

How a court footnote, retention orders, interagency data sharing, and the government's own words reveal what happens when we pour private thought into a chatbot.
Last month, a sentence went viral claiming that if you type into a chatbot, the FBI can get everything. The claim was too broad. The truth may be narrower, and worse.
Worse, because what is at stake is not some dramatic collapse of privacy. It is a daily practice so ordinary that most people do not even register it as exposure. Thought leaves a protected setting, enters a consumer platform, becomes a record, and then falls under rules the user did not write and will almost never see. Catastrophes announce themselves. Habits do not. Habits become infrastructure before the public notices what has changed.
This essay walks through six documents: a footnote, two preservation orders, an executive order on interagency sharing, a national security memorandum, and a budget request. Read one by one, each can be minimized. Read together, they describe an apparatus already in motion, and a desk already inside it.
A conversation is something you have. A record is something someone else keeps. The text box in front of you now performs both functions at once. It feels like conversation. It can become record.
In United States v. Heppner, decided in the Southern District of New York on February 17, 2026, Judge Jed S. Rakoff wrote in a footnote: "But even if certain information that Heppner input into Claude was privileged, he waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party."
Read that again, slowly. Speed helps disguise the act.
The footnote does not say the attorney-client relationship dissolves because a chatbot exists. It says something narrower, and more unsettling. Whatever Heppner himself carried out of a protected setting and voluntarily shared with Claude could lose privilege the way material shared with any other third party can lose privilege. The room remains protected. What leaves the room may not.
That is old doctrine meeting a new habit. The danger lies in the habit's ordinariness. A doctrine once applied to deliberate disclosure becomes harsher when the third party is a text box millions of people treat as an extension of private thought.
People use consumer chatbots to think through problems, including legal ones. They paste in memos, summaries, draft language, and questions they cannot yet frame in legal terms. Some of that material originated with counsel. Some did not. Not every exchange is privileged. That is not the point. The point is that the text box does not sort those categories for the user, and the user often does not sort them either. The platform feels intimate, immediate, and close enough to thought that the act often does not register as disclosure.
That is the shift. Most users do not believe they are sharing protected material with a third party. They believe they are working privately through a problem. The platform may not honor that distinction. The court may not honor it. The state may not honor it either.
The Heppner footnote may not survive appeal, but the pattern it marks does not depend on its survival. Carpenter v. United States points in a different direction on digital third-party records. A split among district courts is already visible. But appellate uncertainty is not protection in the meantime. Courts sort doctrine on one timetable. Institutions build systems on another. Retention practices, routing rules, and interagency structures can harden before doctrine settles.
The legal tracks must stay distinct. Privilege is not work product. Work product is not Fourth Amendment privacy. Privacy is not retention. Retention is not acquisition. Acquisition by warrant is not acquisition by administrative subpoena or interagency sharing. The sequence that follows does not require those categories to collapse. It requires only that, in practice, they begin to converge in ways that steadily weaken user control.
A ruling declaring that every chatbot exchange destroys privilege would trigger immediate alarm. A footnote this quiet does not. That is why the narrower reading is worse. It marks an ordinary act, repeated every day by people who think they are thinking privately when, in legal effect, they may be disclosing.
The public paraphrase overstated the law. The law understated the habit. Once that shift comes into view, the next question follows: What happens when the record no longer belongs to the person who created it?
The Heppner footnote did not arrive alone. It arrived inside a pattern. The pattern matters more than the sentence.
Courts are sorting several adjacent questions the public keeps collapsing into one. One week before Heppner, in Warner v. Gilbarco, the Eastern District of Michigan rejected the claim that using ChatGPT to work through litigation material automatically destroyed work-product protection. Roughly six weeks later, Morgan v. V2X in the District of Colorado widened the split rather than closing it, recognizing Rule 26(b)(3) protection for AI-assisted material prepared by a pro se litigant while still imposing disclosure obligations and cautioning against uploading confidential information into mainstream AI systems.
Read together, these cases do not settle AI in the abstract. They suggest that courts are sorting channels, control, supervision, and institutional setting. Where the law sees counsel, protective orders, and defined litigation materials, it can still imagine a protected path. Where it sees voluntary disclosure into a consumer platform outside counsel's direction, the protection thins. A law firm inside a controlled environment gets one reading. A person at a kitchen table with a monthly subscription gets another. Ordinary users behave as though the boundary were settled in their favor. It is not. Uncertainty does not reduce the risk. It enlarges it.
Then the preservation orders deepen the problem. Once material becomes platform record, the user no longer controls the baseline that governs how long it exists or when it can be reached.
On May 13, 2025, in New York Times v. OpenAI, Judge Ona Wang entered a preserve-and-segregate order covering a vast population of user logs. On January 5, 2026, Judge Sidney Stein affirmed production of a 20 million de-identified log sample. His reasoning matters as much as the scale. He wrote that users' privacy interests in that material were weaker than in wiretapped phone calls because the users had voluntarily disclosed the contents to a platform that retained them in the ordinary course of business.
The point is not that one company lost a fight. The point is that deletion baselines can change outside the user's control. They can change in litigation the user is not party to, in a courtroom the user has never heard of, without notice to the person whose records are being kept. The later announcement that the broad preservation obligation ended does not erase that point. It confirms it. The baseline moved once. It can move again.
Even if the Heppner footnote falls on appeal, the preservation and retention architecture does not fall with it. Privilege doctrine is one track. Retention defaults are another, governed by platform terms, contract law, litigation holds, and administrative process. The constitutional fight may proceed in one courtroom while the records keep being kept in another.
Retention exposure is not uniform across users. When OpenAI's broad preservation obligation was in effect, it excluded Enterprise accounts, Edu accounts, and API customers who had contracted for Zero Data Retention. The organizations and professionals with resources to buy safer configurations could obtain them. Ordinary users on consumer accounts could not.
That stratification is a structural feature of the platform layer, not an accident of one lawsuit. Law firms can buy protected configurations. A person at a kitchen table with a monthly subscription cannot. Before the first subpoena arrives, before the first interagency route opens, before any category written into National Security Presidential Memorandum-7 (NSPM-7) is applied to anyone, the exposure is already stratified by who can afford which tier. That stratification will track the sorting that follows.
Retention is not government acquisition. It is the prior condition that makes acquisition possible. People still imagine their chat history exists inside a promise. It does not. It exists inside a current default, and defaults are fragile. A judge can change them. A litigation hold can change them. A production order can change them. The user often learns that only after the fact, if at all. Once a record can be kept, the next question is how it begins to move.
On March 20, 2025, the White House issued an executive order with a title that sounds like office management: "Stopping Waste, Fraud, and Abuse by Eliminating Information Silos." The word "silo" sounds bureaucratic and dull. That is part of its function. It makes a structural change sound merely administrative. The key word is "eliminating."
Taken on its own, the order does not compel any single disclosure. Yet it plainly directs movement. It tells agency heads to ensure that designated officials receive full and prompt access to unclassified records, data, software, and IT systems. It authorizes sharing and consolidation within and across agencies. It calls for unfettered access to comprehensive data from state programs that receive federal funding, to the maximum extent consistent with law. The order treats the seams between agencies not as safeguards, but as obstacles. Boring language often carries the heaviest load because it is designed to pass without alarm. Usually, it does.
Administrative routing does not require a courtroom. It does not require a warrant. It requires an interagency agreement and a technical connection. Once that connection exists, records move under rules the user does not see, into hands the user did not anticipate, for purposes the user was never asked to weigh. Quietly at first. Then routinely. Then as a matter of course.
That matters more when other forms of process reduce friction further. Washington Post reporting in February 2026 described the Department of Homeland Security's use of administrative subpoenas at volumes that experts and former staff estimated in the thousands or tens of thousands. American Civil Liberties Union (ACLU) litigation, including Doe v. DHS, added specific challenged cases to that pattern. Administrative subpoenas are not new. What matters is their operational use: speed, breadth, and limited front-end judicial review.
A system that can demand material quickly behaves differently from one that must persuade a judge before the process begins. A system that does not require a judge at the front end is not meaningfully slowed when a judge at the back end issues a clarifying opinion three years later. By then, the records have moved, and the institutional lesson has been learned.
The warrants aimed at journalist Hannah Natanson reveal the same pattern from another angle. Their significance is not that journalists are uniquely vulnerable. It is that Natanson's case was legible. She had a national byline. Her case could be read, tracked, and contested in public.
Most cases will not look like that. Most people caught in expanding process will be organizers, students, immigrants, and members of communities sorted first under every previous expansion of federal attention. They will not have a national employer or a legal defense fund. Their names will not trend. Their records will still move. The unreadable cases are the condition. The visible ones are the narrow window through which the rest of us glimpse it.
Names matter less than architecture. Replace any one official and the route still exists the next morning. The Information Silos order still stands. The subpoena posture still matters. The warrant machinery still works. Personnel matter. Architecture matters more.
Once a state can create records, keep them, and move them with reduced friction, it no longer waits passively for events to arrive in fully formed cases. It gains the practical ability to sort, correlate, and escalate before the public sees any full story. From there, the next question is unavoidable: What kinds of people has the state already told itself to look for?
The most revealing documents in this essay are not leaked. They are posted. The apparatus does not need secrecy for the first stages of this work. It can describe itself in public because the public rarely reads primary documents until the output becomes undeniable.
Start with NSPM-7, issued on September 25, 2025, under the title "Countering Domestic Terrorism and Organized Political Violence." Read that title carefully. "Domestic terrorism" is one phrase. "Organized political violence" is another. The memorandum joins them into a single operational field. A category this wide gives agencies room to sort more conduct, posture, and association than the public usually imagines when it hears the word "terrorism."
The FBI's Fiscal Year 2027 Budget Request, submitted in March 2026, translates that field into administrative appetite. On page 13, the request states that violent conduct in the United States commonly relates to views associated with anti-Americanism, anti-capitalism, and anti-Christianity; support for the overthrow of the US government; extremism on migration, race, and gender; and hostility toward those who hold traditional American views on family, religion, and morality. That ideological enumeration is the budget's own language. NSPM-7 supplies the broader "investigate, prosecute, and disrupt" frame within which it operates. The categories are framed in terms of political disposition and affiliation rather than completed acts.
Appetite alone does not move records. A vehicle does. The same request names it: the NSPM-7 Joint Mission Center, composed of personnel from 10 agencies, which the budget says will integrate intelligence, operational support, and financial analysis to proactively identify networks and prosecute domestic terrorist and related criminal actors.
That phrase matters. Proactive identification of networks is not the same as investigating a specific act after a complaint, a tip, or an arrest. The language moves upstream, away from completed acts and toward recurrent motivations, indicia, and network mapping. When the categories guiding that work are framed in ideological and cultural terms, network mapping does not remain confined to the individuals at any given node. It extends outward. That is how categories begin to function as engines. Broad markers, interagency routes, and a budget request for advance identification: That is the combination now on the page.
These documents do not prove that every citizen who holds one or more of these views is already under active federal investigation. They prove something serious enough. They show that the administration has formalized a broader operational category than most citizens realize, paired it with interagency movement of information, and requested funding for proactive identification under that category. The concern is not a proven dragnet. The concern is that the categories, routes, and funding streams are now broad enough to normalize sorting before a complete individualized case exists.
Kash Patel's name appears on a cover page. Stephen Miller, Russell Vought, and Todd Blanche occupy familiar nodes of power. Those offices matter. But the signature is not the explanation. It is the citation. The explanation is the architecture written into policy, budget language, and routing authority. That architecture will outlast the current roster, and most of the litigation currently aimed at one footnote inside it. Once categories are written, routes are built, and funding is requested, somebody meets them first.
In American practice, that somebody is rarely random. Broad security language rarely falls evenly. It reaches certain communities first, long before the public agrees on what the category means or whom it is for. That is not incidental to the history. That is the history.
The recent treatment of students and faculty involved in campus Palestine solidarity shows the first mechanism clearly: label before case. Visa revocations, detention, and removal proceedings have moved ahead of any settled public showing of unprotected conduct. The label comes first. The individualized case comes later, if it comes at all. That is what proactive identification looks like when policy language leaves the page and lands on a life.
The Stop Cop City prosecutions show the second mechanism: association widening exposure. Protest activity, bail funds, and mutual aid networks were drawn into racketeering and domestic terrorism frames that stretched beyond any single completed act. Once the state begins to map relation, exposure no longer stops where conduct stops. It moves through contact, support, and nearness itself.
Standing Rock shows the third mechanism: records and suspicion moving across institutions. Federal agencies, state police, and private contractors shared surveillance functions across the very seams liberal legal culture likes to treat as safeguards. The point is that, in practice, observations, records, and suspicions moved across a cooperative field. The Information Silos order does not invent that logic. It removes more of its friction.
The post-September 11 surveillance of Muslim American communities shows the oldest mechanism: population sorting before any specific act. Whole communities were subjected to preemptive scrutiny because of religion, association, and presumed risk. That template did not disappear when the emergency rhetoric faded. It remained ready for new technologies, new authorizations, new words, and new enemies.
Taken together, these examples reveal recurring forms, not isolated abuses: label before case, association widening exposure, records moving across institutions, populations sorted in advance. None of this depends on a future court adopting the broadest possible reading of Heppner. The apparatus already knows how to work on bodies, files, and communities.
What is new is not the appetite to sort, but the route by which sorting begins. The newest entry point into an old machinery does not arrive with sirens or boots at the door. It arrives as invitation. It arrives as convenience. It arrives as a blinking cursor.
That cursor sits in a text box. That is where the sequence begins, not in a courtroom, not in a budget request, not in a raid after the fact. It begins here, at the tips of your fingers.
Once the record leaves your hands, the rest unfolds elsewhere: in retention policies you did not write, in orders you will never see, in routes built to reduce friction, in agencies already widening the categories through which they read the public. What felt private a moment ago enters systems that are not private at all.
By this point, the sequence should be visible. Ordinary use turns thought into record. Record is kept under terms the user does not control. Kept records travel along routes designed to reduce friction. They enter a state that has already begun defining, in public, the kinds of subjects it intends to sort before complete individualized stories arrive. None of those steps depends on whether one district court footnote survives appellate review. Each proceeds under its own authority and on its own timetable.
That is why civic literacy now matters at a different level. It is one of the few ways a citizen can see the structure before its output reaches him in a form he can no longer mistake. By the time most people encounter the apparatus as event, surprise is no defense. The route already existed. The category already existed. The records already existed.
That is also why the answer cannot be private caution alone. No defensive posture at one desk can interrupt an architecture built at the level of routes, retention, and category. The venues where architecture is contested are collective: civil liberties litigation at organizations like the ACLU and the Electronic Frontier Foundation; investigative reporting willing to read the documents before the output reaches the front page; and legislative pressure aimed at retention, at sharing, and at the scope of process. That is where the sequence can still be slowed. That is where it can still be narrowed. That is where it can still be broken.
The point is no longer just to be cautious at the desk. The point is to understand what the desk now connects to. Once thought becomes record, and record becomes retainable, movable, sortable, the problem is no longer private. It is structural.
The text box may feel like a place to think. It is also becoming a place where thought changes hands.
"The data marketplace where advertisers go to sell ads for a local store should not be the same place the government goes to evade warrant requirements," the Electronic Frontier Foundation asserted.
Digital rights defenders on Wednesday hailed a U.S. congressional committee's approval of legislation that would protect Americans' data from being purchased by intelligence or law enforcement agencies without a warrant.
Reps. Warren Davidson (R-Ohio), Zoe Lofgren (D-Calif.), Jerry Nadler (D-N.Y.), Andy Biggs (R-Ariz.), Ken Buck (R-Colo.), Pramila Jayapal (D-Wash.), Thomas Massie (R-Ky.), and Sara Jacobs (D-Calif.) on Tuesday reintroduced the Fourth Amendment Is Not for Sale Act (FANFSA) in a bid to close a loophole in federal law exploited by spy agencies and police to collect U.S. citizens' phone and other data without obtaining warrants.
On Wednesday, the House Judiciary Committee quickly moved to advance FANFSA.
"The Fourth Amendment protects the right to privacy, and it is not for sale," Davidson said in a statement. "Our bipartisan legislation creates needed reform by prohibiting the government from purchasing Americans' data without judicial oversight. Unconstitutional mass government surveillance must end."
Jayapal, who chairs the Congressional Progressive Caucus, said that "the Fourth Amendment protects Americans from unreasonable search or seizure and it is critical that we not let the government sidestep that right by purchasing data."
"Sensitive data that can cover anything from Americans' location data, internet activity, or healthcare data must be protected," she added. "This is a civil rights issue and it's time to ban this practice."
Groups including Demand Progress, Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC), and Free Press Action welcomed the committee's FANFSA vote.
"Democrats and Republicans on the House Judiciary Committee just made clear that the data broker loophole must and will be closed," Demand Progress senior policy counsel Sean Vitka said in a statement. "This is a major step forward for privacy in the digital age."
EPIC deputy director Caitriona Fitzgerald called FANFSA "the latest sign of bipartisan support in Congress to tackle the government's warrantless purchase of Americans' personal data, such as location information and internet records, in circumvention of the Fourth Amendment and statutory protections."
Wednesday's vote precedes the highly anticipated debate later this year over potential reauthorization of Section 702 of the Foreign Intelligence Surveillance Act, a sweeping warrantless mandate that has been abused hundreds of thousands of times, including to spy on protestors, congressional donors, journalists, and others. Section 702 is set to expire at the end of the year unless reauthorized by Congress.
From COINTELPRO—a Federal Bureau of Investigation surveillance, infiltration, and disruption program targeting U.S. leftists in which the FBI funded and armed murderous far-right militants to terrorize dissidents—to the War on Terror-era National Security Agency global mass spying exposed by exiled whistleblower Edward Snowden and monitoring of Black Lives Matter and other activists, the U.S. government has a long history of illegal surveillance of its own citizens.
"News outlets have been filled with headlines in the last year of government agencies, from immigration enforcement to the U.S. military, acquiring location data collected about you by smartphone applications," EFF said in a pro-FANFSA petition. "The data marketplace where advertisers go to sell ads for a local store should not be the same place the government goes to evade warrant requirements."
The House Judiciary Committee's FANFSA vote follows the full lower chamber's unanimous approval last week of the Davidson-Jacobs amendment to the 2024 National Defense Authorization Act that would close a loophole used by the Pentagon and NSA to purchase data that would otherwise require a warrant, court order, or subpoena.
U.S. intelligence agencies have long been accused of paying their way around the Constitution to obtain protected location information in bulk, including data from Muslim dating and prayer apps.
"The government should not be able to buy its way out of the Fourth Amendment. Requiring a warrant for any data not only protects our right to privacy, but our freedoms of association, religion, and belief," Free Press Action vice president of policy and general counsel Matt Wood said in a statement.
"This is a protection that must also extend to personal information scavenged by data brokers," he added. "The Fourth Amendment Is Not For Sale Act closes a legal loophole and ensures that law enforcement and intelligence agencies can't do an end-run around the Constitution."
"Unless U.S. surveillance laws get fixed," said one privacy campaigner, "Meta will have to fundamentally restructure its systems."
Facebook and its parent company, Meta, will soon be forced to "fundamentally" change its social media platform's structure, said one advocate following a ruling announced Monday by a data privacy panel in Ireland.
The Data Protection Commission in Ireland, where Facebook has its European Union headquarters, announced that the European Data Protection Board (EDPB) found the tech company liable for a $1.3 billion fine for transferring and storing data from E.U. users to the United States. The company was given six months to return all personal data to data centers in the E.U. and to stop transferring the information, including photos, communications, and information gathered for targeted ads.
The ruling comes three years after the European Court of Justice (ECJ) determined that data sent from the E.U. was not sufficiently protected from government spying in the U.S. The EDPB on Monday said Facebook has refused to comply with that ruling and the General Data Protection Regulation (GDPR), a set of privacy laws passed five years ago.
By transferring and storing the data of millions of E.U. users, Facebook committed "systematic, repetitive, and continuous" infringements of European users' rights, the EDPB found.
"Facebook has millions of users in Europe, so the volume of personal data transferred is massive," said Andrea Jelinek, chair of the EDPB. "The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."
A number of tech observers said the monetary fine is relatively inconsequential to the $562 billion company, but pointed to the order that Facebook delete "a decade of data" that it's relied on for targeted advertising.
The "imposition of a major fine reflects the company's continuous failure to secure the data of its users and comply with regulators," said the Real Facebook Oversight Board, a coalition of academics, journalists, and civil rights campaigners. "Meta is one of a few large companies that rely on contractual clauses to allow unfettered access to users' data. Fines may not force Meta to change its behavior, but they are a critical reminder that the company has been found, yet again, to have broken the law."
Susan Li, chief financial officer of Meta, told investors last month that the company makes 10% of its worldwide ad revenue from ads in European countries, suggesting it relies heavily on the practices the EDPB has ruled it must end.
Max Schrems, an Austrian privacy activist who won the case that went to the ECJ in 2020 regarding E.U.-U.S. data sharing, noted that "the fine could have been much higher, given that the maximum fine is more than $4 billion and Meta has knowingly broken the law to make a profit for ten years."
However, "unless U.S. surveillance laws get fixed," said Schrems, "Meta will have to fundamentally restructure its systems."
The U.S. and E.U. are currently working out a data sharing agreement to replace the "Privacy Shield" pact that was struck down in 2020.
To enable Facebook and other companies to continue moving information from the E.U. to the U.S., said Schrems, "the simplest fix would be reasonable limitations in U.S. surveillance law" to assure European officials that users will not be put at risk by American spy agencies.
"There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance," said Schrems. "It would be time to grant these basic protections to E.U. customers of U.S. cloud providers. Any other big U.S. cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under E.U. law."
Congress is set to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA) this year, and the law is a frequent target of privacy advocates who object to the mass collection of geolocation data and other rights abuses.
Without far-reaching changes to surveillance in the U.S., said Schrems, "the long-term solution seems to be some form of 'federated social network' where most personal data would stay in the E.U., while only 'necessary' transfers would continue—for example when a European sends a direct message to a U.S. friend."
Facebook said Monday that it plans to appeal the decision, but Schrems said the company can likely only "delay the payment of the fine for a bit."
"There is no real chance," he said, "to have this decision materially overturned."