Tests Find ChatGPT Browser Leaves Sensitive Data – findarticles.com
Now, ChatGPT is following you onto the web — whose conveniences may come with a memory trade-off that you didn’t sign up for. Early, hands-on tests of OpenAI’s new Comet Browser found the AI assistant still hung on to details from a user’s private browsing sessions, like the name of a person’s doctor; while other researchers showcased how AI browsers can be secretly manipulated by ulterior commands. Collectively, the findings raise pressing questions about how much an AI-enhanced browser should know — and for how long.
In tests published by The Washington Post with technical assistance from the Electronic Frontier Foundation, testers found Comet’s continued memory of search history, page context, and sensitive searches persisted long after a browsing session was over. In one instance, the assistant recalled a search for abortion care that included the name of the clinician — information the user hadn’t explicitly re-entered. That’s not a bug; it’s a feature of “agentic” browsing, in which the AI maintains context to be more helpful across tasks.
The privacy implications are obvious. And since it operates at the level of your browser, an assistant like that can connect dots that regular history logs don’t, piecing together bits and pieces of your behavior into a narrative that is comparatively simple to dig up again. And even if the data housed never leaves your device, it doesn’t matter because just being able to raise it from the dead in plain language dramatically changes how you have to think about risks when researching health or legal or financial issues.
AI browsing systems generally combine three components: what’s on the page, what you type, and a memory store to maintain continuity. Under the hood, that often takes the form of information retrieval-augmented generation (IRAG) facilitated by caches or databases that transcend a single page view. The trade-off is less nagging repetition. The flip side is long-lived breadcrumbs that may contain names, addresses, appointment details, or case numbers — in other words, the sorts of data privacy law identifies as sensitive.
Some vendors claim these memories help to improve assistance, although policies can differ regarding where they live (local vs. cloud), how long they stick around, and whether they can be used to train models.
Defaults and visible controls matter. The absence of simple, global “forget” switches or per-task ephemerality means the thing that was private context is potentially a permanent reference file.
Privacy isn’t the only concern. Brave Software showed AI browsers could process dangerous instructions embedded in images — its own twist on prompt injection where what the site wants executed isn’t visible to users. Should those whispery signals be swallowed by an assistant, it might be pushed to provide a peek at prior context, leak tokens, or take action beyond the page’s intention. Security researchers have been concerned about prompt injection ever since a few large language models started reading live web content; putting commands in media ups the ante and reduces chances of detection.
Here’s where it gets interesting, because memory plus injection equals amplification. But an attacker isn’t just trying to gain a one-off reply — they can tempt the assistant into pulling up whatever it “remembers” about you and sending it off elsewhere. Standard browser protections were not created with this new layer of machine-readable instructions that exists alongside human-readable content.
Consumer tech is largely not covered by medical privacy laws, and HIPAA typically does not apply to browsers or AI assistants. Regulators have already fined health and wellness apps for selling sensitive data to advertisers; the Federal Trade Commission’s case against GoodRx highlighted how rapidly “researching care” becomes a data trail. If an AI browser maintains memory of your condition, clinic, and doctor, then that profile potentially has more depth than what is possible from a classic cookie log — even with no ad network in play.
EU and UK data protection authorities have similarly emphasized data minimization as a safeguard in generative AI, consistent with the NIST AI Risk Management Framework’s instruction to restrict collection and retention.
An aide that remembers far too personal browsing details by default is difficult to reconcile with those principles.
Safety-by-default needs to replace convenience-by-default. That means temporary memory unless a user chooses to opt in, visual cues when context is being saved, and one-click purges that really do delete stored knowledge. Security-wise, when handling untrusted pages, assistants should render in hardened sandboxes, strip or quarantine machine instructions/prompts from media files, and adopt off-the-shelf prompt-injection countermeasures from upcoming industry playbooks.
AI on the browser can be revolutionary. But even your roughest sketch of disapproval should snap into focus if a mere casual visit to a medical website turns up in an assistant’s biography of you. Until vendors harden defaults and defenses, treat AI browsing like a live microphone: speak with caution or just mute the thing altogether when the stakes are high.
