pixel_popping a day ago
Yes, I agree that it's wrong; my point is really about the data itself being on their servers. Let's be real, a service nowadays DOES have the choice to enable client-side encryption or a methodology to be unable to consult data themselves, so any company that chose against that during the development phase might have eventual motives of processing the data. My point is really about the blind trust from users, which is just wrong from a security standpoint: every trust step added that you can't verify is just "faith" at this point, not security. Terms of service are irrelevant as they are breached all the time; major companies are getting fined all the time for it. We must rely on cryptography, not human trust, and people need to stop being surprised the moment they learn that the data they accepted to leave in cleartext is used; that would be a first step toward forcing the change and using proper security standards. Want a useful action? Let's change the law to force cryptography regarding user data, attestation, SGX or whatever method (there are plenty); that would be a great start. The fact that in 2026 it's still legal to process user chats in plaintext is mind-blowing.