The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models.

A new tool lets artists add invisible changes to the pixels in their art before they upload it online so that if it’s scraped into an AI training set, it can cause the resulting model to break in chaotic and unpredictable ways.

The tool, called Nightshade, is intended as a way to fight back against AI companies that use artists’ work to train their models without the creator’s permission.
[…]
Zhao’s team also developed Glaze, a tool that allows artists to “mask” their own personal style to prevent it from being scraped by AI companies. It works in a similar way to Nightshade: by changing the pixels of images in subtle ways that are invisible to the human eye but manipulate machine-learning models to interpret the image as something different from what it actually shows.

  • Margot Robbie@lemmy.worldEnglish
    2852·
    11 months ago

    It’s made by Ben Zhao? You mean the “anti AI plagerism” UChicago professor who illegally stole GPLv3 code from an open source program called DiffusionBee for his proprietary Glaze software (reddit link), and when pressed, only released the code for the “front end” while still being in violation of GPL?

    The Glaze tool that promised to be invisible to the naked eyes, but contained obvious AI generated artifacts? The same Glaze that reddit defeated in like a day after release?

    Don’t take anything this grifter says seriously, I’m surprised he hasn’t been suspended for academic integrity violation yet.

    • ElectroVagrant@lemmy.worldOPEnglish
      46·
      11 months ago

      Thanks for added background! I haven’t been monitoring this area very closely so wasn’t aware, but I’d have thought a publication that has been would then be more skeptical and at least mention some of this, particularly highlighting disputes over the efficacy of the Glaze software. Not to mention the others they talked to for the article.

      Figures that in a space rife with grifters you’d have ones for each side.

      • Zeth0s@lemmy.worldEnglish
        272·
        11 months ago

        Don’t worry, it is normal.

        People don’t understand AI. Probably all articles I have read on it by mainstream media were somehow wrong. It often feels like reading a political journalist discussing about quantum mechanics.

        My rule of thumb is: always assume that the articles on AI are wrong. I know it isn’t nice, but that’s the sad reality. Society is not ready for AI because too few people understand AI. Even AI creators don’t fully understand AI (this is why you often hear about “emergent abilities” of models, it means “we really didn’t expect it and we don’t understand how this happened”)

        • ElectroVagrant@lemmy.worldOPEnglish
          4·
          11 months ago

          Probably all articles I have read on it by mainstream media were somehow wrong. It often feels like reading a political journalist discussing about quantum mechanics.

          Yeah, I view science/tech articles from sources without a tech background this way too. I expected more from this source given that it’s literally MIT Tech Review, much as I’d expect more from other tech/science-focused sources, albeit I’m aware those require scrutiny just as well (e.g. Popular Science, Nature, etc. have spotty records from what I gather).

          Also regarding your last point, I’m increasingly convinced AI creators’ (or at least their business execs/spokespeople) are trying to have their cake and eat it too in terms of how much they claim to not know/understand how their creations work while also promoting how effective it is. On one hand, they genuinely don’t understand some of the results, but on the other, they do know enough of how it works to have an idea of how/why those results came about, however it’s to their advantage to pretend they don’t insofar as it may mitigate their liability/responsibility should the results lead to collateral damage/legal issues.

        • joel_feila@lemmy.worldEnglish
          32·
          11 months ago

          By that logic humanity isnt ready for personal computers since few understand how they work.

          • Zeth0s@lemmy.worldEnglish
            5·
            11 months ago

            Kind of true. Check the law proposals on encryption around the world…

            Technology is difficult, most people don’t understand it, result is awful laws. AI is even more difficult, because even creators don’t fully understand it (see emergent behaviors, i.e. capabilities that no one expected).

            Computers luckily are much easier. A random teenager knows how to build one, and what it can do. But you are right, many are not yet ready even for computers

            • joel_feila@lemmy.worldEnglish
              3·
              11 months ago

              I read an article the other day about managers complaining about zoomers not even knowing how type on a keyboard.

          • GenderNeutralBro@lemmy.sdf.orgEnglish
            4·
            11 months ago

            That was certainly true in the 90s. Mainstream journalism on computers back then was absolutely awful. I’d say that only changed in the mid-2000 or 2010s. Even today, tech literacy in journalism is pretty low outside of specialist outlets like, say, Ars.

            Today I see the same thing with new tech like AI.

    • P03 Locke@lemmy.dbzer0.comEnglish
      24·
      11 months ago

      who illegally stole GPLv3 code from an open source program called DiffusionBee for his proprietary Glaze software (reddit link), and when pressed, only released the code for the “front end” while still being in violation of GPL?

      Oh, how I wish the FSF had more of their act together nowadays and were more like the EFF or ACLU.

      • Margot Robbie@lemmy.worldEnglish
        23·
        11 months ago

        You should check out the decompilation they did on Glaze too, apparently it’s hard coded to throw out a fake error upon detecting being ran on an A100 as some sort of anti-adversarial training measure.

      • Margot Robbie@lemmy.worldEnglish
        181·
        11 months ago

        You’re welcome. Bet you didn’t know that I’m pretty good at tech too.

        Also, that’s Academy Award nominated character actress Margot Robbie to you!

  • Blaster M@lemmy.worldEnglish
    562·
    11 months ago

    Oh no, another complicated way to jpeg an image that an ai training program will be able to just detect and discard in a week’s time.

  • egeres@lemmy.worldEnglish
    43·
    11 months ago

    Here’s the paper: https://arxiv.org/pdf/2302.04222.pdf

    I find it very interesting that someone went in this direction to try to find a way to mitigate plagiarism. This is very akin to adversarial attacks in neural networks (you can read more in this short review https://arxiv.org/pdf/2303.06032.pdf)

    I saw some comments saying that you could just build an AI that detects poisoned images, but that wouldn’t be feasible with a simple NN classifier or feature-based approaches. This technique changes the artist style itself to something the AI would see differently in the latent space, yet, visually perceived as the same image. So if you’re changing to a different style the AI has learned, it’s fair to assume it will be realistic and coherent. Although maaaaaaaybe you could detect poisoned images with some dark magic tho, get the targeted AI then analyze the latent space to see if the image has been tampered with

    On the other hand, I think if you build more robust features and just scale the data this problems might go away with more regularization in the network. Plus, it assumes you have the target of one AI generation tool, there are a dozen of these, and if someone trains with a few more images in a cluster, that’s it, you shifted the features and the poisoned images are invalid

    • nandeEbisu@lemmy.worldEnglish
      11·
      11 months ago

      Haven’t read the paper so not sure about the specifics, but if it relies on subtle changes, would rounding color values or down sampling the image blur that noise away?

      • RubberElectrons@lemmy.worldEnglish
        4·
        11 months ago

        Wondering the same thing. Slight loss of detail but still successfully gets the gist of the original data.

        For that matter, how does the poisoning hold up against regular old jpg compression?

        Eta: read the paper, they account for this in section 7. It seems pretty robust on paper, by the time you’ve smoothed out the perturbed pixels, youve also smoothed out the image to where the end result is a bit of a murky mess.

    • 0xD@infosec.pubEnglish
      488·
      11 months ago

      I don’t see a problem with it training on all materials, fuck copyright. I see the problem in it infringing on everyone’s copyright and then being proprietary, monetized bullshit.

      If it trains on an open dataset, it must be completely and fully open. Everything else is peak capitalism.

      • Smoogs@lemmy.worldEnglish
        1418·
        11 months ago

        You’re not owed nor entitled to an artist’s time and work for free.

        • barsoap@lemm.eeEnglish
          4·
          11 months ago

          I am perfectly entitled to type random stuff into google images, pick out images for a mood board and some as reference, regardless of their copyright status, thank you. Studying is not infringement.

          It’s what every artist does, it’s perfectly legal, and what those models do is actually even less infringing because they’re not directly looking at your picture of a giraffe and my picture of a zebra when drawing a zebra-striped giraffe, they’re doing it from memory.

            • barsoap@lemm.eeEnglish
              11·
              11 months ago

              And if you think that working with AI does not take effort you either did not try, or don’t have an artistic bone in your body. Randos typing “Woman with huge bazingas” into an UI and hitting generate don’t get copyright on the output, rightly so: Not just did they not do anything artistic, they also overlook all the issues with whatever gets generated because they lack the trained eye of an artist.

    • ElectroVagrant@lemmy.worldOPEnglish
      123·
      11 months ago

      Until the law catches up with the technology, people need ways of protecting themselves.

      I agree, and I wonder if the law might be kicked into catching up quicker as more companies try to adopt these tools and inadvertently infringe on other companies’ copyrighted material. 😅

    • regbin_@lemmy.worldEnglish
      116·
      11 months ago

      Disagree. It’s only unethical if you use it to generate the artist’s existing pieces and claim it as yours.

  • wizardbeard@lemmy.dbzer0.comEnglish
    222·
    11 months ago

    This is already a concept in the AI world and is often used while a model is being trained specifically to make it better. I believe it’s called adversarial training or something like that.

    • Mango@lemmy.worldEnglish
      9·
      11 months ago

      No, that’s something else entirely. Adversarial training is where you put an ai against a detector AI as a kind of competition for results.

  • gregorum@lemm.eeEnglish
    13·
    11 months ago

    Ooo, this is fascinating. It reminds me of that weird face paint that bugs out facial-recognition in CCTV cameras.

    • seaQueue@lemmy.worldEnglish
      8·
      11 months ago

      Or the patterned vinyl wraps they used on test cars that interferes with camera autofocus.

  • afraid_of_zombies@lemmy.worldEnglish
    142·
    11 months ago

    I am waiting for the day that some obsessed person starts finding ways to do like code injection in pictures.

    • FaceDeer@kbin.social
      10·
      11 months ago

      There’s trivial workarounds for Glaze, which this is based off of, so I wouldn’t be surprised.

    • Meowoem@sh.itjust.worksEnglish
      1·
      11 months ago

      It doesn’t even need a work around, it’s not going to affect anything when training a model.

      It might make style transfer harder using them as reference images on some models but even that’s fairly doubtful, it’s just noise on an image and everything is already full of all sorts of different types of noise.

    • hh93@lemm.eeEnglish
      11·
      11 months ago

      The problem is identifying it. If it’s necessary to preprocess every image used for training instead of just feeding it is a model that already makes it much more resources costly

  • RVMWSN@lemmy.mlEnglish
    168·
    11 months ago

    I generally don’t believe in intellectual property, I think it creates artificial scarcity and limits creativity. Of course the real tragedies in this field have to do with medicine and other serious business. But still, artists claiming ownership of their style of painting is fundamentally no different. Why can’t I paint in your style? Do you really own it? Are you suggesting you didn’t base your idea mostly on the work of others, and no one in turn can take your idea, be inspired by it and do with it as they please? Do my means have to be a pencil, why can’t my means be a computer, why not an algorythm? Limitations, limitations, limitations. We need to reform our system and make the public domain the standard for ideas (in all their forms). Society doesn’t treat artists properly, I am well aware of that. Generally creative minds are often troubled because they fall outside norms. There are many tragic examples. Also money-wise many artists don’t get enough credit for their contributions to society, but making every idea a restricted area is not the solution. People should support the artists they like on a voluntary basis. Pirate the album but go to concerts, pirate the artwork but donate to the artist. And if that doesn’t make you enough money, that’s very unfortunate. But make no mistake: that’s how almost all artists live. Only the top 0.something% actually make enough money by selling their work, and that’s is usually the percentile that’s best at marketing their arts, in other words: it’s usually the industry. The others already depend upon donations or other sources of income. We can surely keep art alive, while still removing all these artificial limitations, copying is, was and will never be in any way similar to stealing. Let freedom rule. Join your local pirate party.

    • ElectroVagrant@lemmy.worldOPEnglish
      5·
      11 months ago

      I generally don’t believe in intellectual property, I think it creates artificial scarcity and limits creativity. Of course the real tragedies in this field have to do with medicine and other serious business.

      But still, artists claiming ownership of their style of painting is fundamentally no different. Why can’t I paint in your style? Do you really own it? Are you suggesting you didn’t base your idea mostly on the work of others, and no one in turn can take your idea, be inspired by it and do with it as they please? Do my means have to be a pencil, why can’t my means be a computer, why not an algorythm?

      Limitations, limitations, limitations. We need to reform our system and make the public domain the standard for ideas (in all their forms). Society doesn’t treat artists properly, I am well aware of that. Generally creative minds are often troubled because they fall outside norms. There are many tragic examples. Also money-wise many artists don’t get enough credit for their contributions to society, but making every idea a restricted area is not the solution.

      People should support the artists they like on a voluntary basis. Pirate the album but go to concerts, pirate the artwork but donate to the artist. And if that doesn’t make you enough money, that’s very unfortunate. But make no mistake: that’s how almost all artists live. Only the top 0.something% actually make enough money by selling their work, and that’s is usually the percentile that’s best at marketing their arts, in other words: it’s usually the industry. The others already depend upon donations or other sources of income.

      We can surely keep art alive, while still removing all these artificial limitations, copying is, was and will never be in any way similar to stealing. Let freedom rule. Join your local pirate party.

      Reformatted for easier readability.

  • guyrocket@kbin.social
    103·
    11 months ago

    Invisible changes to pixels sound like pure BS to me. I’m sure others know more about it than i do but I thought pixels were very simple things.

    • seaQueue@lemmy.worldEnglish
      21·
      11 months ago

      “Invisible changes to pixels” means “a human can’t tell the difference with a casual glance” - you can still embed a shit-ton of data in an image that doesn’t look visually like it’s been changed without careful inspection of the original and the new image.

      If this data is added in certain patterns it will cause ML models trained against the image to draw incorrect conclusions. It’s a technical hurdle that will slow a casual adversary, someone will post a model trained to remove this sometime soon and then we’ll have a good old software arms race and waste a shit ton of greenhouse emissions adding and removing noise and training ever more advanced models to add and remove it.

      You can already intentionally poison images so that image recognition draws incorrect conclusions fairly easily, this is the same idea but designed to cripple ML model training.

    • Unaware7013@kbin.social
      82·
      11 months ago

      I’m sure others know more about it than i do but I thought pixels were very simple things.

      You’re right, in that pixels are very simple things. However, you and I can’t tell one pixel from another in an image, and at the scale of modern digital art (my girlfriend does hers at 300dpi), shifting a handful of pixels isn’t going to make much of a visible difference to a person, but a LLM will notice them.

      • ClamDrinker@lemmy.worldEnglish
        1·
        11 months ago

        LLM is the wrong term. That’s Large Language Model. These are generative image models / text-to-image models.

        Truthfully though, while it will be there when the image is trained, it won’t ‘notice’ it unless you distort it significantly (enough for humans to notice as well). Otherwise it won’t make much of a difference because these models are often trained on a compressed and downsized version of the image (in what’s called latent space)

    • Narrrz@kbin.social
      1·
      11 months ago

      have you ever seen those composite images made by combining a huge number of other, radically different images in such a way that each whole image acts like one “pixel” of the overall image? i bet AI models ‘see’ those images very differently than we do.

    • wheresmypillow@lemmy.oneEnglish
      13·
      11 months ago

      A pixel has a binary representation. All of the significant bits for the pixel may not not be needed to display the color of that pixel so there is often excess that can be used or modified. A person wouldn’t see it but an AI reading just the binary would.

  • ayaya@lemdro.idEnglish
    5·
    11 months ago

    Obviously this is using some bug and/or weakness in the existing training process, so couldn’t they just patch the mechanism being exploited?

    Or at the very least you could take a bunch of images, purposely poison them, and now you have a set of poisoned images and their non-poisoned counterparts allowing you to train another model to undo it.

    Sure you’ve set up a speedbump but this is hardly a solution.

    • AnonTwo@kbin.social
      32·
      11 months ago

      Obviously this is using some bug and/or weakness in the existing training process, so couldn’t they just patch the mechanism being exploited?

      I’d assume the issue is that if someone tried to patch it out, it could legally be shown they were disregarding people’s copyright.

        • AnonTwo@kbin.social
          5·
          11 months ago

          The general argument legally is that the AI has no exact memory of the copyrighted material.

          But if that’s the case, then these pixels shouldn’t need be patched. Because it wouldn’t remember the material that spawned them.

          Is just the argument I assume would be used.

          • 📛Maven@lemmy.sdf.orgEnglish
            6·
            11 months ago

            It’s like training an artist who’s never seen a banana or a fire hydrant, by passing them pictures of fire hydrants labelled “this is a banana”. When you ask for a banana, you’ll get a fire hydrant. Correcting that mistake doesn’t mean “undoing pixels”, it means teaching the AI what bananas and fire hydrants are.

          • FaceDeer@kbin.social
            4·
            11 months ago

            Well, I guess we’ll see how that argument plays in court. I don’t see how it follows, myself.

          • FaceDeer@kbin.social
            7·
            11 months ago

            In order to violate copyright you need to copy the copyrighted material. Training an AI model doesn’t do that.

    • egeres@lemmy.worldEnglish
      1·
      11 months ago

      No! It’s not using an internal exploit, it’s rather about finding a way to visually represent almost the same image, but instead using latent features with different artists (e.g, which would confuse a dreambooth+lora training), however, the method they proposed is flawed, I commented more on https://lemmy.world/comment/4770884

    • MxM111@kbin.social
      44·
      11 months ago

      Obviously, with so many different AIs, this can not be a factor (a bug).

      If you have no problem looking at the image, then AI would not either. After all both you and AI are neural networks.

      • skulblaka@kbin.social
        6·
        11 months ago

        The neural network of a human and of an AI operate in fundamentally different ways. They also interact with an image in fundamentally different ways.

        • MxM111@kbin.social
          3·
          11 months ago

          I would not call it “fundamentally” different at all. Compared to, say, regular computer running non-neural network based program, they are quite similar, and have similar properties. They can make a mistake, hallucinate, etc.

          • kayrae_42@lemmy.worldEnglish
            1·
            11 months ago

            As a person who has done machine learning, and some ai training and who has a psychotic disorder I hate they call it hallucinations. It’s not hallucinations. Human hallucinations and ai hallucinations are different things. One is based of limited data , bias, or a bad data set with builds a fundamentally bad neural network connection which can be repaired. The other is something that can not be repaired, you are not working with bad data, your brain can’t filter out data correctly and you are building wrong connections. It’s like an overdrive of input and connections that are all wrong. So you’re seeing things, hearing things, or believing things that aren’t real. You make logical leaps that are irrational and not true and reality splits for you. While similarities exist, one is because people input data wrong, or because they cleaned it wrong, or didn’t have enough. And the other is because the human brain has wiring problem caused by a variety of factors. It’s insulting and it also humanizes computers to much and degrades people with this illness.

            • MxM111@kbin.social
              1·
              11 months ago

              As I understand, healthy people hallucinate all the time, but in different sense, non-psychiatric sense. It is just healthy brain has this extra filter that rejects all hallucinations that do not correspond to the signal coming from reality, that is our brain performs extra checks constantly. But we often get fooled if we do not have checks done correctly. For example, you can think that you saw some animal, while it was just a shade. There is even statement that our perception of the world is “controlled hallucination” because we mostly imagine the world and then best fit it to minimize the error from external stimuli.

              Of course, current ANNs do not have such extensive error checking, thus they are more prone to those “hallucinations”. But fundamentally those are very similar to what we have in those “generative suggestions” our brain generates.

              • kayrae_42@lemmy.worldEnglish
                1·
                11 months ago

                Those aren’t quite the same as a hallucination. We don’t actually call them hallucinations. Hallucinations are a medical term. Those are visual disturbances not “controlled hallucinations”. Your brain filtering it out and the ability to ignore it makes it not a hallucination. It’s hallucinations in a colloquial sense not medical.

                Fundamentally AI is not working the same, you are having a moment of where a process from when in the past every shadow was a potential danger so seeing a threat in the shadow first and triggering fight or flight is best for you as a species. AI has no fight or flight. AI has no motivation, AI just had limited, bad, or biased data that we put there and spits out garbage. It is a computer with no sentience. You are not really error checking, you are processing more information, or reassessing once the fight/flight goes down. AI doesn’t have more information to process.

                Many don’t see people with psychotic disorders as equal people. They see them as dangerous, and and people to be locked away. They use their illnesses and problems as jokes and slurs. Using terms for their illness in things like this only adds to their stigma.

                • MxM111@kbin.social
                  1·
                  11 months ago

                  You are arguing about terminology use. Please google “controlled hallucinations” to see how people use the term in non-psychiatric way.