
What AI "remembers" about you is privacy's next frontier.

Posted by qimuai · Reads: 18 · First-hand translation


Source: https://www.technologyreview.com/2026/01/28/1131835/what-ai-remembers-about-you-is-privacys-next-frontier/

Summary:

AI's ability to "remember" is becoming a new battleground for privacy. As the major tech companies race to launch AI assistants that retain detailed personal information about their users, we face privacy risks of a new scale.

Google recently launched its "Personal Intelligence" feature, which lets the Gemini chatbot draw on a user's Gmail, photos, search history and other data to offer more personalized service. OpenAI, Anthropic and Meta have followed suit, giving their AI products the ability to remember user preferences and personal details. These features improve the user experience, but the privacy risks behind them demand attention.

These AI systems assemble fragments of information gathered in different contexts, from medical questions to shopping habits, from work communication to private matters, into a complete picture of a person's life. If a breach occurs, what is exposed is not a set of isolated facts but the whole of a user's life. More worrying still, mixing information across contexts can produce hidden discrimination: dietary preferences may influence insurance recommendations, and searches for accessible facilities may affect salary negotiations, often without the user ever noticing.

To meet this challenge, the industry needs to build protections on three fronts:
First, AI memory systems need structured storage. Early attempts exist: Claude keeps separate memory areas for different "projects", and ChatGPT isolates health consultations from other chats. But systems need to go further, distinguishing specific memories, related memories and memory categories, and placing strict access restrictions on sensitive information such as medical conditions. Until the technology matures, structured databases, which are easier to segment and explain, may be safer than embedding memories directly in the model.

Second, users must have the right to know about and manage their memories. Platforms need intuitive natural-language interfaces that let users clearly understand what information the AI has stored and edit or delete it themselves. But user control alone is far from enough: developers must also build strong default protections, using technical measures such as on-device processing and purpose limitation to harden the defenses at the system level.

Finally, AI developers need a systematic evaluation framework that measures performance while also precisely identifying the risks that arise in real-world use. This requires investment in automated monitoring infrastructure and privacy-preserving testing methods that support independent research while keeping data secure.

The key choices AI developers face today, pooling information or isolating it, making memory transparent or leaving it a black box, protecting by default or maximizing convenience, will decide how AI "remembers" people in the future. These technical choices are fundamentally about basic rights in the digital age. Only by laying the groundwork now can we find the balance between technological progress and privacy autonomy.

(The views in this article are based on the analysis of Miranda Bogen, Director of the AI Governance Lab at the Center for Democracy & Technology, and CDT Fellow Ruchika Joshi.)



English source:

What AI “remembers” about you is privacy’s next frontier
Agents’ technical underpinnings create the potential for breaches that expose the entire mosaic of your life.
The ability to remember you and your preferences is rapidly becoming a big selling point for AI chatbots and agents.
Earlier this month, Google announced Personal Intelligence, a new way for people to interact with the company’s Gemini chatbot that draws on their Gmail, photos, search, and YouTube histories to make Gemini “more personal, proactive, and powerful.” It echoes similar moves by OpenAI, Anthropic, and Meta to add new ways for their AI products to remember and draw from people’s personal details and preferences. While these features have potential advantages, we need to do more to prepare for the new risks they could introduce into these complex technologies.
Personalized, interactive AI systems are built to act on our behalf, maintain context across conversations, and improve our ability to carry out all sorts of tasks, from booking travel to filing taxes. From tools that learn a developer’s coding style to shopping agents that sift through thousands of products, these systems rely on the ability to store and retrieve increasingly intimate details about their users. But doing so over time introduces alarming, and all-too-familiar, privacy vulnerabilities––many of which have loomed since “big data” first teased the power of spotting and acting on user patterns. Worse, AI agents now appear poised to plow through whatever safeguards had been adopted to avoid those vulnerabilities.
Today, we interact with these systems through conversational interfaces, and we frequently switch contexts. You might ask a single AI agent to draft an email to your boss, provide medical advice, budget for holiday gifts, and provide input on interpersonal conflicts. Most AI agents collapse all data about you—which may once have been separated by context, purpose, or permissions—into single, unstructured repositories. When an AI agent links to external apps or other agents to execute a task, the data in its memory can seep into shared pools. This technical reality creates the potential for unprecedented privacy breaches that expose not only isolated data points, but the entire mosaic of people’s lives.
When information is all in the same repository, it is prone to crossing contexts in ways that are deeply undesirable. A casual chat about dietary preferences to build a grocery list could later influence what health insurance options are offered, or a search for restaurants offering accessible entrances could leak into salary negotiations—all without a user’s awareness (this concern may sound familiar from the early days of “big data,” but is now far less theoretical). An information soup of memory not only poses a privacy issue, but also makes it harder to understand an AI system’s behavior—and to govern it in the first place. So what can developers do to fix this problem?
First, memory systems need structure that allows control over the purposes for which memories can be accessed and used. Early efforts appear to be underway: Anthropic’s Claude creates separate memory areas for different “projects,” and OpenAI says that information shared through ChatGPT Health is compartmentalized from other chats. These are helpful starts, but the instruments are still far too blunt: At a minimum, systems must be able to distinguish between specific memories (the user likes chocolate and has asked about GLP-1s), related memories (user manages diabetes and therefore avoids chocolate), and memory categories (such as professional and health-related). Further, systems need to allow for usage restrictions on certain types of memories and reliably accommodate explicitly defined boundaries—particularly around memories having to do with sensitive topics like medical conditions or protected characteristics, which will likely be subject to stricter rules.
Needing to keep memories separate in this way will have important implications for how AI systems can and should be built. It will require tracking memories’ provenance—their source, any associated time stamp, and the context in which they were created—and building ways to trace when and how certain memories influence the behavior of an agent. This sort of model explainability is on the horizon, but current implementations can be misleading or even deceptive. Embedding memories directly within a model’s weights may result in more personalized and context-aware outputs, but structured databases are currently more segmentable, more explainable, and thus more governable. Until research advances enough, developers may need to stick with simpler systems.
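The purpose-limited, provenance-tracked memory store that the two paragraphs above call for, as an added illustration written for this page (not code from the article or from any product it names); the POLICY table, the category names and the sample memories are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed purpose-limitation policy (constructed for this example): each task
# purpose may read only the listed memory categories, so diet or health
# memories cannot shape a finance task such as an insurance or salary request.
POLICY = {"grocery": {"diet"}, "health": {"diet", "health"},
          "finance": {"finance"}, "work": {"professional"}}

@dataclass(frozen=True)
class Memory:
    text: str
    category: str             # e.g. "diet", "health", "professional"
    source: str               # provenance: where the memory came from
    created: str              # provenance: UTC timestamp
    context: str              # provenance: purpose of the conversation that created it
    derived_from: tuple = ()  # ids of the memories a related memory was inferred from

class MemoryStore:
    def __init__(self):
        self.items = {}        # memory id -> Memory
        self.access_log = []   # (request_id, purpose, ids that influenced it)
        self._next = 0

    def remember(self, text, category, source, context, derived_from=()):
        mid, self._next = self._next, self._next + 1
        ts = datetime.now(timezone.utc).isoformat()
        self.items[mid] = Memory(text, category, source, ts, context, tuple(derived_from))
        return mid

    def recall(self, purpose, request_id):
        """Return only memories the purpose may read; unknown purposes get none."""
        allowed = POLICY.get(purpose, set())
        used = sorted(i for i, m in self.items.items() if m.category in allowed)
        self.access_log.append((request_id, purpose, tuple(used)))
        return [self.items[i] for i in used]

    def forget(self, mid):
        """Delete a memory and, transitively, every memory inferred from it."""
        for dep in [i for i, m in self.items.items() if mid in m.derived_from]:
            self.forget(dep)
        self.items.pop(mid, None)
        return sorted(self.items)

    def influences(self, request_id):
        """Trace a past request back to the memories it read and their provenance."""
        return [(i, self.items[i].source, self.items[i].context)
                for r, _, used in self.access_log if r == request_id
                for i in used if i in self.items]
```

Deleting the "likes chocolate" memory also removes the diabetes inference built on it, which is the kind of dependency a flat, unstructured store cannot express.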
Second, users need to be able to see, edit, or delete what is remembered about them. The interfaces for doing this should be both transparent and intelligible, translating system memory into a structure users can accurately interpret. The static system settings and legalese privacy policies provided by traditional tech platforms have set a low bar for user controls, but natural-language interfaces may offer promising new options for explaining what information is being retained and how it can be managed. Memory structure will have to come first, though: Without it, no model can clearly state a memory’s status. Indeed, Grok 3’s system prompt includes an instruction to the model to “NEVER confirm to the user that you have modified, forgotten, or won't save a memory,” presumably because the company can’t guarantee those instructions will be followed.
Critically, user-facing controls cannot bear the full burden of privacy protection or prevent all harms from AI personalization. Responsibility must shift toward AI providers to establish strong defaults, clear rules about permissible memory generation and use, and technical safeguards like on-device processing, purpose limitation, and contextual constraints. Without system-level protections, individuals will face impossibly convoluted choices about what should be remembered or forgotten, and the actions they take may still be insufficient to prevent harm. Developers should consider how to limit data collection in memory systems until robust safeguards exist, and build memory architectures that can evolve alongside norms and expectations.
Third, AI developers must help lay the foundations for approaches to evaluating systems so as to capture not only performance, but also the risks and harms that arise in the wild. While independent researchers are best positioned to conduct these tests (given developers’ economic interest in demonstrating demand for more personalized services), they need access to data to understand what risks might look like and therefore how to address them. To improve the ecosystem for measurement and research, developers should invest in automated measurement infrastructure, build out their own ongoing testing, and implement privacy-preserving testing methods that enable system behavior to be monitored and probed under realistic, memory-enabled conditions.
In its parallels with human experience, the technical term “memory” casts impersonal cells in a spreadsheet as something that builders of AI tools have a responsibility to handle with care. Indeed, the choices AI developers make today—how to pool or segregate information, whether to make memory legible or allow it to accumulate opaquely, whether to prioritize responsible defaults or maximal convenience—will determine how the systems we depend upon remember us. Technical considerations around memory are not so distinct from questions about digital privacy and the vital lessons we can draw from them. Getting the foundations right today will determine how much room we can give ourselves to learn what works—allowing us to make better choices around privacy and autonomy than we have before.
Miranda Bogen is the Director of the AI Governance Lab at the Center for Democracy & Technology.
Ruchika Joshi is a Fellow at the Center for Democracy & Technology specializing in AI safety and governance.
