A New York court quashed a subpoena seeking a litigant’s ChatGPT history in Assini v. Hayward, holding that AI use does not waive work product protection. The court also pointed to Part 161, New York’s new AI rule that took effect June 1, 2026. Here’s the rundown — and the diligence questions every litigator should ask before putting case material into an AI tool.
When plaintiffs in a business dispute subpoenaed OpenAI for the opposing party’s entire ChatGPT history — every prompt, upload, and output tied to the case — the court quashed the demand. The decision is Assini v. Hayward (Sup. Ct. Nassau County June 4, 2026), and its reasoning addresses a question that the first wave of AI discovery cases has tended to get wrong.
Those cases asked whether a litigant’s conversation with an AI tool is “privileged,” as if the chatbot were a lawyer. The framing of that question mistakes a tool for a person. The better question — the one Assini takes up — is whether sharing work product with an AI tool waives the protection.
What happened in Assini
The pro se defendant moved to quash the OpenAI subpoena, arguing his AI interactions were protected litigation-preparation work. The court agreed and quashed the subpoena. In doing so, Judge Rhonda E. Fischer grappled with two conflicting federal decisions issued weeks apart. She declined to follow United States v. Heppner, No. 1:25-cr-00503 (S.D.N.Y. Feb. 17, 2026), which had found a defendant’s AI chats unprotected, and instead followed Morgan v. V2X, Inc. 1:25-cv-01991 (D. Colo. Mar. 30, 2026), which held that a litigant’s AI use “closely resembles the kind of confidential, strategy-laden iterative work product that Rule 26(b)(3) was designed to protect.” Judge Fischer reaffirmed Morgan’s view that “it is entirely reasonable for a person to expect some privacy and confidentiality when interacting with these tools, even though they understand a third party is behind the tool collecting and storing their information.”
Work product is lost to adversaries, not tools
Work product is material “prepared in anticipation of litigation” and shielded from disclosure absent a showing of “substantial need of the materials in the preparation of the case.” FRCP 26(b)(3); CPLR § 3101(d). Attorney-client privilege can be waived by voluntary disclosure to almost any third party. Work product protection is waived only by disclosure “to an adversary or in a way likely to get in an adversary’s hand.” Warner v. Gilbarco, Inc., No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026). That distinction is material in these cases, where the question is whether routing work product through an AI tool counts as the kind of disclosure that waives the protection.
As Warner held, generative AI programs “are tools, not persons.” Running your analysis through an AI tool does not equate to handing it to your opponent. Absent legal process to compel it, the information is no more likely to reach an adversary than a draft typed in a word processor and backed up to cloud storage. A contrary rule, Warner observed, would “nullify work-product protection in nearly every modern drafting environment, a result no court has endorsed.” Morgan reasoned the same way: that AI providers collect data does not “eliminate all expectations of privacy or automatically waive protections.”
None of this is new to AI. Long before chatbots, courts faced the same question whenever a litigant adopted an unfamiliar technology: whether the tool was used in a way that preserved a reasonable expectation of confidentiality. The point comes through most sharply in the attorney-client context, where protection is actually harder to preserve, because privilege can dissolve the moment a third party is positioned to overhear.
Even there, courts look to the specific tool rather than condemn the category. A recorded prison phone line the speaker knew about was “the functional equivalent of the presence of a third party” and defeated the privilege. United States v. Mejia, 655 F.3d 126 (2d Cir. 2011). A personal, password-protected webmail account used on a company laptop kept attorney-client emails privileged, because the user could still reasonably expect privacy. Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010). Different courts, different jurisdictions, same instinct: what controls is how the tool works and who can see what goes into it, not the novelty of the technology. AI poses that same question.
Why Heppner came out differently
Heppner approached the problem through a different lens. On attorney-client privilege, it found no protection: Claude is not a lawyer, and under a privacy policy permitting data collection and disclosure, the defendant had no reasonable expectation of confidentiality. (Even there, the question is waiver rather than bare exposure to a third party — a point I take up in another post.) On work product, it held that the materials were not protected because the represented defendant had prepared them “on his own volition,” so they were “not 'prepared by or at the behest of counsel.'”
Neither ground reaches the question addressed in Assini: does running work product through an AI tool waive the protection? That turns not on whether a third party could access the material, but on whether the disclosure went to an adversary. An AI provider, absent legal process to compel it, is not a route to the opposing party.
The counterpoint is that Heppner is a criminal case where the government is the adversary, so a privacy policy reserving disclosure to “governmental regulatory authorities” may make disclosure to the adversary more likely. But that is a reason to apply the waiver analysis, not to skip it. Framed that way, the question for any litigant or lawyer is not “is my AI use privileged?” It is: Does my AI use risk waiver?
Morgan’s protective order doubles as a diligence checklist
If waiver is the analysis, what makes a tool safe? Morgan offers a framework to answer this question.
In Morgan, the defendant learned that the pro se plaintiff had been running confidential case information through AI tools and moved both to compel him to identify the tool and to amend the parties’ protective order to govern AI use.
The court held that the plaintiff’s AI interactions were protected work product and not waived (though he had to disclose which tool he had used), and it rewrote the protective order to set the terms on which any AI tool could receive confidential material. Under the amended protective order, neither party was permitted to feed confidential information into an AI tool unless the provider is contractually prohibited from (1) storing or using inputs to train its model, and (2) disclosing inputs to third parties except as essential to deliver the service, and unless the provider lets the user delete that data on request. The court acknowledged that, for now, this effectively rules out most consumer-grade chatbots for confidential material.
But for lawyers weighing AI tools built for legal work, those are exactly the right diligence questions: Does it train on my inputs? Who can it disclose them to? Can I delete them? A tool that answers those questions cleanly is one whose use is unlikely to be treated as disclosure to an adversary. A tool that doesn’t is likely a waiver problem waiting to be litigated.
Waiver isn’t the only concern
While quashing the subpoena, the Assini court warned the pro se defendant that his usage could “frustrate[] the litigation and cannot go unfettered.” The court pointed to 22 NYCRR Part 161, New York’s AI rule effective June 1, 2026, which focuses on accountability: it does not prohibit AI use and does not require disclosure of usage, but it proposes a model rule that requires anyone using an AI tool to “carefully review the paper and independently ensure that it contains no fabricated or fictitious cases, statutes, or other material.” The attorney’s signature certifies that the submission has been reviewed, on pain of sanctions under 22 NYCRR 130-1.1.
That verification duty is virtually impossible to satisfy with a tool that invents citations and asks you to trust them. It is straightforward with a tool whose every proposition links back to the actual opinion, so you can open the case, read the language, and confirm it says what it is cited for before you sign. Part 161 doesn’t ask you to stop using AI; it asks you to vouch for the existence and relevance of your citations. That is a research problem, and its solution is grounded in research tools.
Where Midpage fits
Read together, these decisions describe what a litigation-safe AI tool looks like. Midpage was built to that description.
On verification, every case Midpage surfaces is grounded in the real opinion, with links to the relied-upon passage. Confirming a citation is a click away, not a leap of faith.
On waiver, the conditions Morgan wrote into its amended protective order map onto the questions a tool built for legal work should answer plainly:
· Does it train on your inputs?
· Will it disclose them to anyone beyond what is needed to deliver the service?
· Can you delete them on request?
Midpage answers each question in plain terms: it does not use your inputs to train AI models, it does not disclose them except as necessary to provide the service, and it lets you delete your data on request.
The privilege debate will be resolved by appellate courts and possibly legislatures. But a litigator doesn’t have to wait. The choices that reduce your exposure today are available now: treat AI as a tool, ask the waiver questions before you use one, and keep your output grounded in sources you can verify. See what that looks like in practice.
