You don't need to be a Russian spy to violate the privacy of millions of women. Sometimes a period tracker app is enough – one of those that promises to calculate ovulation but in reality calculates how much your data is worth on the advertising market. The latest wake-up call comes from a series of interwoven revelations: on one hand, the discovery that an AI music generator was breached, exposing its scraping techniques; on the other, confirmation that Russian cyberspy groups are shifting focus to infrastructure hacking, while the U.S. Department of Homeland Security (DHS) took years to realize it had been compromised.

Period tracker apps have become invisible surveillants. Independent studies have shown that many share data with advertisers, brokers, and analytics platforms without truly informed consent. Menstrual cycles, symptoms, sexual activity, mood: a treasure trove for those training AI models or building psychometric profiles. And this is not science fiction: health data, when aggregated and deanonymized, feeds recommendation engines and even predictive credit tools.

The AI music generator breach is a piece of the same puzzle: the mass scraping of personal data to train generative models. If a simple tracker can become a goldmine, what happens when entire hospitals, insurers, or employers entrust their sensitive data to commercial LLMs hosted in the cloud? The risk is that those models, however “secure,” retain traces of the information or expose it to third parties through inference itself.

Meanwhile, traditional cyber threats do not abate. The Russian infrastructure attacks and DHS flaws show that perimeter security is a myth: data, once centralized in an external cloud, becomes a permanent target. That is why for those managing data that absolutely cannot leave their control – medical records, trade secrets, financial transactions – on-premise deployment of language models is becoming not just a technical necessity, but a legal and reputational imperative.

Running an LLM locally, on proprietary servers, changes the terms of the problem. With frameworks like vLLM or Ollama and quantization techniques to FP16 or INT8, it is possible to achieve acceptable inference performance on hardware with adequate VRAM. Of course, capital costs (CapEx) are higher than on-demand cloud consumption, but the Total Cost of Ownership is reevaluated when considering compliance risks: a breach can cost heavy fines and irreparable reputational damage. At AI-RADAR we offer analytical tools for those evaluating these trade-offs, but the direction is clear: data sovereignty is not a luxury, it is a strategic asset.

The case of period tracker apps is just the tip of the iceberg of a data economy built on surveillance. As generative AI becomes pervasive, distinguishing between who collects data and who turns it into power becomes a matter of architecture: local servers, quantized models, controlled training pipelines. For organizations handling sensitive data, the choice is not between cloud and on-premise, but between trust and control.