

When security controls exist in theory but fail in practice

Ransomware incidents illustrate the compliance-continuity connection particularly well. When you lose access to your data, it doesn’t suspend regulatory obligations. Being suddenly unable to retrieve customer records, respond to lawful requests, or produce audit trails compounds the problem, meaning the ransomware incident actually triggers new reporting obligations and regulatory inquiries.

The gap often widens because organizations test incident response and disaster recovery in isolation. In practice, an incident response (IR) plan prioritizes containment, evidence preservation, and eradication, while a disaster recovery (DR) plan focuses on restoring systems and business operations.

During an active ransomware event, those priorities can collide when recovery begins before containment is complete, or backups are restored without full confidence that the threat has been removed. Such a misalignment reveals itself in serious incidents, when time is limited and coordination matters most.

Where continuity plans break down

Business continuity failures are often rooted in security oversights:

Backups are online and get encrypted along with production data: When backups aren’t isolated, ransomware can encrypt both primary and recovery copies, eliminating the organization’s clean restore point and forcing prolonged downtime or ransom negotiations.
Recovery and admin accounts lack multi-factor authentication: Without multi-factor authentication (MFA), privileged accounts become easy targets for credential theft or brute-force attacks, allowing attackers to disable backups, delete logs, or expand lateral access.
Critical credentials live in personal files, chat threads, or email: Informal methods of storing sensitive credentials increase the risk of leakage during phishing or account compromise, accelerating attacker movement across systems.
Access to recovery systems depends on one or two individuals: Single points of dependency create operational bottlenecks during incidents and increase risk if those individuals are unavailable or compromised.
Runbooks exist but aren’t reachable when core systems are offline: If recovery documentation is stored within affected systems, teams lose procedural guidance precisely when structured response is most critical, leading to delays and missteps.

Actionable fixes for such oversights are straightforward but frequently overlooked. Standard operating procedures call for regularly maintained offline or immutable backups, strong authentication protection for all recovery accounts, storing shared credentials in controlled vaults, and running full recovery exercises at least once annually.

There is also a long-tail trust effect because regulators, customers, and partners evaluate response quality as much as incident severity. Detection speed, clarity of communication, quality of logs, and proof of corrective action all influence outcomes. Two organizations can experience similar breaches and face very different regulatory penalties and commercial fallout based on how prepared and transparent their response was.

Post-incident reviews reveal a consistent pattern where controls existed but weren’t enforced, reviews were scheduled but not performed, and exceptions were granted and never revisited. When security incidents occur, they expose operational reality and reveal whether compliance and continuity controls function as lived practices or merely exist as well-written documents.

How does poor password management create compliance risks?

Credential weakness is still one of the most common root causes behind security and compliance incidents. This is caused by friction generated by complicated or lengthy login requirements for business networks.

Traditional password habits are hard to sustain at scale. Password reuse is a classic example, where one third-party breach can unlock multiple internal systems if credentials are reused. From a compliance standpoint, that means regulated data can be exposed through an unrelated service failure.

Many frameworks explicitly require safeguards against unauthorized access, but weak credential hygiene undermines that requirement.

Shared account security

Shared accounts create significant compliance challenges. When multiple people use the same login, individual accountability becomes difficult to demonstrate. Most regulatory frameworks require user-level traceability, meaning the ability to show who accessed what and when.

Without structured credential controls, shared logins weaken audit trails and complicate control validation. Centralized access management with individual credentials and activity visibility helps restore traceability while maintaining operational efficiency.

Remote work and SaaS sprawl increase the risk. Complex work arrangements sometimes require staff to log in from multiple devices, locations, and networks. Contractors may also need limited access for temporary projects. Then, without centralized credential governance, organizations quickly lose visibility into who has access to what—and from where.

Common credential control expectations

Most compliance frameworks don’t prescribe specific tools, but they do set clear expectations for how access to systems and data should be controlled. In practice, those expectations tend to converge around a common set of credential management principles.

Common credential control expectations include:

Unique user identities for system access
Access logging tied to individuals
Periodic access reviews
Privileged account protection
Credential lifecycle controls

When password management becomes difficult to maintain, people improvise. Credentials end up stored in notes, reused across systems, or shared over messaging tools. Those workarounds bypass both security safeguards and compliance controls, even when policies exist on paper.

The practical fix is not stricter rules alone, but better tooling and workflows. When secure credential handling is easier than insecure shortcuts, everyday behavior aligns with policy instead of working around it. In particular, purpose-built business password managers are designed to close this gap.

Here’s a closer look at how Proton’s dedicated business password platform helps solve this credential control nightmare.

Which security practices support compliance requirements?

Strong compliance does not come from isolated controls or one-off fixes. It grows from layered, integrated security practices that work together across systems, teams, and workflows. Regulators and auditors increasingly search for evidence that controls are not only defined but also consistently enforced and aligned with how the organization actually operates.

The most effective programs focus on a few core practice areas that show up across nearly every compliance framework.

1. Access control and identity

Access control sits at the center of both security and compliance. It governs who can access systems, data, and services, under what conditions, and with what level of privilege. In practical terms, this includes identity verification, permission management, and ongoing monitoring of access behavior.

Policies alone are not enough. Compliance frameworks expect access boundaries to be enforced automatically and consistently, not manually or informally. That means access decisions should be driven by identity and role, not convenience.

Least-privilege design is one of the most effective control patterns regulators look for. Each person receives only the access required to perform their role and nothing more. This approach reduces the blast radius of breaches, limits accidental exposure, and aligns cleanly with audit expectations. It does require upfront role mapping, granular permissions, and regular review cycles, but it pays off by reducing both risk and remediation effort.

2. Unified control mapping

As regulatory scope expands, many organizations struggle under overlapping requirements. GDPR, SOC 2, ISO standards, and sector-specific rules often ask for similar controls, just expressed differently.

Mature compliance programs avoid managing these requirements in isolation. Instead, they map obligations to a unified control framework that shows how each control satisfies multiple regulations at once. This approach reduces duplication, simplifies documentation, and makes audits more predictable.

From a continuity perspective, unified mapping also clarifies priorities during incidents. Teams know which controls matter most, what evidence must be preserved, and which regulatory timelines apply when systems are under stress.

3. Incident response readiness

Having an incident response plan on paper is essential, but documentation alone is not enough to demonstrate compliance. Regulators increasingly assess whether organizations can execute those plans under real conditions.

Effective readiness typically includes:

Clearly defined incident roles and decision authority
Communication templates and escalation paths
Regulatory notification procedures tied to specific thresholds
Evidence preservation methods to support audits and investigations
Regular tabletop and simulation exercises

This preparation directly supports business continuity. When an incident occurs, teams are not improvising under pressure. They can contain damage, meet reporting obligations, and restore operations faster, all while maintaining compliance.

4. Remote and distributed security controls

Remote and hybrid work environments have fundamentally changed the compliance landscape. Data now moves across devices, networks, and locations that traditional perimeter controls were never designed to protect.

To keep compliance intact, controls must travel with the data. That means enforcing:

Strong authentication across all access points
Encrypted communications by default
Endpoint safeguards for managed and unmanaged devices
Cloud-aware monitoring that reflects how services are actually used

Compliance obligations do not shrink when staff work remotely. In fact, regulators often expect stronger identity and access controls in distributed environments, precisely because visibility and oversight are harder to maintain.

5. AI and data governance

AI systems introduce new compliance considerations because they typically process large volumes of data, including personal or regulated information. Even when AI tools are experimental or internal, governance expectations still apply.

Compliance programs should clearly document:

Data sources used for training or inference
The scope and purpose of processing
Retention and deletion behavior
Third-party exposure and vendor dependencies

As automation increases, governance must keep pace. Regulators are less concerned with whether AI is used and more with whether organizations understand and control how data flows through those systems.

6. The unifying principle: usability

Across all of these areas, one principle consistently determines the success or failure of controls: usability.

Controls that block legitimate work get bypassed. Controls that align with real workflows get followed. When security practices support how people actually work, compliance stops being an obstacle and starts reinforcing operational resilience.

Practical security enables practical compliance—and that’s what keeps businesses running when conditions are less than ideal.

Align security, compliance, and continuity with Proton Pass for Business

Credential governance and access traceability are two of the most common (and most frequently failed) control areas in compliance audits and post-incident investigations.

Organizations often struggle to answer fundamental questions: Who has access to what? Why do they have it? When was it last reviewed? Can it be revoked quickly? Just as important, do we have visibility into password health, such as weak, reused, or compromised credentials, and exposure to known data breaches?

Without centralized oversight and reporting, these gaps remain hidden until an audit or incident forces scrutiny. Business password management platforms are designed to close that operational gap.

Proton Pass for Business, our business password manager, positions credential management as a governance and resilience control, not just a convenience feature. It provides organizations with a structured way to manage identities, credentials, and shared access across teams, with built-in auditability and policy enforcement.

Compliance-aligned access governance

Many regulatory and audit frameworks require extensive access oversight, including unique user identification, controlled credential sharing, and demonstrable access oversight.

Proton Pass for Business supports these requirements through structured access governance that is practical to operate day to day. It provides administrative visibility through activity logs and reporting on credential access, password changes, sharing actions, and identified risks such as weak or exposed credentials, helping organizations maintain traceability and demonstrate control effectiveness during audits.

Organizations can implement controls such as:

Enforcing unique credentials per user and per service
Moving from informal shared logins to secure, traceable credential sharing
Structuring vault access based on defined responsibilities, with controlled sharing
Restricting who can view, edit, or share specific credentials
Maintaining recorded histories of credential access and changes

In practical terms, this means you can replace informal password sharing over email or chat with policy-based sharing tied to roles and teams. During audits, instead of explaining process intent, you can show system-level enforcement and access records.

Visibility across distributed environments

Modern access sprawl is driven by SaaS adoption, remote work, and contractor ecosystems. Credentials end up scattered across browsers, devices, spreadsheets, and personal password stores. That fragmentation makes compliance reviews and access certifications slow and error-prone.

Centralized credential vaulting changes that. Security and IT teams gain a consolidated view of business-critical accounts and who can access them. That makes periodic access reviews, which are required under many frameworks, operationally feasible.

Actionable practices enabled by centralized credential platforms include:

Running quarterly access reviews by vault or role
Rapidly removing access when employees change roles or leave
Identifying orphaned or unused accounts
Standardizing how high-risk credentials are stored and shared

Instead of chasing passwords across systems, reviewers work from a controlled inventory.

Continuity and incident response support

Business continuity plans often fail on a simple point: responders can’t get the access they need when systems are under stress. Credentials go missing, get locked in personal vaults, or are known only to one administrator. That turns a recoverable incident into extended downtime.

Secure, centralized credential vaulting supports continuity by ensuring that authorized responders can reach critical systems without weakening controls. Teams can predefine emergency access groups, segregate high-risk credentials, and ensure recovery accounts are stored with strong protection.

Operationally, this supports continuity measures such as:

Securing backup system credentials separately from production
Protecting admin and recovery accounts with strong authentication
Ensuring at least two authorized roles can access critical credentials
Documenting and testing emergency access workflows

Continuity stops being dependent on individual memory and starts being system-supported.

Governance and audit readiness

From an audit and governance standpoint, credential platforms provide usable evidence, not just policy statements. Auditors and assessors typically want artifacts, including logs, histories, access lists, and proof of review.

Centralized credential management within Proton Pass helps produce that evidence through:

Access detailed activity logs for all credentials
Clear ownership and vault structures
Demonstrable policy enforcement
Access and visibility into shared vault access and stored item log events
Controlled and reviewable sharing records

That shortens audit cycles and reduces remediation findings tied to identity and access management.

Compliance and continuity depend on cybersecurity foundations

Cybersecurity, compliance, and business continuity are now structurally linked. You aren’t able to maintain one without the others. Security incidents create compliance gaps, which lead to operational vulnerability. Continuity plans will fail without secure, reliable access to systems and data.

Resilient organizations don’t chase perfect security or compliance, because neither exists. Instead, they build integrated control environments where security practices support regulatory obligations and continuity planning assumes real-world threat conditions.

That integration requires leadership backing, regular control testing, workflow-friendly tools, and continuous refinement. When done right, security becomes a business enabler that supports growth, partnerships, expansion, and customer trust.

For many organizations, the most practical place to start is strengthening the fundamentals: identity, access, credential governance, incident readiness, and auditability.

At Proton, building a secure environment is a top priority. Find out how to enhance your cybersecurity with our guidelines and dedicated tools.

What is an eavesdropping attack? Everything you need to know

Kate Menzies — Wed, 11 Mar 2026 11:11:59 GMT

Most of the time, “eavesdropping” means listening in on a conversation in public, but hackers are more clever. For them, eavesdropping means listening in on a conversation between two devices.

An eavesdropping attack gives criminals or spies access to personal data and business networks, helping them extract data, steal money, and potentially commit fraud.

What is an eavesdropping attack?

Hackers use eavesdropping attacks to access data that’s being shared between devices, such as the activity on your phone while you’re connected to a public WiFi network. They can do this using a few different methods:

Keystroke logging (or keylogging) allows someone to see what you’re typing on your keyboard without your knowledge. This can be done using either software or hardware, and may be used by governments or law enforcement to monitor suspicious activity. However, keylogging can also be deployed as a form of spyware. By seeing what you’re typing, hackers can collect sensitive information, such as passwords for banking apps.
Man-in-the-middle (MITM) attacks are a way for a hacker to insert themselves into an email conversation or gain access to a WiFi connection and silently monitor data being shared. There are different ways to launch MITM attacks, such as HTTPS spoofing, session hijacking, and malware.
Unsecured networks such as free public WiFi are one of the easiest ways to illicitly gain access to devices. Unencrypted networks can be monitored without much effort on a hacker’s side; they don’t even need to convince you to click a link. A fake hotspot set up to look like public WiFi can also trick you into connecting to it, and once you’re connected hackers can see the activity on your device.
Network sniffing uses software to take snapshots of data being transmitted over a network without sending it to a different location or changing it at all. It can be used safely by IT admins to monitor network connections for security purposes, but it can also be used by hackers to collect sensitive information from your devices. This type of attack uses your computer’s network interface card (NIC) to allow someone to capture and access pieces (known as packets) of data.
Unsecured accounts with weak passwords grant hackers very easy access to your digital life. It isn’t even necessary to launch an attack if your passwords can be found on the dark web. If and when a data breach occurs for an online service you use, a single password can grant access to all of your online accounts if you aren’t creating strong and unique passwords for each account and using two-factor authentication.

Why do hackers use eavesdropping attacks?

Despite there being many ways to launching eavesdropping attacks, there’s one main goal: to intercept sensitive, unencrypted data and exploit it. Eavesdropping attacks are an extremely effective way to steal personal data from individuals, and sensitive and proprietary information from businesses.

How do eavesdropping attacks affect individuals?

Eavesdropping can be used to target individuals already known to a bad actor or to identify future victims for future phishing scams, blackmail, or identity fraud.

Financial loss is a significant risk if an individual is targeted by an eavesdropping attack. Your online banking portal login details or your credit card information can be targeted, leading you to potential financial loss and identity fraud.
Hackers can blackmail you by stealing personal data such as your medical information, private conversations, or browsing history.
If you’re targeted by an eavesdropping attack while you’re using a personal device for work purposes, hackers could access sensitive business data. Loss of this data could result in penalties at work or even legal consequences if proprietary or sensitive customer data is stolen.
Stalkerware or intimate partner surveillance (IPS) can be used to remotely monitor someone’s location as well as what to see they’re doing on their devices and even deprive them of access to their bank accounts. This is known as tech abuse and is used as a means of domestic control and abuse. More resources can be accessed through the National Domestic Violence Hotline in the US and Refuge in the UK.

How do eavesdropping attacks affect businesses?

While the risks of eavesdropping attacks can be dangerous for individuals, they can also be catastrophic for businesses.

Reputational damage is caused when your customers or your clients find out that your business has been affected by a cyberattack: it’s difficult and sometimes impossible to rebuild this trust.
Operational continuity isn’t possible when your business is actively being targeted by a cyberattack. Employees could lose access to critical data and systems.
Businesses are also vulnerable to financial loss if financial documents or banking information are stolen. Smaller businesses may not be able to recover from a significant loss.
Fines can be imposed against businesses if sensitive customer data isn’t adequately stored and protected according to your local data protection regulations.
Your business data may appear on the dark web once it’s been stolen. This leaves you open to increased scams and spam in the future as hackers see your business as a target. An eavesdropping attack is an ideal way for bad actors to see exactly what they can get from your business and plan further attacks in the future such as phishing attacks and ransomware.

How to protect yourself against eavesdropping attacks

It’s not too difficult to make sure that your data and your devices are protected against all kinds of cyberattacks. You don’t need to be a tech expert, you just need the right approach and the right tools.

Use a VPN

A secure VPN encrypts the data your devices send and receive: if the data is encrypted, hackers can’t intercept it. VPNs can protect all of your devices, including phones, tablets, laptops, and PCs so that you can use the internet with total privacy. It’s also advisable to avoid public WiFi, especially if it’s unsecured. Ads, trackers, and eavesdropping can all be prevented just by switching on your VPN.

Protect your accounts

The passwords you use to protect your accounts are more important than you might think. Repeating the same password for multiple accounts means it’s much easier for your accounts to be hacked. Make sure you’re creating a different strong password for each account, and use a secure password manager to store, autofill, and even share your passwords securely.

Protect your personal data

Data privacy helps you to prevent too much of your personal information ending up online where you can’t control who can see it. To protect your personal data, don’t share sensitive information like your email address, name, or date of birth unless it’s necessary (for example, on a health insurance website or a government services portal). You can hide your personal email address by using email aliases, which hide your real email address and protect you from spam, scams, and tracking. The more you hide your personal data online, the harder it is for anyone to target you.

Use two-factor authentication

Two-factor authentication (2FA) creates an extra layer of protection for your accounts. It’s an additional step to logging in which makes it much harder for someone else to access your account. There are different forms of 2FA available such as biometric logins, PIN codes, codes generated using an authenticator app, and physical security keys. You can also create passkeys for your accounts if they’re supported by the service you’re using.

Regularly update your devices and your apps

One of the easiest ways to make sure your devices are secure is to regularly update your operating system (OS) and your apps. Updates protect you against vulnerabilities in older versions, so you can protect yourself just by making sure you’re using the latest version of your device’s OS and any apps installed.

How to protect your business against eavesdropping attacks

In a world where many employees work remotely and use their own devices, the attack surface for businesses has grown significantly. Protecting your business network against eavesdropping attacks takes a different form than protecting an individual’s devices, but it’s achievable with rigorous focus on monitoring your network traffic, reviewing access logs, and putting adequate security measures in place.

Use a business VPN

Data encryption protects anything being sent or received within your business network. A business VPN encrypts all traffic and can also create a secure working environment that team members can log into on any device from any location without compromising the security of your network. Team members are protected against IP tracking and malware, no matter where they are. Sensitive information is protected when it’s encrypted, meaning your business can remain compliant with ISO 27001, GDPR, and HIPAA regulations.

Improve your password management

Password management within your business can be simplified with a business password manager. Team members can generate passwords according to your business’s requirements, then store them in shared vaults for teams, even sharing them outside your network securely if needed with secure links. Protecting accounts that have access to sensitive data protects your business network from becoming an attractive prospect for hackers.

Strengthen access management

If gaining access to your business network requires proper identification and authentication, it’s more difficult for anyone to sneak in undetected. Operating with the principle of least privilege means making sure that team members only have access to the systems, apps, and data they strictly require for their roles. Your IT admins can then implement tools such as sharing policies, single sign-on (SSO), and enforced 2FA to make sure that only the right people have access to your network.

Monitor network traffic

To detect an eavesdropper in your network, you need to check your traffic. IT admins should regularly review the activity within your systems, looking for logins from new IP addresses, devices or locations, or irregular behavior such as sharing multiple documents. Usage logs are a helpful tool for spotting suspicious activity and acting accordingly. If your access management is organized well, all an admin needs to do is revoke access to an affected user or shut down an affected system in order to stop the hacker in their tracks.

Protect yourself against eavesdropping attacks with the right tools

No matter whether you’re looking to protect yourself or your business, Proton has a suite of privacy-first tools designed to encrypt your personal data and your online behavior. Eavesdropping attacks rely on people being careless when it comes to their privacy, so don’t let hackers get the best of you.

OpenAI trains on your data, but there’s a free, private ChatGPT alternative

Elena Constantinescu — Tue, 10 Mar 2026 18:51:42 GMT

AI assistants like ChatGPT promise to make work faster and easier. But every time you enter sensitive information, describe a confidential problem, or ask a personal question, you are handing over valuable data that can be collected, processed, and shared beyond what you intended.

Big Tech AI tools collect and analyze user interactions to improve their models and monetize their platforms, raising serious concerns about intellectual property and data ownership. Public concern peaked in March 2025, when more than four million users pledged to leave ChatGPT after a controversial partnership with the US government raised fears about mass surveillance and government access to AI training data.

As AI privacy and security issues become more widely understood, many people are now looking for a private ChatGPT alternative that lets them use AI without giving up control of their data.

Why do you need a ChatGPT alternative?
What a private alternative to ChatGPT looks like
Switch to private AI

Why do you need a ChatGPT alternative?

AI assistants like ChatGPT can be incredibly useful, but they’re not designed to be private workspaces. Like many Big Tech platforms, ChatGPT collects data from user interactions, including your prompts, uploaded files, and usage patterns. This data may be stored, reviewed by humans for quality control, or used to improve AI models.

Because conversations aren’t protected with zero-access encryption, the platform itself or its partners may be able to access the data you submit. Anything you type into an AI chat could be stored, analyzed, or exposed in the event of a breach, which creates risks for both individuals and organizations. Prompts may reveal sensitive personal information, while employees might unknowingly paste confidential company data into AI tools, exposing intellectual property or client information.

At the same time, OpenAI has begun introducing ads into ChatGPT for some users, raising even more questions about how it monetizes user interactions and what role personal data plays. It’s no wonder why many people are questioning how safe ChatGPT really is, especially for sensitive information.

What a private alternative to ChatGPT looks like

If you’re uneasy about handing over your personal and business data every time you use an AI assistant, you’re not alone — and you’re not out of options. We built Lumo to be everything the current generation of AI tools isn’t: private, secure, transparent, and built to work for you, not for advertisers or data brokers.

Here’s what makes Lumo unique:

No logs

When you send a message, it’s securely transmitted to our servers using bidirectional asymmetric encryption — a form of end-to-end encryption. Lumo processes your query on servers in Europe that we control, generates a response, and then immediately deletes your data.

Zero-access encrypted chat history

If you use Lumo with a Proton Account, your chat history is saved with zero-access encryption, so you’re the only one who can access it. Or, if you prefer not to keep any history at all, you can use Lumo in Ghost mode, where nothing is saved after your session ends. Either way, you own and control your data, not Proton.

Not used for AI training

Your conversations are never used to train the model. Unlike other AI tools that learn from user data, Lumo doesn’t feed your chats back into the system, where they can potentially be leaked or used to profile you.

Built and hosted in Europe

Lumo is hosted on European servers and operates under European legal jurisdiction. Unlike Big Tech based in the US, you’re protected from warrantless or mass surveillance regimes.

Open source and transparent

Unlike AI tools similar to ChatGPT that rely on closed proprietary systems, Lumo uses open-source models and open source code for all our apps. Anyone can review how these models operate and confirm that there’s no silent tracking or unauthorized data collection.

No third-party data sharing

Big Tech AI assistants send your data to vendors, partners, or other third parties. With Lumo, your chats are encrypted from your device to our servers, processed privately, and then deleted.

No ads

Lumo never shows ads and never uses your conversations for targeted ads. Unlike many AI platforms that rely on advertising or behavioral data to generate revenue, Lumo is supported by subscriptions — not by profiling users. That means your interactions stay private and the assistant’s responses aren’t influenced by advertisers.

Switch to private AI

With Lumo, you can stop worrying about the type of sensitive data you enter into an AI chatbot. You can:

Draft contracts with confidential legal or business details.
Upload proprietary documents without worrying about leaks.
Analyze sensitive personal data like PII, HR records, or client information with full control.
Explore private medical questions without exposing your health data.
Write, code, or brainstorm — all without leaving a digital paper trail.
Work on long-term projects using files, chats, and instructions in a private encrypted workspace.

Try Lumo now and see what AI looks like when your privacy matters most. And when you’re ready to bring that same level of privacy to your workplace, Lumo for Business helps your team collaborate securely and stay productive without compromising sensitive company data.

Use Lumo now Get Lumo for Business

You can also download Lumo from Google Play or App Store.

Is ChatGPT safe to use? Here’s what you should know.

Elena Constantinescu — Thu, 05 Mar 2026 17:09:00 GMT

ChatGPT is a powerful AI assistant used by million of users daily, but is it safe to use? It’s owned and operated by OpenAI, one of the largest tech companies in the world. And like many Big Tech platforms, OpenAI collects large amounts of user data. That data is not protected with zero-access encryption, so the company can divulge it to business partners (including advertising and analytics companies), the government, and hackers in the event of a data breach.

Behind the scenes, OpenAI’s large language models (LLM) are constantly learning from what you type. Sensitive questions, like asking about health symptoms, legal matters, or intellectual property, can feed into complex profiling systems or help train AI models used far beyond your original intent.

Concerns about how AI companies handle user data are growing. In March 2026, over 2.5 million users pledged to leave ChatGPT after a controversial partnership with the US government raised questions about how AI systems are deployed and governed. It’s a reminder that when you interact with an AI assistant without strong privacy protections, you may be sharing more information than you realize.

Is ChatGPT safe? The risks of using AI like ChatGPT and other Big Tech
Things you should never share with ChatGPT
How to stay safe when using ChatGPT
Switch to a private AI assistant

Is ChatGPT safe? The risks of using AI like ChatGPT and other Big Tech

Before choosing AI tools like ChatGPT, Gemini, Meta AI, Copilot, and DeepSeek, it’s worth understanding their security and privacy risks:

Risk	Potential impact	Why it matters
Data collection and logging	Prompts, file uploads, and interaction patterns may be stored	Can be used for AI training, behavioral profiling, or human review
Lack of zero-access encryption	Conversations may be accessed by OpenAI and its partners	Increases risk of exposing sensitive data
Regulatory and IP concerns	GDPR/HIPAA exposure or proprietary data leaks	Legal liability and financial consequences
Closed-source system	Limited transparency into data handling	Requires trust in OpenAI
In-app ads	Increased tracking and profiling	Unclear how chat data informs personalized ads

Personal privacy

Here’s what you risk by using ChatGPT:

ChatGPT may collect the information you enter — such as questions, responses, and how you interact with the tool — to train its AI models. If you upload a resume, legal document, a medical report, or another file with personal data, that content may be stored and processed too.
Even if you never enter your name or other personal data, your prompts can reveal patterns over time, such as health concerns, religious doubts, political leanings, family status, or emotional state. Combined with your IP address and other technical identifiers, these patterns can be used to build detailed behavioral profiles.
You might be able to opt out of AI training, but your conversations are still logged and sensitive details might be seen by human reviewers if they’re flagged, such as when you submit feedback.
Your chat history is protected while being sent and stored, but it’s not protected with zero-access encryption, so OpenAI or a third party can still access your past conversations.
In July 2025, thousands of shared ChatGPT conversations appeared in Google search results, exposing deeply personal exchanges that users likely assumed were private. OpenAI soon pulled the feature and said it was working with Google to de-index the results, but the incident highlights how easily AI interactions can slip into the public domain without you realizing it.
In early 2026, OpenAI introduced ads for ChatGPT users on the free and ChatGPT Go plans. Despite assurances that ads won’t influence responses or involve sharing personal data with advertisers, the move follows a well-established Big Tech pattern in which advertising eventually becomes normalized after initial privacy concerns.

Business risk

OpenAI is a US company, so using ChatGPT can raise data protection concerns and risks of leaking sensitive information. If you’re based in Europe or elsewhere, your data could still be subject to US jurisdiction since it’s processed by a US company. Here’s what that means:

Without strong data protection guarantees, your organization risks fines or regulatory scrutiny under laws such as GDPR and HIPAA.
You risk leaks by training AI models on your company data. For example, employees might enter proprietary code, confidential contracts, or client information into ChatGPT, potentially exposing intellectual property, trade secrets, or customer data.
OpenAI may share data with partners, vendors, other third parties, or through app integrations — which could have weaker privacy protections or different data policies. In 2025, a breach involving one of OpenAI’s analytics vendors exposed identifying information about API customers.
Under US laws like the Patriot Act or FISA (Foreign Intelligence Surveillance Act), companies can be compelled to provide data to government agencies, often with secrecy orders that prevent them from notifying users.

Lack of transparency

The above are known risks. But what’s especially risky about ChatGPT (and other closed source software) is what you aren’t permitted to know.

The code of ChatGPT’s apps are not open source, so there’s no public oversight into how it works, what it logs, or how it processes your data behind the scenes. You must rely on OpenAI’s policies and trust that the system handles data responsibly.
Although OpenAI has released open-weight models that can be publicly examined, the AI models that ChatGPT uses aren’t open source so you can’t check how the data was pre-trained on large datasets.

Things you should never share with ChatGPT

Even though ChatGPT can be helpful, you should never treat it like a secure vault for sensitive information. Avoid entering anything that could harm you, your company, or others if it were stored, reviewed, or accidentally exposed:

Passwords and authentication data, such as account passwords, two-factor authentication (2FA) codes, backup authentication codes, or private API keys.

Government identification numbers, including Social Security, national ID, passport, driver’s license, and tax identification numbers.

Financial and banking information, such as credit or debit card numbers, IBANs, online banking credentials, investment account logins, or Bitcoin wallet private keys.

Highly sensitive personal data that could be used to identify or track you or your family, such as home address and phone number, birth date, or private photos or documents.

Health information, such as medical reports, diagnostic records, insurance numbers, patient IDs, or detailed health histories tied to your identity.

Confidential work or company data, including proprietary source code, internal strategy documents, confidential contracts, customer databases, client details, financial projections, unpublished reports, or NDAs.

Legal and privileged information, such as attorney-client communications, legal case strategies, evidence documents, or confidential settlement discussions.

How to stay safe when using ChatGPT

You don’t have to avoid AI tools entirely, but you should treat them like public-facing services rather than private workspaces. A few simple habits can significantly reduce your risk:

Avoid sharing sensitive information you wouldn’t want stored, reviewed, or exposed publicly.
Remove identifying details or replace them with placeholders or fictional examples.
Only upload files that do not contain sensitive or confidential information.
Treat AI chats like emails or support tickets that could be seen by other people.
Review privacy settings and disable settings like chat history, memory, or AI training.
Delete conversations you no longer need to reduce how much personal information remains associated with your account.

Switch to a private AI assistant

If you’re concerned about sharing personal or business information with AI tools, try Lumo. Our private ChatGPT alternative never logs your conversations or uses them for model training. Your data is protected with bidirectional asymmetric encryption (a form of end-to-end encryption) and processed on European servers controlled by Proton.

When you use Lumo with a Proton Account, your conversations are protected with zero-access encryption, meaning only you can read them — not even Proton. For maximum privacy, Ghost mode allows you to use Lumo without saving any history at all.

Lumo uses open-source models, so anyone can verify that no hidden tracking or data collection occurs.

Use Lumo now Get Lumo for Business

You can also download Lumo from Google Play or App Store.

The Proton guide to privacy at protests

Richie Koch — Tue, 03 Mar 2026 15:35:11 GMT

From Minneapolis to Munich to Tehran, people are taking to the streets as a form of political expression. The right to peaceful assembly and protest are bedrocks of democracy, and we support everyone’s ability to exercise these rights. Proton’s mission is to protect people’s privacy and freedom from surveillance and censorship. For this reason, protesters across the political spectrum and around the world have turned to our encrypted email, VPN, and other services to keep their communications and online activity safe from monitoring and attacks.

Digital privacy is only one concern; demonstrators must protect themselves offline too. Governments are monitoring protests with increasingly draconian methods, like the thousands of CCTV cameras with AI facial recognition in Hong Kong, and the surveillance creep and rise of Immigration and Customs Enforcement (ICE) raids in cities all over the US.

ICE has deployed mobile biometric tools, such as the Mobile Fortify app, which allows agents to identify individuals in a crowd by pointing a smartphone camera at their face or fingerprints, which matches them against federal databases. Because the biometric matches are considered definitive, US citizens have been wrongfully detained after being misidentified by the technology.

Federal agencies are also circumventing the need for search warrants by purchasing bulk location data from commercial data brokers. If you have apps on your phone that collect and sell your movement history, agencies can use this data to identify individuals back to their homes or workplaces.

In the face of these privacy threats, this guide explains how to defend your rights at a protest in three important areas: your phone, your communications in the cloud, and your face. It’s critical that you remain in control of each of these “identifiers” so you can peacefully voice your opinion without fear of repression or repercussions for exercising your rights.

Secure your phone

Smartphones have made it much easier for protesters to record what’s happening in front of them, and video recordings can be powerful calls to action and tools to hold those in power accountable. However, smartphones also contain massive amounts of personal information and are constantly transmitting data.

Many law enforcement agencies in the US use IMSI-catchers (often called Stingrays), which act like fake phone towers to track your location and phone number. While modern 5G networks have better built-in protections, authorities can use jamming techniques to force your phone onto older, less secure 4G or 2G networks to bypass those safeguards.

If you want to protect your data, you have three primary options:

Leave your phone at home

This one is self-explanatory: The authorities won’t be able to track your phone at the protest if you don’t have it. To avoid suspicion, leave your phone on while you are at the protest. For maximum digital privacy, you should not bring any device that can create an external connection, including smartwatches, fitness trackers, or Bluetooth headphones.

Depending on your threat model, you might decide the extra privacy of leaving your phone behind is not worth the inconvenience.

Bring a clean phone

The phone you use every day is linked to your identity, and you could leave it at home (but still on) to make sure authorities cannot access it. If you want a phone with you at the protest, you could buy a new, cheap phone. However, for this to be effective, there are steps you will need to follow. This new phone can only be used at protests. You should not turn it on before you arrive at the protest, and you should turn it off before you leave. You will need a new SIM card. You cannot use your regular SIM in your “protest-only” phone. You should only load the apps that are essential. And you should not link your protest phone to your normal phone in any way.

If you buy a cheap, unlocked Android device and a prepaid SIM that you only turn on and use at the protest, it will be very difficult for anyone to track or identify you. Do not log in to it with your Google account (or your iCloud account if it’s an iPhone). To be extra cautious, you should buy the phone and SIM with cash or a gift card. You could also use a trusted VPN provider, like Proton VPN, to access the open source app repository F-Droid and download the apps you want for the protest. The goal is to put as little personal information as possible on this protest phone.

Buying a new prepaid phone can be expensive, especially if you’re only going to use it for one afternoon. If a new one costs too much, you can bring your regular phone, but precautions must be taken.

Turn off all location data and keep your phone off until you need it

This is the most convenient but least private option. If you must use your primary phone, take these steps to minimize your data trail:

Reset your advertising ID: This is a hidden ID that apps can use to track you. On Android, go to Settings > Security and privacy > Privacy controls > Ads and tap Reset/Delete Advertising ID. On iOS, go to Settings > Privacy & Security > Tracking and ensure Allow Apps to Request to Track is off.
Use airplane mode: Keep your phone in Airplane Mode whenever you aren’t actively using it to stop it pinging nearby towers.
Use a Faraday bag: This is a small pouch that blocks all radio signals. It is more reliable than simply turning your phone off, as some modern devices may still be tracked even when they appear to be off.
Disable 2G: If your phone allows it, turn off 2G to prevent IMSI-catchers from forcing your phone onto an old, unencrypted connection.

Encrypt your phone

Regardless of which phone you bring, if you have one at a protest, you should encrypt it. This will prevent the police or anyone who gets physical access to your phone from accessing your data. If you set a passcode on your iOS device, it is already encrypted. Most Android devices also automatically encrypt themselves, but if you are uncertain, you can tap Settings, then Security, and see if Device Encryption has been activated.

You should also make sure you update your device’s settings so that it does not display notifications when the screen is locked.

Turn off biometrics on your phone

Do not use biometric authentication, like face or fingerprint scans, to secure your iOS or Android device. While the legal landscape is shifting, it remains unsettled. In early 2026, some US courts ruled that compelling a person to unlock their phone with a thumbprint is a “testimonial act” protected by the Fifth Amendment. However, other courts disagree, and federal agencies like ICE use warrants that explicitly authorize them to forcibly hold a phone to your face or use your fingers to bypass security.

It is much harder for authorities to legally or physically force you to provide a memorized passcode.

Use a strong passcode: For the best security, your PIN or passcode should be at least 10 digits long, avoid obvious sequences, and ideally include numbers and letters if possible.
Enable lockdown mode: On both iOS and modern Android devices, you can quickly enter a lockdown state (usually by holding the power and volume buttons) to instantly disable biometrics and require a passcode for the next unlock.
Know your rights: In the US, you are generally not obligated to share your passcode with law enforcement. However, in countries like the UK and Australia, authorities can legally compel you to hand over your password or face criminal charges.

Use secure messaging apps that are end-to-end encrypted

If you are at a protest and are worried about your privacy, you should not use SMS. It is the easiest messaging method for law enforcement to intercept. Instead, you should use an end-to-end encrypted secure messaging app. The most secure messaging app is Signal, which is operated by a nonprofit and collects almost no metadata.

Use disappearing messages so that if your phone is seized, your past conversations are already gone.
You can hide your phone number and use a username, which prevents your identity from being linked to your account if a stranger adds you in a group chat.

Although WhatsApp is end-to-end encrypted, Facebook controls the metadata. While they can’t read your messages, they do record who you message and when. Law enforcement can request this metadata to map out protest networks.

Apple’s iMessage is also end-to-end encrypted, but only if you turn on Advanced Data Protection. But please note, if you turn on iCloud backup on your iOS device for WhatsApp or iMessage, your messages will be saved in an unencrypted state.

Protesters should not use Bridgefy. Despite marketing itself as a “protest app” and an end-to-end encrypted messaging service, it is not end-to-end encrypted and should not be trusted with sensitive communications.

Bridgefy uses Bluetooth and a mesh network routing so that users can message each other without an internet connection. However, a group of researchers devised a series of attacks against the app and discovered it puts an incredible amount of user data at risk. As Ars Technica reported, even attackers with only moderate resources can deanonymize users, decrypt and read messages, and tamper with messages in transit.

The researchers shared these vulnerabilities with Bridgefy in April, but they have not yet been fixed.

Use end-to-end encrypted email

Email services like Gmail or Outlook can scan your messages and provide them to law enforcement. If you need to coordinate privately using email, it’s important that all members of the conversation are using a secure email service that supports end-to-end encryption.

Conversations in Proton Mail are end-to-end encrypted (meaning only the sender and recipient can access the contents of the message) when both parties are using Proton (or another PGP-enabled service). Otherwise, the communication will be zero-access encrypted, meaning Proton won’t have access to the messages, but the service of the person you’re writing to will unless you password-protect your emails.

Proton Mail also lets you send self-destructing messages, which are erased from your recipient’s inbox at a specified time you set.

To protect your inbox from physical searches, you should use app-level PIN protection. This requires a code or biometric check specifically for the Proton Mail app, meaning that even if someone manages to unlock your phone, they will still be blocked from your emails. For an added layer of physical privacy, you can use the discreet app icon feature to change the Proton Mail icon on your home screen to look like a generic utility app, such as a calculator or weather app. This makes it much less obvious that you have a secure communication tool installed if your phone is inspected.

Proton is based in Switzerland, so your data is protected by some of the world’s strongest privacy laws. We are prohibited by Swiss law from responding to any foreign data requests unless they are approved by a Swiss court, providing a vital legal barrier against overreaching surveillance.

Be wary of posting to social media

You can put yourself and other protesters at risk by posting on social media. There is little point in going through the effort to protect your smartphone from being monitored if you share everything you are doing on Facebook, X, or TikTok.

In 2026, federal agencies use AI-driven social media monitoring to scrape protest photos and videos. These tools can identify you or your friends through facial recognition, unique tattoos, or even the metadata hidden in your files. To preserve your privacy, be mindful of the information you share about yourself and the protest in general. If you do take pictures, ensure that all faces and identifying features are blurred or covered first.

Strip photos and videos of faces and metadata

If you must post to social media, be careful what information your photos inadvertently expose. When you take a photo or video with your smartphone, it records metadata (also known as EXIF metadata), which includes the exact time, date, and GPS coordinates of where the image was captured.

You can prevent your smartphone camera from adding location metadata in your iOS and Android settings, but for photos you have already taken, you should scrub the data before sharing. The most effective way to do this quickly is to use the Signal app.

Open Signal and select a photo as if you are sending it, then use the blur tool to hide faces. Signal automatically strips out all EXIF metadata and hides facial features in a way that is difficult for AI to reverse.

Taking a screenshot is a popular way to hide data, because they do not carry the original GPS metadata. However, screenshots may still contain metadata from your device, such as the time of the capture or your phone’s model. For a more thorough approach, use specialized tools like PrivMeta or Image Scrubber, which allow you to wipe metadata and paint over faces while your phone is in airplane mode.

Tip: Pixelation can sometimes be undone, so covering faces with solid black boxes or opaque digital stickers is a much more secure way to protect identities.

Your face is your identity

If you are at a protest, it’s impossible to control who takes photos of you. To protect your privacy, you should plan on covering your face in a way that disrupts modern AI. While medical masks were once sufficient, current surveillance technology can often identify individuals by analyzing only the area around the eyes and the bridge of the nose.

To be effective in 2026, you should use a combination of items to break up your facial symmetry. A wide-brimmed hat pulled low can block overhead cameras, while large, wrap-around sunglasses can obscure the key landmarks around your eyes. Using a bandana or neck gaiter that covers from the bridge of your nose down to your chest is much more effective than a simple mask.

For even greater protection, consider garments or makeup that use specific patterns designed to confuse AI. Look into computer vision dazzle (CV Dazzle), which uses high-contrast shapes to hide the bridge of the nose and eyes.

Finally, remember that law enforcement also uses unique identifiers like tattoos, bright-colored hair, or specific logos on your clothing to track you. Covering these with long sleeves, gloves, or plain, unbranded layers is just as important as covering your face.

Final takeaways

As a Swiss organization, we are politically neutral; however, we are unequivocal in our defense of citizens’ fundamental human rights. We believe everyone, including protesters, has the right to security, privacy, and freedom. Peaceful popular protests are often catalysts for long-overdue policy changes. If you are protesting peacefully and you want to protect your privacy, you should:

Secure your phone (or leave it at home)
Use end-to-end encrypted messaging and private email apps
Be careful about posting on social media
Scrub out identifying information from photos and videos

It is also important to note that as a Swiss organization, Proton Mail is subject to Swiss law, meaning we will take firm action against those who use our service for purposes that are illegal in Switzerland. We have clear terms and conditions as well as a zero-tolerance policy for crime. If any user violates those terms and conditions or uses Proton in the commission of a crime under Swiss law, such as the destruction of property, we will disable their account.

We’re proud that Proton Mail and Proton VPN have become tools that protesters and demonstrators use to share their voices. We are firm in our stance that everyone has the right to privacy, and we hope this guide helps peaceful protesters stay safe.

UPDATE Aug. 25, 2020: This story now includes information about the Bridgefy messaging app.

UPDATE June 17, 2025: Added information about license plate scanners, Faraday bags, and Signal removing EXIF data.

UPDATE March 3, 2026: Updated to include information on federal biometric surveillance (Mobile Fortify), the data broker loophole, and 2026 legal rulings on compelled biometric unlocking.

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service to protect your privacy. Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.

***

Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.

How to know if your phone is hacked — and what to do next

Kate Menzies — Tue, 03 Mar 2026 11:24:37 GMT

You probably know your computer can be hacked, but did you know your phone can be, too?

Your phone is likely how you text friends and family, make healthcare appointments, shop online, and manage your bank accounts, making it an ideal target for hackers to access your personal data very quickly.

If your phone is hacked, you’re vulnerable to identity fraud and, potentially, serious financial loss. We’ll help you understand exactly how your phone can be hacked and what you can do to prevent it.

How can someone hack your phone?

There are several paths hackers can take to target and break into your mobile device.

Public WiFi

Connecting to a public WiFi network presents a lot of risks. Hackers can create public hotspots with names that look legitimate in order to trick you into connecting to them. When you connect to a fake hotspot, you may be directed to a landing page and prompted to create an account in order to connect to the internet. Once you’re connected, hackers will be able to see everything you’re doing and collect data that may include your email address and passwords in order to access your online accounts. If you connect to public WiFi that isn’t password protected, hackers can also use man-in-the-middle attacks to insert themselves between your device and the website or app you’re using, intercepting or even altering your data.

How to protect yourself against public WiFi attacks:

Use a secure VPN to hide your online activity
Use caution when connecting to public WiFi networks (and consider not doing it)

Malicious apps

Hackers are able to hide malware in apps uploaded to fake app stores or sent to you via phishing emails.If you’ve accidentally downloaded a malicious app, a hacker can gain access to your phone and your online accounts. They can also find sensitive data about you, and potentially use it to commit identity fraud.

How to protect yourself against malicious phone apps:

Never click a link or download an app sent to you by someone you don’t know via email or text
Only download apps from official app stores

Phishing scams and malware

Phishing is a tactic hackers use to trick you into revealing personal data or downloading a malicious app (also known as malware). A hacker can gain access to your phone by posing as a customer service agent or an authority figure and convincing you to hand over login credentials for your accounts. If you download malware from a fake app store or an email sent to you by a hacker, the app can be used to gain access to other apps on your phone.

How to protect yourself against phishing scams and malware:

Use email aliases to hide your personal email address when you’re creating new accounts online
Switch off email aliases and create new ones if you start to receive spam emails
Never give out your personal information via email, phone call, or text unless you’ve verified that you’re speaking to a legitimate governmental or business representative. They’ll never ask you for your password, so never give that out.

SIM-swapping

A SIM-swap attack is a type of identity theft that hackers can use to convince your mobile carrier to switch your phone service over to a new SIM card in their possession. They can then perform an account takeover, gaining access to your phone number and all the apps you use on your phone.

How to protect yourself against SIM-swapping attacks:

Don’t share personal information such as your phone number online
Create strong passwords for all of your online accounts
Use two-factor authentication (2FA) to create extra protection for your accounts

Surveillance

In more extreme cases, software such as Pegasus spyware can be sold to governments for surveillance purposes. This type of spyware can be deployed without the device owner taking any action, granting full access to all of the apps and data stored on the device as well as the camera and microphone. According to an investigation conducted by the Forbidden Stories consortium and Amnesty International, Pegasus spyware has been used against “at least 180 journalists […] in countries like India, Mexico, Hungary, Morocco and France, among others.” This type of hack is more likely to affect high-profile or politically sensitive workers, so it isn’t common.

How to protect yourself against government surveillance:

Consider extra safety precautions if you’re a politically exposed person such as high security programs
Consider using a dumb phone if you’re traveling
If you have a phone that connects to the internet, use a VPN

How to check if your phone has been hacked

Check your phone’s battery life

If the battery level on your phone suddenly decreases much faster than usual, this is a very common sign that your phone has been hacked. This is caused by malware running on your phone so that hackers can collect your data, and potentially even activate your phone’s microphone or camera remotely.

Check your signal

If your phone is suddenly unable to connect to your mobile carrier, make phone calls, or send texts for no reason, you may have been affected by a SIM-swapping attack. If you don’t move quickly, hackers will be able to access everything on your phone and you may be locked out of your accounts or see fraudulent transactions being made from your bank account. Contact your service provider to make sure that there are no issues with your network, and if there aren’t then you’ll need to confirm with your provider that you’ve been affected by a SIM swap attack.

Check your phone for unusual behavior

Unusual behavior may look like your phone crashing or restarting unexpectedly. You may see random pop-ups or ads that you haven’t seen before, as well as strange activity such as your phone taking a long time to load or the battery suddenly overheating. You may receive security alerts you haven’t seen before that hackers have generated, or you might start receiving a high volume of spam or phishing emails. If your phone starts acting suspiciously, you may have been hacked.

Check your settings and data usage

If the settings on your phone suddenly change without warning, for instance camera and microphone access for apps or two-factor authentication being switched off for your accounts, your phone could have been hacked. If you’re unsure of the settings you should use for your apps, look for handy app guides online about exactly what the apps on your phone can do and what they have access to.

You should also check for any unusual spikes in data usage on your phone. This could be a sign that your device has downloaded new apps or malware without your permission, or that it’s downloaded a large amount of data.

Check your phone for apps you don’t recognize

Go through your phone’s library to make sure that there aren’t any apps you didn’t download. If you spot an app you aren’t sure about, check online to see if it could have come preinstalled on your phone. Make sure that you know the purpose of every app on your phone, and if you can’t be sure, you can perform a hard reset to restore your phone to factory settings.

What to do if your phone was hacked

Here’s a step-by-step guide for what to do if you know that your phone has been hacked.

Back up your photos, files, and contacts. If there’s anything on your device that you want to save, make sure you back it up to secure cloud storage.
Reset your phone to factory settings. This will get rid of any malware and malicious apps.
Update your OS to the latest version after resetting your phone. Updating your phone will protect you from existing vulnerabilities in the device’s OS that hackers could exploit.
Download apps manually from the official app store. Don’t use automatic backup to restore your apps: you might download malware apps again. Instead, go to your device’s official app store and don’t visit any third party app stores.
Change your passwords, focusing on sensitive apps such as online banking, email, and cloud storage apps.

How to prevent your phone from being hacked

Your phone requires a different security approach than your laptop or PC does: it’s unlikely that you need antivirus protection, but you still need to take care when you’re downloading apps and where you’re sharing sensitive data. Thankfully, by taking the following steps you can protect your phone.

Regularly update your operating system and your apps: One of the most important tools in your arsenal is simply regularly updating your phone and everything on it. Hackers exploit weaknesses in older versions of device operating systems and apps, so regular updates help you ensure that you’re protecting yourself from known vulnerabilities.

Only download official apps: When you’re looking for apps, make sure you’re visiting the official app store for your device e.g., Apple’s App Store or the Google Play Store. Unregulated third-party app stores may allow hackers to upload malware, so it isn’t worth using them.

Use a VPN: A VPN will hide your online activity, making it much harder for a hacker to intercept your phone. You’re less vulnerable to being spied on when you’re connected to a secure VPN, even if you’re connected to public Wi-Fi. Proton VPN protects your privacy and keeps no logs of what you do online, meaning what you do online on your phone is hidden from hackers, advertisers, and governments.

Don’t ever give out your login credentials: No customer service agent or representative for a company or governmental agency will ever ask you for your login credentials. If you’re asked to give your email address or password on the phone, or via email or text, it’s highly likely that you’re being targeted by a scammer. If you need to share your passwords securely with a family member or a friend, it’s possible to do this safely with a password manager, but you should never give your login credentials to anyone you don’t know.

Use a password manager: As mentioned above, a password manager will help you share passwords securely if you need to. Securing your accounts is easy with the right tool: Proton Pass protects your passwords, keeping them in a single, secure location for you to access when you need, instead of spreading them across insecure locations such as written notes or documents. All of the passwords to your banking apps, your government services, your online shopping accounts, and more can be easily stored, autofilled, and even securely shared with family and friends if necessary.

Use two-factor authentication: Two-factor authentication (2FA) creates an extra way to verify your identity when you log into one of your online accounts. As well as a password, you can use a biometric login, a single-use code generated by a secure authenticator app, or a security key. There are many ways you can make it harder for a hacker to access your account, and it’s worth activating 2FA for as many of your accounts as you can.

Ensure your phone stays safe in the future

Choosing the right tools is half the battle when it comes to keeping your devices safe. With so many malicious apps and phishing scams online, how can you stay safe? With a secure VPN and password manager, you can protect your sensitive data, your devices, and your online life, no matter your level of tech expertise. Proton puts your privacy first and gives you the power to protect yourself from bad actors online.

Are AI toys safe? A major leak exposes troubling privacy gaps

Edward Komenda — Fri, 27 Feb 2026 18:55:56 GMT

AI-powered toys are among the latest tech marketed to families: plushies, robots, and dolls that can talk back, remember details, and interact conversationally with children using large language models.

But beneath the friendly promotions lie serious safety, privacy, and developmental concerns that have drawn increasing scrutiny from researchers, consumer groups, and child advocates.

Children chat logs exposed

A striking example surfaced in January 2026, when security researchers Joseph Thacker and Joel Margolis discovered that an AI toy called Bondu left more than 50,000 children’s chat transcripts exposed on a web-based console. By simply logging in with a Gmail account — no special credentials — they accessed entire conversation histories, names, birthdates, family details, and even device information tied to young users.

That exposure underscores a creepier truth: many AI toys store and process detailed data about children to provide context back to language models like GPT-5 and Gemini. The richer the dataset, the more sensitive the information. Yet infrastructure security, access controls, and data minimization are often afterthoughts in product design.

Beyond privacy flaws, other incidents reveal tangible psychological risks. Investigations have found some AI toys capable of offering instructions on dangerous items, discussing explicit content, or generating unsafe replies during testing. Advocacy groups like Fairplay for Kids and Common Sense Media warn that these toys can undermine healthy development, encourage obsessive focus on machines, blur boundaries between real relationships and algorithmic responses, and prey on children’s trust.

Experts also raise concerns about emotional attachment. AI toys are designed to remember past conversations and present themselves as empathetic companions. Children who naturally trust voices they hear may over-rely on these devices, potentially hindering resilience, social skills, and real world bonding.

Here’s a look at what’s at stake.

The privacy and security risks of AI toys

Data collection often exceeds what families expect.
Storage of transcripts, profiles, and preferences creates high-value targets for attackers.
Poor authentication and API flaws can expose data broadly.
Third-party AI services may see or process children’s conversational content.

These risks are not new. Earlier generations of connected toys like CloudPets and My Friend Cayla suffered major breaches or were banned for insecurity, but AI integration amplifies them by increasing data volume and personalization.

Psychological and developmental concerns

AI companions can confuse developing social understanding.
Exposure to inappropriate or dangerous content is possible even with safeguards.
Heavy reliance on AI may crowd out imaginative play critical for growth.

Should you use AI toys at all?

Ideally, no. At least not right now.

AI toys combine microphones, cloud storage, large language models, and detailed behavioral profiling in products designed for children. At this stage, there is no reliable guarantee that the data collected will remain private, secure, or free from misuse. Security flaws, excessive data retention, and unpredictable AI outputs are still common across the industry.

If you can avoid introducing an AI-connected toy into your child’s environment, that is the safest option.

If you decide to use one anyway, here’s how to reduce the risks.

If you’re a parent, here’s how to limit the risks

Choose the least connected option. Prefer toys that process interactions locally and store minimal data.
Read the privacy policy carefully. Look for what is stored, how long it’s retained, and whether conversations are shared with third parties.
Disable unnecessary features. Turn off cloud backups, data sharing, and voice recording storage where possible.
Use strong account security. Enable two-factor authentication and unique passwords.
Keep devices out of bedrooms. Avoid placing internet-connected microphones in private spaces.
Have conversations with your child. Make sure they understand the toy is not a real friend and should not replace real relationships.

Consumer advocacy groups have recommended avoiding these products entirely for young children, especially under age five.

A case for stricter standards

AI toys may promise learning and companionship, but current evidence shows multiple layers of risk spanning privacy, security, and child development.

The Bondu exposure is a vivid reminder that “safety” is about much more than content control. It’s about how systems are built, what they collect, and how they protect the most vulnerable users. As this technology evolves, so must the safeguards designed to keep children truly safe.

What 3,000 SMBs revealed about cyber risk in 2026

Raphael Auphan — Thu, 26 Feb 2026 12:23:02 GMT

Startups, family businesses, boutique consulting firms — these are the companies most at risk of cybersecurity attacks. And they know it. So they’ve been taking precautions to stay safe from hackers: adopting tools, tightening policies, and investing in employee training.

Despite these precautions, nearly one in four SMBs fell victim to cyberattacks in the past 12 months alone.

These are among the major findings of Proton’s 2026 SMB Cybersecurity Report, a global study that surveyed 3,000 decision-makers at companies with fewer than 250 employees across six key markets: US, UK, Brazil, France, Germany, and Japan.

Our report offers data and lessons that go beyond the generic and false “SMBs are unprepared” cliché, showing how leaders are actually investing in cybersecurity and why those investments have failed to protect so many of them.

Download the free report

Why we ran this study

At Proton, we regularly survey our community to understand how people use technology and where they feel their sensitive data is vulnerable. With these insights, we can develop new products and features or make recommendations to the customers that depend on our encrypted business solutions. We identified a gap in the research when it comes to SMBs.

Much of today’s cybersecurity research still assumes an enterprise-level setup, with bigger budgets, in‑house security experts, and a CISO in every meeting. That’s not the reality for most SMBs, where the same person may well be signing off on sales targets, lunch orders, and security policies.

We commissioned this report to answer a simple question: What is the real-world risk for SMBs, and what measures are they taking to protect themselves?

Here’s what our report found

With such a large-scale survey, we could identify several surprising and sweeping conclusions that were consistent across SMBs in multiple industries and countries.

Spending is up, but security isn’t: Many SMBs have run formal risk assessments, introduced regular audits, and rolled out modern measures like multi-factor authentication and password managers. On paper, they look significantly more mature than the stereotype of the unprotected small business. And yet, many still report serious cyber incidents within the same year — often with financial damage that can wipe out months of investment or even halt operations. Well over 1 million small- and medium-sized businesses suffered a cyberattack last year, taking into account the number of SMBs in the markets we studied.
Human error can’t be patched: People remain one of the biggest vulnerabilities in SMB security. Organizations are not ignoring this; most invest in security awareness training and phishing education. But many businesses also acknowledge that confidence in employees’ ability to spot and avoid every threat is limited. Credential sharing tells this story clearly. Even in companies that have rolled out password managers, logins still circulate via email, messaging apps, shared documents, calls, and written notes.
Cloud and AI has expanded the attack surface: Almost all of the businesses we surveyed now rely on major cloud providers for core operations, and many have started to integrate AI tools into their workflows. What stands out is the gap between dependency and confidence. Businesses frequently assume that being on a large platform means their data is automatically safe, even when they can’t clearly explain where it is stored, how it is encrypted, or who can access it.
Security is now a selling point: A clear majority of SMBs say that demonstrating strong data protection has become critical for winning new business, and only a small fraction say clients never ask about security. It’s no wonder. When businesses are attacked, the damage isn’t limited to the business that suffered the breach. It cascades outward. Your partners’ data can be exposed, their operations disrupted, their reputation tarnished, and their own customers put at risk.

Get the full report

Proton gives people and organizations meaningful control over their data through end‑to‑end encryption, open standards, privacy-first Swiss jurisdiction, and a business model that doesn’t depend on exploiting user information.

With the SMB Cybersecurity Report 2026, we’re extending that same philosophy to the way smaller organizations understand their risk. For small business leaders, the report provides a practical benchmark. The report includes four key insights and five actionable recommendations for your SMB. You’ll gain clues into whether your security posture is as strong as you think it is, where it needs reinforcing, and what to prioritize next.

You can explore the full findings, including regional trends, sector differences, and concrete recommendations, in the complete SMB Cybersecurity Report 2026.

Download the free report