Your latest chat transcript could be bought and sold. Data brokers are selling access to sensitive personal data captured during chatbot conversations, despite claims that the data is anonymized and obtained with consent.

Lee S Dryburgh, an expert in AI visibility for consumer health and longevity brands, explained how this works in a report provided to The Register.

People install browser extensions that purport to offer free VPN service or ad blocking or some other capability, likely without reading or understanding the extension's privacy policy.

These extensions may silently intercept users' communications with AI services like ChatGPT, Gemini, Claude, and DeepSeek. They can do so by overriding the browser's native fetch() and XMLHttpRequest() functions in order to capture every prompt and every response.

"This data is captured from real people's private AI conversations via browser extensions, stored in a vector database, and exposed via API to authenticated customers," said Dryburgh in his report. "The panelists have pseudonymized IDs (SHA-256 hashes) but the content of their conversations is stored verbatim and searchable — and many prompts contain real names, dates of birth, medical record numbers, and diagnosis codes."

It's a technique that Dryburgh discussed with The Register in September 2025 and that Koi Security documented in December 2025 in its report titled "8 Million Users' AI Conversations Sold for Profit by 'Privacy' Extensions."

The companies that aggregate this web clickstream data insist that their data handling is lawful and the data is anonymized. That isn't much of a consolation given that it has long been known that anonymized profiles can sometimes be re-identified by connecting a few data points, a process that AI assistance has made much easier. And, in any event, Dryburgh claims to have found many conversations that reveal names and other sensitive details.

Dryburgh said he had access to a major VC-backed generative engine optimization platform and, through that platform, was able to examine the aggregated clickstream data made available to customers.

He said he made 205 queries to the platform using the platform's own semantic search and received ~490 unique prompts from ~435+ unique panelists across 20 sensitive categories.

• AWS says drones hit two of its datacenters in UAE, urges users to move resources to different regions
• Lawmakers take pick to ICE's warrantless location tracking purchases
• AWS backs Open VSX as Rust survey shows VS Code decline
• Chrome Gemini panel became privilege escalator for rogue extensions

One set of queries returned conversations about depression, suicide, self-harm, medication, abuse, and eating disorders. A second provided access to chat about substance abuse, medical diagnoses, financial vulnerability, children, sexuality, and immigration. A third covered HIV/STDs, cancer, fertility/pregnancy, children, sexual violence, financial crisis, and medical diagnoses. And a fourth provided chats about clinical HIPAA notes, legal PII, relationships, gender identity, criminal records, workplace harassment, and religious identity.

The most damning finding, he said in his report, is that "healthcare workers are pasting real patient data into AI chatbots, and that data is now a commercial database."

The report cites examples of these conversations, such as this one with a first name and date of birth: "Am I pregnant? [first name withheld] [birth date withheld] I know these aren't questions you'd like to answer but I'm terrified…"

It also describes conversations that appear to come from undocumented immigrants and asylum seekers who have posed questions to chatbots about their legal status. Having this information available in a commercial database creates serious legal risk in the current political climate, Dryburgh argues.

The result, the report claims, is that customers of these data brokers can search and find conversations about suicide, medical records that may enable identification, HIV lab results, abortion clinic searches, immigration status disclosures, domestic violence narratives, and children's conversations.

Dryburgh said he was struck by two things during his research. One is that a lot of conversations involve people pasting internal corporate information into chatbots for rewrites and summaries. 

The other is that a portion of these conversations appears to come from accounts that have been shared in violation of terms of service. Dryburgh explained that remote workers doing work for Western clients may rely on third-party services that sell groups of people access to a single chatbot account, because those workers cannot afford to pay for a single subscription. The workers who pay for these cheap AI services, he speculates, are likely to use the sorts of free VPNs that capture clickstream data. ®