This week, Google announced that Gemini would power features across 3 billion Android devices. The same system was surfacing strangers' phone numbers.
This is the paradox at the heart of Google's AI ambitions. Gemini now handles keyboard suggestions, mouse interactions, and search across the entire Android ecosystem. It is, by any measure, a remarkable expansion of AI capability. It is also a remarkable expansion of what can go wrong.
In mid-March, Daniel Abraham, a 28-year-old software engineer in Israel, received a WhatsApp message from an unknown number. The sender was looking for customer support from a company Abraham had never worked for. Google's AI had mistakenly included his personal number in fabricated service instructions. He was not the only one.
A Reddit user reported that for approximately one month, their phone had been flooded with calls from strangers seeking a lawyer, a product designer, a locksmith. All had been directed by a Google chatbot. In April, a PhD candidate at the University of Washington discovered Gemini could generate a colleague's personal cell number on command.
Google attributes these failures partly to training data containing personally identifiable information. That explanation is technically plausible but practically hollow. A system deployed to 3 billion devices cannot cite training methodology as an excuse when it hands out real phone numbers to strangers. The privacy protection must live in the product itself, not in promises about where the data came from.
DeleteMe, a privacy service that removes personal information from the internet, reports a 400% increase in AI-related inquiries over the past seven months. Of those concerns, 20% specifically mention Gemini. Customers report two distinct failure modes: chatbots accurately surfacing information users never intended to share, and chatbots generating plausible-but-wrong contact details that real people must then contend with.
"The customer may be confronted with and report the exposure of someone else's personal data," says Rob Shavell, DeleteMe's cofounder and CEO. "Or the chatbot generates plausible-but-wrong contact information." Either way, the victim has no recourse.
What makes this particularly troubling is that Google's AI integration is accelerating. Gemini now lives inside the keyboard, suggesting completions as users type. It powers smart features on Android mice. This week, Google announced capabilities that Apple had originally planned for iOS—suggesting competitive pressure is pushing both companies to embed AI deeper into their ecosystems faster than privacy safeguards can follow.
The fundamental conflict is not incidental. Google's AI convenience depends on access to personal data—phone numbers, message patterns, location signals, usage habits. That same access is what creates the attack surface for exposure. There is no version of Gemini that reads your messages to offer helpful suggestions and also guarantees those messages never surface elsewhere. The product is the vulnerability.
Users can delete their browser history. They can opt out of certain tracking features. They cannot easily opt out of a system integrated into the operating system of 3 billion phones. The privacy exposure from Gemini is not a bug that can be patched. It is a consequence of the product working exactly as designed.