Slide 18 · OWASP Scenario — Terms & Privacy Shift
The non-technical supply-chain attack: the fine print changes.
📄 OWASP LLM Top 10:2025 · LLM03 Sample Scenario #13
Scenario · T&Cs and Privacy Policy
“An LLM provider changes its terms and privacy policy so that, unless you explicitly opt out, your application's data may be used to train its models.”
No malware, no CVE — just a policy update from a vendor in your chain. Suddenly the prompts and documents your app sends could feed the provider's next training run, where they may be memorized and later surfaced to other users.
Why it matters: a supplier's legal terms are part of your supply chain, exactly like their code. OWASP also flags licensing the same way — a model or dataset under the wrong license can quietly compromise your right to ship.
The Through-Line of All Four Scenarios
Tampered weights, shared GPUs, swapped on-device models, shifting terms — none are “your code has a bug.” Every one is trust placed in a third party that turned out to be misplaced. Part 4 is how you earn that trust back through verification.