ChatGPT's Privacy Problem

A technical paper from OpenAI revealed that millions of pages scraped from the web, Reddit posts, books, and more were used to train the large language model GPT-3, which offered a glimpse of the data used to train it when it was released in July 2020. However, the personal information of millions of Italians included in the training data has now gotten OpenAI into trouble. Italy’s data regulator, Garante per la Protezione dei Dati Personali, issued an emergency decision on March 31 demanding that OpenAI stop using the personal information.

According to the regulator, OpenAI does not have the legal right to use people’s personal information in ChatGPT. OpenAI has responded by blocking access to its chatbot in Italy while it provides responses to the officials who are investigating the matter. This is the first action taken against ChatGPT by a Western regulator and highlights privacy tensions surrounding the creation of giant generative AI models, which are often trained on vast swathes of internet data.

Just as artists and media companies have raised concerns about generative AI developers using their work without permission, data regulators are now also raising concerns about the use of people’s personal information without proper consent. Similar decisions could follow across Europe as data regulators in France, Germany, and Ireland have contacted Italy’s Garante for more information on its findings. The head of international at Norway’s data protection authority has also expressed concerns about the legality of models built on unlawfully collected data.

The Italian regulator’s decision highlights more immediate concerns about the potential shortcomings of AI development to date, which is in addition to the increasing scrutiny of large AI models like ChatGPT. Europe’s GDPR rules protect the data of more than 400 million people across the continent and cover the way organizations collect, store, and use people’s personal data. GDPR’s protections apply even if people’s information is freely available online. Italy’s Garante believes that ChatGPT has several problems under GDPR, including a lack of age controls, inaccurate information provision, failure to inform people about data collection, and no legal basis for collecting people’s personal information in the data used to train ChatGPT.

Lilian Edwards, a professor of law, innovation, and society at Newcastle University in the UK, notes that the Italians have exposed OpenAI’s breach of data protection law. She explains that for a company to collect and use people’s information under GDPR, they must rely on one of six legal justifications, such as getting people’s consent or arguing it has “legitimate interests” to use people’s data. In this case, OpenAI did not obtain people’s consent or successfully argue “legitimate interests” to use their data, which is “very hard” to do, according to Edwards.

OpenAI’s privacy policy does not specify its legal reasons for using people’s personal information in training data but mentions relying on “legitimate interests” when developing its services. However, the company did not respond to WIRED’s request for comment. Unlike GPT-3, OpenAI has not made public the training data used for ChatGPT, and GPT-4 is believed to be much larger.

The technical paper for GPT-4 includes a privacy section stating that its training data may include “publicly available personal information” from various sources. OpenAI takes steps to protect people’s privacy, such as fine-tuning models to stop people from asking for personal information and removing personal information from training data “where feasible.”

Jessica Lee, a partner at law firm Loeb and Loeb, emphasizes that collecting data lawfully for training data sets is a critical issue that needs to be solved as AI technology becomes more sophisticated. The action taken by the Italian regulator against OpenAI and the Replika chatbot may be the first of many cases examining OpenAI’s data practices.

GDPR allows companies with a base in Europe to nominate one country to handle all of their complaints, but OpenAI does not have a base in Europe. Therefore, under GDPR, individual countries can open complaints against it. According to experts, the concerns raised by the Italian regulator regarding OpenAI are likely to be relevant to the development of all machine learning and generative AI systems. Although the EU is in the process of developing AI regulations, there has been little action taken to address privacy concerns related to the development of machine learning systems.

Elizabeth Renieris, a senior research associate at Oxford’s Institute for Ethics in AI and author on data practices, suggests that there is a fundamental issue with the technology itself, which may be difficult to resolve. Many data sets used for training machine learning systems have existed for years, and there were likely few privacy considerations when they were initially created.

Renieris notes that there is a complex supply chain of how the data ultimately makes its way into systems like GPT-4, with little to no data protection by design or default. In 2022, the creators of a widely-used image database suggested that images of people’s faces should be blurred in the data set. In Europe and California, privacy rules allow individuals to request that information be deleted or corrected if it is inaccurate. However, deleting inaccurate data from an AI system may not be straightforward, especially if the origins of the data are unclear. Experts question whether GDPR will be effective in upholding people’s rights in the long term, given the lack of provisions for large language models.

Although there has been at least one relevant instance where a company was ordered by the US Federal Trade Commission to delete algorithms created from unauthorized data, with increased scrutiny, such orders could become more common. However, it may be difficult to fully clear AI models of all personal data used to train them, especially if the data was unlawfully collected.

Go to Source
Author: Matt Burgess

Explore

Connect

Connect with Miss Rumbie

ChatGPT’s Privacy Problem

You’ll Also Love