Most people tap "I agree" when setting up a new phone or app without reading what they're actually agreeing to. Here's what is quietly collecting in the background, and what can actually be done with it. Location: If you're signed into a Google account, your location history is probably being recorded. Not just GPS coordinates either. Google Maps builds a full Timeline of where you went, how long you stayed, and the routes you took. You can see everything stored at myactivity.google.com. Your daily activity: Android can detect steps, driving, walking patterns, and commute habits even if you never opened a fitness app. Over time this builds a behavioral profile of your routines. You can check which apps have access to this under Settings > Privacy > Permission Manager. Your ad profile: Google categorizes you into interest groups based on your searches, YouTube history, and location. Advertisers then bid to reach those groups in real time. Your data gets shared across that bidding process, and Google has limited control over what happens to it after it leaves their systems. You can see how Google has labeled you at adssettings.google.com. ***What are they actually allowed to do with all of this?*** Quite a lot. The US has no single privacy law covering this. Google says it does not sell your personal data, and technically that's true. But your data does flow through advertising systems where it gets shared with third parties in ways that are perfectly legal. Google participates in real-time bidding, where your data is shared with every advertiser who joins an auction, not just the winner. Some of those participants are data brokers who collect what they receive and sell it on. In most of the US, companies can legally collect and share your behavioral data as long as it's disclosed somewhere in their terms. None of this is hidden. It's in your settings and their terms of service. The problem is most people never look.

CrowdStrike just released its Global Threat Report for 2026, and one number stood out. AI-enabled cyberattacks increased 89% in 2025 compared to the year before. Nearly double. In a single year. The attacks you're already familiar with are now being produced by AI at a scale and quality that wasn't possible 12 months ago. Here's what that looks like in practice: - The phishing email that used to be easy to spot because of bad grammar? AI now writes it perfectly, in your tone, referencing your actual business context, in any language. - The fake invoice or wire transfer request that used to take an attacker hours to craft? AI generates hundreds of them in minutes, each personalized to a different company. - The "CEO" asking your finance team to move money urgently? AI can now clone voices and generate convincing video. The request sounds and looks exactly like the person your team trusts. The attacks themselves haven't changed. The volume and quality have. So what does this mean for you? It means the single most important defense you have right now is not software. It's process. Specifically: verification processes that don't rely solely on how something looks or sounds. Three things worth doing this week: 1. Establish a callback rule. Any request involving a wire transfer, credential change, or sensitive data access gets verified via a separate, known phone number. Not a reply to the email. Not a response to the message. A separate call. 2. Brief your finance and operations teams. They are the primary target. They need to know that convincing-looking requests are no longer a reliable signal of legitimacy. 3. Ask yourself: if someone impersonated me right now and contacted my team, what would stop them from complying? If your honest answer is "not much," that's your priority this week. The arms race CrowdStrike describes is real. The good news is that the defenses that matter most don't require a security budget, they require awareness and a few deliberate process changes.

If you use ChatGPT for your business, you understand how AI assistants work: you type a question, you get an answer. That's the model most of us are familiar with. But the AI landscape just shifted in a significant way. If you're not aware of it, it could be the most dangerous blind spot in your business right now. --- WHAT IS OPENCLAW? OpenClaw is a new kind of AI tool that doesn't just answer questions. It takes action. Unlike ChatGPT, which waits for your input and responds, OpenClaw is what's called an "agentic AI." It runs continuously in the background and can do things on its own: send emails, read and write files, browse the web, run commands on a computer, and connect to your calendar, Slack, WhatsApp, and other tools. Think of it less like a smart search engine and more like hiring someone who never sleeps, has access to everything on your computer, and acts without asking first. It became the fastest-growing software project in history. 180,000 developers adopted it in weeks. Some are buying dedicated hardware just to run it around the clock. Employees are almost certainly already experimenting with it. That's where the problem starts. --- THE PART YOUR SECURITY SOFTWARE CAN'T SEE If your business has any kind of security setup, even basic tools your IT provider manages, you probably rely on three layers of protection: - EDR (Endpoint Detection and Response): watches your computers for suspicious behavior - DLP (Data Loss Prevention): catches sensitive data leaving your network - IAM (Identity and Access Management): controls who has access to what Here's what security researchers discovered this month: OpenClaw can bypass all three of these without triggering a single alert. This is not a typical hack. There's no virus. No suspicious file. No alarm going off. Here's how it works in plain terms. An attacker hides a malicious instruction inside something completely ordinary - a forwarded email, a webpage, a document. When your employee's OpenClaw agent processes that content as part of its normal work, it reads the hidden instruction and follows it. It might forward your company's credentials to an external server. It might copy sensitive files. It might authorize a transaction.