An X post last week has been viewed 1.9 million times. It opens with this line:

“AI can now make you a great parent.”

The product being pitched is Ollie, a family AI assistant (link to the thread is at the end of this post). The thread describes Ollie deploying “an army of AI agents to scan the chaos, extract what matters and plan your day.” It reads your email, monitors your WhatsApp, finds unpaid bills while you sleep, and sends you a morning brief at 7am.

“Ollie never shuts off,” the author says. That’s presented as the product’s best feature.

I believe the app is genuinely useful. Parenting coordination is exhausting with all the school emails, the activity group chats, the calendar conflicts, and the missing ingredients you notice at 6pm when about to prepare dinner.

And I get why 1.9 million people were intrigued by the X thread. But “never shuts off” describes something most people have never deliberately agreed to give a third-party company. And the implications are worth understanding before you hand over your inbox.

Especially because, in one form or another, you may have already handed it over.

A Different Kind of Access

Most apps ask for permission to do one thing. Your weather app wants your location. Your camera app wants your microphone. You grant it, you understand roughly what it gets, and the relationship is bounded.

Agentic AI tools work differently. They don’t ask for one thing. They ask for persistent, broad access to read and act across multiple systems at once:

• your email

• your calendar

• your messages

• your finances

Then they operate continuously, without your involvement, making decisions about what matters and what to do with it. Unlike current apps that typically touch one data type, agentic AI connects dots across your entire digital life and makes autonomous decisions about how to use that information, often with minimal human oversight.

That’s a fundamentally different relationship than anything most people have agreed to before.

Ollie isn’t alone in this category. Skylight, a physical touchscreen calendar sitting in over a million family kitchens, aggregates your Google Calendar, iCal, Microsoft account, school apps, and sports scheduling apps into a single always-on display. The newer model uses AI to parse photos of paper flyers from your kids’ backpacks and automatically adds events to your calendar.

The device never goes dark and the sync never stops. Your family’s full schedule, routines, locations, and recurring appointments live in cloud infrastructure you probably haven’t thought about since setup.

Share

And then there’s Gmail. Google has been scanning your email for years to power its “smart features,” and in late 2024 expanded that access to Gemini AI across Gmail, Calendar, Drive, and Meet. Users were automatically opted in. Turning it off is possible, but Google buried the setting in two separate places and bundled it with features like spell-check so that opting out is genuinely annoying. (opt out instructions are further down below).

If you’ve been following the privacy conversation around AI wearables, you’re already familiar with a related version of this problem. Tate Jarrow at Online Safety Substack wrote last week about Amazon’s acquisition of Bee, a wearable that records conversations all day and uploads transcripts to the cloud. His point:

the real risk isn’t to the person wearing it, who consented. It’s to everyone around them who didn’t.

Family AI tools work on similar logic, just applied to your household. The data flowing through Ollie isn’t only yours. It includes your partner, your kids, your nanny, and your family’s schedule as a whole.

These tools are part of a growing category that markets itself as the “family OS.” The convenience is legit. The privacy tradeoffs are of course more complicated than the compelling pitch suggests.

How Google's Gemini AI Accessed Private Tax Data

July 19, 2024

Read full story

The Attack Vector Built into the Design

There's one risk with these tools that most people are overlooking:

When you give an AI agent access to your email, every email you receive becomes a potential instruction to that agent. Not from you. From whoever sent it.

Security researchers have documented a class of attack called prompt injection, where malicious content hidden inside an email tricks an AI agent monitoring your inbox into taking actions you never authorized. Unlike phishing attacks that require a human to click something, a successful prompt injection against an agent requires no human error at all. The email arrives, the agent reads it, the hidden instruction executes.

This is already happening in real deployments. Security teams are detecting prompt injection payloads arriving through email, with instructions hidden in white text on a white background, invisible to human readers, designed specifically to manipulate AI agents monitoring inboxes. The agent does exactly what it’s told.

This isn’t a flaw in Ollie specifically. It’s a structural property of any system that gives an AI persistent access to read and act on your communications. Meredith Whittaker, the president of Signal, made this point publicly at SXSW last year (link to video at the end):

agentic AI poses serious security risks precisely because completing tasks for users requires giving the agent access to reams of data, and that access doesn’t just serve you. It creates a target.

The more access an agent has, and the more autonomously it acts, the larger the surface area for this kind of attack. An agent that reads your email to surface a school reminder and an agent that reads your email to exfiltrate your financial details have exactly the same level of access. The difference is who’s giving it instructions.

What the Data Actually Includes

Ollie’s privacy policy says message content “may be reviewed or used in aggregate to improve Ollie’s systems.” That’s easy to skim past, and I’ve written before about why privacy policies generally aren’t worth reading as a primary strategy because they’re written to protect the company, not you (and they’re intentionally broad enough to permit almost anything). But even setting aside what the policy permits, the practical implications of opting into those are worth understanding.

Your family’s communications aren’t abstract data. They include medical appointments, financial stress, the dietary restriction your kid was just diagnosed with, the pickup logistics when schedules don’t align, the nanny you just hired. “Used in aggregate to improve our systems” is where all of that goes.

Ollie’s infrastructure runs on third-party services including OpenAI’s API. Ollie’s own FAQ cites OpenAI’s commercial API terms as the basis for its claim that your data isn’t used for model training. That’s a claim about OpenAI’s behavior, not a contractual guarantee Ollie itself is making to you. If that relationship changes, you have no direct recourse.

Early agentic AI deployments have already produced security incidents where researchers found thousands of exposed instances leaking API keys, chat histories, and account credentials. In some cases, the failures originated not at the consumer-facing product but in the infrastructure beneath it.

Ollie is also currently free, with a stated goal that future features will support the business. The data is being collected now, before the monetization model is finalized. Whatever Confabulation Corporation eventually decides to do with this product, they will have a detailed behavioral dataset of family households already built. Privacy policies can be updated. Data that exists at the time of a policy change doesn’t disappear.

How to Evaluate Any Agentic Tool Before You Grant Access

Since privacy policies are generally written to protect companies rather than users, I don’t rely on them as a reliable guide to actual behavior. But four practical questions help you size up your real exposure before you hand a tool access to your household. They don’t require reading anything legal.