{"id":8877,"date":"2024-08-19T11:53:01","date_gmt":"2024-08-19T09:53:01","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=8877"},"modified":"2024-08-19T12:21:24","modified_gmt":"2024-08-19T10:21:24","slug":"data-protection-digest-19082024-data-labelling-for-llms-third-party-cookies-as-a-cause-of-leaks","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19082024-data-labelling-for-llms-third-party-cookies-as-a-cause-of-leaks\/","title":{"rendered":"Data protection digest 3 – 16 Aug 2024: data labelling for LLMs, third-party cookies as a cause of leaks"},"content":{"rendered":"\n

In this issue: X\u2019s AI Grok training suspended in the EU,\u00a0 third-party cookies may lead to data breaches, Uniqlo \u2018payroll\u2019 mistake, car rental refusal based on client\u2019s income, and AI non-transparency – data scraping, maximisation, risks of regurgitation, and what is behind data labelling for the LLMs industry.<\/em><\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email.<\/a><\/em><\/p>\n\n\n\n

LLMs, data labelling and data protection<\/h4>\n\n\n\n

A fundamental principle of data protection law is data minimisation. Privacy International however insists that LLMs are being trained through indiscriminate data scraping and generally maximise their approach to data collection. Under data protection laws, individuals have the right to assert control over data related to them. However, LLMs are unable to adequately uphold these rights<\/a>, as the information is held within the parameters of a model in addition to a more traditional form, such as a database. ‘Regurgitation’ can also lead to personal data being spat out by LLMs. Because training data is enmeshed in LLM algorithms, this can be extracted, (or regurgitated), by feeding in the right prompts. <\/p>\n\n\n\n

PI also investigated digital labour platforms that have arisen to supply data labelling for LLM training<\/a>. This includes training an AI model against a labelled dataset and is supplemented by reinforcement learning from human feedback. For example, data labellers mark raw data points, (images, text, sensor data, etc.), with ‘labels’ that help the AI model make crucial decisions, such as for an autonomous vehicle to distinguish a pedestrian from a cyclist. It appeared that many such labellers can be completely disconnected from the AI developers, and are often not informed about who or what they are labelling raw datasets for. They are also subject to algorithmic surveillance and unreliable job stability. <\/p>\n\n\n\n

Third-party cookies as a cause of data breaches<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

JDSupra legal insights look at the disclosure of data through website cookies which may facilitate a data breach in California. In the related court case, the plaintiff claimed that an online counselling service where website users can find and seek therapy violated the California Consumer Privacy Act by allowing tracking software to retarget website users with ads. The court refused to dismiss the data breach claim. Specifically, the simple fact a user visited the website, may qualify as sensitive information because such a visit could mean they must have been seeking therapy<\/a>. <\/p>\n<\/div><\/div>\n\n\n\n

Concerning whether using retargeting cookies is inherently illegal, the court refrained from rendering a decision.<\/p>\n\n\n\n

US Child privacy bill<\/strong><\/h4>\n\n\n\n

On 30 July, the Kids Online Safety and Privacy Act was passed by the Senate. KOSPA is a variation of two previously proposed bills: the Kids Online Safety Act, (KOSA), and the amended Child Online Privacy Protection Act, (COPPA 2.0). The act applies to digital platforms, particularly those with more than 10 million active monthly users. The duty of care includes options for minors to protect their data, prohibition of the use of dark patterns, and transparency regarding the use of opaque algorithms, etc. KOSPA now heads to the House, where it will be debated over potential censorship<\/a> and the possibility of minors lacking access to vital information. <\/p>\n\n\n\n

Oncological oblivion<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

The Italian data protection authority Garante looks at \u201cthe right to be forgotten\u201d in oncology, and whether banks, insurance companies, credit bodies, and employers can ask for information on the oncological pathology of an individua<\/a>l in a remission stage. Also, can a clinically recovered person adopt a child? These and other questions are answered in the FAQs<\/a> published by the regulator, (in Italian). The aim is to prevent discrimination and protect the rights of people who have recovered from oncological diseases.<\/p>\n<\/div><\/div>\n\n\n\n

Chatbots and customer data<\/h4>\n\n\n\n

Employees sharing patient or consumer personal information with an AI chatbot<\/a> have resulted in allegations of data leaks to the Dutch Data Protection Authority, (AP). The majority of chatbot developers store all data entered. Organisations must make clear agreements with their employees about the use of AI chatbots.  They could also arrange with the provider of a chatbot that it does not store the entered data. <\/p>\n\n\n\n

More official guidance<\/h4>\n\n\n\n

Avoiding outages and system failures:<\/strong> The US Federal Trade Commission insists that many common types of software flaws can be preemptively addressed through systematic and known processes that minimise the likelihood of outages. This includes rigorous testing of both code and configuration and the incremental rollout procedures. For instance, when deploying changes to automatically updating software, vendors could initially deploy it to a small subset of machines, and then roll it out to more users<\/a> after it\u2019s confirmed that the smaller subset has continued to function without interruption. <\/p>\n\n\n\n

\"data<\/figure>
\n

<\/p>\n\n\n\n

Surveys at schools:<\/strong> The Latvian data protection authority investigates if a teacher can ask students to complete surveys. The educational process has long been not limited to the learning of the subject, but the psychological state<\/a> of the child too. Answers given in student surveys can be divided into standard, personalised or anonymous forms. However, children often are not able to assess how much private information to give to others. Thus, security requirements, such as data non-disclosure and storage limitations must be applied in most cases. <\/p>\n<\/div><\/div>\n\n\n\n

Additional parent consent should be required if the surveys are related to the organisation of the learning process indirectly.<\/p>\n\n\n\n

AI systems transparency:<\/strong> The German Federal Information Security Office, (BSI), published a white paper on the “Transparency of AI systems”. It says that the increasing complexity of the AI \u201cblack boxes\u201d systems as well as missing or inadequate information about them makes it difficult to make a visual assessment<\/a> or to judge the trustworthiness of the outputs. The paper defines the term transparency for various stakeholders from users to developers, and discusses the opportunities and risks of transparent AI systems, both positive, (promoting safety, data protection, avoiding copyright infringements), and negative, (the possible disclosure of attack vectors). <\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n