When You Upload, What Have You Disclosed? AI, Confidentiality and the Embedded Document

Latest PostWhen You Upload, What Have You Disclosed? AI, Confidentiality and the Embedded Document

By Dr Peter Fields, Barrister, The Barrister Group

A barrister’s guide to what actually happens when a confidential document meets an AI tool, and why the answer should change how we read Munir.

A sentence in a recent Upper Tribunal judgment ought to cause every practitioner to pause for thought. In Munir v Secretary of State for the Home Department [2026] UKUT 81 (IAC), the Tribunal observed that uploading confidential documents into an open-source AI tool “is to place this information on the internet in the public domain, and thus to breach client confidentiality and waive legal privilege”. If that is right, much of what now happens quietly in chambers and solicitors’ offices is a daily haemorrhage of privilege.

So is it right?

The proposition rests on a factual premise about how the technology behaves. I want to do three things here: explain in plain terms what an AI tool does with a document when uploaded; sort the arguments against the Munir proposition into those that fail and those that hold; and end with a rule of thumb that is defensible and easy to apply.

What AI actually does

Start with the thing most lawyers get wrong: when you paste a witness statement into a chatbot, the model does not store it. It keeps no copy in any form a person could open and read. What it does is convert your text into numbers.

The process runs in stages using layers of applications including machine learning, natural language processing, large-language models, and Retrieval-Augmented Generation. First the text is broken into “tokens”, fragments roughly the size of a syllable or short word. Each token is then turned into a long list of numbers, a “vector”, which encodes not the letters but the ‘meaning’ as the position of that fragment in a vast space of learned associations. A document becomes a great many of these vectors. These are called “embeddings” as the document has been embedded into a numerical space where proximity represents similarity of meaning.

The key point is that the original text is not what sits in the system. What sits there, if anything, is geometry. Your client’s letter has become a constellation of coordinates.

That sounds reassuring and founds the most popular argument for saying uploading is not disclosure. This is that you cannot open a vector and read it, so nothing has been disclosed. Unfortunately, this does not survive contact with the evidence.

The arguments that fail

The “it is not human-readable” point fails for the same reason that handing your opponent an encrypted hard drive, with the password, would not preserve confidentiality. Disclosure has never required that the recipient read the material with the naked eye. It asks whether confidential information has passed out of your control to a third party. Opacity to a human reader is beside the point if the information can be recovered… and it can.

The process is called “embedding inversion” and, since its origins in 2023, researchers at Cornell have reconstructed text from its embedding vectors with no access to the original document and, in the most recent work, no access even to the model that produced them. Given only a database of vectors, their method recovered sensitive content from corporate emails and medical records: names, dates, financial details, the subject matter. The reconstructions were not always word-perfect. They did not need to be. When an independent model was asked whether the recovered text leaked information from the original, the answer was yes for the large majority of documents, in some cases over eighty per cent.

Unfortunately, the comforting picture, vectors as a kind of one-way shredding, is false. A vector is closer to a photograph taken in poor light: imperfect, but often enough to identify the subject. The “it is encrypted” and “it cannot be read” arguments should be retired. A barrister who runs them risks correction by the other side’s expert, and looking naive in the process.

A second tempting argument also fails. It is said that even if uploaded documents feed back into training, an individual document dissolves into a model trained on billions of others and can never be retrieved. As a description of training, that is broadly fair, but it answers a question nobody is asking. The disclosure that matters happens at the moment of upload, when the material leaves your control and enters a third party’s hands on that party’s terms. What the provider later does in training is a separate problem; the privilege point bites earlier.

The arguments that hold

If those are the losing arguments, what are the winning ones? They are quieter, and they do not claim that uploading is never disclosure. They say something narrower: whether uploading amounts to disclosure depends on where the document goes and on what terms, and that is precisely the distinction the courts themselves are drawing.

Reading the actual passage in Munir, the observation is obiter in the fullest sense. The case was about hallucinated citations and the supervision of junior fee-earners; the Tribunal said as much, calling the matter “principally about supervision”. No party argued the confidentiality point. No evidence was given on how the technology works. The Tribunal simply “observe[d]” the consequence in passing. A bare assertion about a technical matter, unargued and unsupported by evidence, is the most fragile kind of dictum there is and the High Court is not bound by it. That has not stopped it travelling with the BSB’s 2026 guidance and the Law Society’s material on generative AI both citing the warning. This is precisely why getting the premise right matters.

The Tribunal then drew its own line. Closed-source tools, it said, “which do not place information in the public domain, such as Microsoft Copilot, are available for tasks such as summarising without these risks”. So Munir does not hold that AI use waives privilege. It holds that placing information in the public domain waives privilege, and it assumes, without deciding, that open consumer tools do so while closed enterprise tools do not. The whole battleground is the factual question of whether a given tool places your material in the public domain. That is a question about the tool’s architecture but, more importantly, the contractual terms.

The American courts reached the topic earlier from another direction. In United States v Heppner, decided in February 2026, Judge Rakoff held that a criminal defendant’s exchanges with a consumer AI platform were not privileged. The defendant had used the tool on his own initiative, not at his lawyer’s direction, and that fact sank two of the court’s three grounds. Both turned on whether an attorney-client relationship existed, a doctrine that does not map neatly onto English law. The middle ground is the one that extends to English law. The communications were not confidential, the court reasoned, because the platform’s own privacy policy told users it collected their inputs and reserved the right to disclose them to third parties. The decisive fact was not that the technology is opaque, nor that vectors might one day be inverted. It was that the user had consented to onward disclosure. Confidentiality was lost at the level of the contract, not the code.

That is the key that unlocks the whole problem. Both Munir and Heppner, for all their differences, fix on the same thing: has the user agreed to let a third party see, keep, or reuse the material? Where the answer is yes, confidentiality is hard to maintain, and the inversion research sharpens the point by showing that whoever later acquires the vectors can recover the gist. Where the answer is no, the analysis runs the other way.

Consider what a properly closed deployment looks like, and resist the tempting shorthand that the data simply stays put. It does not. Take Microsoft Copilot, the very tool the Tribunal blessed. The model still runs on cloud infrastructure outside the firm’s own systems, and the prompt and document are processed there rather than on a machine the firm controls. The document leaves the building.

What distinguishes Copilot from the public chatbot is therefore not isolation but contract. The enterprise terms bar the provider from retaining the data, from training on it, and from exposing it to human review. Processing under binding confidentiality is not disclosure. The residual risk remains that an attacker breaches the system and steals the vectors, but that is the ordinary risk of cloud storage we already accept. The law has never treated vulnerability to theft as waiver.

The inversion research, properly understood, supports rather than undermines this distinction. Its attacks assume either query access to the model or a compromised vector database. Strip those assumptions away, as a closed deployment does, and the attack has nothing to work with. The science explains exactly why the open and closed cases differ, and why the line the courts are feeling towards is a principled one.

This matters more than it might appear, and it exposes something uncomfortable. The Tribunal commended Copilot as a tool that does not place information in the public domain, yet every time it is used the firm’s document is processed on infrastructure the firm does not control. The observation was not wrong, but it was right by accident: the protection lies in contractual terms the Tribunal did not examine, not in the architectural confinement it seems to have assumed.

One cannot help wondering whether the bench, and the regulators now drafting guidance in its wake, fully grasp what these tools are doing beneath the bonnet. The distinctions that decide privilege are technical and contractual, and not always visible to those asked to draw them. The concern is that a doctrine built on assumptions about the technology will be only as sound as the assumptions, and here at least one was shaky.

A rule a barrister can actually use

Where does this leave the practitioner who wants to use these tools, as increasingly we all must, without exposing the client? Not with the comfortable conclusion that AI use is harmless, nor the panicked one that it is fatal. Disclosure turns on the terms, and the terms are usually knowable. The single most useful question to ask of any tool, before a confidential document goes near it, is this: does the provider reserve the right to let a human see my data, whether to train its models, to review for safety, or to share with others?

If the answer is yes, as it is for the free, public versions of the best-known chatbots, then Munir and Heppner both bite, the privacy policy is doing the damage, and confidential material should stay out. Deleting the thread afterwards does not rescue you: waiver is permanent. If the answer is no, because you are within a closed, contractually ring-fenced environment in which no human review and no training is permitted, then the disclosure analysis falls away and the residual risk is no greater than the ubiquitous cloud storage we already accept.

The dividing line, in short, is not “AI” against “no AI”. It is “a tool that is permitted to show your document to a human” against “a tool that may not”. Read that way, Munir is less alarming than it appears. It is, if anything, a signpost to a workable rule: by all means upload, but never to a tool that reserves the right to disclose your client’s confidence to someone else.

___________________________________________________________________________________

About Peter Fields:

Peter is a civil practitioner specialising in complex technical and commercial disputes. In addition to being a practising barrister, he holds a PhD in chemical engineering, has a degree in psychology, and has 30 years of business experience. Peter has built and programmed computers since long before Windows existed and was a very early AI adopter. He started building his own AI tools in January 2023 and holds a National Archives licence to process judgments downloaded from the Find Case Law archives using AI. He codes his own Python script to routinely extract and analyse the 78,000 judgments currently held on the archive.

 

He is also co-author of: “A Practical Guide to Effective Dispute Resolution: Methods and Clauses”, Sweet & Maxwell, 23 Sept. 2024

 

 

 

 

Check out our other content

Most Popular Articles