On February 10, 2026, Judge Jed Rakoff of the Southern District of New York ruled from the bench that neither the attorney-client privilege nor the work product doctrine protected documents a criminal defendant generated using the consumer version of Anthropic’s Claude chatbot. A week later, he issued a written opinion in United States v. Heppner calling it a matter of “nationwide” first impression. The legal commentary that followed has focused almost entirely on a single proposition: that consumer AI conversations are not confidential.

That proposition is probably correct as a practical matter. But the reasoning the court used to get there—and the reasoning it failed to use—should trouble anyone who cares about how privilege doctrine adapts to new technology. Heppner reached the right result on solid grounds, then bolted on a confidentiality analysis that was unnecessary, incompletely reasoned, and affirmatively wrong in its method. Unfortunately, that unnecessary analysis is the part future courts are most likely to cite, and it rests on a factual record the opinion never bothered to develop.

Facts and Holding

Bradley Heppner, the founder and former CEO of Beneficient, a financial services company, faces a five-count federal indictment for securities fraud, wire fraud, conspiracy, making false statements to auditors, and falsification of records—charges arising from an alleged scheme to defraud investors in the publicly traded company GWG Holdings through self-dealing transactions involving Beneficient. After receiving a grand jury subpoena and learning he was a target of the investigation, but before his November 2025 arrest, Heppner used the consumer version of Claude to analyze his legal exposure and develop defense theories. When federal agents executed a search warrant at his home, they seized numerous documents and electronic devices. Defense counsel later identified approximately thirty-one of the seized materials as AI-generated documents.
The government moved for a ruling that the documents were not privileged; Heppner resisted, invoking attorney-client privilege and the work product doctrine. Because this is a criminal case—where the government’s interest in access to evidence is at its strongest and courts construe privilege claims narrowly—the procedural deck was already stacked against Heppner’s claims.

Judge Rakoff rejected the privilege claim on what he described as “at least two, if not all three” elements of the governing test. Federal courts define attorney-client privilege as protecting communications (1) between a client and an attorney, (2) that are intended to be, and in fact were, kept confidential, (3) for the purpose of obtaining or providing legal advice. On the first element, the court held that Claude is not an attorney: it holds no law license, owes no fiduciary duties, and cannot form an attorney-client relationship. On the second, the court held that Heppner had no reasonable expectation of confidentiality because Anthropic’s privacy policy disclosed that Anthropic could use user inputs for model training and share them with third parties, including “governmental regulatory authorities.” On the third—which the court acknowledged “perhaps presents a closer call”—Heppner did not communicate with Claude for the purpose of obtaining legal advice from an attorney. Claude’s terms of service disclaim providing legal advice, and Heppner’s lawyers neither directed nor supervised his use of the tool. The court noted that had counsel directed Heppner to use Claude, it might have “functioned in a manner akin to a highly trained professional” who could act within the privilege under the Kovel doctrine. However, because Heppner acted on his own, the question was whether he intended to obtain legal advice from Claude, and Claude disclaims providing it.
In a footnote, the court added that “even if certain information that Heppner input into Claude was privileged, he waived the privilege by sharing it with Claude and Anthropic, just as if he had shared it with any other third party.”

On work product, the court held that protection never attached. Defense counsel conceded that Heppner created the documents “of his own volition” and that the legal team “did not direct” him to use Claude. Judge Rakoff held that materials not prepared by or at the behest of counsel do not qualify as work product, expressly disagreeing with Shih v. Petal Card, Inc., which had recognized work product protection for a party’s own litigation-preparation materials regardless of attorney direction. The court also found Fed. R. Crim. P. 16(b)(2)(A) inapplicable on its face because the documents were seized under a search warrant rather than produced in pretrial discovery.

Where the Opinion Overreaches

The first and third grounds of the privilege analysis—no attorney-client relationship with an AI, no communication made for the purpose of obtaining legal advice from an attorney—are each independently sufficient to defeat the privilege claim, and they rest on doctrinal foundations that no one seriously disputes. An AI tool is not a lawyer. Heppner was not seeking legal advice from an attorney when he typed queries into Claude. Whether the work product result is correct depends on which view of the doctrine controls, and as discussed below, the court’s narrow view is not the consensus position.

The confidentiality holding is where the opinion’s method fails. Judge Rakoff treated Anthropic’s privacy policy as establishing that Heppner could have “no reasonable expectation of confidentiality” in his AI conversations. The court cited an archived version of the policy dated February 2025 and pointed to provisions permitting Anthropic to collect user inputs and outputs, use that data to train Claude, and disclose it to third parties.
But the opinion never identified the terms that actually governed Heppner’s use—and those terms were changing during the relevant period. In August 2025, Anthropic updated its consumer terms, giving users the ability to control whether Anthropic would use their data for model training. Existing users had until October 8, 2025, to accept the new terms and select their preference; new users choose during signup. The operative language in the consumer terms of service states that Anthropic may use user materials for model training “unless users opt out”—placing the default in Anthropic’s favor—though Anthropic’s own blog post announcing the change described it as “allowing users on Claude Free, Pro, and Max plans to opt-in for data usage,” framing the default in the opposite direction. The tension between the legal text and the public announcement only underscores the need for courts to examine the actual operative terms rather than relying on broad characterizations. Heppner used Claude in 2025 before his November arrest, meaning either the old or the new terms may have governed his conversations depending on when they occurred. The court never asked what version governed, whether Heppner had opted out of training, or what product tier he was on. It treated the broadest possible reading of the consumer terms as conclusive—without examining what the user actually agreed to or configured.

That approach is more formalistic than existing precedent supports. Privilege law has historically asked whether a party could reasonably expect confidentiality based on the totality of the circumstances, not whether a provider’s boilerplate reserves some theoretical right of access. Even the ABA’s own ethics guidance recognizes the training question as central to confidentiality.
Formal Opinion 512 (2024) warns that “self-learning” generative AI tools—those that train on user inputs—pose distinct confidentiality risks because information a lawyer enters for one client’s representation may influence outputs the tool provides to others, and requires informed client consent under Model Rule 1.6 before a lawyer enters any client information into such a tool. Opinion 512’s core insight—that whether a tool trains on user data is the question that matters for confidentiality—is exactly the inquiry Heppner skipped. And that gap is what makes the opinion dangerous. Lawyers reading Heppner are not worried about the unremarkable proposition that AI chatbots are not attorneys. They are worried about the broad suggestion that any use of a consumer AI platform negates a reasonable expectation of confidentiality—a holding that, if applied uncritically, would reach every lawyer who has ever pasted a case summary into ChatGPT.

The work product holding presents a different problem. The court’s position—that materials must be prepared by or at the direction of counsel to qualify—expressly rejected Shih and goes well beyond a procedural ruling on Fed. R. Crim. P. 16’s scope. But the weight of authority in the circuit does not support that narrow view. The traditional Second Circuit formulation protects “materials prepared by or at the behest of counsel in anticipation of litigation or for trial,” In re Grand Jury Subpoenas Dated March 19, 2002 and August 2, 2002. The civil analog, Fed. R. Civ. P. 26(b)(3)(A), protects materials prepared “by or for another party or its representative”—language broad enough to cover a party acting on its own initiative. In United States v. Stewart, the district court observed that “the work product doctrine (which appears, for the most part, to have lost the adjective ‘attorney’) now protects a great deal more material than Hickman contemplated” and held that an email the defendant herself composed qualified as work product.
That reasoning points toward the broader view, though Stewart’s facts did not require the court to reach the question—because Stewart’s attorneys had directed her to compile the information. The work product doctrine also has a common-law basis that exists independently of either procedural rule, and the Heppner court’s broader holding is not the consensus position. The opinion’s reasoning on this point signals that the question remains open.

The Harder Questions

The second element of the privilege test asks whether communications were “intended to be, and in fact were, kept confidential.” The Heppner opinion treats that question as answered by pointing to a platform’s contractual permission to use data—but never examines whether the platform’s actual data practices supported or undermined the reasonableness of Heppner’s expectation of confidentiality. Anthropic’s own privacy documentation states that “by default, Anthropic personnel cannot view conversations” unless the user consents to sharing feedback or the company needs to review content for policy enforcement, and that even in the latter case only designated Trust & Safety team members may access data on a necessity basis. Whether a remote, contractual possibility of disclosure should defeat a reasonable expectation of confidentiality is a genuinely difficult question, and it implicates decades of privilege law concerning inadvertent disclosure and third-party intermediaries.

Judge Rakoff anticipated a version of this argument.
The opinion acknowledged commentators who liken AI inputs to the use of cloud-based software, then dismissed the analogy on the ground that “the use of such applications is not intrinsically privileged in any case” and that all recognized privileges require “a trusting human relationship.” But that reasoning conflates two distinct questions: whether AI use creates privilege (it does not, as the first and third grounds establish) and whether transmitting information through an AI platform negates the reasonable expectation of confidentiality that the second element requires. The cloud analogy goes to the second question, and the court never engaged with it on those terms.

Law firms routinely store privileged documents on third-party servers operated by companies whose terms of service reserve some right to access stored content for maintenance, compliance, or legal process. The ABA addressed this in Formal Opinion 477R (2017), which applied a fact-specific “reasonable efforts” standard: lawyers may transmit confidential information electronically so long as they assess the sensitivity of the information, the likelihood of disclosure, and the available safeguards—and take steps proportionate to the risk. No court has held that storing privileged documents on a cloud server destroys privilege simply because the provider’s terms of service reserve some right of access. The question has always been whether the risk of disclosure is sufficiently real and foreseeable to negate a reasonable expectation of confidentiality—not whether the risk is theoretically possible under the fine print.

AI platforms differ from conventional cloud storage in one important respect: consumer-tier providers may use conversation data for model training, which means that the substance of a user’s input may, in a statistical sense, influence the model’s future behavior. But this is not “disclosure” in any sense that privilege law has traditionally recognized.
No human reads the conversation. Providers process the data computationally, often in aggregate and in de-identified form. The model does not, in the ordinary course, reproduce specific inputs. Whether this kind of machine processing constitutes the breach of confidence that privilege doctrine exists to prevent is a question worth taking seriously—and Heppner does not take it seriously at all.

Gmail shows where Heppner’s reasoning leads. Google’s privacy policy (effective December 11, 2025; other versions may differ slightly) states that Google “collect[s] the content you create, upload, or receive from others when using our services,” including “email that you write and receive.” It uses “automated systems that analyze your content” for service delivery, abuse detection, and personalization. It shares personal information outside Google “for legal reasons” when Google has “a good-faith belief that disclosure of the information is reasonably necessary to” respond to “any applicable law, regulation, legal process, or enforceable governmental request.” It restricts employee access to those who “need that information in order to process it”—subject to “strict contractual confidentiality obligations.” These provisions are structurally indistinguishable from those in Anthropic’s privacy policy. If courts adopted Heppner’s method—reading a provider’s privacy policy for the broadest reserved rights and treating those rights as negating any reasonable expectation of confidentiality—Google’s terms would strip the privilege from every privileged communication that passes through Gmail. No court has reached that conclusion. And notably, Google does not offer any equivalent to Anthropic’s training opt-out: a Gmail user cannot prevent Google from applying automated analysis to email content, whereas an Anthropic consumer user can affirmatively opt out of model training.
A user who exercised that option—which the Heppner court never asked about—would have an even stronger claim to confidentiality than any Gmail user.

A separate question lurks in Heppner’s work product holding. If the court’s narrow view is wrong—and, as discussed above, the weight of authority suggests it is—then a defendant who prepares litigation materials using an AI tool has work product protection, and the question becomes whether disclosing those materials to the platform waived it. Attorney-client privilege and work product apply different waiver standards. For privilege, any voluntary disclosure to a third party waives the privilege. For work product, the test is more forgiving. In Stewart, the court held that Martha Stewart’s forwarding of a work-product-protected email to her daughter waived attorney-client privilege but did not waive work product protection because the disclosure did not “substantially increase the risk that the Government would gain access to materials prepared in anticipation of litigation.” That framework maps directly onto the AI context: the relevant question is whether submitting prompts to an AI platform substantially increases the risk that the prosecution will gain access to a defendant’s litigation-preparation materials. Heppner never asks it, because it never recognized the work product protection that would make the question necessary.

More broadly, future courts will need to grapple with whether algorithmic processing of data constitutes “disclosure to a third party” for privilege purposes, or whether it is more analogous to the kind of intermediary handling that courts have long tolerated—postal carriers, telephone companies, cloud providers—without finding waiver. The answer may depend on the specific technical architecture of the platform in question, but Heppner skips the question entirely.

What Courts Should Do Differently

Future courts will cite Heppner for the proposition that consumer AI conversations are not confidential. That framing is too broad—it ignores user training preferences, conflates contractual permission with practical disclosure risk, and goes beyond what the court’s holding required. But it captures something real: consumer AI platforms were not designed with legal privilege in mind, and users who rely on them for sensitive work accept risks they likely do not understand.

Courts confronting AI privilege questions should do what Heppner did not: examine the specific terms, settings, and product tier a user actually employed before concluding that the user had no reasonable expectation of confidentiality. A blanket rule that “consumer AI use destroys privilege” would be both doctrinally unsound and practically unworkable in a profession where AI adoption is accelerating rapidly. Courts have not held that storing privileged documents on a cloud server destroys privilege simply because the provider’s terms reserve some right of access. The analysis has always required a more granular inquiry into the actual risk of disclosure, and AI should be no different. The information needed to conduct that inquiry is publicly available; every major provider documents it. The problem Heppner exposes is not that the information is hidden—it is that almost nobody in the courtroom had read it.

In the meantime, lawyers should advise their clients to keep privileged work off consumer AI platforms—not because Heppner’s confidentiality analysis is correct, but because it exists.