Urban VPN Proxy Surreptitiously Intercepts AI Chats

This is pretty scary:

Urban VPN Proxy targets conversations across ten AI platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), Meta AI.

For each platform, the extension includes a dedicated “executor” script designed to intercept and capture conversations. The harvesting is enabled by default through hardcoded flags in the extension’s configuration.

There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely.

[…]

The data collection operates independently of the VPN functionality. Whether the VPN is connected or not, the harvesting runs continuously in the background.

[…]

What gets captured:

  • Every prompt you send to the AI
    Every response you receive

  • Conversation identifiers and timestamps
  • Session metadata
  • The specific AI platform and model used

    BoingBoing post.

    EDITED TO ADD (12/15): Two news articles.

    Tags: , , ,

    Posted on December 24, 2025 at 7:03 AM6 Comments

    Comments

    KC December 24, 2025 11:24 AM

    Those VPNs (especially the free ones) are spilling the tea. As the researchers show, this ‘tool’ and its surveillance family are using an aggressive technique so that the extension sees the raw API traffic, including all the AI conversation data. As noted above, even if the extension itself is disabled.

    The information market is mind-boggling.

    Jan van Prooijen December 25, 2025 6:47 AM

    This is of course a violation of the European GDPR. I assume they don’t have an establishment in the EU, so they will get away with it.
    And Google and Microsoft can get away with it.

    Anon December 25, 2025 8:24 AM

    Clive’s account appears to have been hijacked by someone wishing to advertise their own immaturity. An echo from the past?

    Clive Robonson December 25, 2025 12:23 PM

    @ Jan van Prooijen,

    With regards the GDPR and your observation that,

    “And Google and Microsoft can get away with it.”

    The reason they do is where they have put their EU HQs and Data Centers.

    Which is “Southern Ireland”…

    Their data commisioners all look the other way when it comes to taking action under such EU legislation… And the rest of Europe is getting sick of it and the nation for all sorts of “on the take” type behaviours.

    The current scandal is about the new data commissioner, who used to work for Facebook as an executive. It’s known that all Facebook Execs have to sign a life long binding contract not to do a whole list of things that FaceBook does not like…

    This is about the most favourable comment I’ve seen on the subject,

    https://www.rte.ie/news/business/2025/1024/1540371-irish-data-protection-commission/

    Which is as it’s from RTE is hardly surprising.

    Now you know who’s name to search for you can find the more interesting stuff.

    This how ever gives more background,

    https://euobserver.com/digital/ar6c78a452

    Who? December 26, 2025 9:33 PM

    @ Jan van Prooijen

    No way. The european GDPR is here to protect information collected by data brokers, not european citizens rights; in fact, a data broker only needs to show that collected information is valuable for its business model (whatever this business model is) and the european regulation will automatically protect it against removal requests by european citizens.

    This one is the way it works ——the way it worked, from the beginning—— as clearly explained to me by a data broker I asked to remove all collected data related to my activities.

    Leave a comment

    Blog moderation policy

    Login

    Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

    Sidebar photo of Bruce Schneier by Joe MacInnis.