Overview
- Microsoft researchers showed that analyzing encrypted packet sizes and timing from token‑streamed replies can let observers infer AI chat topics without breaking TLS.
- Classifiers trained on network metadata topped 98% accuracy in tests and, in simulations, found one sensitive chat among 10,000 with zero false positives in many runs.
- OpenAI, Microsoft/Azure, Mistral, and xAI added obfuscation or padding to streaming, and Microsoft verified Azure’s fix lowers risk to non‑practical levels in current testing.
- Some services, including models from Anthropic, AWS, Google, and DeepSeek, have not rolled out fixes according to Microsoft’s researchers, who report no attacks in the wild but note offline analysis is feasible for saved traffic.
- Experts warn that ISPs, local network snoops, or shared Wi‑Fi peers could attempt the attack, and recommend VPN use, avoiding sensitive topics on untrusted networks, or opting for non‑streaming responses for higher‑risk conversations.