In a startling revelation, it has come to light that staff members from the Department of Defense have accessed the servers of the AI chatbot ChatGPT without proper authorization, using the service thousands of times. These unauthorized connections were made through the web domain of OpenAI, the company behind ChatGPT, raising concerns about potential data breaches and privacy violations. The incident has prompted the Department of Defense to immediately restrict access to OpenAI’s web domain to prevent further unauthorized use and potential security risks.
Unauthorized access and data breach concerns
Documents obtained through a freedom of information request by Crikey indicate that Department of Defense personnel, using devices such as computers and smartphones, connected to webpages under the OpenAI.com domain approximately 5630 times over six months, from December 1, 2022, to June 30, 2023. The connection pattern suggests that users accessed the domain through the online web interface, likely excluding third-party services or smartphone apps offered by OpenAI.
OpenAI’s suite of AI products
OpenAI.com is the hosting platform for a range of AI products developed by the company, including ChatGPT, which was initially launched on November 30, 2022. The platform also hosts other AI offerings like the text-to-image generator DALL-E-2 and GPT-4, along with various other webpages associated with OpenAI.
Defense department’s response
In response to these unauthorized connections, the Department of Defense has taken steps to curtail further access to OpenAI’s services. The department’s accredited decision-maker, David Evans, emphasized that the access to OpenAI’s products, especially “online AI services such as Chat GPT,” has not been approved by the department. Limiting access aims to prevent any potential compromise of classified or private information, safeguarding sensitive data.
Questions unanswered
Despite the action taken by the Department of Defense, there remain several questions regarding the nature of the unauthorized connections and the timeline of events. The department acknowledged the receipt of a media request from Crikey. Still, it did not specify which connections occurred before the restrictions were imposed, when they were enacted, or whether any legitimate reasons were cited for allowing access despite the limitations.
Lack of clear government policy
Interestingly, federal departments have no comprehensive government-wide guidance concerning the use of generative AI products like ChatGPT. Earlier this year, the Digital Transformation Agency offered a cautious endorsement of public service experimentation with such AI services, advising that while experimentation was not discouraged, a thorough assessment of potential risks should be conducted. However, no specific regulations or guidelines were issued.
The call for robust regulation
Greens Senator for NSW and digital rights spokesperson David Shoebridge has expressed deep concern over Department of Defense staff’s unauthorized use of AI services. Shoebridge pointed out that the large number of unauthorized connections indicates a lack of comprehensive policy to address security concerns posed by emerging technologies. He called for implementing new policies and regulations that govern the use of generative AI in government settings, especially given the presence of sensitive and classified information. Shoebridge highlighted the importance of refining security controls to prevent incidents like these from occurring in the future.
Department of Defense staff’s unauthorized use of ChatGPT underscores the urgent need for clear regulations and guidelines governing the use of AI services in government departments. The incident has shed light on the potential risks of unauthorized data access and privacy breaches, emphasizing the importance of robust security measures in an era of emerging technologies. How the government responds to these concerns remains to be seen, and whether comprehensive policies will be enacted to address the security challenges posed by AI services.
