That raises an interesting question – one that has bothered me for a long time: Who owns copyright on training data?
As we saw with Clearview AI, a lot of data is being used without consent or even knowledge of the creators. And it's extremely hard to detect this usage, let alone enforce rights on it.
I might be misunderstanding this work, but it seems like this would give you the ability to mark your digital data in such a way that you could prove it was later used in a model.
Unfortunately, it's not that simple. You don't have access to the models (normally). And I'm betting that this work is somehow domain-specific, meaning you can't really come up with a generalized marker to imprint on all your data.
But this implies you might be able to mark your data with many such markers, in hopes that one of them will later be triggered:
> We also designed the radioactive data method so that it is extremely difficult to detect whether a data set is radioactive and to remove the marks from the trained model.
The flipside is interesting, too: This might give companies yet another way of tracking users. Now you can check whether a given user was in your model's actual training set, and if not, fine-tune the model on the fly.
Looking forward to seeing what comes of this.
In this case, couldn't such a marker be detected by taking the images of a given class, looking for a common perturbation across them, subtracting that common perturbation from the images, and then training the neural network? Even if there isn't a genuine common perturbation, subtracting whatever false-positive "common" perturbation the procedure produces shouldn't be any more destructive than the marking method itself.
If there were a way to make the marker depend on both the initial image and the class, it would be much harder to detect; would such a method even be detectable, given that the images within a class would no longer share a common perturbation?
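A minimal sketch of the averaging idea above, under the strong assumption that the mark is a fixed additive perturbation shared by every image in a class (the actual radioactive-data method is more subtle than this); `images` is a hypothetical list of same-class grayscale arrays:

```python
import numpy as np

def estimate_common_perturbation(images):
    """Estimate an additive perturbation shared by all same-class images.

    A cheap high-pass filter (image minus a 5-point neighbor average)
    strips each image's smooth content; averaging the residuals then
    cancels image-specific detail, while a mark common to every image
    survives the average.
    """
    residuals = []
    for img in images:
        blurred = (img
                   + np.roll(img, 1, axis=0) + np.roll(img, -1, axis=0)
                   + np.roll(img, 1, axis=1) + np.roll(img, -1, axis=1)) / 5.0
        residuals.append(img - blurred)
    return np.mean(residuals, axis=0)

def remove_common_perturbation(images):
    """Subtract the estimated shared perturbation from every image."""
    p = estimate_common_perturbation(images)
    return [img - p for img in images]
```

This only works if the mark really is identical across the class and mostly high-frequency; a mark that depends on the individual image would cancel out in the average just like ordinary image detail.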
Megacorps, regardless of what the data is, who produced it, or when.
This appears to be a modern variation of the https://en.wikipedia.org/wiki/Fictitious_entry / copy-trap techniques that mapmakers have used in the past.
A model could be made leaner during training by progressively pruning the width/depth of its weight layers, but I doubt every model has this done.
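The progressive trimming mentioned above is usually done as magnitude pruning. A framework-free sketch (the weight matrices and the schedule are hypothetical, not from any particular model):

```python
import numpy as np

def magnitude_prune(weights, sparsity):
    """Zero out the smallest-magnitude fraction `sparsity` of each matrix."""
    pruned = []
    for w in weights:
        k = int(sparsity * w.size)
        if k == 0:
            pruned.append(w.copy())
            continue
        # k-th smallest absolute value becomes the pruning threshold
        threshold = np.partition(np.abs(w).ravel(), k - 1)[k - 1]
        pruned.append(np.where(np.abs(w) <= threshold, 0.0, w))
    return pruned

# Progressive schedule: prune a bit more after each training phase.
# for target in (0.2, 0.4, 0.6):
#     weights = magnitude_prune(weights, target)
#     ... continue training so the network recovers ...
```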
"Overlearning Reveals Sensitive Attributes": https://arxiv.org/abs/1905.11742
This last sentence is the real reason behind this technology. Training data isn't cheap, and I'm sure the paying party wants a watermark on it.
I think you're right that DRM systems are likely to be built on top of such infrastructure, but DRM has been broken in other contexts before, and the system doesn't necessarily have to be used for DRM.
At the moment, advertising providers use a lot of data for ad targeting, only some of which is benign and/or acquired with informed consent. As a result, it's impossible for a user to tell whether an ad was targeted at them based on data they consented to share or on data they never wanted collected or used for advertising.
Also notice that being proactive in watermarking the dataset can be desirable in some cases. For example, many datasets have large overlaps in the base images they use (but sometimes different labels), so it can be interesting to know whether a model was trained on "your" version of the dataset.
What's to stop cameras from making raw photos "radioactive" from now on, making deepfakes traceable by tainting the image-sets on which the models generating the deepfakes were trained?
This isn't my field. I'm certain there's a workaround, but I'd suspect detecting sufficiently well-placed markers would require knowing the original data pre-mark, which should be impossible if the data is marked before it's written to camera storage. I haven't even fully thought out the logistics yet, such as how to identify the radioactive data.
But am I missing something? I feel like this is viable.
1 - https://en.wikipedia.org/wiki/Machine_Identification_Code
Overall, my instinct is that one could create an NN architecture that is unaffected, or even easily detect the tampered pictures with a preprocessing pass and untamper them.
NNs are inherently fuzzy; they tolerate noise, so you could add a bit more noise to the dataset to defeat the "radioactiveness".
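A sketch of that idea: add independent random noise to each image before training, on the assumption that it drowns out a small crafted mark without hurting accuracy much (the noise level here is an arbitrary choice, and whether this actually defeats the marking is an open question):

```python
import numpy as np

def add_defensive_noise(images, sigma=2.0, seed=None):
    """Add independent Gaussian noise to uint8 images, hoping to swamp
    any small crafted perturbation before the images are used for training."""
    rng = np.random.default_rng(seed)
    noisy = images.astype(np.float64) + rng.normal(0.0, sigma, images.shape)
    return np.clip(noisy, 0, 255).astype(np.uint8)
```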
Also, I'm pretty sure Facebook is not doing it to protect user data, but I have no proof.
Then observe the outputs of said models to try to discern related patterns.
Can you elaborate? Chapter? Context? Thanks.
> Manfred drains his beer glass, sets it down, stands up, and begins to walk along the main road, phone glued to the side of his head. He wraps his throat mike around the cheap black plastic casing, pipes the input to a simple listener process. "Are you saying you taught yourself the language just so you could talk to me?"
> "Da, was easy: Spawn billion-node neural network, and download Teletubbies and Sesame Street at maximum speed. Pardon excuse entropy overlay of bad grammar: Am afraid of digital fingerprints steganographically masked into my-our tutorials."
I guess it would have only been a major plot point if the digital fingerprints had turned out to be present and had tripped some kind of monitoring system.