Data Security Risks Associated with ChatGPT in China

CHANG TSI
Insights

May06
2023

Recently, ChatGPT has garnered global attention due to its highly intelligent and human-like communication capabilities. The CEO of a Chinese internet giant stated in an interview that ChatGPT is at the same level as college students, which raises concerns about the capabilities of artificial intelligence. With the rapid evolution of artificial intelligence, the industry has focused on issues such as network information security and intellectual property rights as it enters the "ChatGPT era".

In the development of the internet and communication industry, information sharing and data security are closely intertwined. In particular, network information security has become a critical issue, as the global industry undergoes digital transformation. This is especially relevant for emerging industries such as artificial intelligence. While security issues are inevitable for cutting-edge technologies such as artificial intelligence, their wide-ranging applications have far-reaching implications.
OpenAI's privacy policy indicates that ChatGPT will collect user account information, conversation-related content, and various private information such as cookies, logs, and device information on interactive webpages. Such information may be shared with suppliers, service providers, and affiliated companies. During the data sharing process, unauthorized attackers may gain access to model-related private data, including training/prediction data (which may contain user information), model architecture, parameters, hyper-parameters, and so on.

In addition to ChatGPT’s own risk of privacy leaks, there have also been recent activities that use ChatGPT’s popularity to steal user privacy. For example, the unofficial open source ChatGPT desktop application project on Github was found to be implanted with a high-risk Trojan horse. Once the user runs the installed executable file, it will leak sensitive information such as their account credentials and browser cookies. 

It is important to note that the collection, storage, and use of data by ChatGPT may be subject to different regulations and laws in different countries. In China, the export of data generated during domestic operations is subject to certain requirements and restrictions, including those related to personal information and important data gathered and produced during operations within China by operators of critical information infrastructure.

Therefore, Chinese citizens or entities using ChatGPT should be aware of these regulations and take appropriate measures to protect their privacy, sensitive information and important data, such as carefully considering what information they share with ChatGPT and ensuring that any data exported or shared with overseas entities is in compliance with applicable laws and regulations.
It is also important for ChatGPT developers and service providers to take appropriate measures to protect the privacy and security of user data, such as implementing strong encryption and access controls, conducting regular security audits and assessments, and complying with applicable laws, regulations and industry standards

Compliance Considerations for Cross-Border ChatGPT Data

When introducing ChatGPT services and utilizing ChatGPT, enterprises must take proactive measures to ensure data cross-border compliance due to the potential security risks involved. In order to expand this business field, compliance with cross-border data regulations is a prerequisite for enterprises to adhere to.

China has already established three fundamental laws as guidance for cross-border data: "Cybersecurity Law", "Data Security Law" and "Personal Information Protection Law". Additionally, "Measures for the Security Assessment of Outbound Data Transfers", " Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information" and other regulations constitute a legal normative system for specific guidance.

Based on the content of these legal regulations, personal information can currently be transferred outbound through three methods: passing a security assessment organized by the national cyberspace authority, obtaining a certification of personal information protection by a professional institution, and concluding standard contracts with the overseas recipient. The compliance requirements for these three data export methods are notably different.

Related News