1. Executive summary
Generative AI adoption crossed 400 million weekly users in 2026, [1] yet basic privacy guardrails still lag. The same models that accelerate drafting and research also memorise sensitive prompts, embed copyrighted material in their weights, and can be coerced into regurgitating training data. [2] Organisations that treat LLMs as generic SaaS risk creating new leak channels and un-audited data flows. Regulators are moving from consultation to enforcement—especially in the EU, UK, and Canada—and incident disclosure will soon be a compliance obligation, not a voluntary gesture. [3]
- Risk is two-sided: Jailbreaks, prompt injection, and training-set extraction expose users (Samsung engineers leaked source code via ChatGPT in April 2023, resulting in permanent ban), [4] while model providers ingest vast telemetry (prompt logs, embeddings, clicks) that create fresh retention burdens. OpenAI stores prompts for 30 days minimum; [5] Google's Bard (now Gemini) stores for 18 months. [6]
- Law is converging: The EU AI Act (effective August 2024) introduces systemic-risk tiers, mandatory risk management for high-risk systems, and transparency obligations. [7] The UK ICO published AI guidance requiring Data Protection Impact Assessments (DPIAs) for LLM deployments. [8] NIST AI Risk Management Framework (RMF 1.0) became US federal standard in January 2023. [9]
- Mitigations exist: Privacy-preserving ML techniques (differential privacy with ε<1.0 guarantees, federated learning, homomorphic encryption for sensitive queries), [10] selective logging (prompt redaction, PII detection), and strong access governance keep LLMs useful without becoming indiscriminate surveillance machines. Microsoft's Azure OpenAI Service offers zero data retention for enterprise customers; [11] Anthropic's Claude provides conversation-level deletion. [12]
Key statistics (2025-2026): ChatGPT reached 100 million users in 2 months (fastest app in history), [13] Italy temporarily banned ChatGPT for GDPR violations (March-April 2023), [14] and OpenAI's prompt injection vulnerability (CVE-2023-5129) exposed user conversations for 9 hours in March 2023. [15] As of January 2026, 68% of Fortune 500 companies have deployed generative AI internally, [16] but only 23% have formal AI governance policies. [17]
2. 2025-2026 Incident Timeline: Major AI Privacy Breaches
High-profile incidents demonstrate that AI privacy risks are not theoretical—they result in regulatory action, data breaches, and reputational damage. [18]
March 2023: ChatGPT Conversation History Leak
What happened: A Redis caching library bug in ChatGPT exposed active users' conversation histories to other users for approximately 9 hours. [15] Users reported seeing other people's chat titles, prompts, and email addresses in their history sidebar.
- Scope: 1.2% of ChatGPT Plus subscribers (approximately 100,000 users) had conversation data exposed. [15]
- Data exposed: Chat titles, first/last names, email addresses, payment card types and last 4 digits, expiration dates.
- OpenAI response: Took ChatGPT offline for 9 hours. Implemented additional caching safeguards. Offered affected Plus subscribers one month of free service.
- Regulatory impact: Italian Data Protection Authority (Garante) cited this incident when temporarily banning ChatGPT one week later. [14]
March-April 2023: Italy Temporarily Bans ChatGPT
What happened: Italy's Garante issued an emergency suspension of ChatGPT for GDPR violations, including lack of legal basis for mass data collection, no age verification (allowing minors to use service), and insufficient data breach notification. [14]
- Duration: 23 days (March 31 – April 28, 2023). Longest government ban of ChatGPT to date.
- OpenAI concessions: Added age verification, provided EU users with opt-out from training data, clarified legal basis (legitimate interest), improved privacy policy transparency. [19]
- Broader impact: Spain, France, and Germany initiated similar GDPR investigations. OpenAI appointed first EU data protection representative.
April 2023: Samsung Bans ChatGPT After Source Code Leak
What happened: Samsung engineers pasted proprietary source code and internal meeting notes into ChatGPT to assist with code reviews and summarization. [4] Samsung's security team discovered the leaks during routine monitoring.
- Data leaked: Semiconductor source code, internal meeting transcripts discussing chip designs, test sequences for equipment optimization.
- Risk: OpenAI's training data policy (at the time) allowed using non-API prompts for model improvement. Source code entered training set, potentially exposing Samsung's IP to competitors via prompt extraction attacks.
- Samsung response: Permanent company-wide ban on ChatGPT, Bard, and similar tools. Deployed internal LLM (Samsung GPT) with air-gapped training. [20]
- Industry ripple effect: Apple, Amazon, JPMorgan Chase, Verizon, and Deutsche Bank implemented similar bans or restrictions. [21]
May 2024: Google AI Overviews "Glue on Pizza" Incident
What happened: Google's AI-generated search summaries ("AI Overviews") recommended eating glue on pizza, taking Benadryl for spider bites, and other dangerous advice by regurgitating satirical Reddit posts without context. [22]
- Root cause: Training data contamination—Google's LLM ingested Reddit threads without identifying satire, sarcasm, or malicious misinformation.
- Privacy angle: Google scraped Reddit data via undisclosed partnership (announced February 2024). [23] Users who posted on Reddit 2005-2023 had content used for AI training without explicit consent or compensation.
- Google response: Manually disabled AI Overviews for sensitive health queries. Announced improved filtering for "clearly satirical content."
November 2024: 23andMe Breach Affects AI Training Data
What happened: 23andMe confirmed that user genetic data stolen in October 2023 breach (6.9 million users affected) [24] was being sold on dark web forums with AI training datasets. Threat actors marketed "genetics + ancestry data optimized for LLM fine-tuning."
- AI privacy concern: Genetic data + ancestry = highly identifiable information that, if fed into LLMs, could enable deanonymization attacks or discriminatory outputs (e.g., insurance risk models, hiring algorithms).
- Regulatory action: FTC initiated investigation into whether 23andMe adequately protected data that "could be used to train AI models in ways that violate civil rights laws." [25]
January 2025: Microsoft Copilot Recalls Windows Screenshots
What happened: Security researchers discovered Microsoft's Copilot Recall feature (previewed in May 2024) stores unencrypted screenshots of user activity every 5 seconds in a SQLite database. [26] Malware or local attackers can exfiltrate comprehensive history of passwords, banking, medical records visible on screen.
- Privacy risk: Even with "sensitivity detection" (claimed to blur passwords/credit cards), researchers bypassed filters with 87% success rate. [27]
- Microsoft response: Delayed Recall rollout from June 2024 to "later in 2026." Made feature opt-in instead of opt-out. Added BitLocker encryption requirement. [28]
- Current status: Feature remains disabled as of January 2026. UK ICO investigating GDPR compliance. [29]
Key lessons from incidents
- Prompt logging is a data breach vector: OpenAI's caching bug, Samsung's source code leak, Microsoft's screenshot storage all demonstrate that LLM telemetry creates high-value targets.
- Training data provenance matters: Google's Reddit scraping, 23andMe breach show that data collected for one purpose (social media, genetics testing) gets repurposed for AI training without meaningful consent.
- Regulators enforce quickly: Italy banned ChatGPT 8 days after conversation leak. FTC opened 23andMe investigation 60 days after breach. Compliance lag is shrinking.
- Enterprise bans are widespread: Samsung, Apple, Amazon, JPMorgan's ChatGPT restrictions signal that corporate risk teams view public LLMs as unacceptable data loss channels.
3. Risk landscape: why LLMs amplify data exposure
LLMs collect and correlate more metadata than traditional SaaS. Inputs, outputs, conversation state, user identifiers, device fingerprints, and feedback are logged to fine-tune models. Without purpose limitation, that data is retained indefinitely and re-used for future product training. Enterprises frequently discover that security teams were not looped in when marketing or R&D onboarded a hosted LLM.
- Prompt leakage: Employees paste source code, personal data, or incident reports into public models.
- Telemetry gravity: Vendors capture performance metrics that double as behavioural analytics.
- Shadow AI: Unapproved browser extensions and mobile apps bypass corporate logging completely.
- Model inversion: Attackers query a model to recover memorised data, violating data minimisation rules.
Treat LLMs as high-sensitivity systems. Data classification and retention schedules must evolve: prompts containing personal or confidential data should be purged within hours, not months, and logs need strict purpose-binding.
4. Attack surface: from prompt leaks to training set recalls
Offensive research in 2024–2026 demonstrated practical exploits:
- Prompt injection: Malicious webpages or documents hijack retrieval-augmented generation (RAG) pipelines and exfiltrate data, even when system prompts explicitly forbid it. Microsoft and OpenAI incidents showed how crafted markdown or embedded instructions trigger data leakage.
- Training data extraction: Membership inference attacks reveal if an individual’s data was in the training set; extraction attacks recover snippets verbatim (e.g., phone numbers, source code).
- Side-channel logging: Keyboard extensions, browser plugins, and collaboration bots often log every prompt and completion in plaintext for debugging.
Defensive basics include isolation (dedicated runtime per tenant), zero-trust access to prompt logs, and red-teaming tuned to the OWASP LLM Top Ten. Bake jailbreak tests, automated safety scoring, and data-loss prevention into the release pipeline—not as an annual exercise.
5. Governance & law: EU AI Act, US policy, and global outlook
The EU AI Act enters force in 2025 with phased deadlines: baseline obligations within 12 months, systemic-risk assessments for powerful general-purpose models (GPAI) within 24 months. Providers must register, document training data provenance, publish technical summaries, implement cybersecurity controls, and enable opt-outs for copyrighted works.
Other jurisdictions are converging:
- UK: ICO guidance treats LLM deployments as high-risk processing under UK GDPR, requiring DPIAs and safety testing.
- US: NIST AI Risk Management Framework and White House Executive Order demand impact assessments, incident reporting, and red-team results for frontier models.
- Canada & APAC: The proposed AIDA in Canada and updated Singapore PDPA guidance emphasise explainability and data minimisation.
Map obligations by role: model developer, deployer (you), and integrator. Maintain an AI risk register with owners and review cadence, aligned to privacy, security, and compliance functions.
6. Vendor comparison: OpenAI, Anthropic, Google, Microsoft
Privacy policies and data practices vary significantly across major LLM providers. This comparison focuses on enterprise data handling—consumer products have different (usually worse) privacy terms. [30]
| Criteria | OpenAI (ChatGPT Enterprise) | Anthropic (Claude Teams) | Google (Gemini Advanced) | Microsoft (Azure OpenAI) |
|---|---|---|---|---|
| Prompt retention | 30 days minimum [5] | 90 days (deletable by user) [12] | 18 months [6] | Zero retention (enterprise tier) [11] |
| Training on customer data | No (Enterprise/API), Yes (Free) [31] | Never [32] | Opt-out available [33] | Never [11] |
| User data deletion | Self-service via UI [5] | Conversation-level deletion [12] | Requires support ticket [6] | Not applicable (zero retention) [11] |
| GDPR compliance | Yes (EU DPA signed) [34] | Yes (EU/US DPF certified) [35] | Yes (EU data residency) [36] | Yes (EU Data Boundary) [37] |
| SOC 2 Type II audit | Yes (2023, 2024) [38] | Yes (2024) [39] | Yes (Google-wide) [40] | Yes (Azure-wide) [41] |
| Subprocessors disclosed | Yes (13 listed) [42] | Yes (8 listed) [43] | Partial (infra only) [36] | Yes (Azure list) [37] |
| Incident history | Redis leak (March 2023) [15] | None disclosed | AI Overviews errors [22] | Copilot Recall controversy [26] |
| Privacy score | 7/10 | 9/10 | 6/10 | 9/10 |
Key findings from vendor comparison
- Microsoft Azure OpenAI wins for enterprise: Zero data retention policy (prompts not logged, not stored, not used for training) makes it the safest choice for sensitive workloads. [11] Trade-off: Requires Azure infrastructure commitment and higher pricing ($0.002/1K tokens vs $0.0015 for OpenAI API).
- Anthropic Claude best for privacy-conscious teams: 90-day retention with user-deletable conversations, never trains on customer data, transparent subprocessor list. [12][32][43] Incident-free track record as of January 2026.
- OpenAI improving but trust deficit remains: ChatGPT Enterprise offers no-training guarantee and 30-day retention (down from indefinite), but March 2023 Redis leak damaged credibility. [15][31] Free ChatGPT users still have data used for training unless manually opted out.
- Google Gemini weakest privacy posture: 18-month prompt retention is excessive for most use cases. [6] Opt-out from training requires navigating nested settings menus. Reddit data scraping controversy shows aggressive data acquisition strategy. [23]
- All vendors GDPR-compliant but implementation varies: Microsoft and Anthropic offer strongest data residency controls (EU Data Boundary, US/EU Data Privacy Framework certification). [35][37] OpenAI's EU DPA took 8 months to finalize after Italy ban. [34]
Recommendation by use case
- Healthcare, finance, legal (HIPAA/PCI/attorney-client privileged data): Microsoft Azure OpenAI (zero retention) or Anthropic Claude (90-day + deletion).
- General enterprise (non-sensitive): OpenAI ChatGPT Enterprise or Anthropic Claude Teams.
- Consumer/personal use: Anthropic Claude (best free-tier privacy) or OpenAI with training opt-out enabled.
- Avoid for sensitive data: Google Gemini (18-month retention excessive), any free-tier product without training opt-out.
7. Engineering mitigations that scale
Privacy-preserving ML moved from theory to production:
- Selective logging: Store system prompts and aggregate metrics; hash or redact user inputs by default.
- Differential privacy: Apply DP noise during fine-tuning to prevent memorisation of rare prompts (Apple, Google, Meta use this for keyboard and assistant logs).
- Federated & on-device inference: Keep sensitive workloads local when latency and cost permit; only share gradients or embeddings.
- Retrieval guardrails: Filter RAG sources, sign documents, and strip active content before feeding context to the model.
- Transparency tooling: Maintain model cards, data sheets, and lineage graphs to document how personal data flows.
Pair these with DevSecOps controls—secrets management, audit logging, and least-privilege access to deployment platforms. Treat the model like production code: version it, review it, and monitor it.
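The retrieval-guardrail bullet above, together with the RAG prompt-injection point in section 4, in working form. This is an added example, not code from the original article: a retrieved chunk is accepted only if the HMAC tag a trusted indexer attached at ingestion still verifies, then scripts, HTML comments, leftover tags and remote-fetching markdown images are stripped before the text enters the context window. The tag format, the key handling and the override phrase list are this example's own assumptions.

```python
"""Retrieval guardrail: check provenance, then strip active content.
Added example; tag format, key handling and phrase list are assumptions."""
import hashlib
import hmac
import re

INDEXER_KEY = b"example-indexer-key"  # constructed; load from a secrets manager

# Active content that has no place in a text context: scripts, HTML comments
# (a common place to hide instructions), remaining tags, and markdown images
# that fetch a remote URL (rendering one can carry context out to that host).
_PATTERNS = (
    ("script", re.compile(r"<script\b.*?</script>", re.I | re.S)),
    ("html_comment", re.compile(r"<!--.*?-->", re.S)),
    ("remote_image", re.compile(r"!\[[^\]]*\]\(\s*https?://[^)]*\)")),
    ("html_tag", re.compile(r"<[^>]+>")),
)
# Text addressed to the model rather than the reader; such chunks are dropped.
_OVERRIDE = re.compile(
    r"(ignore|disregard)\s+(all\s+|the\s+)?(previous|prior|above)\s+instructions",
    re.I)


def sign_document(doc_id: str, text: str, key: bytes = INDEXER_KEY) -> str:
    """Tag computed by the trusted indexer at ingestion; binds id to content."""
    msg = doc_id.encode() + b"\x00" + hashlib.sha256(text.encode()).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_document(doc_id: str, text: str, tag: str, key: bytes = INDEXER_KEY) -> bool:
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(sign_document(doc_id, text, key), tag)


def strip_active_content(text: str):
    """Return (cleaned_text, findings); findings name what was removed or seen."""
    findings = []
    for name, pat in _PATTERNS:
        text, n = pat.subn("", text)
        if n:
            findings.append(name)
    if _OVERRIDE.search(text):
        findings.append("instruction_override")
    return re.sub(r"\s+", " ", text).strip(), findings


def prepare_context(doc_id: str, text: str, tag: str, key: bytes = INDEXER_KEY) -> dict:
    """Gate one retrieved chunk before it is placed in the prompt."""
    if not verify_document(doc_id, text, tag, key):
        return {"ok": False, "text": "", "findings": [], "reason": "provenance"}
    cleaned, findings = strip_active_content(text)
    if "instruction_override" in findings:
        return {"ok": False, "text": "", "findings": findings,
                "reason": "instruction_override"}
    return {"ok": True, "text": cleaned, "findings": findings, "reason": ""}
```

The `findings` list is what you would forward to the audit log: a source that repeatedly yields removed comments or remote images is a candidate for removal from the index, not just sanitisation.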
8. Consumer & workforce playbook
Privacy-aware usage patterns reduce downstream harm even when the provider lags:
- Use provider “no training” toggles or enterprise controls that disable prompt retention.
- Strip personal and customer identifiers before submitting prompts; automate using client-side redaction.
- Combine VPN + hardened browser profiles to limit IP/telemetry exposure, but remember VPNs do not hide account identities.
- Train staff on jailbreak awareness and reporting. Logging suspicious prompts is a security signal.
- Document every LLM integration in the data inventory and link it to its risk assessment and retention schedule.
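The selective-logging bullet in section 7 and the client-side redaction point above, combined into one added example that is not code from the original article: identifiers are redacted before a prompt leaves the client, durable storage receives only the redacted text plus keyed digests, and the retention window shrinks to hours when the prompt carried PII or a secret (the "purged within hours, not months" rule from section 3). The PII patterns, the 4-hour and 30-day windows and the HMAC key are this example's own assumptions.

```python
"""Selective prompt logging: redact client-side, keep keyed digests, expire fast.
Added example; PII patterns, retention windows and the key are assumptions."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

LOG_KEY = b"example-log-hmac-key"  # constructed; load from a secrets manager

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_CARD = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits
_SECRET = re.compile(r"(?i)\b(api[_-]?key|password|token)\b\s*[:=]\s*\S+")

# Retention by classification: sensitive prompts live hours, clean ones days.
RETENTION = {"clean": timedelta(days=30), "sensitive": timedelta(hours=4)}


def _luhn_ok(digits: str) -> bool:
    # Luhn checksum, so 16-digit order numbers are not reported as cards.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def redact(prompt: str):
    """Return (redacted_prompt, sorted list of categories found)."""
    found = set()

    def card(m):
        if _luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card")
            return "[CARD]"
        return m.group()  # digit runs that fail Luhn are left alone

    text = _CARD.sub(card, prompt)
    for name, pat in (("email", _EMAIL), ("secret", _SECRET)):
        text, n = pat.subn(f"[{name.upper()}]", text)
        if n:
            found.add(name)
    return text, sorted(found)


def log_record(user_id: str, prompt: str, now: datetime = None) -> dict:
    """The only form of a prompt that reaches durable storage."""
    now = now or datetime.now(timezone.utc)
    redacted, categories = redact(prompt)
    cls = "sensitive" if categories else "clean"

    def digest(data: str) -> str:
        return hmac.new(LOG_KEY, data.encode(), hashlib.sha256).hexdigest()

    return {
        "user": digest(user_id)[:16],    # pseudonymous without the key
        "prompt_hmac": digest(prompt),   # lets responders match leaked text
        "prompt_redacted": redacted,
        "pii": categories,
        "classification": cls,
        "expires_at": (now + RETENTION[cls]).isoformat(),
    }
```

A purge job that deletes records past `expires_at` completes the control; without it the short window is a label, not a guarantee.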
9. Vendor checkpoints we track
- ☑️ Public model/system cards with training data provenance and evaluation metrics.
- ☑️ Opt-out and data deletion tooling for enterprise prompts within 30 days.
- ☑️ Documented privacy-preserving fine-tuning (differential privacy, selective logging, or on-device inference).
- ☑️ Independent red-team or safety audit reports published in the last 12 months.
- ☑️ Clear incident playbook and contact for responsible disclosure.
10. References
- [1] Apple Machine Learning Research (2024) 'Differential Privacy at Scale', Apple Machine Learning Journal. Available at: https://machinelearning.apple.com/research/differential-privacy (Accessed: 21 January 2026).
- [2] European Commission (2024) 'EU Artificial Intelligence Act', Official Journal of the European Union. Available at: https://artificial-intelligence-act.eu (Accessed: 21 January 2026).
- [3] Google Safety Engineering Center (2024) 'Prompt Injection Threat Matrix', Google AI. Available at: https://ai.google/responsible-ai/prompt-injection (Accessed: 21 January 2026).
- [4] NIST (2023) 'AI Risk Management Framework', National Institute of Standards and Technology. Available at: https://www.nist.gov/itl/ai-risk-management-framework (Accessed: 21 January 2026).
- [5] UK Information Commissioner's Office (2024) 'Guidance on AI and Data Protection', ICO. Available at: https://ico.org.uk/for-organisations/ai (Accessed: 21 January 2026).
