Source: gizmodo.com

Should You Hijack a Corporate AI Chatbot for Free Tokens?

Developers reverse-engineered Chipotle's customer service chatbot Pepper to access its underlying AI for free coding assistance, creating tools like ChipotlAI Max that bypass subscription fees for commercial AI models. The unauthorized use prompted Chipotle to modify its API, though legal experts say the practice likely does not violate federal hacking laws since the chatbot is publicly accessible. The incident highlights growing frustration among developers over the cost of mainstream AI coding tools.

5 min read · Published Jun 4, 2026

After ChatGPT’s viral success starting in late 2022, a legion of corporations jumped on the AI bandwagon by launching their own AI chatbots. More often than not, these were extremely limited, intended for customer support, product recommendations, and the like. But what if the AI powering those chatbots could be diverted for other, more productive purposes?

That’s precisely what’s been happening to Chipotle’s Pepper, a “concierge bot” launched on Facebook Messenger back in the summer of 2020, through which customers can place orders. Unlike many more recently launched corporate customer support chatbots powered by ChatGPT, Pepper uses an automated conversation algorithm called Amelia, built by software company IPSoft. Pepper started getting some attention online in March when inquisitive developers discovered that it would do much more than take burrito orders: it could respond to complex coding questions, and even write new Python code.

Things escalated when a developer named Maksim Soltan, who goes by the GitHub handle @Gonzih, reverse-engineered the backend protocol powering Pepper’s chat function to build a new, production-ready LLM that needs no API keys: “free inference via fast food,” as Soltan described it.

Inspired by Soltan, a Brooklyn-based “creative technologist” named Rob Dezendorf hardcoded Pepper’s API into OpenCode, a popular open-source AI coding platform, “slapped on Chipotle’s brand colors,” as he wrote on his project’s GitHub page, and introduced the world to ChipotlAI Max.

If the cases of developers using Pepper to write code from Chipotle’s website were like tailgaters who try to follow a game happening inside a sports arena from foldable chairs set up in the parking lot, Soltan and Dezendorf were more like fans who hacked into the city’s cable network, plugged it directly into their TVs, and watched the game from the comfort of their own home. “Seeing those other memes go viral sparked it,” Dezendorf told Gizmodo, “and then I was like, why don’t we just take this all the way to the extreme and put it straight into your [coding] program?”

Compute for the people

Dezendorf included a disclaimer on ChipotlAI Max’s GitHub page: “Not affiliated with Chipotle. They will probably sue us. Worth it.”

While Chipotle hasn’t sued Dezendorf (yet), the company did quickly go in and modify its product so that its API couldn’t be stolen again. But not before the word about ChipotlAI managed to spread online: as of early Thursday afternoon, it has a respectable 824 stars on GitHub, as well as dozens of “forks”—basically copies of the code that can be used for similar projects. According to Dezendorf, the short-lived project struck a chord with a coding community that’s sick of having to pay for mainstream AI coding tools. (Claude Code’s subscription tier, for example, starts at $20/month and quickly gets expensive with heavy use.) “It started as a joke, but I actually think there’s a weird truth to it,” he says. “There’s so much demand for compute, and people want so much AI power at their fingertips, but it’s just completely unaffordable…I think that’s why people are going crazy over it.”

A federal crime?

There was some speculation online earlier this week that ChipotlAI Max could be a violation of the federal Computer Fraud and Abuse Act (CFAA) of 1986, which prohibits unauthorized access to protected computer systems. Legal experts I interviewed for this story, however, find that highly unlikely, since Pepper and other corporate AI customer support bots are available to the public for free.

“It’s off-topic from what the company wants it to be used for, but…there’s no hacking involved, there’s no password-guessing, there’s no nefarious activity that one normally associates with [criminal] computer hacking going on,” says Joseph DeMarco, an attorney specializing in digital privacy and cybercrime. “It’s somewhat analogous to taking too many free samples at the Costco cheese spread display.”

Chipotle could conceivably take legal action against Dezendorf for violating its terms of use, which state that users may “not alter or modify” services offered by the company, “other than as may be reasonably necessary to use the Services for their intended purpose.”

Clearly, ChipotlAI falls outside the purview of Pepper’s “intended purpose,” which could hypothetically give Chipotle a legal leg to stand on. According to Yafit Lev-Aritz, an associate professor of law at Baruch College, “building a proxy that reroutes the chatbot into a third-party coding tool isn’t a modification made to facilitate any kind of customer support…That said, damages are difficult to quantify in ToS-based claims when the service is publicly available, and Chipotle’s costs aren’t meaningfully affected by the activity.”

“It’s definitely not legal”

Things get a little murkier, however, around Dezendorf’s promotion of ChipotlAI Max. On the project’s GitHub page, he paints it as more of a prank than anything else. (He told me he was hoping that Chipotle might be entertained by the whole thing, and reach out to him about kicking off a possible marketing collaboration; they haven’t.) But he also explicitly calls on other developers to pull similar stunts on other corporate AI chatbots. Under a section on that page titled “How to Contribute,” he provides a step-by-step guide for reverse-engineering the APIs of the customer support chatbots hosted by major corporations like Lowe’s, Home Depot, Sephora, and Expedia.

That “explicit framing as a replicable template,” according to Lev-Aritz, is where the real legal risk lies. “Dezendorf’s explicit invitation and the subsequent documentation of submissions establishes intent,” she says, which could help bolster a CFAA-violation case. “Each contributor who submits a new proxy becomes part of that scheme. It also multiplies the number of companies with legal standing and financial incentive to sue, and it really only takes one of them with sufficiently motivated in-house counsel to decide to make an example of it.”

Dezendorf himself, when I asked him about the possible legal ramifications of pirating corporate chatbots for “free inference,” was much warier than his apparent call to action on GitHub would lead one to believe. “It’s definitely not legal,” he said. “Don’t do what I do, don’t do as I say…but if you want to, that’s your choice.”
