If You Build It, They Will Come--And Try To Steal It


I tell you “put all your eggs in one basket, and then watch that basket.” Look round you and take notice; men who do that do not often fail. It is easy to watch and carry the one basket. It is trying to carry too many baskets that breaks most eggs in this country. --Andrew Carnegie, addressing the students of Curry Commercial College, June 23, 1885

It is a depressing truism of cybersecurity that if you create a cyber asset of unimaginable value and power, you create a target so tempting that you will be forced to vigorously defend it. "Watch that basket" indeed!

In the 1980s, so it was with the data warehouse, a single database wherein all your organization's information was to be found. What promise! A single place to aggregate all that normalized data, from which you would glean untold insight into your operations! Assuming you could solve the data normalization problem, the real-time interface problem and the very tricky problem of granting access to everyone who might legitimately need it while denying access to anyone who was not authorized. But at least you knew who was making the data repository and how the data was collected and stored.

In the 1990s, so it was with the local (departmental) database, owned and operated by the people who knew the data best. The enterprise database had become a fortress from which it was nearly impossible to get data, so we rolled our own, oriented toward our specific needs and well-understood by its users. Theoretically. Assuming that your data collection and cleaning were working. Again, you knew what you were getting into. Theoretically.

In the 2000s the Computer Cloud was born: you no longer had to be a data weenie to have a database! You could access that database from anywhere, so long as you had credentials. It was glorious, so long as you trusted whoever ran your cloud. But at least you were collecting the data and you were deciding what to collect and you knew it was being collected.

Also in the 2000s we started "googling" things on the Internet and were equal parts pleased and concerned when Google started remembering what we each liked to search for. But Google was a single entity with explicit accounts and relationships, and we were getting something in return for the targeted ads. It was not ideal, but it was acceptable to most of us. At some level we realized that we were giving away personal data but we thought we understood the deal: better search for better ads. We had the ads anyway, so why not have more appropriate ones?

Shortly thereafter, we started letting our phones know where we went and who we interacted with. That was also pretty creepy, but the advantages were huge: convenience for some, peace of mind for others. But we also were comforted by the fact that Apple and other vendors had some skin in the game: they could be sued if something went wrong.

Now we are in the grip of AI fever: we are busy training ChatGPT and its like with our prompts and our data and we are creating a wonderfully detailed and nuanced database all about us. But we don't control that database and we have no idea how well protected it is, or what it might be used for, or who might buy it.

Note that we are not talking about the various copyright violations which went into training the AIs, mostly on public data. Those are a serious problem, but not the problem we are addressing here.

Here we are talking about the implicit database you are creating when you use ChatGPT or similar software to summarize your own data and when you spend hours refining prompts in order to get better results. Your prompts leak information about you, much more than you likely realize.

As you get better at using these AIs, they get better at being used because they are getting to know you. What are they getting to know? Who owns that data? Is that data safe? Is it for sale? What is it used for?

In your personal life, if you are going to keep getting a free lunch, you should spare a thought about how the restaurant is getting paid. In your professional life, you need to extend your cybersecurity policies and procedures to cover AI use. As always with cybersecurity, you can wait until the horse is gone before closing the barn door, or you can get ahead and try to stay ahead. 

Don't play catch-up with your AI policies. You can get ahead of this issue and Pythia Cyber can help.
