Tracking Conversations: Measuring Content and Identity Exposure on AI Chatbots
This work systematically characterizes privacy risks in AI chatbot interactions for end users, revealing widespread third-party tracking.
The paper measures web tracking on 20 popular AI chatbots, finding that 17 share information with third parties, including plaintext conversation text shared by three chatbots via Microsoft Clarity and conversation URLs/identifiers shared by 15 chatbots with advertising or analytics endpoints.
AI chatbots are becoming a primary interface for seeking information. As their popularity grows, chatbot providers are starting to deploy advertising and analytics. Despite this, tracking on AI chatbots has not been systematically studied. We present a systematic measurement of web tracking on 20 popular AI chatbots. Under controlled settings using a sensitive prompt, we capture and compare network traffic in normal chats and, where supported, private chats. We search for exposure of two categories of information: content, including prompts, prompt-derived titles, chat URLs, and chat identifiers; and identity, including names, emails, account identifiers, first-party cookies, and explicit IP/User-Agent fields in payloads. We find that 17 of 20 chatbots share information with at least one third party. Three chatbots share plaintext conversation text, including both prompt and response snippets, with Microsoft Clarity through session replay. Fifteen chatbots share conversation URLs or chat identifiers with third-party advertising, analytics, or social endpoints. Several chatbots expose user identity through support widgets, analytics, advertising, and session replay tags; in some cases, hashed emails are shared.