Respect citizens' data or get out
DeepSeek bans, attackers using generative AI, and cybercrime forum takedowns
The boundaries of countries do not end at geographic borders
One of the reasons the General Data Protection Regulation (GDPR) has had such an outsize impact on data processing globally, not just in the EU, is one small but mighty part of the legal text: Article 3, Territorial scope. It establishes that GDPR applies to companies with no offices or operations in the EU, as long as they offer goods or services to people in the EU or monitor their behaviour. Since the EU treats personal data protection as a fundamental right, it protects the personal data of people in the EU regardless of where that data is processed or stored. GDPR is not alone in reaching past its borders; the US Helms-Burton Act and China’s Anti-Foreign Sanctions Law are other examples of extraterritorial laws.
Where this gets interesting: it means businesses that operate entirely outside of the EU can still be subject to EU data privacy rules. Multinational or not, you are subject to the shifting geopolitical forces that shape regulation everywhere. The boundaries of nations are not just geographic; they are also determined by what citizens do and where they do it. If a company wants access to a market, it must comply. If a government wants to maintain strong ties with another government, it has to make sure its companies comply.
Italy blocked DeepSeek as other nations tumble towards bans of their own
What happened: Italy’s data protection regulator, the Garante, opened an investigation into whether DeepSeek is respecting GDPR: what data about people in Italy the app collects, how it is used, and whether it is stored in China. As we discussed last week, DeepSeek’s privacy policy states that many different kinds of data are collected and stored in China. The Garante distilled the response from the companies behind DeepSeek to the following:
“Contrary to what the authority found, the companies declared that they do not operate in Italy and that European legislation does not apply to them.”
Spicy… and debatable. The Garante ordered the companies behind DeepSeek to stop processing Italians’ data, and the app was also removed from Google Play and Apple’s App Store in Italy. Italy is not alone: regulators in Belgium, Ireland, France, and South Korea are all looking into how DeepSeek handles their citizens’ data. In the United States, the Navy, NASA, Congress, and the state of Texas have banned the app on government-issued devices, and Taiwan has barred government agencies from using DeepSeek’s AI model on national security grounds.
Take note: The companies behind DeepSeek can try to refuse to comply with GDPR because they are 1) not established in the EU and 2) based in a country that is not a close EU ally. That does not leave Italy powerless. Italy can negotiate with China to bring the companies into line, and it can block the app’s distribution channels, as it did last week with the App Store.
Attackers are experimenting with generative AI, but not getting too far out of the box
What happened: Google released an in-depth report on how threat actors are using Gemini, Google’s AI chatbot, in their operations. Iran-based actors were the most frequent users, but Google also found actors from China, the Democratic People’s Republic of Korea, and Russia using it. They used it to help write and troubleshoot code, including for malware, to conduct reconnaissance on targets, to ask about topics like evasion techniques, and to research vulnerabilities and various technologies.
Take note: Most of the sophisticated malicious uses of generative AI, such as prompt injection attacks, have so far been demonstrated by researchers rather than observed in the wild. The use cases Google found in this report align with what we expect attackers to use it for: speeding up work they already do. It helps attackers in some ways, but it cannot automate an entire attack or hand them new kinds of malware or zero-days. If any group of attackers is going to innovate here, it will be the state-backed ones.
Cybercrime forums Cracked and Nulled get cracked and nulled
Taking down a cybercrime forum is not simple. It can take years of work and international cooperation to identify and locate suspects, track down the infrastructure that supports the forum, and gather enough evidence to make a compelling legal case. It is also not just a digital operation: suspects are arrested, property is searched, and hardware and cash are seized. Takedowns like these are a reminder that behind every cyberattack are humans and real-world circumstances. Information security does not exist in a vacuum or only online; it is a fundamental piece of the society we have built.
What happened: German authorities led a Europol-supported operation, with law enforcement from seven other countries (Australia, France, Greece, Italy, Romania, Spain, and the United States), to take down two huge cybercrime forums, Cracked and Nulled. Between them the forums had over 10 million users, who used the sites to sell stolen data, buy malware, and access infrastructure to carry out attacks.
Take note: Cybercriminals will keep standing up forums like these, but every one that law enforcement takes down is another costly speed bump for attackers. The more expensive we make cybercrime, the less attractive it is to criminals.
I want to hear your perspective. Have thoughts on this? Write me a comment below!