IT NEWS

Last month, a strange thing happened in cybersecurity: a type of cyberthreat typically reserved for large businesses and critical services appeared on the computers of everyday people.

Starting on July 20, hundreds of individuals across the globe began reporting problems with ransomware. Ransomware is an existential threat to businesses everywhere, but for years, it has been understood as primarily that—a business threat.

By focusing their attacks on multimillion-dollar organizations and essential government and health services, ransomware gangs hope to force a payment from their victims who cannot risk shutting down. For some victims, like hospitals, such an impact to their services could be a matter of life and death.

But for the ransomware campaign in July, which involved a variant called Magniber, cybercriminals focused not at all on businesses, but on people. After victims had their computers infected, they received a ransom note and a demand for $1,000 in exchange for having their devices and files cleaned. If victims waited for more than three days to pay up, the demand shot up to $5,000.

The campaign lands during a devastating period of ransomware attacks against businesses, in which the frequency of attacks has steadily climbed up and up, annually, for several years. This increase in attacks is recorded and analyzed in the latest 2024 ThreatDown State of Ransomware report by Malwarebytes, which can be viewed below.

With a global increase in ransomware attacks against businesses, and with no decryption key in sight for victims of Magniber, it’s more clear than ever that ransomware is a must-know cybersecurity risk for people at home.

Why you need to know about ransomware

The most important services in your life are also the most attractive targets for ransomware gangs around the world, which is why your banks, grocery stores, hospitals, schools, government resources, and more could, without any fault of your own, suddenly grind to a halt. Because of ransomware attacks in the past, surgeries have been delayed, classes have been cancelled, and, more recently, a credit union’s customers had their direct deposit payments thrown into disarray.

In ransomware attacks, the pressure is the point.

For years, cybercriminals have focused their ransomware attacks against the types of organizations that are essential for everyday life, including hospitals, schools, critical infrastructure, and entire city governments. Once these organizations are infected with ransomware, their systems and devices become useless, as a ransomware attack will grab all files stored within reach and “encrypt” them—making them inaccessible to their own users without a related “decryption key.”

It is at this critical moment when the clock starts ticking for ransomware victims.

Organizations without reliable backups, unable to work or provide vital services, are pressured into a dreadful decision: Do they pay the cybercriminals a ransom to receive the decryption key (and trust that it works), or do they try to start from scratch, rebuild their technology operations, and refuse to fund the efforts of cybercriminals?

For businesses around the world, it’s a question that is happening more frequently, Malwarebytes found.

Between July 2023 and July 2024, ransomware attacks against organizations increased by 33% across the world, year-over-year, according to the 2024 ThreatDown State of Ransomware report. The US and the United Kingdom suffered the greatest uptick in attacks during the same time period, of 63% and 67% respectively.

But it wasn’t just the frequency that increased. It was also the ransom payments.

While the attacks that deployed Magniber against everyday people requested just thousands of dollars, ransomware attacks against businesses and organizations can include demands of millions upon millions of dollars.

In fact, in 2023, the total sum of all ransomware payments made—meaning actual money transferred to cybercriminals by their victims—surpassed $1 billion. The average ransom payment during the same time period was $620,000, and the cost of recovering from a ransomware attack was an astonishing $4.7 million.

In its investigation, Malwarebytes also revealed that ransomware attacks against organizations were becoming faster, happening more frequently at night (so as to avoid detection), and relied increasingly on an attack method in which cybercriminals would use a breached computer’s own software to help carry out the attack.

But most intriguing to everyday users is the discovery that the US is unique in suffering attacks on healthcare facilities and schools and colleges. While the US accounts for a shocking 48% of all ransomware attacks worldwide, it accounts for 60% of all education attacks and 71% of all healthcare attacks.

Your role in this threat landscape is complex. While there is not much you can do to protect hospitals, schools, banks, and city governments, there also is not much you should do. These are separate entities that are responsible for their own cybersecurity and the public cannot be expected to manage the operations of every service they need.

That said, there are steps you can take to protect yourself from ransomware attacks.

How home users can prevent ransomware

There are some rules that can help you avoid falling victim to this type of ransomware:

• Make sure your system and software, including your browser, are on the latest version. Criminals will exploit known holes that have been patched by the vendors but not updated everywhere.
• Run a trusted anti-malware solution.
• Never download illegal software, cracks, and key generators.
• Use a malicious content blocker to stop your browser from visiting bad sites.
• Don’t open unexpected email attachments.
• Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

You can also read the full 2024 ThreatDown State of Ransomware report below.

Texas Attorney General Ken Paxton has sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent.

In June, the Attorney General (AG) announced he had opened an investigation into several car manufacturers over allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.

Following that investigation, the AG explained in a press release, he decided to sue General Motors:

 “Our investigation revealed that General Motors has engaged in egregious business practices that violated Texans’ privacy and broke the law. We will hold them accountable.”

The court filing provides some more detail. It reasons that when consumers buy a vehicle, they want a mode of transportation to get them from one point to another, but with GM (and its subsidiary OnStar) they unwittingly opt-in to an all-seeing surveillance system.

GM collected scores of data points from consumers about their driving habits and monetized that data by selling it on to other commercial parties. The AG accuses GM of installing technology that allegedly improves the safety, functionality, and operability of its vehicles, but at the same time this technology gathers driving data about the vehicle’s usage.

The driving data collected and sold by GM included trip details like speed, seatbelt status, and driven distance. On top of that, GM gathered data through other products like its mobile apps.

GM had agreements with various companies which allowed them to the driving data to calculate a driving score based on risk analysis. After buying a license from GM, an insurer could access the driving scores of over 16 million customers. Based on those scores the insurer could and did increase monthly premiums, drop coverage, or deny coverage.

GM claimed to have consent, but according to the AG it “engaged in a series of misleading and deceptive acts” to obtain that consent.

Among others, the onboarding process was treated as a mandatory pre-requisite to take ownership of the car. But it was nothing short of a deceptive flow to ensure customers would agree to sign up for GM’s products and get enrolled in the driving data collection scheme. Customers were presented electronically with some fifty pages of disclosures about its OnStar products, which consisted of product descriptions and a confusing series of applicable user terms and privacy notices.

At no point did GM disclose that it would sell any of their data, much less their driving data, nor did it disclose that it had contracts in place to make driving scores available to other companies or permit companies to re-sell driving scores to insurance companies.

Last year on the Malwarebytes Lock and Code podcast, David Ruiz spoke to a team of researchers at Mozilla who had reviewed the privacy and data collection policies of various product categories over several years. They reported that classified cars were the worst product category they ever reviewed for privacy.

A modern car hasn’t solely been a transportation vehicle for a long time. With multiple digital systems, they are increasingly plugged into web applications and digital processes—both of which are vulnerable to security flaws.

But at least those flaws are not intentional; some of the privacy issues apparently are. So it’s good to see a raised awareness among consumers about these issues, and investigations conducted.

As we noted, an ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.

Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.

As always, we will keep an eye on the developments in this field.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Stalkerware researcher maia arson crimew strikes again. Big time.

We know maia as a researcher that loves to go after stalkerware peddlers, which Malwarebytes—as one of the founding members of the Coalition Against Stalkerware—loves to see.

This time the target company, Tracki, is one selling GPS trackers and doesn’t hesitate to explicitly market itself as a device for spying on a spouse or other family member. Tracki devices are sold by some major telecommunication companies, sometimes under the Tracki brand or sometimes under their own label.

Tracki’s mother company Trackimo—hey we’re not the ones that made that name up—co-owns a subsidiary called watchinU that offers a Nickelodeon-branded smart watch for kids, the NickWatch, which is currently only available in the UK and Israel.

The investigation into Tracki, besides uncovering a tangled web of companies, dubious websites, and false identities, also led to a data breach that maia says could possibly affect almost 12 million users.

Researching the technology behind the tracker and the web portal for customers that want to see all their trackers on a map, maia found various hardcoded usernames and passwords used to load data from a number of administration and support tools.

One of the tools, the Trackimo Troubleshooter, was designed for remote debugging of all Tracki and Trackimo devices, by showing the technical support agents practically all the data from any given device by just entering a device identification number.

This “simple internal support tool” required no other authentication than logging in using a password that shared between Tracki and Trackimo employees. All you need to is a device id which follows a standardized format, so it looks like it’s possible with a bit of scripting to grab all the relevant data from each device.

Tracki support receives multiple subpoenas per week from local and federal law enforcement worldwide. Many are for stalking or harassment but also occasionally for other charges, including domestic violence, attempted murder, and murder. In all these cases, the victim was being tracked by using a Tracki device. maia says Trackimo is not only aware of these use cases, but actively assisted customers to set up nonconsensual tracking of individuals via its helpdesk.

Worryingly, agencies and military programs in the US and other governments around the world use Tracki devices, typically for asset, personnel, and vehicle tracking.

Our takeaway from this research is that by deciding to use stalkerware, of almost any kind, you are not the only one who might be able to follow the target. We have shown time and time again that these companies do not invest as much in keeping their records secure as you would expect or hope.

If you’re curious about the companies and people behind them, please read maia’s blog. It contains a lot of juicy details.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Millennials are in a bind.

According to a new analysis of research released earlier this year by Malwarebytes, Millennials are significantly more likely than every other generation to feel that there is no need to share their online account logins with boyfriends, girlfriends, spouses, or significant others, and that keeping such information private shows trust between partners.

And yet, Millennials still grant their romantic partners the same level of access as Gen Z partners do to their devices, locations, online banking accounts, ride-sharing services, vacation rental platforms, and more, causing a crisis of consent amongst a small number of Millennial partners who agreed: Their sharing is done only under duress.

The new findings—which come from a follow-on investigation into the data compiled in the Malwarebytes report “What’s mine is yours: How couples share an all-access pass to their digital lives”—reveal a unique problem for Millennials who grew up before the internet took hold of public life. Straddled with fading privacy norms, Millennials are not entirely convinced that healthy relationships should involve such high, digital demands.

A stronger sense of privacy

For Millennials, privacy is seemingly sacred.

Ranking higher than any other age group, 67% of Millennials in committed relationships agreed that they “don’t feel the need to share my device logins or passwords with significant others.” The rates of agreement for the same sentiment were significantly lower amongst Gen Z respondents (57%), Gen X respondents (52%), and Baby Boomer respondents (49%).

Relatedly, Millennials also believed that privacy between romantic partners was crucial to a healthy relationship.

When asked about a similar statement, 73% of Millennials agreed that “keeping your personal login information (account or computer passwords, device PINs, etc.) private in a romantic partnership shows trust between partners.” Again, the rates of agreement amongst other age groups were lower, with just 56% of Gen X respondents and 57% of Baby Boomers feeling the same way. Gen Z respondents also reported a lower rate, at 68%.

Alone, these two findings don’t reveal that Millennials are particularly unique, but it is where Millennials split off—from either Gen Z respondents or older Gen X respondents and Baby Boomers—that their online beliefs come into focus.

For example, Millennials, Gen X respondents, and Baby Boomers all reported similar rates of refusing to share their locations with their romantic partners through apps like Apple’s Find My, or through third-party apps like Google Maps. When asked if they currently share their locations these ways with their significant others, 16% of Millennials said “No, and I never would.” They were joined nearly hand-in-hand with Gen X respondents (17%) and Baby Boomer respondents (18%).

But in looking at Gen Z, a separate vision of location privacy emerges—just 10% of Gen Z respondents said they do not, and never would, share their locations with their significant through the use of apps. Gen Z respondents, for their part, were the most likely to agree that “sharing locations with my significant other makes me feel safer” (85%).

Unsatisfied with account sharing and unconvinced about location sharing, Millennials should report lower rates of those exact activities with their own romantic partners.

The strange thing is they don’t.

Similar sharing

Millennials in committed relationships share just as much access to many of their devices and online accounts as Gen Z respondents do—from their computers to their tablets to their messaging apps and their online photo albums.

When asked if their romantic partners have access to specific types of personal accounts, Millennials and Gen Z reported similar rates of sharing for:

• Computer PIN/password (73% of Millennials and 69% of Gen Z)
• Location sharing apps such as Find My/Find My Device (71% of Millennials and 73% of Gen Z)
• Messaging apps such as WhatsApp, Messenger, Viber, WeChat, etc. (55% of Millennials and 52% of Gen Z)
• Food/grocery deliver apps such as Uber Eats, DoorDash, Instacart, etc. (63% of Millennials and 60% of Gen Z)
• Ride-hailing apps such as Uber, Lyft, etc. (57% of Millennials and 58% of Gen Z)
• Vacation rental apps such as Airbnb, Vrbo, etc. (58% of Millennials and 55% of Gen Z)

In fact, though variations between the two generations did appear for certain behaviors, including sharing access to email accounts, social media, and phone passcodes, the difference in reporting was never large enough to be statistically significant. When it comes to sharing actual account and location access, Millennials are far more similar to Gen Z than to Gen X and Baby Boomer respondents.

But the sharing doesn’t come without wrinkles.

More than any other generation, Millennials were more likely to say they shared account access with their romantic partners only because their partners insisted.

For respondents who granted at least some account and app access to their boyfriends, girlfriends, spouses, or partners, 16% of Millennials agreed:

“My partner insists on sharing account access even though I don’t want to.”

That rate was significantly higher than Gen Z (9%), Gen X (4%), and Baby Boomers (1%).

Millennials were also the most likely to agree that, if they had granted some account access to their romantic partners, it was because of threats they received.

At significantly higher rates than Gen X respondents (2%) and Baby Boomers (2%), and at slightly higher rates than Gen Z respondents (9%), 14% of Millennials agreed: “My partner has threatened me over sharing account access (for example, said they would break up with me, harm me physically or emotionally, not talk to me/shut me out, etc.).”

Different dilemma

Millennials in committed relationships are at a crossroads.

As the last generation to be raised without smartphones, their sense of privacy—particularly around location—stands in stark contrast to Gen Z. They are less likely to see the value in sharing online account access with their romantic partners, and more likely to say that, when they do share such access, it is only because their partner insists.

Where the pressure is coming from, exactly, is unclear. It may be from having relationships with Gen Z partners (the reported average age gap between heterosexual couples in America of 2.3 years allows for intergenerational couples in their late 20s for Millennials and Gen Z). It may also be from other Millennials who are becoming influenced by modern dating norms.

Whatever the cause, there is guidance for setting and adhering to the type of online sharing that works for each couple. To learn more about consensual location sharing, avoiding online harassment, and what risks lie ahead for couples that overshare, visit the Modern Love in the Digital Age hub below.

Last week on Malwarebytes Labs:

• Dozens of Google products targeted by scammers via malicious search ads
• Microsoft patches bug that could have allowed an attacker to revert your computer back to an older, vulnerable version
• We’re making it easier for you to protect your identity
• X accused of unlawfully using personal data of 60 million+ users to train its AI
• Malwarebytes awarded Parent Tested Parent Approved Seal of Approval
• Data theft forum admins busted after flashing their cash in a life of luxury
• AI girlfriends want to know all about you. So might ChatGPT (Lock and Code S05E17)
• Google Manifest V3 and Malwarebytes Browser Guard

Last week on ThreatDown:

• Ransomware payments on track to smash $1.1 billion record
• Ransomware review: August 2024
• Malwarebytes expands protection to ARM-powered Windows devices with ThreatDown product portfolio
• Update now! August Patch Tuesday covers several zero-days
• Patch now! Microsoft Office flaw could leak NTLM hashes

Stay safe!

In a previous blog, we saw criminals distribute malware via malicious ads for Google Authenticator. This time, brazen malvertisers went as far as impersonating Google’s entire product line and redirecting victims to a fake Google home page.

Clearly not afraid of poking the bear, they even used and abused yet another Google product, Looker Studio, to lock up the browser of Windows and Mac users alike.

We describe how they were able to achieve this, relying almost exclusively on stolen or free accounts and leveraging Google’s APIs to create rotating malicious URLs for the browser lock.

All malicious activities described in this blog have been reported to Google. Malwarebytes customers were proactively protected against this attack via the Malwarebytes Browser Guard extension.

Malvertising {keyword:google)

The following image is a collage of malicious ads that all came from Google searches each consisting of two keywords: google {product}. They all tie back to the same advertiser, which we believe may be unaware that their account was compromised. In fact, we previously saw that same advertiser in two other unrelated incidents at the end of June 2024 for Brave (malware download) and Tonkeeper (phishing).

While brand impersonation is commonly done via tracking templates, in this instance the fraudsters relied on keyword insertion to do the work for them. This is particularly useful when targeting a single company and its entire portfolio. Notice how all the ads follow the same pattern with a display URL showing lookerstudio.google.com (a Google product also later abused in this scheme).

Shortly after we reported this initial wave of ads, we saw the same scammers (the final URL after clicking on the ad is also going to lookerstudio.google.com) register a new advertiser account. In this case, despite their identity not having been verified yet, their ad still showed up for a standard “google maps” search. This time, the ad’s display URL mirrors the product (maps.google.com):

Fake Google Search page via Looker Studio

Originally intended as a tool to convert data into dashboards, the scammers are misusing Looker Studio to display a dynamically generated image instead. The image is stretched across the screen to give the illusion that you are at the Google home page, ready to make a new search.

Opening Developer Tools in Chrome, we can see that the “Google search page” is indeed just one large image:

What’s interesting is how this image is used as a lure that requires some user interaction to trigger an action. Leveraging the Looker Studio API, the scammers are embedding a hidden hyperlink that will be launched as a new tab when a victims clicks on the image:

Tech support scam

The embedded linkUrl cddssddds434334[.]z13[.]web[.]core[.]windows[.]net redirects to a fake Microsoft or Apple alert page that will attempt to hijack the browser by going in full screen mode and play a recording. These fake alerts are the most common way innocent people fall victims to tech support scams. In such a situation, many people will assume there is something wrong their computer and will follow the instructions they are given on screen.

Calling the phone number for assistance will kickstart a conversation with a call center often located overseas. Fake Microsoft or Apple representatives will persuade victims to buy gift cards or log into their bank account to pay for the ‘repairs’.

The scam URL is part of web[.]core[.]windows[.]net which belongs to Microsoft Azure and is commonly abused by scammers. In this particular instance, the Looker Studio API provides a new malicious URL (rotated at regular intervals) to make any blocking via conventional means futile.

Conclusion

As we saw in this blog, malicious ads can be combined with a number of tricks to evade detection from Google and defenders in general. Dynamic keyword insertion can be abused to target a larger audience related to the same topic, which in this case was Google’s products.

Finally, it’s worth noting that in this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. That means more flexibility for the criminals while increasing difficulty to block.

As we were investigating this campaign, we checked that Malwarebytes customers were protected. Despite the malicious URLs being hosted on Microsoft Azure and rotating regularly, Malwarebytes Browser Guard was already blocking this attack thanks to its heuristics engine.

Indicators of Compromise

Google advertiser accounts

08141293921851408385
Dhruv
06037672575822200833

Looker Studio URLs

lookerstudio[.]google[.]com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/
lookerstudio[.]google[.]com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/
lookerstudio[.]google[.]com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/

Microsoft has released a patch for a bug for a “downgrade attack” that was recently revealed by researchers at security conferences Black Hat and Def Con.

What does that mean in layman terms?

You: Let me check whether my system is fully updated

Windows: Sure, all’s well

Attacker: *Chuckles and deploys an attack against a vulnerability for which you could have been patched long ago*

With a downgrade attack, the victim may have done all they can to keep their computer and software up to date, but an attacker can force it to revert to an older, vulnerable version and then use a known bug to infect your device.

With this particular attack, the researcher built a tool called “Windows Downdate” that takes over Windows Updates to turn a completely patched Windows system into a system which is exploitable by thousands of vulnerabilities from the past.

Microsoft has now patched the two vulnerabilities in Windows (CVE-2024-38202 and CVE-2024-21302) that the researcher used to create Windows Downdate. To manually check whether you have received this update:

• Click Settings in the Start menu
• Click Windows Update
• Select Update History

You should see this entry (KB5041585 successfully installed) for Windows 11:

If you don’t see this, you can start the update by clicking the Check for updates button from the Windows Update menu, or download the relevant update from the Microsoft Update Catalog.

For Windows 10 systems the method is the same, but the KB number is KB5041580 and the update catalog can be found by following this link.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Things have changed in cybersecurity. 

Gone are the days when our only worry was downloading a virus. Now, 71% of people say having their data leaked and identity stolen is one of their biggest fears about being online. Sadly, they’re right to be concerned: Fraud losses hit $10 billion in 2023 (up 14% from 2022). 

But as the threats have evolved, so have we, and over the last year we’ve added products that protect your entire digital life. Now we’re making things even easier: We’re embedding our identity solutions into our Malwarebytes dashboard so you can manage everything in one place.  

Our all-new identity module lets you: 

• Scan for your exposed personal data for free 

• Upgrade or manage your identity theft protection (active alerts and insurance) 

Available now for Windows. More platforms on the way. 

Try it yourself: Simply open Malwarebytes, or if you don’t have our app you can download it here. 

In what may come as a surprise to nobody at all, there’s been yet another complaint about using social media data to train Artificial Intelligence (AI).

This time the complaint is against X (formerly Twitter) and Grok, the conversational AI chatbot developed by Elon Musk’s company xAI. Grok is a large language model (LLM) chatbot able to generate text and engage in conversations with users.

Unlike other chatbots, Grok has the ability to access information in real-time through X and to respond to some types of questions that would typically face rejection by other AI systems. Grok is available for X users that have a Premium or Premium+ subscription.

According to European privacy group NYOB (None Of Your Business):

“X began unlawfully using the personal data of more than 60 million users in the EU/EEA to train its AI technologies (like “Grok”) without their consent.”

NOYB decided to follow up on High Court proceedings launched by the Irish Data Protection Commission (DPC) against Twitter International Unlimited Company over concerns about the processing of the personal data of European users of the X platform, as it said it it was unsatisfied with the outcome of those proceedings.

Dublin-based Twitter International Unlimited Company is the data controller in the EU with respect to all personal data on X.

The DPC claimed that by its use of Grok, Twitter International is not complying with its obligations under the GDPR, the EU regulation that sets guidelines for information privacy and data protection.

Despite the implementation of mitigation measures—after the fact–the DPC says that the data of a very significant number of X’s millions of European-based users have been and continue to be processed without the protection of these mitigation measures, which isn’t consistent with rights under GDPR.

But NOYB says the DPC is missing the mark:

“The court documents are not public, but from the oral hearing we understand that the DPC was not questioning the legality of this processing itself. It seems the DPC was concerned with so-called ‘mitigation measures’ and a lack of cooperation by Twitter. The DPC seems to take action around the edges, but shies away from the core problem.”

For this reason, NOYB has now filed GDPR complaints with data protection authorities in nine countries (Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Poland, and Spain).

All they had to do was ask

The EU’s GDPR provides an easy solution for companies that wish to use personal data for AI development and training: Just ask users for their consent in a clear way. But X just took the data without asking for permission and later created an opt-out option referred to as the mitigation measures.

It wasn’t until two months after the start of the Grok training, that users noticed X had activated a default setting for everyone that gives the company the right to use their data to train Grok. The easiest way to check if you are sharing your data is to visit https://x.com/settings/grok_settings while you are logged in to X. If there is a checkmark, you are sharing your data for the training of Grok. Remove that checkmark and it stops.

In a similar case about the use of personal data for targeted advertising, Meta argued that it has a legitimate interest that overrides users’ fundamental rights. This counts as one of the six possible legal bases to escape GDPR regulations, but the Court of Justice rejected this reasoning.

Many AI system providers have run into problems with GDPR, specifically the regulation that stipulates the “right to be forgotten,” which is something most AI systems are unable to comply with. A good reason not to ingest these data into their AI systems in the first place, I would say.

Likewise, these companies always claim that it’s impossible to answer requests to get a copy of the personal data contained in training data or the sources of such data. They also claim they have an inability to correct inaccurate personal data. All these concerns raise a lot of questions when it comes to the unlimited ingestion of personal data into AI systems.

When the EU adopted the EU Artificial Intelligence Act (“AI Act”) which aims to regulate artificial intelligence (AI) to ensure better conditions for the development and use of this innovative technology, some of these considerations played a role. Article 2(7)) for example calls for the right to privacy and protection of personal data to be guaranteed throughout the entire lifecycle of the AI system.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

We’re delighted to say Malwarebytes has been awarded the Parent Tested Parent Approved Seal of Approval for product excellence. 

The Seal of Approval is given to products that have earned the trust of families, and serves as a quick and reliable indicator of quality and dependability for parents and caregivers. 

Malwarebytes Plus, our Premium Security + Privacy VPN bundle, was tested and reviewed by a group of parents, and scored high in areas of ease of installation and use, value for money, and effectiveness.  

Reviewers noted that Malwarebytes Plus not only enhanced their device security, but also provided them with peace of mind, making them feel more confident about their family’s online safety. 

100% of the reviewers said they found it “very easy” to set up Malwarebytes on their device, with 94% saying they would continue using Malwarebytes after the testing period. 

They also praised the user friendliness of the program:

“Malwarebytes Plus is hands down the best antivirus system on the market. You don’t have to be a rocket scientist to run it – it does all the work for you!” 

94% said Malwarebytes was “very easy” to use for protecting their privacy online. One reviewer highlighted the peace of mind it offers: “I think every parent would feel safe about their children’s computer use after installing this software.” 

Sharon Vinderine, Founder and CEO of Parent Tested Parent Approved said:

“The Parent Tested Parent Approved Seal of Approval is much more than an award; it’s the at-a-glance symbol of trust and reliability for millions of families.” 

Protect your—and your family’s—devices by using Malwarebytes.