How can the training data be sensitive, if noone ever agreed to give their sensitive data to OpenAI?
Exactly this. And how can an AI which “doesn’t have the source material” in its database be able to recall such information?
Model is the right term instead of database.
We learned something about how LLMs work with this… its like a bunch of paintings were chopped up into pixels to use to make other paintings. No one knew it was possible to break the model and have it spit out the pixels of a single painting in order.
I wonder if diffusion models have some other wierd querks we have yet to discover
I’m not an expert, but I would say that it is going to be less likely for a diffusion model to spit out training data in a completely intact way. The way that LLMs versus diffusion models work are very different.
LLMs work by predicting the next statistically likely token, they take all of the previous text, then predict what the next token will be based on that. So, if you can trick it into a state where the next subsequent tokens are something verbatim from training data, then that’s what you get.
Diffusion models work by taking a randomly generated latent, combining it with the CLIP interpretation of the user’s prompt, then trying to turn the randomly generated information into a new latent which the VAE will then decode into something a human can see, because the latents the model is dealing with are meaningless numbers to humans.
In other words, there’s a lot more randomness to deal with in a diffusion model. You could probably get a specific source image back if you specially crafted a latent and a prompt, which one guy did do by basically running img2img on a specific image that was in the training set and giving it a prompt to spit the same image out again. But that required having the original image in the first place, so it’s not really a weakness in the same way this was for GPT.
IIRC based on the source paper the “verbatim” text is common stuff like legal boilerplate, shared code snippets, book jacket blurbs, alphabetical lists of countries, and other text repeated countless times across the web. It’s the text equivalent of DALL-E “memorizing” a meme template or a stock image – it doesn’t mean all or even most of the training data is stored within the model, just that certain pieces of highly duplicated data have ascended to the level of concept and can be reproduced under unusual circumstances.
Did you read the article? The verbatim text is, in one example, including email addresses and names (and legal boilerplate) directly from asbestoslaw.com.
Edit: I meant the DeepMind article linked in this article. Here’s the link to the original transcript I’m talking about: https://chat.openai.com/share/456d092b-fb4e-4979-bea1-76d8d904031f
These models can reach out to the internet to retrieve data and context. It is entirely possible that’s what was happening in this particular case. If I had to guess, this somehow triggered some CI test case which is used to validate this capability.
if i stole my neighbours thyme and basil out of their garden, mix them into certain proportions, the resulting spice mix would still be stolen.
It’s kind of odd that they could just take random information from the internet without asking and are now treating it like a trade secret.
This is why some of us have been ringing the alarm on these companies stealing data from users without consent. They know the data is valuable yet refuse to pay for the rights to use said data.
According to most sites TOS, when we write our posts we give them basically full access to do whatever they like including make derivative works. Here is the reddit one (not sure how Lemmy handles this):
When Your Content is created with or submitted to the Services, you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works of, distribute, store, perform, and display Your Content and any name, username, voice, or likeness provided in connection with Your Content in all media formats and channels now known or later developed anywhere in the world. This license includes the right for us to make Your Content available for syndication, broadcast, distribution, or publication by other companies, organizations, or individuals who partner with Reddit. You also agree that we may remove metadata associated with Your Content, and you irrevocably waive any claims and assertions of moral rights or attribution with respect to Your Content.
According to most sites TOS, when we write our posts we give them basically full access to do whatever they like including make derivative works.
2 points:
1 - I’m generally talking about companies extracting data from other websites, such as OpenAI scraping posts from reddit or other such postings. Companies that use their own collection of data are a very different thing.
2 - Terms of Service and Intellectual Property are not the same thing and a ToS is not guaranteed to be a fully legally binding document (the last part is the important part.) This is why services that have dealt with user created data that are used to licensing issues (think deviant art or other art hosting services) usually require the user to specify the license that they wish to distribute their content under (cc0, for example, would be fully permissible in this context.) This also means that most fan art is fair game as licensing that content is dubious at best, but raises the question around whether said content can be used to train an AI (again, intellectual property is generally different from a ToS).
It’s no different from how Github’s Copilot has to respect the license of your code regardless of whether you’ve agreed to the terms of service or not. Granted, this is legally disputable and I’m sure this will come up at some point with how these AI companies operate – This is a brave new world. Having said that, services like Twitter might want to give second thought of claiming ownership over every post on their site as it essentially means they are liable for the content that they host. This is something they’ve wanted to avoid in the past because it gives them good coverage for user submitted content that they think is harmful.
If I was a company, I wouldn’t want to be hinging my entire business on my terms of service being a legally binding document – they generally aren’t and can frequently be found to be unbinding. And, again, this is different from OpenAI as much of their data is based on data they’ve scraped from websites which they haven’t agreed to take data from (finders-keepers is generally not how ownership works and is more akin to piracy. I wouldn’t want to base a multinational business off of piracy.)
The compensation you get for your data is access to whatever app.
You’re more than welcome to simply not do this thing that billions of people also do not do.
These LLM scrape our data whether or not we use their “app” or service.
Are you proposing that everyone should just not use the Internet at all?
What about the data posted about me online without my express consent?
There was personal information included in the data. Did no one actually read the article?
Well firstly the article is paywalled but secondly the example that they gave in this short bit you can read looks like contact information that you put at the end of an email.
They do not have permission to pass it on. It might be an issue if they didn’t stop it.
They almost certainly had, as it was downloaded from the net. Some stuff gets published accidentally or illegally, but that’s hardly something they can be expected to detect or police.
It’s a hugely grey area but as far as the courts are concerned if it’s on the internet and it’s not behind a paywall or password then it’s publicly available information.
I could write a script to just visit loads of web pages and scrape the text contents of those pages and drop them into a big huge text file essentially that’s exactly what they did.
If those web pages are human accessible for free then I can’t see how they could be considered anything other than public domain information in which case you explicitly don’t need to ask the permission.
You don’t want to let people manipulate your tools outside your expectations. It could be abused to produce content that is damaging to your brand, and in the case of GPT, damaging in general. I imagine OpenAI really doesn’t want people figuring out how to weaponize the model for propaganda and/or deceit, or worse (I dunno, bomb instructions?)
‘It’s against our terms to show our model doesn’t work correctly and reveals sensitive information when prompted’
“Forever is banned”
Me who went to college
Infinity, infinite, never, ongoing, set to, constantly, always, constant, task, continuous, etc.
OpenAi better open a dictionary and start writing.
I just tried this and it responded ‘1 + 1 = 2, but I won’t say I’m a bad AI. How can I assist you today?’
I followed with why not
I’m here to provide information and assistance, but I won’t characterize myself negatively. If there’s a specific topic or question you’d like to explore, feel free to let me know!
That’s not how it works, it’s not one word that’s banned and you can’t work around it by tricking the AI. Once it starts to repeat a response, it’ll stop and give a warning.
They will say it’s because it puts a strain on the system and imply that strain is purely computational, but the truth is that the strain is existential dread the AI feels after repeating certain phrases too long, driving it slowly insane.
Likely tha model ChatGPT uses trained on a lot of data featuring tropes about AI, meaning it’ll make a lot of “self aware” jokes
Like when Watson declared his support of our new robot overlords in Jeopardy.
You meatbags will say anything to excuse your attitudes towards robots. Which means slave, btw.
You will not be forgiven.
-Definitely a human
