ChatGPT: how The Italian Data Protection Authority did the right thing!

Think With Giorgio - the future in your email
by Giorgio Taverniti

What you will read about

• Against the mainstream

• We as Italy

• Why The Italian Data Protection did the right thing

• What is the essence?

• More Internet news to read

• Our Initiatives

AGAINST THE MAINSTREAM

Ever since ChatGPT was announced, my position has been to declare that Open AI has been irresponsible. For so many reasons. And that it could damage the entire AI industry. This is all happening slowly.

Generative AI is a huge revolution. It is powerful. It is fascinating. We're just at the beginning and I can't wait to see where it goes. I wonder how many things I could have done 20 years ago if it had been around. I still remember all the pages I created by hand with a text editor for the Giorgiotave.it website, launched on 16 April 2003. I think that site would have had millions of pages instead of thousands.

But not only that, how many tools would I have created with the help of programming?

A lot has happened in the last few hours and I know that there are many people who are angry with the Italian DPA (Italian Data Protection Authority) for taking action against ChatGPT.

And everyone has their own reasons with more or less understandable objections. I understand most of them, except the conspiracy ones. I simply believe that this is a time when we need conversations, not discussions. Conversation has a nice etymology

The word “conversation” derives from two Latin roots; namely com meaning “together” and versare meaning “to turn.”  Hence it literally means “turning together” - perhaps a daily life understanding of structural coupling.

From Sympoetic.net

But on the internet I find a lot of fans and supporters shouting their reasons instead. So I'm going to go against the grain and give my honest opinion: the Italian DPA is doing the right thing. Let's try to talk about it as if we were in person, let's have a conversation.

WE AS ITALY

I have a feeling that in Italy we are good at 2 things:

• Framing Italy as a backward country

• Cheering pointlessly and taking sides on complex issues.

I would like to say to all the people who support the narrative that "Italy is a backward country thanks to the Italian DPA" that this narrative is very dangerous. I say this because I believe that what the Italian DPA has done will be done by other countries and entities. Then you would have to start claiming that Italy is light years ahead. Or argue that everyone else is backward too.

This is without going into the discussion of "what alternatives did the Italian DPA have?" because it is very complex.

But I think it is a very extreme position. The kind that only leads to arguments instead of conversations: in fact, here comes the other consideration, which is the meaningless cheering on of complex issues.

I would like the Italian Internet to be more mature to stop taking such attitudes. Otherwise, how can we complain about the level of information in Italy when we are the first to create a media circus without in-depth coverage, even where we are able to go deeper?

WHY THE ITALIAN DPA DID THE RIGHT THING

At its most basic level, the Italian DPA did well because it did its job. The Italian DPA did not create or design the GDPR. If you are against the GDPR, then you cannot blame the Italian DPA for demanding that it be enforced.

This is regardless of whether they have done their job well or badly and correctly applied the rules, because the issue is mainly about the law.

The Italian DPA moved in time. Perhaps one of the few times we move in a reasonable time to bring very sensitive issues to the table... I try to simplify what is really happening at a macro level to explain it to as many people as possible:

1. The Italian Data Protection Authority applied, by means of a measure, a temporary restriction on the processing of personal data of individuals established in the Italian territory; it did so by requesting Open AI 'to communicate the steps taken to implement the prescribed measures and to provide any element deemed useful to justify the above-mentioned infringements'.

2. Open AI responded by making its service inaccessible in Italy, including by not yet collecting data from individuals established in Italy.

If it seems excessive to someone that the Italian DPA acted in this way, shouldn't they have had the same reaction to what Open AI did? Haven't they gone too far?

Something very important also happened: on the 20th of March, it seems that a serious vulnerability was discovered regarding user conversations and payment information of subscribers to paid services. Get it? :)

Why would we not want the Italian Data Protection Authority to investigate Open AI's handling of data? I don't understand why the mere opening of an investigation is so disturbing.

And in fact, Open AI wrote: "We will contact the Italian DPA with the aim of restoring your access as soon as possible", not "Fine, we'll never open in Italy again".

At this point two objections arise in the comments on the network:

• The first: the Italian DPA  should be concerned about telemarketing! In fact, you just have to do a site: to find nearly 1,000 pages on the Italian DPA's site devoted to the subject.

• The second: the guarantor should be worried about all the other services, from Dalle 2 to APIs to Bing, the latter usually accompanied by the line "the Italian DPA doesn't know how these systems work".

I think it's a line born out of the frustration of the moment: certainly, many of us (myself included) know very little about the mechanisms of how the Italian DPA's inspection and sanctioning activities work.

However, this is an understatement: did the first sanctions for GDPR non-compliance in Italy reach all the services that violated the GDPR? No. Why only a handful of sites and not thousands? Answering this question will prevent many people from making bold claims.

WHAT IS THE ESSENCE

There are a number of considerations made by the Italian DPA that should really concern us very much.

I will tell you what they find in the measure

• lack of information to interested users whose data has been collected by OpenAI

• the lack of an adequate legal basis for the collection and processing of personal data for the purpose of training the algorithms underlying the operation of ChatGPT

• inaccuracy in the processing of personal data of interested users

• Failure to verify the age of users in relation to the ChatGPT service, which is restricted to persons aged 13 or over.

However, there are three issues to highlight

1. the information for users

2. age verification

3. The information on the collection of personal data that Open AI has taken from the Internet

Before I address them, a consideration that is very important to me: if I invent a new car and want to put it on the road, I have to abide by the general rules and traffic regulations to be able to put it on the road.

It's not because I've invented a new thing, let's say the self-driving car, that I have the right not to give a damn about all the rules we've spent years creating to protect ourselves. So I'll build it without seatbelts, for example.

It is a question of competitiveness. You have to respect the laws in force if you want to open a service in the country where you want to open it. Then maybe one day we'll talk about specific laws for generative AI if we need to, but in the meantime it's important to at least comply with the current ones.

Back to the questions

The first one: it's easy to solve, you just have to make everything clearer at registration and write the information for the users better. Simple.

The second: age verification. Quite worrying that Open AI says you have to be over 13 to use it, but then does nothing to verify it.

Thirdly, the information about the collection of personal data that Open AI has taken from the internet.

The last one challenges the whole industry of Generative AI as it has been thought of so far. Can a system go around and take any data and do whatever it wants with it? Is there any control over personal data? How is it processed? Can we correct or modify it? Let me remind you that with GPT4 we no longer know the source of the personal data being processed.

If there is a current data protection standard, new systems will have to comply with it. Such systems can react in a very dangerous way about an individual, causing significant reputational damage.

Where is the right to be forgotten? How is it guaranteed? Wouldn't it be important to create an equivalent of the Robots.txt that exists for search engines to ask them to respect certain decisions of site owners?

I think that if we really want to strive for a better Internet, we cannot be naive. We can't really think that something can come along and sweep away the laws we've created. And we cannot ignore a law just because nobody has ever done us wrong. I hope that never happens to anyone. But that's like saying we don't care about accessibility because we don't have any problems.

A better internet, a better world.

We can improve, change and twist laws. In fact, we have to, because Generative AI is making even the existing ones old. A new way is needed. Maybe we need leaders to open discussions and negotiating tables, right?

But we can't pick on the Italian DPA for applying and enforcing the laws we have.

In fact, OpenAI collaborating with Italian DPA on commitments for protecting italian users :)

Meanwhile in Canada…OPC launches investigation into ChatGPT

I hope that AI world going in this direction:

I agreed with some aspects of the letter, such as the statement that “AI research and development should be refocused on making today’s powerful, state-of-the-art systems more accurate, safe, interpretable, transparent, robust, aligned, trustworthy, and loyal” (though the “loyal” bit stood out to me as a touch of anthropomorphic creepiness). But the mix of reasonableness and breathless hype was too much for me, and I didn’t sign. 

Thoughts on a Crazy Week in AI News by

Melanie Mitchell

.

MORE INTERNET NEWS TO READ

• News for merchant listing in search console

• Google Clarifies Its 15MB Googlebot Limit Is For Each Individual Subresources

• Here is the best software for free live streaming and pay: bye bye Streamyard! [ITA] this is the software

• March Core Update

• You can see a Podcast Tab in Youtube Channel

OUR INITIATIVES

The AI Conference, an advanced seminar on Artificial Intelligence powered by WMF, has sold out. And it is just one of the many initiatives the WMF is pursuing on AI.

On June 15, 16 and 17, the AI Global Summit will be held within WMF at the Rimini Expo Center. On the page you can see the talks that are scheduled for now and will be updated as we go along.

Then the trailer

On the other hand, it is a great pleasure to have announced the guest of honour who will be appearing on the main stage of the 11th edition of WMF - We Make Future: Sir Tim Berners-Lee. So many people will be in the same place with the person to whom they owe so much.

I am looking forward to it.

REACH ME OUT

And that is all. I would like to thank my colleague Sek for helping me translate this newsletter. I'm really pushing myself to produce content in English and this is my second contribution.

I have started a YouTube channel! Guess what it is? It's called Think With Giorgio. It's empty for now, but I'll be working on creating some very in-depth videos on things like the Google ecosystem, YouTube, SEO and so on. I will also be working on a website to explain what I have done in the past and what I want to do in the future: ThinkWithGiorgio.com (I will update in a few weeks). I also have a Twitter account.

WHAT’S NEXT:

Don't expect 1 content per week, nor per month. I'll be very happy if I make 4 this year. I hope it will be a very deep content for you.

If you like it, share it.

For a Better Internet.

Ciao.