
In this episode of Data Security Decoded, host Caleb Tolin sits down with Gabrielle Hibbert, a pioneering researcher developing a nutrition labeling system for generative AI tools. They explore how this innovative framework could transform transparency in AI, making complex privacy policies and data usage understandable for everyone from consumers to enterprise users. Whether you're implementing AI solutions in your organization or concerned about data privacy, this conversation offers valuable insights into creating better standards for AI transparency and user trust.
• Discover how video game design principles influence user-friendly AI documentation
• Learn why current privacy policies fail to protect consumers
• Explore the regulatory implications of standardized AI labeling
• Understand the challenges of keeping labels current with rapid AI advancement
A
There's this idea that, you know, the flow of technology tools comes from the top down to the consumer and I think there may be a shift where instead of that there is going to be more of a push for consumer informed tools and choices.
B
Welcome to another episode of Data Security Decoded by Rubrik Zero Labs. My name is Caleb Tolin and I'm your host for this episode. And for those of you who are obsessed with AI right now, this episode's for you. Recently I had the pleasure of sitting down with Gabrielle Hibbert, who's a tech policy researcher and we discussed her work on creating an everyday person's guide to assessing the harms, uses and policies for generative AI tools. In addition to advocating for a consumer ready model for assessing content from generative AI, Gabrielle has worked as a security engineer in the private sector, helped establish and serve as an adjunct lecturer for the Institute of Economic and Race Equity at Brandeis University, and was named a 2024 Share the Mic in Cyber Fellow at New America. Now, quick disclosure, the views expressed in this episode are solely those of the authors and do not reflect the views of any government entity. And before we dive in fully, be sure to subscribe if you aren't already, depending on which platform you're listening in from. You know, leave us a comment. Leave us a review. We want to make sure that these episodes are valuable and helpful for you. Now, without further ado, let's dive into the conversation. Gabrielle, we're so excited to have you on the podcast to talk about, you know, this, this new research that you're working on and this system. So speaking of the research that you focused on so far is developing a nutrition labeling system for generative AI tools. First, can you explain what a nutrition labeling system really is? And then second, what motivated you to explore this for generative AI in particular?
A
Yeah, and thank you so much for having me. I am super excited to talk about my work on creating this nutrition labeling system for generative AI tools. And I think it's a good place to start with a little bit of history on what exactly a nutrition label is. So really, at its core, a nutrition label is essentially a consumer friendly marker to describe the various component parts of a product, a tool, a food related beverage, that type of thing. And various jurisdictions apply these markers differently, but they all really relate to this idea of providing fast, quick, accessible information to consumer audiences. And to really put this into a bit of a perspective, at least for the United States, is that around 6.5 billion products within the US have a nutrition label on them. And that is an insane audience that regularly looks to these markers for information. And we can kind of thank two incredible designers and researchers who helped forward this work, particularly Burkey Belser and Jerold Mande. This design that they created has been applied not only to nutrition labels and food really, it's been applied also to the tech sector. And I took a lot of inspiration and motivation from its applications by the tech sector. And I want to say that one of the motivations with that was the idea that at its core, these nutrition labels are incredibly low tech solutions to very high tech products. If you kind of think about, you know, food products, for instance, these are incredibly complex pieces of everyday life. Right. Take for instance your bag of chips. This is a product that goes through so many different iterations and has complex nature of food, chemistry and science and, and it's all broken down into percentage points of protein, salt, fat, and that's super easily accessible and attainable to a wide variety of consumer audiences.
So I try to take that idea and apply that to generative AI tools, particularly because at that moment in which I had that initial thought was generative AI tools had hit the consumer market at scale, yet there wasn't that much information that was consumer focused or consumer friendly on what these tools were, how they worked, what actually made them work, and the interaction that kind of happens between user and the tool. So that's what kind of initially sparked some of my interest and motivation for figuring out how to apply this nutrition label to generative AI tools.
B
Right. And so, you know, looking at how you apply this to different types of technologies and different, almost like grades of technology, is there a difference in how you would create this label for something a little bit more consumer grade, like you were just talking about like a ChatGPT or a Gemini or something a little bit more enterprise grade, like a Microsoft copilot?
A
Yeah. I think at the core of this question is a little central to the simplicity of a nutrition label. And I'm kind of, I'm going to try to like piece apart and add a bit of texture to the answers here. And when you kind of zoom out between let's say a consumer geared product like a GPT that's for productivity or for everyday use versus, as you said, an enterprise tool, I think what is the baseline foundation that needs to be adhered to is ensuring that the people, the user groups with the least amount of knowledge have the most information. And that really kind of goes back to my training as a social policy expert, that to ensure that there is wide accessibility and that there is enough information for people to really be able to interact with your tools and resources, there have to be really clear, inclusive, and accessible information for those tools. And what was really interesting when I was doing the grounding research for this work is that I purposely wanted to talk to various user groups, from those that had maybe heard of generative AI tools to folks who were developers and engineers. So you have these kind of wide range of user groups who kind of are on the scale of users who were not at all familiar to expert users. And in talking to each of those user groups, it really became clear to me that to bridge the gulf between users who are not familiar and those who have a deep expertise with this material is that there needs to be a baseline understanding of what a generative AI tool is. Right. And kind of get those building blocks to the folks that have the least amount of knowledge. I think, again, we do this with nutrition labels as well. We teach kids from a young age, you know, what sucrose means, what the serving size means, things of that nature.
And that really helps kind of build in a habituated sense of understanding and reading what these different component parts mean and how that relates to how a person can interact with that in the long term.
B
Right. And I could see where, you know, especially as companies, you know, listeners who are in IT and security, who are deploying all of these different trainings and different, you know, mechanisms to educate their organizations on security best practices and trying to kind of build a culture of cybersecurity. Having something like this labeling system in place for generative AI can help kind of reinforce that. So I definitely can see how this can feed into this building a culture of cybersecurity, especially for people who aren't really like, technical users. So that definitely very fascinating. And so in the paper that you wrote on this, you kind of described this labeling system as a SAUL, S-A-U-L, label. Could you kind of tell me, like, what that means and when you were creating it, what were you using in terms like, how did you decide what would be included, what would be omitted from this to improve consumer understanding and make sure that people really understood the, like, valuable points of this really complicated technology in a simple way?
A
Yeah, and I kind of want to go back to a point that you had said in the last kind of question. And you know what the other parts that kind of fed into my work is, I am a huge nerd. I'm just gonna put that out there. And I play a lot of video games. And one thing that has always fascinated me is the layout of video game design. Whether I'm playing a role playing game or a, or a game or what have you, I can understand what the map is trying to tell me and what different markers mean. For instance, if I am in a battle scenario and my character isn't doing so well, usually your screen will illuminate in red and finding a way to heal yourself or gain extra points, you get kind of feedback model where the screen will illuminate in green or blue. Right. And I kind of took that into the further design of the label, because at this baseline is with a lot of the different kind of digital artifacts that we have, is a set of standards that we have been habituated to, whether that's through video games or through emojis, emails, things of that nature. There are particular markers that stand out in our heads that really kind of helps us understand clearly the context and the information that's being given to us. And to kind of go to the question that you'd asked about, you know, how did the actual creation and the name come to be? Well, one of the things I really like to kind of hit home with this research is that I think especially in some far corners of the technology and the policy space, there is this idea that there can be a ton of research done on what we as researchers or policy professionals think should be best for the people. But I think what is better than asking what we think people want is just asking them.
So the initial part of coming up with the design and the name started with the interviews to various user groups of people, again, that had maybe only heard of generative AI tools maybe once in the past, like six months, to those that were engineers or developers who were pretty ingrained in the latest tech at the moment. And each of those interviews really was fairly interesting because despite the heterogeneity between each of the user groups, there was this base understanding that a lot of the mass market consumer technology tools are not geared for the consumer. One of the interviews that I did, they essentially said that they have a master's degree in data science, but still don't understand what any of the privacy policies or the community agreements mean in relation to the tech tool that they were using. Right. So that led to a further investigation of, you know, what do people want to learn about a generative AI tool before they sign up for one? Right. None of that had been clearly communicated. And that unearthed a kind of secondary question on what exactly is the kind of component parts of a privacy policy that relate to the usage of a generative AI tool that people want to know about. And through these interviews, I found out that kind of broke down into three sets of information. The first was general information on the actual use of the tool, like, how could a user interact with this? Are there any age restrictions that people should be aware of? Is there a way to delete their personal information should they choose to not want to use the tool? Secondly, there is a section on safety and potential harms. Are there pieces of this tool that could be used to track someone's personal information for either being used by data brokers or something of that instance? Right. So all of these conversations kind of led to the development of the indicators on the base part of the label. 
And what kind of led back to the name, the simplified algorithms for user learning, was that I wanted it to be essentially calling back to this idea that the label should be accessible and somewhat intuitive. So from my research doing the sentiment analysis, around 93% noted that they did not understand privacy policies when they read them. And further, that 96% of interviewees noted that they did not feel protected as a consumer. And that is a huge misalignment of trust between company and user. So that's the glow.
B
It's really, really valuable having all of this data and doing that kind of intake with consumers to really understand the why behind creating something like this and kind of to flip the script a little bit. A lot of this conversation so far has focused on consumer protections, which is super important. But a lot of our listeners are, you know, more of those technical people, the people in IT and security engineers and things like that, who work for companies that are either developing generative AI solutions or ones that are adopting and deploying generative AI solutions into their business. So I'm curious what you forecast will be, like, the impact on those companies, like I said, both ones who are creating the solutions and ones that are deploying it into their company environments. Did anything come up there while you were doing the research?
A
Yeah, I had talked to a couple of different corporate entities about what this would look like. And I think the initial reaction is, this is great. This is an amazing step for transparency, but it's a bit too transparent. And I think there is a fine dance and a fine kind of line to walk between. How can there be a nutrition label that is accessible for consumers, but also ensures that sensitive data from a company or corporate entity is protected? And I think that's still something that needs to be developed a bit more and in terms of what that development could look like, it's engaging and having possible roundtables or discussions with folks that want to push the boundaries on what consumer transparency looks like. And kind of going back to what I stated a bit earlier in our conversation, where during some of these interviews with some of the user groups, especially user groups within the Generation Z and Millennial cohorts, they routinely kind of mentioned that technology just isn't fun anymore and that it's much more of a burden to use. And part.
B
Wow, that's really interesting.
A
Yeah, yeah, yeah.
B
I mean, I get it. I get it. As somebody who falls into that category, like, I understand it, but it's kind of interesting to hear that in data format.
A
Yeah, it was interesting that it talked to those different cohort groups because I think that when I think it's asked a bit more about this particular part of the question, a lot of that burden they had described as being part of their understanding that their personal information was being used against them in some cases and in some instances that they feel as though they're not being taken seriously as a, as the preferred audience. Right. I think that there seemed to be a bit of negativity when describing their relationship with technology at this point in time, which I thought was really interesting because again, there's this idea that, you know, the flow of technology tools comes from the top down to the consumer. And I think there may be a shift where instead of that, there's going to be more of a push for consumer informed tools and choices to the various types of tech, particularly, particularly within generative AI. Right, right, right.
B
And, you know, kind of kind of shifting gears a little bit. I mean, we've talked a little bit about, you know, how this affects consumers, how this affects businesses. But when, you know, we're talking about this nutrition label. Right. It's. And the example that most people are going to go to, especially in the US is like the FDA's nutrition label that you get on, like your can of beans or, you know, your protein powder that you pick up from the grocery store. So, I mean, that came from the FDA, like I mentioned. So how does this framework that you're starting to build for generative AI interface with, you know, existing regulatory frameworks, kind of regulatory frameworks that are in the works? Obviously, we know that, that, you know, the federal government, especially here in the US tends to move a little bit slower than the pace of tech advancement. So kind of what does that look like and how this work you're doing is integrating into regulatory frameworks?
A
Yeah, I think on the. There are a lot of parts to this question that I've been trying to kind of work on. And the first part of this is kind of going back to that example of the FDA putting resources behind Burkey Belser's design for the nutrition label. There was a central entity that helped create the standards and requirements and enforcement and compliance for the nutrition label. And essentially the same kind of push needs to happen for the nutrition labels for generative AI. The most recent kind of example within the tech space has been with the broadband labeling system, where essentially you can look at various broadband service plans and it breaks down the different components of that plan to provide greater transparency for consumers. And that has been implemented through the FCC. And I think that path that was leveraged for the broadband labels could be leveraged for a labeling system for generative AI. And the other kind of piece to this, and something that I've spoken with other subject matter experts in the standard space, is that we're all kind of building the car as we're driving it. Right. With a lot of these generative AI tools. And I think that having a set of standards that we can maybe not 100% agree with, but at least set for the current time and build in this sort of iterative process for adding, removing, incorporating different changes to those standards will be the first kind of good step to make these nutrition labels for generative AI in reality. Right, right.
B
And do you see these kind of manifesting within a certain, you know, regulatory body in the federal government somewhere like the Department of Homeland Security's AI Safety and Security Board? Do you see it more in an organization like CISA? I imagine that, you know, we, we're going to have one regulatory body that, that primarily focuses on this. Right. Because, you know, around the time of when we're recording this, you know, we're just getting over the, the news cycle about DeepSeek and, you know, the, the adoption of that and having some type of, you know, nutrition label for a tool like DeepSeek probably would have given us a lot more information on the, like, data hygiene. Who has access to it? Where is all of this data going that's being generated from this tool? So that's a little bit of a rant, you know, to say. But, but, but where, where do you see this manifesting within the federal government? Or could it be a combination of multiple agencies that partner on this since it is kind of, you know, sweeping across multiple industries?
A
Yeah, I think it'll take a lot of various stakeholders from up and down the. The chain, whether that's having a group of consumers that can talk about their experiences using generative AI tools to, you know, organizations, agencies at the local and state level, there needs to be a concerted effort and a push from everyone to kind of really help kind of piece together the advocacy needed to bring this idea of consumer transparency through these nutrition labeling systems to light. So it's definitely a piece of this research that needs to be worked upon. It's kind of the same model that was used for the broadband nutrition labels and is kind of the hardest part of a lot of this research is. Yeah, it's not easy getting. Yeah. Getting a lot of these stakeholders to the table.
B
Yeah, yeah, it's. It's no easy feat, I'm sure. But, you know, I. I kind of want to return back to a little bit going, you know, away from the. The policy side of it and going back to kind of like the technology side, too. So, obviously, generative AI is a big topic right now. There's a lot of changes happening around, around generative AI with different vendors in the space, different regulatory bodies getting involved, all that kind of stuff. But obviously, as the, as the software develops, over time, the software changes, we implement patches, things like that. What mechanisms or processes have you considered in this labeling system to account for those software changes over time and software updates?
A
Yeah, I think that's one of the most important parts of this work. So. So just to kind of put this in parallel to the more static nutrition labels that we have on our boxes of cereal. Right. That goes through its own set of changes, too, but obviously is not evolving as rapidly as, say, a generative AI tool. And part of the need to ensure that there is an iterative process to the. The standards that are set for this labeling system is to ensure that there is at least some way to check the different changes that are happening not just on the software side, but also on the privacy policy side. Right. So I kind of have talked over potential areas for doing a bit more research into what this would look like with various SMEs, and what this could eventually break down to is either having an API that obviously feeds information to us on the different changes that are happening within a set of tools that we look at. In addition to kind of checking to see what the internal Kenneth process is on, the updates related to the privacy policy, community agreement, things of that nature, that other process is a bit more sensitive because that kind of touches upon, you know, the internal workings of a company. And that's kind of where there's a bit of pushback, but that could also come hand in hand with pushing for more changes and more transparency broadly within the data privacy space. Right, Right. For sure. For sure.
B
Well, Gabrielle, this has been a wonderful session. Thank you so much for sharing your insights and your research with us. This is a really dynamic space, obviously, with generative AI tools popping up left and right, changes left and right, and different government bodies getting involved. There's, there's a lot playing in the market in terms of generative AI and a lot of, a lot of headlines to sift through. But I think this is a really interesting and refreshing perspective to take on how we can better improve, you know, the culture and awareness around these generative AI tools and make sure that people understand what's happening with their data, you know, how, how companies are interacting with that and accessing it. So this is really incredible work. Thank you again for joining us for the podcast. I'm sure our listeners are eating this up left and right because obviously generative AI is super, super topical right now. Thank you for your research. I'll really quickly mention for the listeners if you want to learn more about Gabrielle's research or get contact information to learn more about it too, that'll all be in the show notes and be there to check it out. So again, thank you so much, Gabrielle. It's been really wonderful. Thank you. And hope to speak more with you soon.
A
Awesome. Thank you so much for having me, Caleb. Really appreciate it.
In this episode of Data Security Decoded (May 20, 2025), host Caleb Tolin talks with Gabrielle Hibbert, a tech policy researcher recognized for her work on generative AI transparency. The conversation dives into Gabrielle’s innovative idea of a "nutrition labeling" system for generative AI tools, inspired by food labeling practices. This episode covers the need for transparency, consumer protection, corporate implications, policy development, and the technical challenges of keeping such labels current as AI tools evolve.
How can a consumer-friendly "nutrition label" system make generative AI more transparent and empower users, businesses, and policymakers to understand and mitigate risks?
Gabrielle introduces the idea of adapting nutrition labels (as seen on food) to generative AI tools for increased transparency and consumer protection.
These labels would break down the complex components of AI tools—like privacy practices, data usage, safety risks—into clear, easily digestible pieces of information.
"At its core, a nutrition label is essentially a consumer friendly marker to describe the various component parts of a product...to provide fast, quick, accessible information to consumer audiences."
— Gabrielle Hibbert [02:10]
The approach is intentionally "low tech" to communicate "high tech" content.
Gabrielle prioritizes accessibility for the least knowledgeable users—noting that generative AI has rapidly entered consumer markets without matching levels of user-friendly documentation.
She draws a parallel to how society educates children about food labels, envisioning a similar baseline familiarity for AI.
"There needs to be a baseline understanding of what a generative AI tool is...getting those building blocks to folks that have the least amount of knowledge."
— Gabrielle Hibbert [07:08]
Naming and content design are rooted in direct user engagement:
"From my research doing the sentiment analysis, around 93% noted that they did not understand privacy policies when they read them, and further, 96%...did not feel protected as a consumer. That is a huge misalignment of trust between company and user."
— Gabrielle Hibbert [15:55]
Three key categories emerged for inclusion:
Companies appreciated the transparency of the labeling system but voiced concerns over revealing too much about internal or proprietary practices.
Gabrielle notes a delicate "dance" between consumer rights and company data protection.
"This is an amazing step for transparency, but it's a bit too transparent...there is a fine dance and a fine kind of line to walk."
— Gabrielle Hibbert [17:50]
Younger users (Gen Z, Millennials) are described as burdened and distrustful due to a lack of transparency and a feeling that tech is now “used against them.”
Analogy to FDA nutrition labels and FCC broadband labels: Both were catalyzed by government standardization and enforcement.
Gabrielle suggests federal-level, multi-stakeholder collaboration is needed to implement generative AI labels, potentially modeled after broadband transparency initiatives.
"There was a central entity that helped create the standards and requirements and enforcement and compliance for the nutrition label. And essentially the same kind of push needs to happen for the nutrition labels for generative AI."
— Gabrielle Hibbert [22:21]
She notes the challenge of “building the car as we’re driving it”—technology moves faster than policy.
Generative AI tools change rapidly; static labels won’t suffice.
Gabrielle suggests automated, API-based mechanisms for updating labels in line with software and privacy policy updates but acknowledges this could face company resistance due to sensitivity of internal changes.
"There is at least some way to check the different changes that are happening not just on the software side but also on the privacy policy side...that could also come hand in hand with pushing for more changes and more transparency."
— Gabrielle Hibbert [28:00]
On User-Centric Design & Trust:
"A lot of the mass market consumer technology tools are not geared for the consumer...they have a master's degree in data science, but still don't understand what any of the privacy policies or the community agreements mean in relation to the tech tool that they were using."
— Gabrielle Hibbert [12:49]
On Technology Burden:
"They routinely kind of mentioned that technology just isn't fun anymore and that it's much more of a burden to use."
— Gabrielle Hibbert [18:37]
On Regulatory Hurdles & the Need for Iteration:
"We're all kind of building the car as we're driving it...having a set of standards that we can maybe not 100% agree with, but at least set for the current time...will be the first kind of good step."
— Gabrielle Hibbert [23:03]
For more details, including links to Gabrielle Hibbert’s research, see the show notes.