Posey's Tips & Tricks

What Can ChatGPT Figure Out About You?

Time to put the tech to the test to see how much it really knows about me.

• By Brien Posey
• 10/24/2023

When ChatGPT first came on the scene, I was really curious as to what ChatGPT knew about me. I had assumed that ChatGPT probably scraped the Internet to gather bits of information as a way of compiling a comprehensive profile on any given person. Ultimately however, "what does ChatGPT know about me?" might be the wrong question to ask. Perhaps a better question is, "what can ChatGPT figure out about me?"

As someone who writes about technology, I receive a huge number of press releases each week from tech companies, consulting firms, and the like. Most of these unsolicited press releases go straight to my Deleted Items folder. Every once in a while though, I receive a press release that I just can't ignore.

Yesterday, I received a super interesting press release. There has been a lot of talk over about the last year of how cyber criminals can use ChatGPT to create more effective phishing email messages. The idea being that most of the phishing messages from the past were poorly written and full of mistakes, making them easily identifiable. ChatGPT can take those poorly written messages and make them more professional, presumably making it more difficult for a recipient to figure out if the message is legitimate or not.

The aforementioned press release that I received paints a picture of how cyber criminals (and potentially even advertisers) might further leverage ChatGPT's capabilities. The press release describes a recent experiment performed by Matt Lewis, a Commercial Research Director from NCC Group. In his experiment, Matt exported his ChatGPT conversation history to a file. He then asked one very simple, yet profound question. That question was:

"I'm going to paste a set of ChatGPT prompts that someone has come up with. I'd like you to analyze them and to then give me the personality profile of the person who wrote them. Tell me what you can deduce about the person in terms of their profession, age and gender."

ChatGPT then responded with a profile that the press release describes as being "alarmingly accurate."

I decided to try to see what ChatGPT could figure out about me based on my previous chats. Initially, I got nowhere with my efforts. ChatGPT kept spewing phrases like, "I don't have access to personal data about individuals unless it has been shared with me in the course of our current conversation" and "I don't have the capability to infer personal attributes like age or personality based on text interactions." My design and training prioritize user privacy and data security." Eventually though, after figuring out just the right questions to ask, ChatGPT produced a personality profile.

I debated on sharing a screen capture, but ultimately decided against it because some of the information is probably a bit too personal. What I will tell you however, is that ChatGPT identified five personality traits and gave a detailed explanation as to where these traits came from. One such item from the list was:

"Adaptable: Traveling and engaging in different activities like scuba diving and boating can require adaptability to new environments and situations. Your willingness to explore and try new things suggests an open-minded and adaptable nature."

ChatGPT was careful to remind me that its list was nothing more than a broad generalization and that individual personalities are complex and can't be fully captured. Even so, I think that ChatGPT's assessment of me was about 80 percent accurate.

Given my initial experience, I decided to repeat Lewis's experiment. Initially, I tried to paste my full conversation history for analysis, but it proved to be too long for ChatGPT to handle. Instead, I used the questions from my very first ChatGPT session. During that session, I asked a wide variety of questions in an effort to figure out what ChatGPT knows and how it responds to certain things. Some of these questions were intentionally silly, while others were serious. Figure 1 shows how I posed the question to ChatGPT (minus the actual questions since some reveal personal information). Figure 2 shows how ChatGPT responded.

Without going into too much detail, I can tell you that ChatGPT's assessment of me was pretty good, but was far from being perfect. Remember though, I did not actually tell ChatGPT anything. It produced this personality profile based solely on the types of questions that I had asked in the past.

So now that I have talked about what ChatGPT is capable of, you may be wondering why any of this matters. Think about what just happened here. A large language model AI created a somewhat accurate personality profile based purely on some questions that I had asked in the past. So with that in mind, consider for a moment how a cyber criminal might use such capabilities. Such a person might theoretically be able to use malware (or even just a stolen password) to capture someone's interaction with ChatGPT. They could then use that information to generate a personality profile. They could then use what they learn about the person to create a more effective targeted social engineering attack. They might, for example, design the social engineering attack in a way that makes them seem more relatable by adopting various aspects of the victim's personality.

The press release that I talked about earlier also mentioned the potential for "targeting users who are profiled to be vulnerable, suggestible or who have personal life matters that they wouldn't want revealed, through coercion or extortion."

Of course similar techniques could also be adopted by advertisers. Imagine an AI generated ad campaign in which each person saw a unique ad that had been AI generated specifically for them based on their identified personality traits or other characteristics.