Google has long promised that artificial intelligence will revolutionize everyday tasks like travel planning. With Gemini Spark, the company takes a far more drastic step than any chatbot demo has managed before — and the results are as impressive as they are unsettling.
What is Gemini Spark?
Spark is Google's new agentic AI system, designed to function as a personal assistant that never sleeps. Unlike a conventional chatbot that answers individual questions, Spark operates autonomously over time: it plans, acts, and follows up on the user's behalf.
The system is deeply integrated with Google's own service platform — Gmail, Docs, Drive, Calendar, and Chrome — and can connect to external services such as Canva, OpenTable, and Instacart. The Verge's journalist describes Spark as the most impressive and frightening AI encounter they have had to date.
Spark is Google's agentic answer to everything — but the price may be your privacy.

Impressive on paper
Where earlier AI tools have only delivered generic travel suggestions, Spark is designed to carry out the entire planning process: searching for options, reading reviews, checking availability, and putting together a complete itinerary — without the user having to lift a finger.
This is precisely what technology companies have been promising for years. Spark appears to deliver on that promise, but in practice this means an AI agent with very broad permissions is making decisions on your behalf.
Privacy experts are concerned
The autonomous functionality comes with a significant security cost. Research data shows that agentic AI introduces a range of new risks that traditional AI systems do not carry.
One of the most serious scenarios is known as "prompt injection": malicious instructions hidden in emails or documents can trick Spark into performing unwanted actions — such as exfiltrating data or abusing access privileges. Bret Cohen, a partner at law firm Hogan Lovells, stresses to researchers that the risks associated with AI agents "are no longer merely theoretical," warning of potentially "very negative real-world consequences" if attackers exploit the system's probabilistic nature.
Ashley Zlatinov, head of product policy at Anthropic, points out that agentic AI can "gain access to enormous amounts of user data from sources such as calendars, email, and travel systems" — and that information shared in one context may resurface unexpectedly in another.
Data retention and missing guidelines
A report from May 2026 revealed that Gemini Spark's technical documentation lacked its own privacy policy and instead referred users to the general Gemini policy. This is a troubling gap for a system that handles sensitive personal information at scale.
Google states that the default setting for automatic deletion of Gemini activity data is 18 months, but users can select periods of 3 months, 36 months, or unlimited retention. Conversations reviewed by human reviewers are retained for up to three years. Google is also explicit that human employees may read user conversations in order to improve the system.
Structural security weaknesses
Researchers highlight several systemic problems with agentic AI in general, and Spark in particular:
Privilege escalation occurs when an agent's capabilities exceed the user's own access rights, potentially granting unintended permissions. Supply chain attacks become possible through third-party integrations via protocols such as the Model Context Protocol (MCP). In addition, agents can become trapped in recursive loops that consume resources uncontrollably — and in the worst case accumulate costs through repeated API calls or cloud resource usage.
Experts recommend "data minimization as a design principle": users should be able to explicitly choose which tools and databases the AI system can access. A system with unrestricted access to everything the user can see is, according to these experts, not privacy-protective regardless of what the policies say.
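To make the recommendation concrete, the sketch below is an added illustration, not code from Google or Spark. It gates every tool call an agent plans against three checks drawn from the risks above: an explicit per-user tool allowlist, a ceiling at the user's own access rights, and a call budget with repeat detection. All tool names, scope names and limits are hypothetical.

```python
from dataclasses import dataclass, field

class PolicyViolation(Exception):
    """A requested tool call falls outside what the user allowed."""

@dataclass
class AgentSession:
    granted_tools: frozenset      # tools the user explicitly opted in to
    user_scopes: frozenset        # rights the user holds; the agent may not exceed them
    max_calls: int = 20           # hard budget per task, caps runaway API/cloud spend
    max_repeats: int = 3          # an identical call seen more often is treated as a loop
    calls_made: int = 0
    seen: dict = field(default_factory=dict)

    def authorize(self, tool, required_scope, args):
        if tool not in self.granted_tools:
            raise PolicyViolation(f"tool not granted by user: {tool}")
        if required_scope not in self.user_scopes:
            raise PolicyViolation(f"scope exceeds user's own rights: {required_scope}")
        if self.calls_made >= self.max_calls:
            raise PolicyViolation("call budget exhausted")
        key = (tool, tuple(sorted(args.items())))
        self.seen[key] = self.seen.get(key, 0) + 1
        if self.seen[key] > self.max_repeats:
            raise PolicyViolation(f"repeated identical call, possible loop: {tool}")
        self.calls_made += 1

def run_plan(session, plan):
    """Check each planned call; return (tool, 'allow' or denial reason) per step."""
    results = []
    for tool, scope, args in plan:
        try:
            session.authorize(tool, scope, args)
            results.append((tool, "allow"))
        except PolicyViolation as exc:
            results.append((tool, f"deny: {exc}"))
    return results

# Constructed plan; tool and scope names are hypothetical.
SAMPLE_PLAN = [
    ("calendar.read", "calendar:read", {"day": "2026-06-01"}),
    ("gmail.read", "gmail:read", {"query": "invoice"}),       # user never enabled Gmail
    ("drive.share", "drive:admin", {"file": "itinerary"}),    # tool granted, scope user lacks
] + [("opentable.search", "web:read", {"city": "Oslo"})] * 5  # same call repeated

def demo():
    granted = frozenset({"calendar.read", "drive.share", "opentable.search"})
    scopes = frozenset({"calendar:read", "drive:read", "web:read"})
    return run_plan(AgentSession(granted, scopes), SAMPLE_PLAN)
```

The checks run outside the model, so a prompt-injected instruction hidden in an email can change what the agent asks for but not what the gate allows.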
What does Google say?
For Google Workspace users, Google states that data is not reviewed by humans or used to train generative AI models outside the user's domain without explicit permission. The company also states that users have control over Spark's access permissions, and recommends not sharing information one would not want a human colleague to see.
The specific details of which controls are actually available, and the extent to which third-party partners are held to Google's own standards, remain unclear for now. 24AI is following developments.
