I was reviewing a contract for a new client when the usual paranoia crept in: this indemnification clause — could it blow up in my face if the project goes sideways? I didn't feel like booking time with a lawyer for what was probably a minor concern. I opened Claude, pasted the clause, asked my question. Got a useful answer. Moved on.
Two weeks later, United States v. Heppner dropped into my feed and I went cold.
Not because I'm in a federal lawsuit — spoiler: I'm not — but because I understood something nobody had clearly explained to me when I started using these tools for real work: that conversation I had with Claude has zero legal protection equivalent to attorney-client privilege. It's discoverable. It's potential evidence. And I used it like it was a confidential consultation with a licensed professional.
Mandatory and non-negotiable disclaimer: I'm not a lawyer. This post is not legal advice of any kind. It's the reflection of a software architect who read a ruling and got scared enough to write about it. Talk to an actual lawyer for any concrete legal situation.
Legal Privilege and AI Chats: What the Heppner Ruling Actually Says
United States v. Heppner is a U.S. federal case, and technically it doesn't directly apply if you're outside the States. But the legal principle it establishes is universally relevant: attorney-client privilege requires, among other things, that the communication be with an attorney.
An AI is not an attorney. An AI is not licensed to practice law. An AI has no deontological confidentiality obligations. Therefore, what you tell an AI — even if you're asking about things with legal implications — enjoys zero protection under that privilege.
The court was pretty direct about it: the fact that someone believes they're having a confidential conversation doesn't create that privilege. Legal protection has formal requirements. AI chats don't meet them.
Now stop for a second and think about how many times you've asked your favorite model something like:
- "Is this non-compete clause reasonable?"
- "What happens if I miss the delivery deadline in this contract?"
- "Can I let someone go during their probation period without cause?"
- "Does this invoice have any tax issues?"
If you use these tools for your work, I'd bet you have. I have. And now we know that those conversations, under certain legal conditions, can be subpoenaed as evidence.
The Real Problem: The Privacy Model Nobody Explains to You
Here's the core of the issue — and this is where I get more technical because it's my turf.
When you start using Claude, ChatGPT, Gemini, or any LLM through a web interface, you're agreeing to terms of service that most people skim or skip entirely. Those terms establish, among other things, how your conversations are used. In some cases for training (with opt-out available), in others not. But the key point isn't training — it's that that data lives on third-party servers.
When you use the API — like I do for various workflows I've written about in other posts — the picture shifts a bit. Anthropic, for example, has stricter policies around data retention on the API vs. the web interface. But "stricter" isn't the same as "legally protected."
The mental model most people have when talking to an AI looks like this:
[You] ←→ [AI]
↑
(like a private
conversation)
The actual model looks more like this:
[You] → [Interface/App] → [Provider's Servers] → [Model]
↓ ↓
[Logs] [Data retained per
[Metrics] privacy policy]
↓
[Potentially
subpoenable via
court order]
I'm not saying Anthropic or any other provider is selling your data to the highest bidder. That's not the point. The point is that there's a chain of custody over that information that you don't control, and under certain legal conditions — subpoenas, court orders, investigations — that information can be demanded from the provider.
When I spent weeks optimizing my Claude Code workflow to automate repetitive tasks, this angle never crossed my mind. I was thinking about productivity. The Heppner ruling made me think about it as attack surface.
What You Can Actually Do: Separating Contexts With Intention
Here's the constructive part, because the goal isn't to scare you away from your tools. AI is genuinely useful. I use it every day. The point is using it with awareness of what information you're feeding into each context.
Practical Rule 1: Never Paste Real Legal Documents With Identifying Data
If you have a question about a contract clause, you can describe the situation in the abstract without pasting the full contract with real names, amounts, and dates.
// ❌ What you shouldn't do
"Check out this clause from the contract with Acme Corp, Tax ID 20-12345678-9,
for $500,000 that we signed on 03/15/2025..."
// ✅ What you can do
"In a service contract, there's a clause stating the provider
is liable for direct and indirect damages with no cap on the amount.
What general risks does this create for the provider?"
The difference is enormous. In the first case you're creating a record linkable to you and a specific situation. In the second you're making a conceptual inquiry.
Practical Rule 2: For Things That Matter, Use the API With Your Own Infrastructure
If you handle sensitive information frequently, the difference between using the web interface and using the API with a server you control is significant. In the first case, data lives on Anthropic's servers. In the second, you can configure things so the context doesn't leave your infrastructure.
It's not perfect — it still goes through Anthropic's servers for inference — but you can have much more control over what metadata gets generated and how things are stored locally.
When I set up my local MCP server, part of the reasoning was exactly this: I wanted certain tools running on my infrastructure, not in some third-party cloud. I wasn't thinking about legal implications at the time, but the principle applies directly.
Practical Rule 3: Know Your Provider's Retention Policy
Every provider has different policies. Worth reading, even just skimming:
- Anthropic API: by default doesn't use conversations for training, 30-day retention for abuse monitoring
- Claude.ai (web): has privacy controls but conversations pass through their servers
- ChatGPT: has training opt-out, but conversations are stored
- Self-hosted models: you manage everything — maximum control, maximum operational responsibility
When in doubt, a locally-run model like Ollama with Llama or Mistral running on your own machine is the only option where data genuinely doesn't leave your control. The tradeoff is capability vs. privacy.
The Mistakes I Actually Made
Back in 2023, when I started using the Claude API to automate things at work, I learned the hard way that giving it generic context produces generic garbage. What I also learned — later, and more painfully — is that the context you provide creates a record.
Some concrete mistakes I made or watched others make:
1. Using the chat as a repository for sensitive information
I'd ask questions and include client information, project details, dollar amounts in the context. For the model it was useful context. For me, in retrospect, it meant creating a record of confidential information on servers I don't control.
2. Assuming "delete the chat" means the data is gone
It's not. Deleting a conversation from your view doesn't necessarily delete the data from the provider's systems. There's a difference between clearing your chat history from the interface and having the server logs actually purged.
3. Not separating personal accounts from work accounts
Using the same Claude account to ask about Netflix shows and to review client contracts mixes contexts that should be kept apart.
This reminds me of the chaos I went through when I accidentally broke hot reload in my Docker setup by not understanding the layers properly — same root problem: not understanding the underlying model leads to unexpected consequences. Like when I was optimizing that Docker image and ran into problems I hadn't anticipated.
FAQ: Legal Privilege and AI Chats
Does the Heppner ruling apply outside the US?
Not directly — it's a U.S. federal ruling. But the legal principle is universally relevant: attorney-client privilege has formal requirements that an AI cannot satisfy in any jurisdiction. In most countries, the professional secrecy protections for lawyers have specific legal backing that simply doesn't extend to conversations with AI tools.
Does this mean I shouldn't use AI for anything law-related?
No. It means you need to be aware of what information you're sharing and understand those conversations carry no special legal protection. Using AI to understand general legal concepts, research public case law, or draft documents you'll later review with an actual lawyer is very different from using it as a substitute for a confidential legal consultation.
What if I use a local AI model, like Ollama?
In that case data doesn't leave your infrastructure, which eliminates the third-party problem of someone who can be hit with a court order. However, if that data is on your computer or server, you're the one who could be required to provide it. Privacy improves; legal exposure doesn't magically disappear.
Can AI providers refuse to hand over data when served with a court order?
They can try to fight it legally, but in general tech companies in the US comply with valid subpoenas. Providers publish transparency reports showing how many legal requests they receive. That number is not zero.
Is there any way to use AI with something close to real confidentiality?
The closest approximation: a local model (Ollama, LM Studio) running on hardware you control, not sending data to external services, on an isolated network. That's maximum privacy mode. The cost is that current local models have significantly less capability than frontier models like Claude or GPT-4. For many use cases it's enough; for complex legal analysis, probably not.
Should I be worried if I only asked Claude something minor?
Realistically, nobody is going to subpoena your conversations about whether a minor clause affects you — unless you're in the middle of relevant litigation. The problem isn't the immediate risk, which is probably low for most people. It's the wrong mental model: thinking it's confidential when it's not. That's what needs to be corrected.
The Problem Isn't the AI — It's the Mental Model
The Heppner ruling doesn't make me want to stop using AI tools. I still use them every day. Still automating things, still using them to understand concepts I don't have deep expertise in, still experimenting with architectures like the ones I talked about in the post on overengineering AI agents.
What changed is the mental model I walk in with.
Talking to an AI is not like talking to a lawyer, a doctor, an accountant, or any professional with deontological confidentiality obligations. It's closer to Googling with steroids: useful, powerful, but with zero implicit legal protection.
And that's fine. Tools are what they are. The problem appears when you use them as if they were something else.
What actually pisses me off — and this is the constructive kind of anger — is that nobody explains this to you when you start. The onboarding for any AI tool is optimized to get you to your first useful output as fast as possible. The actual privacy model, the legal implications of sharing certain information, the real limits of what these tools can and can't do: you discover all of that on your own, like I did, reading a federal ruling at 11pm.
So here's the practical summary: use AI for everything that's useful to you. But before you paste that contract, that sensitive conversation, that situation with real legal implications — ask yourself whether you want that information to exist on a server you don't control. Most of the time the answer will be that it doesn't matter. Sometimes it'll matter a lot.
For the second kind: talk to an actual lawyer. AI tools, for now, aren't built for that.
Do you have an internal policy for what information you can feed into AI tools? Or are you winging it like most people? I'm genuinely curious how you're handling this — drop a comment or shoot me a message.
Top comments (0)