Hackers can read private AI assistant chats even though the traffic is encrypted. Because this comes from researchers rather than malicious actors, it makes for a fun example. The method exploits a quirk in how large language models stream their replies: tokens are sent one at a time, and the size of each encrypted packet tracks the length of the text that token carries. So the token for "sorry" is going to be a little bigger, taking up a little more data than a token for just an exclamation point. The researchers trained their own large language model to guess the likely words from the sequence of differently sized packets. Once that model could accurately predict the opening sentence, they trained a second model that used the first sentence as context to reconstruct the rest. They used LLMs to fight LLMs. So how good was this method? The models matched specific words only 29% of the time. However, they could accurately guess the topic of the conversation 55% of the time.
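To make the leak concrete, here's a minimal Python sketch of what an eavesdropper on the wire would see, assuming one token per encrypted packet and a fixed header overhead. The tokenizer and the byte counts are toy stand-ins, not the researchers' actual setup:

```python
import re

# A minimal sketch of the token-length side channel, not the researchers' code.
# Assumptions: the assistant streams one token per encrypted packet, and the
# ciphertext length tracks the plaintext length -- the quirk the attack exploits.
# toy_tokenize and HEADER_OVERHEAD are hypothetical stand-ins.

HEADER_OVERHEAD = 5  # pretend fixed per-packet overhead, in bytes


def toy_tokenize(text: str) -> list[str]:
    """Stand-in tokenizer: words and punctuation marks. Real assistants use
    subword tokenizers (e.g., BPE), but the length leak works the same way."""
    return re.findall(r"\w+|[^\w\s]", text)


def observed_packet_sizes(response: str) -> list[int]:
    """What a network eavesdropper sees: one size per streamed token."""
    return [len(tok.encode("utf-8")) + HEADER_OVERHEAD
            for tok in toy_tokenize(response)]


sizes = observed_packet_sizes("Sorry, I can't help with that!")
print(sizes)  # [10, 6, 6, 8, 6, 6, 9, 9, 9, 6] -- 'Sorry' leaks as the biggest packet
```

Encryption hides what each token says, but not how big it is, and that sequence of sizes is exactly the signal the researchers' first model was trained to decode.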