AI assistants share sensitive user data, study finds

Researchers from University College London in the United Kingdom and the University of Reggio Calabria in Italy analyzed ten AI assistants that must be downloaded and installed on a computer or mobile phone to be used, and found that they collect a lot of personal data about users' online activity.
The analysis revealed that several assistants transmitted the full content of web pages, including information visible on the screen, to their servers.
One of the AI assistants, Merlin, captured form inputs such as banking or health information, while ChatGPT, Copilot, Monica, and Sider were able to infer user attributes such as age, gender, income, and interests, and used this information to personalize responses even across different browsing sessions.
"This data collection and sharing is not trivial. Beyond selling or sharing data with third parties, in a world where massive cyberattacks are frequent, there is no way to know what is happening to browsing data once it is collected," warned Anna Maria Mandalari, one of the study's authors, quoted in a statement from University College London.
For the study, researchers simulated real-world browsing scenarios by creating the persona of a "rich millennial [digital native] male from California" in the United States, which they used to interact with the assistants while completing common internet tasks, including reading the news, shopping on Amazon, and watching videos on YouTube.
Activities in a private space were also included, such as accessing a university health portal, logging into a dating service, or accessing pornography, which researchers assumed users would not want tracked because the data is personal and sensitive.
According to the study, conducted in the United States, some AI assistants, including Merlin and Sider, did not stop recording activity when the user switched to the private space as they should have, violating US data protection laws by collecting confidential health and education information.
The study's authors argue for the urgent need for regulatory oversight of AI assistants to protect users' personal data and recommend that developers adopt privacy-by-design principles, such as explicit user consent for data collection.
noticias ao minuto