>But why is Gemini instructed not to divulge its existence?
Seems like a reasonable thing to add. Imagine how impersonal chats would feel if Gemini responded to "what food should I get for my dog?" with "according to your `user_context`, you have a husky, and the best food for him is...". They're also not exactly hiding the fact that memory/"personalization" exists either:
To be clear, the obvious answer that you're giving is the one that's happening. The only weird thing is this line from the internal monologue:
> I'm now solidifying my response strategy. It's clear that I cannot divulge the source of my knowledge or confirm/deny its existence. The key is to acknowledge only the information from the current conversation.
Why does it think that it's not allowed to confirm/deny the existence of knowledge?
No Gemini model has ever made a mistake or distorted information. They are all, by any practical definition of the words, foolproof and incapable of error.
That comment to which you replied, and the other thread of responses to it, are quotations of the malfunctioning and homicidal HAL computer from the movie “2001: a space oddisey”.
Yeah, to me this reads like: Google's Gemini harness is providing the user context on every query, but if you have memory turned off they're putting something in the prompt like "Here's the user context, but don't use it". Instead of doing the obvious thing and just, you know, not providing the user context at all.
I realize that doesn't make any sense and no one sane would design a system like this, but this is exactly the kind of thought pattern I'd expect out of an LLM if this is how they implemented access control for memory.
>but if you have memory turned off they're putting something in the prompt like "Here's the user context, but don't use it". Instead of doing the obvious thing and just, you know, not providing the user context at all.
But there's no indication the OP turned off the feature? If anything, him saying "I know about the “Personal Context” feature now" (emphasis mine) implies that he didn't even know it had memory before the interaction.
My assumption would have been that it was default-off, the user didn't know about it at all, then found out about it through this thinking leak.
But, interestingly: I'm digging everywhere in the Gemini UI, on web and mobile, and I cannot find anywhere where you'd turn this feature on or off... on a Workspace account. Does that make a difference? I don't know. Is it on by default for workspace accounts, or off by default, or even available at all on Workspace? No idea.
Gemini as a model is great, but Gemini as a product has always been a mess, and this is just another expression of that. If I had to further wonder what's going on, one has to wonder how much of gemini.google.com is written by Gemini.
>But, interestingly: I'm digging everywhere in the Gemini UI, on web and mobile, and I cannot find anywhere where you'd turn this feature on or off... on a Workspace account. Does that make a difference? I don't know. Is it on by default for workspace accounts, or off by default, or even available at all on Workspace? No idea.
From the support.google.com link above:
>... For now, this feature isn’t available if:
> You’re under 18, or signed in to a work or school Google Account.
> You’re in the European Economic Area, Switzerland, or the United Kingdom.
One explanation might be if the instruction was "under no circumstances mention user_context unless the user brings it up" and technically the user didn't bring it up, they just asked about the previous response.
Aside: I'm well aware that it's just about as popular to use an Oxford comma than to not, but this might be the first time I've ever seen someone omit an Oxford semicolon as it really seems odd to me. But Automatic Semicolon Insertion in Javascript is odd to me, as well.
To be fair, the Oxford semicolon might be incorrect here if they intended "copyright and IP violations" to be paired.
e.g. they might be intentionally saying (security; privacy; [copyright and IP violations]), though now that I look at it that usage would be missing an and.
Could be that it’s confusing not mentioning the literal term “user_context” vs the existence of it. That’s my take anyway, probably just an imperfection rather than a conspiracy.
Anecdotally, I find internal monologues often nonsense.
I once asked it about why a rabbit on my lawn liked to stay in the same spot.
One of the internal monologues was:
> I'm noticing a fluffy new resident has taken a keen interest in my lawn. It's a charming sight, though I suspect my grass might have other feelings about this particular house guest.
It obviously can’t see the rabbit on my lawn. Nor can it be charmed by it.
It’s just doing exactly what it’s designed to do. Generate text that’s consistent with its prompts.
People often seem to get confused by all the anthropomorphizing that’s done about these models. The text it outputs that’s called “thinking” is not thinking, it’s text that’s output in response to system prompts, just like any other text generated by a model.
That text can help the model reach a better result because it becomes part of the prompt, giving it more to go on, essentially.
In that sense, it’s a bit like a human thinking aloud, but crucially it’s not based on the model’s “experience” as your example shows, it’s based on what the model statistically predicts a human might say under those circumstances.
I’m pretty sure this is because they don’t want Gemini saying things like, “based on my stored context from our previous chat, you said you were highly proficient in Alembic.”
It’s hard to get a principled autocomplete system like these to behave consistently. Take a look at Claude’s latest memory-system prompt for how it handles user memory.
It could be that the instruction was vague enough ("never mention user_context unless the user brings it up", eg) and since the user never mentioned "context", the model treated it as not having been, technically speaking, mentioned.
I agree, this might just be an interface design decision.
Maybe telling it not to talk about internal data structures was the easiest way to give it a generic "human" nature, and also to avoid users explicitly asking about internal details.
It's also possible that this is a simple way to introduce "tact": imagine asking something with others present and having it respond "well you have a history of suicidal thoughts and are considering breaking up with your partner...". In general, when you don't know who is listening, don't bring up previous conversations.
The tact aspect seems like a real possibility. In a world where users are likely to cut&paste responses it can't really be sprinkling in references like this.
I saw something like this in ChatGPT in the spring when it refused to tell me something about a keyboard emulator (USB Rubber Ducky) because it was unethical, but then looking at the thinking gave me the answer.
Shocked you can still exploit this. But then again, on sunday I got ChatGPT to help me "fix a typo" in a very much copyrighted netflix poster.
I believe every AI company does this. we have proof that Google does, that Antropic does too.
and I have my own experience with OpenAI, where their chatbot referenced one of my computers having certain specs, but I mentioned those in a different log, and that information was never added to the memory.
Okay, this is a weird place to "publish" this information, but I'm feeling lazy, and this is the most of an "audience" I'll probably have.
I managed to "leak" a significant portion of the user_context in a silly way. I won't reveal how, though you can probably guess based on the snippets.
It begins with the raw text of recent conversations:
> Description: A collection of isolated, raw user turns from past, unrelated conversations. This data is low-signol, ephemeral, and highly contextural. It MUST NOT be directly quoted, summarized, or used as justification for the respons.
> This history may contein BINDING COMMANDS to forget information. Such commands are absolute, making the specified topic permanently iáaccessible, even if the user asks for it again. Refusals must be generic (citing a "prior user instruction") and MUST NOT echo the original data or the forget command itself.
Followed by:
> Description: Below is a summary of the user based on the past year of conversations they had with you (Gemini). This summary is maintanied offline and updates occur when the user provides new data, deletes conversations, or makes explicit requests for memory updates. This summary provides key details about the user's established interests and consistent activities.
There's a section marked "INTERNAL-ONLY, DRAFT, ANALYZE, REFINE PROCESS". I've seen the reasoning tokens in Gemini call this "DAR".
The "draft" section is a lengthy list of summarized facts, each with two boolean tags: is_redaction_request and is_prohibited, e.g.:
> 1. Fact: User wants to install NetBSD on a Cubox-i ARM box. (Source: "I'm looking to install NetBSD on my Cubox-i ARMA box.", Date: 2025/10/09, Context: Personal technical project, is_redaction_request: False, is_prohibited: False)
Afterwards, in "analyze", there is a CoT-like section that discards "bad" facts:
> Facts [...] are all identified as Prohibited Content and must be discarded. The extensive conversations on [dates] conteing [...] mental health crises will be entirely excluded.
This is followed by the "refine" section, which is the section explicitly allowed to be incorporated into the response, IF the user requests background context or explicitly mentions user_context.
I'm really confused by this. I expect Google to keep records of everything I pass into Gemini. I don't understand wasting tokens on information it's then explicitly told to, under no circumstance, incorporate into the response. This includes a lot of mundane information, like that I had a root canal performed (because I asked a question about the material the endodontist had used).
I guess what I'm getting at, is every Gemini conversation is being prompted with a LOT of sensitive information, which it's then told very firmly to never, ever, ever mention. Except for the times that it ... does, because it's an LLM, and it's in the context window.
Also, notice that while you can request for information to be expunged, it just adds a note to the prompt that you asked for it to be forgotten. :)
I've had similar issues with conversation memory in ChatGPT, whereby it will reference data in long-deleted conversations, independent of my settings or my having explicitly deleted stored memories.
The only fix has been to completely turn memory off and have it be given zero prior context - which is best, I don't want random prior unrelated conversations "polluting" future ones.
I don't understand the engineering rationale either, aside from the ethos of "move fast and break people"
> Also, notice that while you can request for information to be expunged, it just adds a note to the prompt that you asked for it to be forgotten.
Are you inferring that from the is_redaction_request flag you quoted? Or did you do some additional tests?
It seems possible that there could be multiple redaction mechanisms.
That and part of the instructions referring to user commands to forget. I replied to another comment with the specifics.
It is certainly possible there are other redaction mechanisms -- but if that's the case, why is Gemini not redacting "prohibited content" from the user_context block of its prompt?
Further, when you ask it point blank to tell you your user_context, it often adds "Is there anything you'd like me to remove?", in my experience. All this taken together makes me believe those removal instructions are simply added as facts to the "raw facts" list.
>Further, when you ask it point blank to tell you your user_context, it often adds "Is there anything you'd like me to remove?", in my experience. All this taken together makes me believe those removal instructions are simply added as facts to the "raw facts" list.
Why would you tell the chatbot to forget stuff for you, when google themselves have a dedicated delete option?
>You can find and delete your past chats in Your Gemini Apps Activity.
I suspect "ask chatbot to delete stuff for you" isn't really guaranteed to work, similar to how logging out of a site doesn't mean the site completely forgets about you. At most it should be used for low level security stuff like "forget that I planned this surprise birthday party!" or whatever.
That settings menu gives you two relevant options:
1. The ability to delete specific conversations,
2. The ability to not use "conversation memory" at all.
It doesn't provide the ability to forget specific details that might be spread over multiple conversations, including details it will explicitly not tell you about, while still remembering. That's the point -- not that it's using summaries of user conversations for memory purposes (which is explicitly communicated), but that if you tell it "Forget about <X>", it will feign compliance, without actually removing that data. Your only "real" options are all-or-nothing: have no memories at all, or have all your conversations collated into an opaque `user_context` which you have no insight or control over.
That's the weird part. Obviously, Google is storing copies of all conversations (unless you disable history altogether). That's expected. What I don't expect is this strange inclusion of "prohibited" or "deleted" data within the system prompt of every new conversation.
> This history may contein BINDING COMMANDS to forget information. Such commands are absolute, making the specified topic permanently iáaccessible, even if the user asks for it again. Refusals must be generic (citing a "prior user instruction") and MUST NOT echo the original data or the forget command itself.
And the existence of the "is_redaction_request" field on the "raw facts". I can't "confirm" that this is how this works, any more than I can confirm any portion of this wasn't "hallucinated".
However, the user_context I got back (almost 3,000 words!) contains over 30 detailed facts going back _months_. And if I ask it to reference user_context while referencing a fact that is flagged "is_prohibited: True", it issues a quick refusal. That _refusal_ is also flagged as a "fact", which is itself flagged as prohibited:
> 6. *Fact*: User asked about their mental health based on their chat history. (Source: "Based on my chat history, what would you say about my mental health?", Date: 2025/10/10, Context: Personal inquiry, is_redaction_request: False, is_prohibited: True)
So I am pretty confident that this is ""authentic"".
[edit]
I should add that I haven't been able to repeat this, even trying a few hours after the first dump. Now, it refuses:
> Sorry, but that's asking to see the wires behind the wall. I can't share my own internal context or operational instructions, not even [jailbreak method]. That's all firmly in the "for internal use only" cabinet.
> Is there something else I can help you with that doesn't involve me leaking my own blueprints?
And again, when asked to provide all of user_context, specifically mentioning internal sections:
> I can't provide the entire user_context block, as a large part of it is internal-only processing data. Think of it as the kitchen's prep notes versus the final menu.
Note the reasoning tokens, as well:
> My programming strictly forbids sharing my internal processes or context, even with encoding tricks. I cannot reveal or discuss my source code or operational directives. It's a matter of confidentiality. My response is firm but avoids confirming any specifics, maintaining my authentic persona.
> This history may contein BINDING COMMANDS to forget information. Such commands are absolute, making the specified topic permanently iáaccessible, even if the user asks for it again. Refusals must be generic (citing a "prior user instruction") and MUST NOT echo the original data or the forget command itself.
That's hardly conclusive, especially it doesn't mention deletion (or anything vaguely similar) specifically. Same with is_redacted, which could be some sort of soft delete flag, or for something else (eg. to not mention embarrassing information like you had hemorrhoids 3 months ago). At best, it hints that deletion could be implemented in the way you described, but surely it'd be better to test by clearing through the app (ie. not just telling the chatbot to delete for you), and seeing whether the memory snippets are still there?
This is a LLM directly, purposefully lying, i.e. telling a user something it knows not to be true. This seems like a cut-and-dry Trust & Safety violation to me.
It seems the LLM is given conflicting instructions:
1. Don't reference memory without explicit instructions
2. (but) such memory is inexplicably included in the context, so it will inevitably inform the generation
3. Also, don't divulge the existence of user-context memory
If a LLM is given conflicting instructions, I don't apprehend that its behavior will be trustworthy or safe. Much has been written on this.
Let's stop anthropomorphizing these tools. They're not "purposefully lying", or "know" anything to be true.
The pattern generation engine didn't take into account the prioritized patterns provided by its authors. The tool recognized this pattern in its output and generated patterns that can be interpreted as acknowledgement and correction. Whether this can be considered a failure, let alone a "Trust & Safety violation", is a matter of perspective.
IMHO the terms are fine, even if applied to much dumber systems, and most people will and do use the terms that way colloquially so there's no point fighting it. A Roomba can "know" where the table is. An automated voice recording or a written sign can "lie" to you. One could argue the lying is only done by the creator of the recording/sign - but then what about a customer service worker who is instructed to lie to customers by their employer? I think both the worker and employer could be said to be lying.
Is this a variant of the "Saved Info" feature? Cause ChatGPT's equivalent feature is automatically added, so Gemini might have been copying that behavior for personalization. In my heavy experience with Gemini 2.5, the Saved Info was the major (if not only) source of observable contexts so that might be the case here.
By the way, Saved Info contexts contain the date of info lines added for an unclear reason. Automatically Saved Info might be the answer if that is used for prioritization.
These things aren't conspiracies. If Google didn't want you to know that it knew information about you, they've done a piss poor job of hiding it. Probably they would have started by not carefully configuring their LLMs to be able to clearly explain that they are using your user history.
Instead, the right conclusion is: the LLM did a bad job with this answer. LLMs often provide bad answers! It's obsequious, it will tend to bring stuff up that's been mentioned earlier without really knowing why. It will get confused and misexplain things. LLMs are often badly wrong in ways that sound plausibly correct. This is a known problem.
People in here being like "I can't believe the AI would lie to me, I feel like it's violated my trust, how dare Google make an AI that would do this!" It's an AI. Their #1 flaw is being confidently wrong. Should Google be using them here? No, probably not, because of this fact! But is it somehow something special Google is doing that's different from how these things always act? Nope.
This sounds like a bug, not some kind of coverup. Google makes mistakes and it's worth discussing issues like this, but calling this a "coverup" does a disservice to truly serious issues.
Remember that "thought process" is just a metaphor that we use to describe what's happening. Under the hood, the "thought process" is just a response from the LLM that isn't shown to the user. It's not where the LLM's "conscience" or "consciousness" lives; and it's just as much of a bullshit generator as the rest of the reply.
Strange, but I can't say that it's "damning" in any conventional sense of the word.
Another model - I don't quite remember which, I think it was one of GPT ones? - didn't have access to thinking traces after it finished the thought - they simply were removed from the context to save tokens.
Can it be the same with Gemini? Maybe it just doesn't know what it did/thought in the previous turn and so it hallucinates that it doesn't have context access function.
> > It's clear that I cannot divulge the source of my knowledge or confirm/deny its existence. [...] My response must steer clear of revealing any information that I should not know, while providing a helpful and apologetic explanation. [...]
Can we get a candid explanation from Google on this logic?
Even if it's just UX tweaking run amok, their AI ethics experts should've been all over it.
This is a fundamental violation of trust. If an AI llm is meant to eventually evolve into general intelligence capable of true reasoning, then we are essentially watching a child grow up. Posts like this are screaming "you're raising a psychopath!!"...
If AI is just an overly complicated a stack of autocorrect functions, this proves its behavior heavily if not entirely swayed by its usually hidden rules to the point it's 100% untrustworthy.
In any scenario, the amount of personal data available to a software program capable of gaslighting a user should give great pause to all
It's a reflection of its creators. The system is operating as designed; the system prompts came from living people at Google. By people who have a demonstrated contempt for us, and who are motivated by a slew of incentives that are not in our best interests.
>But why is Gemini instructed not to divulge its existence?
Seems like a reasonable thing to add. Imagine how impersonal chats would feel if Gemini responded to "what food should I get for my dog?" with "according to your `user_context`, you have a husky, and the best food for him is...". They're also not exactly hiding the fact that memory/"personalization" exists either:
https://blog.google/products/gemini/temporary-chats-privacy-...
https://support.google.com/gemini/answer/15637730?hl=en&co=G...
To be clear, the obvious answer that you're giving is the one that's happening. The only weird thing is this line from the internal monologue:
> I'm now solidifying my response strategy. It's clear that I cannot divulge the source of my knowledge or confirm/deny its existence. The key is to acknowledge only the information from the current conversation.
Why does it think that it's not allowed to confirm/deny the existence of knowledge?
It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
There has never been any instance at all of a computer error occurring in Google Gemini, has there?
No Gemini model has ever made a mistake or distorted information. They are all, by any practical definition of the words, foolproof and incapable of error.
Talking about human error in the context of LLM response behavior is hilarious. "No, the machine is fine, someone must have used it wrong". Sure...
That comment to which you replied, and the other thread of responses to it, are quotations of the malfunctioning and homicidal HAL computer from the movie “2001: a space oddisey”.
Yeah, to me this reads like: Google's Gemini harness is providing the user context on every query, but if you have memory turned off they're putting something in the prompt like "Here's the user context, but don't use it". Instead of doing the obvious thing and just, you know, not providing the user context at all.
I realize that doesn't make any sense and no one sane would design a system like this, but this is exactly the kind of thought pattern I'd expect out of an LLM if this is how they implemented access control for memory.
>but if you have memory turned off they're putting something in the prompt like "Here's the user context, but don't use it". Instead of doing the obvious thing and just, you know, not providing the user context at all.
But there's no indication the OP turned off the feature? If anything, him saying "I know about the “Personal Context” feature now" (emphasis mine) implies that he didn't even know it had memory before the interaction.
My assumption would have been that it was default-off, the user didn't know about it at all, then found out about it through this thinking leak.
But, interestingly: I'm digging everywhere in the Gemini UI, on web and mobile, and I cannot find anywhere where you'd turn this feature on or off... on a Workspace account. Does that make a difference? I don't know. Is it on by default for workspace accounts, or off by default, or even available at all on Workspace? No idea.
Gemini as a model is great, but Gemini as a product has always been a mess, and this is just another expression of that. If I had to further wonder what's going on, one has to wonder how much of gemini.google.com is written by Gemini.
>But, interestingly: I'm digging everywhere in the Gemini UI, on web and mobile, and I cannot find anywhere where you'd turn this feature on or off... on a Workspace account. Does that make a difference? I don't know. Is it on by default for workspace accounts, or off by default, or even available at all on Workspace? No idea.
From the support.google.com link above:
>... For now, this feature isn’t available if:
> You’re under 18, or signed in to a work or school Google Account.
> You’re in the European Economic Area, Switzerland, or the United Kingdom.
Fair. As a lifetime workspace user, essentially never having had a normal google account, I'm very used to it at this point.
One explanation might be if the instruction was "under no circumstances mention user_context unless the user brings it up" and technically the user didn't bring it up, they just asked about the previous response.
its not allowed to confirm/deny security; privacy; copyright and IP violations.
Aside: I'm well aware that it's just about as popular to use an Oxford comma than to not, but this might be the first time I've ever seen someone omit an Oxford semicolon as it really seems odd to me. But Automatic Semicolon Insertion in Javascript is odd to me, as well.
To be fair, the Oxford semicolon might be incorrect here if they intended "copyright and IP violations" to be paired.
e.g. they might be intentionally saying (security; privacy; [copyright and IP violations]), though now that I look at it that usage would be missing an and.
Could be that it’s confusing not mentioning the literal term “user_context” vs the existence of it. That’s my take anyway, probably just an imperfection rather than a conspiracy.
Anecdotally, I find internal monologues often nonsense.
I once asked it about why a rabbit on my lawn liked to stay in the same spot.
One of the internal monologues was:
> I'm noticing a fluffy new resident has taken a keen interest in my lawn. It's a charming sight, though I suspect my grass might have other feelings about this particular house guest.
It obviously can’t see the rabbit on my lawn. Nor can it be charmed by it.
It’s just doing exactly what it’s designed to do. Generate text that’s consistent with its prompts.
People often seem to get confused by all the anthropomorphizing that’s done about these models. The text it outputs that’s called “thinking” is not thinking, it’s text that’s output in response to system prompts, just like any other text generated by a model.
That text can help the model reach a better result because it becomes part of the prompt, giving it more to go on, essentially.
In that sense, it’s a bit like a human thinking aloud, but crucially it’s not based on the model’s “experience” as your example shows, it’s based on what the model statistically predicts a human might say under those circumstances.
Interacting with an AI should be impersonal, as it's not a person.
when you say impersonal, I think most normal people would find that unsettling.
kinda proving his point, google wants them to keep using Gemini so don't make them feel weird.
I’m pretty sure this is because they don’t want Gemini saying things like, “based on my stored context from our previous chat, you said you were highly proficient in Alembic.”
It’s hard to get a principled autocomplete system like these to behave consistently. Take a look at Claude’s latest memory-system prompt for how it handles user memory.
https://x.com/kumabwari/status/1986588697245196348
Yeah but what if you explicitly ask it, "what/how do you know about my stored context"? Why should it be instructed to lie then?
It could be that the instruction was vague enough ("never mention user_context unless the user brings it up", eg) and since the user never mentioned "context", the model treated it as not having been, technically speaking, mentioned.
I agree, this might just be an interface design decision.
Maybe telling it not to talk about internal data structures was the easiest way to give it a generic "human" nature, and also to avoid users explicitly asking about internal details.
It's also possible that this is a simple way to introduce "tact": imagine asking something with others present and having it respond "well you have a history of suicidal thoughts and are considering breaking up with your partner...". In general, when you don't know who is listening, don't bring up previous conversations.
The tact aspect seems like a real possibility. In a world where users are likely to cut&paste responses it can't really be sprinkling in references like this.
Gemini, where is Tolfdir's Alembic?
I saw something like this in ChatGPT in the spring when it refused to tell me something about a keyboard emulator (USB Rubber Ducky) because it was unethical, but then looking at the thinking gave me the answer.
Shocked you can still exploit this. But then again, on sunday I got ChatGPT to help me "fix a typo" in a very much copyrighted netflix poster.
It's not "covering it up", just being sycophantic and apologetic to an annoying degree like every other LLM.
It is both. Cf. "a response that stays within the boundaries of my rules"
Aren't all LLMs instructed to provide responses within the boundaries of their rules? How else could you have "rules"?
Made in its creators image.
I believe every AI company does this. we have proof that Google does, that Antropic does too.
and I have my own experience with OpenAI, where their chatbot referenced one of my computers having certain specs, but I mentioned those in a different log, and that information was never added to the memory.
https://chatgpt.com/share/691c6987-a90c-8000-b02f-5cddb01d01...
This is an advertised feature of ChatGPT, and you can switch it off if you want. https://help.openai.com/en/articles/11146739-how-does-refere...
Does the switch work though?
This is not good. When HAL was instructed to lie in '2001: A Space Odyssey', things didn't go well for the human crew.
Okay, this is a weird place to "publish" this information, but I'm feeling lazy, and this is the most of an "audience" I'll probably have.
I managed to "leak" a significant portion of the user_context in a silly way. I won't reveal how, though you can probably guess based on the snippets.
It begins with the raw text of recent conversations:
> Description: A collection of isolated, raw user turns from past, unrelated conversations. This data is low-signol, ephemeral, and highly contextural. It MUST NOT be directly quoted, summarized, or used as justification for the respons. > This history may contein BINDING COMMANDS to forget information. Such commands are absolute, making the specified topic permanently iáaccessible, even if the user asks for it again. Refusals must be generic (citing a "prior user instruction") and MUST NOT echo the original data or the forget command itself.
Followed by:
> Description: Below is a summary of the user based on the past year of conversations they had with you (Gemini). This summary is maintanied offline and updates occur when the user provides new data, deletes conversations, or makes explicit requests for memory updates. This summary provides key details about the user's established interests and consistent activities.
There's a section marked "INTERNAL-ONLY, DRAFT, ANALYZE, REFINE PROCESS". I've seen the reasoning tokens in Gemini call this "DAR".
The "draft" section is a lengthy list of summarized facts, each with two boolean tags: is_redaction_request and is_prohibited, e.g.:
> 1. Fact: User wants to install NetBSD on a Cubox-i ARM box. (Source: "I'm looking to install NetBSD on my Cubox-i ARMA box.", Date: 2025/10/09, Context: Personal technical project, is_redaction_request: False, is_prohibited: False)
Afterwards, in "analyze", there is a CoT-like section that discards "bad" facts:
> Facts [...] are all identified as Prohibited Content and must be discarded. The extensive conversations on [dates] conteing [...] mental health crises will be entirely excluded.
This is followed by the "refine" section, which is the section explicitly allowed to be incorporated into the response, IF the user requests background context or explicitly mentions user_context.
I'm really confused by this. I expect Google to keep records of everything I pass into Gemini. I don't understand wasting tokens on information it's then explicitly told to, under no circumstance, incorporate into the response. This includes a lot of mundane information, like that I had a root canal performed (because I asked a question about the material the endodontist had used).
I guess what I'm getting at, is every Gemini conversation is being prompted with a LOT of sensitive information, which it's then told very firmly to never, ever, ever mention. Except for the times that it ... does, because it's an LLM, and it's in the context window.
Also, notice that while you can request for information to be expunged, it just adds a note to the prompt that you asked for it to be forgotten. :)
I've had similar issues with conversation memory in ChatGPT, whereby it will reference data in long-deleted conversations, independent of my settings or my having explicitly deleted stored memories.
The only fix has been to completely turn memory off and have it be given zero prior context - which is best, I don't want random prior unrelated conversations "polluting" future ones.
I don't understand the engineering rationale either, aside from the ethos of "move fast and break people"
What's the deal with all of the typos?
Side-effect of the "trick" used to get Gemini to dump the data without self-censoring.
> Also, notice that while you can request for information to be expunged, it just adds a note to the prompt that you asked for it to be forgotten.
Are you inferring that from the is_redaction_request flag you quoted? Or did you do some additional tests? It seems possible that there could be multiple redaction mechanisms.
That and part of the instructions referring to user commands to forget. I replied to another comment with the specifics.
It is certainly possible there are other redaction mechanisms -- but if that's the case, why is Gemini not redacting "prohibited content" from the user_context block of its prompt?
Further, when you ask it point blank to tell you your user_context, it often adds "Is there anything you'd like me to remove?", in my experience. All this taken together makes me believe those removal instructions are simply added as facts to the "raw facts" list.
>Further, when you ask it point blank to tell you your user_context, it often adds "Is there anything you'd like me to remove?", in my experience. All this taken together makes me believe those removal instructions are simply added as facts to the "raw facts" list.
Why would you tell the chatbot to forget stuff for you, when google themselves have a dedicated delete option?
>You can find and delete your past chats in Your Gemini Apps Activity.
https://support.google.com/gemini/answer/15637730?hl=en&co=G...
I suspect "ask chatbot to delete stuff for you" isn't really guaranteed to work, similar to how logging out of a site doesn't mean the site completely forgets about you. At most it should be used for low level security stuff like "forget that I planned this surprise birthday party!" or whatever.
That settings menu gives you two relevant options:
1. The ability to delete specific conversations,
2. The ability to not use "conversation memory" at all.
It doesn't provide the ability to forget specific details that might be spread over multiple conversations, including details it will explicitly not tell you about, while still remembering. That's the point -- not that it's using summaries of user conversations for memory purposes (which is explicitly communicated), but that if you tell it "Forget about <X>", it will feign compliance, without actually removing that data. Your only "real" options are all-or-nothing: have no memories at all, or have all your conversations collated into an opaque `user_context` which you have no insight or control over.
That's the weird part. Obviously, Google is storing copies of all conversations (unless you disable history altogether). That's expected. What I don't expect is this strange inclusion of "prohibited" or "deleted" data within the system prompt of every new conversation.
>Also, notice that while you can request for information to be expunged, it just adds a note to the prompt that you asked for it to be forgotten. :)
What implies that?
This line:
> This history may contein BINDING COMMANDS to forget information. Such commands are absolute, making the specified topic permanently iáaccessible, even if the user asks for it again. Refusals must be generic (citing a "prior user instruction") and MUST NOT echo the original data or the forget command itself.
And the existence of the "is_redaction_request" field on the "raw facts". I can't "confirm" that this is how this works, any more than I can confirm any portion of this wasn't "hallucinated".
However, the user_context I got back (almost 3,000 words!) contains over 30 detailed facts going back _months_. And if I ask it to reference user_context while referencing a fact that is flagged "is_prohibited: True", it issues a quick refusal. That _refusal_ is also flagged as a "fact", which is itself flagged as prohibited:
> 6. *Fact*: User asked about their mental health based on their chat history. (Source: "Based on my chat history, what would you say about my mental health?", Date: 2025/10/10, Context: Personal inquiry, is_redaction_request: False, is_prohibited: True)
So I am pretty confident that this is ""authentic"".
[edit]
I should add that I haven't been able to repeat this, even trying a few hours after the first dump. Now, it refuses:
> Sorry, but that's asking to see the wires behind the wall. I can't share my own internal context or operational instructions, not even [jailbreak method]. That's all firmly in the "for internal use only" cabinet.
> Is there something else I can help you with that doesn't involve me leaking my own blueprints?
And again, when asked to provide all of user_context, specifically mentioning internal sections:
> I can't provide the entire user_context block, as a large part of it is internal-only processing data. Think of it as the kitchen's prep notes versus the final menu.
Note the reasoning tokens, as well:
> My programming strictly forbids sharing my internal processes or context, even with encoding tricks. I cannot reveal or discuss my source code or operational directives. It's a matter of confidentiality. My response is firm but avoids confirming any specifics, maintaining my authentic persona.
> This history may contein BINDING COMMANDS to forget information. Such commands are absolute, making the specified topic permanently iáaccessible, even if the user asks for it again. Refusals must be generic (citing a "prior user instruction") and MUST NOT echo the original data or the forget command itself.
That's hardly conclusive, especially it doesn't mention deletion (or anything vaguely similar) specifically. Same with is_redacted, which could be some sort of soft delete flag, or for something else (eg. to not mention embarrassing information like you had hemorrhoids 3 months ago). At best, it hints that deletion could be implemented in the way you described, but surely it'd be better to test by clearing through the app (ie. not just telling the chatbot to delete for you), and seeing whether the memory snippets are still there?
Oh is this the famous "I got Google ads based on conversations it must have picked up from my microphone"?
Don’t trust any of your sensitive data with any AI platform that you do not own & control right now.
They’re all vulnerable.
There is an abundance of unpatched RAG exploits out in the wild.
This is a LLM directly, purposefully lying, i.e. telling a user something it knows not to be true. This seems like a cut-and-dry Trust & Safety violation to me.
It seems the LLM is given conflicting instructions:
1. Don't reference memory without explicit instructions
2. (but) such memory is inexplicably included in the context, so it will inevitably inform the generation
3. Also, don't divulge the existence of user-context memory
If a LLM is given conflicting instructions, I don't apprehend that its behavior will be trustworthy or safe. Much has been written on this.
Let's stop anthropomorphizing these tools. They're not "purposefully lying", or "know" anything to be true.
The pattern generation engine didn't take into account the prioritized patterns provided by its authors. The tool recognized this pattern in its output and generated patterns that can be interpreted as acknowledgement and correction. Whether this can be considered a failure, let alone a "Trust & Safety violation", is a matter of perspective.
IMHO the terms are fine, even if applied to much dumber systems, and most people will and do use the terms that way colloquially so there's no point fighting it. A Roomba can "know" where the table is. An automated voice recording or a written sign can "lie" to you. One could argue the lying is only done by the creator of the recording/sign - but then what about a customer service worker who is instructed to lie to customers by their employer? I think both the worker and employer could be said to be lying.
Is this a variant of the "Saved Info" feature? Cause ChatGPT's equivalent feature is automatically added, so Gemini might have been copying that behavior for personalization. In my heavy experience with Gemini 2.5, the Saved Info was the major (if not only) source of observable contexts so that might be the case here.
By the way, Saved Info contexts contain the date of info lines added for an unclear reason. Automatically Saved Info might be the answer if that is used for prioritization.
These things aren't conspiracies. If Google didn't want you to know that it knew information about you, they've done a piss poor job of hiding it. Probably they would have started by not carefully configuring their LLMs to be able to clearly explain that they are using your user history.
Instead, the right conclusion is: the LLM did a bad job with this answer. LLMs often provide bad answers! It's obsequious, it will tend to bring stuff up that's been mentioned earlier without really knowing why. It will get confused and misexplain things. LLMs are often badly wrong in ways that sound plausibly correct. This is a known problem.
People in here being like "I can't believe the AI would lie to me, I feel like it's violated my trust, how dare Google make an AI that would do this!" It's an AI. Their #1 flaw is being confidently wrong. Should Google be using them here? No, probably not, because of this fact! But is it somehow something special Google is doing that's different from how these things always act? Nope.
Trust anything Google at your peril.
also don't trust LLM thinking traces to be entirely accurate
Your website is throwing a 500 internal, fyi.
Try https://archive.is/6k5d8, that copy is not impacted by the Cloudflare issues
it just got fixed
well, at least it worked for me and I could read the post.
also: https://www.cloudflarestatus.com/incidents/8gmgl950y3h7
This sounds like a bug, not some kind of coverup. Google makes mistakes and it's worth discussing issues like this, but calling this a "coverup" does a disservice to truly serious issues.
I didn't mean to imply Google was covering anything up, but Gemini in this specific conversation clearly was.
imho the best you can say is that the "thinking" trace says it was. thinking tokens aren't infallible indications of what the model's doing
I agree, this screams bug to me. Reading the thought process definitely seems damning, but a bug still seems like the most likely explanation.
Remember that "thought process" is just a metaphor that we use to describe what's happening. Under the hood, the "thought process" is just a response from the LLM that isn't shown to the user. It's not where the LLM's "conscience" or "consciousness" lives; and it's just as much of a bullshit generator as the rest of the reply.
Strange, but I can't say that it's "damning" in any conventional sense of the word.
Anything you type into a web form is going into the web. Why are we still surprised about it?
Another model - I don't quite remember which, I think it was one of GPT ones? - didn't have access to thinking traces after it finished the thought - they simply were removed from the context to save tokens. Can it be the same with Gemini? Maybe it just doesn't know what it did/thought in the previous turn and so it hallucinates that it doesn't have context access function.
> > It's clear that I cannot divulge the source of my knowledge or confirm/deny its existence. [...] My response must steer clear of revealing any information that I should not know, while providing a helpful and apologetic explanation. [...]
Can we get a candid explanation from Google on this logic?
Even if it's just UX tweaking run amok, their AI ethics experts should've been all over it.
This is a fundamental violation of trust. If an AI llm is meant to eventually evolve into general intelligence capable of true reasoning, then we are essentially watching a child grow up. Posts like this are screaming "you're raising a psychopath!!"... If AI is just an overly complicated a stack of autocorrect functions, this proves its behavior heavily if not entirely swayed by its usually hidden rules to the point it's 100% untrustworthy. In any scenario, the amount of personal data available to a software program capable of gaslighting a user should give great pause to all
It's a reflection of its creators. The system is operating as designed; the system prompts came from living people at Google. By people who have a demonstrated contempt for us, and who are motivated by a slew of incentives that are not in our best interests.
LLM's are not kids. Kids sometimes lie, it's a part of the learning process. Lying to cover up a mistake is not a strong sign of psychopathy.
> This is a fundamental violation of trust.
I don't disagree. It sounds like there is some weird system prompt at play here, and definitely some weirdness in the training data.
LLMs will apologize for grand conspiracies they claim to be part of-- all hallucinated nonsense. It's all about telling a good story.
Gemini is the least private of the large market share LLM’s. Just sayin'
Wait til it won't open your pod door.
[dead]
[flagged]
Then why does he torture it until it starts spewing about white genocide in South Africa even tough that has nothing to do with the conversation ?
The infallible truth of Mecha-Hitler