The Catalan Cybersecurity Agency has warned that sharing personal data with generative artificial intelligence assistants such as ChatGPT, Gemini, Claude, Grok, or Meta AI carries risks for user privacy.
The alert affects tools that are becoming increasingly commonplace, but the agency dependent on the Generalitat de Catalunya warns that these systems collect everything from identifying information to clinical history, location, personal relationships, phone number, IP address, and all content generated by the user in the conversation.
The Agency warns that chats can end up with third parties or on the black market
The agency points out that the data entered into these platforms are not only used to obtain an immediate response. They can also be used to train and personalize the systems, which expands the trail of information that the user leaves in each interaction.
Furthermore, the Catalan Cybersecurity Agency warns of subsequent use of this data outside the control of those who provide it.
"The data can be sold to third parties, used for commercial purposes, and even end up leaked to the Internet black market" - Catalan Cybersecurity Agency, an agency of the Generalitat de Catalunya
Based on this information, third parties can create behavioral profiles that can be exploited by companies, feed mass surveillance or facial recognition systems, or facilitate leaks to malicious actors who then commit scams and identity theft.
The agency recommends deleting sensitive content and limiting device permissions
The Agency asks not to share personal information with these types of assistants. It also recommends reviewing account settings to reduce the exposure of data already provided.
Specific measures include disabling chat history and deleting sensitive material previously shared. The agency also advises limiting access permissions to the device's camera and microphone.
Along with these precautions, the Agency suggests taking action against the companies that manage these services. The recommendation is to send an objection request to prevent them from training their systems with user information.
It also advises requesting the deletion of already stored records by exercising the right to be forgotten.