LeakyLM — AI Assistants Are Leaking Your Conversations
Research Disclosure
Your AI Assistant Is Leaking Your Conversations
We disclose structural privacy risks in prominent generative AI products — Perplexity, Anthropic's Claude,<br>xAI's Grok, and OpenAI's ChatGPT — caused by third-party trackers embedded in LLM services that leak user<br>conversations, identities, and sensitive metadata.
See the Evidence<br>Report a Finding
AI Platforms Tested
13+<br>Third-party Trackers Found
Platforms Affected
Disclosed to Users
Update — [Date]
[Platform] has removed the [tracker] script following responsible disclosure.
Paper Accepted — [Venue]
Our peer-reviewed paper "[Title]" has been accepted to [Conference].
─────────────────────────────────────────────────────────── -->
Generative AI is rapidly becoming a foundational layer of the Internet, enabling the emergence of agentic<br>systems that mediate users' interaction with digital services. Despite this transformation, underlying<br>data-driven economic dynamics remain largely unchanged, as acknowledged by prominent<br>industry actors. This<br>continuity extends to the integration of third-party trackers within generative AI ecosystems to monitor<br>users' actions, which retain the capability to collect sensitive user data.
In this report, we disclose concerning structural privacy risks caused by (1) the systematic introduction of<br>third-party analytics services in prominent generative AI products developed by major AI actors such as<br>Perplexity, Anthropic's Claude, xAI's Grok, and OpenAI's ChatGPT; and (2) insecure access control mechanisms<br>in some of these LLMs that leak user conversations to third-party trackers embedded in LLM services, as well<br>as the conversation title which can be a very sensitive data type that can disclose users' concerns,<br>conversation topics, interests, and more. Meta's AI, MS Copilot, and Google Gemini are out of scope of this<br>analysis because they act both as LLM providers and third-party trackers, falling into a different threat<br>model. We plan to extend the scope of our analysis to include these products in the coming weeks.
Key privacy concerning observations
Leakage of conversation URLs to third-party advertising and tracking services
User conversations in LLM services frequently contain sensitive information introduced by end users. Yet,<br>conversation URLs are disclosed to third-party trackers such as the Meta Pixel, as shown in Figure 1 by<br>default, for Grok and Perplexity. These URLs often serve as publicly available<br>permalinks<br>with weak access control, making them accessible by default to anyone knowing the URL. This potentially<br>allows the trackers to access user conversations and their content. In Grok's case, shared conversations<br>also generate publicly accessible screenshot images of the conversation content, with verbatim message<br>text exposed in Open Graph metadata received by TikTok's tracker.<br>Table 1 describes the default access control<br>mechanisms across LLMs.
Linkability to user identities
Conversation URLs are frequently shared by LLM providers alongside tracking identifiers to third-party<br>trackers (e.g., cookies such as fbp, in the case of Meta Pixel), which<br>enable trackers to map online activity to user identities and behavioral profiles per<br>official privacy policies. In some cases, the trackers also perform<br>cookie syncing/server-side tracking<br>and collect user email hashes through the logging forms, allowing for persistent user tracking, targeting,<br>and<br>reidentification. Table 2 lists the PII and conversation leaks observed.
Potentially misleading privacy controls and privacy disclosures
The studied LLMs offer privacy controls to limit conversation visibility, but may mislead users by implying stronger protections than are actually enforced. Privacy policies of<br>Grok,<br>Perplexity,<br>OpenAI, and<br>Claude<br>confirm the collection of user conversations, usage telemetry, and metadata for first-party purposes, the use of third-party cookies (e.g., Meta, Google, TikTok) for analytics and advertising, and data sharing with third parties. Yet, they do not clearly state that user conversations are shared with online advertising and tracking services — relying instead on broad language (e.g., "content you submit" or "business partners") that leaves uncertainty about actual data flows. Cookie consent forms present further transparency shortcomings, as Fig. 2 shows.
Although preliminary, our findings reveal systemic weak privacy and security postures across LLM services.<br>While we do not yet have evidence that conversations are read by trackers, permalink dissemination and by<br>extension the capability to read them exist, and therefore the potential risk.
Privacy Impact: Why does it matter?
Generative AI systems are rapidly reaching mass adoption. According to<br>Eurostat, 32.7% of the EU population (ages 16–74) used generative AI in 2025 , primarily for personal<br>purposes (25.1%), but also for work (15.1%), covering all sorts of professionals, and...