We learned something about how LLMs work with this… its like a bunch of paintings were chopped up into pixels to use to make other paintings. No one knew it was possible to break the model and have it spit out the pixels of a single painting in order.
I wonder if diffusion models have some other wierd querks we have yet to discover
I’m not an expert, but I would say that it is going to be less likely for a diffusion model to spit out training data in a completely intact way. The way that LLMs versus diffusion models work are very different.
LLMs work by predicting the next statistically likely token, they take all of the previous text, then predict what the next token will be based on that. So, if you can trick it into a state where the next subsequent tokens are something verbatim from training data, then that’s what you get.
Diffusion models work by taking a randomly generated latent, combining it with the CLIP interpretation of the user’s prompt, then trying to turn the randomly generated information into a new latent which the VAE will then decode into something a human can see, because the latents the model is dealing with are meaningless numbers to humans.
In other words, there’s a lot more randomness to deal with in a diffusion model. You could probably get a specific source image back if you specially crafted a latent and a prompt, which one guy did do by basically running img2img on a specific image that was in the training set and giving it a prompt to spit the same image out again. But that required having the original image in the first place, so it’s not really a weakness in the same way this was for GPT.
But the fact is the LLM was able to spit out the training data. This means that anything in the training data isn’t just copied into the training dataset, allegedly under fair use as research, but also copied into the LLM as part of an active commercial product. Sure, the LLM might break it down and store the components separately, but if an LLM can reassemble it and spit out the original copyrighted work then how is that different from how a photocopier breaks down the image scanned from a piece of paper then reassembles it into instructions for its printer?
But the thing is the law has already established this with people and their memories. You might genuinely not realise you’re plagiarising, but what matters is the similarity of the work produced.
ChatGPT has copied the data into its training database, then trained off that database, then it runs “independently” of that database - which is how they vaguely argue fair use under the research exemption.
However if ChatGPT can “remember” its training data and recompile significant portions of it in certain circumstances, then it must be guilty of plagiarism and copyright infringement.
Speaking for LLMs, given that they operate on a next-token basis, there will be some statistical likelihood of spitting out original training data that can’t be avoided. The normal counter-argument being that in theory, the odds of a particular piece of training data coming back out intact for more than a handful of words should be extremely low.
Of course, in this case, Google’s researchers took advantage of the repeat discouragement mechanism to make that unlikelihood occur reliably, showing that there are indeed flaws to make it happen.
If a person studies a text then writes an article about the same subject as that text while using the same wording and discussing the same points, then it’s plagiarism whether or not they made an exact copy. Surely it should also be the case with LLM’s, which train on the data then inadvertently replicate the data again? The law has already established that it doesn’t matter what the process is for making the new work, what matters is how close it is to the original work.
The technology of compression a diffusion model would have to achieve to realistically (not too lossily) store “the training data” would be more valuable than the entirety of the machine learning field right now.
IIRC based on the source paper the “verbatim” text is common stuff like legal boilerplate, shared code snippets, book jacket blurbs, alphabetical lists of countries, and other text repeated countless times across the web. It’s the text equivalent of DALL-E “memorizing” a meme template or a stock image – it doesn’t mean all or even most of the training data is stored within the model, just that certain pieces of highly duplicated data have ascended to the level of concept and can be reproduced under unusual circumstances.
Did you read the article? The verbatim text is, in one example, including email addresses and names (and legal boilerplate) directly from asbestoslaw.com.
They claim it’s not stored in the LLM, they admit to storing it in the training database but argue fair use under the research exemption.
This almost makes it seems like the LLM can tap into the training database when it reaches some kind of limit. In which case the training database absolutely should not have a fair use exemption - it’s not just research, but a part of the finished commercial product.
These models can reach out to the internet to retrieve data and context. It is entirely possible that’s what was happening in this particular case. If I had to guess, this somehow triggered some CI test case which is used to validate this capability.
Welcome to the wild West of American data privacy laws. Companies do whatever the fuck they want with whatever data they can beg borrow or steal and then lie about it when regulators come calling.
How can the training data be sensitive, if noone ever agreed to give their sensitive data to OpenAI?
Exactly this. And how can an AI which “doesn’t have the source material” in its database be able to recall such information?
Model is the right term instead of database.
We learned something about how LLMs work with this… its like a bunch of paintings were chopped up into pixels to use to make other paintings. No one knew it was possible to break the model and have it spit out the pixels of a single painting in order.
I wonder if diffusion models have some other wierd querks we have yet to discover
I’m not an expert, but I would say that it is going to be less likely for a diffusion model to spit out training data in a completely intact way. The way that LLMs versus diffusion models work are very different.
LLMs work by predicting the next statistically likely token, they take all of the previous text, then predict what the next token will be based on that. So, if you can trick it into a state where the next subsequent tokens are something verbatim from training data, then that’s what you get.
Diffusion models work by taking a randomly generated latent, combining it with the CLIP interpretation of the user’s prompt, then trying to turn the randomly generated information into a new latent which the VAE will then decode into something a human can see, because the latents the model is dealing with are meaningless numbers to humans.
In other words, there’s a lot more randomness to deal with in a diffusion model. You could probably get a specific source image back if you specially crafted a latent and a prompt, which one guy did do by basically running img2img on a specific image that was in the training set and giving it a prompt to spit the same image out again. But that required having the original image in the first place, so it’s not really a weakness in the same way this was for GPT.
But the fact is the LLM was able to spit out the training data. This means that anything in the training data isn’t just copied into the training dataset, allegedly under fair use as research, but also copied into the LLM as part of an active commercial product. Sure, the LLM might break it down and store the components separately, but if an LLM can reassemble it and spit out the original copyrighted work then how is that different from how a photocopier breaks down the image scanned from a piece of paper then reassembles it into instructions for its printer?
It’s not copied as is, thing is a bit more complicated as was already pointed out
But the thing is the law has already established this with people and their memories. You might genuinely not realise you’re plagiarising, but what matters is the similarity of the work produced.
ChatGPT has copied the data into its training database, then trained off that database, then it runs “independently” of that database - which is how they vaguely argue fair use under the research exemption.
However if ChatGPT can “remember” its training data and recompile significant portions of it in certain circumstances, then it must be guilty of plagiarism and copyright infringement.
Speaking for LLMs, given that they operate on a next-token basis, there will be some statistical likelihood of spitting out original training data that can’t be avoided. The normal counter-argument being that in theory, the odds of a particular piece of training data coming back out intact for more than a handful of words should be extremely low.
Of course, in this case, Google’s researchers took advantage of the repeat discouragement mechanism to make that unlikelihood occur reliably, showing that there are indeed flaws to make it happen.
If a person studies a text then writes an article about the same subject as that text while using the same wording and discussing the same points, then it’s plagiarism whether or not they made an exact copy. Surely it should also be the case with LLM’s, which train on the data then inadvertently replicate the data again? The law has already established that it doesn’t matter what the process is for making the new work, what matters is how close it is to the original work.
The technology of compression a diffusion model would have to achieve to realistically (not too lossily) store “the training data” would be more valuable than the entirety of the machine learning field right now.
They do not “compress” images.
IIRC based on the source paper the “verbatim” text is common stuff like legal boilerplate, shared code snippets, book jacket blurbs, alphabetical lists of countries, and other text repeated countless times across the web. It’s the text equivalent of DALL-E “memorizing” a meme template or a stock image – it doesn’t mean all or even most of the training data is stored within the model, just that certain pieces of highly duplicated data have ascended to the level of concept and can be reproduced under unusual circumstances.
Did you read the article? The verbatim text is, in one example, including email addresses and names (and legal boilerplate) directly from asbestoslaw.com.
Edit: I meant the DeepMind article linked in this article. Here’s the link to the original transcript I’m talking about: https://chat.openai.com/share/456d092b-fb4e-4979-bea1-76d8d904031f
Problem is, they claimed none of it gets stored.
They claim it’s not stored in the LLM, they admit to storing it in the training database but argue fair use under the research exemption.
This almost makes it seems like the LLM can tap into the training database when it reaches some kind of limit. In which case the training database absolutely should not have a fair use exemption - it’s not just research, but a part of the finished commercial product.
Overfitting.
These models can reach out to the internet to retrieve data and context. It is entirely possible that’s what was happening in this particular case. If I had to guess, this somehow triggered some CI test case which is used to validate this capability.
Then that’s copyright infringement. Just because something is available to read on the internet does not mean your commercial product can copy it.
Welcome to the wild West of American data privacy laws. Companies do whatever the fuck they want with whatever data they can beg borrow or steal and then lie about it when regulators come calling.
deleted by creator
if i stole my neighbours thyme and basil out of their garden, mix them into certain proportions, the resulting spice mix would still be stolen.
deleted by creator
If you put shit on the internet, it’s public. The email addresses in question were probably from Usenet posts which are all public.
What training data?