12 comments

[ 10.7 ms ] story [ 274 ms ] thread
Assuming the courts simplify Otter AI down to being a glorified call recording and transcribing tool (because the fact it's "AI" isn't really relevant here w.r.t. privacy/one/two-party-consent rules then doesn't the legal responsibility here lie with whichever person added Otter AI to group-calls without informing the other members?

----

EDIT: So the crux of the matter is whether-or-not having Otter AI automatically join meetings via their Slack/Zoom/etc integrations is by-itself legally wrong - or not:

> "In fact, if the meeting host is an Otter accountholder who has integrated their relevant Google Meet, Zoom, or Microsoft Teams accounts with Otter, an Otter Notetaker may join the meeting without obtaining the affirmative consent from any meeting participant, including the host," the lawsuit alleges. "What Otter has done is use its Otter Notetaker meeting assistant to record, transcribe, and utilize the contents of conversations without the Class members' informed consent."

I'm surprised the NPR article doesn't touch on the possible liability of whoever added Otter in the first place - surely the buck stops there?

Wait until they find out about Granola AI
Before AI, you needed to trust the recipient and the provider (Gmail, Signal, WhatsApp, discord). You could at least make educated guesses about both for the risk profile. Such as: if someone leaks the code to this repo, it’s likely a collaborator or GitHub.

Today, you invite someone to a private repo and the code gets exfiltrated by a collaborator running whatever AI tool simply by opening their IDE.

Or you send someone an e2ee message on Signal but their AI reads the screen/text to summarize and now that message is exfiltrated.

Yes, I know it’s ”nothing new” ”in principle this could happen because you don’t control the client”. But opsec is also about what happens when well-meaning participants being accomplices in data collection. I used to trust that my friends enough to not share our conversations. Now the default assumption is that text & media on even private messaging will be harvested.

Personally I’m not ever giving keys to the kingdom to a remote data-hungry company, no matter how reputable. I’ll reconsider when local or self-hosted AI is available.

Why does Otter AI exist? Aren't those features built-in to videoconferencing now?
> Last year, an AI researcher and engineer said Otter had recorded a Zoom meeting with investors, then shared with him a transcription of the chat including "intimate, confidential details" about a business discussed after he had left the meeting. Those portions of the conversation ended up killing a deal,

I'm sorry but this is another example of not checking AI's work. Whatever about the excessive recording, that's one thing, but blindly trusting the AI's output and then using it blindly as a company document for a client is on you.

I cant believe I am going to say this - but I am on the Ai company side.

They recorded the call and sent it to all participants. Its not their fault the users are idiots.

I've been getting Otter AI ads on the various ad-supported streaming services I watch. The ad shows a scenario where a couple of people are tapped for a last-minute meeting, but they've got other things to attend to (lunch, PTO), and they just have Otter sit in their place in the meeting.

I may be a dinosaur, but I was shocked at how casual they made this look (I know, it's just an ad), but I would be fired almost instantly at $ENTERPRISE if I did this. I almost looks like it's designed for corporate espionage.

I think we should have an opt-out standard via a subsonic signal, like DO NOT TRACK in browsers. Then, it's on the vendors to intentionally ignore a clear signal.

To that end, I've been working on opening sourcing https://dontrecord.me as a side project. Putting together a fork of Whisper that will follow the opt-out signal, too. If anyone one wants to help, please connect.

A month ago a potential customer automatically included their Otter.ai meeting agent into a Teams call. The customer never turned up (he canceled the meeting somewhat later), but me and a colleague chatted a bit in the meeting. Then the Otter.ai meeting agent posted a link in the chat, from which it was clear that everything had been recorded, up to a complete video of the meeting with full facial imagery.

As I'm a European citizen, I filed a GDPR removal request with them to remove all images of me from their servers. The email address that they list in their privacy policy [1] for GDPR requests immediately bounces and tells you to reply from an Otter.ai account (which I don't have). I was able to fill in a contact form on their website and I did receive replies via email after that.

After a few emails back and forth, their position is that

> You will need to reach out to the conversation owner directly to request to have your information deleted/removed. Audio and screenshots created by the user are under the control of the user, not Otter.

> We are required by law to deny any request to delete personal information that may be contained within a recording or screenshot created by another user under the CCPA, Cal. Civil Code § 1798.145(k), which states in relevant part

> “The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request…to delete a consumer’s personal information pursuant to Section 1798.105…shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person…[A] business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business’ possession.”

Which is a ridiculous answer towards a European user, as the CCPA doesn't apply to me at all. Furthermore, I don't think the CCPA prohibits them at all in deleting my face from their servers, as the CCPA merely stipulates that I can't compel them under the CCPA. Otter.ai can perfectly decide this for themselves or be compelled under the GDPR to delete data, and their Terms and Conditions make it clear they may delete any user or data if they wish to do so.

After these emails, and me threatening to file a lawsuit, "Andrew" from "Otter.ai Support Team" promised to escalate the matter to his manager, but I got ghosted after that: they simply stopped replying.

So I'm going to file that lawsuit (a "verzoekschriftprocedure" under Dutch law) this week. It's going to be a very short complaint.

[1] https://otter.ai/privacy-policy

Apparently, I am "inviting" Otter into very private work meetings and i don't even have an account. Someone else had it on a meeting and Otter took it upon itself to send notes to all people in the meeting...from "me". It said i was inviting them. i am being trolled by an ai bot and spreading it like a disease to others and i didn't even know it until i saw the invitation from me in a meeting i was in...and that's when i first learned it attached itself to me. This is like a virus and i am trying to figure out how to stop it.