Gemini: The Biggest Data Offender?

The Rise of AI Chatbots and the Data Privacy Dilemma

The proliferation of artificial intelligence has ushered in an era of unprecedented technological advancement, offering a wide array of tools designed to simplify and enhance various aspects of our lives. Among these innovations, AI chatbots have emerged as particularly prominent, becoming increasingly integrated into our daily routines. From answering questions and providing information to assisting with tasks and offering companionship, these conversational AI systems have rapidly gained popularity. However, this widespread adoption has also ignited a fierce debate surrounding data privacy. As AI chatbots become more sophisticated and capable of handling increasingly complex interactions, the question of how much personal information these platforms collect, and how they use it, has become paramount.

Recent concerns have often focused on AI models developed outside the United States, particularly those originating from China. DeepSeek, a Chinese AI model, has been a focal point of this scrutiny. However, a closer examination of the data collection practices of various AI chatbots reveals a surprising truth: some of the most popular US-based AI chatbots may be even more aggressive in their data collection than their counterparts from other countries. This revelation underscores the need for a more nuanced and comprehensive understanding of AI data privacy, one that transcends national borders and focuses on the specific practices of individual companies.

The DeepSeek Controversy: Concerns and Context

In January, DeepSeek, a Chinese company, launched its flagship open-source AI model. The release immediately triggered concerns within the American tech industry and government circles. Privacy and security anxieties quickly surfaced, leading to swift action by both private and public organizations to restrict the use of DeepSeek, both domestically and internationally.

The core of the apprehension stemmed from the belief that DeepSeek, due to its Chinese origins, posed a heightened risk to American users. Fears of surveillance, cyber warfare, and other national security threats were frequently cited. A specific clause in DeepSeek’s privacy policy fueled these concerns, stating: “The personal information we collect from you may be stored on a server located outside the country where you live. We store the information we collect in secure servers located in the People’s Republic of China.”

This statement, while seemingly standard for many international companies, was interpreted by some as a potential avenue for the Chinese government to access sensitive user data. The rapid advancement of global AI development, and the perceived “AI arms race” between the US and China, further amplified these concerns, creating an atmosphere of distrust and raising ethical questions about the potential misuse of AI technology.

Unveiling the Data Collection Practices: A Comparative Analysis

Amidst the controversy surrounding DeepSeek, a surprising revelation has emerged. A recent investigation by Surfshark, a reputable VPN provider, has shed light on the data collection practices of some of the most popular AI chatbot applications available on the Apple App Store. The study meticulously analyzed the privacy details of ten prominent chatbots: ChatGPT, Gemini, Copilot, Perplexity, DeepSeek, Grok, Jasper, Poe, Claude, and Pi.

The researchers focused on three key aspects of data collection:

1. Types of Data Collected: This involved identifying the specific categories of user information gathered by each application. Examples include contact information, location data, browsing history, user content, and device identifiers.

2. Data Linkage: The study examined whether any of the collected data was directly linked to the user’s identity. This is a crucial aspect of privacy, as linked data can be used to create detailed profiles of individual users.

3. Third-Party Advertisers: The researchers investigated whether the applications shared user data with external advertising entities. This practice raises concerns about the potential for user data to be used for purposes beyond the user’s knowledge or control.

Gemini’s Extensive Data Collection: A Startling Discovery

The findings of the Surfshark study were startling. Google’s Gemini emerged as the most data-intensive AI chatbot app, significantly outpacing its competitors in the sheer volume and variety of personal information it collects. The application gathers a staggering 22 out of 35 possible user data types. This includes highly sensitive data such as:

• Precise Location Data: Gemini collects the user’s exact geographical location, providing a detailed record of their movements.
• User Content: The application captures the content of user interactions within the app, including text, images, and potentially even voice recordings.
• Contacts List: Gemini accesses the user’s device contacts, potentially gaining access to a wide network of personal relationships.
• Browsing History: The application tracks the user’s web browsing activity, providing insights into their interests, preferences, and online behavior.
• Audio Data: Gemini also collects audio data.

This extensive data collection far surpasses that of other popular chatbots examined in the study. DeepSeek, the subject of much controversy, ranked fifth out of the ten applications, collecting a comparatively moderate 11 unique data types.

Location Data and Third-Party Sharing: A Cause for Concern

The study also uncovered concerning trends regarding location data and data sharing with third parties. Only Gemini, Copilot, and Perplexity were found to collect precise location data, a highly sensitive piece of information that can reveal much about a user’s movements, habits, and even their home and work addresses.

More broadly, approximately 30% of the chatbots analyzed were found to share sensitive user data, including location data and browsing history, with external entities such as data brokers. This practice raises significant privacy concerns, as it exposes user information to a wider network of actors, potentially for purposes beyond the user’s knowledge or control. Data brokers often aggregate and sell user data to advertisers, marketers, and other organizations, raising the risk of unwanted targeting, discrimination, and even potential security breaches.

Tracking User Data: Targeted Advertising and Beyond

Another alarming finding was the practice of tracking user data for targeted advertising and other purposes. Thirty percent of the chatbots, specifically Copilot, Poe, and Jasper, were found to collect data to track their users. This means that the user data collected from the app is linked with third-party data, enabling targeted advertising or the measurement of advertising effectiveness.

Copilot and Poe were found to collect device IDs for this purpose, while Jasper went even further, gathering not only device IDs but also product interaction data, advertising data, and “any other data about user activity in the app,” according to Surfshark’s experts. This level of tracking allows for the creation of highly detailed user profiles, which can be used to target users with personalized advertisements and potentially influence their behavior.

DeepSeek’s Data Collection: A Middle Ground

The controversial DeepSeek R1 model, while subject to intense scrutiny, occupies a middle ground in terms of data collection. It gathers an average of 11 unique data types, primarily focusing on:

• Contact Information: This includes names, email addresses, phone numbers, and other contact details.
• User Content: DeepSeek collects content generated by users within the app, such as text inputs and potentially other forms of interaction.
• Diagnostics: The application gathers data related to app performance and troubleshooting, which can be used to improve the service but may also contain information about user behavior.

While not the most privacy-respecting chatbot, DeepSeek’s data collection practices are less extensive than those of some of its US-based counterparts, particularly Gemini.

ChatGPT: A Comparative Perspective

For comparison, ChatGPT, one of the most widely used AI chatbots, collects 10 unique types of data. This includes:

• Contact Information
• User Content
• Identifiers
• Usage Data
• Diagnostics

It’s important to note that ChatGPT also amasses chat history. However, users have the option to utilize “Temporary chat,” a feature designed to mitigate this by not storing the conversation history. This provides users with a degree of control over their data, although it is not the default setting.

DeepSeek’s Privacy Policy: User Control and Data Deletion

DeepSeek’s privacy policy, while a source of concern for some, does include provisions for user control over chat history. The policy states that users can manage their chat history and have the option to delete it through their settings. This offers a degree of control that is not always present in other chatbot applications. However, the policy’s statement about data storage in China remains a point of contention for some users and security experts.

The Broader Context: AI Development and Geopolitical Dynamics

The concerns surrounding DeepSeek, and the broader debate about AI data privacy, are inextricably linked to the rapid acceleration of global AI development and the perceived AI arms race between the US and China. This geopolitical context adds another layer of complexity to the issue, fueling anxieties about national security and the potential for misuse of AI technologies.

The findings of the Surfshark study, however, serve as a crucial reminder that data privacy concerns are not limited to AI models developed in specific countries. The most egregious data collector among the popular chatbots analyzed is, in fact, a US-based application. This underscores the need for a more nuanced and comprehensive approach to AI data privacy, one that transcends national boundaries and focuses on the practices of individual companies and the safeguards they implement.

The Need for Transparency, User Control, and Regulation

It is imperative that users are informed about the data collection practices of the AI tools they use, regardless of their origin, and that robust regulations are put in place to protect user privacy in the rapidly evolving AI landscape. The focus should be on establishing clear standards for data collection, usage, and sharing, ensuring transparency and user control, and holding companies accountable for their data practices.

Key elements of a robust AI data privacy framework should include:

• Transparency: Companies should be required to clearly and comprehensively disclose their data collection practices, including the types of data collected, how it is used, and with whom it is shared.
• User Control: Users should have meaningful control over their data, including the ability to access, modify, and delete their data, as well as the option to opt out of data collection and sharing.
• Data Minimization: Companies should only collect the data that is strictly necessary for the provision of their services, and they should avoid collecting sensitive data unless it is absolutely essential.
• Data Security: Companies should implement robust security measures to protect user data from unauthorized access, use, and disclosure.
• Accountability: Companies should be held accountable for their data practices, and there should be effective mechanisms for enforcement and redress in cases of privacy violations.
• Independent Audits: Regular independent audits of AI systems’ data practices can help ensure compliance with privacy regulations and best practices.

The rapid advancement of AI technology presents both immense opportunities and significant challenges. Protecting user privacy in this evolving landscape is crucial not only for safeguarding individual rights but also for fostering trust in AI systems and ensuring their responsible development and deployment. A comprehensive and globally coordinated approach to AI data privacy is essential to navigate this complex terrain and harness the benefits of AI while mitigating its potential risks.