Guardrails for Everyday Chat Helpers: What a UK Survey Reveals About Security and Privacy Risks with Conversational Agents
If you’ve chatted with a chatbot lately, you’re not alone. In just a few years, AI-powered conversational agents (CAs) have exploded from novelty to daily toolkits for work and life. They help you draft emails, pull up codes, brainstorm ideas, and even read your calendar. But with convenience comes a hidden side: real, everyday security and privacy risks that pop up when real people use these tools in the real world. A UK-wide study from 2024 takes a closer look at how people actually interact with CAs—and how those behaviors could open doors to mischief, leaks, or worse. Here’s what the research found, explained in plain language, with practical ideas you can actually use.
Introduction: Why this topic matters
Big language models and multimodal models (the “brains” behind chatbots) can be incredibly useful—sometimes even life-saving for developers, researchers, and everyday users. They can write code, summarize long documents, or help plan a trip. But they also carry security and privacy vulnerabilities. Tiny missteps by users—like uploading a sensitive file or revealing a password in a chat—can unintentionally create openings for attackers or for model training data to leak back out later.
This study is special because it’s not just about whether people like chatbots or find them useful. It’s about what people actually do with them in the wild, in real homes and real offices. The researchers surveyed a representative sample of 3,270 UK adults in 2024, focusing on those who used CAs at least weekly. They then looked at three key risk areas: insecure inputs, jailbreak-like behaviors, and sharing or exposing sensitive data.
What counts as a “risk” in this study?
- Insecure inputs: When a user shares content that isn’t their own or feeds a CA with information that could help someone misuse the system (for example, documents or websites that the CA then repeats or acts on). This is the classic “prompt injection” idea where the wrong kind of input could ripple into other programs or data.
- Program access: When a CA is given access to other programs (like your calendar, email, or coding editor). If a chat tool can poke at your calendar or open documents, a misstep could expose more than you intended.
- Privacy behaviors: Whether users redact or alter inputs to avoid exposing sensitive data, and whether they know that their data can be used to train models or be opted out of that training.
Key takeaways from the study (in plain language)
- People are using CAs a lot, but many aren’t fully aware of privacy tricks and risks baked into the tools they’re using. About one in three UK adults used CAs at least weekly.
- Lots of risky inputs are happening in real life. Roughly 35% of users who shared content did so with information that wasn’t created by them (non-self-created content). That includes text, documents, or images from the internet.
- A notable minority give CAs access to other programs. About 16% of leisure users and 24% of work users granted access to at least one program (like calendars or email), and some gave access in both contexts.
- Jailbreak-ish behavior is common. Around 28% of participants said they had tried to nudge the CA to output something it initially refused, for reasons like entertainment, curiosity, or information seeking. This is not just a niche thing; it’s fairly widespread.
- Privacy awareness is uneven. Most users don’t know that their inputs can be used to train models, and many aren’t sure they can opt out. A large chunk isn’t sure about data usage policies, and a majority doesn’t know how or if they can opt out of training data usage.
- Work contexts tend to be riskier than leisure contexts. People in work settings were more likely to share non-self-created content and give program access, and to edit inputs for privacy more often in work than in leisure time.
- Predicting who will take these risks is hard. Even with a large sample and many demographic factors, the researchers didn’t find reliable predictors that make it easy to single out “who will” engage in high-risk behaviors.
Let’s break down the findings in digestible parts.
1) Insecure inputs: sharing content that isn’t their own
- What happened: In both work and leisure settings, a substantial share of users uploaded or pasted content that wasn’t created by them. This could be text, documents, or images.
- The numbers (approximate):
- Work: around 40% shared non-self-created content (out of those who loaded content into the CA).
- Leisure: around 35% did so.
- In both contexts, about half the time the shared content was non-self-created.
- Why it matters: If you feed a CA a document or a link that isn’t yours, anything that the AI sees or stores could be exposed to the wrong people, or the model could be trained on that content if the provider uses inputs to improve the model. If that content is sensitive, the risk compounds, especially if the CA can then act on that data or share it with other programs.
2) Program access: letting CAs reach into other tools
- What happened: Users granted CAs access to other programs, like calendars, emails, or coding editors.
- The numbers:
- Work: about 24% gave access to at least one program.
- Leisure: about 16% did so.
- A notable subset did this in both contexts.
- Why it matters: If a CA can read your calendar or open your email, any mistakes could reveal private information or lead to accidental data exposure. And if a malicious input could trigger the CA to perform actions in those programs, the risk is even bigger.
3) Jailbreaking and exploring capabilities
- What happened: Jailbreaking, in the study’s terms, means trying to get the CA to output something it refused to do. People reported experimenting for entertainment, boundary-pushing, or to obtain desired information.
- The numbers:
- About 28% of participants reported attempting jailbreaks.
- Motivations were roughly evenly split among entertainment, boundary exploration, and information seeking.
- Why it matters: Jailbreak-like behaviors aren’t just academic concerns—they’re happening in everyday use. They raise practical questions about guardrails, model safety, and whether the benefit of flexibility outweighs the risk of exposing sensitive data or enabling misuses.
4) Privacy awareness and data usage: what users know (or don’t know)
- What happened: A big chunk of users didn’t know that their data could be used to train models, and many were unsure whether they could opt out.
- The numbers:
- About 54% did not know their data could be used to improve a model.
- Roughly 76% were unsure whether they could opt out of that training.
- Why it matters: If users don’t know, they can’t make informed decisions about what they share. This information asymmetry between providers and users makes it easy to inadvertently share sensitive data or to assume privacy protections that aren’t in place.
5) Work vs. leisure: context matters
- The study found several context-specific patterns:
- Work users were more likely to share non-self-created content and to grant program access than leisure users.
- People tended to edit inputs for privacy more often at work than in their free time.
- Takeaway: If you’re using a CA in a professional setting, treat it as part of your security posture. Guardrails, policies, and training matter more in professional environments.
6) Predicting who takes risks: a tough nut to crack
- Even with a large, varied sample and several features (tech savviness, early usage, concerns about privacy), the researchers didn’t find strong, reliable predictors for who will engage in these risky behaviors. Some differences appeared (e.g., more male users reported jailbreaks, or certain patterns with early vs. late adopters), but nothing that could reliably forecast risk in a practical way.
- Practical sense takeaway: Relying on demographics alone to decide who should use CAs (or how to monitor their usage) isn’t enough. You need universal guardrails and user education, not just targeted policies.
Implications: what this means for people, companies, and policymakers
- For individuals:
- Be cautious about what you share. If a document or password-like information isn’t yours, don’t feed it to a CA. Redact sensitive data where possible, and consider whether you really need to upload files or give program access.
- Remember that data used in training can be extracted later. If you care about privacy, ask questions about how your data is used and whether you can opt out.
- Treat jailbreaking as a signal to review safeguards. Curiosity is normal, but if you’re hitting refusal messages, step back and assess what information you’re trying to obtain and whether the context is appropriate.
- For workplaces and organizations:
- Implement guardrails and policies that limit exposure. If CAs can access calendars, emails, or other sensitive apps, you’ll want strict “need-to-know” controls and robust monitoring.
- Educate employees. Clear guidance on what not to share, how to redact inputs, and how data can be used for training can reduce risky behavior.
- Use a layered approach to security. Combine user education with technical controls (prompt sanitization, data minimization, and explicit opt-out options) and with vendor transparency about how data is used.
- For CA vendors and policymakers:
- Increase transparency about data usage and training. Default settings should be privacy-preserving, with easy-to-find opt-out options.
- Build stronger guardrails into products, especially for enterprise editions. If a CA is connected to critical apps, it should operate under stricter security constraints.
- Invest in UX that makes privacy choices obvious. Warnings, clear explanations, and simple controls can empower users to make safer choices without slowing down productive work.
Practical tips you can apply right away
- Before you share, ask: Is this something I’d be comfortable storing in a shared drive or sending to a coworker? If not, don’t paste it.
- When possible, work with redacted content. If you must discuss a document, summarize what you need instead of uploading the whole file.
- Be mindful of what your CA can access. If you don’t need it to connect to calendars or emails, keep those connections off.
- Check the data usage policy and opt-out options. If you’re using a consumer CA, look for privacy settings that specify whether your inputs can be used to train models and whether you can opt out.
- In a workplace, advocate for clear guidelines: what kinds of data can be shared with CAs, which programs can be accessed, and how incidents should be reported.
- Practice a “privacy-first” workflow: draft prompts that achieve your goal without revealing sensitive details; use anonymized or synthetic data for testing and brainstorming.
- If you’re curious about jailbreaking, channel that curiosity into a controlled testing environment (e.g., in a sandbox or with test accounts) where you’re not exposing real data or access to critical systems.
Limitations and what the study can (and cannot) tell us
- The study provides a descriptive snapshot from mid-2024 and focuses on UK adults who use CAs at least weekly. It captures what people report doing, not necessarily all hidden or unconscious behaviors.
- Self-report data can be influenced by memory biases or social desirability. The anonymous design helps, but it can’t capture every nuance of real-world behavior.
- The research highlights that there’s a wide risk surface, but it doesn’t claim that all those risks are actively exploited in the wild. It’s about potential risk surfaces, not a tally of actual breaches.
Conclusion: a call for proactive guardrails and better information
The big takeaway is simple: conversational agents are now a common part of how we work and live. That ubiquity comes with a hidden layer of risk that isn’t going away simply because the technology is impressive. The study’s findings suggest three priorities:
- Build and deploy guardrails that reduce the risk of insecure inputs and unintended data exposure.
- Increase transparency and user education about data usage and opt-out options.
- Tailor organizational policies to ensure that work-related CA use follows secure practices, especially when CAs have access to sensitive programs or data.
If you’re building, using, or governing CA-enabled tools, treat this as a reminder to put security and privacy at the design and usage level, not as an afterthought. The aim isn’t to stifle curiosity or innovation, but to keep the benefits of conversational agents intact while minimizing the potential harms.
Key Takeaways
- Everyday risk exists: A sizable portion of regular CA users share non-self-created content and grant program access, both of which can open security and privacy gaps.
- Jailbreaking is common but nuanced: About a quarter to a third of users attempt to coax CAs into outputs they were refused, highlighting a tension between exploration and safety.
- Privacy awareness is uneven: Many users don’t know their data can be used to train models or how to opt out, creating information gaps that could lead to careless sharing.
- Work context matters: Professional use tends to involve more risky behaviors (more data sharing, more program access) than personal use.
- Stronger guardrails are needed: Vendors should improve transparency and default privacy protections, while organizations should implement policies and training to reduce risk.
- Practical steps you can take: Be mindful of what you upload, limit what you connect to, seek clear privacy options, and push for education and governance around CA usage in your settings.
If you want to get better at prompting while staying on the safe side, start with a privacy-first mindset: assume that anything you paste into a CA could be seen by someone else or used to train a model, and design prompts that achieve your goal with the least sensitive data possible. That small shift can go a long way toward making your conversations with chatbots productive and safe.
