OpenAI Threatens Popular GitHub Project With Lawsuit Over API Use

A GitHub project called GPT4free offers free access to OpenAI’s GPT4 and GPT3.5 language models by funneling queries through sites that have incorporated GPT4, such as and Quora. However, OpenAI has sent a letter demanding that the project’s developer take it down within five days or face a lawsuit, as the project may be causing financial losses for the sites that are paying OpenAI fees to use its language models. While the developer said he does not believe he is liable for what others do with his script, he is seeking legal advice before making a decision to take down the project.

What are people’s thoughts on this?
Should this even be OpenAI’s battle?
Does something like this indicate a greater problem?
Is this not treating a symptom, rather than the cause?

Is it fair for OpenAI to be involved and threaten the owner of the GitHub when, as mentioned

[…] that OpenAI should not be targeting him for using other sites’ APIs, which are available unsecured on the open web.

It’s obviously terrible to inject your own queries using other people’s API keys - it’s essentially theft. But why would OpenAI bother with this? Streisand Effect anybody?

This isn’t a paid service, it’s an open-source repo that the website owners should use to identify & strengthen their security.

Attacking the developer, in my opinion, makes no sense. This situation would not exist if the security was better. It doesn’t matter who the developer is/would be, the situation will happen again, and continue to happen until the root cause is addressed.

OpenAI has a duty to protect its customers and uphold the integrity of its services. Part of that duty involves reinforcing and ensuring compliance with its terms of service, which are designed to maintain a fair, secure, and consistent user experience.

Yet, threatening an open-source script is a fruitless effort. The true solution is to overcome the exploit, which would be much easier if the person that is now very educated on it would be willing to talk.

Collaboration over confrontation.
A public attempt of collaboration would be nice.

This (I would think) is an issue directly between the repo owner, and the website that they have managed to exploit. Funnily enough, these owners have reached out to the owner as well to threaten with lawsuits, rather than attempt to fix their own code and implement better security measures.

As this code is already out there, now the concept is known, there will be many duplicates now made under false identities that cannot be tracked. Fewer white-hats will be willing to be more “open” with their discoveries.

Now with the threat of lawsuits, now seeing the cards that are played in the situation, the only entities left will be black-hats who can offset the liability with profit, and won’t open source their exploits.

Of course, there’s the bug bounty program. Which I think is wonderful.

However, in the case of this repo, it is not applicable.
If it was, why not publicly reach out and apply it?
Surely it would have been cheaper than the potential lawyer fees?

Final Thoughts:

  • Will OpenAI jump to the aid of other websites which are being exploited?
  • How can this be effectively combated? I have been looking through the GitHub and they are simply using an HTTP client or Selenium (a web automation tool commonly used for automating tasks such as data mining).

Disclaimer: I am in no way supporting what the GitHub developer is doing. It’s a tool for theft, and should be treated as such.


Honestly, reading the comments from the people using this project is just depressing.

This is why we can’t have nice things, there’s always someone who will abuse it.

What we will see is more services locked behind logins and paywalls.

Agreed. One ridiculous comment (wordspun as a dark ages peasant for fun)

Hear ye, hear ye! On another matter, I say to thee that OpenAI doth not seek to take down our works for the sake of profit (as far as I knoweth). Verily, I reckon that I have caused them harm in the sum of a million coins (calculated based on the number of downloads and usage analytics), with the cost of their API being two pennies per thousand tokens. Yet, they have not sought to take down my work.

Not sure I would ever admit this. But, comments like this do make certain jobs easier, for sure.

Always. It’s our responsibility to acknowledge this and prepare for it.
The only way to improve (in this context) is by reconsidering ourselves, and our failures.

Not simply blaming and attacking the abuser. There will always be more.
I can appreciate fulfilling the “actions have consequences” aspect.

But, on the internet, anybody can be anybody else.
If there is money to be made, it will happen.

Where there’s consequences, there’s more money.

Yeah, good on OAI to deal with this. Some people just have no respect.

That’s a fair response.
It could be exactly for that reason why the lawyers are being brought out.

To scare off scriptkiddies.

But, that’s all they are - scriptkiddies.
An established business which falls victim to them and loses heaps of money is in serious need of evaluation. I’m not speaking of OpenAI, just to clarify, but the websites which have been exploited.

Free access that circumvents the product being leveraged should result in a lawsuit. I think OpenAI needs to be taking legal action against more of these companies trying to leverage OpenAI’s IP as an independent or “revolutionary” technology.


You’re right. I don’t think the last point applies here though.

There’s no indication of desire for profits to be made. It’s not a company, it’s mainly a single person. Neither have they claimed it as their own, but explicitly state that it uses vulnerabilities of other websites. These are not intricate and ground-breaking exploits. Most of their “exploits” are as simple as asking for permission, and it being granted.

Imagine if you could just “ask” a digital storefront to sell you their product/service without verifiable credentials, and it just goes “okay”. Imagine the same digital storefront is carrying loads of private & valuable information as well.

Not only that. Imagine the same storefront which lets this process happen thousands of times per day, and doesn’t even notice.

There’s two types of people: those who have been hacked, and those who don’t know it.

Would you blame the person who brought this situation to light, or the storefront that has absolutely no security? Both would be a fair answer. But, considering intention and obligations, I would say that more of the fault lies with the storefront.

In my perfect world, this Github developer would be scared, left alone. And anybody using OpenAI API services should be notified that if simple security measures aren’t implemented, they will be cut off.

Adding some assumptions. This could be a kid/student who just wanted to show off what they could do. The intention, in my opinion, is clear that nothing malicious was intended. In fact, I don’t think anything was intended. Anybody with a sense and an established picture of life would know the ramifications of releasing a tool like this.

On the other side. We have established well-known websites which haven’t bothered to implement the simplest measures of security. Hopefully it’s a wake up call, for both.
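
An added example, not code from this thread, the GitHub project, or any of the sites discussed: one form the "simple security measures" could take for the two gaps raised above (requests granted without verifiable credentials, and high volume going unnoticed). It gates a site's own chat endpoint before anything is forwarded to the paid upstream API. The key, limit, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values for this example; a real deployment keeps the key in a secret store.
SESSION_KEY = b"example-only-session-key"
DAILY_LIMIT = 3   # forwarded requests per account per day (tiny so the demo trips it)
DAY = 86400


def _tag(body: str) -> str:
    return hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, expires: int) -> str:
    """Session token handed out after login: user|expiry|HMAC-SHA256 tag."""
    body = f"{user_id}|{expires}"
    return f"{body}|{_tag(body)}"


def verify_token(token: str, now: int):
    """Return the user id for a valid, unexpired token, else None."""
    parts = (token or "").split("|")
    if len(parts) != 3 or not parts[1].isdecimal():
        return None
    user_id, expires, tag = parts
    expected = _tag(f"{user_id}|{expires}")
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return user_id if int(expires) >= now else None


class CompletionGate:
    """Decides whether a request may be forwarded to the paid upstream model API."""

    def __init__(self):
        self.used = {}     # (user_id, day number) -> requests already forwarded
        self.alerts = []   # events an operator should be shown

    def check(self, token: str, now: int):
        user = verify_token(token, now)
        if user is None:
            self.alerts.append(("unauthenticated", now))
            return 401, "login required"
        key = (user, now // DAY)
        if self.used.get(key, 0) >= DAILY_LIMIT:
            self.alerts.append(("quota_exceeded", user))
            return 429, "daily quota reached"
        self.used[key] = self.used.get(key, 0) + 1
        return 200, "forward to upstream"
```

Because every forwarded request is tied to an account and counted, scripted traffic from an HTTP client or Selenium shows up in `alerts` instead of as an unexplained upstream bill.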