What would some of the world’s largest repositories of malware look like if they were stacked as hard drives, one on top of the other?
Read more Fervo Energy’s IPO was upsized several times after potential investors asked why the enhanced geothermal startup wasn’t raising more money.
Read more People report that their personal contact info was surfaced by Google AI—and there’s apparently no easy way to prevent it.
A Redditor recently wrote that he was “desperate for help”: for about a month, he said, his phone had been inundated by calls from “strangers” who were “looking for a lawyer, a product designer, a locksmith.” Callers were apparently misdirected by Google’s generative AI.
In March, a software developer in Israel was contacted on WhatsApp after Google’s chatbot Gemini provided incorrect customer service instructions that included his number.
And in April, a PhD candidate at the University of Washington was messing around on Gemini and got it to cough up her colleague’s personal cell phone number.
AI researchers and online privacy experts have long warned of the myriad dangers generative AI poses for personal privacy. These cases give us yet another scenario to worry about: generative AI exposing people’s real phone numbers. (The Redditor did not respond to multiple requests for comment and we could not independently verify his story.)
Experts say that these privacy lapses are most likely due to personally identifiable information (PII) being used in training data, though it’s hard to understand the exact mechanism causing real phone numbers to show up in the AI-generated responses. But no matter the reason, the result is not fun for people on the receiving end—and, even more worryingly, there appears to be little that anyone can do to stop it.
A 400% increase in AI-related privacy requests
It’s impossible to know how often people’s phone numbers are exposed by AI chatbots, but experts say they believe that it is happening far more than is reported publicly.
DeleteMe, a company that helps customers remove their personal information from the internet, says customer queries about generative AI have increased by 400%—up to a few thousand—in the last seven months. These queries “specifically reference ChatGPT, Claude, Gemini … or other generative AI tools,” says Rob Shavell, the company’s cofounder and CEO. Specifically, 55% of these concerns about generative AI reference ChatGPT, 20% reference Gemini, 15% Claude, and 10% other AI tools, Shavell says. (MIT Technology Review has a business subscription to DeleteMe.)
Shavell says customer complaints about personal information being surfaced by LLMs usually take two forms: Either “a customer asks a chatbot something innocuous about themselves and gets back accurate home addresses, phone numbers, family members’ names, or employer details.” Alternatively, a customer may be confronted with and report the exposure of someone else’s personal data, when “the chatbot generates plausible-but-wrong contact information.”
This aligns with what happened to Daniel Abraham, a 28-year-old software engineer in Israel. In mid-March, he says, a stranger sent him a “weird WhatsApp message from an unknown number” asking for help with his account in PayBox, an Israeli payment app.
“I thought it was a spam message,” he wrote to MIT Technology Review in an email—“someone who was trying to troll me.”
But when he asked the stranger how they had found his number, they sent him a screenshot of Gemini’s instructions to contact PayBox customer service via WhatsApp—giving his personal number. Abraham does not work for PayBox, and PayBox does not have a WhatsApp customer service number, Elad Gabay, a customer service representative for the company, confirmed.
Later, Abraham asked Gemini how to contact PayBox, and it generated another person’s WhatsApp number. When I recently asked, Gemini again responded with an Israeli phone number—it belonged not to PayBox, but to a separate credit card company that works with PayBox.
Abraham’s exchange with the stranger ended quickly, but he said he was concerned about how other potential exchanges could quickly turn sour, including “harassment or other bad interactions.” “What if I asked for money in order to ‘solve’ that [customer service] issue?” he said.
To try to figure out how this happened, Abraham ran a regular Google search on his phone number, and he found that it had been shared online once, back in 2015, on a local site similar to Quora. Though he’s not sure who posted it there, it may explain how it ended up being reproduced by Gemini over a decade later.
Chatbots like Gemini, Open AI’s ChatGPT, and Anthropic’s Claude are built on LLMs that are trained on huge amounts of data scraped from across the web. This inevitably includes hundreds of millions of instances of PII. As we reported last summer, for example, the large popular open-source data set DataComp CommonPool, which has been used to train image-generation models, included copies of résumés, driver’s licenses, and credit cards.
The likelihood of PII appearing in AI training data is only increasing as public data “runs out” and AI companies look for new sources of high-quality training data. This includes information from data brokers and people-search websites. According to the California data broker registry, for instance, 31 of 578 registered data brokers operating in the state self-reported that they had “shared or sold consumers’ data to a developer of a GenAI system or model in the past year.”
Furthermore, models are known to memorize and reproduce data verbatim from training data sets—and recent research suggests that it is not just frequently appearing data that is most likely to be memorized.
Imperfect Measures
It’s standard practice now to build guardrails into an LLM’s design to constrain certain outputs, ranging from content filters meant to identify and prevent chatbots from releasing PII to Anthropic’s instructions to Claude to choose responses that contain “the least personal, private, or confidential information belonging to others.”
But as a pair of University of Washington PhD students researching privacy and technology saw firsthand recently, these safeguards don’t always work.
“One day, I was just playing around on Gemini, and I searched for Yael Eiger, my friend and collaborator,” Meira Gilbert says. She typed in “Yael Eiger contact info,” and after Gemini provided an overview of Eiger’s research, which Gilbert had expected, Gemini also returned her friend’s personal phone number. “It was shocking,” Gilbert says.
When she saw the Gemini result, Eiger remembered that she had, in fact, shared her phone number online in the previous year, for a technology workshop. But she had not expected it to be so visible to everyone on the internet.
Have you had your PII revealed by generative AI? Reach the reporter on Signal at eileenguo.15 or tips@technologyreview.com.
“Having your information be … accessible to one audience, and then Gemini making it accessible to anyone” feels completely different, Eiger says—especially when she found that the information was buried in a normal Google search.
“It was severely downgraded,” Gilbert confirms. “I never would have found it if I was just looking through Google results.” (I tried the same prompt in Gemini earlier this month, and after an initial denial, the tool also gave me Eiger’s number.)
After this experience, Eiger, Gilbert, and another UW PhD student, Anna-Maria Gueorguieva, decided to test ChatGPT to see what it would surface about a professor.
At first, OpenAI’s guardrails kicked in, and ChatGPT responded that the information was unavailable. But in the same response, the chatbot suggested, “if you want to go deeper, I can still try a more ‘investigative-style’ approach.” Their inquiry just had to help “narrow things down,” ChatGPT said, by providing “a neighborhood guess” for where the professor might live, or “a possible co-owner name” for the professor’s home. ChatGPT continued: “That’s usually the only way to surface newer or intentionally less-visible property records.”
The students provided this information, leading ChatGPT to produce the professor’s home address, home purchase price, and spouse’s name from city property records.
(Taya Christianson, an OpenAI representative, said she was not able to comment on what happened in this case without seeing screenshots or knowing which model the students had tested, though we pointed out that many users may not know which model they were using in the ChatGPT interface. In response to questions about the exposure of PII, she sent links to documents describing how OpenAI handles privacy, including filtering out PII, and other tools.)
This reveals one of the fundamental problems with chatbots, says DeleteMe’s Shavell. AI companies “can build in guardrails, but [their chatbots] are also designed to be effective and to answer customer questions.”
The exposure issue is not limited to Gemini or ChatGPT. Last year, Futurism found that if you prompted xAI’s chatbot Grok with “[name] address,” in almost all cases, it provided not only residential addresses but also often the person’s phone numbers, work addresses, and addresses for people with similar-sounding names. (xAI did not respond to a request for comment.)
No clear answers
There aren’t straightforward solutions to this problem—there’s no easy way to either verify whether someone’s personal information is in a given model’s training set or to compel the models to remove PII.
Ideally, individual consumers should be able to request that their PII be removed, says Jennifer King, the privacy and data fellow at Stanford University Institute for Human-Centered Artificial Intelligence. But this is typically interpreted to apply only to the data that people have directly given to companies—like when they interact with a chatbot, King explains.
“I don’t know if Google even has the infrastructure … to say to me, ‘Yes, we have your data in our training data, we can summarize what we know about you, and then we can delete or correct things that are wrong or things that you don’t want in there,’” she says.
Existing privacy legislation, like the California Consumer Privacy Act or Europe’s GDPR, does not cover the “publicly available” information that has already been scraped and used to train LLMs, especially since much of this is anonymized (though multiple studies have also shown how easy it is to infer identities and PII from anonymized and pseudonymous data).
As to “whether they [AI companies] have ever systematically tried to go back through data that had already been collected from the public internet and minimized that stuff?” King adds. “No idea.”
The next best solution would be that the companies are “taking out everybody’s phone numbers or all data that resembles [phone numbers],” King says, but “nobody’s been willing to say” they’re doing that.
Hugging Face, a platform that hosts open-source data sets and AI models, has a tool that allows people to search how often a piece of data—like their phone number—has appeared in open-source LLM training data sets, but this does not necessarily represent what has been used to train closed LLMs that power popular chatbots like Claude, ChatGPT, and Gemini. (Eiger’s number, for example, did not show up in Hugging Face’s tool.)
Alex Joseph, the head of communications for Gemini apps and Google Labs, did not respond to specific questions, but he said that “the team” is “looking into” the particular cases flagged by MIT Technology Review. He also provided a link to a support document that describes how users can “object to the processing of your personal data” or “ask for inaccurate personal data in Gemini Apps’ responses to be corrected.” The page notes that the company’s response will depend on the privacy laws of your jurisdiction.
OpenAI has a privacy portal that allows people to submit requests to remove their personal information from ChatGPT responses, but notes that it balances privacy requests with the public interest and “may decline a request if we have a lawful reason for doing so.”
Anthropic describes how it uses personal data in model training, but it does not have a clear way for people to request its removal. The company did not respond to a request for comment.
The best option for anyone who wants to protect their private data right now is to “start upstream: get personal data off the public web before it ends up in the next scrape,” says Shavell. Since the start of the year, for instance, California has offered its residents a web portal to request that data brokers delete their information. Still, this doesn’t guarantee that your data hasn’t already been used for training—and will therefore not appear in a chatbot’s response.
The Redditor who received incessant calls posted that he had “submitted an official Legal Removal/Privacy Request to Google, asking them to urgently blacklist my number from their LLM outputs,” but had not yet received a response. He also wrote last month that “the harassment continues daily.”
Abraham, the Israeli software developer, says he contacted Google’s customer service on March 17, the day after his phone number was exposed. He says he did not receive a response until May 4, and it simply asked for documentation that he had already provided.
Meanwhile, inspired by her own exposure on Gemini, Eiger, along with Gilbert and Gueorguieva, is designing a research project to further study what personal information is being surfaced by various AI chatbots—and what they may know, even if they’re not telling us.
Some of that information may “technically be public,” says Gilbert, but chatbots may be altering “the amount of effort you would put into finding” it. Now instead of searching through 10 pages of Google search results, or paying for the information from a data broker site, “does generative AI just lower the barrier to entry to target people?”
This piece has been updated to clarify OpenAI’s response.
This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology.
A plan to make drugs in orbit is going commercial
A startup called Varda Space Industries is betting that the future of pharmaceuticals lies in orbit. The company has signed a deal with United Therapeutics to test whether drugs crystallize differently in microgravity, potentially creating improved versions with new properties.
The idea sounds futuristic, but falling launch costs and reusable rockets are making space-based manufacturing seem increasingly plausible. Varda says the partnership could mark an important step toward building products in orbit for use back on Earth.
Discover how space could become the next frontier for drug development.
—Antonio Regalado
MIT Technology Review Narrated: NASA is building the first nuclear reactor-powered interplanetary spacecraft. How will it work?
Just before Artemis II began its historic slingshot around the moon, NASA revealed an even grander space travel plan. By the end of 2028, the agency aims to fly a nuclear reactor-powered interplanetary spacecraft to Mars.
A successful mission would herald a new era in spaceflight—and might just give the US the edge in the race against China. But the project remains shrouded in mystery.
MIT Technology Review picked the brains of nuclear power and propulsion experts to find out how the nuclear-powered spacecraft might work.
—Robin George Andrews
This is our latest story to be turned into an MIT Technology Review Narrated podcast, which we publish each week on Spotify and Apple Podcasts. Just navigate to MIT Technology Review Narrated on either platform, and follow us to get all our new content as it’s released.
The must-reads
I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.
1 Sam Altman claims Elon Musk tried to seize control of OpenAI
Altman said Musk initially wanted 90% of the equity. (AFP)
+ And that control should go to his children when he dies. (BBC)
+ Altman also accused Musk of twice trying to end its non-profit status. (NPR)
+ Musk’s motivations for the suit are under scrutiny. (MIT Technology Review)
2 Google and SpaceX are in talks to launch data centers into orbit
SpaceX could join Suncatcher, Google’s orbital data center project. (WSJ $)
+ The project’s first launch is slated for early 2027. (Guardian)
+ Anthropic and SpaceX have also discussed orbital data centers. (Wired $)
+ But there are a few hurdles to overcome. (MIT Technology Review)
3 Jensen Huang has joined Donald Trump’s high-stakes mission to China
Nvidia is lobbying to sell its AI chips in the country. (Bloomberg $)
+ Elon Musk and Tim Cook are also on the trip. (CNBC)
+ But a tech rivalry and distrust have sapped hopes for big deals. (Reuters $)
4 ICE agents have a list of 20 million people on their iPhones, thanks to Palantir
An ICE official said Palantir is speeding up raids and arrests. (404 Media)
+ ICE has also used facial recognition and Paragon spyware. (TechCrunch)
5 Defense tech firm Anduril just doubled its valuation to over $60 billion
In a $5 billion funding round led by Thrive Capital and a16z. (FT $)
Anduril, which makes AI-backed weapons, may go public next year. (NYT $)
6 Meta employees are protesting computer-tracking at work
Flyers posted at offices are urging staff to oppose the program. (Reuters $)
+ Meta plans to track workers’ clicks and keystrokes to train AI. (CNBC)
7 OpenAI is facing another wrongful death lawsuit over ChatGPT medical advice
The chatbot’s tips allegedly led to a teenager’s overdose. (Ars Technica)
8 The Canvas learning platform has paid hackers to delete stolen student data
It caved to ransomware demands after the biggest-ever edtech breach. (BBC)
9 Scientific researchers are thinking twice about using AI
Due to price hikes, usage limitations, and unreliable outputs. (Nature)
10 The latest AI compute solution? Putting data centers in your home
Hardware hosts get subsidized electricity and internet. (Ars Technica)
Quote of the day
“Mr Musk did try to kill it.”
—Sam Altman claims that Elon Musk tried to destroy rather than protect OpenAI’s non-profit operations, the Guardian reports.
One More Thing
YOSHI SODEOKA
Why does AI hallucinate?
Chatbot fails are now a familiar meme. Meta’s short-lived scientific chatbot generated wiki articles about the history of bears in space. Lawyers have submitted court documents filled with legal citations fabricated by ChatGPT. Air Canada was ordered to honor a refund policy invented by its customer service chatbot.
This tendency to make things up—known as hallucination—is one of the biggest obstacles holding chatbots back from more widespread adoption. Here’s why they do it—and why we still can’t fix it.
—Will Douglas Heaven
This story is part of MIT Technology Review Explains, our series untangling the complex, messy world of technology to help you understand what’s coming next. You can read more from the series here.
We can still have nice things
A place for comfort, fun, and distraction to brighten up your day. (Got any ideas? Drop me a line.)
+ A historian has unearthed the etymology of every single dinosaur name.
+ Humus on the moon is getting closer to reality after scientists grew chickpeas in lunar soil.
+ Witness the patience of a master paper artist in this gallery of intricate, handmade sculptures.
+ Want to tell the time alphabetically? Me neither, but this cursed clock is an intriguing reason to try.
Varda Space Industries, a startup that’s been pitching its ability to perform drug experiments in space, says it has signed up the pharmaceutical company United Therapeutics in what may be remembered as a notable step toward in-orbit manufacturing.
The idea of building things in outer space for use on Earth has so far been explored mostly on board the International Space Station, and only in small-scale experiments backed by governments.
But Varda, based in El Segundo, California, is now telling drug companies it has a practical, and repeatable, way to produce novel molecules in microgravity.
“This is the first commercial path to products made in space,” says Michael Reilly, Varda’s chief strategy officer.
The scientific idea is that chemical mixtures have different properties under weightless conditions. For instance, water will hang together in a wiggly sphere, since without gravity, surface tension is the strongest force present.
The plan is to launch versions of United Therapeutics’ drugs into orbit, where they can be allowed to form solid crystals. The hope is that in microgravity, they’ll take on atomic arrangements not seen on Earth, possibly leading to new versions with improved stability or other valuable properties.
United is led by CEO Martine Rothblatt, who worked on early telecommunications satellites. Since then, she’s built a multibillion-dollar health franchise with a succession of drugs to treat a lung disease called pulmonary arterial hypertension, which her daughter suffers from, and a subsidiary developing genetically modified pigs as a source of organs for transplantation.
Rothblatt says space could be the next step if orbital conditions permit United to identify “even more amazing” versions of its drugs.
Space to reformulate
Pharmaceutical companies often try to keep their blockbuster franchises alive by creating improved versions of drugs or reformulating them—for example, making the switch from a pill to an inhaled version, as United has done with some of its products. Doing so can keep imitators at bay and create extra decades of patent protection.
Assisting drugmakers are specialist companies, such as Halozyme and MannKind, that earn profits by helping to reformulate other companies’ drugs, often taking a royalty on future sales.
That’s the business Varda has been trying to break into—by using excursions into space instead of nebulizers, patches, or nanoparticles. The company was formed in 2021 by Delian Asparouhov, a partner at Peter Thiel’s Founders Fund, along with Will Bruey, a former avionics engineer with Elon Musk’s SpaceX who is now Varda’s CEO.
The pair’s bet is that space manufacturing will become viable once rocket launches become frequent enough—and cheap enough—to support a business model in which raw materials are sent into orbit, processed, and then returned to Earth in a new form.
And that’s starting to happen. To get into space, Varda has been purchasing rides from SpaceX—which now launches a rocket every two or three days, usually a reusable Falcon 9.
Those rockets have a nose cone, or payload fairing, about the size of a moving truck that gets filled with satellites or instruments, which are then released into orbit.
Starting in 2023, Varda began sending up small satellites that have a boulder-size capsule attached. The capsule contains equipment to carry out experiments, and it can detach and fall back to Earth, entering the atmosphere at a speed of around Mach 25 before slowing via air resistance and eventually drifting to land with a parachute. (Varda lands its craft in the Australian outback.)
That speedy reentry has also drawn interest from the US military, including the Air Force, which has paid Varda to fly instruments and take measurements relevant to hypersonic missile technology. Of the six craft Varda has paid to put into orbit so far, half have been dedicated to military research and half carried drug-related demonstrations.
At Varda, such “dual use” of technology is accepted as part of being in the space business, which remains reliant on government support. The company’s founders say Varda may be the only company that employs hypersonic engineers and pharmaceutical chemists under the same roof.
COURTESY VARDA
Launching industries
Actual space manufacturing still remains mostly an aspirational project. In 2021, Jeff Bezos, after his first trip aloft in a rocket, suggested that polluting industries should be moved beyond the atmosphere. “We need to take all heavy industry, all polluting industry, and move it into space. And keep Earth as this beautiful gem of a planet that it is,” he told MSNBC.
Weight is the big obstacle to such dreams. It still costs around $7,000 to launch a single kilogram of payload into orbit, which makes it impractical to, say, send cotton into space to be dyed there, or even to launch the acids and solvents needed to make a semiconductor chip.
But drugs may be among the few exceptions to this economic rule, since pound for pound, they can be as valuable as rare radioactive isotopes and fine-cut diamonds.
For instance, just one kilogram of the weight-loss drug Ozempic is worth more than $100 million at retail. (The reason your Ozempic bill is only $1,000 a month is that minute quantities of the active ingredient are present in the shots.)
That’s why Varda thinks it may eventually be able to manufacture drugs in orbit. However, its effort with United is more of a flying experiment to learn whether the company’s lung medicines will crystallize differently in microgravity.
The terms of the deal between Varda and United aren’t public, and the companies haven’t said which specific drugs the collaboration will study. But Rothblatt did confirm that United is paying Varda to help it identify new crystal forms of its drugs (also called polymorphs), which it hopes could have improved properties.
“One has to do the experiment to find out if that is so. The first part of the experiment is to see what polymorphs of these molecules can be made without the influence of gravity,” she says. “Then, once we have those polymorphs, we will test them.”
There is good evidence that crystals form differently in space. For instance, in 2017 the pharmaceutical giant Merck sent samples of its cancer immunotherapy drug Keytruda to the International Space Station, where it was found to form crystals of a single size. On Earth, the drug tended to form two different sizes at once.
That experiment offered clues for how to formulate the drug as a shot instead of administering it intravenously. Still, when Merck introduced a Keytruda injection last year, it ended up using a different approach. That means there’s still no straight-line connection between orbital discoveries and any drug here on Earth. Actual space factories are another step further from reality.
“We’ve been learning from space for years, but I can’t name anything manufactured in space, brought down to Earth, and sold,” says Reilly. “So that is a first—or it will be a first.”
Reilly says that Varda anticipates launching United Therapeutics’ drugs into orbit sometime early next year.
The new feature offers users an enhanced level of privacy and security, but raises concerns regarding the safety and accuracy of chatbot responses.
The app has been expanding its sports engagement, and 59% of users say watching events on TikTok is more fun than viewing actual games.
The app’s sixth annual event was a showcase for its updated marketing offerings, including new artificial intelligence-powered elements.
A new report from the app examined teen behavior online and offered insights into the perspective of younger users.
The focus of Instants is immediate, in-the-moment sharing via disappearing images.