Coco and GDPR: Privacy Risks With Conversational AI


Published by: Yaki Dunietz

Voice- and text-based conversational AI is quickly permeating all kinds of online services and applications, and more and more users and deployers of these technologies are raising questions about privacy, and in particular about GDPR compliance.

These concerns are not limited to the scenario of a human conversing with a bot; the same questions arise when the chat takes place between two humans. Who else is listening in on the conversation? Is it being recorded? And is the information disclosed in these private dialogs being stored, processed, and used in some way?


A new form of data abuse?

The reason such concerns have surfaced more recently is this: corporations can now hold many simultaneous one-on-one dialogs using conversational software. With computers on the other side of the line, and computers having long memories and a tendency to remember everything, the suspicion of data abuse suddenly takes a very concrete form. That is why large early adopters of mass-market conversational AI go out of their way to make sure no sensitive data is at risk.

In recent years I have been involved in deploying bots for Fortune 500 companies such as Disney, Viacom and Hyundai, and they were all very particular about what personal data is exposed in the conversations their bots hold with visiting users. In some cases, the deployers even refused to ask for the visitor's name, in order to minimize the risk of privacy-related complaints.


Say a large corporation “A” wants to deploy a customer-service chatbot. It may approach a digital agency (corporation “B”) to plan and deploy the system, typically with the help of a software house (“C”) specializing in chatbots. The system will usually be built on one of the many bot-development platforms (“D”) and will make NLP, translation and/or text-to-speech API calls (“E”, “F” and “G”). So it is safe to say that besides “A”, every entity in the chain (“B” through “G”) is a privacy risk: they are ALL exposed to the entire conversation!
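To make the exposure concrete, here is a minimal sketch, in Python, of how a conventional pipeline typically moves data around. The functions below are placeholders standing in for the external services, not any real vendor's API; the point is simply that every downstream call receives the full conversation.

```python
# Hypothetical sketch of a conventional chatbot pipeline.
# Each stub below stands in for an external vendor ("D" through "G").
# Note that every call ships the entire conversation to a different party.

def nlp_detect_intent(text: str) -> str:
    """Placeholder for an external NLP / intent API ("E")."""
    return "reschedule_appointment"

def translate(text: str) -> str:
    """Placeholder for an external translation API ("F")."""
    return text

def bot_respond(intent: str, text: str) -> str:
    """Placeholder for the bot-development platform ("D")."""
    return f"Sure, I can help you {intent.replace('_', ' ')}."

def synthesize_speech(text: str) -> bytes:
    """Placeholder for an external text-to-speech API ("G")."""
    return text.encode()

def handle_turn(transcript: list[str], user_message: str) -> str:
    transcript.append(user_message)
    full_context = "\n".join(transcript)

    # Every vendor in the chain sees the full context, personal data included.
    intent = nlp_detect_intent(full_context)
    translated = translate(full_context)
    reply = bot_respond(intent, translated)
    synthesize_speech(reply)

    transcript.append(reply)
    return reply

transcript: list[str] = []
print(handle_turn(transcript, "Hi, I'm Jane Doe, 12 Elm St. I need to reschedule."))
```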

So – what can you do?

1. Ask the entire supply chain for GDPR compliance
2. Ask the user to sign a privacy waiver
3. Do not use Conversational AI for private matters

I know. None of these really solve the problem. So here’s another suggestion: Use CoCo!

A bot constructed with Conversational Components eliminates the risk from almost the entire supply chain listed above. Only “A” (the deployer) and “B” (the digital agency) are exposed to the entire dialog. Every other party receives only isolated bits and pieces of it, without context or cross-references. Each participating component handles its own limited function and never sees the rest of the user’s details, so no component in itself poses a privacy risk. The name component knows ONLY names, the address component knows only addresses (and no names), and so on. The full conversation, including the personal data, remains in the hands of the deployer alone.
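Here is an equally minimal sketch of that component-based alternative. The component and field names are illustrative, not CoCo's actual API; the point is that the orchestrator run by the deployer keeps the full state, while each component is handed only the single item it needs.

```python
# Hypothetical sketch of a component-based dialog.
# The full session state lives only with the deployer's orchestrator ("A");
# each component receives one isolated utterance and nothing else.

from dataclasses import dataclass, field

@dataclass
class Session:
    collected: dict[str, str] = field(default_factory=dict)

def name_component(utterance: str) -> str:
    """Placeholder name-collection component: sees only this one utterance."""
    return utterance.strip()          # pretend this extracts a name

def address_component(utterance: str) -> str:
    """Placeholder address component: sees an address, never a name."""
    return utterance.strip()          # pretend this extracts an address

def orchestrate(session: Session, slot: str, utterance: str) -> None:
    # Route the isolated utterance to the one component that handles it.
    handlers = {"name": name_component, "address": address_component}
    session.collected[slot] = handlers[slot](utterance)

session = Session()
orchestrate(session, "name", "Jane Doe")
orchestrate(session, "address", "12 Elm Street, Springfield")
# Only the deployer's session object ever holds both pieces together.
print(session.collected)
```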

Chatbots built with components are much safer, from a GDPR standpoint, than bots built in one place, and this is only a side effect of CoCo’s architecture. That architecture enables collaboration and code reuse across otherwise incompatible platforms, as well as extensive testing of new components submitted by vendors. And it keeps personal data strictly on a need-to-know basis!