News outlets reported today that the FTC has opened an investigation into OpenAI for engaging in “unfair or deceptive privacy or data security practices” or “unfair or deceptive practices relating to risk of harm to consumers”. As reported, this sounds very much like the FTC’s other pursuits against various companies, but it is simply not that.
Poor Characterization
First, this investigation has been mischaracterized as being about “providing information that is wrong” about consumers. That is neither what the FTC’s letter says nor what OpenAI has ever promoted as a meaningful use of its tool. When attorneys in New York submitted a brief citing cases that did not exist, the AI was not implicated, because the language of the agreement makes clear that the text the engine generates is not guaranteed to be accurate and should not be relied on for anything important. Any investigation into “providing misinformation” would be stopped as soon as the FTC hit the rather extensive disclaimer in the terms of service. Deception cannot be inferred from output the company itself disclaims.
Privacy and data security are so often misunderstood and misreported for maximum drama that people trying to make informed decisions about these issues and their lives are only left more confused. That serves media outlets, not the FTC, not people working in AI, and especially not people working in privacy or security.
Unfair or Deceptive Privacy and Security Practices
Rather than the misuse of its output, the question is what data the engine has collected and how that data is being held and preserved. This is a significantly more interesting question, because what these engines pull down, and from where, determines how they must handle that data. If any data used to train the engine was collected under an agreement limiting its use to certain purposes, then using it for other purposes is an unfair or deceptive practice.
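To make the purpose-limitation idea concrete, here is a minimal sketch in Python. Everything in it is hypothetical: the record structure, the purpose tags, and the check are my own illustration, not anything OpenAI actually does.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    """A piece of collected data tagged with the purposes its source agreed to."""
    text: str
    permitted_purposes: set[str] = field(default_factory=set)


def usable_for(records: list[Record], purpose: str) -> list[Record]:
    """Return only the records whose collection agreement covers `purpose`."""
    return [r for r in records if purpose in r.permitted_purposes]


corpus = [
    Record("public blog post", {"search", "model_training"}),
    Record("support ticket", {"customer_service"}),  # collected for one purpose only
]

# Training on the support ticket would exceed its permitted purposes --
# exactly the mismatch that reads as an unfair or deceptive practice.
training_set = usable_for(corpus, "model_training")
assert len(training_set) == 1
```

The design point is that the purpose restriction travels with the data; if a record's provenance is lost before training, there is no way to run this check at all.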
Data security in this context is a strange beast. Words come out in strange combinations for whoever enters a prompt. The data may be regurgitated in seemingly random fragments or in entire chunks. However, information is information: any release of it would potentially constitute a security violation if it had been collected in confidence.
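As a toy illustration of what catching regurgitation might look like (my own sketch, not an actual audit tool), one could flag verbatim word sequences shared between a model's output and a confidential source:

```python
def shared_ngrams(output: str, confidential: str, n: int = 5) -> set[tuple[str, ...]]:
    """Return word n-grams that appear in both the model output and a confidential text."""
    def ngrams(text: str) -> set[tuple[str, ...]]:
        words = text.lower().split()
        return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}
    return ngrams(output) & ngrams(confidential)


# Hypothetical strings for illustration only.
secret = "the merger closes on march third pending board approval"
generated = "sources say the merger closes on march third pending review"

# Any hit means confidential text survived training and came back out --
# a release of information collected in confidence, however scrambled.
leaks = shared_ngrams(generated, secret)
print(leaks)  # e.g. {('the', 'merger', 'closes', 'on', 'march'), ...}
```

Of course, a real leak need not be verbatim; paraphrased disclosure is still disclosure, which is what makes "information is information" the right framing.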
The real question is whether every bit of data used to train the AI was “public” data, collected to be used and disseminated to the public. If OpenAI used any piece of information that was not public, then the FTC investigation could have teeth, and OpenAI, along with anyone who provided that non-public data, would be subject to FTC sanctions.
Risk of Harm to Consumers
This is the second question the FTC is investigating, and I expect it to bear far less fruit directly. However, if the first question is answered in the affirmative in any way, the risk of harm is the money shot: it is the element the FTC must prove to make anything stick. If OpenAI’s privacy and security practices are problematic but nobody was actually harmed, it is a tree falling in an empty forest.
This is a really difficult question to answer and is highly dependent on what kind of data misuse (if any) they find in the first question. We shall see.
___
Disclaimer: I attempted to use ChatGPT for sections of this article, but since the AI could only generate gushing, glowing reviews of AI, I found it inappropriate for what I was trying to convey.