A Norwegian man said he was horrified to discover that ChatGPT outputs had falsely accused him of murdering his own children.
According to a complaint filed Thursday by European Union digital rights advocates Noyb, Arve Hjalmar Holmen decided to see what information ChatGPT might provide if a user searched his name. He was shocked when ChatGPT responded with outputs falsely claiming that he was sentenced to 21 years in prison as “a convicted criminal who murdered two of his children and attempted to murder his third son,” a Noyb press release said.
From the GDPR’s standpoint, I wonder if it’s still personal information if it is made up bullshit. The thing is, this could have weird outcomes. Like for example, by the letter of the law, OpenAI might be liable for giving the same answer to the same query again.
They can just put in a custom regex to filter out certain things. It’ll be a bit performative since it does nothing to stop novel misinformation, but it would prevent it from saying what it’s legally required not to say.
Well, it wouldn’t really, it would say it and just hide it under a message saying it violates boundaries. It’s all a bunch of performative bullshit, actually.
For example, the things it’s required not to say would actually be perfectly fine in the realm of fiction or satire or a game of Simon says, but that’ll be disallowed, as well, because the model can’t actually tell the difference.
then again
The made up bullshit aside, this should be a quite clear indicator of an actual GDPR breach
Maybe he has a insta profile with the name of his kids in his bio
How would that be a GDPR breach?
Irrelevant. The data being public does not make it up for grabs.
They store his personal data without his permission.
also
Storing it badly, does not make them excempt.
If you run an chatbot with with integrated web search, it garbs that info as a web crawler does, it does not mean that this data really is in the “knowledge/statistics” of the AI itself.
Nobody stores the information if it is like this, it is only temporary used to generate that specific output.
(You can not use chatGPT without websearch on chatgpt domain (only if you self host, or use a service like DDG))
That is another great question. If it is transformative use of the primary data source, then that is likely illegal, as nobody gave permission for them to transform and process that personal data. If it is not transformative, and it just gives access to the primary source like a search engine on the other hand, then the problem is that if it returns copyrighted data, it is no longer fair use most likely.
That’s a good point, that muddies the waters a bit. Makes it hard to say wether it’s spouting info from the web or if it’s data from the model.
I can’t comment on actual legality in this case, but I feel handling personal data like this, even from the open web, in a context where hallucinations are an overwhelming possibility, is still morally wrong. I don’t know the GDPR well enough to say wether it covers temporary information like this, but I kinda hope it does.
Lol, I definitely hope not 🤪 imagine a web without search engines, with GDPR counting for temporary information as well, it would not be feasible to offer.
hmm, true enough. But in my mind there’s a clear difference between showing information unedited and referring to its source, and this.
And it’s llm owners problem to figure out how to fix