Using AI safely as a journalist: Stand-alone AI tools

With artificial intelligence seemingly integrated into everything these days, the stakes around using it can feel really high. And while there are very real concerns about the potential for AI’s broader societal impacts, the simple fact that something is — or uses — artificial intelligence doesn’t inherently make it insecure. As with other technological concepts, it is the specifics of the AI system or tools you’re using, and the context in which they are being deployed, that will determine whether any privacy and security risks outweigh the benefits.

To help journalists better understand these risks and set boundaries around which AI systems and tools make sense to use, adjust, or avoid, we’ve put together a series of guides on the most common ways in which you, and your sensitive data, are likely to interact with AI.

First up: stand-alone AI tools.

The simplest way many journalists leverage AI is by submitting data directly to an AI model for processing, typically through a stand-alone website or app. For example, they turn to ChatGPT or Claude to brainstorm interview questions, help with the first draft of an article, or summarize large documents. Or they rely on an AI transcription tool like Otter.ai to quickly generate an interview transcript.

For the sake of reference, we’ll refer to these as stand-alone AI tools.

Similar to most services out there, stand-alone AI tools are typically cloud-based and don’t use end-to-end encryption. The service provider may access the data you submit. It may also be compelled to share it in response to a valid request.

Keep in mind that you may be sharing with the service provider not just content (e.g., written prompts or audio files), but a large amount of metadata, such as your account information, device ID, IP address, and the date/time of submission.

So if you do use these sorts of tools, don’t share or upload any data that you wouldn’t want the service provider to see (or hear), or that you wouldn’t want potentially exposed to other entities via legal demands or data breaches.

Submitting data to these systems also often means that your content is used to further train the underlying AI model. For generative AI tools in particular, this presents a risk that the tool could accidentally expose (or be tricked by an attacker into exposing) content — including prompts and chat histories — that’s been previously used to train the system.

This type of reverse-prompting attack is not something we’ve seen happen meaningfully in the real world. However, there is little an average user can do to remove data from an AI model once it’s been “learned.” So it’s worth keeping highly sensitive information (such as identifying information about a source who would need to remain private indefinitely, or off-the-record conversations) out of publicly accessible generative AI models entirely — even if you trust the service provider.

At the very least, adjust the settings, if possible, so that your inputs are not used to further train the model.

If you are looking to use generative AI capabilities but would like to reduce these risks, consider trying an AI tool with end-to-end encryption, such as Confer.to, or alternatively, a tool that works offline and locally on your device, like the open source GPT4All or Ollama.

Using an end-to-end encrypted service or running models locally on your own device requires a bit more setup and technical know-how, but you control your prompts and your data.

On top of these data privacy risks, conversational AI systems are also susceptible to prompt injection attacks. Prompt injection is a type of attack in which a website, message, or other piece of data that an AI system comes across is maliciously crafted to trick the AI into taking an undesired action.

The good news is that the impact of prompt injections against most stand-alone AI tools is relatively well contained, thanks to improved security standards and because these tools are not designed to take autonomous actions or connect to external systems. With that said, prompt injection attacks against a stand-alone chatbot could lead to malicious results, such as spewing misinformation or directing users to phishing links instead of legitimate sites. So always be sure to carefully examine content, links, and any suggested actions recommended by a stand-alone AI tool.

To read more about prompt injection attacks and other AI risks, take a look at the other pieces in our series, focusing on AI enhancements to existing tools, and AI agents and operating system integrations.