← Back to Blog

US vs. Heppner Ruled That Cloud AI Destroys Attorney-Client Privilege

By Marvin Hansen
securityprivacylegalattorney-client-privilegecompliance

On February 17, 2026, Judge Jed S. Rakoff of the Southern District of New York issued a memorandum (copy) holding that a defendant’s conversations with a generative AI platform are not protected by the attorney-client privilege nor the work product doctrine. Rakoff himself noted that the ruling “appears to answer a question of first impression nationwide” [S1, p. 2]. Because the case has been decided, an attorney who knows about this ruling needs to advise clients correctly on AI tool selection to protect privileged communication.

The Defendant Privilege Theory

In United States v. Heppner, the defendant, Bradley Heppner, was charged with fraud and later indicted. The central argument of Rakoff’s memorandum gravitates around the question of whether a client’s conversations with a generative AI platform are protected under the attorney-client privilege.

Heppner had created approximately thirty-one documents in conversation with Claude AI after he learned he was the target of a federal investigation. The FBI seized these and other documents from his computer via search warrant. Heppner argued on three points that these documents would fall under the attorney-client privilege because:

  • he had inputted information he learned from counsel,

  • he created the documents for the purpose of speaking with counsel, and

  • he had subsequently shared them with counsel.

Heppner’s privilege theory [S1, pp. 3-4] was a carefully crafted three-layer argument that had plausibility because the work product was indeed shared with his attorney.

The Metadata Trail

The AI Documents are only one piece of the evidentiary picture. The government’s burden in a fraud case is to establish what Heppner knew, when he knew it, and what he deliberately concealed or altered. Electronic devices are the primary evidence source because of the metadata trail in each file that shows when a document was created, when it was last opened and edited, and by whom.

The AI Documents themselves carry metadata — creation timestamps, file-system artifacts, device identifiers — that reconstruct the sequence of the defendant’s conduct. Any identified discrepancy between the metadata trail and the defendant’s official statement gives the prosecution more leverage. For that, the prosecution does not need the content in isolation; it needs the exact context and sequence of events to substantiate the case, and for that the metadata trail becomes invaluable.

Moreover, the usage of metadata is the same mechanism that some governments have used against human rights defenders, as I explain in “The Silent Record That Speaks the Loudest” [S8]. In that piece, I detail the risk exposure for media professionals and human rights defenders that arises from technology vendors retaining metadata on their servers.

In US vs. Heppner, the metadata exposure arises from a defendant’s own device. A different source, but the mechanism of using metadata to reconstruct a behavioral profile is similar. The metadata corroborates the defendant’s claims and helps the prosecution analyze the defendant’s argument. While the metadata were relevant for the criminal aspect of the case, Heppner’s privilege theory was rejected by Judge Rakoff for different reasons:

  • Claude AI is not an attorney.
  • Anthropic’s Privacy Policy does not cover confidentiality.
  • Heppner’s counsel did not direct the use of Claude AI.

Ground One: Claude Ai Is Not an Attorney

The court’s first holding is disarmingly simple: the attorney-client privilege protects communications between a client and an attorney. Claude is not an attorney and consequently the privilege does not apply. Rakoff relied on In re OpenAI, Inc.: “the discussion of legal issues between two non-attorneys is not protected by attorney-client privilege.” [S1, p. 5; S3] Furthermore, Claude itself told the Government, when asked, that it is “not a lawyer and can’t provide formal legal advice.” [S1, p. 8]

Ground Two: The Privacy Policy Excludes Confidentiality

The decisive holding — one that equally applies to any other cloud product on the market — is that Heppner could not have had a reasonable expectation of confidentiality because Anthropic’s privacy policy said so. The policy provides that Anthropic “collects data on both users’ ‘inputs’ and Claude’s ‘outputs,’ that it uses such data to ‘train’ Claude.”

Furthermore, the policy explicitly states that Anthropic reserves the right to disclose such data to a host of “third parties,” including “governmental regulatory authorities” [S1, p. 6]. The policy “puts Claude’s users on notice that Anthropic, even in the absence of a subpoena, may ‘disclose personal data to third parties in connection with claims, disputes, or litigation’” [S1, p. 6].

Importantly, even if the information Heppner input was originally privileged, “he waived the privilege by sharing that information with Claude and Anthropic, just as if he had shared it with any other third party” [S1, p. 8, n.3]. Judge Rakoff refutes Heppner’s third claim directly: non-privileged material is not, in Rakoff’s own words, “somehow alchemically changed into privileged ones” upon being shared with counsel [S1, p. 8].

The Rakoff ruling turned on a genuinely contested and novel question: does using a cloud AI platform, under a privacy policy permitting government disclosure, destroy the reasonable expectation of confidentiality required for privilege to attach? Rakoff decided that it does, because Anthropic’s privacy policy plainly states it will share data with law enforcement and government regardless of being legally compelled to do so.

Ground Three: Not Directed by Counsel

The work product doctrine failed for a different reason: legal counsel did not direct Heppner to create the AI documents.

The work product doctrine protects materials “prepared by or at the behest of counsel in anticipation of litigation” [S1, p. 9]. Heppner’s counsel conceded on the record that counsel “did not direct [Heppner] to run Claude searches” [S1, pp. 4, 7, 12]. That means the documents “were prepared by the defendant on his own volition” [S1, p. 10], which does not fall under the work product doctrine. Rakoff explicitly disagreed with Shih rather than distinguishing it: the Second Circuit has “repeatedly stressed that the purpose of the doctrine is to protect lawyers’ mental processes,” not client volitional note-taking [S1, p. 11].

Heppner’s three-layer argument had a fundamental flaw: all three layers assumed confidentiality existed in the first place. The moment it became clear that Anthropic’s privacy policy permitted government disclosure, the entire premise of the argument collapsed.

The Question Left Open

Rakoff settled the question of whether a client’s communication with an AI falls under attorney-client privilege in principle. He left no doubt that it does not. However, Rakoff left the agent-of-counsel theory from Kovel and Adlman open because he deemed it not applicable to the Heppner case.

Under Kovel, an accountant who assists an attorney in providing legal advice can fall within the privilege [S1, p. 7; S5]. Under Adlman, materials prepared by non-attorneys acting at counsel’s direction can qualify for work product protection [S1, p. 11; S5].

Rakoff did not address either theory since Heppner’s facts did not present the question: his counsel had not directed the use of Claude AI [S1, p. 7]. The question Rakoff did not answer is therefore: whether counsel-directed use of an AI tool that does not disclose any data to third parties could qualify for privilege protection.

The work product doctrine’s requirements are well-established. Materials prepared at the behest of counsel in anticipation of litigation are protected. The only reason Heppner lost on work product was the factual finding that counsel did not direct the use. The reasonable expectation of confidentiality as a prerequisite for attorney-client privilege is equally well-established. The reason Heppner lost on privilege is that the privacy policy of the tool he used explicitly excluded confidentiality. For an offline tool that generates no transmission event, neither factual predicate applies. The Rakoff analysis does not reach such a tool — not because of a different legal theory, but because the facts that defeated both privilege and work product are structurally absent.

Adjacent Challenges of Cloud AI

Every ground on which Rakoff denied privilege traces back to a structural fact about cloud AI: the user’s data leaves the device, reaches a third party, and is governed by that third party’s terms, systems, and operational security practices that may fail for any reason. Data breaches and leaks happen more often than the industry admits in public. In 2026, following the ruling, multiple data leaks occurred within a single week:

  • An Anthropic npm source-code leak exposed approximately 512,000 lines of internal TypeScript, including system-prompt architectures.
  • A LiteLLM supply-chain attack harvested credentials resulted in four terabytes of data loss.
  • Approximately 3.7 million AI chat logs were left publicly exposed in a misconfigured storage bucket [S9].

Each of these incidents occurred after Heppner was decided. These failures are not exceptional. They are the normal operational risk profile of cloud infrastructure. Rakoff identified the policy risk. These incidents illustrate the infrastructure risk. They are independent failure modes, not variations of the same one. For any legal practitioner, the combination makes the usage of cloud-based AI a fundamental risk with established consequences.

Implications

Rakoff did not rule on offline versus online AI. He ruled on when privilege applies and when it does not. The open question left depends fundamentally on whether the tool usage was directed by counsel and whether the tool itself provides a genuine expectation of confidentiality. The reasonable expectation of confidentiality, as decided in US vs. Heppner, cannot be upheld for cloud AI because online cloud providers architecturally fail the basic confidentiality test: their legal mandate to cooperate with law enforcement directly undermines the confidentiality premise underlying privileged communication.

Tool selection for privileged communication now has a clear decision framework. The tool usage must be directed by counsel to fulfill the premise of privilege. The tool must provide a genuine rather than contractual expectation of confidentiality. And the tool must not transmit any data to a third party. Attorneys routinely advise clients on communication discipline: what to put in email, what to commit to writing, what never to say outside a privileged setting. Directing AI tool selection is a newer instance of the same exercise.

Limitations of the Ruling

Despite the clarity of the ruling, two limitations need to be made explicit.

US vs. Heppner is a Southern District of New York decision. It is persuasive, given Rakoff’s reputation, but it is not binding outside that circuit.

Physical seizure of electronic devices remains a vulnerability no legal argument can solve. The FBI seized the documents from Heppner’s home under a valid search warrant. An offline tool protects against disclosure through a vendor’s privacy policy. It does not protect against physical seizure of the hardware on which it runs.

Practical Recommendations

Most attorneys dictating notes today are doing one of two things. They are speaking into a traditional voice recorder and handing the tape to a secretary. Or they are using a voice-to-text feature on their phone, tablet, or laptop without realizing that the audio is being transmitted to a remote server the moment they stop speaking.

The second category is the one that warrants attention after Heppner.

AI-powered voice dictation has quietly displaced traditional recorders across professional workflows over the past several years. The transcription arrives as searchable, editable text within seconds. No tape. No manual transcription step. The convenience is real. So is the risk. Every major voice dictation application in widespread professional use today, including the built-in dictation features on Apple and Android devices, sends audio to cloud servers for processing. Those servers are operated by third-party vendors. Those vendors have privacy policies. Those privacy policies, as Rakoff found decisive in Heppner, permit disclosure to government and law enforcement.

The attorney who would never forward a privileged memo to an unknown third party may be doing the functional equivalent every time a client dictates case notes into their phone.

The practical question is not whether AI voice dictation is useful for legal work. It is where the audio goes after the attorney stops speaking.

An offline AI voice dictation tool answers that question differently. The audio is processed entirely on the device. No data transmission occurs. No third-party server receives the audio. No privacy policy governs what happens to it, because nothing leaves the hardware.

After Heppner, the recommended practice has three steps. First, counsel should direct clients explicitly on which AI tools are and are not appropriate for case-related work; that direction is itself a prerequisite for work product protection under Kovel and Adlman. Second, the tool selected must provide a genuine rather than contractual expectation of confidentiality, because a privacy policy promising not to share data is not the same as an architecture that makes sharing structurally impossible. Third, counsel should document the direction given, since the factual gap that cost Heppner both privilege and work product protection was the absence of any record that counsel had directed the use.

Air Gap Voice is built on the offline-first architecture this practice requires. It runs entirely on Apple Silicon hardware, uses no network connection at any point in the workflow, and generates no metadata record of the session. Every security claim is independently verifiable by your IT team using standard macOS tools documented in the publicly available Enterprise Security Evaluation Guide, without vendor cooperation or vendor access to your device. Air Gap Voice is available for macOS, iPhone, and iPad. Visit airgapvoice.com to learn more and obtain a free trial.

Disclaimer & Disclosure

This article was prepared for general informational purposes only and does not constitute legal advice. The author is not a licensed attorney and nothing in this article should be relied upon as a substitute for advice from a qualified legal professional familiar with the specific facts and jurisdiction. Readers with questions about the implications of United States v. Heppner or related privilege issues should consult licensed legal counsel.

The author is the founder of AirGap Voice, a software solution for the Apple ecosystem that provides secure, fully local voice dictation for sensitive professional workflows.

Sources

← Back to Blog
Designed for mission critical security