Why your ChatGPT conversations may not be as secure as you think

What happens to all that information you're entering into popular new AI tools?
Written by Maria Diaz, Staff Writer
Hands typing on laptop
Bing Image Creator/ZDNET

Would you ever let someone you don't know listen into your private conversations with your doctor or significant other? Would you let them sell little snippets of what they heard to someone else? This is, in a nutshell, what third party trackers do; they watch what you do online and then sell that information to someone else that wants to sell you something. 

As more people use generative AI services like ChatGPT, or even Bing Chat and Google Bard, the safety and ethics of it all comes into question. When millions of people go to a website to ask questions, generate text for cover letters or essays, write and even debug code, you have to wonder: What happens to all that information that is entered into these tools and what role, if any, do data brokers have in all this?

Also: 'OpenAI is product development, not AI research', says Meta's chief AI scientist

Ghostery CEO and privacy expert, Jean-Paul Schmetz, has a thing or two to say about this topic, and he joined ZDNET for a conversation about the privacy concerns you may have while using generative AI. 

The good news is that OpenAI has yet to allow third-party tracking in ChatGPT. "OpenAI is refreshingly simple in the sense that it is safe," says Schmetz. "They don't have anyone looking over your shoulder while you are chatting with ChatGPT."

"The only thing the user has to worry about is that they can use your data for training, so whatever you write is being used by OpenAI," he adds. This is clearly stated in the company's privacy policy, though you do have the option to opt out of data sharing by simply filling out a Google Form from OpenAI. 

If you don't opt out, Schmetz advises you to "be careful what you say." 

Also: These experts are racing to protect AI from hackers

It's worth heeding Schmetz's warning. In 2021, researchers uncovered vulnerabilities in the GPT-2 system for training data extraction attacks, which exploit the model's innate role of learning from the data its users enter.  

"By inputting certain targeted queries, malicious entities are able to trigger the AI to recount specific data that was previously inputted by a user -- which can include personally identifying information like names, addresses and phone numbers along with anything else the target has shared with the system," Schmetz explains. 

While we don't know for certain if this vulnerability is present in GPT-4, Schmetz explains it does persists in the free model. 

Also: How to use ChatGPT: What you need to know now

OpenAI's president and co-founder, Greg Brockman, shared a statement this week highlighting the company's commitment to safety with its models. "We believe that powerful training runs should be reported to governments, be accompanied by increasingly-sophisticated predictions of their capability and impact, and require best practices such as dangerous capability testing," Brockman said. 

A lot of us that grew up alongside the internet know there are three important rules for it: Don't put private information online, don't believe everything you read, and cats are the supreme rulers of it. 

"Users that are mindful of the information they share with the AI won't be at risk, as this first-party data can only be extracted if the user has inputted it in the first place," Schmetz adds.

About Ghostery

Ghostery is mostly known for its top-rated browser extension and prides itself on "tracking the trackers," but the company also boasts a privacy suite that features a Tracker and Ad Blocker, Private Browser, Private Search, and Tracker Analytics. 

"In the real world, we are fully comfortable with first-party tracking," Schmetz explains. First-party tracking in the real world would be a discussion with a doctor or making small talk with a shopkeeper. "If someone were in the back always listening to you at the doctor, at the shop, and following you on the train, that would be a problem." 

That third party trying to listen in is what Ghostery takes care of online.

Also: AI may compromise our personal information if companies aren't held responsible

This extension stands out from others due to the detailed analytics you get each time you visit a site. Aside from blocking ads and third-party trackers, clicking on the Ghostery logo when you visit a page will show you the number of trackers blocked, requests modified, and the page load time. 

Ghostery also gives you the option to easily determine whether to trust or restrict a site, as well as determine if you want to automatically have it never consent to cookies, so you can kiss those popups goodbye. 

On Chrome, I keep the Ghostery extension prominent in my browser, by pinning it to the toolbar where I can see the number of trackers as soon as I open a page. 

Also: Were you caught up in the latest data breach? Here's how to tell

"They're trying to make you unaware that when you load a webpage, there's dozens of trackers coming with," Schmetz says. The effort to expose these trackers led to Ghostery building Whotracks.me a database that publishes information on trackers to bring transparency to tracking.

Editorial standards