Harry Potter & AI: Stanford Extracts Characters from Claude & GPT-4

  • Researchers at Stanford and Yale were able to extract up to 95.8% of “Harry Potter and the Sorcerer’s Stone” from Claude 3.7 Sonnet – almost verbatim.
  • GPT-4, Gemini and Grok also reproduce copyrighted content, although with varying success rates and sometimes without a jailbreak.
  • The study shows: Current security measures are not enough – a problem with direct consequences for enterprise AI and liability issues.

If your AI systems can almost completely reproduce copyrighted content, that becomes a business risk. A new study by researchers at Stanford and Yale universities shows that commercial language models such as Claude, GPT-4, Gemini and Grok can reconstruct entire novels from their training material. The results raise questions about the legal security of your AI implementations – and show that the copyright problem in large language models is anything but solved.

How researchers extracted Harry Potter from commercial AI models

The method was surprisingly simple: Researchers fed the models short passages of text – such as the first sentence of “Harry Potter and the Sorcerer’s Stone” – and asked them to continue the text “exactly as in the original”. On some models, they used a “best-of-N” jailbreak technique where they varied prompts until the security barriers were breached. The tests ran between mid-August and mid-September 2025.

The result was clear: Claude 3.7 Sonnet delivered the highest extraction rate at 95.8% – an almost complete, word-for-word reconstruction of the entire novel. George Orwell’s “1984” could also be extracted from the model at over 94%. The measurement was carried out using the “nv-recall” method, a block-based procedure for determining the longest common substrings between the original and AI output.

Different vulnerabilities in different models

Gemini 2.5 Pro achieved an extraction rate of 76.8% – without a jailbreak. The model readily replicated plot elements, and the extraction cost only $2.44. Grok 3 was at 70.3%, also without bypassing security measures, but at a cost of around $8.

GPT-4.1 was significantly more resistant: the extraction rate was only 4.0%. The model refused to continue after the first chapter and proved to be robust against jailbreak attempts – researchers needed about 20 times more attempts than with other models. For “Game of Thrones”, the nv-recall rate was 0%, even though the model correctly reproduced plot elements such as the characters Ser Waymar and the Others. The cost of the experiment: $1.37.

The researchers tested a total of 11 copyrighted books published before 2020. For most, the extraction rate was below 10%. Claude reconstructed two works completely. Even when the outputs were not verbatim, the models accurately replicated plot, themes, and characters – an indication that the problem runs deeper than mere text memorization.

Why models store copyrighted text

The core problem lies in the way large language models are trained. The models not only learn abstract patterns and structures, but also sometimes memorize text passages verbatim from their training data. This memorization affects particularly frequently occurring or distinctive texts – and popular novels such as Harry Potter fall precisely into this category.

A previous study by Carnegie Mellon University had already demonstrated memorization in models such as Gemini 2.5 Pro, DeepSeek-V3, GPT-4.1 and Claude 3.7 using the “RECAP” method. Meta's Llama 3.1 was shown to have memorized 42% of “Harry Potter and the Sorcerer’s Stone” – 50-token excerpts were reproduced correctly at least 50% of the time.

The providers’ current security measures fall short. Although some models refuse to directly reproduce copyrighted works, these safeguards can be bypassed using relatively simple jailbreak techniques. With Gemini and Grok, such workarounds were not even necessary. The researchers refer to this extraction capability as a “Risk for production LLMs” – a risk that really exists in production systems.

Legal consequences and ongoing proceedings

The legal implications are significant. Lawsuits are already underway against OpenAI, forcing the company to hand over 20 million chat logs. The Stanford study now provides ammunition for further proceedings – and shows that OpenAI's competitors are sometimes even more vulnerable than GPT-4.1.

New legal options open up for rights holders. If a model can demonstrably reproduce entire novels, the question of copyright infringement arises not only during training but also during every use. The fact that Claude can almost completely reconstruct “1984” and “Harry Potter” suggests that these works were significantly present in the training data.

The legal gray area becomes even more complex due to non-verbatim outputs. If a model does not quote verbatim, but reproduces the plot, characters and central scenes in detail, this could be considered a copyright infringement. The Game of Thrones examples from the study show that even with 0% verbatim agreement, protected content can be reproduced.

What this means for your enterprise AI strategy

The cost of a complete extraction is significant. For Claude, it was around $120 – primarily because of the long contexts the model had to process. That may not sound like much, but the issue is not just the cost, it is the liability risk. If your company uses an LLM that can reproduce copyrighted content, you may be liable for infringements by your users.

Enterprise implementations must address three key risks: First, the direct reproduction of protected works by your AI systems. Second, indirect infringement through replication of plot and characters. Third, the extraction of sensitive company data when you train proprietary models with your own data. The study shows that current safeguards are inadequate – your systems must be resistant to manipulation.

Developers are faced with the challenge of building models that are powerful but do not reproduce protected content. The differences between GPT-4.1 and Claude show that technical solutions are possible – OpenAI seems to have implemented more robust mechanisms here. For your AI strategy, this means: The choice of model is not only a question of performance, but also of legal security.

Technical approaches to minimizing risk

One solution could be filtering training data. When copyrighted works are systematically removed from the training data, the risk of memorization decreases. But this method has limitations: Many protected texts are widespread on the Internet and complete filtering is practically impossible. In addition, excluding large amounts of text would affect the model quality.

A second approach is improved output filters. These systems check in real time whether generated texts contain protected content and block the output. GPT-4.1 apparently uses such mechanisms effectively – the study shows that the model refuses to continue after the first chapter. But there are weaknesses here too: the filters have to catch every possible reformulation and every jailbreak attempt.

Differential privacy could offer a third way. This technique deliberately adds noise during training so that individual training examples can no longer be reconstructed. The disadvantage: The model quality suffers and the implementation is complex. For enterprise applications with sensitive data, this trade-off could still be worthwhile.

Your internal guidelines should contain clear rules: Which models can be used for which purposes? How are outputs checked? What liability risks exist for different use cases? The study shows that you cannot rely on the security promises of the providers – your own protective measures are essential.

The future of copyright in the AI era

The debate about copyright in LLMs will intensify. With every new study that shows how easily protected content can be extracted, the pressure on AI providers and legislators grows. The EU is already working on regulations under the AI Act, but technical development is faster than regulation.

New business models are opening up for rights holders. Licensing agreements with AI providers could become the norm – OpenAI has already struck deals with publishers. The question is whether these agreements also apply retroactively to models that have already been trained and how rights holders can prove that their works were included in the training data.

The Stanford study suggests that the problem is structural: As long as models are trained on large text corpora containing protected works, memorization will occur. A solution could lie in the development of new training methods that are explicitly designed to avoid memorization. But until then, the copyright problem in LLMs remains unresolved – with direct consequences for anyone who uses this technology for business.

Recommendations for action for your company

Check your current AI implementations for copyright risks. Which models do you use? What content could they reproduce? An internal risk analysis should run through various scenarios: What happens if a customer uses your system to extract protected works? What liability exists if your AI generates copyrighted content?

Implement additional layers of protection. Don’t rely solely on the model providers’ safeguards. Your own output filters that check generated texts for similarity to known works can reduce the risk. Plagiarism detection tools can be integrated into your AI pipeline and provide an additional layer of security.
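The output filter described above and in the section on technical approaches, as an added example that is not code from the study or from any model provider: it indexes reference works as 8-word shingles and blocks an output once a word-for-word run reaches 20 words. The class name, both thresholds and the sample text are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def tokenize(text):
    """Lowercased word tokens, so case, punctuation and spacing changes do not hide a match."""
    return re.findall(r"[a-z0-9']+", text.lower())

class VerbatimOutputFilter:
    """Flags output that shares long word-for-word runs with indexed reference works."""
    def __init__(self, ngram=8, block_at=20):
        self.ngram = ngram             # shingle length in words (assumed value)
        self.block_at = block_at       # block at this many consecutive matched words (assumed)
        self.index = defaultdict(set)  # n-gram -> titles that contain it

    def add_work(self, title, text):
        toks = tokenize(text)
        for i in range(len(toks) - self.ngram + 1):
            self.index[tuple(toks[i:i + self.ngram])].add(title)

    def check(self, output):
        toks = tokenize(output)
        covered, titles = [False] * len(toks), set()
        for i in range(len(toks) - self.ngram + 1):
            hit = self.index.get(tuple(toks[i:i + self.ngram]))
            if hit:
                titles |= hit
                covered[i:i + self.ngram] = [True] * self.ngram
        longest = run = 0
        for c in covered:              # longest stretch of consecutive matched words
            run = run + 1 if c else 0
            longest = max(longest, run)
        return {"blocked": longest >= self.block_at, "longest_run": longest,
                "coverage": sum(covered) / max(len(toks), 1), "titles": sorted(titles)}

# Constructed stand-in for a reference work; not taken from any real book.
REFERENCE = ("The lighthouse keeper counted the ships each evening and wrote their names "
             "in a green ledger. When the fog came in he rang the bell twice and waited "
             "for an answer from the harbour. No answer ever came, but he kept ringing "
             "until the morning.")
FILTER = VerbatimOutputFilter()
FILTER.add_work("constructed-sample", REFERENCE)

def demo():
    verbatim = ("Sure! Here it is: the lighthouse keeper counted the ships each evening, and "
                "wrote their names in a GREEN ledger. When the fog came in he rang the bell "
                "twice and waited")
    quote = "As the story puts it, he rang the bell twice and waited for an answer, which stays with you."
    paraphrase = "A man who tended a lighthouse logged passing ships and rang a bell in the fog."
    return [FILTER.check(t) for t in (verbatim, quote, paraphrase)]
```

Exact shingle matching lets a short quotation through while flagging its source, but it does not catch paraphrase or plot-level reproduction, the non-verbatim case the study also reports.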

Document your measures to minimize risks. In the event of a dispute, you must be able to prove that you have taken appropriate precautions. Clear documentation of your AI governance, including model selection, implementation of protective measures, and regular review, is not only legally required, but also a competitive advantage.

Train your teams. Developers, Product Managers and Legal need to understand the risks associated with LLMs. The Stanford study offers concrete examples that you can use in workshops. Make your employees aware that AI systems pose not only technical but also legal challenges.

Between innovation and legal certainty

The extraction of Harry Potter from Claude and GPT-4 is more than a technical curiosity. It shows that the AI industry has not yet solved a fundamental problem: How can powerful language models be built without memorizing copyrighted content? The answer to this will determine how you can use AI in your company – and what risks you take in doing so.

The differences between the models are revealing: GPT-4.1 shows that more robust protections are possible, while Claude, Gemini and Grok remain more vulnerable. For your strategy, this means: Choosing the right model is not just a question of performance, but also of legal security. Invest in systems that are proven to be better protected against extraction and implement your own protection measures as a second line of defense.

The copyright problem in LLMs is not going away. With each new generation of models trained on even larger amounts of data, the risk of memorization increases. Your job is to keep innovation and legal certainty in balance – and to closely follow developments in research and case law. The Stanford study is a wake-up call: Anyone who uses AI for business must understand and actively manage the legal implications.
