The scenario is not that AI will hack everything overnight. The scenario is quieter — and already happening: your data is being collected, cross-referenced, and stored for future decryption. Adversaries don't need to breach your accounts today. They need to collect your data today and act on it later. Here is what that actually means.
What It Is
Adversaries — including governments — are collecting encrypted communications and data now, storing them, and waiting for quantum computers powerful enough to crack current encryption. NIST has acknowledged this threat and mandated post-quantum cryptography migration by 2035. Security firm Utimaco and Palo Alto Networks both assess the timeline may be as short as 3 years.
What's at Risk
Encrypted messages, emails, financial transactions, and medical records sent over the internet in the last 5 years. If you sent something encrypted today, assume it is being stored and may be readable in the near future.
What to Do
Use Signal — it already implements post-quantum encryption. Don't assume encrypted = permanently safe. For highly sensitive communications, assume anything sent before 2025 may eventually be readable by a sufficiently resourced adversary.
Sources: NIST post-quantum cryptography standards (FIPS 203/204/205, 2024) · Palo Alto Networks 2026 cybersecurity predictions · Utimaco 2026 security trends report
What It Is
Data that was considered "anonymous" is no longer. AI systems can cross-reference location pings, browsing patterns, purchase history, and social media activity to identify individuals with high accuracy — even when no name is attached to any single dataset. This has been demonstrated repeatedly in academic research and is now a commercial reality.
What's at Risk
"Anonymous" location data sold by apps. Anonymized health data. Reddit accounts. Tumblr. Any forum post, ever. The academic literature is unambiguous: anonymization alone is not a meaningful privacy protection.
What to Do
Delete old accounts you no longer use. Assume any data point you've ever generated can eventually be connected to your identity. Use a VPN for sensitive searches. Private browsing only hides your history from the next person who opens your laptop — it doesn't stop tracking.
Sources: International AI Safety Report 2025 (96-expert collaborative report co-chaired by Yoshua Bengio) · Electronic Frontier Foundation — de-anonymization research compilation · Netflix Prize de-anonymization study (Narayanan & Shmatikoff, 2008) · AOL search data re-identification (2006)
What It Is
Already documented. CBP purchased location data from apps — no warrant, no court, no judge. The Fourth Amendment has a loophole: buying data commercially doesn't count as a "search." Your phone is already feeding a government database. The Fourth Amendment Is Not For Sale Act would close this loophole. It has not passed.
What's at Risk
Your location history. Your immigration status inferred from where you go. Who you met with. Where you worship. Where you protest. Where you seek medical care. This is not hypothetical — it is documented.
What to Do
Disable ad tracking on your phone (iPhone: Settings → Privacy → Tracking → OFF / Android: Settings → Google → Ads → Delete Advertising ID). Deny location permissions to every app that doesn't need it to function. Enable Lockdown Mode.
See the full documented breakdown: Ad tracking surveillance guide →Sources: 404 Media — CBP location data FOIA reporting (2024) · US District Court filings, Carpenter v. United States · Brennan Center — Closing the Data Broker Loophole (2023) · Congress.gov — Fourth Amendment Is Not For Sale Act
What It Is
AI models trained on scraped internet data can reproduce portions of what they were trained on. If your private information was scraped and included in a training dataset, an AI model may be able to reproduce it when prompted correctly. This has been demonstrated with GPT-4 and other major models.
What's at Risk
Old forum posts. Blog entries. Photos with metadata. Anything ever publicly accessible — including content you may have deleted from the original source but that was scraped before deletion.
What to Do
Google yourself regularly — your name, username variations, email addresses. Submit removal requests for old content. Use Google's "Results About You" tool. Check HaveIBeenPwned.com for data breaches. Old accounts you no longer monitor may be active data sources.
Sources: International AI Safety Report 2025 · Carlini et al., "Extracting Training Data from Large Language Models" (2021) · Private AI — AI privacy risk analysis 2025 · FTC — AI and consumer privacy enforcement actions 2024–2025
10 actions. Plain English. In order of impact. Takes under 30 minutes total.
1
Switch to Signal
For any communication you consider sensitive. Already implements post-quantum encryption.
2
Enable Lockdown Mode (iPhone)
Settings → Privacy & Security → Lockdown Mode. Reduces attack surface significantly.
3
Disable ad tracking
iPhone: Settings → Privacy → Tracking → OFF. Android: Settings → Google → Ads → Delete Advertising ID.
4
Audit location permissions
Every app. Deny location to anything that doesn't need it to function. Revoke 'always on' for everything.
5
Delete old accounts
Forums, social media, blogs you haven't posted to in years. Less data, fewer exposure points.
6
Use a password manager
1Password or Bitwarden. One breach shouldn't compromise every account. Unique passwords, everywhere.
7
Use a VPN for sensitive browsing
Mullvad or ProtonVPN. Hides browsing from your ISP. Not anonymous — but materially reduces exposure.
8
Check HaveIBeenPwned.com
Enter your email. If it's appeared in a breach, change that password everywhere you used it.
9
Google yourself
Your name, username variations, email addresses. Request removal of results that expose sensitive info.
10
Audit app permissions
Settings → Privacy. Camera, microphone, contacts, location — revoke everything not actively needed.
Not legal advice. Not a guarantee of security. Threat assessments reflect documented researcher and government assessments as of April 2026. Technology and legal frameworks change — verify current guidance before acting. Sources cited throughout.