Global | Implications of ChatGPT bans | Dragonfly Intelligence

More countries appear likely to ban or restrict the use of popular artificial intelligence (AI) large language models (LLMs) in the near term.

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 4 April 2023.

National regulatory bodies will probably temporarily ban or restrict the use of large language models (LLMs) such as ChatGPT due to concerns about data privacy
Such restrictions would most probably be imposed by national regulators in EU member states where compliance with data protection is closely regulated
Government efforts to regulate AI tools are likely to trail behind the accelerating development of such technologies, resulting in negative impacts such as disinformation

In a first, Italy on 31 March 2023 temporarily banned the popular chatbot ChatGPT over concerns about data privacy. This comes amid rising pressure on its developer, OpenAI, to pause the development of its latest chatbot system. While bans or restrictions on the use of ChatGPT would be likely to cause some degree of disruption within organisations already using the service, we do not anticipate that any restrictions would be permanent or long-lasting.

Tools like ChatGPT have been in development for years. But the recent exponential growth in the volume of data sets available to train LLMs means that the speed of innovations is now accelerating and appears to be outpacing the ability of countries to establish common standards, norms and behaviours over their use. This dynamic is highly likely to persist in the long term, in our view. And countries will probably increasingly find themselves in a predicament over balancing pro-innovation AI strategies and regulating such technology.

First regulatory move against ChatGPT

The ban on ChatGPT in Italy does not appear politically motivated. The Italian data protection authority (an independent authority), rather than the government, has said that it temporarily banned the service due to the ‘unlawful collection of personal data [and] absence of systems for verifying the age of minors’. It said ChatGPT processed data in breach of privacy laws, referring to a specific data breach on 20 March 2023. OpenAI said that the breach led some users to ‘see titles from another active user’s chat history’, among other information.

Regulatory bodies in other countries appear likely to pursue similar bans or restrict the use of ChatGPT, mainly due to data protection issues. There does not seem to be existing legislation that would specifically govern or regulate AI in countries or blocs like the EU. But national regulators do seem to be considering whether ChatGPT complies with the EU’s General Data Protection Regulation (GDPR) or comparable data protection legislation:

According to German business outlets on 3 April 2023, a spokesperson for the German Federal Commissioner for Data Protection said that a ‘similar procedure’ to the temporary ban on ChatGPT in Italy ‘is also possible in Germany’.
According to the BBC on 1 April 2023, the Irish data protection commission said that it was in discussions with its Italian counterparts to ‘understand the basis for their action’ and that it ‘will coordinate with all data protection authorities’ in relation to the ban.
The BBC also reported on 1 April that the UK Information Commissioner’s Office would ‘support’ developments in AI, but that it was ready to ‘challenge non-compliance’ with data protection laws.
That said, the UK government in a policy paper on 29 March 2023 said it has set out a ‘proportionate and pro-innovation regulatory framework’.

As such, any bans or restrictions would most likely be imposed by individual national regulators in the EU on a case-by-case basis. Such bans would probably cause some degree of disruption to organisations that have already integrated ChatGPT into their business functions or backends across a diverse range of sectors. And in our view, the data breach of ChatGPT highlights the risks around the protection and confidentiality of highly-sensitive corporate or customer information when inputting this into chatbot services like ChatGPT.

Any bans are unlikely to be long-lasting. Instead, the timeframe of these would probably be dependent on the ability of OpenAI to meet regulators’ concerns, such as by adding age checks or updating privacy policies. The Italian regulator said on 31 March that OpenAI has 20 days to address the allegations. Beyond seemingly immediate concerns over privacy and regulatory compliance, European governments do not appear to hold overtly strong anti-AI sentiment at present, including over whether AI might replace jobs. For instance, Italy’s deputy prime minister reportedly called the recent ban ‘disproportionate’.

A losing race?

Still, legislative efforts to govern AI tools and chatbots specifically are likely to trail behind the accelerating pace of innovation of such technologies in the long term. A group of AI researchers and tech executives in late March reportedly argued for a six-month moratorium on the training of next-generation AI tools so the industry has time to set safety standards. The BEUC, a European consumer advocacy group, recently said EU efforts to roll out an ‘AI act’ to regulate such technologies could ‘take years’ to come into effect.

This gap is only likely to widen. There has been intense and increased competition and investment in LLMs, such as by the likes of Microsoft and Google. A contact who has a deep knowledge of generative AI told us recently that while some AI tools are relatively mature, there is ‘massive potential’ for a rapid advancement in the capabilities of LLMs in the next one to two years. Rising regulatory pressure on AI tools such as chatbots would probably only at most slow the development of new and more capable models.

Security risks and other challenges

Rapid innovation and advancements in such technologies are likely to present new challenges and risks for organisations over the coming years. OpenAI has been transparent and detailed about the risks of the latest version of its chatbot, ChatGPT-4, in a paper it released on 23 March. It said that despite improvements in its models and ‘fine-tuning’ of GPT-4 since its launch, issues of the service include or might include in the future:

A lack of information reliability (such as ‘hallucination’ effects, and unbiased and unreliable content)
The production of harmful content (such as hate speech, instructions on planning attacks and finding websites selling illegal goods and services), especially before mitigations put in place by OpenAI
The enabling of disinformation (primarily the production of plausible, persuasive and targeted content that the user intends to use to mislead)
Negative impacts on cybersecurity (such as GPT-4’s capabilities of drafting social engineering content, such as e-mail phishing, potentially ‘lowering the cost of certain steps of a cyber attack’ and in some cases ‘explaining’ vulnerabilities in source code)
Impacts on the economy (such as the automation of jobs and workforce displacement)
Impacts of accelerating AI technologies on societal risks and international stability
Overreliance (issues such as GPT-4’s ‘tendency to make up facts’ and its impacts on the skill set development of users)

We anticipate that the impacts of accelerating AI technologies on society, stability and the global economy, in particular, will increasingly become key strategic risk issues for national governments over the coming years.

Image: Mobile phone showing ChatGPT suspension in Italy on 1 April 2023. Photo by Donato Fasano via Getty Images.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1D3J10QGCV	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
BrowserId	1 year	This cookie is used for registering a unique ID that identifies the type of browser. It helps in identifying the visitor device on their revisit.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.

Cookie	Duration	Description
__qca	never	The __qca cookie is associated with Quantcast. This anonymous data helps us to better understand users' needs and customize the website accordingly.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.

Cookie	Duration	Description
_dc_gtm_UA-44215426-3	1 minute	No description
BrowserId_sec	1 year	No description available.
CookieConsentPolicy	1 year	No description
lpv932963	30 minutes	No description
LSKey-c$CookieConsentPolicy	1 year	No description
pi_opt_in932963	10 years	No description
visitor_id135291	10 years	No description
visitor_id135291-hash	10 years	No description
visitor_id932963	10 years	No description
visitor_id932963-hash	10 years	No description

Global | Implications of ChatGPT bans

More countries appear likely to ban or restrict the use of popular artificial intelligence (AI) large language models (LLMs) in the near term.

First regulatory move against ChatGPT

A losing race?

Security risks and other challenges

QUICK LINKS

ACCREDITATIONS & PARTNERSHIPS

KEEP UPDATED