iAnybody interested in generative A.I. or data privacy needs to stop what they’re doing and pay attention to this one right now.
A new complaint filed in California this week involving OpenAI and Microsoft and how they are training generative AI tools may be the single biggest civil lawsuit in history–and the effects will ripple far and wide across the backbone of the American e-commerce backbone.
First, a reminder– litigation under the California Invasion of Privacy Act (CIPA) is now the most dangerous litigation on the face of the planet.
With $5k in exposure per illegally recorded web session–and billions of California-based web visits occurring daily–there is a wellspring of potential CIPA exposure rivaling the GDP of developing nations being generated daily.
The essence of many recent CIPA cases is that information shared by consumers with companies online is being listened in on by third-parties–often using java-embedded within a consumer’s browser–for various purposes.
Well in a new and sprawling complaint filed this week in the Northern District of California a Plaintiff is contending that ChatGPT and OpenAI are illegally eavesdropping on consumer interactions with popular applications and seeks an unspecified recovery on behalf of a massive class–and there could be trillions of dollars at issue in this case.
The Complaint in P.M., et al. vs. OPENAI LP, and MICROSOFT CORPORATION,–available here Open AI CIPA — is sprawling and asserts numerous claims arising out of Big Tech’s alleged surreptitious use of consumer chats to feed its AI machine learning products.
As to the CIPA claim, the Plaintiffs allege:
The transmissions of Plaintiffs’ and ChatGPT API Class Members’ communications (including but not limited to chats, comments, replies, searches, keystrokes, mouse clicks/movements, signals, browser activity, or other data, activity, or intelligence) on various applications, programs, platforms, websites which integrate ChatGPT API (i.e., Stripe, Snapchat, etc.) qualify as “electronic communications” under Cal. Penal Code §629.51(2).
By incorporating ChatGPT technology on third-party platforms, Defendants are in the unique position of having unrestricted, real-time access to the users’ every input, move, chat, comment, reply, search, keystroke, or other browser activity/communication on the third-party platform.
As Plaintiffs and ChatGPT API Class Members interact with the third-party platform, Defendants intentionally tap, electrically or otherwise, the lines of internet communication between Plaintiffs and ChatGPT API Class Members, and/or third-party entities.
In disregard for Plaintiffs’ and ChatGPT API Class Members’ privacy rights, Defendants act as a third-party “eavesdropper,” redirecting Plaintiffs and Chat-GPT API Members’ electronic communications to Defendants’ own servers for appropriation, and training of their Products
Defendants’ interception of the contents of Plaintiffs’ and ChatGPT API Class Members’ communications happens contemporaneously with their exchange of such communications, whether such communications are directed to Plaintiffs’ and ChatGPT API Class Members’ friends, colleagues, or third-party entities. As described above, the ChatGPT technology, integrated on various platforms, is designed to simultaneously intercept and send a recording of each keystroke, mouse click, movement, writing, or other data, activity, or intelligence to Defendants sufficient to not only identify Plaintiffs and ChatGPT API Class Members’, but also to be able to understand, collect, and use for training Plaintiffs’ and ChatGPT API Class Members’ communications.
Through this calculated scheme of using ChatGPT technology, integrated on various non-ChatGPT platforms (such as Snapchat, Stripe, etc.) to intercept, acquire, transmit, and record Plaintiffs’ and ChatGPT API Class Members’ electronic communications, Defendants willfully and without valid consent from all parties to the communication, take unauthorized measures to read and understand the contents or meaning of the electronic communications of Plaintiffs and ChatGPT API Class. The interception and recording of electronic communications occurs while the electronic communications are in transit or passing over any wire, line, or cable…
HOLY MOLY.
To my eye, if these allegations are true the Plaintiffs have actually asserted a valid claim under CIPA. This sort of real-time reading and analysis of ongoing communications is PRECISELY what the CIPA was designed to prevent. So unlike some of the silly web session recording cases we have seen P.M. really seems to have legs.
A bunch of classes at issue here including:
a. Non-User Class: All persons in the United States whose PII, Personal
Information, or Private Information was disclosed to, or accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
b. ChatGPT User Class: All persons in the United States who used ChatGPT,
whose Private Information was disclosed to, or intercepted, accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
c. ChatGPT API User Class: All persons in the United States who used other
platforms, programs, or applications which integrated ChatGPT technology,
whose Private Information was disclosed to, or intercepted, accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
d. Microsoft User Class: All persons in the United States who used Microsoft
platforms, programs, or applications which integrated ChatGPT technology,
whose Private Information was disclosed to, or intercepted, accessed, collected,
tracked, taken, or used by Defendants without consent or authorization.
e. Minor ChatGPT User Class: All persons in the United States who, while 16
years or younger, used ChatGPT, or other platforms, programs, or applications
which integrated ChatGPT API or ChatGPT Plug-In, whose Private
Information was disclosed to, or intercepted, accessed, collected, tracked,
taken, or used by Defendants without consent or authorization.
f. ChatGPT Plus User Class: All persons in the United States who used ChatGPT website or mobile app and whose Personal Information or PII was intercepted, accessed, collected, tracked, stored, shared, taken, or used by Defendants without consent and/or authorization
While it is impossible at this stage to say how many people are in each class, given the millions of daily users these platforms have it is easy to imagine damages surpassing $5BB a day. So while Microsoft famously has over $100BB in cash on hand at any one time, this case could exceed $1.5TT in damages with relative ease–and that’s just looking at one year of exposure.
My goodness.
It is not an overstatement to say that P.M. may be one of the most consequential civil actions ever filed. Not only are the available damages here potentially enough to bankrupt both Microsoft and OpenAI, the crushing and stifling impact of the CIPA as applied to emerging generative AI tools may be sufficient to set back Americas’ AI ambitions and allow less litigious nations–say, China–to take a clear lead in the world’s great AI arms race.
And notably, this complaint does not appear to be some slapped-together hogwash by some lawyer with a crazy pipedream. This thing is well crafted and well thought out. Indeed, even beyond CIPA there are a number of claims that have credibility. This could be an absolute nightmare for OpenAI and Microsoft to deal with.
Obviously, Troutman Amin, LLP has been at the forefront of legal issues in this space and are closely following and reporting on developments here.
