
simonreiff yesterday at 5:32 PM

Attorney admitted in NY here. It's fascinating that Judge Rakoff likely would have come to the opposite conclusion if the Claude chat was at the attorney's request or suggestion. I am surprised the court placed so much reliance on the Terms of Service, which are probably not so different than those of Outlook, Gmail, etc., say, yet nobody disputes that attorney-client emails remain privileged notwithstanding the Terms of Service of those providers. At least I have never seen anyone argue in NY that privilege is waived by emailing. And unlike sending an email to another person, chatting with Claude is a solo conversation more like organizing one's notes, which if in contemplation of obtaining legal advice seems privileged to me. I think this is a very close question and am not sure it would come out the same way in other courts or on even slightly different facts. Very interesting legal question.


Replies

joshribakoff today at 5:27 AM

Not an attorney, but it's a chat between a non-attorney… and well, themselves. It seems no different than a client writing handwritten notes. But if they handwrote a note to… give to their attorney, that seems different (which is how you seem to frame it). I trust that the court articulated clearly why the defendant's “certain notes” were not privileged; however, it's not surprising that there is nuance. In fact, it's no different than how only “certain emails” could be privileged. This also seems like a win for society, if there is some sort of pattern with AI helping with crimes.

rkagerer today at 7:38 AM

> chatting with Claude is a solo conversation

I only wish it were.

While your analogy may reflect the mental model held by most users, I'd argue it sidesteps the reality that the company providing the service can by definition listen in on every word you exchange. Even if they were trustworthy enough to abide by their promises (which life experience has taught me trends inversely proportional to the size of the organization*), data breaches have become routine across even the best resourced institutions.

Email carries a similar exposure (unless you run your own in-house server / both parties are encrypting). I once had a lawyer who couldn't handle decrypting a zip file, and I insisted on hand-delivery from the other party as an alternative. It boggles my mind to see legal firms increasingly rely on consumer-oriented cloud services while acting like they are retaining custody of the data entrusted to them. Might as well send your manila folders to a third-party warehouse where they're handled by staff you didn't vet who aren't strongly bound by attorney-client privilege.

Don't get me wrong, I like your analogy and found your viewpoint insightful. I do feel as we fork over more of our lives to a handful of digital cloud providers, society will inevitably craft stronger protections to bring the legal regime into alignment with most users' inherent expectations. I just feel there is a huge gap today between how people expect the systems they rely on are architected vs. how they really work.

I wonder how plausible it would be for a frontier provider to offer something like enclaved AI instances where the user held sole custody of the key (marketed somewhat like Kagi Privacy Pass). While I doubt it could be bulletproof from a technical perspective, it might act as a strong signal about their privacy commitment. Do you think such a configuration might have had an impact on this Justice's deliberations?

---

*Life experience has taught me the bigger a corporation is the more likely this is a stretch - not because employees are willfully nefarious, but because the corporate culture doesn't prioritize it anywhere near as much as they do pace of growth and revenue, and because the consequences they face in practice from harming your privacy are basically non-existent - like a year or two of credit monitoring could somehow mitigate the consequences of all your PII being forever leaked (my general advice to companies collecting PII is not to treat it as an asset, but rather as toxic hazardous material that you minimize, contain and shed at the earliest opportunity).

mnky9800n today at 9:37 AM

Would a self-hosted model also not be protected? Like because it’s classified as “AI” can those logs be read without a warrant?