klabb3|6 months ago
Before AI, you needed to trust the recipient and the provider (Gmail, Signal, WhatsApp, Discord). You could at least make educated guesses about both for the risk profile. Such as: if someone leaks the code to this repo, it’s likely a collaborator or GitHub.
Today, you invite someone to a private repo and the code gets exfiltrated by a collaborator running whatever AI tool simply by opening their IDE.
Or you send someone an e2ee message on Signal but their AI reads the screen/text to summarize and now that message is exfiltrated.
Yes, I know it’s “nothing new”, “in principle this could happen because you don’t control the client”. But opsec is also about what happens when well-meaning participants become accomplices in data collection. I used to trust my friends enough to not share our conversations. Now the default assumption is that text & media on even private messaging will be harvested.
Personally I’m not ever giving keys to the kingdom to a remote data-hungry company, no matter how reputable. I’ll reconsider when local or self-hosted AI is available.
JumpCrisscross|6 months ago
> used to trust my friends enough to not share our conversations. Now the default assumption is that text & media on even private messaging will be harvested
I would seriously reëvaluate my trust level in a friend or colleague who installs a non-ADA screen reader on their phone. At least to the level of sharing anything sensitive.
DaiPlusPlus|6 months ago
Assuming the courts simplify Otter AI down to being a glorified call recording and transcribing tool (because the fact it's "AI" isn't really relevant here w.r.t. privacy/one/two-party-consent rules), then doesn't the legal responsibility here lie with whichever person added Otter AI to group-calls without informing the other members?
----
EDIT: So the crux of the matter is whether-or-not having Otter AI automatically join meetings via their Slack/Zoom/etc integrations is by-itself legally wrong - or not:
> "In fact, if the meeting host is an Otter accountholder who has integrated their relevant Google Meet, Zoom, or Microsoft Teams accounts with Otter, an Otter Notetaker may join the meeting without obtaining the affirmative consent from any meeting participant, including the host," the lawsuit alleges. "What Otter has done is use its Otter Notetaker meeting assistant to record, transcribe, and utilize the contents of conversations without the Class members' informed consent."
I'm surprised the NPR article doesn't touch on the possible liability of whoever added Otter in the first place - surely the buck stops there?
gruez|6 months ago
> doesn't the legal responsibility here lie with whichever person added Otter AI to group-calls without informing the other members
IANAL but companies providing a product have certain responsibilities too, especially when they're intended to be used for a given purpose (i.e. recording meetings with other people on it). Most call recording software I come across has a recording notice that can't be disabled, presumably to avoid lawsuits like this.
> EDIT: So the crux of the matter is whether-or-not having Otter AI automatically join meetings via their Slack/Zoom/etc integrations is by-itself legally wrong - or not:
Note the preceding paragraph also notes that even when the integrations aren't used, Otter only obtains consent from the meeting host. In all-party consent states that's clearly not sufficient.
> because the fact it's "AI" isn't really relevant here
Again, IANAL, but "recording" laws might not apply if they're merely transcribing the audio? To take an extreme case, it's (probably) legal to hire a stenographer to sit next to you on meetings and transcribe everything on the call, even if you don't tell any other participants. Otter is a note-taking app, so they might have been in the clear if they weren't recording for AI training.
nearysvoice|6 months ago
Apparently, I am "inviting" Otter into very private work meetings and I don't even have an account. Someone else had it on a meeting and Otter took it upon itself to send notes to all people in the meeting...from "me". It said I was inviting them. I am being trolled by an AI bot and spreading it like a disease to others and I didn't even know it until I saw the invitation from me in a meeting I was in...and that's when I first learned it attached itself to me. This is like a virus and I am trying to figure out how to stop it.
cbm-vic-20|6 months ago
I've been getting Otter AI ads on the various ad-supported streaming services I watch. The ad shows a scenario where a couple of people are tapped for a last-minute meeting, but they've got other things to attend to (lunch, PTO), and they just have Otter sit in their place in the meeting.
I may be a dinosaur, but I was shocked at how casual they made this look (I know, it's just an ad), but I would be fired almost instantly at $ENTERPRISE if I did this. It almost looks like it's designed for corporate espionage.
septemberagain|6 months ago
https://news.ycombinator.com/item?id=32751071
jmort|6 months ago
I think we should have an opt-out standard via a subsonic signal, like DO NOT TRACK in browsers. Then, it's on the vendors to intentionally ignore a clear signal.
To that end, I've been working on open-sourcing https://dontrecord.me as a side project. Putting together a fork of Whisper that will follow the opt-out signal, too. If anyone wants to help, please connect.
blitzar|6 months ago
They recorded the call and sent it to all participants. It's not their fault the users are idiots.
brendang_sd|6 months ago
That’s the problem though, getting the email with a copy of the recording may be the unwitting participants’ first indication that the call was recorded without their knowledge or consent.
Otter’s defense is that it’s up to their users to inform other participants and get their consent where necessary; the claim of the lawsuit is that Otter is deliberately making a product which does not make it obvious that the call is being recorded, and by default does not send a pre-meeting notice that it will be joining and recording.
bilekas|6 months ago
> Last year, an AI researcher and engineer said Otter had recorded a Zoom meeting with investors, then shared with him a transcription of the chat including "intimate, confidential details" about a business discussed after he had left the meeting. Those portions of the conversation ended up killing a deal,
I'm sorry but this is another example of not checking AI's work. Whatever about the excessive recording, that's one thing, but blindly trusting the AI's output and then using it blindly as a company document for a client is on you.
kg|6 months ago
I checked the original tweet to try and understand this better and what appears to have happened is that Otter kept recording after he left and the VCs stayed on the call chatting (for hours, according to the tweet). This violates the assumption baked into the recording agent (all participants of the call have a right to a transcript of the whole call) by repurposing a scheduled meeting into a party line/just chatting sort of situation.
You could fix this by training people not to use booked meetings this way but I'm not sure how realistic that is to do. I think it might be that services like Otter need to be adjusted to take into account that not every part of a meeting is of equal sensitivity.
i.e. my HOA's monthly meetings have a private period for the board only and a public period for all residents. If Otter were used in this configuration, it would broadcast the exact details of those private discussions to the whole building, which might include board members discussing details that shouldn't be shared with everyone.
themanmaran|6 months ago
This just seems like massive user error. The same thing could have happened in a low tech environment. And the notetaker just made it more obvious.
Ex: Hop on a conference call with a group of people, Person A "leaves early" but doesn't hang up the phone, then the remaining group talks about sensitive info they didn't want Person A to hear.
Confiks|6 months ago
A month ago a potential customer automatically included their Otter.ai meeting agent into a Teams call. The customer never turned up (he canceled the meeting somewhat later), but a colleague and I chatted a bit in the meeting. Then the Otter.ai meeting agent posted a link in the chat, from which it was clear that everything had been recorded, up to a complete video of the meeting with full facial imagery.
As I'm a European citizen, I filed a GDPR removal request with them to remove all images of me from their servers. The email address that they list in their privacy policy [1] for GDPR requests immediately bounces and tells you to reply from an Otter.ai account (which I don't have). I was able to fill in a contact form on their website and I did receive replies via email after that.
After a few emails back and forth, their position is that
> You will need to reach out to the conversation owner directly to request to have your information deleted/removed. Audio and screenshots created by the user are under the control of the user, not Otter.
> We are required by law to deny any request to delete personal information that may be contained within a recording or screenshot created by another user under the CCPA, Cal. Civil Code § 1798.145(k), which states in relevant part
> “The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request…to delete a consumer’s personal information pursuant to Section 1798.105…shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person…[A] business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business’ possession.”
Which is a ridiculous answer towards a European user, as the CCPA doesn't apply to me at all. Furthermore, I don't think the CCPA prohibits them at all from deleting my face from their servers, as the CCPA merely stipulates that I can't compel them under the CCPA. Otter.ai can perfectly decide this for themselves or be compelled under the GDPR to delete data, and their Terms and Conditions make it clear they may delete any user or data if they wish to do so.
After these emails, and me threatening to file a lawsuit, "Andrew" from "Otter.ai Support Team" promised to escalate the matter to his manager, but I got ghosted after that: they simply stopped replying.
So I'm going to file that lawsuit (a "verzoekschriftprocedure" under Dutch law) this week. It's going to be a very short complaint.
[1] https://otter.ai/privacy-policy
Confiks|6 months ago
And out of nowhere, after posting this comment, Otter.ai now has responded after ghosting me for 3,5 weeks. They are no longer quoting the CCPA, but now are misinterpreting the GDPR and claim that every user is their own little GDPR data controller island and they're merely a "hosting platform". It's all very convenient and creative.
Their response:
> Thank you for reaching out to Otter.ai. Under Articles 12 and 17 of the GDPR, Otter.ai is able to delete personal data that is stored in and controlled by your own account. However, Otter.ai cannot delete personal data that is stored in another user’s account. In those cases, Otter.ai acts as the processor or hosting platform, and the other user is the controller for that content. As such, only that account holder has the authority to remove the content.
> If you wish to have such data deleted, we recommend that you contact the relevant user directly and exercise your rights under the GDPR with them.
> Thank you,
> Otter.ai Privacy Team
To which I responded:
> To whom am I speaking? Is this the Privacy Officer? Why have you been ignoring emails for 3,5 weeks since the 23rd of July, while a GDPR request was filed on the 8th of July?
> You know very well that a meeting agent of Otter.ai, the emails by Otter.ai and the website of Otter.ai fall under the direct responsibility of Otter.ai as data controller. Your privacy statement in no way supports a narrative that Otter.ai would act as a so-called "hosting platform". It's preposterous to suggest that every one of your users – not being a company but a private person – would be its own little GDPR data controller island and you're merely an accidental processor of data. Jurisprudence is very clear on this and this notion will be outright rejected.
> The deadline has long passed, I'm initiating a court procedure this week.
> Yours sincerely,