
No Privilege, No Protection: What US v. Kim and Rakoff's Heppner Opinion Mean for Your AI Privacy
Two federal rulings out of the Southern District of New York have now confirmed what many of us building in the AI space quietly feared: your conversations with AI tools carry no meaningful privacy protection against subpoena, search warrant, or discovery demand. If you use AI for legal research, medical questions, financial planning, or anything else you'd rather keep confidential, the law does not treat those conversations the way you probably assume it does. Two independent legal doctrines, two different judges, one conclusion.
Key Takeaways
- In United States v. Heppner, Judge Rakoff held that AI-generated documents are not privileged because an AI is not an attorney, and provider terms of service destroy any reasonable expectation of confidentiality.
- In United States v. Kim, Judge Schofield ruled that a user cannot quash a search warrant served on an AI provider under the Stored Communications Act, treating AI chat logs the same as email or cloud storage.
- Feeding attorney-client communications into a consumer AI tool may waive privilege over those original communications, not just the AI outputs.
- No court has yet confirmed that enterprise-tier AI tools preserve privilege. The speculation exists in law firm memos, but it remains untested.
- Architecture decisions made at the product level (what gets logged, what gets trained on, who can be compelled to produce what) now directly determine legal exposure for every user.
What Did Judge Rakoff Actually Hold in Heppner?
On February 17, 2026, Judge Jed Rakoff issued a written opinion holding that documents a criminal defendant created using a publicly available AI chatbot were neither protected by attorney-client privilege nor by the work-product doctrine. The defendant, Heppner, had used an AI tool to generate legal analysis and then transmitted those outputs to his lawyers. The government sought production. Heppner resisted, claiming privilege.
Rakoff's reasoning was straightforward. Attorney-client privilege requires a communication between a client and an attorney, grounded in what Rakoff called "a trusting human relationship" with a licensed professional who owes fiduciary duties and is subject to professional discipline. An AI chatbot is none of those things. When the government tested this by asking the AI tool to provide legal advice, the tool itself responded that it could not.
But the privilege analysis was only half the opinion. The confidentiality analysis is what should concern you more.
Why Do Provider Terms of Service Matter for Privilege?
They matter because privilege requires a reasonable expectation of confidentiality, and the terms you clicked "agree" on likely destroy that expectation. Rakoff examined the AI provider's policies and found they expressly permit disclosure of user prompts and outputs to governmental regulatory authorities and allow the use of conversations for model training. Under those terms, the court found there was simply no reasonable expectation of confidentiality.
This is not a quirk of one provider's policies. Comparable provisions exist across major AI platforms, permitting both training use and legal disclosure. The distinction between free and paid consumer plans matters less than most people assume: both tiers typically use conversations for training by default unless you affirmatively opt out, and even opting out of training does not eliminate the provider's right to comply with legal process.
So the structure is this: you type something sensitive into a consumer AI tool. The provider's terms grant them the right to disclose it. A court then asks whether you had a reasonable expectation of confidentiality. The answer, per Rakoff, is no.
Can You Fix Privilege After the Fact by Sending AI Outputs to Your Lawyer?
No. Rakoff addressed this directly. Heppner created documents using AI before transmitting them to counsel, and the court applied the long-settled principle that pre-existing documents cannot be retroactively cloaked in privilege by sending them to a lawyer after the fact. This is not a new rule. It is an old rule applied to a new technology. Creating a document in a non-privileged setting and then forwarding it to counsel does not transform it into privileged material.
What About Feeding Privileged Attorney Communications into AI?
This is arguably the most dangerous finding in the opinion. Heppner had taken information received from his attorneys and fed it into the AI tool as part of his prompts. Rakoff agreed with the government that sharing privileged communications with a third-party AI platform may constitute a waiver of privilege over the original attorney-client communications themselves. Not just the AI outputs. The underlying privileged material.
Read that again. If you paste your lawyer's advice into an AI chatbot to get a second opinion or to summarize it, you may have waived privilege over what your lawyer told you. The AI interaction is the disclosure to a third party, and voluntary disclosure to a third party has always been a classic path to privilege waiver.
What Did Kim Decide, and Why Does It Compound the Problem?
Kim addresses a different legal mechanism but reaches the same practical result. In United States v. Kim, the defendant sought to quash a search warrant the government had served on an AI provider under the Stored Communications Act in connection with a securities fraud proceeding. Judge Lorna Schofield ruled that Kim had no standing to seek to quash the warrant. His only remedy was to try to suppress the evidence after production, citing Supreme Court precedent and lower-court authority on third-party records.
The SCA governs disclosure of stored electronic communications: emails, cloud-stored documents, chat histories. AI conversation histories are now treated like emails or cloud storage under this framework, with providers required to produce communications, account records, and metadata, and with only limited ability to object (for instance, on burden grounds).
This matters because Kim and Heppner attack from different doctrinal directions. Heppner says your conversations are not privileged. Kim says even if you wanted to fight production of those conversations, you lack the procedural mechanism to do so before they are handed over. Two doors, both locked from the outside.
What About the 20 Million ChatGPT Logs Ruling?
A third data point reinforces the pattern. Judge Sidney Stein affirmed a magistrate judge's order compelling an AI provider to produce its entire 20-million-log sample in the New York Times copyright MDL. The provider raised user privacy objections. The court found that users had "voluntarily submitted their communications" to the platform, distinguishing them from wiretap subjects. That distinction was fatal to the privacy argument.
Twenty million conversation logs. Not targeted at a specific individual. A mass production order in civil litigation. The court treated it as routine discovery from a software vendor.
This is relevant context for anyone who views their AI conversations as inherently personal. The provider's CEO has publicly acknowledged that people use AI tools "like a therapist, lawyer, or priest," calling that "very screwed up" precisely because those conversations can be subpoenaed.
Is There a Contrary Ruling?
Yes, and it appeared the same week as Heppner. Magistrate Judge Anthony Patti in the Eastern District of Michigan held, in a case called Warner, that a pro se civil litigant's AI queries and the AI's responses were protected by the work-product doctrine. Judge Patti treated the AI tool as just that: a tool, more like a word processor than a human consultant who "receives" legal strategy.
This creates a real doctrinal split. Rakoff treated the AI as a third party whose terms of service defeat confidentiality. Patti treated it as a passive instrument that does not meaningfully "receive" information in the way the third-party disclosure doctrine contemplates. Commentary has framed this as a genuine fork in the law, and there is no appellate resolution yet.
If you are trying to decide how to operate right now, the prudent answer is to assume Heppner controls, because Rakoff's opinion is more thoroughly reasoned, comes from a more prominent court, and (importantly) is the one that prosecutors and enforcement agencies will cite when they want your logs.
Does Using an Enterprise AI Tier Preserve Privilege?
Nobody knows. Several law firm memos, including from Debevoise and Jones Walker, speculate that enterprise AI tools with no-training commitments and enhanced confidentiality terms "should" preserve privilege. But no court has tested this. It is dicta at best and hope at worst.
Privilege depends on actual confidentiality and attorney direction, not on the name of the pricing tier. Architecture matters: whether data is used for training, whether logs persist, whether the vendor can be compelled to produce records. But a paid plan alone is legally meaningless. Rakoff's opinion focused on the provider's disclosure rights under its own terms. An enterprise agreement that contractually eliminates those rights is a better position, but "better" is not "tested" and "tested" is not "settled."
Harvard Law Review's blog has noted that courts do not typically ask whether using a cloud document editor or email service to communicate with counsel defeats privilege. The Heppner court assumed, without extensive analysis, that an AI chatbot is more like a non-attorney human than a passive tool. That assumption is debatable. But it is the assumption that currently controls in SDNY.
What Is the Kovel Doctrine and Could It Help?
Under the Kovel doctrine, communications with non-attorney agents (accountants, translators, consultants) can be privileged if counsel directs the use of those agents in furtherance of legal advice. Rakoff left open the question of whether the outcome would differ if counsel had directed the defendant to use the AI tool, rather than the defendant using it on his own initiative.
This is not a solution. It is a narrow doctrinal opening that remains untested. But it does suggest a design pattern: if AI use is documented as occurring under attorney direction, within an access-controlled environment, with the provider contractually bound to confidentiality and unable to train on inputs, a future court might reach a different result. Might. The gap between "might preserve privilege" and "does preserve privilege" is exactly the gap where enforcement agencies will operate.
What Does This Mean If You Do Sensitive Work Through AI?
It means that right now, your AI conversations are treated by at least two federal courts as non-privileged third-party records that can be obtained through a subpoena, search warrant, or discovery request, with you having limited procedural ability to intervene before production occurs.
The practical implications break down across several dimensions:
Legal professionals: If you or your client use consumer AI tools to draft legal analysis, summarize case strategy, or explore arguments, those interactions are likely discoverable. If privileged attorney-client communications are included in prompts, the privilege over those underlying communications may be waived. The New York State Bar Association has flagged this explicitly.
Medical and mental health contexts: AI conversations about symptoms, diagnoses, or treatment are stored by providers and producible under legal process. There is no therapist-patient privilege analogue for AI interactions, regardless of how personal the content feels.
Financial and regulatory contexts: State attorneys general are increasingly active in seeking AI-generated data through civil investigative demands, and Heppner gives them a clear basis for piercing privilege and work-product claims. If you used AI to model a transaction, analyze compliance exposure, or draft regulatory responses, that history is reachable.
Journalism and activism: Source-protection doctrines already vary by jurisdiction. AI conversations about sensitive sources or investigations enjoy none of the limited protections that some states extend to reporter-source communications.
How Should You Think About Architecture Given These Rulings?
We build Selina, so we have thought about this from the product side for a long time. Not in response to Heppner, but as the starting premise of the threat model.
When you threat-model a personal AI product, the question is not just "can we encrypt the data?" It is "who can be compelled to produce what, under what legal process, and what will the data look like if they do?" Encryption at rest protects against data breaches. It does not protect against a lawful subpoena served on the entity that holds the decryption keys. The legal analysis and the cryptographic analysis are separate problems, and conflating them is how products make promises they cannot keep.
Here is what we actually do, stated plainly with the limits included:
Files and transfers through SelinaSEND are end-to-end encrypted, meaning we cannot read them even under compulsion. Memory is not end-to-end encrypted. Memory is encrypted at rest, but a slice of each request reaches a frontier provider at inference time. We use a stack of frontier models, routed per task. This means memory content is not zero-knowledge. We are honest about that because the distinction matters, and it matters more now that courts are treating AI conversation logs as producible records.
Non-content operational metadata is kept for a short retention window. The account itself is protected. Content is encrypted. Delete means gone. Actually gone.
But none of this constitutes a legal privilege. We do not claim that using Selina creates attorney-client privilege. No product can make that claim, because privilege is a legal doctrine that depends on the relationship between the communicating parties and the circumstances of the communication, not on the encryption scheme of the intermediary tool. What architecture can do is reduce the attack surface: minimize what exists to be produced, ensure that what is produced is limited in scope, and create the conditions under which a Kovel-type argument (counsel-directed, access-controlled, contractually confidential) has its best chance of succeeding if and when a court considers it.
That is a narrower claim than "your data is safe." It is also an honest one.
Why Do Two Separate Doctrines Converging on the Same Result Matter More Than Either Ruling Alone?
Because it closes both exits. Most commentary treats Heppner (privilege doctrine) and Kim (Stored Communications Act, Fourth Amendment third-party access) as separate stories. They are, doctrinally. But the practical convergence is the point. If a prosecutor or civil litigant wants your AI conversation logs, Heppner tells them the content is not privileged. Kim tells them the provider can be compelled to produce it via search warrant and you lack standing to intervene before production. The 20-million-log ruling tells them that mass, untargeted production orders are also available in civil litigation.
Three rulings. Three different procedural postures. All from SDNY. All pointing in the same direction. The only contrary authority is a magistrate judge's opinion from a different circuit, in a civil case, applying work-product doctrine rather than privilege, and reaching the opposite conclusion on a narrower question. That is not a robust basis for assuming your AI conversations are protected.
What Might Change This?
Congress could act. At least one major AI company's chief strategy officer has publicly called for a new form of "AI privilege" to protect user-chatbot conversations from subpoenas. That call has been met, so far, with judicial indifference. The January 2026 ChatGPT-logs ruling effectively rejected the concept, placing AI interactions on the same level as standard enterprise software and subjecting AI developers to the same discovery rules as any other software provider.
Appellate courts could also intervene. The Heppner/Warner split creates a question that the Second and Sixth Circuits (or others) may eventually resolve. Rakoff himself flagged the novelty of the question and highlighted issues his opinion did not resolve, such as whether counsel-directed AI use would change the outcome.
Until then, the operational posture is clear: treat every AI conversation as potentially producible. Structure AI use under attorney direction if you want any chance of a privilege argument. Choose tools whose architecture minimizes what can be compelled, rather than tools whose marketing says "private" while their terms of service say otherwise.
What Specifically Should You Do Right Now?
Four concrete steps, none of which require waiting for legislative or appellate action:
- Audit your AI terms of service. Read the disclosure and training provisions of every AI tool you use for sensitive work. If the terms permit disclosure to governmental authorities or use of inputs for training, the Heppner analysis applies to you. Opting out of training is necessary but not sufficient, because it does not eliminate disclosure rights.
- Do not paste privileged communications into AI tools. This is the single highest-risk behavior identified in Heppner. If you feed your lawyer's advice into a chatbot, you may waive privilege over the advice itself. Not the summary. The original communication.
- If AI use is part of legal work, document attorney direction. The Kovel doctrine opening, while untested for AI, depends on the AI being used at counsel's direction as an agent in furtherance of legal advice. Undocumented, self-directed AI use has no chance of qualifying.
- Choose tools based on what can be compelled, not what is marketed. The relevant questions are: Does the provider retain conversation logs? Can the provider decrypt them? Are the provider's terms of service structured to permit or resist disclosure? Is the product designed so that a production order yields as little usable content as possible? These are architecture questions, not branding questions.
We are not the only product thinking about this. But we have built our architecture around the assumption that legal process will eventually reach the provider, because it will. The question is what the provider has to hand over when it does.
If you want to see how that architecture works in practice: start a free 7-day trial, no card required.
Frequently Asked Questions
Did Judge Rakoff find that AI-generated documents are protected by attorney-client privilege?
No. In United States v. Heppner, Judge Rakoff held that AI-generated documents are not privileged because an AI chatbot is not an attorney and lacks the trusting human relationship, fiduciary duties, and professional discipline that privilege requires.
Why do AI provider terms of service undermine confidentiality claims?
Rakoff found that provider terms typically permit disclosure of prompts and outputs to regulators and allow use of conversations for model training, which destroys any reasonable expectation of confidentiality needed for privilege, and this applies across both free and paid consumer tiers.
Can pasting a lawyer's advice into an AI chatbot cause you to lose privilege over that original advice?
Yes. Rakoff found that feeding privileged attorney-client communications into a third-party AI tool may waive privilege over the original communications themselves, not just the AI-generated outputs, since it counts as voluntary disclosure to a third party.
What did United States v. Kim decide about fighting a subpoena or warrant served on an AI provider?
Judge Schofield ruled that a user has no standing to quash a search warrant served on an AI provider under the Stored Communications Act, treating AI chat logs like email or cloud storage, so the only remedy is trying to suppress the evidence after it has already been produced.
Is there any court ruling that goes the other way on AI privilege, and does using an enterprise AI plan guarantee protection?
Yes, Magistrate Judge Patti in Warner held that a pro se litigant's AI queries and responses were protected by work-product doctrine, treating the AI as a passive tool rather than a third party, creating a genuine doctrinal split with no appellate resolution yet. As for enterprise tiers, no court has tested whether their no-training and confidentiality terms preserve privilege, so law firm claims that they "should" protect privilege remain untested speculation.
Sources & References
- The Intersection of AI and Attorney-Client Privilege—A Cautionary Tale - Ogletree
- Dentons - Court Rules AI-Generated Documents Lack Privilege Protection
- United States v. Heppner Harvard Law Review
- SDNY Rules AI-Generated Documents Are Not Protected by Privilege – Debevoise Data Blog
- AI, Privilege, and the Heppner Ruling: What the Court Actually Held—And How to Structure AI Use Safely | Insights | Venable LLP
- Federal Judge Holds Generative AI Communications Are Not Privileged in Decision Likely to Impact Litigation and Regulatory Enforcement | Regulatory Oversight
- US judge finds no privilege in AI-generated documents: How do English law principles compare? | DLA Piper
- 1-United-States-v.-Heppner.pdf
- Court Rules AI Conversations Are Not Privileged: What United States v. Heppner Means for You
- Loose AI Prompts Sink Ships: How Heppner Shook the Legal Community - New York State Bar Association
- Courts Grapple with Privilege Implications of AI | Publications | Cleary Gottlieb
- Your AI Conversations Are Not Privileged: What a New SDNY Ruling Means for Every Lawyer and Client | Jones Walker LLP
- Your AI Chatbot is Not Your Lawyer: AI Privilege Issues in Litigation | Freshfields
- Update: Judge Rakoff Issues Written Opinion that AI-Generated Documents Are Not Protected by Privilege – Debevoise Data Blog
- ChatGPT for Lawyers in 2026: What's Safe, What's Not, and What Heppner Changed — GC AI
- Is ChatGPT or Claude Privileged? What United States v. Heppner Means for Every Lawyer (2026)
- Same Week, Different Frameworks: Why Heppner and Warner Both Got It Right on AI Privilege — and Why That's the Problem
- Surprise, Surprise: More Evidence That What You Say To Your Chatbot Isn’t Always Private - Above the Law
- OpenAI Must Turn Over 20 Million ChatGPT Logs, Judge Affirms
- OpenAI Loses Privacy Gambit: 20 Million ChatGPT Logs Likely Headed to Copyright Plaintiffs
- OpenAI Court Case: Can Your ChatGPT Logs Be Subpoenaed? 20M Chats Ordered | Terms.Law
- OpenAI Loses Privacy Gambit: 20 Million ChatGPT Logs Likely Headed to Copyright Plaintiffs | Jones Walker LLP
- Court ruling against OpenAI: 20 million ChatGPT logs must be disclosed - NotebookCheck.net News
- Your ChatGPT Conversations Could End Up in Court ... - Gblock
- OpenAI Ordered to Hand Over 20M ChatGPT Logs
- OpenAI Discovery Breach: 20M Chat Logs Mandated in SDNY (2026 Analysis)
- ChatGPT creator must turn over 20M chat logs in copyright litigation, federal judge says
