{
  "id": "NP-12-shadow-ai-copy-paste-pii-violations",
  "type": "case-study",
  "title": "Shadow AI and the Copy-Paste Problem: 223 Violations per Month",
  "description": "Employees copy-paste PII into AI chatbots 223 times per month on average. Browser extension and Office add-in intercept PII at the point of paste.",
  "url": "https://anonym.community/anonym.legal/NP-12-shadow-ai-copy-paste-pii-violations.html",
  "product": "anonym.legal",
  "driver": {
    "id": null,
    "name": ""
  },
  "breadcrumbs": [
    {
      "label": "Dashboard",
      "url": "https://anonym.community/../dashboard.html"
    },
    {
      "label": "anonym.legal",
      "url": "https://anonym.community/index.html"
    }
  ],
  "content": {
    "sections": [
      {
        "type": "summary",
        "heading": "Research Source",
        "content": "anonym.community March 2026 crawl\n\nResearch across enterprise environments found an average of 223 PII paste events per organization per month into unsanctioned AI services. Employees copy customer data, employee records, financial figures, and medical information from business applications and paste them into ChatGPT, Claude, Gemini, and other AI services. These services are not approved by IT, are not covered by data processing agreements (DPAs), and may retain conversation data for model training or service improvement."
      },
      {
        "type": "summary",
        "heading": "Executive Summary",
        "content": "Employees paste PII into AI chatbots an average of 223 times per month per organization. These AI services are unsanctioned, lack data processing agreements, and may retain data for training. Because the clipboard operation happens on the endpoint inside an allowed browser session, network-level security controls see only a permitted HTTPS session and not the PII moving through it.\n\nanonym.legal's Chrome Extension and Office Add-in intercept PII at the point of paste, the moment employees transfer data from business systems to AI services."
      },
      {
        "type": "problem",
        "heading": "The Problem: The Copy-Paste Vector",
        "content": "Network-level security controls (firewalls, proxies, CASB) can block access to AI service domains. But blocking AI services outright is increasingly untenable: employees need AI tools for legitimate productivity gains. The copy-paste vector operates within allowed browser sessions. An employee opens a CRM record (authorized), copies a customer's name and email (a clipboard operation on the endpoint, invisible to network controls), switches to a ChatGPT tab (allowed through the CASB), and pastes the data (a local keystroke). By the time the text leaves the device it is an ordinary HTTPS request to an allowed domain; a proxy without TLS interception and AI-specific content inspection sees a permitted session, not the customer record inside it, and nothing at the network layer can tell a pasted CRM record from a typed question.\n\nIrreducible truth: Copy-paste is a user-level data transfer that happens below network security controls and outside the view of any endpoint DLP that does not hook the clipboard. The reliable interception point is the application layer: the browser extension or Office add-in that runs where the paste occurs.",
        "atomicTruth": "Irreducible truth: Copy-paste is a user-level data transfer that happens below network security controls and outside the view of any endpoint DLP that does not hook the clipboard. The reliable interception point is the application layer: the browser extension or Office add-in that runs where the paste occurs."
      },
      {
        "type": "solution",
        "heading": "The Solution: How anonym.legal Addresses This",
        "content": "The anonym.legal Chrome Extension (v1.1.37, Manifest V3) detects PII in AI chat input fields. When a user pastes text containing names, emails, phone numbers, or other PII into ChatGPT or Perplexity, the extension highlights the detected entities and offers one-click anonymization; the anonymized text replaces the pasted content before the user sends the message. Between the paste and that click the original text sits in the page's input field, where the site's own scripts can read it, so the guarantee is that nothing unanonymized is sent, not that the page never sees the paste.\n\nThe Office Add-in (v5.23.25) for Microsoft Word lets users anonymize PII in documents before copying content to an AI service: select text, detect PII, anonymize within Word, then copy the anonymized content to any AI tool. This moves the anonymization step to before the copy rather than after the paste, and because the clipboard never holds the original, the window described above does not exist for this path.\n\nBoth the Chrome Extension and the Office Add-in keep encryption keys in browser-local or Office.js-local storage. Keys never leave the user's device, and anonymization runs client-side: anonym.legal's servers see neither the original PII nor the keys."
      },
      {
        "type": "compliance",
        "heading": "Compliance Mapping",
        "content": "This pain point intersects with GDPR Article 5(1)(f) (integrity and confidentiality), GDPR Article 32 (security of processing), and the requirement for 'appropriate technical and organisational measures'. Network controls alone are insufficient when the data transfer vector operates at the application layer.\n\nanonym.legal's GDPR, HIPAA, PCI-DSS and ISO 27001 compliance coverage, combined with ISO 27001-certified hosting at Hetzner in Germany, provides documented technical measures that organizations can reference in their compliance documentation."
      },
      {
        "type": "specifications",
        "heading": "Product Specifications",
        "specs": {
          "Entity Types": "285+",
          "Detection": "3-layer hybrid: Presidio + NLP + Stance classification",
          "Test Coverage": "100% (419/419 tests)",
          "Languages": "48",
          "Anonymization Methods": "Replace, Redact, Mask, Hash (SHA-256/512), Encrypt (AES-256-GCM)",
          "Platforms": "Web App, Desktop, Office Add-in, Chrome Extension, MCP Server, REST API",
          "Pricing": "Free €0, Basic €3, Pro €15, Business €29",
          "Hosting": "Hetzner Germany, ISO 27001",
          "Compliance": "GDPR, HIPAA, PCI-DSS, ISO 27001"
        }
      }
    ]
  },
  "relatedLinks": [
    {
      "label": "NP-01: Browser-Level PII Anonymization for AI Chat",
      "url": "NP-01-browser-pii-anonymization-chrome-extension-ai-chat.html"
    },
    {
      "label": "NP-02: Discord E2EE Text Gap: PII Anonymization",
      "url": "NP-02-discord-e2ee-text-gap-pii-anonymization.html"
    },
    {
      "label": "NP-04: Securing MCP Servers for PII Processing",
      "url": "NP-04-mcp-server-security-pii-processing.html"
    },
    {
      "label": "NP-05: Anonymize Code Context Before AI Processing",
      "url": "NP-05-cursor-ide-privacy-mode-anonymize-code-context.html"
    },
    {
      "label": "NP-08: Blocking vs. Anonymization: Nightfall DLP",
      "url": "NP-08-blocking-vs-anonymization-nightfall-dlp.html"
    },
    {
      "label": "NP-10: Reversible Encryption for LLM Workflows",
      "url": "NP-10-reversible-encryption-llm-workflows-production.html"
    },
    {
      "label": "anonymize.solutions Case Studies",
      "url": "../anonymize.solutions/index.html"
    },
    {
      "label": "cloak.business Case Studies",
      "url": "../cloak.business/index.html"
    },
    {
      "label": "anonym.plus Case Studies",
      "url": "../anonym.plus/index.html"
    },
    {
      "label": "Back to anonym.legal Index",
      "url": "index.html"
    },
    {
      "label": "Structural Analysis",
      "url": "../structural-analysis.html"
    },
    {
      "label": "Dashboard",
      "url": "../dashboard.html"
    },
    {
      "label": "Solution Finder",
      "url": "../solution-finder.html"
    },
    {
      "label": "Coverage Matrix",
      "url": "../comparison.html"
    },
    {
      "label": "PII Scanner",
      "url": "../scanner.html"
    }
  ],
  "metadata": {
    "lastModified": "2026-03-14"
  }
}
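The paste interception described in the problem and solution sections above, as an added example that is not anonym.legal's extension code: a Manifest V3 content-script style handler that reads the clipboard text on paste, runs regex detectors (email, phone, and payment card numbers gated by a Luhn check so that order numbers and other digit runs are not flagged), replaces each hit with a consistent placeholder, and cancels the original paste so the page's input field only ever receives the anonymized text. The detector patterns, the placeholder format, the `VAULT` map, the `insertText` fallback and the sample CRM record are assumptions constructed for this example; a real deployment would restrict the script to the AI chat domains via the manifest's `matches` field and cover far more entity types than the three shown here.

```javascript
// Added example (not anonym.legal's code): Manifest V3 content-script style
// paste interceptor. Detects PII in the pasted text, swaps it for consistent
// placeholders and cancels the original paste, so the page's input field (and
// the AI service behind it) only ever receives the anonymized text.

// Luhn check: separates real card numbers from order IDs and other digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let n = digits.charCodeAt(i) - 48;
    if (double) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Detectors in priority order; a later detector never overrides an earlier hit.
// The regexes are illustrative assumptions, not the extension's 285+ entity set.
const DETECTORS = [
  { type: 'EMAIL', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, check: () => true },
  { type: 'CARD', re: /\b(?:\d[ -]?){12,18}\d\b/g,
    check: (s) => luhnValid(s.replace(/\D/g, '')) },
  { type: 'PHONE', re: /\+?\d[\d\s().-]{8,}\d/g,
    check: (s) => { const d = s.replace(/\D/g, '').length; return d >= 10 && d <= 15; } },
];

// Returns non-overlapping hits sorted by position: { type, value, start, end }.
function detectPII(text) {
  const hits = [];
  for (const { type, re, check } of DETECTORS) {
    for (const m of text.matchAll(re)) {
      const start = m.index;
      const end = start + m[0].length;
      if (!check(m[0])) continue;
      if (hits.some((h) => start < h.end && end > h.start)) continue;
      hits.push({ type, value: m[0], start, end });
    }
  }
  return hits.sort((a, b) => a.start - b.start);
}

// The vault maps "TYPE:original" -> placeholder and stays in the content script
// (device-local): the same value always gets the same token, and the user can
// re-identify the model's answer without the original ever leaving the machine.
function placeholderFor(hit, vault) {
  const key = `${hit.type}:${hit.value}`;
  if (!vault.has(key)) {
    const n = [...vault.keys()].filter((k) => k.startsWith(hit.type + ':')).length + 1;
    vault.set(key, `[${hit.type}_${n}]`);
  }
  return vault.get(key);
}

function anonymize(text, vault = new Map()) {
  const hits = detectPII(text);
  let out = '';
  let last = 0;
  for (const h of hits) {
    out += text.slice(last, h.start) + placeholderFor(h, vault);
    last = h.end;
  }
  return { text: out + text.slice(last), hits, vault };
}

// execCommand keeps framework-managed inputs (React etc.) in sync with the DOM;
// assigning .value directly would desynchronize them. The fallback (an assumption
// for this example) serves plain textareas and environments without a DOM.
function insertText(target, text) {
  if (typeof document !== 'undefined' && document.execCommand) {
    document.execCommand('insertText', false, text);
    return;
  }
  const s = target.selectionStart ?? target.value.length;
  const e = target.selectionEnd ?? s;
  target.value = target.value.slice(0, s) + text + target.value.slice(e);
}

const VAULT = new Map();

// Paste handler: returns the text that actually reaches the input field.
function handlePaste(event) {
  const raw = event.clipboardData.getData('text/plain');
  const { text, hits } = anonymize(raw, VAULT);
  if (hits.length === 0) return raw;  // nothing sensitive: let the browser paste normally
  event.preventDefault();             // the original never reaches the page
  insertText(event.target, text);
  return text;
}

// Capture-phase listener on document runs before the site's own paste handlers;
// in the extension, the manifest's "matches" restricts this to AI chat domains.
if (typeof document !== 'undefined') {
  document.addEventListener('paste', (e) => {
    if (e.target && e.target.closest('textarea, [contenteditable="true"]')) handlePaste(e);
  }, true);
}

// Constructed sample CRM record (not real data).
const SAMPLE = 'Customer Jane Roe <jane.roe@example.com>, phone +49 30 1234567, ' +
               'card 4111 1111 1111 1111, order #100200300.';

if (typeof document === 'undefined') console.log(anonymize(SAMPLE).text);
```

Run under Node it prints the anonymized record; loaded as a content script it attaches the capture-phase listener instead. The `[TYPE_n]` placeholders are the page's "Replace" method in its simplest form: because the vault never leaves the device, the mapping can be applied in reverse to the model's reply, which is the reversible workflow the NP-10 case study covers in more depth.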