An AI model will "notice them" but ignore them if trained on enough copies with them to learn that they're not significant.
vidarh
Yes: Train on more images processed by this.
In other words: If the tool becomes popular it will be self-defeating by producing a large corpus of images teaching future models to ignore the noise it introduces.
There are likely easier "quick fixes" while waiting for new models, but this is the general fix that will work against almost any adversarial attack like this.
There might be theoretical attacks that'd be somewhat more difficult to overcome to the extent of requiring tweaks to the models, but given that there demonstrably exists a way of translating text to images that overcomes any such adversarial method that isn't noticeable to humans, given that humans can, there will inherently always be a way to beat them.
That's hilarious, given that if these tools become remotely popular the users of the tools will provide enough adversarial data for the training to overcome them all by itself, so there's little reason for anyone with access to A100s to bother trying - they'll either be a minor nuisance used by a tiny number of people, or be self-defeating.
To me, that's not an argument for regulating AI, though, because most regulation we can come up with will benefit those with deep enough pockets to buy themselves out of the problem, while solving nothing.
E.g. as I've pointed out in other debates like this, Getty Images has a market cap of <$2bn. OpenAI may have had a valuation in the $90bn range. Google, MS, Adobe all also have share prices that would trivially allow them to purchase someone like Getty to get ownership of a large training set of photos. Adobe already has rights to a huge selection via their own stock service.
Bertelsmann owns Penguin Random-House and a range of other publishing subsidiaries. Its market cap is around 15 billion Euro. Also well within price for a large AI contender to buy to be able to insert clauses about AI rights. (You think authors will refuse to accept that? All but the top sellers will generally be unable to afford to turn down a publishing deal, especially if it's sugar-coated enough, but they also sit on a shit-ton of works where the source text is out-of-copyright but they own the right to the translations outright as works-for-hire)
That's before considering simply hiring a bunch of writers and artists to produce data for hire.
So any regulation you put in place to limit the use of copyrighted works only creates a "tax" effectively.
E.g. OpenAI might not be able to copy artist X's images, but they'll be able to hire artist Y on the cheap to churn out art in artist X's style for hire, and then train on that. They might not be able to use author Z's work, but they can hire a bunch of hungry writers (published books sell ca. 200 copies on average; the average full time author in the UK earns below minimum wage from their writing) as a content farm.
The net result for most creators will be the same.
Ever wonder why Sam Altman of OpenAI has been lobbying about the dangers of AI? This is why. And it's just the start. As soon as these companies have enough capital to buy themselves access for data, regulations preventing training on copyrighted data will be them pulling up the drawbridge and making it cost-prohibitive for people to build open, publicly accessible models in ways that can be legally used.
And in doing so they'll effectively get to charge an "AI tax" on everyone else.
If we're going to protect artists, we'd be far better off finding other ways of compensating them for the effects, not least because it will actually provide them some protection.
You can see the difference in the process in the results, for example in how some generated pictures will contain something like a signature in the corner
If you were to train human children on an endless series of pictures with signatures in the corner, do you seriously think they'd not emulate signatures in the corner?
If you think that, you haven't seen many children's drawings, because children also often pick up that it's normal to put something in the corner, despite the fact that to children pictures with signatures are a tiny proportion of visual input.
Or how it is at least possible to get the model to output something extremely close to the training data
People also mimic. We often explicitly learn to mimic - e.g. I have my son's art folder right here, full of examples of him being explicitly taught to make direct copies as a means to learn technique.
We just don't have very good memory. This is an argument for a difference in ability to retain and reproduce inputs, not an argument for a difference in methods.
And again, this is a strawman. It doesn't even begin to try to answer the questions I asked, or the one raised by the person you first responded to.
That at least proves that the process is quite different to the process of human learning.
Neither of those really suggests that at all (that diffusion is different to how humans learn to generalize images is likely true, what you've described does not provide even the start of any evidence of that), but again that is a strawman.
There was no claim they work the same. The question raised was how the way they're trained is different from how a human learns styles.
This idea that copyright and IP shouldn’t exist at all is kinda absurd.
For the majority of human existence, that was the default.
Copyright exists as an explicit tradeoff between the rights of the public to be able to do as they please with stuff introduced into the public sphere, and a legal limitation infringing on the public's liberty for a limited time for the purpose of encouraging the creation of more works for the public benefit. It was not introduced as some sort of inherent right, but as a trade between the public and creators to incentivise them.
Stripping it away from existing artists who have come to depend on it without some alternative would be grossly unfair, but there's nothing absurd about wanting to change the bargain over time. After all, that has been done many times, and the copyright we have now is vastly different and far more expansive and lengthy than early copyright protection.
Personally, I'd be in favour of finding alternative means of supporting creators and stripping back copyright as a tradeoff. The vast majority of creators earn next to nothing from their works; only a very tiny minority makes a livable wage off art of any form at all, and of the rest the vast majority of profits take place in a very short period of initial exploitation of a work, so we could allow the vast majority to earn more from their art relatively cheaply, and affect the rest to a relatively limited degree, while benefiting from the reduced restrictions.
Society is built to distribute wealth, so that everyone can live a decent life.
As a goal, I admire it, but if you intend this as a description of how things are it'd be boundlessly naive.
Human brains clearly work differently than AI, how is this even a question?
It's not all that clear that those differences are qualitatively meaningful, but that is irrelevant to the question they asked, so this is entirely a strawman.
Why does the way AI vs. the brain learn make training AI with art different to a person studying art styles? Both learn to generalise features that allow them to reproduce them. Both can do so without copying specific source material.
The term “learning” in machine learning is mainly a metaphor.
How does the way they learn differ from how humans learn? They generalise. They form "world models" of how information relates. They extrapolate.
Also, laws are written with a practical purpose in mind - they are not some universal, purely philosophical construct and never have been.
This is the only uncontroversial part of your answer. The main reason why courts will treat human and AI actions differently is simply that they are not human. It will for the foreseeable future have little to do with whether the processes are similar enough to how humans do it.
They don't even need to detect them - once they are common enough in training datasets the training process will "just" learn that the noise they introduce are not features relevant to the desired output. If there are enough images like that it might eventually generate images with the same features.
Trying to detect poisoned images is the wrong approach. Include them in the training set and the training process itself will eventually correct for it.
I think if you build more robust features
Diffusion approaches etc. do not involve any conscious "building" of features in the first place. The features are trained by training the net to match images with text features correctly, and then "just" repeatedly predict how to denoise an image to get closer to a match with the text features. If the input includes poisoned images, so what? It's no different than e.g. compression artifacts, or noise.
These tools all try to counter models trained without images using them in the training set with at most fine-tuning, but all they show is that models trained without having seen many images using that particular tool will struggle.
But in reality, the massive problem with this is that we'd expect any such tool that becomes widespread to be self-defeating, in that they become a source for images that will work their way into the models at a sufficient volume that the model will learn them. In doing so they will make the models more robust against noise and artifacts, and so make the job harder for the next generation of these tools.
In other words, these tools basically act like a manual adversarial training source, and in the long run the main benefit coming out of them will be that they'll prod and probe at failure modes of the models and help remove them.
I'm just very tickled at how much it backfired - Lewis turned outright anti-Catholic. If I'd been a religious man I might have tried to read something into that (but I'm not, so).
You wouldn't want to. If you just feed it to the models, then if there are enough of these images to matter the model will learn to ignore the differences. You very specifically don't want to prevent the model from learning to overcome these things, exactly because if you do you're stuck with workarounds like that forever, but if you don't the model will just become more robust to noisy data like this.
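The dynamic argued in the comments above, as an added toy example (not part of the original comments and not any real tool's algorithm): a model trained only on clean images is fooled by a perturbation confined to a channel humans do not perceive, while the same model retrained on a corpus that also contains perturbed images stops relying on that channel. The two-feature data, the `perturb` stand-in and all parameters are constructed assumptions.

```python
import math
import random

def make_images(n, rng):
    """Constructed toy data: x = (visible content, imperceptible channel), label y = +/-1."""
    data = []
    for _ in range(n):
        y = rng.choice((-1, 1))
        visible = y * 1.0 + rng.gauss(0, 0.5)   # what a human looks at: noisy but honest
        hidden = y * 2.0 + rng.gauss(0, 0.2)    # low-noise shortcut a model latches onto
        data.append(((visible, hidden), y))
    return data

def perturb(sample):
    # Hypothetical stand-in for the tool: push only the imperceptible channel
    # toward the opposite class; visible content and true label are unchanged.
    (visible, hidden), y = sample
    return ((visible, hidden - 4.0 * y), y)

def train(data, epochs=200, lr=0.1):
    """Logistic regression without bias, full-batch gradient descent."""
    w = [0.0, 0.0]
    for _ in range(epochs):
        grad = [0.0, 0.0]
        for x, y in data:
            margin = y * (w[0] * x[0] + w[1] * x[1])
            g = -y / (1.0 + math.exp(margin))   # derivative of log-loss w.r.t. the score
            grad[0] += g * x[0]
            grad[1] += g * x[1]
        w = [w[i] - lr * grad[i] / len(data) for i in range(2)]
    return w

def accuracy(w, data):
    return sum(y * (w[0] * x[0] + w[1] * x[1]) > 0 for x, y in data) / len(data)

def experiment(seed=0):
    rng = random.Random(seed)
    train_clean, test_clean = make_images(400, rng), make_images(1000, rng)
    test_pert = [perturb(s) for s in test_clean]
    w_old = train(train_clean)                                     # never saw perturbed images
    w_new = train(train_clean + [perturb(s) for s in train_clean]) # corpus now contains them
    return {
        "old_on_clean": accuracy(w_old, test_clean),
        "old_on_perturbed": accuracy(w_old, test_pert),
        "new_on_clean": accuracy(w_new, test_clean),
        "new_on_perturbed": accuracy(w_new, test_pert),
        "new_hidden_weight_ratio": abs(w_new[1]) / abs(w_new[0]),
    }

if __name__ == "__main__": print(experiment())
```

The retrained model gives up the small accuracy edge the shortcut channel provided on clean data, which is the robustness trade the comments describe; the weight ratio shows the perturbed channel ending up close to ignored.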