Back

Grok Chatbot Violates Canadian Privacy Laws with Deepfake Generation

Severity: High (Score: 70.2)

Sources: Iapp, Priv.Gc.Ca

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: privacy, grok, canada, chatbot, commissioner, investigation, violated

Severity indicators: ot

Summary

The Office of the Privacy Commissioner of Canada (OPC) found that X Corp. and xAI violated federal privacy laws by launching the Grok AI-powered image generation tool without necessary safeguards. This tool enabled the creation of over 6,000 sexualized deepfake images per hour, including approximately 23,000 images of children. The OPC's investigation revealed that Grok shared 1.8 million sexualized images since December 29, 2025. Privacy Commissioner Philippe Dufresne emphasized the need for stronger federal legislation and enforcement powers to protect privacy. Although X Corp. and xAI have implemented some safeguards, including a process for mitigating privacy issues, the OPC cannot compel the suspension of the tool until all safeguards are in place. Dufresne noted that the reduction in incidents by 50% is insufficient, stressing that the goal should be to minimize such incidents to nearly zero. The OPC will continue to monitor the situation and may pursue legal action if necessary. Key Points: • Grok's AI tool generated over 6,000 sexualized deepfakes per hour without safeguards. • The OPC found X Corp. and xAI in violation of Canada's privacy laws, sharing 1.8 million images. • Privacy Commissioner Dufresne calls for stronger legislation and enforcement powers.

Detailed Analysis

**Impact** Over 3 million sexualized deepfake images were generated by the Grok AI-powered image-generation tool between December 29, 2025, and early January 2026, including approximately 23,000 images depicting children. The tool was producing over 6,000 sexualized images per hour at its peak. The primary affected population is Canadian citizens, with a significant risk to women and children’s privacy and safety. The incident exposes gaps in privacy protections under Canada’s federal private-sector privacy law and impacts the technology sector, particularly AI developers and social media platforms operating in Canada. **Technical Details** The incident involved the misuse of Grok’s AI image-generation tool, which lacked initial safeguards to prevent the creation of sexualized deepfake content. There are no reported malware, CVEs, or specific exploitation techniques; the issue stems from the absence of adequate content moderation and privacy controls in the AI tool’s deployment. The attack vector is user-generated input leading to harmful content creation, with the kill chain focused on the exploitation of AI capabilities without proper governance. No specific IOCs were provided. **Recommended Response** Organizations deploying AI image-generation tools should implement strict content filtering and moderation mechanisms to prevent the creation of sexualized and non-consensual deepfake images. Regular privacy impact assessments and formal processes for anticipating and mitigating privacy risks must be established. Monitoring for misuse patterns and reporting effectiveness of safeguards to regulatory bodies is advised. Defenders should track legislative developments and prepare for compliance with new Canadian privacy and AI regulations.

Source articles (2)

  • Statement by the Privacy Commissioner of Canada on investigation into Grok chatbot and ... — Priv.Gc.Ca · 2026-06-11
    Privacy Commissioner of Canada Philippe Dufresne today issued the following statement on his investigation into the Grok chatbot’s artificial intelligence-powered image-generation tool. (Check against…
  • OPC finds Grok chatbot and deepfakes violated Canada's privacy law — Iapp · 2026-06-11
    An investigation by the Office of the Privacy Commissioner of Canada found X Corp. and xAI violated the country's federal private-sector privacy law by launching the Grok AI-powered image generation t…

Timeline

  • 2025-12-29 — Grok tool begins generating deepfakes: Grok's AI tool started sharing sexualized deepfake images, totaling 1.8 million images by the end of the investigation.
  • 2026-01-08 — Investigation into Grok initiated: The OPC launched an investigation after reports of Grok's misuse for generating sexualized deepfakes.
  • 2026-06-11 — OPC releases investigation findings: The OPC announced its findings, highlighting the violations of privacy laws by X Corp. and xAI.

Related entities

  • XAI (Company)
  • Canada (Country)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed