![](\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2023\/03\/28\/16\/cybersecurity_main-100939073-small.jpg\"\/)
<\/p>\n
Reflecting warnings given earlier<\/a>, Apple is now among the growing number of businesses banning employees from using OpenAI’s ChatGPT<\/a> and other similar cloud-based generative AI services in a bid to protect data confidentiality. The Wall Street Journal<\/a><\/em> reports that Apple has also barred staff from using GitHub\u2019s Copilot<\/a> tool, which some developers use to help write software.<\/p>\n A recent survey<\/a> found that 39% of Mac developers are using the tech.<\/p>\n While a ban may seem extreme, it shows the company is paying attention to the flood of warnings emanating from security professionals regarding the use of these services. The concern is that their use could lead to the disclosure of sensitive or confidential data. Samsung banned the tools earlier this year when it discovered that staff had uploaded confidential source code to ChatGPT.<\/p>\n Security professionals are very aware of the problem. Wicus Ross, senior security researcher at\u00a0Orange Cyberdefense warns<\/a>:<\/p>\n \u201cWhile AI-powered chatbots are trained and further refined by their developers, it isn\u2019t out of the question for staff to access the data that\u2019s being inputted into them. And, considering that humans are often the weakest element of a business\u2019 security posture, this opens the information to a range of threats, even if the risk is accidental.\u201d<\/p>\n While OpenAI does sell a more confidential (and expensive to run) self-hosted version of the service to enterprise clients, the risk is that under the public use agreement, there is very little to respect data confidentiality.<\/p>\n That\u2019s bad in terms of confidential code and internal documentation, but deeply dangerous when handling information from heavily regulated industries, banking, health and elsewhere. We have already seen at least one incident in which ChatGPT queries were exposed to unrelated users<\/a>.<\/p>\n While Apple\u2019s decision may feel like an over-reaction, it is essential enterprises convince staff to be wary of what data they are sharing. The issue is that when using a cloud-based service to process the data, it is very likely the information will be retained by the service, for grading, assessment, or even future use.<\/p>\n In essence, the questions you ask a service of this kind become data points for future answers. Information supplied to a cloud-based service may be accessed by humans, either from inside the company or by outside attack. We\u2019ve already seen it happen. OpenAI had to take ChatGPT offline following a data breach earlier this year<\/a>.<\/p>\n Advice from the UK National Cyber Security Research Center<\/a> (NCSC) explains the nature of the risk. It points out that queries will be visible to the service provider, stored and \u201calmost certainly\u201d be used to develop the service at some point.<\/p>\n In this context, the terms of use and privacy policy for a service need to be scrutinized deeply before anyone makes a sensitive query. The other challenge is that once a question is asked, it, too, becomes data.<\/p>\n As the NCSC explains: \u201cAnother risk, which increases as more organizations produce LLMs, is that queries stored online may be hacked, leaked, or more likely accidentally made publicly accessible. This could include potentially user-identifiable information.\u201d<\/p>\n There is also another layer of risk as consolidation across the AI industry accelerates<\/a>. A user might ask a sensitive question of a verified secure LLM service that meets all the requirements of enterprise security protocols on Tuesday, but that service could be purchased by a third-party with weaker policies the following week.<\/p>\n That purchaser would then also take possession of the sensitive enterprise data previously supplied to the service but protect it less effectively.<\/p>\n These concerns aren\u2019t being raised because security professionals have seen them in some form of fever dreams; they reflect events we\u2019ve already seen. For example, one recent report revealed over 10 million confidential items, such as API keys and credentials were exposed in public repositories such as GitHub last year<\/a>.<\/p>\n Much of the time, this kind of confidential data is shared through personal accounts using services of this kind, which is what has already happened to information from Toyota<\/a>, Samsung<\/a>, and, presumably given the ChatGPT usage ban, Apple.<\/p>\n With this in mind, most security professionals I follow are united in warning users not to include sensitive\/confidential information in queries made to public services such as ChatGPT.<\/p>\n Users should never ask questions that could lead to issues if they became public, and within the context of any major company attempting to secure its data, a blanket ban on use is by far the easiest solution, at least for now.<\/p>\n It won\u2019t always be this way.<\/p>\n The most logical path forward is toward small LLM systems capable of being hosted on the edge device. We know it is possible, as Stanford University has already been able to make one\u00a0run on a Google Pixel phone<\/a>. This makes it plausible to anticipate that at some point, no one will be using the recently introduced ChatGPT app on an iPhone, because they\u2019ll be using a similar tech supplied with the phone itself.<\/a><\/p>\n But the bottom line for anybody using cloud-based LLM services is that security is not guaranteed and you should never share confidential or sensitive data with them. It\u2019s a testament to the value of edge processing and privacy protection<\/a> in a connected age.<\/p>\n Please follow me on\u00a0Mastodon<\/a>, or join me in the\u00a0AppleHolic\u2019s bar & grill<\/a>\u00a0and\u00a0<\/em>Apple<\/em>\u00a0Discussions<\/em><\/a>\u00a0groups on MeWe.<\/em><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Reflecting warnings given earlier<\/a>, Apple is now among the growing number of businesses banning employees from using OpenAI’s ChatGPT<\/a> and other similar cloud-based generative AI services in a bid to protect data confidentiality. The Wall Street Journal<\/a><\/em> reports that Apple has also barred staff from using GitHub\u2019s Copilot<\/a> tool, which some developers use to help write software.<\/p>\n<\/p>\n