
    Your AI Conversations Are Discoverable: What Heppner Means for Law Firms

    Your AI conversations may not be private. Based on a recent district court ruling, they may not be protected by attorney-client privilege. They can be subpoenaed, seized under warrant, and used as evidence, including conversations the provider told you were deleted. If your firm uses ChatGPT, Claude, Copilot, Harvey, or CoCounsel, the recent court decisions examined in this article bear directly on your client data.

    Here is what you need to know, and why Faradex is fundamentally different.

    What happened

    United States v. Heppner, S.D.N.Y. (Feb. 2026)

    Bradley Heppner was indicted on federal securities and wire fraud charges. Before his arrest, he used Anthropic's Claude (the free, consumer version) to research legal issues, outline defense strategy, and organize information he had learned from his attorneys. The FBI seized his devices, recovered 31 AI-generated documents, and moved to use them as evidence.

    Judge Jed S. Rakoff granted the government's motion. The court held that the AI-generated documents were protected by neither attorney-client privilege nor the work product doctrine. Three findings drove the ruling:

    • Claude is not an attorney. Communications between a client and a non-attorney third party are not privileged. The court found this alone was dispositive.
    • There was no reasonable expectation of confidentiality. The court cited Anthropic's privacy policy, which permits the company to collect user inputs and outputs, use them for model training, and disclose them to third parties, including government regulatory authorities.
    • The work was not directed by counsel. Heppner acted on his own initiative. Materials generated without attorney direction do not qualify as work product, even if later shared with counsel.

    This is the first federal district court ruling to squarely address privilege in the context of consumer AI tools. It is a single-judge opinion from the Southern District of New York, persuasive authority rather than binding precedent outside that district, and it has not been tested on appeal. That said, the reasoning is straightforward and likely to be followed by other courts considering similar facts.

    Sources: Proskauer analysis · Gibson Dunn analysis · Harvard Law Review commentary

    OpenAI ordered to preserve deleted conversations (May 2025)

    In The New York Times Company v. Microsoft Corporation, a federal court ordered OpenAI to stop deleting ChatGPT conversation logs, including conversations users had already deleted under OpenAI's 30-day retention policy. The court reasoned that deleted chats could contain evidence of copyright infringement.

    The order affects users of ChatGPT Free, Plus, Pro, and Team, as well as API customers without a Zero Data Retention agreement. OpenAI's COO confirmed the company would comply.

    The implication: "deleted" does not mean gone. If the data existed on the provider's infrastructure at any point, it can be subject to a preservation order, a litigation hold, or a subpoena.

    Sources: Malwarebytes coverage · SiliconANGLE coverage

    Court orders production of 20 million ChatGPT logs (Jan. 2026)

    The same litigation produced a far more dramatic order six months later. In January 2026, U.S. District Judge Sidney Stein ordered OpenAI to produce 20 million ChatGPT conversation logs as evidence in the publishers' copyright claims. The users whose conversations were handed over received no advance notice and had no opportunity to object.

    The court relied on removing identifying information as a privacy safeguard. But anonymization of AI conversation logs has already proven unreliable. When The Washington Post examined 47,000 leaked ChatGPT logs, analysts found that email addresses, phone numbers, and intimate personal details remained visible in the data, making re-identification straightforward despite name removal.

    This is the trajectory: first the court said "stop deleting." Then the court said "hand over 20 million conversations to the opposing party." The direction is clear, and it is accelerating. Any data that exists on a provider's infrastructure is reachable, and the courts are increasingly willing to reach for it.

    Source: GBlock analysis

    The CLOUD Act makes this worse

    The Clarifying Lawful Overseas Use of Data Act (2018) requires any provider of electronic communication services or remote computing services to comply with a U.S. law enforcement warrant or subpoena to produce data within its "possession, custody, or control," regardless of where that data is physically stored.

    The CLOUD Act applies when three conditions are met: a U.S. court has jurisdiction over the entity, the entity qualifies as an electronic communication or remote computing service provider, and the entity has possession, custody, or control over the data being sought.

    Every major AI platform (OpenAI, Anthropic, Google, Microsoft, Harvey, CoCounsel) meets all three conditions. They are U.S.-based or U.S.-subject service providers. They retain user data for some period. They have possession and control of that data during the retention window.

    Harvey AI has publicly discussed this exposure, noting that its short retention windows reduce the practical risk of a CLOUD Act demand. That may be true as a practical matter, but reduced risk is not eliminated risk. During any retention window (Harvey's minimum is three hours), the data exists, the provider controls it, and it is reachable by warrant.

    Sources: CLOUD Act text (Congress.gov) · AWS CLOUD Act FAQ · Harvey blog on data sovereignty

    "But we use enterprise tools, not free ChatGPT"

    The most common reaction to Heppner from law firms is: "That case involved a criminal defendant using free consumer AI without his lawyer's involvement. We use paid enterprise platforms with confidentiality agreements. It doesn't apply to us."

    This distinction is partially legitimate on its facts. But it does not provide the comfort firms think it does.

    What is different about enterprise use

    • Heppner was a client acting alone, without attorney direction. When a lawyer uses an AI tool as part of active case preparation, the work product analysis is stronger.
    • Enterprise agreements typically contain explicit confidentiality obligations that consumer terms of service do not. This helps on the "reasonable expectation of confidentiality" prong.
    • Enterprise platforms like Harvey operate under shorter retention windows and stricter data handling commitments than consumer tools.

    What is not different

    • The court's first holding, that an AI platform is a non-attorney third party, has nothing to do with price or subscription tier. Harvey is not an attorney. CoCounsel is not an attorney. Claude Enterprise is not an attorney. The "communications with a non-attorney third party are not privileged" analysis applies to every AI platform on the market, regardless of what you pay for it. Paying more does not transform software into a member of the bar.
    • Enterprise platforms still retain data, even briefly. They still have technical access to it during processing. Their privacy policies still reserve the right to disclose under legal process. A contractual promise of confidentiality improves your position, but courts look at the totality of circumstances. If the platform can technically access your data, and its terms permit disclosure under legal compulsion, the "reasonable expectation" argument has a crack in it.
    • The work product doctrine protects against discovery by an adversary. It does not protect against subpoenas directed at the platform itself. Even if your work qualifies as attorney work product, a court can still compel the platform to produce it in response to a third-party subpoena, as the OpenAI production order demonstrates.

    The honest assessment: Heppner involved the worst possible facts for privilege. Your firm's facts are better. But the structural vulnerability remains. Enterprise agreements reduce your exposure on the confidentiality prong but do not eliminate it. The only way to fully close the gap is to ensure no data exists to be compelled in the first place.

    Why Faradex is different

    Every platform discussed above shares a common vulnerability: they write your data to disk. Whether they keep it for three hours or thirty days, that act of persistence is what creates legal exposure. Once data hits a filesystem or database on the provider's infrastructure, it can be subpoenaed, preserved under court order, or compelled under the CLOUD Act. The retention window is a question of degree, not kind.

    Faradex is fundamentally different. It is, as far as we are aware, the only AI platform built from the ground up so that your data never touches persistent storage.

    Everything runs in volatile memory. Nothing is written to disk. Faradex maintains a database, files, and records of your conversations while you are working. But all of it lives exclusively in RAM. There is no disk write, no filesystem persistence, no database commit to durable storage. When your session ends, that memory is released. The data does not get deleted. It was never stored in the first place. This is not a retention policy. It is a hardware-level architectural constraint.

    Why this matters legally: A subpoena or CLOUD Act demand can only compel production of data within the provider's "possession, custody, or control." Data that exists only in volatile memory during active processing, and is never written to any persistent medium, is not data that Faradex or Amazon Web Services could retrieve and hand over after the fact. There is no backup to restore, no database to query, no log to pull. The architecture makes compliance with a production demand for historical conversation content a factual impossibility, not a policy choice.

    This is not how other platforms work. Most AI providers write your inputs and outputs to disk the moment they arrive, then promise to delete them later. Some promise deletion after 30 days. Some after three hours. But the act of writing to persistent storage is itself the problem: it creates data that can be frozen by a litigation hold, reached by a warrant, or preserved under court order before the deletion window closes. Faradex never creates that data in the first place.
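    Whether a host really keeps session content out of durable storage is checkable from the kernel's own tables. The added example below (not Faradex's code; the directory names and sample /proc contents are constructed) flags the usual routes by which "RAM-only" data still reaches disk: active swap, a kernel.core_pattern that persists crash dumps, and data directories not mounted on tmpfs or ramfs.

```python
from dataclasses import dataclass, field

# Constructed sample inputs (not from any real host), in the real /proc/swaps and /proc/mounts layouts.
SAMPLE_SWAPS = ("Filename\tType\tSize\tUsed\tPriority\n"
                "/dev/nvme0n1p3 partition 8388604 0 -2\n")
SAMPLE_MOUNTS = ("/dev/nvme0n1p2 / ext4 rw,relatime 0 0\n"
                 "tmpfs /srv/app/sessions tmpfs rw,nosuid,nodev,size=4194304k 0 0\n")

@dataclass
class Findings:
    swap_devices: list = field(default_factory=list)    # active swap areas (RAM can be paged out)
    core_dumps_to_disk: bool = False                    # kernel.core_pattern would persist a dump
    non_tmpfs_dirs: list = field(default_factory=list)  # (dir, fstype) pairs not memory-backed

    def ok(self) -> bool:
        return not (self.swap_devices or self.core_dumps_to_disk or self.non_tmpfs_dirs)

def parse_swaps(text: str) -> list:
    """/proc/swaps: one header line, then 'Filename Type Size Used Priority' per swap area."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]

def parse_mounts(text: str) -> dict:
    """/proc/mounts: 'device mountpoint fstype options dump pass' -> {mountpoint: fstype}."""
    rows = (line.split() for line in text.splitlines())
    return {r[1].replace("\\040", " "): r[2] for r in rows if len(r) >= 3}

def fstype_for(path: str, mounts: dict) -> str:
    """Filesystem type of the longest mount point that is a prefix of path."""
    cands = [mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return mounts[max(cands, key=len)] if cands else "unknown"

def audit(swaps_text: str, mounts_text: str, core_pattern: str, data_dirs: list) -> Findings:
    """Flag the common routes by which in-memory data reaches durable storage."""
    f = Findings(swap_devices=parse_swaps(swaps_text))
    # The default pattern 'core' writes a file next to the process; '|/path/handler' pipes the
    # dump to systemd-coredump or apport, which store it too. Only empty or /dev/null is safe.
    f.core_dumps_to_disk = core_pattern.strip() not in ("", "/dev/null")
    mounts = parse_mounts(mounts_text)
    for d in data_dirs:
        fs = fstype_for(d, mounts)
        if fs not in ("tmpfs", "ramfs"):
            f.non_tmpfs_dirs.append((d, fs))
    return f

def audit_host(data_dirs: list) -> Findings:
    """Same checks against the live host (Linux only): reads the real /proc entries."""
    read = lambda p: open(p).read()
    return audit(read("/proc/swaps"), read("/proc/mounts"),
                 read("/proc/sys/kernel/core_pattern"), data_dirs)
```

    Run `audit_host(["/path/to/session/store"])` on the host under review; any non-empty field in the result is a place where "never written to disk" does not hold without further configuration.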

    The AI never reaches Anthropic or OpenAI. Faradex uses the same frontier AI models you've heard of — currently Claude Opus 4.7 — but accesses them through Amazon Bedrock, AWS's hosted offering of those models. Under Bedrock's Zero Data Retention configuration, your prompts and documents are processed by an isolated copy of the model running entirely inside AWS. Anthropic does not see your data. OpenAI does not see your data. The model providers are never in the loop, because the models you're using are hosted by Amazon, not by them.

    This matters because the AI labs are young companies whose retention practices have already been compelled in federal court (Heppner, NYT v. Microsoft) and whose internal security has produced documented incidents in the past year. Amazon, by contrast, is the company already hosting the regulated workloads of U.S. banks, hospitals, defense agencies, and the federal government — with two decades of HIPAA, FedRAMP, and SOC 2 history. Faradex puts your AI inside that trust boundary instead of the AI labs'.

    Dedicated, single-tenant infrastructure. Your Faradex environment runs on its own isolated AWS instance. No shared infrastructure, no multi-tenant commingling, no lateral exposure. This is a separate server, not a logical partition within a shared cluster.

    We can be subpoenaed. We designed the system so there is nothing responsive to produce. Faradex is a U.S.-based service provider running on AWS. We are subject to the same legal process as any other company. A court could issue a warrant, a subpoena, or a CLOUD Act order directed at Faradex, and we would be obligated to comply. The difference is what compliance looks like. For the substance of your legal work (your prompts, your documents, the AI's analysis), there is nothing to produce. That content existed in RAM during your session and nowhere else. It cannot be recovered after the fact by us or by Amazon.

    Other platforms argue they are unlikely targets. We don't make that argument. We assume we will be targeted. We built the architecture so it doesn't matter.

    For lawyers specifically, this architecture solves the Heppner problem at its root. The court in Heppner found no reasonable expectation of confidentiality because Anthropic's privacy policy allowed collection, retention, and disclosure of user data. Faradex cannot collect, retain, or disclose conversation content, because the system is physically incapable of doing so. You cannot subpoena what does not exist. You cannot preserve what was never stored.

    What this means for your firm

    Though not yet binding precedent, the Heppner ruling is a strong signal that AI platforms are third-party intermediaries whose privacy policies do not create a reasonable expectation of confidentiality sufficient to support privilege. The OpenAI orders confirmed the corollary: data you believe is deleted may still exist, and courts are willing to compel its production on a massive scale without notifying the affected users.

    For law firms, the exposure is not limited to criminal defense. Any client matter processed through a consumer or enterprise AI tool (contract review, M&A due diligence, IP analysis, regulatory research) creates data that could be discoverable in litigation, subject to a preservation hold, or producible under subpoena. The "we use enterprise tools" defense narrows the exposure but does not close it.

    Faradex was built for firms that cannot accept that residual risk. Your prompts, your documents, your outputs: the substantive content of your legal work exists in volatile memory during processing and nowhere else. When the work is done, the data is gone. Not because we promise to delete it. Because it was never written to disk.
