How artists can poison their pics with deadly Nightshade to deter AI scrapers

University of Chicago boffins this week released Nightshade 1.0, a tool built to punish unscrupulous makers of machine learning models who train their systems on data without getting permission first. Nightshade is an offensive data poisoning tool, a companion to a defensive style protection tool called Glaze, which The …

  1. Bebu
    Windows

    Nightshade - poetic

    Atropa belladonna - Atropa < Atropos, the fatal Greek lady with the scissors, and belladonna - beautiful woman.

    Gorgeous. A beautiful woman waiting with a pair of scissors - why does that remind me of a scene featuring Renée Soutendijk in the Dutch movie "The Fourth Man"* ? :)

    If this technique can emasculate AI/LLM's pillaging of the products of human creativity I am all for it.

    * If you have seen the movie ("De vierde man") you will know the scene I mean. :)

    1. cosmodrome

      Re: Nightshade - poetic

      Sorry, never advanced further than "Der Dritte Mann". Didn't even know there was a sequel.

      1. Eclectic Man Silver badge
        Joke

        Re: Nightshade - poetic

        Not sure if it has been made into a film yet, but Graham Greene got as far as "The Tenth Man"

        https://en.wikipedia.org/wiki/The_Tenth_Man_(novel)

        1. Michael Wojcik Silver badge

          Re: Nightshade - poetic

          Pfft. Francis Fukuyama got all the way to the end.

  2. Pete Sdev Bronze badge
    Mushroom

    Let the AI wars begin!

    It's an interesting concept. Though historically the sword has always had an edge over the shield, so it's probably only a matter of time before someone develops an 'antidote'.

    1. Catkin Silver badge

      Re: Let the AI wars begin!

      I wonder what other uses might crop up for this. For example, fooling the guidance systems of autonomous vehicles or concealment from image recognition when used with CCTV.

      1. doublelayer Silver badge

        Re: Let the AI wars begin!

        Both cases have the much harder task of getting the system to react wrong when it takes the picture. In this case, the pixels in your file are the pixels the model ingests, but in the case of a camera, it captures with some inaccuracy and lots of angle and background choices, so you have no guarantee of it getting whatever interference you try to send at it. Not that doing something to mess with either system isn't possible, but it will be more difficult.

        1. Michael Wojcik Silver badge

          Re: Let the AI wars begin!

          Maybe.

          Adversarial attacks against non-CLIP image-recognition and computer-vision systems have been pretty successful. And Nightshade and similar attacks are on the training data, not on images presented to the classifier when it's in production, so "what the camera captures" is not the attack vector.

          1. doublelayer Silver badge

            Re: Let the AI wars begin!

            The camera's output kind of has to be the attack vector. You can poison the model in training, but it won't do anything useful unless you can get it to fail during use. If you can poison the training data to identify some specific input as something it's not, it won't help you unless you can also get the camera to properly recognize that thing in production. So, for example, if I feed in images of stop signs with pixels changed and convince the model to identify them as detour signs, but I can't get the camera to identify tampered stop signs in reality, then I haven't obtained any result. If, instead, I manage to get it to frequently mistake stop signs for detours, then it won't work during testing and won't get to production. Thus, to make malicious use of this, I need to be able to poison it in a specific direction and later invoke the behavior.

      2. A Non e-mouse Silver badge

        Re: Let the AI wars begin!

        You're assuming the current image recognition is perfect: When I drive past my local hospital, the sign reading cameras in my car think the speed limit is 100mph!

        There are already examples where people have managed to slightly alter signs or their appearance to fool current image recognition systems. The war has already started.

        1. EricB123 Silver badge

          Re: Let the AI wars begin!

          "When I drive past my local hospital, the sign reading cameras in my car think the speed limit is 100mph!"

          "Death Race 2000" rebooted?

          1. Anonymous Coward

            Re: Let the AI wars begin!

            'take a sharp turn right for the morgue'

      3. elsergiovolador Silver badge

        Re: Let the AI wars begin!

        Can see that at some point freckles become illegal...

      4. Eclectic Man Silver badge
        Childcatcher

        Re: Let the AI wars begin!

        Catkin: fooling the guidance systems of autonomous vehicles

        Whoa there!

        Motor vehicle Satnav systems were notorious for guiding people down footpaths, over cliffs, into rivers and, to my own former company's knowledge, claiming that visitors had 'arrived at their destination' as they drove past the site on the motorway ('freeway' to USAfolk) with no exit in sight. Autonomous vehicles have driven into people, bicycles, parked cars and lots of other things, and ignored red stop lights. Let's get autonomous vehicles working correctly before we start trying to fool with their guidance systems, please.

        1. Catkin Silver badge

          Re: Let the AI wars begin!

          I'd say it's probably "best" to fool them when they're at the development stage, rather than widely rolled out. Imagine, for example, an attacker taking advantage of different detection systems (e.g. LIDAR and image sensors) to cause some vehicles on a motorway to slow down abruptly while others behind them kept merrily moving along.

          I realise that sounds a bit outlandish and that this research doesn't fully encapsulate possible threats but how bad actors might interfere with autonomous vehicles is definitely something the industry and regulators should be thinking about. I would be amazed if people with malicious intent weren't already thinking hard about this topic.

      5. EricB123 Silver badge

        Re: Let the AI wars begin!

        " fooling the guidance systems of autonomous vehicles "

        You mean make the autonomous vehicles even more confused than they already are? Holy crap, Batman!

      6. Dinanziame Silver badge
        Pint

        Re: Let the AI wars begin!

        I can imagine the Sci-Fi movie of the top assassin, who has become invisible to all CCTVs because the secret society which employs them has poisoned all the AI recognition systems over the years

      7. Anonymous Coward

        Re: concealment from image recognition when used with CCTV

        Rest assured this will be made illegal as soon as the first case comes up and you can't prosecute other than for some minor, not-deterrentsy-enough offence. Think of the children and imagine a very real scenario: they stand at a crowded bus stop, young and innocent, all smiles and dreaming about a bright future, and they see a big lollipop walking up to them... while in reality, it's a paedophile rigged with explosives and something, EVERYTHING must be done to prevent this horror!

        1. Catkin Silver badge

          Re: concealment from image recognition when used with CCTV

          I do envy the "only criminals need it" crowd. It must be relaxing to unwaveringly trust the current and all future governments to both restrain their use of invasive powers and trust that said powers are effective at stopping criminals. Plus the dopamine rush from straddling that moral high horse.

        2. Michael Wojcik Silver badge

          Re: concealment from image recognition when used with CCTV

          You know we've had successful, generally-available attacks on image-recognition systems, including commercial facial-recognition systems, for years now, right? Yes, it's always an arms race, but governments don't seem to be racing to attempt to outlaw any of the documented approaches — and they'll have a hard time outlawing new ones.

          (In your hypothetical example — which I believe you meant satirically — are the children using image recognition? I confess I don't understand it.)

    2. Anonymous Coward

      Re: Let the AI wars begin!

      Exactly. This sort of thing is ultimately pointless, it's just going to be a temporary annoyance for everybody.

      Somebody will first develop a detection system for this sort of thing to prevent AI from being poisoned, then somebody will develop a reversing system so that previously 'poisoned' images can still be used.

      Ultimately that's a good thing, snooty 'artiste' types shouldn't be able to stop the advance of technology.

  3. steamnut

    I'm sure that this offensive/counter offensive battle will continue for quite a while with both sides using AI as the tool of choice.

    There will be no real winners here but I think that the material originators will be the ultimate losers.

    Like CD and DVD anti-copying schemes that were defeated long ago, there are more people working on breaking the anti-copying schemes than developing them.

  4. elsergiovolador Silver badge

    SEO

    It's like SEO to search engines. Now you can't find anything if you use Google. Sometimes they don't even bother showing any results, even if they are wrong - you just get a blank page.

  5. Anonymous Coward

    Most training uses text information as to the category of the images, rather than trying to use AI identification too so this fails in this case.

    1. John Brown (no body) Silver badge

      How? The example given in the article is precisely that. A picture of a cow in a field, labelled as a picture of a cow in a field, but with subtle changes not normally visible to a human such that when the AI sucks it in and analyses it, it "sees" a leather purse in a field and then "thinks" it's got a correct identification of a cow. The text is telling it what the image is and it has no good reason to "think" it may be incorrect.

      1. Falmari Silver badge

        @John Brown (no body) ”A picture of a cow in a field, labelled as a picture of a cow in a field, but with subtle changes not normally visible to a human such that when the AI sucks it in and analyses it, it "sees" a leather purse in a field and then "thinks" it's got a correct identification of a cow.”

        I read the paper referenced in the article and I would say it’s a fair analogy: the AI “sees" a leather purse, because the AI would have been shown an image of a leather purse. The image actually gets encoded, and the diffusion model (AI) gets given that. But the encoding process (analysis), due to the changes to the image, generates the encoding for an image of a leather purse.

        These text-to-image models, Stable Diffusion and DALLE-2 etc., are a variant of diffusion models called latent diffusion models (LDMs). LDMs have an encoder for input data and a decoder for output data. The text-to-image models use a variational autoencoder to provide a neural net to encode and a second neural net to decode.

        So, to paraphrase the paper using variational autoencoders latent diffusion converts images from pixel space into a latent feature space. Models then perform the diffusion process in the lower-dimensional image feature space.

        The researchers were able to poison a text prompt by changing an image labelled with one text prompt so the encoder would produce the same encoded values as an image labelled with another text prompt. The image in pixel space to a human still matches the label, but the image in feature space which is what these models train on matches an image with another label.

        E.G. they were able to poison the dog prompt to produce cat images.
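
The mechanism Falmari describes above, as an added worked example that is not part of this thread and not Nightshade's own code: a pixel perturbation, bounded so the image stays close to the source, is optimised so that an encoder maps the "cow" to (nearly) the same latent as a "purse". The encoder here is a constructed random linear map, the two 16x16 images are constructed, and the per-pixel budget `eps` is an assumption; Nightshade optimises against the diffusion model's real VAE encoder and bounds perceptual (LPIPS) distance instead of a per-pixel budget.

```python
"""Toy latent-space poisoning under a pixel budget (constructed example).

A fixed random linear "encoder" W stands in for the VAE encoder of a latent
diffusion model. We look for a perturbation d with |d_i| <= eps such that
encode(cow + d) lands near encode(purse): the pixels still look like the
source, the latent looks like the target.
"""
import random

SIDE = 16                 # 16x16 greyscale image, pixel values in [0, 1]
DIM = SIDE * SIDE
LATENT = 4                # number of latent features the toy encoder produces


def make_encoder(seed=7):
    """Fixed random linear encoder: LATENT rows of DIM weights (assumed toy)."""
    rng = random.Random(seed)
    return [[rng.uniform(-1.0, 1.0) for _ in range(DIM)] for _ in range(LATENT)]


def encode(W, x):
    """Latent z = W x."""
    return [sum(w * p for w, p in zip(row, x)) for row in W]


def dist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b)) ** 0.5


def make_image(fill, box, box_value):
    """Flat background `fill` with a rectangle (r0, c0, r1, c1) of `box_value`."""
    r0, c0, r1, c1 = box
    return [box_value if r0 <= i // SIDE < r1 and c0 <= i % SIDE < c1 else fill
            for i in range(DIM)]


def poison(W, x_src, z_target, eps=0.1, steps=500):
    """Projected gradient descent on ||W(x+d) - z_target||^2 subject to
    |d_i| <= eps and 0 <= x_i + d_i <= 1. Returns the poisoned image."""
    # Step size 1/(2 tr(W W^T)) is at most 1/L for this quadratic
    # (L = 2 lambda_max(W W^T) <= 2 tr(W W^T)), so the objective never increases.
    trace = sum(w * w for row in W for w in row)
    lr = 1.0 / (2.0 * trace)
    d = [0.0] * DIM
    for _ in range(steps):
        z = encode(W, [p + q for p, q in zip(x_src, d)])
        resid = [zi - ti for zi, ti in zip(z, z_target)]
        # gradient of the squared residual w.r.t. d_i is 2 * sum_k W[k][i] * resid[k]
        for i in range(DIM):
            g = 2.0 * sum(W[k][i] * resid[k] for k in range(LATENT))
            di = d[i] - lr * g
            di = max(-eps, min(eps, di))                     # pixel budget
            di = max(-x_src[i], min(1.0 - x_src[i], di))     # stay inside [0, 1]
            d[i] = di
    return [p + q for p, q in zip(x_src, d)]


def run(eps=0.1):
    """Poison the constructed 'cow' towards the constructed 'purse' latent."""
    W = make_encoder()
    cow = make_image(0.7, (9, 3, 13, 11), 0.3)     # "cow": dark shape on a light field
    purse = make_image(0.4, (4, 5, 12, 9), 0.8)    # "purse": light shape on dark ground
    z_cow, z_purse = encode(W, cow), encode(W, purse)
    poisoned = poison(W, cow, z_purse, eps=eps)
    z_poison = encode(W, poisoned)
    before = dist(z_cow, z_purse)
    after = dist(z_poison, z_purse)
    return {
        "latent_gap_before": before,
        "latent_gap_after": after,
        "gap_closed": 1.0 - after / before,
        "max_pixel_change": max(abs(a - b) for a, b in zip(poisoned, cow)),
        "pixels_in_range": all(0.0 <= p <= 1.0 for p in poisoned),
    }


if __name__ == "__main__":
    r = run()
    print(f"latent gap to 'purse': {r['latent_gap_before']:.3f} -> "
          f"{r['latent_gap_after']:.3f} ({100 * r['gap_closed']:.0f}% closed), "
          f"largest pixel change {r['max_pixel_change']:.3f}")
```

Running it reports how much of the latent gap the bounded perturbation closes and the largest per-pixel change it needed. The same optimisation against a real VAE encoder is done with autodiff over the network rather than the explicit gradient written out here, and a nonlinear encoder is far more sensitive to small structured pixel changes than this linear toy, so the budget can be much tighter.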

      2. Anonymous Coward

        It only causes problems for AI image identification in this case. Not image creation. After all, it has something that looks like a cow among many that it is told is a cow. And it will create images that look like this when asked for cows.

        1. Anonymous Coward

          Me: AI, draw a cow for me

          AI: draws cow

          Me: that is a nice cow.

          Me: raise the tail

          AI: redraws tail higher

          ME: that is a nice cow.

          ME: let the tip of the tail droop

          AI: redraws the tail drooping

          ME: that is a nice cow

          ME: make the tip touch the udder

          AI: redraws the tail touching the udder

          ME: that is a nice cow

          ME: make the legs shorter

          AI: redraws the legs shorter

          ME: that is a nice cow

          ME: make the legs shorter

          AI: redraws the legs shorter

          ME: that is a nice cow

          ME: hide the legs

          AI: removes the legs

          ME: that is a nice cow

          ME: make the body bigger

          AI: redraws the body bigger

          ME: that is a nice cow

          ME: redraw the neck longer

          AI: redraws the neck longer

          ME: that is a nice cow

          ME: make the head smaller

          AI: redraws the head

          ME: that is a nice cow

          ME: make the head smaller

          AI: redraws the head

          ME: that is a nice cow

          ME: just remove the head

          AI: removes the head

          ME: that is a nice cow

          At this point we have a picture of a lumpy brown hairy teapot that the AI knows is a cow.

          1. Robin

            Me: AI, draw me a cow

            AI: HTTP 418

    2. Michael Wojcik Silver badge

      I don't think you understand how CLIP models work.

  6. heyrick Silver badge
    WTF?

    How big!?

    I tapped on the fast link Windows binary. Probably would not work on my ancient system but was curious to see how big it was.

    Ummmm...

    2.48GB. Gigabytes (the Mac version is ~244 Megabytes).

    The f'k? Does the Windows one come with its own operating system?

    1. doublelayer Silver badge

      Re: How big!?

      From their download page:

      "After the initial download, the app will download additional ML libraries and resources that will require stable Internet access and approx. 4GB of storage."

      So my guess is that they download more stuff at runtime for Mac OS and include more stuff in the installer for Windows, possibly because it aids with signing for binaries. Either way, ML stuff tends to be pretty big. I suppose they assume that anyone with enough processing to run it probably doesn't mind the disk requirement. With the tendency championed by Apple, but unfortunately not limited to them, of including 256 or 512 GB of storage and not letting it be expanded in many of their computers, I would find such large tools constraining if I was running it on a typical hobbyist artist's computer.

  7. Anonymous Coward

    AI misled?

    "For example, human eyes might see a shaded image of a cow in a green field largely unchanged, but an AI model might see a large leather purse lying in the grass. "

    May be the "AI" is just ahead in time?

    And/or it's a Marimekko purse...

    1. HuBo Silver badge
      Gimp

      Re: AI misled?

      Right on! And can I put a giant sweatshirt cloak around my car to make it invisible to traffic cameras (please!)? Or maybe some Guy Fawkes-oriented algorithmic masking makeup ... anything to beat the RotM.

      Conformity is futile!

  8. Anonymous Coward

    As a photographer

    I'd like a system that protects my images by fooling these AI systems with every picture being either of Trump's orange face or a horse's penis.

    Yeah, I know that it's not going to happen but I can wish, can't I?

    1. Anonymous Coward

      Re: As a photographer

      If AIs think that your picture is of Trump, that's also what Google search will categorise it as.

      I don't know if that is an issue for you ofc... but I would be surprised if this obfuscation system works for very long anyway. The next time OpenAI train their networks it'll "learn" to interpret the image correctly.

  9. TheMaskedMan Silver badge

    "Most importantly, artists associate their styles with their very identity."

    While the rest of us associate this sort of melodramatic claptrap with the traditionally neurotic artistic temperament, and welcome the advent of generative AI toys so we don't have to deal with it.

    That said, it's a neat idea. But, like all forms of copy protection since the dawn of digital time, it's doomed to fail. There are already dozens of clever buggers in bedrooms and basements around the world devising ways to spot and avoid it, plus a few looking to exploit it. It's an arms race that neither side can win.

  10. Sceptic Tank Silver badge

    What the AI saw

    I'd certainly be surprised if I expected to see Hillary Clinton but saw a leather purse instead.

    Anyway, some standardisation would be nice. E.g., human sees kittens playing in the long grass, AI sees a raised middle finger. Human sees paintbrush on a palette, AI sees a raised middle finger. Human sees cornucopia of pork products, AI sees a raised middle finger. Etc., etc.

  11. Anonymous Coward

    Unintended consequences?

    Would this have an effect on images and image descriptions for the visually impaired?

    1. doublelayer Silver badge

      Re: Unintended consequences?

      Image descriptions probably not too much because the processed images will be direct from camera ones. Since they don't contain poisoned pixels, they won't trigger the inaccuracies as often. While it's possible that an image of a purse gets mistaken for a cow, it's a significant enough change that the user will probably know about it. For generated images, it probably would cause some problems, but I'm unaware of a reason for a visually impaired person to generate images that's any different than a sighted person doing so.

      1. Michael Wojcik Silver badge

        Re: Unintended consequences?

        The attack is on the training data, not the input to the finished classifier. If someone were using a CLIP model for annotating images, and that CLIP model had been extensively and effectively poisoned with Nightshade, the model would have poor precision.

  12. wobbly1

    I'm still grappling with the problem this solution addresses. A fine art student studies the works of the old masters to understand their techniques. They can then utilise those techniques in their own paintings, and as long as they don't attach the name of the master whose technique they're borrowing, there's no issue. Similarly, a student of literature who reads existing authors can be "inspired" by a particular plot twist and use it in their own work. Again, as long as they publish under their own name, not the writer's, there's no problem. I see no difference between that and a machine learning system ingesting the same works. It's analogous to me watching a YouTube video on Python programming and advising another programmer based on what I've learned. I hope this ridiculous situation reaches the courts for a dose of common sense soon. I want a painting of the Mona Lisa smoking a bong, but not attributed to Leonardo da Vinci.

    1. hayzoos

      The difference is machine

      "I see no difference between that and a machine learning system ingesting the same works."

      Up until machine learning systems existed, application of copyright was well settled. Court cases were necessary when photocopiers came about and cassette tapes and VCRs etc. New technologies representing new ways of copying for new purposes. Since copyright sets boundaries of fair use granting the copyright holder the greater say of how their work can be copied, any new way of copying should be restricted by default until courts set the fair use boundary concerning the new way of copying.

      In machine learning systems, it is not about just the output a copyright holder is concerned. A copyright holder expects all the non-machine learning system examples you have given as long as they are within the boundaries set for fair use or have been granted by the copyright holder. Since most of the copyrighted works existed prior to the explosion of machine learning systems, copyright holders never considered this manner of copying.

      I am not okay with free-sale copying via machine learning systems as fair use by default. Machine learning systems are not people. Their benefit to society as a whole has yet to be demonstrated. Their detriment to society as a whole has yet to be demonstrated. I would rather assume the worst and not call forth the genie until being better prepared for the consequences, or decide not to call forth the genie at all if careful consideration shows that is the prudent path.

      1. wobbly1

        Re: The difference is machine

        If I see the Mona Lisa, have I copied it? If not, training a ML system using existing data (out of copyright) is also not copying. A brushstroke for brushstroke or word for word or note for note duplication would seem to break copyright, but if a generative system is asked to create an image of a sad-faced woman sitting in a landscape and it is not a stroke for stroke replication of the Mona Lisa, it is not a copy. The real problem is with Generalised Artificial Intelligence. It will be used by large powerful organisations against individuals, hence the rush to legislate. But rather like the fax machine during the fall of communism in Russia circumventing censorship, the cat is out of the bag. I run an LLM on my system at home; I can develop that how I like. I have an aversion to connecting my machines for inbound data from the net, and what there is is carefully filtered and sanitised; there is no way the state could know what I am doing with my LLM. I happen to use it primarily for correcting my dyslexia-induced misspellings. I believe in mastering technology, so it is harder for it to be used to master me.
