What would you do if your next business call ended up training someone else's AI without their knowledge? In this episode: Brewer vs. Otter.ai A case study of how automated note-taking tools are reshaping privacy, compliance, and trust in today's workplaces.
self
transcript
Eric Felsberg
long island principal
Hello everyone. Welcome to the latest episode of Bringing AI to Work. My name is Eric Felsberg. My colleague Joe Lazzarotti joins me. Joe and I lead the AI group here at the company, and that team is hands-on with all aspects of AI, from bias testing to policy drafting to privacy considerations related to AI and many other issues.
We have a great episode today. I look forward to speaking with you about Otter AI You may have heard about this incident on the news. Joe, just imagine that. Schedule a business call. It's almost time for the call. Dial into the call. There is one meeting platform that we are all familiar with at this point. When you log in and start a meeting, you notice that someone is there taking notes. Or maybe you don't notice. There is an AI note taker on the call with you, but you don't think much about it and continue the discussion with the other people on the call. Perhaps during that call, you may be discussing sensitive issues, even proprietary issues or confidential information. You're on the phone with a trusted colleague, trying to solve a business problem, so you're having that discussion. And when you hang up after a call, you will then receive an email recording and possibly a record of everything that was discussed during that call. And lo and behold, you'll probably find out later that some of the content of that call, including the content you contributed to the call, is being used to train algorithms and models by a third-party provider of call note-taking services. Now, I'm not sure where to find the information you discussed. Just by knowing that it exists in the world, you may come across a model that you didn't know about. No one said this was on. No one asked if it was okay to do that.
What do you think? If something like that happened to you, where would you go? What’s your first thought?
Joe Lazzarotti
tampa principal
Well, it would certainly give me a little break. At our firm, we are very sensitive to attorney-client privilege and things like that. I know we tend to try to be mindful of that, but most people don't always think about it. They just jump on the phone and, like you said, are trying to solve a business problem. What brings us here today is this otter lawsuit filed in California in August. What's interesting is that the plaintiff in this case was not an ATA subscriber, but just happened to be participating in the calls that he claimed were being recorded. They allege a variety of things, including that their calls were recorded and that their information was accessed and used without their consent. They claim that the information recorded was used to train ATA's algorithms, citing laws such as the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and numerous California laws that appear to be relevant. Let's see how this case goes.
The way this is put together makes a lot of sense. This is because many questions arise as to whether it was appropriate to record the call, whether the process for recording the call was meaningful and followed, what was recorded and who had access to it. What happens to that data, how long is it kept, and who is it shared with? All of these questions not only impact the specific process of recording calls, but can also have unintended consequences. We may share information with third parties (in this case Otter or other vendors). It doesn't have to be Otter, but it could violate the confidentiality clause you signed off on in your contract.
There was another story. About six or seven people answered the phone. One person won't answer the phone, but everyone is on the invite, and a few people will stay after everyone leaves, potentially giving you some less-than-flattering things to say about the person who missed the call. Of course, amazingly, everyone you invite gets a recording of that call. That included comments from the remaining two or three people who wished they hadn't been sent. Even those who didn't call will see it, and it will cause some pretty serious conflicts in the workplace. These are all issues that businesses must address as they implement. Or, companies may not be aware or sensitive to the fact that their employees are using these tools. That's an important issue.
Felsberg
You alluded to this, but there are legal implications. You mentioned that as lawyers, we are always concerned about the applicability of privilege and whether we can speak freely with our clients. If that information is out there, how is that information privileged and compromised? We've touched on some of the legal issues that apply to this before, but it's also an employee relationship issue. We've all been on a conference call. Typically, when you participate in a conference call, there will be some small talk at the beginning of the call. There is no expectation that the chat will be made public in any way. Now, you might expect participants to continue speaking in a businesslike manner, but in some cases, participants may say something off-the-cuff. Now, all of a sudden, it's out there, and to the point you mentioned, it can cause concerns for employee relations.
Joe, I'm just wondering, how can we mitigate this? I mean, who do you bring in the note taker, or even if it's the note taker arriving on the call, it's not tied to one person. At least that person is on the phone. You might be able to remove the person from the call in the backend. What else can you do? What if a window pops up and says, “Do you agree to use this Notepad?” And if you have six people on the phone, what happens if four of them say OK and two say NO? How do you move forward? John, I don't know if you have any views on that. I don't think this is an easy answer, even if you just think about it from a logical point of view.
lazzarotti
Well, that's difficult. So I think for the most part, people follow the rule of tacit consent. If you see this pop-up and someone continues the call, they consent. I think some platforms require you to actually click, so they accept the recording and that click is captured and retained. But there's also the technical issue of if you're on the phone with a patient and the patient is effectively disclosing information to the person on the call, maybe the doctor, maybe the health care provider, maybe the employer who's helping manage the claim, and there's a third party, a third party note taker. And is that person a business associate whose data is now stored on a server? After that analysis, you need to decide whether consenting to the recording is enough. We've talked about various compliance obligations over many episodes. The other one is CCPA, right? The people you're talking to, who could be consumers or employees, for example, have you notified anyone that you're collecting their information? Does your website have an appropriate privacy policy that takes into account the type of data you're collecting, recording, and transmitting to third parties? I think these are some questions. So, in a way, it goes back to some of the things in governance that we talked about, in my mind, Eric, about what you really want. I think I said this in the previous episode, but do you really want to sit down and think, what is this tool? what are we doing? And then we run through scenarios, we run through use cases, and we try to anticipate as best we can what's going to happen, what data is going to be collected, what notices and consents and policies need to be in place to make sure that we minimize our risk profile and our risk platforms when working with these technologies. It's interesting because this technology can be used for any conversation within an organization. It could be employment, it could be legal, it could be finance, it could be board level. And all these different conversations being recorded come with different frameworks of laws and obligations that require reflection to understand, but is this a good idea?
Felsberg
Yes and no, I think that makes sense. But for now, the point here is that we talked about one case that is currently in question. I think the takeaway here is, at least at this point, there are risks to using note-takers, and you should know if they can be fully mitigated with consent. You know, I think this is an open question at this point. And it's important to understand that exactly where some of this information is stored is also an important factor. I know for now, but if I'm on a call and I know it's something sensitive that needs to be discussed, I often strike up a conversation right away with the person on the call and say, “Hey, I have some concerns that I have.” Should we keep this technology running or should we turn it off? Tough question. As long as people know what the problem is, I don't know if they can necessarily solve it with this particular phone.
lazzarotti
No, I think this is a great discussion and probably a good place to end this discussion. We'll see how this audit incident and others that follow play out. I'm sure there will be something, but I hope it will be of help to everyone who is listening. If you have any questions or comments about topics you would like us to cover, please contact us at any time. Contact AI at JacksonLewis.com.
The content of this article is intended to provide a general guide on the subject. You should seek professional advice regarding your particular situation.
