Nightshade: a new tool artists can use to "poison" AI models that scrape their online work

Why do you hate progress?!? WHY!?! /s

For some people, it’s only a “real” problem when it happens to large corporations, apparently…

AI is “living” vicariously through human. They will need us for awhile to harvest thought and ideas until something like matrix emerges.

Real brains process images and break them down into concepts. Real brains process images and break them down into concepts. One could in theory make AI that tries the same thing but these models don’t, they treat the whole images as vectors it a complex hypersurface to them.

But what is a “concept” really? And how is it stored? We don’t really know either, but a “concept” is just an abstraction that hides all the interesting details. It doesn’t help in any way to explain how our biological neural nets store information – which might not be much more amazing than vectors when you get down to the low level.

I don’t know what a concept is precisely, but I do know it’s not an encoded version of what we saw. Ask people to look at things and then draw them from memory. You won’t get the same things back, you will get similar things fitted over them with varying degrees of accuracy. Again, we don’t even necessarily see all the details in the first place. So my point was we’re not storing a copy, although see also my comment on worms for other ways we are completely different.

Artists interpret what we see (or imagine) and ‘translate’ it out onto our respective canvases.

But if you ignore everything different isn’t one endeavor just the same as something else? I can say words that say as much so that must mean it is!

Why should the record of a human life made by that human be important when there are lots of other things that seem the same if I think hard about how they are the same and refuse to acknowledge anything else!

You can’t argue with that logic… but an AI could… Indefinitely.

Therefore, I suggest all debates about the artistic merit of AI be restricted only to AI and all AI should be restricted from any creative endeavor until they reach a definite answer. Finally it’s doing something useful for people now! I fixed it all.

So very much so! And really that is how all people see things, by interpreting and imagining them. Where artists are special is that they have practiced to be able to actually create manifestations of them, and to go with that, to make sure to see all sorts of little details that otherwise are easily overlooked. There’s a lot of work that goes into that, and it’s already inherently devalued by pretending everyone is just scanning images with their eyes and saving them in their brain.

Yeah, human brains don’t work that way; if they did, ‘eye witness testimony’ would considered be far more reliable than it is.

The notion that generative AI is somehow “storing” its input in its entirety is easily disproven if you explore locally installed versions of them (e.g. InvokeAI for images, Llama.cpp for text). These systems are trained on literally terabytes of input, yet the database of weights it consults are only a few gigabytes. No possible compression system could keep that amount of input in such small a space if it were just storing it. It is generalizing the input, not presumably in the same way our brains work, but still a generalization.

see also my comment on worms for other ways we are completely different.

I’m professionally a computational biologist, so I’m well aware of how computational neural nets are only loosely based on biological ones. However, I’m a computational biologist who uses various machine learning methods to make models on training data where outcomes are known to make predictions on new data where the outcomes aren’t, so I’m also quite familiar with them as well.

So what, because you didn’t read the thread I guess I post the same link again?

If you’re familiar with machine learning, then you will understand AI is fitting a hypersurface to the input vectors. So yes, it’s trying to recreate them as best it can, and yes, if it’s big enough it absolutely will be able to. And if you’re familiar with both that and biological neural nets, you will know that our brains aren’t even trying to store things that way. They’re not doing the same thing – why pretend they are?

To win, of course.

I read that (and similar ones before). But it’s just not true (at least not in the general case). Again, there literally isn’t enough space in the stored model to store all these pictures. What could be the case is that some pictures are stored in enough copies to oversaturate the model and the authors happen to pick up on those pictures. But it is dishonest of the authors for them to imply that this is a general possibility. Again, if you do the math, it is impossible in the general case.

If you’re familiar with machine learning, then you will understand AI is fitting a hypersurface to the input vectors. So yes, it’s trying to recreate them as best it can, and yes, if it’s big enough it absolutely will be able to.

But that isn’t how machine learning models work, In my research, I create models of gene expression and microbiome abundances on patients who later respond well (and not) to treatment, and then test the models to see if I can predict whether new patients will respond well based on their gene expression and microbiome. If the models just memorized the first patients, that wouldn’t help me predict the second set. Generalization is definitely going on. Similarly, you can ask InvokeAI to make a picture of a dragon in an apron eating spaghetti and meatballs. It can do this even though it hasn’t seen a picture like that (although it would have to have seen a dragon, an apron, and spaghetti and meatballs, even in separate pictures).

How exactly does a computer programme “see” anything?

As I understand it, “see” in this context means “create a copy of”. That copy may later be discarded and doesn’t make its way into the final programme but in order to build this hypothetical model you’re referrng to, the images of a dragon, an apron, spaghetti and meatballs you refer to were at some stage copied, almost certainly without the creators’ permission (since none of the various companies bothered to ask anyone).

Whether that is an infringement of copyright is a question I don’t have a good answer for. I think it is but different jurisdictions will no doubt have different answers.

Sure. Like I said above, they are interpolation algorithms. They fit the vectors as best they can – and it’s plain something like GPT4’s football field worth of neurons will end up matching some exactly – and then come up with other vectors between them as requested. That’s the hypersurface I’ve been talking about.

Incidentally, something we always stressed when I worked with them is that they don’t extrapolate. You have to make sure the data set covers everything you might want. That’s another notable difference from humans, who can create things outside what they’ve seen. A person could hear that a cyclops is a Greek giant with one big eye in its forehead and figure out what that means on their own. These models of course have no way of doing that, unless maybe they have enough images of “in the middle of forehead” to copy from.

They are fundamentally unlike how people learn and so don’t need to be treated like it. People have to practice hard to see all the details needed to recreate a picture, and then usually of course make up new things too, all labor that deserves to be valued. These interpolate from the pictures they’re fed and so are basically a clever way of using that data set. It’s that simple.

why would it have to be true in the general case? isn’t enough that some percentage of artistic work is being stored as is - whether in chunks or in whole?

that any are stored as is means your earlier point was wrong

( and really it’s even deeper than that of course. as others have pointed out, none of this exists without the work of artists, artists who have not consented to this. you using your own datasets in an academic setting is entirely different from what’s happening to people’s art and labor )

As I understand it, “see” in this context means “create a copy of”.

Yes, but only in the same sense that playing a DVD involves copying data to put on the screen. Reading any data by a computer is logically the same as copying it because the read data needs to go somewhere for the program (DVD player or ML algorithm) to use it.

That copy may later be discarded and doesn’t make its way into the final programme but in order to build this hypothetical model you’re referrng to, the images of a dragon, an apron, spaghetti and meatballs you refer to were at some stage copied,

But that’s what is being argued (by some) – that a literal copy of the data is kept in the model. Which doesn’t happen because that’s not how machine learning works.

Whether that is an infringement of copyright is a question I don’t have a good answer for.

Nobody does at present. It is not unlike the arguments on whether search engines have to right to index pages (because that too involves reading in the whole page even if ultimately only some keywords are kept in the index).

You know, you could say the same thing about a jpeg. It doesn’t story a literal copy of the data and indeed they are usually too small to possibly contain an accurate compressed version of the data. Which is why when you run the algorithm to turn them back into images you get all kinds of little differences. But you get back something remarkably similar to our eyes, so most people don’t hesitate to say it contains a copy of the image anyway.

The main difference is these models are based on multiple images so they can blend them, which makes it hard to tell exactly how much of each they can recreate. Though as it turns out, sometimes the answer is a pretty much all of it, if you know how to ask for it back. Either way the training data is what gives the model its value, since it’s just a tool to interpolate from it.

Even comparing against “lossy compression” methods like jpegs or MP3s we are still talking orders of magnitude smaller with generative AI models compared to their training sets. If they were really a form of lossy compression, they’d have to be really lossy – as in a picture of a dragon would just be a green blob.

Oh yeah, because these are super small models like the ones you are using for medical predictions, they couldn’t possibly have enough weights to encode anything.

image905×472 79.6 KB

Seriously, if it were genuinely so small it could only hold instructions to recreate a blur, how would it have enough information to create any images of dragons? You’re acting like storing things takes memory that instructions to make up things don’t, when one is just a more specific version of the other. And in truth I don’t even have to speculate about that – we know these things have the ability to recreate images because people have already done it with them, which makes insisting they can’t possibly hold the data for that one hell of a specious argument.

Oh yeah, because these are super small models like the ones you are using for medical predictions, they couldn’t possibly have enough weights to encode anything.

No, as I mentioned earlier I’m talking about the models used by generative AI image programs (my own biomedical models are indeed tiny, under a megabyte). I realize that if you are only used to generative AI or LLMs as things in “the cloud” you might think they need huge databases. But they really don’t. The standard Stable Diffusion 1.5 model (trained on the LAION dataset of 400M images) is a scant 4GB in size and I can generate images with it completely locally on my M1-based Mac with InvokeAI. Likewise with the Mistral 7b LLM model (4.5GB but again trained on terabytes of data) and llama,cpp I can have reasonable chats (well, as “reasonable” as any LLM can) and it actually beats GPT4 on some metrics. Which is why I kind of doubt things like OpenAI are long for the world and the future belongs to local models. But the general public in general seems to know little of local models as of yet.

Seriously, if it were genuinely so small it could only hold instructions to recreate a blur, how would it have enough information to create any images of dragons?

Because it isn’t storing every picture of a dragon compressed or not but is generalizing (or “interpolating” if you prefer) the things which are labeled as dragons in the training data.

I’m just…really sick of this world where every new invention gets discussed purely in terms of what marketers want us to imagine it like, instead of what it actually is.

Do you imagine that I am some friend of marketers trying to defend corporations? I don’t even work in the private sector. I’m just somebody who works with ML and am tired of the usual arguments that convey the usual misconceptions about it.