Your Voice Is in the Room. So Is the Vendor.

In September 2024, an AI researcher named Alex Bilzerian finished a Zoom call with a venture capital firm. A few minutes later, an email from Otter.ai landed in his inbox with a transcript of the meeting. Attached to that transcript were several more hours of conversation, recorded after the call had formally ended, during which the investors discussed what Bilzerian later described to The Washington Post as "strategic failures and cooked metrics."

The bot had kept listening.

That story, and others like it, are now the factual backbone of a federal class action consolidated in San Jose: In re Otter.AI Privacy Litigation. Four separate suits filed between August and September 2025, all alleging the same basic pattern. A motion-to-dismiss hearing is scheduled for May 20, 2026.

Whatever the courts decide, the case is a useful mirror. It shows professionals what their AI tools are actually doing in the rooms where work happens.

What the Lawsuits Allege

The complaints are detailed and worth taking seriously on their own terms. They allege that Otter:

  • Joins Zoom, Google Meet, and Microsoft Teams calls automatically when a user has linked their calendar, sometimes without the host's affirmative action, often without any notice to other participants.
  • Records audio, generates transcripts, captures screenshots, and stores the resulting data on Otter's servers.
  • Uses recorded conversations to train its machine-learning models, with consent obtained, at most, through a checkbox the meeting host clicked at signup, not from the other people in the room.
  • Sends follow-up emails containing partial transcripts to all calendar invitees, including people who did not attend, and uses those emails to encourage non-users to create accounts.
  • Captures biometric voiceprint data, which in Illinois falls under BIPA and carries its own statutory penalties.

The plaintiffs are pursuing claims under the federal Electronic Communications Privacy Act, California's Invasion of Privacy Act (CIPA), and Illinois's Biometric Information Privacy Act. CIPA alone allows $5,000 in statutory damages per violation. With 25 million users and over a billion meetings transcribed since 2016, the math is not small.

Otter denies the allegations and will defend the case. Its position, broadly, is that hosts are responsible for getting permission from participants, and that its terms of service describe how data is used. None of the underlying claims have been proven in court.

But you do not need a verdict to draw a useful lesson.

The New Attack Surface Is the Input Layer

For most of the last twenty years, professional security advice has focused on the same handful of attack surfaces: passwords, phishing, endpoint malware, network perimeters. The advice was good and most of it is still right.

What has changed is that an entirely new attack surface has opened up underneath it: the input layer.

Your voice in a meeting. Your draft in a notes app. Your queries in an AI assistant. Your transcripts. Your dictation. Your search history. The raw material of knowledge work, the stuff that used to live only in your head and on your local machine, is now being captured, transmitted, stored, and in many cases used to train models, by a stack of vendors most professionals have never audited.

This is not a hypothetical. The Otter complaints describe, in plain language, what one large vendor allegedly does with that material. The Bilzerian story describes what can happen when the system fails in the most basic way imaginable: a recording that does not stop when the meeting does.

Three things about that input layer make it different from the attack surfaces most professionals already think about:

It is invisible. A phishing email is something you can see and decide not to click. An AI notetaker silently joining your calendar invites is not. The Ohio State IT department issued a campus-wide advisory in August 2025 telling faculty and staff to make their own informed decisions about Otter, because there was no way for the institution to know who was using it or in which meetings.

It is persistent. Audio captured today can be stored, retained, repurposed, and fed into model training for years. Unlike a leaked password, which you can rotate, a leaked conversation is permanent. It cannot be revoked.

It crosses jurisdictions. A single Zoom call between participants in California, Illinois, and Texas already implicates three different consent regimes. AI tools do not ask. They record under the rule of whichever jurisdiction is most permissive, or, in some allegations, none of them.

What "Private by Design" Actually Means

There is a marketing version of privacy and there is an architectural version. They are not the same thing, and the difference matters more every year.

The marketing version is a privacy policy that describes how your data is used and gives you opt-outs. It depends on the vendor's word, the vendor's security, the vendor's contractor relationships, and the vendor's continued solvency. It is, fundamentally, a promise.

The architectural version is a system that cannot leak your data, because the data never leaves your machine. There is no transcript on a server. There is no voiceprint in a database. There is no behavioral log in a vendor's analytics pipeline. There cannot be. The architecture does not permit it.

The Otter case is one in a series of moments, from Clearview AI to Amazon Alexa's COPPA settlement to the Fireflies.ai parallel litigation, that are slowly teaching professionals to recognize the difference. A privacy policy is a promise. An air gap is a fact.

A Short Audit for Your Own Stack

If you do knowledge work for a living, the practical question is not whether to use AI tools. It is which tools handle which kinds of data, and on whose hardware. Three questions worth answering for every tool already in your workflow:

  1. Where does my input go? When you speak, type, or upload, does the data leave your device? If yes, where does it land, and who has access to it once it is there?
  2. What is it used for, beyond the immediate task? Is your input retained? Used to train models? Shared with third parties? Sent to subprocessors you have never heard of?
  3. Can you verify the answer? A privacy policy is a claim. A local-only architecture is a claim you can verify by watching your own network traffic.
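Question 3 is the one you can test rather than take on faith. What follows is an added example, not code from the original post or from TypeSay: it parses the socket table that `ss -tnp` prints on Linux, captured while a tool is in use, and reports every process holding a connection to a peer outside loopback, RFC 1918 and link-local space; the sample output and the process names in it are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Address space that stays on the machine or the local network: loopback, RFC 1918,
# link-local, IPv6 ULA. Any other peer is a remote party that receives the traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# One socket line of `ss -tnp`; the process group is absent when ss cannot attribute the
# socket (other users' processes unless run as root), so such peers are reported as 'unknown'.
SS_LINE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+users:\(\("([^"]+)",pid=\d+)?')

# Constructed sample in `ss -tnp` layout (not a real capture): "typesay" stands in for a
# loopback-only tool, "notetaker" for a hypothetical cloud-backed one (RFC 5737 peers).
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      127.0.0.1:54321      127.0.0.1:8080      users:(("typesay",pid=4242,fd=12))
ESTAB  0      0      [::1]:9000           [::1]:44812         users:(("typesay",pid=4242,fd=15))
ESTAB  0      0      192.168.1.10:51234   203.0.113.45:443    users:(("notetaker",pid=5151,fd=9))
ESTAB  0      0      192.168.1.10:51240   198.51.100.7:443    users:(("notetaker",pid=5151,fd=11))
ESTAB  0      0      192.168.1.10:51400   8.8.8.8:53
"""

def split_host_port(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def is_external(host):
    """True if `host` lies outside LOCAL_NETS; unparsable hosts such as '*' are not external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)

def parse_ss(ss_output):
    """Yield (process, peer_host, peer_port); sockets ss cannot attribute are 'unknown'."""
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:
            host, port = split_host_port(m.group(2))
            yield m.group(3) or "unknown", host, port

def external_peers(ss_output):
    """Map each process to the sorted 'host:port' peers it holds outside local address space."""
    report = defaultdict(set)
    for name, host, port in parse_ss(ss_output):
        if is_external(host):
            report[name].add(f"{host}:{port}")
    return {name: sorted(peers) for name, peers in report.items()}
```

Run it against a live capture (`ss -tnp`, as root to see every process) while dictating or in a meeting: a tool whose name never appears in the result is not talking to anyone off the box, and an 'unknown' entry is a socket you still need to attribute.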

Most professionals will find that the tools doing the most sensitive work, capturing voice, drafting documents, processing client information, are the ones with the weakest answers to these questions. That is the gap worth closing first.

Where TypeSay Fits

We built TypeSay around a single architectural choice: your voice never leaves your machine.

Speech-to-text does not need the cloud. It does not need an account. It does not need telemetry, analytics, or a vendor pipeline. TypeSay runs OpenAI's Whisper model directly on your hardware. Audio is captured, transcribed, and discarded in memory. Nothing is saved. Nothing is sent. There is no Otter-style email arriving an hour after a sensitive conversation, because there is no server that could send it.

That is not a feature. It is the absence of a category of risk.

The professionals reading the Otter coverage and asking "what else am I exposed to?" are asking the right question. The next generation of professional tools will answer it the same way: by not capturing what does not need to be captured, and by keeping what does on the user's own hardware.

One-time purchase. No subscription. No cloud. No surprise emails.

TypeSay is private, local-first speech-to-text for Windows, macOS, and Linux. $199, one time, forever.