Guard against sensitive information disclosure on Generative AI platforms

and protect against phishing links on new top-level domains with the GPT-Guard Chrome extension

Hack day and hack week are approaching at work, and I've had several GPT-related ideas. For hack week I'm planning to prototype a use of privateGPT, since chatgpt-retrieval with LangChain uses the OpenAI API for word and sentence embedding generation; the idea is to use an existing GPT-3/3.5 model on locally generated embeddings. Details in another blog post.

The second hack day idea was also inspired by the sensitive information disclosure that is possible when employees submit personally identifiable information (PII), intellectual property, or other information that shouldn't be submitted to OpenAI or any platform using GPT. This was the case with Samsung employees leaking company information, and I'm sure it is currently occurring and will continue to occur. Users should be informed of the potential risks that come with using a GPT platform, from information disclosure through the prompts and third-party plugins to the accuracy of the generated results. ChatGPT, like other ML/AI tools, is just that: a tool. Banning it through a network appliance will solve your immediate problem, but won't teach users how to use such tools appropriately and may impact individual and company performance over the long run. Everyone should be informed of the benefits and risks as well as the dos and don'ts.

I don't have control over corporate policy, but I can write code. Let's create a Chrome extension that detects Generative AI sites and displays a prompt about the risks. It could also apply some regexes to notify the user if the prompt text contains phone numbers, email addresses, etc. I couldn't wait: I watched this FreeCodeCamp tutorial on writing a Manifest V3 Chrome extension. The preliminary code for this extension is at https://github.com/Wind010/gpt-guard.

Google has introduced new top-level domains like .zip and .mov. Corporate networks probably already block these suspicious domains, but the general public is susceptible. This extension can also stop such a site from loading, prompt the user to confirm they really want to proceed, and ask whether they were given the link in email or on some other platform, informing them of the risks and that it is possibly a phish. Speaking of phish...
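As an added example (this is not code from the gpt-guard repository), here is the pure decision logic behind both checks described above: classifying a navigation target as a Generative AI site or a link on a risky TLD, and scanning prompt text for PII before it is sent. It is written as plain functions with no chrome.* calls so it can be run and tested under Node. The host list, the TLD list and the regex patterns are my assumptions, and the Luhn filter on card-like numbers goes beyond the phone/email patterns the post mentions; it is there so that every long digit run (order IDs, timestamps) does not trigger a warning.

```javascript
// Added example, not the gpt-guard project's code. Pure decision logic for a
// GPT-Guard style extension, kept free of chrome.* calls so it runs under Node.
// The host list, TLD list, regexes and Luhn filter below are assumptions.

// Generative-AI hosts the extension should warn on (assumed list).
const GENERATIVE_AI_HOSTS = ['chat.openai.com', 'bard.google.com', 'claude.ai'];

// New TLDs that double as file extensions; .zip and .mov are the two the post names.
const RISKY_TLDS = new Set(['zip', 'mov']);

// Classify a navigation target as 'generative-ai', 'risky-tld' or 'ok'.
function classifyUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return 'ok'; // unparsable input is nothing the extension can act on
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return 'ok';
  // Lower-case and drop a trailing dot so "Example.ZIP." compares like "example.zip".
  const host = parsed.hostname.toLowerCase().replace(/\.$/, '');
  if (GENERATIVE_AI_HOSTS.some((h) => host === h || host.endsWith('.' + h))) {
    return 'generative-ai';
  }
  // Only the last hostname label is a TLD: ".../archive/main.zip" is a file in a
  // path on github.com, while "example.zip" is a host registered under .zip.
  const labels = host.split('.');
  if (labels.length > 1 && RISKY_TLDS.has(labels[labels.length - 1])) {
    return 'risky-tld';
  }
  return 'ok';
}

// Luhn checksum, used to drop most 13-19 digit runs that are not card numbers
// (order IDs, timestamps, hashes) before warning the user.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, '');
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Patterns run over the prompt before submission. The digit lookarounds on the
// phone pattern stop it from firing inside a longer run such as a card number.
const PII_PATTERNS = [
  { kind: 'email', regex: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { kind: 'phone', regex: /(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)/g },
  { kind: 'card', regex: /\b(?:\d[ -]?){12,18}\d\b/g, validate: luhnValid },
];

// Return every finding as { kind, value, index }; an empty array means "send as is".
function scanPrompt(text) {
  const findings = [];
  for (const { kind, regex, validate } of PII_PATTERNS) {
    for (const m of text.matchAll(regex)) {
      if (validate && !validate(m[0])) continue;
      findings.push({ kind, value: m[0], index: m.index });
    }
  }
  return findings;
}

// Stand-alone demo on constructed input.
console.log(classifyUrl('https://example.zip/')); // risky-tld
console.log(classifyUrl('https://github.com/Wind010/gpt-guard/archive/main.zip')); // ok
console.log(scanPrompt('Mail jane.doe@example.com, card 4111 1111 1111 1111')); // email, card
```

In the extension itself, classifyUrl would run in the service worker's chrome.webNavigation.onBeforeNavigate listener (the webNavigation permission has to be declared in manifest.json) and scanPrompt in a content script attached to the prompt textarea, with the findings rendered into the warning overlay. Regex matching is advisory only: it catches phone numbers, email addresses and card numbers, not names, source code or contract text, so the risk prompt still has to do the teaching.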

Why would Google do this?

T_T

It occurs to me that almost every weekend since last year has been a hack day. Jumping from idea to idea and prototyping them has been fun. The rules and prep around a formal hack week and hack day kill the vibe and my desire to do them.