A complaint lodged by privacy advocacy group Noyb with the Austrian data protection authority (DSB) alleged that ChatGPT's generation of inaccurate information violates the European Union’s privacy regulations. The Vienna-based digital rights group Noyb, founded by known activist Max Schrems, said in its complaint that ChatGPT's failure to provide accurate personal data and instead guessing it, violates the GDPR requirements. Under GDPR, an individual's personal details, including date of birth, are considered personal data and are subject to stringent handling requirements. The complaint contends that ChatGPT breaches GDPR provisions on privacy, data accuracy, and the right to rectify inaccurate information. Noyb claimed that OpenAI, the company behind ChatGPT, refused to correct or delete erroneous responses and has withheld information about its data processing, sources, and recipients. Noyb's data protection lawyer, Maartje de Graaf said, "If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around." Citing a report from The New York Times, which found that "chatbots invent information at least 3% of the time - and as high as 27%," noyb emphasized the prevalence of inaccurate responses generated by AI systems like ChatGPT.

OpenAI’s ‘Privacy by Pressure’ Approach

Luiza Jarovsky, chief executive officer of Implement Privacy, has previously said that artificial intelligence-based large language models follow a "privacy by pressure" approach. Meaning: “only acting when something goes wrong, when there is a public backlash, or when it is legally told to do so,” Jarovsky said. She explained this further citing an incident involving ChatGPT in which people's chat histories were exposed to other users. Jarovsky immediately noticed a warning being displayed to everyone accessing ChatGPT, thereafter. Jarovsky at the beginning of 2023, prompted ChatGPT to give information about her and even shared the link to her LinkedIn profile. But the only correct information that the chat bot responded with was that she was Brazilian. [caption id="attachment_65919" align="aligncenter" width="1024"] Prompt given by Luiza Jarovsky to ChatGPT bot followed by the incorrect response. (Credit:Luiza Jarovsky)[/caption] Although the fake bio seems inoffensive, “showing wrong information about people can lead to various types of harm, including reputational harm,” Jarovsky said. “This is not acceptable,” she tweeted. She argued that if ChatGPT has "hallucinations," then prompts about individuals should come back empty, and there should be no output containing personal data. “This is especially important given that core data subjects' rights established by the GDPR, such as the right of access (Article 15), right to rectification (Article 16), and right to erasure (Article 17), don't seem feasible/applicable in the context of generative AI/LLMs, due to the way these systems are trained,” Jarovsky said.

Investigate ChatGPT’s GDPR Violations

The complaint urges the Austrian authority to investigate OpenAI's handling of personal data to ensure compliance with GDPR. It also demands that OpenAI disclose individuals' personal data upon request and seeks imposition of an "effective, proportionate, dissuasive, administrative fine. The potential consequences of GDPR violations are significant, with penalties amounting to up to 4% of a company's global revenue. OpenAI's response to the allegations remains pending, and the company faces scrutiny from other European regulators as well. Last year, Italy's data protection authority temporarily banned ChatGPT's operations in the country over similar GDPR concerns, following which the European Data Protection Board established a task force to coordinate efforts among national privacy regulators regarding ChatGPT. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract:

In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions. The law can’t stop privacy consent from being a fairy tale, but the law can ensure that the story ends well. I argue that privacy consent should confer less legitimacy and power and that it be backstopped by a set of duties on organizations that process personal data based on consent.

Full abstract:

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic”—it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems ­ people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary—an on/off switch—but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.

More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it easier for researchers, law enforcement and others to request the information directly from registrars.

In May 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — instructed all registrars to redact the customer’s name, address, phone number and email from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges.

ICANN made the policy change in response to the General Data Protection Regulation (GDPR), a law enacted by the European Parliament that requires companies to gain affirmative consent for any personal information they collect on people within the European Union. In the meantime, registrars were to continue collecting the data but not publish it, and ICANN promised it would develop a system that facilitates access to this information.

At the end of November 2023, ICANN launched the Registration Data Request Service (RDRS), which is designed as a one-stop shop to submit registration data requests to participating registrars. This video from ICANN walks through how the system works.

Accredited registrars don’t have to participate, but ICANN is asking all registrars to join and says participants can opt out or stop using it at any time. ICANN contends that the use of a standardized request form makes it easier for the correct information and supporting documents to be provided to evaluate a request.

ICANN says the RDRS doesn’t guarantee access to requested registration data, and that all communication and data disclosure between the registrars and requestors takes place outside of the system. The service can’t be used to request WHOIS data tied to country-code top level domains (CCTLDs), such as those ending in .de (Germany) or .nz (New Zealand), for example.

As Catalin Cimpanu writes for Risky Business News, currently investigators can file legal requests or abuse reports with each individual registrar, but the idea behind the RDRS is to create a place where requests from “verified” parties can be honored faster and with a higher degree of trust.

The registrar community generally views public WHOIS data as a nuisance issue for their domain customers and an unwelcome cost-center. Privacy advocates maintain that cybercriminals don’t provide their real information in registration records anyway, and that requiring WHOIS data to be public simply causes domain registrants to be pestered by spammers, scammers and stalkers.

Meanwhile, security experts argue that even in cases where online abusers provide intentionally misleading or false information in WHOIS records, that information is still extremely useful in mapping the extent of their malware, phishing and scamming operations. What’s more, the overwhelming majority of phishing is performed with the help of compromised domains, and the primary method for cleaning up those compromises is using WHOIS data to contact the victim and/or their hosting provider.

Anyone looking for copious examples of both need only to search this Web site for the term “WHOIS,” which yields dozens of stories and investigations that simply would not have been possible without the data available in the global WHOIS records.

KrebsOnSecurity remains doubtful that participating registrars will be any more likely to share WHOIS data with researchers just because the request comes through ICANN. But I look forward to being wrong on this one, and will certainly mention it in my reporting if the RDRS proves useful.

Regardless of whether the RDRS succeeds or fails, there is another European law that takes effect in 2024 which is likely to place additional pressure on registrars to respond to legitimate WHOIS data requests. The new Network and Information Security Directive (NIS2), which EU member states have until October 2024 to implement, requires registrars to keep much more accurate WHOIS records, and to respond within as little as 24 hours to WHOIS data requests tied everything from phishing, malware and spam to copyright and brand enforcement.