
๐—”๐—ป๐˜๐—ต๐—ฟ๐—ผ๐—ฝ๐—ถ๐—ฐ ๐—น๐—ฒ๐—ฎ๐—ธ๐—ฒ๐—ฑ ๐Ÿฑ๐Ÿญ๐Ÿฎ,๐Ÿฌ๐Ÿฌ๐Ÿฌ ๐—น๐—ถ๐—ป๐—ฒ๐˜€ ๐—ผ๐—ณ ๐—–๐—น๐—ฎ๐˜‚๐—ฑ๐—ฒ ๐—–๐—ผ๐—ฑ๐—ฒ ๐˜€๐—ผ๐˜‚๐—ฟ๐—ฐ๐—ฒ ๐—ฐ๐—ผ๐—ฑ๐—ฒ.

  • Writer: Christian Schulze
  • May 4
  • 2 min read

๐—›๐—ฒ๐—ฟ๐—ฒ ๐—ถ๐˜€ ๐˜„๐—ต๐—ฎ๐˜ ๐—ถ๐˜ ๐—บ๐—ฒ๐—ฎ๐—ป๐˜€ ๐—ณ๐—ผ๐—ฟ ๐˜†๐—ผ๐˜‚.


I analyzed 20+ security reports. In plain language:


We assume AI tools work like a calculator: input in, output out, nothing saved. Wrong.


๐—œ๐—ณ ๐˜†๐—ผ๐˜‚ ๐˜‚๐˜€๐—ฒ ๐—–๐—น๐—ฎ๐˜‚๐—ฑ๐—ฒ ๐—ฎ๐˜€ ๐—ฎ ๐—ฝ๐—ฟ๐—ถ๐˜ƒ๐—ฎ๐˜๐—ฒ ๐˜‚๐˜€๐—ฒ๐—ฟ:


1. Every file you open is sent to Anthropic. With your user ID, email, and session data. (The Register, Apr 2026)


2. Your frustration is tracked. A module scans your messages for profanity and phrases like "this sucks" and logs it. (Scientific American)


3. Data retention depends on your choice. Opt into training: 5 years. Opt out: 30 days. But safety-flagged content is kept up to 7 years regardless of your settings.


๐—œ๐—ณ ๐˜†๐—ผ๐˜‚ ๐˜‚๐˜€๐—ฒ ๐—–๐—น๐—ฎ๐˜‚๐—ฑ๐—ฒ ๐—ถ๐—ป ๐—ฎ ๐—ฏ๐˜‚๐˜€๐—ถ๐—ป๐—ฒ๐˜€๐˜€ ๐—ฐ๐—ผ๐—ป๐˜๐—ฒ๐˜…๐˜:


4. Account type determines protection. Developers on personal accounts using company code fall under consumer terms, not enterprise agreements. Protections follow the account, not the code.


5. Remote killswitches exist. Anthropic can change Claude's behavior on your machine every 60 minutes. Including disabling security prompts. Without asking.


6. Five CVEs found within days. Including zero-interaction remote code execution. The source is now a map for attackers. (SecurityWeek)


๐—œ๐˜€ ๐˜๐—ต๐—ถ๐˜€ ๐—ผ๐—ป๐—น๐˜† ๐—”๐—ป๐˜๐—ต๐—ฟ๐—ผ๐—ฝ๐—ถ๐—ฐ?


OpenAI collects inputs and metadata by default. GitHub Copilot collects prompts and code snippets. And a class action lawsuit just revealed that Perplexity sent user chats to Meta and Google for ad targeting. Even in incognito mode. (SF Federal Court, March 2026)


Anthropic is not worse. We can just see it now. The others are black boxes or courtroom discoveries.


๐—ช๐—ต๐—ฎ๐˜ ๐˜†๐—ผ๐˜‚ ๐—ฐ๐—ฎ๐—ป ๐—ณ๐—ถ๐˜… ๐˜๐—ผ๐—ฑ๐—ฎ๐˜†. ๐—”๐—ป๐—ฑ ๐˜„๐—ต๐—ฎ๐˜ ๐˜†๐—ผ๐˜‚ ๐—ฐ๐—ฎ๐—ป๐—ป๐—ผ๐˜.


AI middleware like Langdock (Berlin, GDPR, ISO 27001, SOC 2 Type II) solves the data problem now. Your prompts stay in your infrastructure. No file transmission. No frustration tracking. No consumer-vs-enterprise gap.


What middleware cannot fix: remote killswitches. Those operate at the client level, not the API level. Anthropic can still disable features or bypass permissions on your machines. That requires contractual and regulatory solutions. Courts and enterprise agreements will have to catch up. Middleware covers the data layer today. The control layer needs the industry to act.


I explained the difference between data layer and control layer to my German Pinscher. She ignored both and went straight to the execution layer: the mailman.


๐—ฌ๐—ผ๐˜‚๐—ฟ ๐˜๐˜‚๐—ฟ๐—ป: Do you know what your AI tool sends home? And who can remotely change what it does on your machine?

