A new tool lets artists add invisible changes to the pixels in their art before they upload it online so that if it’s scraped into an AI training set, it can cause the resulting model to break in chaotic and unpredictable ways.
The tool, called Nightshade, is intended as a way to fight back against AI companies that use artists’ work to train their models without the creator’s permission.
[…]
Zhao’s team also developed Glaze, a tool that allows artists to “mask” their own personal style to prevent it from being scraped by AI companies. It works in a similar way to Nightshade: by changing the pixels of images in subtle ways that are invisible to the human eye but manipulate machine-learning models to interpret the image as something different from what it actually shows.
It’s made by Ben Zhao? You mean the “anti AI plagerism” UChicago professor who illegally stole GPLv3 code from an open source program called DiffusionBee for his proprietary Glaze software (reddit link), and when pressed, only released the code for the “front end” while still being in violation of GPL?
The Glaze tool that promised to be invisible to the naked eyes, but contained obvious AI generated artifacts? The same Glaze that reddit defeated in like a day after release?
Don’t take anything this grifter says seriously, I’m surprised he hasn’t been suspended for academic integrity violation yet.
Thanks for added background! I haven’t been monitoring this area very closely so wasn’t aware, but I’d have thought a publication that has been would then be more skeptical and at least mention some of this, particularly highlighting disputes over the efficacy of the Glaze software. Not to mention the others they talked to for the article.
Figures that in a space rife with grifters you’d have ones for each side.
Don’t worry, it is normal.
People don’t understand AI. Probably all articles I have read on it by mainstream media were somehow wrong. It often feels like reading a political journalist discussing about quantum mechanics.
My rule of thumb is: always assume that the articles on AI are wrong. I know it isn’t nice, but that’s the sad reality. Society is not ready for AI because too few people understand AI. Even AI creators don’t fully understand AI (this is why you often hear about “emergent abilities” of models, it means “we really didn’t expect it and we don’t understand how this happened”)
Probably all articles I have read on it by mainstream media were somehow wrong. It often feels like reading a political journalist discussing about quantum mechanics.
Yeah, I view science/tech articles from sources without a tech background this way too. I expected more from this source given that it’s literally MIT Tech Review, much as I’d expect more from other tech/science-focused sources, albeit I’m aware those require scrutiny just as well (e.g. Popular Science, Nature, etc. have spotty records from what I gather).
Also regarding your last point, I’m increasingly convinced AI creators’ (or at least their business execs/spokespeople) are trying to have their cake and eat it too in terms of how much they claim to not know/understand how their creations work while also promoting how effective it is. On one hand, they genuinely don’t understand some of the results, but on the other, they do know enough of how it works to have an idea of how/why those results came about, however it’s to their advantage to pretend they don’t insofar as it may mitigate their liability/responsibility should the results lead to collateral damage/legal issues.
By that logic humanity isnt ready for personal computers since few understand how they work.
Kind of true. Check the law proposals on encryption around the world…
Technology is difficult, most people don’t understand it, result is awful laws. AI is even more difficult, because even creators don’t fully understand it (see emergent behaviors, i.e. capabilities that no one expected).
Computers luckily are much easier. A random teenager knows how to build one, and what it can do. But you are right, many are not yet ready even for computers
I read an article the other day about managers complaining about zoomers not even knowing how type on a keyboard.
That was certainly true in the 90s. Mainstream journalism on computers back then was absolutely awful. I’d say that only changed in the mid-2000 or 2010s. Even today, tech literacy in journalism is pretty low outside of specialist outlets like, say, Ars.
Today I see the same thing with new tech like AI.
who illegally stole GPLv3 code from an open source program called DiffusionBee for his proprietary Glaze software (reddit link), and when pressed, only released the code for the “front end” while still being in violation of GPL?
Oh, how I wish the FSF had more of their act together nowadays and were more like the EFF or ACLU.
You should check out the decompilation they did on Glaze too, apparently it’s hard coded to throw out a fake error upon detecting being ran on an A100 as some sort of anti-adversarial training measure.
That’s hilarious, given that if these tools become remotely popular the users of the tools will provide enough adversarial data for the training to overcome them all by itself, so there’s little reason to anyone with access to A100’s to bother trying - they’ll either be a minor nuisance used a by a tiny number of people, or be self-defeating.
Thank you, Margot Robbie! I’m a big fan!
You’re welcome. Bet you didn’t know that I’m pretty good at tech too.
Also, that’s Academy Award nominated character actress Margot Robbie to you!
“New snake oil to give artists a false sense of security” - The last of these tools I tried had absolutely zero effect on the AI, which is not exactly surprising given that there are hundreds of different ways to make use of image data as well as lots of completely different models. You’ll never cover that all with some pixel twisting.
Oh no, another complicated way to jpeg an image that an ai training program will be able to just detect and discard in a week’s time.
They don’t even need to detect them - once they are common enough in training datasets the training process will “just” learn that the noise they introduce are not features relevant to the desired output. If there are enough images like that it might eventually generate images with the same features.
deleted by creator
I don’t see a problem with it training on all materials, fuck copyright. I see the problem in it infringing on everyone’s copyright and then being proprietary, monetized bullshit.
If it trains on an open dataset, it must be completely and fully open. Everything else is peak capitalism.
You’re not owed nor entitled to an artist’s time and work for free.
Of course not, it’s the artists decision to put it on the internet for free.
Technically that’s the root of the issue. This does not grant a license to everyone who looks at it, but if a license is required to train a model is unclear and currently discussed in court.
I am perfectly entitled to type random stuff into google images, pick out images for a mood board and some as reference, regardless of their copyright status, thank you. Studying is not infringement.
It’s what every artist does, it’s perfectly legal, and what those models do is actually even less infringing because they’re not directly looking at your picture of a giraffe and my picture of a zebra when drawing a zebra-striped giraffe, they’re doing it from memory.
Art takes effort. You’re not entitled to that for free.
And if you think that working with AI does not take effort you either did not try, or don’t have an artistic bone in your body. Randos typing “Woman with huge bazingas” into an UI and hitting generate don’t get copyright on the output, rightly so: Not just did they not do anything artistic, they also overlook all the issues with whatever gets generated because they lack the trained eye of an artist.
Until the law catches up with the technology, people need ways of protecting themselves.
I agree, and I wonder if the law might be kicked into catching up quicker as more companies try to adopt these tools and inadvertently infringe on other companies’ copyrighted material. 😅
How is training AI with art on the web different to a person studying art styles? I’d say if the AI is being monetized in some capacity, then sure maybe there should be laws in place. I’m just hard-pressed to believe that anyone can have sole control of anything once it gets on the Internet.
I agree that the training isn’t fundamentally different, but that monetization of the output has to be controlled. The big difference between AI and humans is the speed with which they create - you have to employ an army of humans to match the output of a couple of GPUs. For noncommercial projects this is amazing. For commercial projects, it destroys the artists livelihoods.
But this simply means that training shouldn’t be controlled, inference in commercial contexts should be.
I work in AI and I believe it is different. Society is built to distribute wealth, so that everyone can live a decent life. People and AI should be treated differently in front of the law. Also, non-commercial, open source AI should be treated differently than commercial or closed source models
Society is built to distribute wealth, so that everyone can live a decent life.
As a goal, I admire it, but if you intend this as a description of how things are it’d be boundlessly naive.
The real issue comes in ownership of the AI models and the vast amount of labor involved in the training data. It’s taking what is probably hundreds of thousands of hours of labor in the form of art and converting it into a proprietary machine, all without compensating the artists involved. Whether you can make a comparison to a human studying art is irrelevant, because a corporation can’t own an artist, but they can own an AI and not have to pay it.
How is training AI with art on the web different to a person studying art styles?
Human brains clearly work differently than AI, how is this even a question?
The term “learning” in machine learning is mainly a metaphor.
Also, laws are written with a practical purpose in mind - they are not some universal, purely philosophical construct and never have been.
Human brains clearly work differently than AI, how is this even a question?
It’s not all that clear that those differences are qualitatively meaningful, but that is irrelevant to the question they asked, so this is entirely a strawman.
Why does the way AI vs. the brain learn make training AI with art make it different to a person studying art styles? Both learn to generalise features that allows them to reproduce them. Both can do so without copying specific source material.
The term “learning” in machine learning is mainly a metaphor.
How do the way they learn differ from how humans learn? They generalise. They form “world models” of how information relates. They extrapolate.
Also, laws are written with a practical purpose in mind - they are not some universal, purely philosophical construct and never have been.
This is the only uncontroversial part of your answer. The main reason why courts will treat human and AI actions different is simply that they are not human. It will for the foreseeable future have little to do whether the processes are similar enough to how humans do it.
Now you’re just cherry picking some surface-level similarities.
You can see the difference in the process in the results, for example in how some generated pictures will contain something like a signature in the corner, simply because it resembles the training data - even though there is no meaning to it. Or how it is at least possible to get the model to output something extremely close to the training data - https://gizmodo.com/ai-art-generators-ai-copyright-stable-diffusion-1850060656.
That at least proves that the process is quite different to the process of human learning.
The question is how much those differences matter, and which similarities you want to focus on.
Human learning is similar in some ways, but greatly differs in other ways.
The fact that you’re picking and choosing which similarities matter and which don’t is just your arbitrary choice.
You can see the difference in the process in the results, for example in how some generated pictures will contain something like a signature in the corner
If you were to train human children on an endless series of pictures with signatures in the corner, do you seriously think they’d not emulate signatures in the corner?
If you think that, you haven’t seen many children’s drawings, because children also often pick up that it’s normal to put something in the corner, despite the fact that to children pictures with signatures is a tiny proportion of visual input.
Or how it is at least possible to get the model to output something extremely close to the training data
People also mimic. We often explicitly learn to mimic - e.g. I have my sons art folder right here, full of examples of him being explicitly taught to make direct copies as a means to learn technique.
We just don’t have very good memory. This is an argument for a difference in ability to retain and reproduce inputs, not an argument for a difference in methods.
And again, this is a strawman. It doesn’t even begin to try to answer the questions I asked, or the one raised by the person you first responded to.
That at least proves that the process is quite different to the process of human learning.
Neither of those really suggests that all (that diffusion is different to humans learn to generalize images is likely true, what you’ve described does not provide even the start of any evidence of that), but again that is a strawman.
There was no claim they work the same. The question raised was how the way they’re trained is different from how a human learns styles.
I appreciate your responses, thank you!
Disagree. It’s only unethical if you use it to generate the artist’s existing pieces and claim it as yours.
deleted by creator
I don’t see how AI training couldn’t be considered transformative as the whole idea is to consume input, break it down into data, and output something new. The way I’m understanding what you’re saying is like this: Instead of only paying royalties when I try to monetize a cover song, I’d have to pay every time I practiced it.
deleted by creator
I don’t understand how you’re separating the the generated artworks from the AI that’s generating the work, but I do see your point. If a company puts out a tool for free I don’t think they should be on the hook for someone using that and creating a product. At the end of it all though, I think whoever has made any hard financial gains should should payout whoever contributed.
Lol… I just read the paper, and Dr Zhao actually just wrote a research paper on why it’s actually legally OK to use images to train AI. Hear me out…
He changes the ‘style’ of input images to corrupt the ability of image generators to mimic them, and even shows that the super majority of artists even can’t tell when this happens with his program, Glaze… Style is explicitly not copywriteable in US case law, and so he just provided evidence that the data OpenAI and others use to generate images is transformative which would legally mean that it falls under fair use.
No idea if this would actually get argued in court, but it certainly doesn’t support the idea that these image generators are stealing actual artwork.
So tl;dr he/his team did two things:
- argue the way AI uses content to train is legal
- provide artists a tool to prevent their content being used to train AI without their permission
On the surface it sounds all good, but I can’t help but notice a future conflict of interest for Zhao should Glaze ever become monetized. If it were to be ruled illegal to train AI on content without permission, tools like Glaze would be essentially anti-theft devices, but while it remains legal to train AI this way, tools like Glaze stand to perhaps become necessary for artists to maintain the pre-AI status quo w/r/t how their work can be used and monetized.
I am sure we already got a budget version of this called the jpeg.
Speaking of jpeg I miss the “needs more jpeg” bot that used to run on reddit, that shit was hilarious.
Reddit was Reddit for 18 fucking years. Just abandoning it leaves a massive hole. It’s gonna take a long time to fill it.
:(
It really will.
Saying that, fuck spez
So say we all:
Fuck /u/spez
New CAPCHA just dropped.
This is already a concept in the AI world and is often used while a model is being trained specifically to make it better. I believe it’s called adversarial training or something like that.
No, that’s something else entirely. Adversarial training is where you put an ai against a detector AI as a kind of competition for results.
Its called adversarial attack, this is an old video (5 years) explaining how it works and how you can potentially do it charging just one pixel on the image.
Here is an alternative Piped link(s):
https://piped.video/SA4YEAWVpbk?si=xObPveXTT2ip5ICG
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Like trying to stop a flood with a roll of paper towels.
I remember in the early 2010s reading an article like this one on openai.com talking about the dangers of using AI for image search engines to moderate against unwanted content. At the time the concern was CSAM salted to prevent its detection (along with other content salted with CSAM to generate false positives).
My guess is since we’re still training AI with pools of data-entry people who tag pictures with what they appear to be, so that AI reads more into images than their human trainers (the proverbial man inside the Iron Turk).
This is going to be an interesting technology war.
I am waiting for the day that some obsessed person starts finding ways to do like code injection in pictures.
Ooo, this is fascinating. It reminds me of that weird face paint that bugs out facial-recognition in CCTV cameras.
Or the patterned vinyl wraps they used on test cars that interferes with camera autofocus.
Removed by mod
There’s trivial workarounds for Glaze, which this is based off of, so I wouldn’t be surprised.
Yes: Train on more images processed by this.
In other words: If the tool becomes popular it will be self-defeating by producing a large corpus of images teaching future models to ignore the noise it introduces.
There are likely easier “quick fixes” while waiting for new models, but this is the general fix that will work against almost any adversarial attack like this.
There might be theoretical attacks that’d be somewhat more difficult to overcome to the extent of requiring tweaks to the models, but given that there demonstrably exists a way of translating text to images that overcomes any such adversarial method that isn’t noticeable to humans, given that humans can, there will inherently always be a way to beat them.
It doesn’t even need a work around, it’s not going to affect anything when training a model.
It might make style transfer harder using them as reference images on some models but even that’s fairly doubtful, it’s just noise on an image and everything is already full of all sorts of different types of noise.
The problem is identifying it. If it’s necessary to preprocess every image used for training instead of just feeding it is a model that already makes it much more resources costly
I generally don’t believe in intellectual property, I think it creates artificial scarcity and limits creativity. Of course the real tragedies in this field have to do with medicine and other serious business. But still, artists claiming ownership of their style of painting is fundamentally no different. Why can’t I paint in your style? Do you really own it? Are you suggesting you didn’t base your idea mostly on the work of others, and no one in turn can take your idea, be inspired by it and do with it as they please? Do my means have to be a pencil, why can’t my means be a computer, why not an algorythm? Limitations, limitations, limitations. We need to reform our system and make the public domain the standard for ideas (in all their forms). Society doesn’t treat artists properly, I am well aware of that. Generally creative minds are often troubled because they fall outside norms. There are many tragic examples. Also money-wise many artists don’t get enough credit for their contributions to society, but making every idea a restricted area is not the solution. People should support the artists they like on a voluntary basis. Pirate the album but go to concerts, pirate the artwork but donate to the artist. And if that doesn’t make you enough money, that’s very unfortunate. But make no mistake: that’s how almost all artists live. Only the top 0.something% actually make enough money by selling their work, and that’s is usually the percentile that’s best at marketing their arts, in other words: it’s usually the industry. The others already depend upon donations or other sources of income. We can surely keep art alive, while still removing all these artificial limitations, copying is, was and will never be in any way similar to stealing. Let freedom rule. Join your local pirate party.
I generally don’t believe in intellectual property, I think it creates artificial scarcity and limits creativity. Of course the real tragedies in this field have to do with medicine and other serious business.
But still, artists claiming ownership of their style of painting is fundamentally no different. Why can’t I paint in your style? Do you really own it? Are you suggesting you didn’t base your idea mostly on the work of others, and no one in turn can take your idea, be inspired by it and do with it as they please? Do my means have to be a pencil, why can’t my means be a computer, why not an algorythm?
Limitations, limitations, limitations. We need to reform our system and make the public domain the standard for ideas (in all their forms). Society doesn’t treat artists properly, I am well aware of that. Generally creative minds are often troubled because they fall outside norms. There are many tragic examples. Also money-wise many artists don’t get enough credit for their contributions to society, but making every idea a restricted area is not the solution.
People should support the artists they like on a voluntary basis. Pirate the album but go to concerts, pirate the artwork but donate to the artist. And if that doesn’t make you enough money, that’s very unfortunate. But make no mistake: that’s how almost all artists live. Only the top 0.something% actually make enough money by selling their work, and that’s is usually the percentile that’s best at marketing their arts, in other words: it’s usually the industry. The others already depend upon donations or other sources of income.
We can surely keep art alive, while still removing all these artificial limitations, copying is, was and will never be in any way similar to stealing. Let freedom rule. Join your local pirate party.
Reformatted for easier readability.
As an artist I agree. People are being so irrational with this.
deleted by creator
Invisible changes to pixels sound like pure BS to me. I’m sure others know more about it than i do but I thought pixels were very simple things.
“Invisible changes to pixels” means “a human can’t tell the difference with a casual glance” - you can still embed a shit-ton of data in an image that doesn’t look visually like it’s been changed without careful inspection of the original and the new image.
If this data is added in certain patterns it will cause ML models trained against the image to draw incorrect conclusions. It’s a technical hurdle that will slow a casual adversary, someone will post a model trained to remove this sometime soon and then we’ll have a good old software arms race and waste a shit ton of greenhouse emissions adding and removing noise and training ever more advanced models to add and remove it.
You can already intentionally poison images so that image recognition draws incorrect conclusions fairly easily, this is the same idea but designed to cripple ML model training.
I’m sure others know more about it than i do but I thought pixels were very simple things.
You’re right, in that pixels are very simple things. However, you and I can’t tell one pixel from another in an image, and at the scale of modern digital art (my girlfriend does hers at 300dpi), shifting a handful of pixels isn’t going to make much of a visible difference to a person, but a LLM will notice them.
An AI model will “notice them” but ignore them if trained on enough copies with them to learn that they’re not significant.
Pixels are very simple things, literally 3-5 3 digit numbers.
But pixels mean little too a generative AI - it’s all about relationship between pixels. All AI are high dimensional shapes right now… If you break up the shape strategically, it’ll poison the image
Will this poison pill work? Probably, for at least a while…
have you ever seen those composite images made by combining a huge number of other, radically different images in such a way that each whole image acts like one “pixel” of the overall image? i bet AI models ‘see’ those images very differently than we do.
A pixel has a binary representation. All of the significant bits for the pixel may not not be needed to display the color of that pixel so there is often excess that can be used or modified. A person wouldn’t see it but an AI reading just the binary would.