by Margherita Barletta and Nicolò Ghibellini
Like the spectator who watches Shakespeare's Hamlet and is confronted with the narrative technique of theater within theater, already present in the works of classical antiquity by Plautus, those reading this article will be confronted with a similar scenario. In fact, although everyone is talking about it, writing about it, and making it the subject of videos and stories on social media, what does ChatGPT (hereafter also "Chat") answer if we ask how it treats our data? How does it stand with respect to the GDPR?
For the few who are not yet familiar with it, ChatGPT is an advanced language model developed by OpenAI that carries on a real written conversation between the user and the model. You can ask ChatGPT to write code, an article, or a poem; you can ask for advice on how to create an attractive profile, for recipes, or for historical and legal research. In short, you can ask any question...
Going into our analysis now: when accessing the platform, the first step we must go through before asking our most disparate questions is to authenticate or register. This means that some of our data are stored by OpenAI.
Right from the start, the interface provides some warnings/indications:
It then provides examples on how to best use the platform:
"Explain quantum computing in simple terms."
"Do you have any creative ideas for a 10-year-old's birthday?"
The Model Capabilities are well-defined:
Therefore, another piece of data that ChatGPT certainly collects is the history of our conversations.
Professionals and data protection experts noted early on the privacy risks that may be associated with big data processing and language models such as ChatGPT:
1. Excessive collection of personal information.
2. Misuse of collected information.
3. Interception or theft of information by third parties.
4. Invasive profiling; discrimination based on data analysis (1)
Recently, the Privacy Guarantor Guido Scorza (2) has spoken out about ChatGPT. While reassuring users, he pointed out that such technologies must be used with the understanding that they are a commercial product, and that it therefore cannot be ignored that IP addresses, e-mail addresses, and chat content are information that is being collected.
To join ChatGPT you can use your Google account. This means that Google will share your name, e-mail address, language preference, and profile picture with the openai.com app. On questioning ChatGPT about this, it responds that:
Asked how it stands with respect to the GDPR, the Chat replies:
In short, the model gives us reassurance about our privacy, but an open question remains: how much should we trust its answers?
Certainly, with more thorough and informed use, it will provide more answers. In the meantime, we must keep in mind that, as the Guarantor has suggested, ChatGPT is not our friend, so let's experiment with its use, but with caution.
(1) P. Mancino - Between Big Data and ChatGPT: new privacy risks and new responsibilities for Data Protection Officers, https://www.federprivacy.org/informazione/primo-piano/fra-big-data-e-chat-gpt-nuovi-rischi-sulla-privacy-e-nuove-responsabilita-per-i-data-protection-officer
(2) Health, love, work: how much are we telling Chat GPT-3 about us? - Talk by Guido Scorza, https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9842100