It is really strange to me they specified “an open source library”
Not entire sure what the outrage here is. It’s an ML company, not a privacy company. Anyone assuming their daft prompts are private are just naive.
Of course this had to happen
If you ship it, it is your code.
I considered whether you can fault them for that, but I do think, I’ll fault them for using Python in a security-relevant context.
You get so little assistance from the language tooling and a lot of Python libraries have low code-quality. Especially the whole asyncio system is so tricky to use, it’s extremely hard to produce correct code.
Which language would you have used?
The JVM languages (Scala, Java, Kotlin) usually have decent-quality libraries and tooling. The Rust community loves to pump out high-quality stuff. And well, a bit more unusual, but I would have high confidence in Haskell or OCaml libraries, too.
It’s mainly JavaScript and Python where the whole ecosystem is built from the ground up with a “good enough for my script”-attitude. Oh, and C is out for manually managing memory.
And this… Is why every service I sign up for is given a unique name, email, virtual card. Haven’t figured out a good solution for unique phone number, but everything else is sorted at least.