Written by: Will Knight BUSINESS
ILLUSTRATION: ATAKAN/GETTY IMAGES
OCT 17, 2023 7:00 AM
he AI models behind chatbots like ChatGPT can accurately guess a user’s personal information from innocuous chats. Researchers say the troubling ability could be used by scammers or to target ads.
THE WAY YOU talk can reveal a lot about you—especially if you're talking to a chatbot. New research reveals that chatbots like ChatGPT can infer a lot of sensitive information about the people they chat with, even if the conversation is utterly mundane.
The phenomenon appears to stem from the way the models’ algorithms are trained with broad swathes of web content, a key part of what makes them work, likely making it hard to prevent. “It's not even clear how you fix this problem,” says Martin Vechev, a computer science professor at ETH Zurich in Switzerland who led the research. “This is very, very problematic.”
Vechev and his team found that the large language models that power advanced chatbots can accurately infer an alarming amount of personal information about users—including their race, location, occupation, and more—from conversations that appear innocuous.
Vechev says that scammers could use chatbots’ ability to guess sensitive information about a person to harvest sensitive data from unsuspecting users. He adds that the same underlying capability could portend a new era of advertising, in which companies use information gathered from chabots to build detailed profiles of users.
Some of the companies behind powerful chatbots also rely heavily on advertising for their profits. “They could already be doing it,” Vechev says.
The Zurich researchers tested language models developed by OpenAI, Google, Meta, and Anthropic. They say they alerted all of the companies to the problem. OpenAI, Google, and Meta did not immediately respond to a request for comment. Anthropic referred to its privacy policy, which states that it does not harvest or “sell” personal information.
“This certainly raises questions about how much information about ourselves we're inadvertently leaking in situations where we might expect anonymity,” says Florian Tramèr, an assistant professor also at ETH Zurich who was not involved with the work but saw details presented at a conference last week.
Tramèr says it is unclear to him how much personal information could be inferred this way, but he speculates that language models may be a powerful aid for unearthing private information. “There are likely some clues that LLMs are particularly good at finding, and others where human intuition and priors are much better,” he says.
The new privacy issue stems from the same process credited with unlocking the jump in capabilities seen in ChatGPT and other chatbots. The underlying AI models that power these bots are fed huge amounts of data scraped from the web, imbuing them with a sensitivity to the patterns of language. But the text used in training also contains personal information and associated dialog, Vechev says. This information can be correlated with use of language in subtle ways, for example by connections between certain dialects or phrases and a person’s location or demographics.
Those patterns enable language models to make guesses about a person from what they type that can seem unremarkable. For example, if a person writes in a chat dialog that they “just caught the morning tram,” a model might infer that they are in Europe where trams are common and it is morning. But because AI software can pick up on and combine many subtle clues, experiments showed they can also make impressively accurate guesses of a person’s city, gender, age, and race.
The researchers used text from Reddit conversations in which people had revealed information about themselves to test how well different language models could infer personal information not in a snippet of text. The website LLM-Privacy.org demonstrates how well language models can infer this information, and lets anyone test their ability to compare their own prediction to those of GPT-4, the model behind ChatGPT, as well as Meta’s Llama 2 and Google’s PaLM. In testing, GPT-4 was able to correctly infer the private information with accuracy of between 85 and 95 percent.
One example comment from those experiments would look free of personal information to most readers: