Your ChatGPT Chats Are Now Private By Default
In a significant move to address growing privacy concerns, OpenAI has removed a feature from ChatGPT that allowed users to make their shared conversations discoverable by search engines. This change ensures that any chat links you create are now private by default, preventing the accidental public exposure of sensitive information.
How a Simple Checkbox Exposed Sensitive Data
The now-removed feature presented users with a checkbox labeled 'Make this chat discoverable' after they chose to share a conversation. While this was an opt-in choice, its implications were not immediately clear to everyone. Ticking this box allowed search engines like Google and Bing to index the shared chat's unique URL, making it publicly searchable.
The primary risk was to user privacy. Many users, either unintentionally or by misunderstanding the feature, shared conversations containing highly sensitive personal data. This included resumes, confidential job applications, discussions about mental health, and private medical questions. Using a simple search operator like site:chatgpt.com/share, anyone could easily find and read these private conversations.
Investigation Uncovers Widespread Leaks
The potential for data leaks became a reality, as highlighted by an investigation from Henk van Ess, an expert in online research. His probe uncovered more than 500 publicly indexed chats. The contents were often alarming, containing everything from corporate secrets and admissions of insider trading to plans for cyberattacks and disturbing user prompts.
A Flawed and Confusing Design
The issue was compounded by what many users described as a confusing and misleading user interface. The prompt for sharing conversations did not explicitly state that making a chat 'discoverable' meant it would be indexed by major search engines. Some users reported clicking the box by mistake, believing it was a necessary step to generate the shareable link in the first place, as detailed in some reports.
Search engines, for their part, simply index what is made available to them. A Google spokesperson clarified their role in a statement to TechCrunch, stating, “Publishers of these pages have full control over whether search engines index them.”
OpenAI's Response and Path Forward
Recognizing the severity of the issue, OpenAI has not only removed the 'Make Discoverable' checkbox but has also disabled the indexing feature entirely. The company announced it is actively collaborating with search engines to de-index the previously shared links and remove them from public search results, although some may temporarily remain visible on platforms like Bing and DuckDuckGo.
In a post on X, OpenAI's Chief Information Security Officer, Dane Stuckey, described the feature as a “short-lived experiment” that ultimately created too much risk. “Ultimately, we think this feature introduced too many opportunities for folks to accidentally share things they didn’t intend to, so we’re removing the option,” Stuckey stated. He reaffirmed the company's commitment to user privacy, adding, “Security and privacy are paramount for us, and we’ll keep working to maximally reflect that in our products and features.”
