Sadly digital personal assistants are the biggest example of something that we've not yet figured out how to build safely given the threat of prompt injection.
If your assistant can perform actions on your behalf - even as simple as replying to an email - you can't risk that assistant being exposed to any potentially malicious text from an untrusted source that might contain instructions designed to subvert it.
So your assistant can't be trusted to summarize web pages. Or even to read messages in your inbox!
It seems to me like there's sufficient value even if the assistant can't complete any actions fully (e.g., can compose but not send an email; or maybe not even compose). There's so much potential simply aiding with executive function: what to do, when to do it, acquiring any dependencies, handling partial work, helping break down tasks, and a great deal of potential with perception if the assistant is highly available and perceives what the human perceives.
Imagine a personal assistant that was always ready to respond to the question "what should I do now?" – and of course enter dialog, not just dictate an action. That you could tell about all your tasks, but not just the tasks but also the _why_ of the tasks, giving it the chance to set or change something like a deadline on its own, or even simply discuss those deadlines.
Imagine you could co-develop a process with that assistant. Maybe there's times you like to do certain kinds of work... what are those? What features distinguish different kinds of work? If you have to do a certain kind of work, what do you need (time/place/mindset) to be successful? It doesn't need to be some magic algorithm, it can be a deliberative process that you engage in with your assistant, something conscious and explicit.
Maybe it helps both move through and construct to-do lists. You have an item on your list: either the item is very easy or the question is "what's the first thing you have to do to achieve that item?" – and the assistant has some idea (and can learn more) about what a good size of a task is for you personally. And now it's keeping this list of tasks and dependencies. It should be able to understand enough to mark subtasks complete if you complete the parent task. It can probably suggest items. If it has access to enough information – even if you have to put the information in explicitly – it can probably help you resume tasks by reestablishing all the context you need.
Like maybe all your assistant needs or should have is access to your clipboard (in and out), photos and screenshots, mic and speaker access (with a wake word), a library of notes and observations, and task initiation that isn't any more sophisticated than what you can do from a link (mailto:person?subject=...)
Completely agree - there's still a ton of interesting stuff we can explore with personal assistants if we're careful about it.
My concern is that prompt injection is the kind of vulnerability which you default to being vulnerable to if you don't understand it - so it's going to be really easy (and common) for people to build the unsafe assistants instead.
> So your assistant can't be trusted to summarize web pages
Under these circumstances people can't be trusted to summarized web pages either. Natural selection will weed out these "inapropriate" LLMs the same way inapropriate people are weeded out from e.g. companies by being fired. Models don't need to be perfect, just useful.
Unfortunately in this case they do need to be perfect. A model that reads a web page and then emails all of my private data to some attacker who put malicious instructions on that web page isn't useful.
So you are saying (human) personal assistants are not useful? I think many people disagree and most people would want to have one weren‘t it so expensive
If your assistant can perform actions on your behalf - even as simple as replying to an email - you can't risk that assistant being exposed to any potentially malicious text from an untrusted source that might contain instructions designed to subvert it.
So your assistant can't be trusted to summarize web pages. Or even to read messages in your inbox!
I wrote more about this problem - and provided a very disappointing partial proposed solution - here: https://simonwillison.net/2023/Apr/25/dual-llm-pattern/