Skip to content
Clawdemy

References: Why your worry is rational: three things to actually worry about

Citations in this lesson are accurate as of the capture date noted on each source. Vendor privacy policies and architectural details may have changed since capture. For current information, follow the linked sources to the live document.

Source material

Section titled “Source material”
Source material:
• Electronic Frontier Foundation (EFF)
  "AI Chatbot Companies Should Protect Your Conversations From Bulk Surveillance"
  https://www.eff.org/deeplinks/2025/12/ai-chatbot-companies-should-protect-your-conversations-bulk-surveillance
  License: Creative Commons Attribution (CC BY)


• Electronic Frontier Foundation (EFF)
  "Privacy First: A Better Way to Address Online Harms"
  https://www.eff.org/wp/privacy-first-better-way-address-online-harms
  License: Creative Commons Attribution (CC BY)


• Mozilla Foundation
  "How to protect your privacy from ChatGPT and other AI chatbots"
  (Mozilla Privacy Not Included, curated article)
  https://foundation.mozilla.org/en/privacynotincluded/articles/how-to-protect-your-privacy-from-chatgpt-and-other-ai-chatbots/
  License: Mozilla Foundation publication; not under CC BY; cited for attribution


• Mozilla Foundation blog
  "AI privacy: ChatGPT, Claude, Copilot data handling"
  https://foundation.mozilla.org/en/blog/ai-privacy-data-chatgpt/
  License: Mozilla Foundation publication; not under CC BY; cited for attribution


This lesson is original Clawdemy authorship. The three-worry framework, the
postcard-test framing, the what-if-leaked-tomorrow framing, and the no-helplessness
structure are original editorial work. The lesson draws on EFF and Mozilla public
commentary as background research and for the verbatim quotes attributed in the
lesson body. All rights to the original publications remain with EFF and Mozilla
Foundation respectively.

Going deeper

Section titled “Going deeper”

A short list of durable resources for readers who want more than the lesson covers.

  • EFF: “AI Chatbot Companies Should Protect Your Conversations From Bulk Surveillance”. The EFF article that grounds the Surveillance section of this lesson. Goes further than the lesson does on specific demands EFF makes of chatbot providers: end-to-end encryption, no bulk retention, transparency on law-enforcement requests. The lesson borrows EFF’s framing of intimacy (“most sensitive information”); the article gives the full context, including which provider behaviors EFF considers unacceptable and why.

  • EFF: “Privacy First: A Better Way to Address Online Harms”. EFF’s longer white paper on privacy as a first principle in technology design. Useful background for the Vendor lock-in section: the paper makes the argument that architectural choices (what a system is built to retain) matter more than promises. If you want the full reasoning behind “prefer tools whose privacy posture is architectural,” this is where it comes from.

  • Mozilla: “How to protect your privacy from ChatGPT and other AI chatbots”. The Mozilla Privacy Not Included curated article that grounds the Storage and Vendor lock-in sections. Covers the multi-layer settings problem (account-level, app-level, browser-level, feature toggles) the lesson introduces in the Common pitfalls section. Mozilla updates this article periodically as vendor policies change.

  • Mozilla Foundation blog: “AI privacy: ChatGPT, Claude, Copilot data handling”. The Mozilla Foundation blog post that grounds the “18 privacy documentation links” observation in the Vendor lock-in section. Shows the documentation complexity problem concretely across multiple major providers, including the verbatim researcher quote the lesson cites. Useful if you want to see the full researcher commentary this lesson draws from.

  • EFF Surveillance Self-Defense: “Your Security Plan”. EFF’s plain-language guide to building a personal threat model. More general than AI tools specifically, but the underlying structure (who are you protecting information from, what information, what are the consequences) is exactly what lesson 1.2 of this track asks you to practice. Worth reading before or after the lesson 1.2 exercise.

Source limitations

Section titled “Source limitations”

These sources are good. Naming what each one is weaker on helps you use them well.

EFF: “AI Chatbot Companies Should Protect Your Conversations From Bulk Surveillance” (December 2025 article). This article frames its specific demands of chatbot providers (end-to-end encryption, no bulk retention, transparency on law-enforcement requests) primarily for the U.S. legal context. Readers outside the U.S. should treat the legal-remedy framing as illustrative; the technical demands (encryption, retention limits) are jurisdiction-neutral. The article is also an advocacy piece, not a neutral survey: it foregrounds the worst-case bulk-surveillance scenario more than the typical-day usage pattern. Read it for what providers should do, not for a balanced picture of what most providers actually do today.

EFF: “Privacy First: A Better Way to Address Online Harms” (white paper). This is a longer-form argument for privacy as a first principle in technology design. Its scope is broader than AI specifically; the architectural-vs-promise framing this lesson borrows is a small piece of a larger argument about platform regulation. Readers expecting a focused AI-tool analysis will need to filter the AI-relevant parts from the broader policy argument. The paper is also U.S.-centric in its legal references.

Mozilla Privacy Not Included: “How to protect your privacy from ChatGPT and other AI chatbots” (curated article). This article is a snapshot of the AI-tool privacy landscape at one point in time. Vendor policy updates happen faster than Mozilla’s review cycles, so any specific settings-path instruction it gives may be partially out of date for any given product by the time you check. Treat its framework (the multi-layer settings problem, the documentation-complexity problem) as durable; treat its per-product specifics as a starting point for your own verification against the vendor’s current documentation.

Mozilla Foundation blog: “AI privacy: ChatGPT, Claude, Copilot data handling”. This blog post grounds the documentation-complexity observation (the eighteen-document figure) and the researcher commentary the lesson quotes. The figure is a snapshot; documentation counts shift as vendors add, remove, and consolidate policy pages. The lesson cites the figure as a useful illustration of the complexity, not as a stable count. The blog post also leans advocacy in tone, like the broader Mozilla Privacy Not Included program; read it for the diagnosis of the complexity problem, not as a neutral comparison of vendors.

EFF Surveillance Self-Defense: “Your Security Plan”. This is EFF SSD’s introduction to personal threat modeling; it is the source lesson 1.2 builds on directly. For the purposes of this lesson 1.1 (which only forward-references it), the limitation worth naming is that SSD is one well-considered framework, not the only valid one. Other personal threat-modeling frameworks exist (enterprise standards, journalist-specific guides) and would name the same underlying concepts differently. SSD is also U.S.-centric in its worked examples even though the underlying concepts are jurisdiction-neutral.

Adjacent lessons

Section titled “Adjacent lessons”

Topics this lesson connects to in the rest of the track.

  • Lesson 1.2: Your starting point. The immediate next lesson. Takes the three worries you can now name and turns them into the seed of your personal threat model. One paragraph exercise: what am I protecting, and from whom?

  • Phase 3: Threat models in plain language. The phase that formalizes the vocabulary this lesson introduces informally. After Phase 3, you will have a four-category vocabulary for the threats this lesson lumps together as “storage and leak risk” and “vendor lock-in” (vendor retention, training-data inclusion, breach exposure, and government subpoena or bulk surveillance), each with distinct defenses.

  • Phase 4: The five-question vendor rubric. Gives you a ten-minute repeatable check for any AI tool. The rubric operationalizes the three worries (especially the Vendor lock-in worry) into specific questions you can ask every time a new tool enters your workflow.

  • Lesson 6.6: Your complete privacy plan. The final lesson in this track. Returns to the paragraph you write in lesson 1.2 and builds it into a full personal plan. The three worries you named here become the top-level categories of that plan.