Law and The Machine

The Death of Attorney-Client Privilege in the AI Era

April 10, 202617:02Law and The Machine

This episode explores the landmark *United States v. Heppner* case, where a federal court ruled that a defendant's AI chats with Claude, used for legal strategy, were not protected by attorney-client privilege or work-product doctrine and could be used against him. Listeners will learn how established legal principles, like the Third-Party Doctrine, are being applied to AI, demonstrating that consumer-facing LLMs offer no confidentiality due to their terms of service and data processing. The discussion serves as a critical warning about the legal risks and lack of privacy when using public AI tools for sensitive information.

Key Takeaways

Detailed Report

The rapid integration of artificial intelligence into daily life is fundamentally reshaping established legal protections, particularly attorney-client privilege and personal privacy. Recent court rulings highlight a critical shift: public AI platforms are not considered private confidants, and interactions with them can lead to the forfeiture of sensitive information.

The Heppner Precedent: A Blow to Attorney-Client Privilege

In *United States v. Heppner*, a former CEO under federal investigation for fraud used Anthropic's Claude to brainstorm defense strategies, feeding it sensitive case details before emailing the AI-generated documents to his legal team. The FBI subsequently seized these documents, and the government moved to use them as evidence.

Judge Rakoff of the Southern District of New York dismissed Heppner's claim of attorney-client privilege and work-product protection. The judge's reasoning was rooted in established legal doctrine, not new law. First, Claude is not a lawyer and explicitly disclaims giving legal advice; thus, conversations with it are not privileged communications between a client and an attorney.

Second, and more devastatingly, the 'Third-Party Doctrine' applied. For privilege to exist, there must be a reasonable expectation of confidentiality. Judge Rakoff noted that Anthropic's privacy policy stated they collect user inputs, may use them for training, and can disclose data to third parties or governmental authorities. By agreeing to these terms, Heppner voluntarily shared his information with a third party, legally akin to discussing defense strategy loudly in a crowded coffee shop. The work-product doctrine also failed, as Heppner acted independently, not at the direction of his counsel.

From a technical standpoint, this ruling acknowledges that data entered into consumer web interfaces like Claude or ChatGPT is immediately transmitted to the AI company's servers, logged, processed, and stored. This data leaves the user's control, entering a corporate system, and thereby becomes discoverable.

Mass Disclosure: The In re OpenAI MDL

The implications of this loss of privacy extend beyond individual cases. In the *In re OpenAI* multidistrict litigation, a class action combining numerous copyright lawsuits, plaintiffs sought 120 million user conversation logs to prove OpenAI trained its models on copyrighted works. OpenAI initially offered 20 million logs, then tried to backtrack, citing user privacy.

Judge Stein rejected OpenAI's argument, compelling the production of the 20 million de-identified logs. The court's reasoning echoed *Heppner*: users 'voluntarily disclosed' their communications to OpenAI, agreeing to terms that granted OpenAI legal ownership and retention of those logs. While the court acknowledged user privacy interests, it deemed them adequately addressed by de-identification, sample size reduction, and protective orders.

However, 'de-identification' in the context of large language model logs is often a legal fig leaf. Stripping out names or email addresses may not prevent re-identification if the content of the query itself contains highly specific or unique details. This ruling exposed millions of private queries to opposing lawyers and expert witnesses, demonstrating that user privacy on consumer AI platforms is effectively non-existent when faced with civil discovery.

Maintaining Privilege: The Tremblay Exception and Secure AI

There is a critical distinction for maintaining privilege, as seen in *Tremblay v. OpenAI*. In this copyright infringement lawsuit, attorneys used ChatGPT to generate summaries of authors' works to build their case. When OpenAI demanded these prompts and outputs during discovery, Judge Martinez-Olguin denied the request, ruling them protected 'opinion work product.' The judge viewed the queries as 'crafted by counsel and contain counsel's mental impressions and opinions about how to interrogate ChatGPT,' equating generative AI to a 'tool, not a person.'

This highlights two key variables for discoverability: *who is using the tool* and *what is the expectation of confidentiality*. In *Tremblay*, attorneys were authoring prompts as part of a deliberate litigation strategy, whereas in *Heppner*, the client acted independently. The work-product doctrine protects a lawyer's strategic thinking, not a defendant's independent internet research.

Confidentiality also hinges on the terms of service. Heppner used a public, consumer-facing AI with terms allowing data harvesting. In contrast, legal professionals and corporations that successfully protect their AI work product, as in *Warner v. Gilbarco, Inc.*, typically utilize 'closed-universe,' enterprise-grade AI tools with strict zero-retention contracts. This creates a two-tiered system: consumer AI offers zero legal privacy, while enterprise solutions can provide protection.

The Government's Double Standard: FOIA and Deliberative Process Privilege

A significant contradiction emerges when examining the government's own use of AI. In *United States v. Heppner*, the Department of Justice successfully argued that a private citizen waives confidentiality by typing sensitive information into a commercial, third-party AI platform, relying heavily on the AI company's terms of service.

Simultaneously, federal agencies like the FDA and Department of Energy are rapidly adopting these same commercial AI platforms to summarize policy memos, draft regulatory guidance, and analyze sensitive data. These internal government deliberations are transmitted to third-party corporate servers (e.g., Microsoft, Google, OpenAI).

Under the Freedom of Information Act (FOIA), the public has a right to federal agency records, though the government often shields internal documents using FOIA Exemption 5, the 'deliberative process privilege.' This privilege protects pre-decisional, internal agency memos. However, applying the DOJ's *Heppner* logic, the government, by using commercial AI, has 'voluntarily disclosed' its internal deliberations to a third party, thereby waiving its deliberative process privilege.

Despite this, when journalists or watchdog groups file FOIA requests for AI-generated agency records or prompts, agencies routinely deny them, claiming the deliberative process privilege remains intact. This represents a blatant double standard: the government weaponizes AI terms of service against private citizens while ignoring those same terms to protect its own internal processes.

Conclusion

The legal landscape for AI interactions is rapidly evolving, with profound consequences for individual privacy and legal protections. The *Heppner* and *OpenAI MDL* cases serve as stark reminders that consumer AI platforms offer no inherent privacy or privilege. The critical distinction lies in who is using the tool and the contractual expectation of confidentiality. As AI becomes more ubiquitous, users must be acutely aware that interacting with a chatbot can unknowingly forfeit fundamental legal rights, and the government's inconsistent application of these principles raises serious questions about fairness and transparency.

Show Notes

Works Referenced

  • United States v. Heppner: A landmark 2024 ruling by Judge Rakoff in the Southern District of New York that found communications with a public AI chatbot are not protected by attorney-client privilege or work-product doctrine.
  • Anthropic: The AI company behind Claude, whose terms of service were central to the *Heppner* ruling regarding user data collection and disclosure.
  • Claude: The specific AI chatbot used by Bradley Heppner, a former CEO, to brainstorm defense strategies, leading to the precedent-setting *United States v. Heppner* decision.
  • In re OpenAI multidistrict litigation (OpenAI MDL): A consolidated class action lawsuit combining over a dozen copyright claims against OpenAI, where the court compelled the disclosure of millions of de-identified user conversation logs.
  • OpenAI: The AI company facing the multidistrict litigation and other lawsuits, whose user data retention policies were scrutinized by the courts.
  • ChatGPT: OpenAI's prominent AI chatbot, whose user logs were subject to discovery in the *In re OpenAI* multidistrict litigation.
  • Tremblay v. OpenAI: A 2024 copyright infringement lawsuit where the court protected attorneys' prompts to ChatGPT as opinion work product, distinguishing it from client-initiated AI use.
  • Sarah Silverman: An author mentioned as a plaintiff in the *Tremblay v. OpenAI* case, alleging copyright infringement by AI models.
  • Baker Donelson: A law firm whose legal alert, AI and Attorney-Client Privilege: Who Holds the Pen?, was referenced for its insights on the discoverability of AI interactions.
  • *Warner v. Gilbarco, Inc.*: A hypothetical 2026 case mentioned as an example where enterprise-grade AI tools with zero-retention contracts successfully protected AI work product.
  • Microsoft Copilot: An example of a commercial Large Language Model (LLM) that federal agencies are adopting for internal government use.
  • Google Gemini: Another example of a commercial Large Language Model (LLM) being used by federal agencies.
  • Department of Justice (DOJ): The U.S. federal agency that successfully argued in *United States v. Heppner* that using commercial AI waives confidentiality, while simultaneously claiming privilege for its own AI-assisted deliberations.
  • Freedom of Information Act (FOIA): A U.S. federal law granting the public the right to access government records, relevant to the discussion of government AI use and transparency.
  • Food and Drug Administration (FDA): A U.S. federal agency mentioned as adopting commercial LLMs for internal operations.
  • Department of Energy: A U.S. federal agency mentioned as adopting commercial LLMs for internal operations.

Glossary

  • Attorney-client privilege: A legal rule that protects confidential communications between a client and their attorney from disclosure in legal proceedings.
  • Work-product doctrine: A legal principle that protects materials prepared by an attorney (or at their direction) in anticipation of litigation from discovery by opposing parties.
  • Third-Party Doctrine: A legal concept stating that individuals have no reasonable expectation of privacy in information voluntarily disclosed to third parties, such as service providers.
  • LLM (Large Language Model): An artificial intelligence program trained on vast amounts of text data, capable of understanding, generating, and responding to human language.
  • De-identification: The process of removing or obscuring personal identifiers from data to protect individual privacy, though perfect de-identification in AI contexts is often difficult.
  • Multidistrict litigation (MDL): A legal procedure in the U.S. federal court system that consolidates multiple similar lawsuits from different districts into one court for pretrial proceedings to streamline discovery and other processes.
  • Opinion work product: A stronger form of work product protection that shields an attorney's mental impressions, conclusions, opinions, or legal theories from discovery.
  • Zero-retention contracts: Agreements with AI service providers that guarantee user data and prompts are not stored, logged, or used for model training after processing, ensuring maximum confidentiality.
  • Freedom of Information Act (FOIA): A U.S. federal law that grants the public the right to request access to records from any federal agency.
  • Deliberative process privilege (FOIA Exemption 5): A specific exemption under FOIA that protects internal, pre-decisional communications within federal agencies, allowing officials to discuss policy candidly without public scrutiny.

Full Transcript

HostImagine this: you're under federal investigation, facing serious charges. You turn to an AI, like Claude, to help you brainstorm defense strategies, to get your thoughts in order. You think it's a private conversation, like a digital notepad for your legal team.
ExpertAnd then, the federal government seizes those exact AI chats and uses them *against* you in court, arguing that by typing them into the AI, you effectively shouted your deepest legal strategies to the world.
HostThat's not a hypothetical. That's exactly what happened in *United States v. Heppner* just a few months ago, a ruling that has completely upended the foundational concept of attorney-client privilege in the AI era.
ExpertIt's a wake-up call that "private" AI conversations are anything but. The law is finally catching up to the technical reality of how these models work, and it's not looking good for user confidentiality.
HostThis *Heppner* ruling is astonishing. Bradley Heppner, a former CEO, was under investigation for a $300 million fraud. He knew he was a target. He had lawyers. But on his own, he went to Anthropic's Claude. He fed it sensitive details about his case, asked it for defense strategies, and then emailed those 31 AI-generated documents to his legal team.
ExpertAnd the FBI, after seizing his devices, found those documents. The government moved to use them as evidence. Heppner’s defense, naturally, claimed attorney-client privilege and work-product protection.
HostBut Judge Rakoff in the Southern District of New York just... dismissed it. Flat out. How did he do that?
ExpertHe didn't invent new law, that's the thing. He applied established, decades-old legal doctrine to a new technology. First, he pointed out the obvious: Claude is not a lawyer. Attorney-client privilege is strictly for communications *between a client and a lawyer*. Claude explicitly disclaims giving legal advice. So, in the eyes of the court, Heppner was essentially having a conversation with a very sophisticated, but legally unqualified, third party.
HostBut Heppner intended for these conversations to inform his lawyers! He sent them the documents. Doesn't that count?
ExpertNot in this context, because of the second, and arguably more devastating, point: the "Third-Party Doctrine." For privilege to exist, there has to be a reasonable expectation of confidentiality. Judge Rakoff looked at Anthropic's privacy policy, which states they collect user inputs, may use them for training, and can disclose data to third parties or governmental authorities. Heppner agreed to these terms.
HostSo, by agreeing to the terms of service, he forfeited any expectation of privacy?
ExpertExactly. The court's logic is brutal in its simplicity: voluntarily typing sensitive information into a public LLM is legally no different than discussing your defense strategy loudly in a crowded coffee shop. You've shared it with a third party—Anthropic, in this case—and once you do that, the law says you've waived your right to confidentiality. It's a corporate data broker, in the court's view, not a private confidant.
HostThat's a gut punch for anyone who uses these tools thinking they're a private brainstorming partner. And what about the work-product doctrine? That protects materials prepared in anticipation of litigation.
ExpertThat also failed, because Heppner acted on his own. The work-product doctrine generally protects materials prepared *by or at the direction of counsel*. Since his lawyers didn't instruct him to use Claude, the documents didn't reflect their strategy at the time of creation. And simply forwarding them afterward? That didn't retroactively convert them into protected work product. The privilege was gone the moment he hit "send" on that first prompt.
HostSo, the moment you type it into a public AI, it's out there. There's no calling it back. From a technical standpoint, how does that data actually flow?
ExpertThat's key. When you type a prompt into a consumer web interface like Claude or ChatGPT, that data doesn't stay on your machine. It's immediately transmitted to the AI company's servers. It's logged, processed, and often stored in massive data lakes. These logs are used for model training, for human review, for all sorts of purposes that are explicitly laid out in those terms of service that nobody reads. The law is simply acknowledging this technical reality: the data is leaving your control and entering a corporate system, making it discoverable.
HostSo, Heppner shows us the risk at an individual level. But this isn't just about one person's misstep. We're seeing this play out on an industrial scale, right?
ExpertAbsolutely. Look at the *In re OpenAI* multidistrict litigation. This is a massive class action combining over a dozen copyright lawsuits by news organizations and authors, all alleging OpenAI trained its models on their copyrighted works without permission.
HostAnd how does Heppner's problem of personal privacy scale up here?
ExpertTo prove their case, the plaintiffs needed to see how ChatGPT interacts with users, specifically how often it might be regurgitating copyrighted material. They requested 120 million user conversation logs. OpenAI, after some pushback, offered a sample of 20 million.
Host20 million user logs. That's a staggering amount of data.
ExpertIt is. But then OpenAI tried to backtrack, saying they should only have to produce logs that explicitly implicated the plaintiffs' works, arguing that producing "unrelated" logs would invade user privacy.
HostAnd the court said…?
Expert"No." Judge Stein rejected OpenAI's argument, compelling them to hand over the full 20 million de-identified logs. And the reason he gave is what really connects to *Heppner*: users "voluntarily disclosed" their communications to OpenAI. Just like Heppner, ChatGPT users willingly hand their data over to the platform, agreeing to terms that grant OpenAI legal ownership and retention of those logs.
HostSo, the court basically said, "You signed the contract, you gave up your privacy."
ExpertPrecisely. Judge Stein acknowledged that users might have "sincere" privacy interests, but he ruled those interests were adequately addressed by things like de-identification, reducing the sample size, and a protective order.
HostLet's talk about that "de-identification" for a second, because that feels like a legal fig leaf to me. If I'm asking ChatGPT for advice on my specific, obscure medical condition, or a very niche corporate strategy for my company, even if they strip out my name, the content itself is still highly identifying, isn't it?
ExpertIt absolutely can be. "De-identification" in the context of LLM logs is notoriously difficult, if not impossible, to do perfectly. An AI company might strip out your email address or your name, but if you're asking it to "Draft an email to my boss, Sarah at Initech, about my medical leave for a broken femur," the *content* of that prompt contains incredibly specific, identifying information. For a determined adversary, or even just for an expert witness sifting through millions of logs, reconstructing identities or specific scenarios becomes much easier than courts often assume.
HostAnd the hypocrisy here from OpenAI is striking. They fight tooth and nail against copyright claims, often invoking "fair use," but then they try to use their users' privacy as a shield when it's convenient for them in discovery.
ExpertExactly. When the court pierced that shield, it exposed 20 million users' private queries to a team of opposing lawyers and expert witnesses. It really demonstrates that for consumer AI platforms, user privacy is effectively non-existent when faced with civil discovery.
HostSo, on one side, we have *Heppner*, where an individual's legal privilege is shattered. On the other, the *OpenAI MDL*, where the collective privacy of millions is exposed. Is there any way to use AI tools and maintain privilege or confidentiality?
ExpertYes, there is. The critical distinction lies in *Tremblay v. OpenAI*, another significant case from 2024. This was a copyright infringement lawsuit brought by authors like Sarah Silverman. Their attorneys actually used ChatGPT *themselves* to generate summaries of the authors' works to prove the AI had memorized copyrighted content.
HostSo, the lawyers were using the AI to build their case.
ExpertRight. And then, during discovery, OpenAI demanded that the plaintiffs hand over *all* the prompts and outputs their lawyers had generated, including those that failed to produce copyrighted text. They wanted to see the lawyers' internal thought process.
HostAnd the court protected those?
ExpertYes. Judge Martinez-Olguin denied OpenAI's request, ruling that those prompts were protected **opinion work product**. The judge said the queries were "crafted by counsel and contain counsel's mental impressions and opinions about how to interrogate ChatGPT." She explicitly called generative AI "tools, not persons," equating the prompts to a litigant's "internal mental impressions reformatted through software."
HostSo, the key difference seems to be "who holds the pen," as one law firm put it.
ExpertPrecisely. A legal alert from Baker Donelson, which we've been following, really crystalizes this. They argue the discoverability of AI interactions hinges on two variables: *who is using the tool* and *what is the expectation of confidentiality*. In *Tremblay*, attorneys were authoring the prompts as part of a deliberate litigation strategy. In *Heppner*, the client acted independently. The work-product doctrine protects a lawyer's strategic thinking, not a defendant's independent internet research.
HostAnd the second variable? Confidentiality. That goes back to the terms of service, right?
ExpertAbsolutely. Heppner used a public, consumer-facing version of Claude with terms of service that explicitly allowed data harvesting and third-party disclosure. In contrast, cases like *Tremblay* saw AI work product protected because attorneys crafted the queries as opinion work product. Law firms and corporations that successfully protect their AI work product, as seen in another 2026 case, *Warner v. Gilbarco, Inc.*, typically use "closed-universe," enterprise-grade AI tools with strict zero-retention contracts.
HostSo, it's a two-tiered system. If you're a private citizen using a free or standard paid tier of an AI chatbot, you have zero legal privacy. None. Your chats are discoverable in a divorce, a civil lawsuit, or a criminal probe.
ExpertAnd if you're a lawyer paying $100,000 a year for an enterprise, zero-retention AI environment, your work is protected. It's a stark class divide for digital rights. The average consumer is lured into a false sense of security by these conversational, anthropomorphic interfaces, making them feel like a private diary or a thought partner. But legally, there's no difference between typing a confession into ChatGPT and posting it on a public billboard owned by a data broker.
HostThe willful ignorance of the consumer, as you called it. We just click "agree" on those terms of service, and courts are holding us to those contracts with ruthless efficiency.
ExpertIt's a trap. A legal trap, built on the technical architecture of these platforms and user behavior.
HostThis brings us to "The Conflict Docket," our recurring segment where we explore the blurring lines between AI regulator, contractor, and lobbyist. And this week, the government itself seems to be operating under a massive double standard.
ExpertThat's an understatement. In *United States v. Heppner*, the Department of Justice successfully argued that when a private citizen types sensitive information into a commercial, third-party AI platform, they destroy their expectation of confidentiality. They relied heavily on the AI company's Terms of Service.
HostBecause that data leaves your control and goes to a corporate server.
ExpertExactly. Legal privilege, waived. Now, at the same time, the federal government itself is rapidly adopting these *exact same commercial AI platforms*. Throughout late 2025 and into this year, agencies like the FDA and the Department of Energy are deploying commercial LLMs to summarize policy memos, draft regulatory guidance, analyze sensitive data. They're spending hundreds of millions of dollars on this.
HostSo federal workers are using Microsoft's Copilot, or Google's Gemini, or some enterprise version of OpenAI, to handle internal government deliberations.
ExpertThat's the setup. And here's the conflict: under the Freedom of Information Act, the public has the right to request records from federal agencies. But the government often shields its internal documents using FOIA Exemption 5, the "deliberative process privilege." This privilege protects pre-decisional, internal agency memos, allowing officials to debate policy candidly without public scrutiny.
HostSo, if a federal employee uses a commercial AI platform to draft a pre-decisional policy memo, that data is transmitted to a third-party corporate server. Microsoft's, Google's, OpenAI's.
ExpertCorrect. Now, apply the DOJ's *exact logic* from the *Heppner* case. The government has just "voluntarily disclosed" its internal deliberations to a third party. Therefore, it should have entirely waived its deliberative process privilege for those documents.
HostBut I bet that's not what happens.
ExpertNot at all. When journalists or watchdog groups file FOIA requests for AI-generated agency records or the prompts federal workers are using to shape public policy, agencies routinely deny them, claiming the deliberative process privilege remains intact.
HostSo, when a private citizen uses commercial AI, the DOJ says the presence of a corporate third-party destroys confidentiality. But when a federal agency uses commercial AI, the government claims its confidentiality is magically preserved. It's a blatant double standard.
ExpertIt's more than a double standard; it's a fundamental contradiction. The government is weaponizing the terms of service of these AI companies against private citizens, while simultaneously ignoring those very same terms when it comes to its own operations and seeking to protect its internal processes.
HostSo, the question that is left hanging for our listeners is this: If the Justice Department argues that typing sensitive data into an AI platform waives legal privilege for a private citizen, why does the government believe its own deliberative process privilege remains intact when federal workers use those same commercial platforms?
HostIt seems we're entering a new legal landscape where old rules are being applied to new tech with devastating consequences for individual privacy and legal protections.
ExpertAbsolutely. The first key takeaway is that the AI Third-Party Doctrine is real. The *Heppner* ruling confirms that using a public AI platform for legal, financial, or any sensitive matter acts as a total waiver of attorney-client privilege. The law sees the AI not as a private tool, but as a corporate third-party listener.
HostAnd once that bell is rung, you can't un-ring it. Sending those AI-generated documents to your lawyer *after* the fact won't shield them. The moment you hit "send" on a prompt to a public LLM, your privacy is forfeited.
ExpertThird, the idea of "de-identification" for consumer AI data is largely a legal fig leaf. The forced disclosure of 20 million ChatGPT logs in the *OpenAI MDL* proves that user privacy on consumer AI platforms cannot withstand civil discovery. AI companies will, and do, happily surrender your data to protect themselves in court.
HostFinally, there's a critical, legally recognized difference between a client independently consulting a public AI, which is discoverable, and an attorney directing the use of an enterprise, closed-universe AI tool with strict zero-retention contracts. That distinction is the only real avenue for protecting AI work product right now.
ExpertIt really makes you wonder: as these AI tools become more ubiquitous, how many people are unknowingly forfeiting their fundamental legal rights just by interacting with a chatbot?
HostAnd what happens when these same government agencies start using this data against their own citizens, while still claiming privilege for their own AI-assisted deliberations?