By Aryaman Keshav
Introduction
Apple unveiled its most recent venture in technology with its own Artificial Intelligence (AI), ‘Apple Intelligence’ in June 2024. The integration with AI will allow Apple’s voice assistant, Siri, to be backed by OpenAI’s ChatGPT. This partnership with OpenAI will enable Apple’s iOS to roll out new features like AI writing tools, suggested replies in the Messages app, email summarization, phone call transcription and a deeper integration with the device as a whole.
This has raised privacy concerns however, Apple has christened this integration as a usherer of a “new standard of privacy in AI.” Apple clarified that users’ data will neither be stored by Apple nor by OpenAI. This is being touted as the key difference from using ChatGPT on its own. When used directly, OpenAI’s servers store the data that has been input, however, with the integration with Apple, there will be no intermediary and Apple will act as a “privacy focused middleman.” Further, the users will be able to revoke their access to ChatGPT at any point at their will. The users will not be coerced into making an account as well.
However, these claims are difficult to believe at face value. In a research undertaken at Aalto University, Finland, it was found that keeping your iPhone, MacBook and iPad personal data hidden from Apple is “virtually impossible.” For instance, ‘enabling’ Siri on an iPhone only pertains to the voice assistant feature of Siri. Siri automatically gathers data from other apps that are used in the background, unless the user knows how to specifically deactivate it. Even if the data is anonymized and encrypted end-to-end before being sent to its servers or ChatGPT, experts believe that there is a risk of that data being tracked back to the user.
The privacy concerns have heightened currently owing to the fact that since its inception, OpenAI has elicited grave apprehensions regarding data privacy.
OpenAI & Concerns with Data Privacy
GPT-3 using machine learning algorithms stores information of almost a trillion words available on the internet and digital books including people’s personal information. On 31st March 2023, the Italian data regulatory authority, Garante per la Protezione dei Dati Personali, ordered OpenAI to stop utilizing the personal data of Italian citizens to train its database. The Regulator stated that OpenAI does not possess the legal authorization required to access the information of Italian citizens. Consequently, OpenAI had to restrict access to its chatbot for Italian users.
From the Italy incident, it can be inferred that regulatory bodies have become alert to the potential harm unrestricted AI can cause and are increasingly scrutinizing and enforcing data protection laws. The states want OpenAI to adhere to their domestic laws and obtain explicit legal authorization to use personal data of the citizens. In the same vein, it can be inferred that failure to meet regulatory compliance has the potential to cause severe operational interruptions, such as blocking access to services.
Moreover, AI has also been accused of stealing the artwork of multiple artists. In Sarah Andersen v. Stability AI Ltd. (2023) three artists filed a class action against the use of Stable Diffusion alleging that Stable Diffusion was “trained” on their works of art without their permission. Suits of a similar nature have been filed by Comedian Sarah Silverman and Author Jodi Picoult. All these cases raise significant concerns when it comes to not only personal data but also professional commercialized data being accessed without the approval of the person involved. It is a grim reflection of the harrowing effects on digital data privacy that AI can have if left unregulated.
Further, in a complaint filed by the European Center for Digital Rights against OpenAI, the complainant stated that OpenAI cannot selectively block information on its database. In Google Spain vs. AEPD and Mario Costeja González (2014), the European Court stated that persons in the European Union have the right, under certain situations, to seek the removal of their personal information from search results and public records databases. Further, in the complaint it was also alleged that OpenAI does not know where the data it has stored came from or what data ChatGPT stores about individual persons. Therefore, not only can AI access personal data without authorization, but once the data is stored, it cannot be deleted as well. This constitutes a breach of the right to be forgotten (RTBF) by OpenAI, as they retain the personal data of the users but fail to selectively block personal information.
In a class action suit against OpenAI, the complainant alleged that OpenAI violates the right to privacy of every individual on the internet stating that even information that is not intended for public viewing cannot escape the surveillance of ChatGPT. The complaint further added that by incorporating ChatGPT in third-party platforms, OpenAI acquired unprecedented, uncontrolled, real-time access to the activities of a user including every search query, browser activity and other types of personal data.
This allegation is bolstered by the recent claims that ChatGPT will revolutionize health care as hospitals and other health care facilities aim to integrate ChatGPT in the clinical setting. It can be understood that when a person put their health-related symptoms and medical queries in the chat box of ChatGPT, that data can be used to “train” the AI in order to improve its performance. In the same vein, when hospitals start integrating ChatGPT in a clinical setting it is inevitable that the patients’ confidentiality will be severely undermined leading to drastic risks such as misinformation and misdiagnosis, cybercrime etc.
In another similar complaint filed against OpenAI it was argued that by allowing ChatGPT to collect, store and analyze highly individualized, personal data ranging from photos to habits and preferences, OpenAI facilitates the production of a genre of audios and videos termed as ‘deepfakes’ which can create lifelike audiovisual clones of an individual which can then be used to spread misinformation, exploit other people and even use the likeliness to access private data, as was seen in Hong Kong when a finance worker was deceived into transferring $25 million to the perpetrator who made use of the deepfake technology to impersonate the company’s chief financial officer during a video call conference.
Analysis of Privacy Protection as per Indian Laws
Amidst these apprehensions, India’s Digital Personal Data Protection Act, 2023 (DPDPA) is responsible for protecting the personal data of individuals within and outside India if the Data Fiduciary caters to Indians. A Data Fiduciary is any person who decides how and why any personal data is to be processed and in this case, it can be said that OpenAI is a Data Fiduciary.
Further, Section 3(c) of DPDPA specifies that it does not cover digital personal data that the user, to whom the personal data pertains, has made or caused to be made publicly available. The Act also doesn’t define the criteria for what constitutes the data that individuals have “made publicly available”. For example, while using ChatGPT, it could be assumed that more often than not, a user is consenting to making their query public. However, it is difficult to assert that the user is also consenting to make their IP address publicly available, which is stored by ChatGPT. Further, ChatGPT also states that to meet their business operation needs, they may provide a user’s Personal information to third parties without notifying them of the same can negatively impact user privacy by exposing personal information to third parties.
OpenAI currently uses data that is publicly available to train ChatGPT and does not need Indian citizens’ consent to scrape their personal data. However, restrictions do apply when ChatGPT and other language models have to access data which isn’t made publicly available by the user. OpenAI would have to obtain explicit and informed consent from the users before processing the data.
Furthermore, in the case of a breach of personal information, the Data Fiduciary must alert the user. This is significant given that between June 2022 and May 2023, over 100,000 OpenAI ChatGPT account credentials were traded on the dark web. Since ChatGPT is not required to adhere to the data breach provisions while handling publicly available personal data, the level of protection is consequently lower.
The ambiguity surrounding what constitutes publicly available data and the potential for unauthorized sharing of personal information highlights the necessity for more robust legal frameworks and user consent mechanisms. The DPDPA stipulates asking for explicit consent but AI frequently entails complex, dynamic, and unpredictable data processing activities that may not be fully comprehended or anticipated by either users or service providers like OpenAI. This complexity adds another layer of difficulty to ensuring data protection and privacy. This unpredictability presents significant challenges for compliance with data protection laws and maintaining user trust.
Conclusion
There is no debate on the fact that AI is the future of technology. What initially emerged as a simple chatbot has now become integrated in almost all facets of humankind including household appliances, automobiles, and healthcare. With each new application, AI becomes increasingly embedded in our routines, gaining greater access to personal aspects of our lives. This growing integration, however, raises significant concerns regarding the protection and privacy of an individual’s personal data. OpenAI has been brought under scrutiny on numerous occasions on the question of storing and dealing with the personal data of users. DPDPA is a commendable step towards the protection of personal data in India. However, what data privacy laws in India need more urgently is specificity. Specific regulations concerning data scrapping and protection of publicly available data are essential to address the nuanced challenges posed by AI.
References:
- Snodgrass, E. (2024, June 12). Apple will let users opt out of CHATGPT integration. it’s a “brilliant” move to calm mounting AI privacy concerns, analyst says: Business Insider India. Business Insider. https://www.businessinsider.in/tech/news/apple-will-let-users-opt-out-of-chatgpt-integration-its-a-brilliant-move-to-calm-mounting-ai-privacy-concerns-analyst-says/articleshow/110925080.cms
- O’Flaherty, K. (2024b, August 24). Apple intelligence is coming. here’s what it means for your iPhone. The Guardian. https://www.theguardian.com/technology/article/2024/aug/24/apple-intelligence-iphone-ios-18-siri-chat-gpt-launch.
- Tiainen, M. (2024, March 26). Keeping your data from Apple is harder than expected. Aalto University. https://www.aalto.fi/en/news/keeping-your-data-from-apple-is-harder-than-expected.
- Garante Per La Protezione Dei Dati Personali. Provision of 30 March 2023 [9870832].https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9870832.
- Sarah Andersen v. Stability AI Ltd. (https://copyrightlately.com/pdfviewer/andersen-v-stability-ai-order-on-motion-dismiss/?auto_viewer=true#page=&zoom=auto&pagemode=none 2023).
- nyob – European Center for Digital Rights v. OpenAI OpCo, LLC. (https://noyb.eu/sites/default/files/2024-04/OpenAI%20Complaint_EN_redacted.pdf).
- Chen, H., & Magramo, K. (2024, February 4). Finance worker pays out $25 million after video call with Deepfake “chief financial officer.” CNN. https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html.
- Privacy policy. OpenAI. (n.d.). https://openai.com/policies/privacy-policy/.
- Southern, M. G. (2023a, June 21). Massive leak of chatgpt credentials: Over 100,000 accounts affected. Search Engine Journal. https://www.searchenginejournal.com/massive-leak-of-chatgpt-credentials-over-100000-accounts-affected/489801/.
