MiniDECIlost
I would appreciate it if this file could stay private, as I am still employed at this company and I do not want to get into trouble with my boss.
1. The organization
ILost is a company that provides a digital platform designed to streamline the lost-and-found process for both organizations and individuals. It describes itself as “the ‘Google’ of lost and found” and offers software that allows companies to catalog and track lost items digitally. People can also directly register found items on the iLost website. Once an item is registered, the platform uses a verification process to make sure that a lost object does in fact go back to the rightful owner. At this point in time, the company says it has helped 579,275 people to find their lost item back.
2. The (AI) technologies Employed
The most important technologies employed by iLost involve data collection and storage to manage information about lost and found items. On the platform, a wide array of items can be registered, including clothing, keys, and backpacks. Each item is typically registered with a photograph, a publicly accessible description, and the location where it was found. However, often further private information is stored. When organizations use the iLost software, they may also write down and store additional descriptive details that help verify the rightful owner of an item. In cases where the lost item is personal—such as wallets, bags, or notebooks, these descriptions can contain sensitive or private information, such as a name, a date of birth or other details. All of this data is stored to enable the platform to function effectively, ensuring that items can be accurately matched with their owners and returned.
Furthermore, when it comes to AI technology, Ilost makes use of a "match-bot". This is an LLM that asks questions to someone that tries to claim a lost object to speed up the verification process. When someone attempts to claim a lost item, the match-bot asks a series of questions to confirm that the claimant is the rightful owner.
3. Ethical concerns
In this section I will raise three ethical concerns that could be of importance based on the way Ilost operates. But before I do this, I want to note a number of things the company does well.
First of all, the company, by making the process of lost and found digital and easier, helps a lot of people with finding back their belongings. Without Ilost, many of these objects might be lost forever. I think this assumption is reasonable given the amount of objects Ilost has helped to bring back to the original owners. The aim of this company, therefore, is something benificent.
Second of all, on the website of the company, a statement can be found where they mention the GDPR and the right to be forgotten. The company mentions that people first need to read and confirm the terms and conditions before they can provide any personal data. Furthermore,when it comes to the right to be forgotten, the company provides people with the option to delete their account and all data associated with it from their database. These are things that indicate that the company is willing to give people consent and respect, at least to some extent, their privacy.
However, there are still three concerns I would like to point out that, if addressed, could help the company to perhaps better achieve its goal of reuniting people with their belongings while also creating more trust and confidence in its operations.
Privacy
The first key concern I want to highlight is privacy. Ilost stores information about someone's belongings in different forms: images of objects, textual descriptions, location data (in which city an object was found) and certain senitive details about an object or person (things found in wallets or bags). This type of data, when it is not handled correctly, could expose personal information of people. In case of a data leak for example, privat data could come in hands of third-party unauthorized parties. In order to match a lost item to the correct person, there is of course some datastorage needed. However, storing to much data could lead to potential risks.
Furthermore, the company provides on their website that they will store personal information up to 5 years. The question is, however: when someone found their item back, is it necessary to keep storing this information?
Lastly, owners of a lost item are not able to see the data that is recorded of their item. This lack of transparency may prevent users from understanding what information is held about them or challenging potential inaccuracies. While this particular concern also overlaps with consent, it is...it is also a privacy issue, because users cannot monitor or control how their personal information is stored and protected, perhaps creating privacy issues occuring because of potential misuse.
Consent
The second concern I would like to raise it that of consent. Consent is central concept of digital ethics, as it makes sure that individuals are informed about what personal information is collected, how it is used, and that they have the ability to agree or refuse. The matter of concent and the concerns around it in the case of Ilost, I think, can be split up in two parts: that of people creating an account on the website and that of people that are owners of a lost item that is put on the website.
Firstly, people creating an account on Ilost give concent through reading and accepting Ilost's "terms and conditions". However, in practice this form of consent might not be fully informed. Many users, especially if they are stressed and trying to find their lost object as quickly as possible, will not read a long document int it's entirety. This means they will not be fully informed about what data is being collected, how it will be used, or how long it will be stored.
Secondly, there is the matter of the owners of the lost items that are put on Ilost. These people are not even able to give consent at all, ast their items are registered without their knowledge. As a result, potential privat information may be stored without any of their knowledge. Of course, some data is necessary to be stored in order for them to even find their own lost items on the website. The problem here is: how do you balance the benificence you create with helping people find their objects back and the necessity of storing data for this with the lack of consent that happens during this process?
Use of a LLM
The third and last of my concerns relates to the use of an LLM by Ilost as a match-bot to assist in the matching process. While this automation could perhaps improve efficiency and speed when it comes to matching someone with their lost object, it also raises some ethical consideration.
To start with, using a LLM could lead to a misunderstanding with users. People might not be aware that they are not interacting with a human, but with an AI. This may lead to less transparency for the users of the website.
Moreover, in case Ilost uses a LLM by a company based outside of Europe, this may require transfering personal data outside of Europe. This is something that is not in line with the regulations of the GDPR. After all, all this personal data is still the responsibility of Ilost.
Finally, a chat-bot can make mistakes. At the moment, it is not the case that the matching process is fully automated. However, if the company is planning to move forward with this, it could lead to potential problems and harms. For example, the match-bot might incorrectly reject a rightful owner, or disadvantage users that are not able to write in Dutch or English very well. This way, it could potentially create fairness or bias issues.
4. Recommendations
Privacy
To address these privacy concerns, iLost should focus on minimizing data collection and storage, minimizing the amount of data they record to match an item to an owner. Personal data should be deleted or anonymized once an item has been successfully returned to its owner after the match happend, rather than being stored for the full five years that is mentioned on their website. It could also be a good idea to allow owners to view what data is recorded if Ilost would not choose to delete the information sooner. This way, users can choose themselves what should be stored and what not. Additionally, when dealing with personal information, it is necessary to implement strong security measures, so that it is (almost) impossible for personal data to be leaked to third-party sources.
Consent
In order to increase their image as a company that has the user's best interest in mind, Ilost should strengthen consent practices. For people that make an account on Ilost, this could involve summarizing key points of the terms and conditions in plain language, so that it is easier to read and access for people. This could lead to stronger informed consent for their users. For owners of lost items that are put on the website, it is important that Ilost minimizes the amount of personal data that is being stored without consent. Furthermore, Ilost should give users clear options to manage or delete their personal information after an item is matched if information like this is recorded.
Use of an LLM
There are some recommendations to adress the concerns around the use of an LLM as a match-bot. For example, Ilost should try to be as transparent as possible to their users about the use of a bot. This way, users will not feel lied to. Additionaly, the company should make sure that, when they outsource this to a company outside Europe, they still ensure compliance with the GDPR. Lastly, Ilost should keep a close eye on the performance of the match-bot, perhaps setting up rules and safeguards. This way, they can minimize errors and bias during the matching process.