Study: AI chatbots leak chats to Meta, TikTok and Google

Researchers at the IMDEA Networks Institute report that four major AI chat platforms embed third-party trackers that send conversation URLs and user data to advertising and analytics services including Meta, Google and TikTok. The study, published May 4 under the name LeakyLM, identified more than 13 trackers across ChatGPT, Claude, Grok and Perplexity.

The paper finds trackers can transmit advertising cookies, page URLs that point to specific chats and, in at least one case, verbatim message content. Grok guest conversations are publicly accessible by default, and the researchers report TikTok’s tracker received Open Graph metadata for chat links that included message text used to build link previews.

The LeakyLM project says none of the detected third-party integrations are described to users in plain language. The report warns that when chat permalinks are public, sending those links to ad systems can give external companies the ability to access full conversations.

Grok, the chatbot from xAI, was identified as the most exposed platform in the study. Guest conversations on Grok can be read by anyone with a permalink without logging in. IMDEA’s tests showed TikTok’s tracking code captured link preview metadata that may contain the text of a chat.

Anthropic’s Claude and OpenAI’s ChatGPT apply stronger default access controls so conversations are not automatically public, but the study found both platforms still transmit conversation permalinks and identifying data to major ad and analytics services. For Claude, the report documents data forwarded to 11 advertising platforms via Anthropic’s servers rather than directly from the browser, a design the researchers say can bypass browser ad blockers. Perplexity removed a Meta tracker in the month before testing began.

The authors do not present evidence that staff at Meta, Google or TikTok read users’ chats, but they describe data flows and infrastructure that would enable access. The report states, “Leaking a URL is not just metadata — it can be equivalent to leaking the conversation itself.”

The IMDEA team submitted its findings to Data Protection Authorities on April 13, 2026, and notified xAI on April 17. As of the report’s publication, the researchers report no responses from the companies named in the paper.

The study compares how platforms handle cookies and analytics. In the researchers’ tests, rejecting non‑essential cookies on Claude disabled a Meta Pixel. On ChatGPT, rejecting cookies where possible reduced some exposure, while Google Analytics continued to run for free logged‑in users. The paper lists platform settings that change visibility, such as altering Grok conversation visibility and setting Perplexity chats to private, and notes those measures do not remove all third‑party data flows.

The authors plan to extend testing to Meta AI, Microsoft Copilot and Google Gemini. Those services were excluded from this phase because they operate chat services while also running advertising ecosystems, a configuration the paper says complicates the study’s threat model.

The report calls for clearer disclosures about third‑party integrations and for providers to review default settings that expose chat links to external analytics and advertising systems. The paper adds, “The studied LLMs offer privacy controls to limit conversation visibility, but may mislead users by implying stronger protections than are actually enforced.”