Chatbots are all the rage right now. They have been the subject of numerous investigations News articles And countless Twitter posts, and many companies are investing billions of dollars to further develop the technology. We’ve only reached the tip of the iceberg, but chatbots and other generative AI tools are here to stay and will inevitably revolutionize the way we interact with technology and each other.
While AI and machine learning aren’t new, generative AI is different because it’s already embedded in consumer culture. Instead of companies using AI and machine learning to improve their products and services behind the scenes, chatbots and other AI tools are used by consumers for everyday use. This is already leading to unintended consequences. For example, some Departments of Education banned chatbots because they believe their use will lead to negative educational outcomes for students. At the same time, in the context of recruitment, chatbots play an active role in the hiring process, affecting both job seekers and HR personnel who may be replaced by these systems. Unresolved societal issues related to the spread of AI are evolving as rapidly as the technology itself.
The growth of chatbots and associated AI tools may have unintended consequences for consumer privacy. Data collection is essential to the development of AI tools. Chatbots in particular dump users billions of data points online to train and update their predictive language models. In fact, if you ask ChatGPT what information it uses, it will tell you that it “trained itself on a large set of textual data, consisting of billions of words, phrases, and sentences”, which included “a variety of text sources including books, articles, websites and other digital content. » « . In terms of sources, the latest update to ChatGPT, GPT-4, is said to have been formed using publicly available data (including internet data), as well as data licensed by the developers.
When asked, ChatGPT insists that it does not have any personal information about users. But the reality is more complex, in part because the rules governing personal information are changing almost as fast as AI technology itself. New privacy laws that will come into effect, such as the California Privacy Rights Act, apply an expanded definition of personal information, which includes inferences a company may make about a consumer for profiling purposes. This expanded definition is important because it shows how even publicly available information that may not be covered by relevant privacy laws can create potential privacy issues.
For example, the more I use a particular chatbot, the more it will learn about me. This is the nature of artificial intelligence. Of course, he will deal directly with the information I provide, but he can also theoretically make some well-informed assumptions about me. These assumptions may be based on my age, gender, occupation, interests, and the billions of additional data points I have processed about other potentially similar users. This information is valuable because it is exactly the type of deterministic data that advertisers rely on for targeting purposes. If chatbots and related AI tools become truly mainstream, they could provide advertisers with a wealth of new information to deliver personalized ads that are potentially more accurate than the types of data they currently use. This leads to some potential benefits for consumers, but it also exacerbates any concerns we might have about the targeted advertising model in general, an area that has already come under scrutiny from regulators in the Protection of private life.
There are also potential privacy concerns regarding what a generative AI tool can tell a user about other people. For now, at least in theory, a chatbot would not give out non-public information about another person if asked. But one can easily imagine a scenario in which a company develops a chatbot that is not bound by the same restrictions. Similar to how a chatbot can make prescriptive inferences about its users, it can also make the same assumptions about any individual on the internet using their likes, tweets, comments, and other publicly accessible data points. audience. Then there’s the “me, bot” scenario, where a potentially malicious actor can use a chatbot to steal passwords and other sensitive data for illegitimate purposes. These are just some of the potential data protection issues posed by the rise of generative AI.
To be clear, the Privacy Act already contains some rules that apply to these matters. There are standards for what is and is not personal information, i.e. specific definitions of anonymous, aggregated and publicly available information should be considered. When processing personal information, notice, consent, contract and a host of other requirements may apply. There are additional regulations for specific use cases, such as targeted advertising and automated decision-making. There are also obligations relating to data security of personal information and laws that apply when certain categories of information are breached.
While current data privacy laws offer at least some form of consumer protection regarding this emerging technology, we have an opportunity to proactively address the unique privacy implications of generative AI before it happens. no longer become embedded in our daily lives. Instead of regulating from behind, as we’ve tried to do with targeted advertising, we can set rules upfront about the use of data and the purposes of generative AI. This approach might alleviate some unexpected concerns we might have with this technology, at least from a privacy perspective.
However, while we agree that proactively addressing privacy issues in generative AI is the right approach, there remain questions about implementation. For example, who should take the initiative to organize on this issue? Should the rules come from the US Congress, or should the states lead, as they have done with sweeping privacy proposals? Is this an area that the US Federal Trade Commission needs to address with its rules in the future, or should we rely on industry self-regulation as is the case in targeted advertising space ? There are also range issues. Should AI-related privacy issues be dealt with under general privacy regulation, for example through laws such as the CPRA, or should we have separate rules for AI in order to deal specifically with all the potential problems linked to this technology, as has been suggested In Europe and Canada?
These are just a few of the many questions that will shape the debate around the regulation of generative AI. If these conversations happen sooner rather than later and lead to the development of an appropriate regulatory framework, we will be able to integrate this evolving technology into our daily lives while being comfortable with the associated risks, including including those related to consumer privacy.
