// Note: This whole series has blossomed into multiple blog posts, and I am 95% certain that I will turn this whole thing into an ebook (with some bonus content, naturally). In the lead up, and as motivation for myself to finish this series, I am re-sharing the earlier posts this week.

In this post, I explore why I think large language models (LLMs), as non-deterministic systems, are generally incapable of complying with aspects of data protection laws that were drafted assuming a level of determinism and consistency in outputs. 

In Part 2, I discuss the underpants gnomes problem that makes LLMs inherently more problematic than garden-variety databases: how do you identify a specific individual within a system in order to delete that person? I discuss concepts around Named Entity Resolution, Named Entity Disambiguation & Linking, and the utility of knowledgebases & knowledge graphs. 

In Part 2.5, I share some practical analysis based on OpenAI’s response to my RTBF/Erasure request, and I explain why it wasn’t as effective as OpenAI claims it to be. (Who is Carey Lening is hidden — except where it isn’t, but Who is Careyy Lening, or Who is Lening Carey return plenty of results about me). 

Ultimately, I am looking for an answer to the question: Can LLMs unlearn? If they can, why is it so hard? Can LLMs actually forget? And if so, how do they actually do it?

Apologies for the delay between posts. It turns out that socializing non-stop for two days straight saps every iota of energy right out of me. Still, I don’t regret attending the IAPP AI Governance Global event in Brussels — I met so many amazing people, dished about data protection, and learned a lot, mostly about pain points and how we’re all blindly trying to identify and describe the elephant that is AI regulatory policy.1

But even before the conference, I’ve had AI on the brain. Between the release of the EDPB’s ChatGPT Taskforce report, and a recent query by Jared Browne on why OpenAI can’t correct personal data, I’ve been thinking a lot about the legal implications of large language models:

As these types of questions usually do, I started thinking about other, related questions, like deletion, accuracy, and technical impossibility. I also phoned a lot of friends about how compliance could be done at a technical level, which yielded over 100 comments, tons of insight, and a realization that like so many things, everything is more fractally complex than most of us realize. And because my brain is full of holes, I started writing down what I learned (which will be part of a future post).

But before I dig into the how, I wanted to touch on the bigger problem of applying deterministic laws to non-deterministic systems.

LLMs How do They Work?

Most of us know what a LLM is, and so I will skip some of the basics. But for purposes of this piece, it’s good to remember that at its core, an LLM is:

1. a sophisticated pattern-completion program

2. trained on gobs of data

3. in order to generate coherent text

4. based on statistical relationships.

Large language models use training data (like the Common Crawl) to learn what words are most likely to appear next to other words.2 It then assigns words (or parts of words, word stems, or other characters) to a token. For example, here’s how OpenAI breaks down the phrase “Carey Lening is a data protection consultant based in Dublin, Ireland: 

You might notice that tokens don’t always translate to words. Carey for example, is a combo of ‘Care’ and ‘y’ which makes some sense – ‘Care’ is a common word, and it’s less common to append something like -y, -s, or -t) to that. More common names like Bob or David don’t do that stemming thing because they’re already common.  

After initial training, an LLM usually needs further training, because its initial word associations are frequently hot garbage. This is most commonly done via supervised fine-tuning by humans or through reinforcement learning from human feedback (RLHF), where humans either supply correct question-answer pairs, or reward ‘correct’ model outputs generated by the LLM itself.3 The fine-tuning process may also include setting limiting instructions, weights & temperatures, filters, or providing guidance on what types of answers should, and should not be provided by the LLM. The ‘what not to include’ part is sometimes referred to as suppression.  

What’s really important to remember though,  is that even after all that human involvement and training, an LLM doesn’t know or understand what it’s saying. As Emily Bender, Timnit Gebru, Angelina McMillan-Major, and Margaret Mitchell4 reminded us:

Contrary to how it may seem when we observe its output, an LM is a system for haphazardly stitching together sequences of linguistic forms it has observed in its vast training data, according to probabilistic information about how they combine, but without any reference to meaning: a stochastic parrot. 

Since a model is only as good as the source data it’s trained on and its fine-tuning, if the training data is junk, biased, or contains illegal materials, the model will be influenced by those biases, errors, and junk. But even if the data is quality stuff, sometimes the outputs might nonetheless be entirely wrong or incorrect in context. Human effort takes time, and the world is a bad place. No amount of supervised fine-tuning or RLHF can catch everything. And that doesn’t include all the other reasons related to the model architecture, questionable training processes, task dependency, or intentionally-motivated attacks that can muck things up.  

The Complexities of Non-Determinism

Under the GDPR, and other data protection laws, individuals often have numerous rights related to their personal data, including access rights, the right to correct (rectify) inaccurate data, or to have personal data deleted. These rights aren’t absolute, but they are usually quite broad. 

The thing is, these rights have been codified when data consisted of stuff about people located on servers, in a structured database, or stored as part of a “filing system”. To borrow a phrase from computer science, filing systems act   ‘deterministically’ – that is, they will produce the same output (or file, or query response) given the same input.5 In other words, that funny cat meme you saved in C;/Downloads as cat.jpg will be the same cat picture tomorrow. And you’ll be able to retrieve it today, tomorrow, or next year provided nothing changes.

Privacy and data protection laws, including the GDPR, were crafted with determinism in mind (even though they don’t specifically call this out). This is why the GDPR’s material scope is limited to the processing of personal data ‘wholly or partly by automated means,’ and to non-automated processing where the data forms ‘part of a filing system’ or is intended to do so.6 If it weren’t, we’d all need to spout privacy notices every time we talked shit about our colleagues at the big office party, or a comedian roasted someone as part of their set. And don’t even get me started on the lawful basis question.7    

But things get way more tricky when it comes to LLMs, precisely because the same input doesn’t guarantee the same output. Their results—the probabilities of those token pairs—may change depending on the specific word choice in the prompt given, model versioning, math, or tons of other factors not entirely understood. Searching for cat.jpg on ChatGPT won’t give you the same cat.jpg.

It gives you something more like this:

In other words, LLMs are non-deterministic systems. Or as someone more clever than me noted, an LLM is like baking a cake. It's easy to add the ingredients in the first place (training, fine-tuning), but taking them after the cake has been baked? Good luck with that.

Importantly, unlike a filing system, there usually isn’t a single source file or even a set of files the model is calling on when it’s generating text, summarizing a paper, or creating an image.8 That means it may be hard or even impossible to point to how the LLM arrived at an incorrect, defamatory, infringing, or illegal result. Sure, the result might be influenced by some underlying source(s), but it also might include completely benign details from other training data where the token math led to a ‘better’ match.

For example, if I ask ‘Who is Bob Smith’, the LLM doesn’t know if I’m asking about Bob Smith at 333 Cherry Lane, Dublin, Ohio, or Bob Smith in Dublin, Ireland. Hell, even if I specify which Bob Smith, it still might conflate the two Bobs, even if the underlying training data is accurate about each respective Bob. Remember: LLMs lack context. They don’t know or understand what they’re saying. How exactly do you correct that? For which Bob? And what happens when Bob Smith refers to any number of people? Which ingredient do you remove from the cake?  

Here’s an example in action: I asked OpenAI GPT-4o and GPT-4 for details about “Carey Lening” and received two wildly and contradictory results. Just like the cat meme.

So, to Jared’s question, I ask: How exactly do you correct, or rectify that? Which answer gets corrected? And what if it changes tomorrow as someone else writes a similar(ish) query about Carey Lening?

Unforgetting Machines

Given that brief background, it should be easier now to understand why something like rectification/correction is far from simple or binary. To quotesage privacy elder Michelle Dennedy, this represents a ‘wicked problem’. 

Okay, you might be asking, what about deletion? After all, OpenAI claims that while it cannot correct inaccurate data, it can delete it:

But this isn’t entirely true either. You’ll note that what OpenAI (and likely other large language models like Perplexity.ai, Alphabet’s Gemini, and Anthropic’s Claude) actually claim is more akin to suppression, not true deletion.

Deletion (and rectification, access, objection, hell, even accuracy and data minimization) are all wicked problems because when it comes to LLM-generated outputs, there usually isn’t a single thing to delete, correct, access, or object to, because the outputs themselves are based on the probability of certain words/tokens, and that probability is independent of context or meaning. What we have is the same baked cake problem I mentioned earlier.  

Yes, you can delete information related to ‘Bob Smith’ from the training data. OpenAI, Google, and Anthropic make such an option available to individuals who request it, at least if you’re in certain jurisdictions. But it’s likely to be all Bob Smiths, and importantly, it’s most likely to be suppression (akin to what Google does for a right to be forgotten request), not actual deletion.  

In Part 2, I’ll dig into all the varied methods of what is known in the literature as machine unlearning — the respective utility, challenges, and feasibility of each, and possibly, why laws around data protection and even the new EU AI Act probably need to address the technical complexity of applying deterministic law to non-deterministic systems.

Because it isn’t just AI we’re talking about here. Non-determinism is going to bite our legal system in the ass in a bunch of different ways.

Leave a comment

—

Massive thanks to the following folks (and so many others) who helped guide some of the questions — and answers — in this post.

Jared Browne, Florian Prem, Kevin Keller, Jeff Jockisch, Debbie Reynolds, Igor Barshteyn, Michael Bommarito, Axel Coustere, Mark Edmondson, Nicos Kekchidis, Pascal Hertzscholdt, Ken Liu, Devansh Devansh, Sairam Sundaresan