Anybody interested in generative A.I. or data privacy needs to stop what they’re doing and pay attention to this one right now.
A new complaint filed in California this week involving OpenAI and Microsoft and how they are training generative AI tools may be the single biggest civil lawsuit in history–and the effects will ripple far and wide across the backbone of the American ecommerce backbone.
First, a reminder– litigation under the California Invasion of Privacy Act (CIPA) is now the most dangerous litigation on the face of the planet.
With $5k in exposure per illegally recorded web session–and billions of California-based web visits occurring daily–there is a wellspring of potential CIPA exposure rivaling the GDP of developing nations being generated daily.
The essence of many recent CIPA cases is that information shared by consumers with companies online is being listened in on by third-parties–often using java-embedded within a consumer’s browser–for various purposes.
Well in a new and sprawling complaint filed this week in the Northern District of California a Plaintiff is contending that ChatGPT and OpenAI are illegally eavesdropping on consumer interactions with popular applications and seeks an unspecified recovery on behalf of a massive class–and there could be trillions of dollars at issue in this case.
The Complaint in P.M., et al. vs. OPENAI LP, and MICROSOFT CORPORATION,–available here Open AI CIPA — is sprawling and asserts numerous claims arising out of Big Tech’s alleged surreptitious use of consumer chats to feed its AI machine learning products.
As to the CIPA claim, the Plaintiffs allege:
The transmissions of Plaintiffs’ and ChatGPT API Class Members’ communications (including but not limited to chats, comments, replies, searches, keystrokes, mouse clicks/movements, signals, browser activity, or other data, activity, or intelligence) on various applications, programs, platforms, websites which integrate ChatGPT API (i.e., Stripe, Snapchat, etc.) qualify as “electronic communications” under Cal. Penal Code §629.51(2).
By incorporating ChatGPT technology on third party platforms, Defendants are in the unique position of having unrestricted, real-time access to the users’ every input, move, chat, comment, reply, search, keystroke, or other browser activity/communication on the third-party platform.
As Plaintiffs and ChatGPT API Class Members interact with the third-party platform, Defendants intentionally tap, electrically or otherwise, the lines of internet communication between Plaintiffs and ChatGPT API Class Members, and/or third-party entities.
In disregard for Plaintiffs’ and ChatGPT API Class Members’ privacy rights, Defendants act as a third-party “eavesdropper”, redirecting Plaintiffs and Chat-GPT API Members’ electronic communications to Defendants’ own servers for appropriation, and training of their Products
Defendants’ interception of the contents of Plaintiffs’ and ChatGPT API Class Members’ communications happens contemporaneously with their exchange of such communications, whether such communications are directed to Plaintiffs’ and ChatGPT API Class Members’ friends, colleagues, or third-party entities. As described above, the ChatGPT technology, integrated on various platforms, is designed to simultaneously intercept and send a recording of each keystroke, mouse click, movement, writing, or other data, activity, or intelligence to Defendants sufficient to not only identify Plaintiffs and ChatGPT API Class Members’, but also to be able to understand, collect, and use for training Plaintiffs’ and ChatGPT API Class Members’ communications.
Through this calculated scheme of using ChatGPT technology, integrated on various non-ChatGPT platforms (such as Snapchat, Stripe etc.) to intercept, acquire, transmit, and record Plaintiffs’ and ChatGPT API Class Members’ electronic communications, Defendants willfully and without valid consent from all parties to the communication, take unauthorized measures to read and understand the contents or meaning of the electronic communications of Plaintiffs and ChatGPT API Class. The interception and recording of electronic communications occurs while the electronic communications are in transit or passing over any wire, line, or cable…
HOLY MOLY.
To my eye if these allegations are true the Plaintiffs have actually asserted a valid claim under CIPA. This sort of real time reading and analysis of ongoing communications is PRECISELY what the CIPA was designed to prevent. So unlike some of the silly web session recording cases we have seen P.M. really seems to have legs.
A bunch of classes at issue here including:
a. Non-User Class: All persons in the United States whose PII, Personal
Information, or Private Information was disclosed to, or accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
b. ChatGPT User Class: All persons in the United States who used ChatGPT,
whose Private Information was disclosed to, or intercepted, accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
c. ChatGPT API User Class: All persons in the United States who used other
platforms, programs, or applications which integrated ChatGPT technology,
whose Private Information was disclosed to, or intercepted, accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
d. Microsoft User Class: All persons in the United States who used Microsoft
platforms, programs, or applications which integrated ChatGPT technology,
whose Private Information was disclosed to, or intercepted, accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
e. Minor ChatGPT User Class: All persons in the United States who, while 16
years or younger, used ChatGPT, or other platforms, programs, or applications
which integrated ChatGPT API or ChatGPT Plug-In, whose Private
Information was disclosed to, or intercepted, accessed, collected, tracked,
taken, or used by Defendants without consent or authorization.
f. ChatGPT Plus User Class: All persons in the United States who used ChatGPT website or mobile app and whose Personal Information or PII was intercepted, accessed, collected, tracked, stored, shared, taken, or used by Defendants without consent and/or authorization
While it is impossible at this stage to say how many people are in each class, given the millions of daily users these platforms have it is easy to imagine damages surpassing $5BB a day. So while Microsoft famously has over $100BB in cash on hand at any one time, this case could exceed $1.5TT in damages with relative ease–and that’s just looking at one year of exposure.
My goodness.
It is not overstatement to say that P.M. may be one of the most consequential civil actions ever filed. Not only are the available damages here potentially enough to bankrupt both Microsoft and OpenAI, the crushing and stifling impact of the CIPA as applied to emerging generative AI tools may be sufficient to set back Americas’ AI ambitions and allow less litigious nations–say, China–to take a clear lead in the world’s great AI arms race.
And notably this complaint does not appear to be some slapped-together hogwash by some lawyer with a crazy pipedream. This thing is well crafted and well thought out. Indeed, even beyond CIPA there are a number of claims that have credibility. This could be an absolute nightmare for OpenAI and Microsoft to deal with.
Obviously Troutman Amin, LLP has been at the forefront of legal issues in this space and are closely following and reporting on developments here.
Indeed we will be putting on an absolutely CRITICAL conference on July 13, 2023 addressing inter alia the risk of CIPA suits, the proliferation of privacy suits across the nation and the rise of legal issues arising out of generative A.I.
NOBODY covers these issues like we do, so you MUST ATTEND the Troutman Amin, LLP Summer Marketing/Advertising/Privacy Law conference.
Unfortunately, in-person tickets are SOLD OUT–no surprise there– but you can still attend our virtual option!
Obviously P.M. is an absolutely fascinating development with consequences far and wide. We will be carefully monitoring developments here and will report as merited.
Fascinating. Thanks for sharing this development!
This is very interesting, as Elon Musk threatened to sue them for using Twitter to tune their engine as well. Thankfully for the future of Generative AI, ChatGPT is not the only AI kernel out there and not even the best, just the most hyped. I do wonder how long it will take for someone to look at Amazon’s AI, and ask if they have been using AWS storage, where many firms store their call recordings for tuning.
This is pretty funny, to me anyway. I typed in “write a demand letter to openAI for violating my privacy.” This is what it came up with (pretty good IMO compared to apps like Do Not Pay):
[Your Name]
[Your Address]
[City, State, ZIP Code]
[Email Address]
[Phone Number]
[Date]
OpenAI
[OpenAI Address]
[City, State, ZIP Code]
Subject: Demand for Privacy Violation Compensation
Dear OpenAI,
I hope this letter finds you well. I am writing to bring to your attention a serious matter concerning the violation of my privacy rights by OpenAI. It has come to my attention that my personal information has been mishandled, resulting in a breach of my privacy rights as a user of your services.
On [date or time period], I became aware of the privacy breach when I discovered that my personal data, including [specify the nature of the personal information breached, such as name, address, email, or any sensitive data], was compromised without my knowledge or consent. This breach of privacy has caused me significant distress and concern regarding the security of my personal information.
OpenAI has a legal and ethical responsibility to protect the personal data of its users. The mishandling of my personal information has violated my privacy rights under [specify relevant laws or regulations related to privacy and data protection]. I trusted OpenAI to maintain the confidentiality and security of my personal data, and your organization has failed to fulfill this obligation.
The consequences of this privacy violation are substantial, as it has exposed me to the risk of identity theft, fraud, and other malicious activities. Moreover, it has eroded my trust in OpenAI’s commitment to safeguarding user privacy. I believe that I am entitled to compensation for the damages and distress caused by this privacy violation.
I demand the following:
A thorough investigation into the privacy breach incident, including an explanation of how and why it occurred.
Immediate measures to rectify the breach and enhance the security protocols to prevent similar incidents from happening in the future.
Notification of any third parties who may have accessed or acquired my personal information as a result of this breach.
Full disclosure of the extent and nature of the personal data that was compromised.
Assurance that OpenAI will comply with all applicable privacy laws and regulations in the future.
Compensation for the damages, distress, and any financial losses incurred as a result of this privacy violation.
Please be advised that if my demands are not adequately addressed within [reasonable timeframe, such as 30 days] from the date of this letter, I will have no choice but to pursue legal remedies available to me, including initiating a legal action to protect my rights and interests.
I strongly believe in resolving this matter amicably and trust that OpenAI will take swift and appropriate action to rectify the situation. I kindly request a written response to this letter within [reasonable timeframe, such as 14 days] to confirm your intentions in addressing this privacy violation.
Thank you for your prompt attention to this matter. I look forward to a timely resolution.
Yours sincerely,
[Your Name]