Pictures, text prompts, documents and health metrics are just a few examples of data we’re giving away to different AI applications and thus, to different companies/organizations. While it’s always good to know what happens to your data, it is especially relevant in healthcare settings and regarding health data.
The rise of social media platforms signifies the beginning of a new era, one where individuals become valuable resources: providing tons of personal data that can be utilised for commercial purposes. But as the plethora of AI applications begins to enter our lives, we have to level up our games and become much more conscious about what we are willing to give away.
Thus, we decided to take a look at what there is to learn about what happens to data uploaded to and generated by the most popular AI platforms.
There are more things in heaven and Earth, Horatio
This whole issue is far more complicated than it seems at first glance, as there are multiple layers of privacy/legal issues. In general, these include:
- Personally identifiable information (including sensitive data like social security numbers, financial identifiers, health data, etc) collected by companies/organizations
- Information we provide to these algorithms including personal (user) info, financial (billing) info and our prompts (sample pictures, business or personal questions, health symptoms, etc.)
- Copyright issues regarding any material or content we create with these services and the legal implications of us using these for personal or business purposes
- And copyright issues of our publicly available content that might have been used to train an algorithm without our knowledge
Let’s start with the obvious: right now we are very far from seeing clearly in these matters, and there’s a lot going on with legal experts trying to weigh in and provide guidance. The situation is especially confusing in the latter two facets.
Midjourney: a scary list of collected personal info
Text-to-image generator Midjourney provides you with the following info:
“By using the Services, You may provide Midjourney with personal information like Your email address, user name, billing information, favorites, image outputs, and text prompts that You enter, or sample images that You upload to the Service. Our privacy policy can be found here.”
Open questions:
Following the privacy policy link, you will also learn that privacy measures are different based on where you are, and there are somewhat different terms for European and California users.
At this moment I can’t decide whether the extensive list of info they declare to collect AND disclose in California including
- social security, driving license and passport numbers,
- postal addresses,
- insurance policy number,
- education, employment, employment history,
- bank account number, credit card number, debit card number, or any other financial information,
- medical information, or health insurance information
are also collected and disclosed in Europe, or the GDPR regulations protect such personal data of EU users.
Also quite inscrutable for me is
- How do they collect such personal information
- Also not sure for what purposes they plan to collect and disclose all the deeply personal and sensitive info listed above.
- Impossible to decide what happens to what kinds of data of users not residing in the EU or in California
Applications from Open AI (DALL-E, ChatGPT): let’s not talk about it
OpenAI’s terms of use and privacy policy offer clear guidance in terms of ownership of input and usage rights of created content:
“As between the parties and to the extent permitted by applicable law, you own all Input, and subject to your compliance with these Terms, OpenAI hereby assigns to you all its right, title and interest in and to Output. “
Open questions:
Their position is less clearly defined regarding personal data. The privacy policy again specifically mentions California users and declares that they collect social, communication and technical info. They do not explicitly list what kind of information this includes.
Also unclear is what the matter is with non-US users. The privacy policy lets international users know that “your Personal Information will be transferred from your location to our facilities and servers in the United States”, but there is no guidance on whether they process this personal information in line with the US data protection regulations or EU users can rely on the protection GDPR offers.
Ada Health: confusing in the best European fashion
Germany-based Ada offers AI-backed mobile health app services for users. As with any decent European enterprise, you will find a book’s worth of privacy information under the relevant section of the website, starting with GDPR (in bold), and an assurance that it is vitally important for them that customers should feel secure when using their services.
This is followed by thousands of words of legal mambo-jumbo no real human is capable to read and understand. It is especially sweet as they don’t forget to mention “Before starting using our Services, you should read our Privacy Policy carefully. “ A staple example of corporate compliance without the slightest intent to actually help the user.
Trying to make sense of it, this is what I found:
- There is an extensive list of what kind of data they collect for what purposes under section 3 of the privacy policy. It all makes sense, using this app, we want health assessment, which is not possible without providing health data and records.
- The interesting part comes under section 6 though, when we get to “disclosure of personal data” with third parties. Based on my understanding, they work with a number of US service providers, whom they asked nicely to behave in a proper European way, please.
- Apart from that they assure users they will not transfer personal data to third parties unless the case falls in the listed exceptions, which includes basically anything: they buy or sell assets, their company gets acquired, and here users’ rights to opt-out are not listed.
- Another interesting snippet is the list of their “third-party processors to provide infrastructure services” which is a long list that includes Amazon, Google and Facebook.
- The whole document is extremely confusing, statements like “We will never share your personal health information with advertisers or third parties” are followed by “A full list of our third-party processors processing your personal data on our behalf and strictly according to section 3 above can be found here.” and “we do not transfer your personal data to third parties – with the exception, when applicable, of the purposes listed below”.
All in all, this is a prime example of how you basically have no idea about what happens to your personal information, even after reading the relevant sections of the document multiple times.
Open questions: well, GDPR is supposed to ensure my privacy rights, but despite that, I still don’t understand what happens to my data and what control I have over it.
AI-based voice-over Revoicer: we have your data, thanks for all the fish
In a way, reading the privacy policy of Revoicer was a breath of fresh air after the Ada statement. Revoicer promises nothing, they collect data and intend to use it. They will use collected data to sell you products, send offers from third parties, and for advertising, retargeting, and tracking sales. They also include tracking pixels – analytics tools capable of collecting personal information without the users’ consent – from Facebook and Google. Apart from these cases, Revoicer assures me that “We do not share your personal information (email, phone number) with anybody.” Ok, thanks.
The Revoicer homepage also doesn’t say a word about the usage rights of generated content. This can be problematic in certain cases. Theoretically, I could use the platform to create the audio parts of my next mega-hit YouTube video generating 7 billion views. No idea what happened if the company requested compensation for the assumed financial results of this.
Open questions: Re personal data: nothing. They collect your data and use it in every possible way they can. Re content usage rights: everything.
AI-based video generator Synthesia: you have the content, we have your data.
Synthesia terms of use state that users retain all rights regarding input (uploaded data) and output (created content). Users are responsible for not uploading copyrighted materials they don’t own or anything that is against the law.
Regarding processing personal information, they seem to mix the Ada and the Revoicer approach. There is a looong text frequently mentioning GDPR and the information that they collect data, track users and allow Google, Facebook, Hubspot and Stripe to collect analytics data about users.
Open questions: not really, you need to be aware that they might store lots of data. The privacy policy offers you guidance on how you can inquire about what they actually have and some – not highly useful – links to the privacy policies of third parties that may also have access to some parts of your data.
Meeting transcription AI Fireflies has rights to all of your content
Another extremely confusing case is Fireflies.ai, a tool that is “used across 62,000 organizations”. The software is supposed to provide you assistance in taking automated notes and summaries of meetings.
Their “terms of service” is an exceptionally miserly read. Through a long and highly user-unfriendly pdf, they list all your responsibilities and decline any of their own.
According to the terms of use “By making available any User Content through the Services, you hereby grant to Fireflies a worldwide, irrevocable, perpetual, non-exclusive, transferable, royalty-free license, with the right to sublicense, to use, access, view, copy, adapt, modify, distribute, license, sell, transfer, publicly display, publicly perform, transmit, stream, broadcast and otherwise exploit such User Content on, through or by means of the Services.”
For my layman’s brain, this means that whatever I use the service for can be published – which makes me seriously wonder what those 62,000 organizations were thinking when opting in.
Their privacy policy is a similarly unpleasant experience, they promise basically nothing.
Open questions: why would anyone use such a service???
Give me the takeaways, man!
If you got this far, I’m sure you already surmised a key takeaway: don’t take anything for granted. These were just a handful of random examples from a wide range of AI applications.
We covered some that are currently mostly used by the masses for fun (Midjourney, DALL-e, ChatGPT), some that are used by individuals for personal purposes (ADA health) and some that are most likely utilized in the corporate world (Revoicer, Synthesia, Fireflies). As you see, the privacy and potential legal issues are far from being settled and can be hugely different between various apps.
Whenever you give away personal or corporate data and/or create personal/corporate content, you need to take the time (and misery) to dive into these typically verbose documents and learn for yourself what kind of trade you are expected to make.
The post Here Is What Even Healthcare AI Companies Do With Your Data appeared first on The Medical Futurist.
