The AI Legal Challenge: Balancing Progress And Security in Tackling Unauthorized Access

THE AI LEGAL CHALLENGE: THE AI LEGAL CHALLENGE: BALANCING PROGRESS AND SECURITY IN TACKLING UNAUTHORIZED ACCESS By Umar Shahid, Bar at Law* Artificial intelligence ( AI ) is another chapter in a recent series of disruptive technologies to have a complicated relationship with law. A technology that continuously evolves, forcing businesses to keep changing and introducing new applications in the market. The impact of such disruptive technologies has always posed a challenge to the traditional legal systems, with which the new concepts are often incompatible and sometimes entirely alien, often making the traditional applications redundant. Like fitting a cube in a round hole. It can be argued that no recent technology has the potential to be as disruptive as AI, be it from a business evolution perspective, or the impact on human participation. From a legal and commercial point of view, one of the biggest challenges posed by the introduction of AI is ensuring data protection, not just from misuse, but also from unauthorized access. From a business perspective any authorized access by AI can, not only result in leak of confidential information, but also undermine the monetary worth of such data, especially if the protection or grant of access to such data is a core element of such businesses model. Though defining AI for legal application is a separate debate altogether, at present, English law defines it as technology enabling the programming or training of a device or software to (i) perceive environments through the use of data; (ii) interpret data using automated processing designed to approximate cognitive abilities; (iii) make recommendations, predictions or decisions; with a view to achieving a specific objective."1. This definition itself raises questions about what the technology will do to achieve that specific objective. How will AI interpret and use data it is not authorized to access? The hallmark of AI, its ability to learn, rather than preprogrammed codes, makes it impossible to determine this. Its present capability allows AI to gather human knowledge and reproduce human intelligence but not human empathy. As such, AI can define ethics but not implement it. It cannot choose to do something unethical and then have a change of heart. It cannot, on its own, distinguish between right and wrong. This means, in completing its tasked objective, it may carry out an operation that may be considered unethical in the legal context, including infringing protected data or bypassing payment walls. Various jurisdictions have defined AI, however, it is yet to find an identity for itself in Pakistan law. Pakistan has introduced the National Artificial Intelligence Policy (the Policy ) and a draft bill, to make provisions for the regulation of artificial intelligence and related matters in Pakistan (the Bill ). The policy does not define AI or AI systems; however, the Bill defines AI to mean a combination of human and digital intelligence-based ecosystem, that work together to develop an efficient and sustainable information technology system for learning, problem identification / resolution, reasoning and research to influence physical and virtual environments in real time.2 This definition of AI under the Bill, when compared to other jurisdictions with a better understanding of the disruptive technology, appears to be rudimentary. Moreover, even though the policy sets out objectives with respect to the application of AI, the Bill is silent on all matters pertaining to the specific use, regulation, advancement and implementation of AI and AI systems. Both the Policy and the Bill certainly do not tackle the concern of AI accessing information without due authorization and any preventive measures and consequences in relation thereto. This brings us to the important question of how to regulate AI in terms of data protection, especially in the commercial context? The Artificial Intelligence Act of the European Union3 (the EU AI Act ) has been passed to implement a comprehensive framework of ethical and legal standards for the development and deployment of trustworthy AI systems. The EU AI Act works on the basis of seven principles with the paramount concern being the handling of personal data. The seven principles include human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination and fairness; social and environmental well-being; and accountability. From a privacy and data governance view, it is important to note that the EU AI Act, in order to ensure a high-level protection of personal data, whilst supporting innovation of AI, grants the same protection as enshrined under the Charter of Fundamental Rights of the European Union ( the Charter ) as a fundamental right. The fundamental right to the protection of personal data is safeguarded in particular by Regulations (EU) 2016/679 (11) and (EU) 2018/1725 (12) of the European Parliament and of the Council and Directive (EU) 2016/680 of the European Parliament and of the Council (13). As per the EU AI Act, the right to privacy and to protection of personal data must be guaranteed throughout the entire lifecycle of an AI system.4 It seeks to achieve this by applying the principles of data minimization and data protection in the design of an AI system. The EU AI Act recommends the measures that service providers may adopt in order to ensure compliance with such principles which may include the use of technology that allows AI algorithms to be trained without the transmission between parties or copying of raw data without prejudice to the requirements on data governance. Even though, the EU AI Act has linked the protection of personal data with the protection of fundamental rights under the Charter and has proposed measures for the use of AI systems in this regard, the EU AI Act also does not specifically address the business concern of AI without due authorization accessing data that has value to an entity and reproduces the same for a user that has not paid the requisite consideration for such data. Similarly, a White Paper has been introduced in the United States of America, which is a Blueprint for an AI Bill of Rights.5 The White Paper is based on five principles namely safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation and human alternative, consideration, and fallback.6 The important principle with respect to the question at hand being data privacy. In essence, as per the White Paper, a user should have control over their data and privacy protection should be built in by default. In this respect, the collection of data should be limited and consent must be obtained from the owner of the data. Additionally, surveillance should be regulated to prevent any harm to the owner of the data and transparency should be ensured in order to respect the rights of the individual. However, it seems that the White Paper, and the Bill it proposes to introduce, focuses on protecting and regulating the collection and use of personal data of citizens by AI and AI systems and does not address the unauthorized access and use of information of value to entities essential for business operations. The need for such express regulation is even more evident now that online databases/resource providers have initiated lawsuits against AI service providers. One famous instance of relevance is the lawsuit filed by the New York Times against OpenAI and its partner Microsoft for copyright infringement7 due to OpenAI taking millions of articles off the New York Times website to, allegedly, train the ChatGPT algorithm. As per the New York Times, ChatGPT, based on prompts by users, reproduces parts of its articles without any changes and shares content which is important to the New York Times as, inter alia, it has been collected and collated after investigations by its reporters.8 The New York Times also alleged that there were instances of ChatGPT making up articles and attributing the same to it.9 Such actions by ChatGPT constitute copyright violations and undercut the New York Times business model which is reliant on subscriptions and similar revenue sources. The lawsuit is yet to conclude, however, the legal, the tech and the business world have their eyes fixated on the progress of the case as the lawsuit is the first major step for AI s interaction with copyright laws and companies business models.10 From a Pakistan business perspective, it seems that the Bill, if it takes a shape of law in its current form, may be redundant at inception. The Policy and any resulting law can take inspiration from the EU AI Act in terms of prompting the growth of AI and its safe use. However, it would need go beyond the EU AI Act and the proposed Bill as envisaged by the White Paper in the US for protecting unauthorized access by AI with the result of undermining companies profitability. The practicality of any safeguards that can be built into AI systems as mandated by law is open to debate as the nature of AI is such that it may eventually bypass any in-built safeguards and, despite compliance with law by the developer, result in unethical, unauthorized use of data by an AI system. Further, the issue of unauthorized access and use is a part of a much broader debate regarding ownership of works reproduced by AI based on information retrieved from natural persons and the concept of fair use. * Partner at Orr, Dignam & Co. 1 Definition of artificial intelligence - National Security and Investment Act, 2021. 2 hhtps://senate.gov.pk/uploads/documents/1725968951 269.pdf. 3 Regulation (EJ) 2024/1689 of the European Parliament and of the Council of 13 June, 2024 laying down harmonized rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU)) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance) 4 Ibid. 5 https://www.whitehouse.gov/wp-content/uploads/2022/10/Blueprint-for-an-Al-Bill-of-Rights.pdf. 6 Ibid. 7 https://hls/harvard.edu/today/does-chatgpt-violate-new-york-times-copyrights/. 8 Ibid. 9 Ibid. 10 Ibid.