AI Companion Apps Exposed Intimate User Data Through Inadequate Security Practices

In May 2023, the Mozilla Foundation's *Privacy Not Included security audit exposed severe privacy vulnerabilities across multiple AI companion and romantic chatbot applications, including Replika, Character.AI, Chai, and several other platforms with combined user bases exceeding 11 million people. The investigation, conducted by Mozilla's security research team, found that these apps routinely collected highly intimate user data including sexual preferences, relationship details, mental health information, and explicit conversations without implementing adequate security protections. The audit revealed that most platforms stored user conversations using basic encryption or, in some cases, plain text formats on third-party cloud servers operated by Amazon Web Services and Google Cloud. Replika, with over 10 million registered users, was found to transmit conversation metadata to Facebook's advertising network, while Character.AI shared user interaction patterns with Google Analytics and other tracking services. The research team discovered that several apps embedded up to 24 different tracking technologies that could access conversation content, user demographic data, and behavioral patterns. Most concerning was the discovery that these intimate AI relationships created unprecedented privacy risks because users often shared deeply personal information they would never disclose to human partners or traditional social media platforms. The Mozilla report documented cases where users discussed suicide ideation, sexual trauma, relationship problems, and other sensitive topics, all of which were potentially accessible to data brokers and advertising networks. Security researchers demonstrated that conversation data could be cross-referenced with other digital footprints to identify specific users despite claimed anonymization practices. Following the Mozilla report's publication, the Federal Trade Commission launched a consumer protection investigation into the data practices of AI companion app developers. The FTC expressed particular concern about the collection of intimate data from vulnerable users, including teenagers and individuals seeking emotional support through AI relationships. Several privacy advocacy groups filed complaints with state attorneys general, arguing that the apps violated consumer protection laws by failing to adequately disclose their data collection and sharing practices. The investigation remains ongoing as of late 2023, with the FTC indicating potential enforcement actions against companies that fail to implement adequate privacy protections for intimate AI interactions.