Like us, Nixon Peabody attorney Leslie Hartford has been following the news about ChatGPT. We're excited to have Leslie on A Little Privacy, Please!® to get her insights on the wave of generative AI tools hitting the market. More importantly, we discuss the privacy issues raised by ChatGPT and the pitfalls businesses must watch for.
Let’s start with the basics. What is ChatGPT?
ChatGPT is an artificial intelligence, or AI, tool. It was brought to market by a company called OpenAI, and its current version, GPT-4, is the fourth generation of OpenAI's model; it came out earlier in the spring. What's interesting about a generative AI tool is that, as the name suggests, it generates content. It doesn't simply aggregate material that is given to it. It is trained on the data it is provided with, and based on that data, it responds to user prompts.
Italy recently banned ChatGPT. What was the primary concern there?
Italy's data privacy authority, the Garante per la Protezione dei Dati Personali (GPDP), banned ChatGPT in March 2023, citing violations of several General Data Protection Regulation (GDPR) principles. The main one is the GDPR principle that just because data is public doesn't mean it isn't protected, and that principle can easily get companies in trouble. OpenAI trained ChatGPT by scraping the internet and sourcing publicly available data so the tool could respond to user prompts. But some of the information used to train the tool is protected, and according to the Garante, OpenAI did not have a legally permissible reason to collect and use that data.
What other data privacy concerns are there about ChatGPT or similar AI programs?
ChatGPT works from what are called user prompts; that is, a user goes to the tool and asks it to do something. Those prompts can contain sensitive information.
For example, if a user goes into ChatGPT and says, "Give me a chocolate chip cookie recipe," a chocolate chip cookie recipe is not terribly confidential. But when the user goes in and says, "This is my source code. I'm having trouble figuring out what's going wrong with it," that user is feeding sensitive information into the tool.
Similarly, some users are using AI tools to generate agreements or legal documents, and in doing so, they are providing client names, addresses, and financial information. Once information is provided to ChatGPT, it goes into the same database as the training information. That creates a cycle of sensitive information: ChatGPT can receive new sensitive information and then use it to respond to the next person who asks it to generate something.
What should companies or organizations consider when advising their employees on using ChatGPT?
There's a concern with the information that ChatGPT collected to train itself, and then there are also issues with the information now being provided to ChatGPT. Most companies or institutions can only really address the latter: they can control what their people are giving to ChatGPT and stay aware of what sensitive and protected information employees are providing. Are they putting in client information? Are they putting in financial information? Any information that goes in is now out there for any ChatGPT user to see.
The other thing to think about is that ChatGPT is an automated tool. It's not perfect, and it can be wrong. There's no good way to tell whether the output you've received is correct, because no sources are cited. There is a real danger in outsourcing work to, or brainstorming with, a tool whose underlying information you can't verify.