OpenAI is fighting a court order that would force it to hand over 20 million anonymized ChatGPT conversations as part of the New York Times’ copyright lawsuit, Reuters reports.
In a filing on Wednesday, the company warned that complying would expose private user chats that have nothing to do with the case, calling it a “speculative fishing expedition.”
Reuters said OpenAI argued 99.99% of the requested logs bear no relevance to the copyright claims. The Times and other outlets say they need the chats to test whether their articles were reproduced and to counter OpenAI’s allegation that they “hacked” the model to fabricate evidence.
The judge overseeing the matter previously said privacy would be safeguarded through “exhaustive de-identification,” and set a Friday deadline for OpenAI to hand over the sample.
OpenAI’s security chief, Dane Stuckey, said in a blog post that the order would “force us to turn over tens of millions of highly personal conversations from people who have no connection to the Times’ baseless lawsuit.”
The Times rejected that claim, saying user privacy is not at risk under the court’s protective order.
The case is one of several active lawsuits accusing AI developers of using copyrighted content without permission to train their models.
Aaron Rose, office of the CTO at Check Point, said, “Data privacy isn’t just about whether logs are encrypted at rest or in motion. It’s also about whether their sheer scale, retention policies, and legal exposure turn them into a latent risk. Enterprises using AI-powered services need to assess not only vendor features, but vendor governance, legal liability, and log retention-related risks.
Rose says the case highlights a key lesson for organizations: when integrating AI systems into workflows, consider not only what the AI can do, but also what happens to the conversation logs, who sees them, under what conditions they might be released, and how the vendor handles anonymization and legal risk. That is core to building a resilient privacy programme.
“We believe that as AI becomes embedded in enterprise operations, companies must adopt a layered approach: secure the AI service endpoints, define clear data-handling policies (including log retention and deletion), conduct vendor risk assessments, and monitor for upstream legal/regulatory changes. The OpenAI case is a real-world signal that this isn’t hypothetical anymore.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.