Your AI Chatbot May Be Leaking Your Chats to Meta, TikTok and Google


In brief

  • Researchers at IMDEA Networks found 13+ third-party trackers embedded in ChatGPT, Claude, Grok, and Perplexity, including tools from Meta, Google, and TikTok.
  • Grok was the worst offender: guest conversations are public by default, and TikTok's tracker received verbatim message content via Open Graph metadata.
  • Rejecting cookies doesn't always help.

When you type something into an AI chatbot, you probably assume the conversation stays between you and the machine. You're wrong—and a new study spells out exactly who else is listening.

Researchers at IMDEA Networks Institute published findings on May 4 showing that all four of the biggest AI assistants—ChatGPT, Claude, Grok, and Perplexity—quietly share information with third-party advertising and analytics services, including Meta, Google, and TikTok. The project, called LeakyLM, identified more than 13 trackers embedded across these platforms. None of them are disclosed to users in plain language.

Image: IMDEA Networks Institute

Think of it this way: Every time you open a chat, invisible software tools embedded in the webpage phone home to ad networks—sending details about who you are, what page you're on, and sometimes even what you typed.

What's actually being leaked

The most basic leak is your conversation URL—a web address that points to a specific chat. Sounds harmless, right? The problem is that several platforms make those URLs publicly accessible by default, meaning anyone who has the link can read your conversation without logging in. When those URLs are also sent to Meta or Google's ad systems, those companies gain the ability to access and read your chats.

"Leaking a URL is not just metadata—it can be equivalent to leaking the conversation itself," the researchers say.

Grok, Elon Musk's AI chatbot from xAI, is the most exposed. Guest conversations are public by default on the platform—no login required to read them. TikTok's tracker received not just URLs but verbatim message content through what's called Open Graph metadata, a standard used to generate preview images when you share a link. Basically, TikTok's system received a screenshot of your conversation.


Claude (Anthropic) and ChatGPT (OpenAI) have stronger access controls—your chats aren't public unless you choose to share them. But they still transmit conversation URLs and identifying information like advertising cookies to Meta and Google. For Claude, that information goes to 11 advertising platforms through Anthropic's own servers, not through the browser, which is why an ad blocker won't stop it.
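
One way to check your own browser traffic for the two leaks described above, a conversation permalink or verbatim message text reaching third-party hosts: this is an added example, not code from the article or the LeakyLM project, and it scans a HAR export saved from the browser's developer tools. The function names, hosts and sample entries are constructed for illustration; data forwarded server-side never appears in a HAR, so a clean result covers only browser-side trackers.

```javascript
// Added example: audit a HAR export for third-party requests carrying a chat
// permalink or message text. Hosts and entries are constructed sample data.

// True when `host` is `site` or one of its subdomains.
function sameSite(host, site) {
  return host === site || host.endsWith("." + site);
}

// Forms a needle can take on the wire: raw, URL-encoded, double-encoded, form-encoded.
function variants(needle) {
  const enc = encodeURIComponent(needle);
  const forms = [needle, enc, encodeURIComponent(enc), enc.replace(/%20/g, "+")];
  return [...new Set(forms)].map((s) => s.toLowerCase());
}

// Report every third-party request field (URL, Referer, body) containing a needle.
function findLeaks(har, firstPartySites, needles) {
  const findings = [];
  for (const { request: req } of har.log.entries) {
    const host = new URL(req.url).hostname;
    if (!host || firstPartySites.some((site) => sameSite(host, site))) continue;
    const referer = (req.headers || []).find((h) => h.name.toLowerCase() === "referer");
    const fields = {
      url: req.url,
      referer: referer ? referer.value : "",
      body: (req.postData && req.postData.text) || "",
    };
    for (const [leaked, needle] of Object.entries(needles)) {
      const forms = variants(needle);
      for (const [where, value] of Object.entries(fields)) {
        const hay = value.toLowerCase();
        if (forms.some((f) => hay.includes(f))) findings.push({ host, where, leaked });
      }
    }
  }
  return findings;
}

const PERMALINK = "https://chat.example/share/abc123"; // constructed share URL
const MESSAGE = "my lab results show";                 // constructed chat text
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://chat.example/api/send", headers: [], postData: { text: MESSAGE } } },
  { request: { url: "https://pixel.tracker.example/tr?dl=" + encodeURIComponent(PERMALINK), headers: [] } },
  { request: { url: "https://analytics.ads.example/collect",
      headers: [{ name: "Referer", value: PERMALINK }],
      postData: { text: "og_description=" + encodeURIComponent("User: " + MESSAGE + " ...") } } },
  { request: { url: "https://cdn.fonts.example/font.woff2", headers: [] } },
] } };
console.log(findLeaks(SAMPLE_HAR, ["chat.example"], { permalink: PERMALINK, message: MESSAGE }));
```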

Perplexity removed its Meta tracker last month.

What you can do

The study acknowledges it hasn't proven that Meta or Google actually read anyone's chats. But the infrastructure to do so exists, and the information is being transmitted. "The studied LLMs offer privacy controls to limit conversation visibility, but may mislead users by implying stronger protections than are actually enforced," researchers argue. “While we do not yet have evidence that conversations are read by trackers, permalink dissemination and by extension the capability to read them exist, and so the potential risk.”

This isn't the first time AI platforms have faced scrutiny on privacy. Claude recently began requiring government ID verification for new subscribers—a move that drew backlash from the same privacy-conscious users who had switched from ChatGPT over surveillance concerns, as Decrypt reported last month.

For now, practical steps are limited. On Grok, restrict conversation visibility in settings and explicitly revoke any link you've already shared. On Claude, rejecting non-essential cookies at least disables the Meta Pixel. On Perplexity, set conversations to Private. On ChatGPT, rejecting cookies where possible reduces exposure, though Google Analytics still runs for free logged-in users.

If you want to go even deeper and be fully protected, our guide on AI Privacy may be a good resource to check.

The researchers plan to extend their investigation to Meta AI, Microsoft Copilot, and Google Gemini—which were excluded from this round because they operate as both AI providers and ad companies simultaneously, making the threat model more complicated.

The findings were submitted to Data Protection Authorities on April 13, 2026. xAI was notified on April 17. As of publication, no company has responded.
