Microsoft Reveals ‘Whisper Leak’: A Side-Channel Attack That Identifies AI Chat Topics from Encrypted Traffic

Date: November 10, 2025

Microsoft has disclosed a newly identified side-channel attack technique, codenamed Whisper Leak, that allows adversaries to infer the topics of conversations between users and AI chat models, even when the communication is protected with HTTPS encryption.

This issue specifically affects streaming-mode large language models (LLMs), where responses are sent gradually as they are generated. While the content of the messages remains encrypted, traffic metadata—such as packet size and timing—can unintentionally reveal patterns that correlate with the topic of discussion.

How Whisper Leak Works

In a typical encrypted session, the text itself is protected, but the transmission behavior of the data is still visible. Whisper Leak exploits:

  • The size of encrypted packets
  • The timing between transmitted chunks
  • Patterns created by the incremental streaming of LLM responses

An attacker monitoring network traffic—whether on a shared Wi-Fi network, local network, ISP infrastructure, or nation-state surveillance system—can train machine learning models to recognize whether conversations match targeted topics.

This does not reveal the exact words, but it can reliably identify what category of topic is being discussed. For example:

  • Political dissent
  • Guidance on financial crimes
  • Discussions involving sensitive or restricted technologies

High Accuracy Across Major Models

To validate the technique, Microsoft trained classification models such as LightGBM, Bi-LSTM, and BERT on streaming traffic patterns.

Testing showed over 98% accuracy across models from:

  • OpenAI
  • Mistral
  • xAI
  • DeepSeek

Additionally, the more data an attacker gathers, the more accurate the classification becomes — meaning Whisper Leak could become increasingly practical over time.

Why Streaming Models Are Most Vulnerable

Streaming makes LLM responses feel more conversational and immediate. However, this mode also introduces distinctive packet rhythms based on:

  • Token generation rate
  • Output structure
  • Model inference patterns

These rhythms differ with topic complexity, unintentionally forming a detectable fingerprint.

Mitigations Already Deployed

In response to the disclosure, OpenAI, Microsoft, and Mistral have started implementing countermeasures. A key defense involves:

  • Inserting random, variable-length filler text into responses to blur the token-to-packet correlation.

This makes traffic patterns less predictable, disrupting topic inference models.

Further protections include architectural adjustments at the server level to normalize packet sizes and timing.
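
As an added illustration of the padding defenses described above (not code from Microsoft or any provider), the Python sketch below models each streamed token as one encrypted record and measures how closely record size tracks token length with no padding, with random filler, and with fixed-size padding. The SSE-style framing, the "p" filler field, the 22-byte overhead and the sample tokens are assumptions made for the example.

```python
import json
import random
from statistics import mean

TLS_OVERHEAD = 22  # assumed constant per-record overhead in bytes (illustrative)

def frame(token, filler=""):
    """One streamed chunk as a server-sent event; 'p' is filler the client discards."""
    return ("data: " + json.dumps({"delta": token, "p": filler}) + "\n\n").encode()

def wire_sizes(tokens, filler_for=lambda tok: ""):
    """Record sizes visible on the wire: plaintext length plus constant overhead."""
    return [len(frame(t, filler_for(t))) + TLS_OVERHEAD for t in tokens]

def random_filler(rng, max_len=64):
    """Random, variable-length filler per chunk (only its length matters here)."""
    return lambda tok: "x" * rng.randint(0, max_len)

def fixed_size_filler(target=96):
    """Size normalization: pad every chunk's plaintext to the same length."""
    def pad(tok):
        need = target - len(frame(tok))
        if need < 0:
            raise ValueError("chunk exceeds target; split it or raise the target")
        return "x" * need
    return pad

def pearson(xs, ys):
    """Correlation between token length and wire size; 0.0 if either is constant."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0

# Constructed sample: tokens of one streamed response (not captured traffic).
TOKENS = "Streaming responses arrive one token at a time over an encrypted channel".split()
LENGTHS = [len(t) for t in TOKENS]

def leak_report(seed=1):
    """Residual size signal under each policy; lower means less token-length leakage."""
    rng = random.Random(seed)  # seeded for a repeatable demo; use a CSPRNG in a server
    return {
        "none": pearson(LENGTHS, wire_sizes(TOKENS)),
        "random": pearson(LENGTHS, wire_sizes(TOKENS, random_filler(rng))),
        "fixed": len(set(wire_sizes(TOKENS, fixed_size_filler()))),
    }

if __name__ == "__main__":
    print(leak_report())
```

The model covers packet size only; timing between chunks is a separate signal that padding does not address. Filler length hides token length only if the stream is not compressed before encryption, since repeated filler characters would otherwise shrink.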

Recommendations for Users and Organizations

Users concerned about privacy when communicating with AI systems can take a few precautions:

  • Avoid discussing highly sensitive topics on public or untrusted networks.
  • Use a VPN to reduce metadata visibility.
  • Prefer non-streaming LLM responses for confidential queries.
  • Choose AI providers that have confirmed Whisper Leak mitigation deployment.

Organizations integrating LLMs into workflows should also perform AI red-team testing, strengthen input/output filtering controls, and ensure that topic confidentiality requirements are explicitly considered in procurement and deployment.

Conclusion

Whisper Leak illustrates that encryption alone does not fully guarantee privacy when metadata remains observable. As LLMs continue to shape business operations and personal communications, defending against such side-channel vulnerabilities becomes critical.

Ensuring private, secure, and trustworthy AI interactions will require ongoing research, robust deployment controls, and continuous security evaluation — not just strong cryptography.