Nightshade, the free tool that ‘poisons’ AI models, is now available for artists to use
Nightshade, the free tool that ‘poisons’ AI models, is now available for artists to use
Reminder that this is made by Ben Zhao, the University of Chicago professor who stole open source code for his last data poisoning scheme.
Pardon my ignorance but how do you steal code if it's open source?
He took GPLv3 code, which is a copyleft license that requires you share your source code and license your project under the same terms as the code you used. You also can't distribute your project as a binary-only or proprietary software. When pressed, they only released the code for their front end, remaining in violation of GPLv3.
And as I said there, it is utterly hypocritical for him to sell snake oil to artists, allegedly to help them fight copyright violations, while committing actual copyright violations.
That TOS would be sus under any other situation.
Is there a similar tool that will "poison" my personal tracked data? Like, I know I'm going to be tracked and have a profile built on me by nearly everywhere online. Is there a tool that I can use to muddy that profile so it doesn't know if I'm a trans Brazilian pet store owner, a Nigerian bowling alley systems engineer, or a Beverly Hills sanitation worker who moonlights as a practice subject for budding proctologists?
The only way to taint your behavioral data so that you don’t get lumped into a targetable cohort is to behave like a manic. As I’ve said in a past comment here, when you fill out forms, pretend your gender, race, and age is fluid. Also, pretend you’re nomadic. Then behave erratic as fuck when shopping online - pay for bibles, butt plugs, taxidermy, and PETA donations.
Your data will be absolute trash. You’ll also be miserable because you’re going to be visiting the Amazon drop off center with gag balls and porcelain Jesus figurines to return every week.
Then behave erratic as fuck when shopping online - pay for bibles, butt plugs, taxidermy, and PETA donations.
...in the same transaction. It all needs to be bought and then shipped together. Not only to fuck with the algorithm, but also to fuck with the delivery guy. Because we usually know what you ordered. Especially when it's in the soft bag packaging. Might as well make everyone outside your personal circle think you're a bit psychologically disturbed, just to be safe.
Maybe have a look at using Adnauseam. 👌😁
The browser addon "AdNauseum" can help with that, although it's not a complete solution.
Is there a similar tool that will “poison” my personal tracked data? Like, I know I’m going to be tracked and have a profile built on me by nearly everywhere online. Is there a tool that I can use to muddy that profile so it doesn’t know if I’m a trans Brazilian pet store owner, a Nigerian bowling alley systems engineer, or a Beverly Hills sanitation worker who moonlights as a practice subject for budding proctologists?
Have you considered just being utterly incoherent, and not making sense as a person? That could work.
According to my exes, yes.
I have tricked the internet into thinking I speak Spanish/Portuguese... I really don't. But figured when I get served ads, I may as well learn.
Mbyae try siunlhffg the mldide lterets of ervey wrod? I wnedor waht taht deos to a luaangge medol?
I guess it depends what your threat model is.
If you don't like advertising, then you're just piling a bunch of extra interests/demographics in there. It'll remain roughly as valuable as it was before.
If you're concerned about privacy and state actors, your activity would just increase. Anything that would trigger state interest would remain, so you'd presumably receive the same level of interest. Worse, if you aren't currently of interest, there's a possibility randomly generated traffic would be flagged by your adversary and increase their level of interest in you.
We all know you're the last one.
or a Beverly Hills sanitation worker who moonlights as a practice subject for budding proctologists?
Yeah, it's definitely the last one 😆
There are programs and plugins you can download that will open a bunch of random websites to throw off tracking programs.
Idk if this is what you're looking for but might be worth taking a look
https://github.com/eth0izzle/Needl
"Your ISP is most likely tracking your browsing habits and selling them to marketing agencies (albeit anonymised). Or worse, making your browsing history available to law enforcement at the hint of a Subpoena. Needl will generate random Internet traffic in an attempt to conceal your legitimate traffic, essentially making your data the Needle in the haystack and thus harder to find. The goal is to make it harder for your ISP, government, etc to track your browsing history and habits."
it never know if am really that bad at english
[.__.]
r/BrandNewSentence
The tool's creators are seeking to make it so that AI model developers must pay artists to train on data from them that is uncorrupted.
That's not something a technical solution will work for. We need copyright laws to be updated.
You should check out this article by Kit Walsh, a senior staff attorney at the EFF. The EFF is a digital rights group who recently won a historic case: border guards now need a warrant to search your phone.
A few quotes:
and
The issue is simply reproduction of original works.
Plenty of people mimic the style of other artists. They do this by studying the style of the artist they intend to mimic. Why is it different when a machine does the same thing?
No, the issue is commercial use of copirighted material as data to train the models.
It's different because a machine can be replicated and can produce results at a rate that hundreds of humans can't match. If a human wants to replicate your art style, they have to invest a lot of time into learning art and practicing your style. A machine doesn't have to do these things.
This would be fine if we weren't living in a capitalist society, but since we do, this will only result in further transfer of assets towards the rich.
Disney lawyers just started salivating
Seems like Disney is as eager to adopt this technology as anyone
A few goofy Steamboat Willie knock offs pale beside the benefit of axing half your art department every few years, until everything is functionally a procedural generation.
copyright laws need to be abolished
Truly a "Which Way White Man" moment.
I'm old enough to remember people swearing left, right, and center that copyright and IP law being aggressively enforced against social media content has helped corner the market and destroy careers. I'm also well aware of how often images from DeviantArt and other public art venues have been scalped and misappropriated even outside the scope of modern generative AI. And how production houses have outsourced talent to digital sweatshops in the Pacific Rim, Sub-Saharan Africa, and Latin America, where you can pay pennies for professional reprints and adaptations.
It seems like the problem is bigger than just "Does AI art exist?" and "Can copyright laws be changed?" because the real root of the problem is the exploitation of artists generally speaking. When exploitation generates an enormous profit motive, what are artists to do?
They dutifully note that, this is the next best thing.
Explanation of how this works.
These "AI models" (meaning the free and open Stable Diffusion in particular) consist of different parts. The important parts here are the VAE and the actual "image maker" (U-Net).
A VAE (Variational AutoEncoder) is a kind of AI that can be used to compress data. In image generators, a VAE is used to compress the images. The actual image AI only works on the smaller, compressed image (the latent representation), which means it takes a less powerful computer (and uses less energy). It’s that which makes it possible to run Stable Diffusion at home.
This attack targets the VAE. The image is altered so that the latent representation is that of a very different image, but still roughly the same to humans. Say, you take images of a cat and of a dog. You put both of them through the VAE to get the latent representation. Now you alter the image of the cat until its latent representation is similar to that of the dog. You alter it only in small ways and use methods to check that it still looks similar for humans. So, what the actual image maker AI "sees" is very different from the image the human sees.
Obviously, this only works if you have access to the VAE used by the image generator. So, it only works against open source AI; basically only Stable Diffusion at this point. Companies that use a closed source VAE cannot be attacked in this way.
I guess it makes sense if your ideology is that information must be owned and everything should make money for someone. I guess some people see cyberpunk dystopia as a desirable future. I wonder if it bothers them that all the tools they used are free (EG the method to check if images are similar to humans).
It doesn’t seem to be a very effective attack but it may have some long-term PR effect. Training an AI costs a fair amount of money. People who give that away for free probably still have some ulterior motive, such as being liked. If instead you get the full hate of a few anarcho-capitalists that threaten digital vandalism, you may be deterred. Well, my two cents.
So, it only works against open source AI; basically only Stable Diffusion at this point.
I very much doubt it even works against the multitude of VAEs out there. There's not just the ones derived from StabilitiyAI's models but ones right now simply intended to be faster (at a loss of quality): TAESD can also encode and has a completely different architecture thus is completely unlikely to be fooled by the same attack vector. That failing, you can use a simple affine transformation to convert between latent and rgb space (that's what "latent2rgb" is) and compare outputs to know whether the big VAE model got fooled into generating something unrelated. That thing just doesn't have any attack surface, there's several magnitudes too few weights in there.
Which means that there's an undefeatable way to detect that the VAE was defeated. Which means it's only a matter of processing power until Nightshade is defeated, no human input needed. They'll of course again train and try to fool the now hardened VAE, starting another round, ultimately achieving nothing but making the VAE harder and harder to defeat.
It's like with Russia: They've already lost the war but they haven't noticed, yet -- though I wouldn't be too sure that Nightshade devs themselves aren't aware of that: What they're doing is a powerful way to grift a lot of money from artists without a technical bone in their body.
Is dalle3 and midjourney using other methods?
Those companies don't make the technical details public and I don't follow the leaks and rumors. They almost certainly use, broadly, the same approach (latent diffusion). That is, their AIs work with a compressed version of the image to save on computing power.
o7 General Effort
Yeah. Not that it's the fault of artists that capitalism exists in its current form. Their art is the fruit of their labor, and therefore, means should be taken to ensure that their labor is properly compensated. And I'm a marxist anarchist, no part of me agrees with any part of the capitalist system. But artists are effectively workers, and we enjoy the fruits of their labor. They are rarely fairly compensated for their work. In this particular instance, under the system we live in, artists rights should be prioritized over
I'm all for janky (getting less janky as time goes on) AI images, but I don't understand why it's so hard to ask artists permission first to use their data. We already maintain public domain image databases, and loads of artists have in the past allowed their art to be used freely for any purpose. How hard is it to gather a database of art who's creators have agreed to let it be used for AI? All the time we've (the collective we) been arguing over thise could've been spent implementing a system to create such a database.
You should check out this article by Kit Walsh, a senior staff attorney at the EFF. The EFF is a digital rights group who recently won a historic case: border guards now need a warrant to search your phone. It should help clear some things up for you.
That's not quite right. A traditional worker is someone who operates machines, they don't own, to make products, they don't own. Artists, who are employed, do not own the copyrights to what they make. These employed artists are like workers, in that sense.
Copyrights are "intellectual property". If one needed permission (mostly meaning, pay for it), then the money would go to the property owners. These worker-artists would not receive anything. Note that, on the whole, the owners already made what profit they could expect. Say, if it's stills from a movie, then that movie already made a profit (or not).
People who use their own tools and own their own product (EG artisans in Marx's time) are members of the Petite Bourgeoisie. I think a Marxist analysis of the class dynamics would be fruitful here, but it's beyond me.
The spoilered bit is something I have written about the NYT lawsuit. I think it's illuminating here, too.
spoiler
The NYT wants money for the use of its “intellectual property”. This is about money for property owners. When building rents go up, you wouldn’t expect construction workers to benefit, right?
In fact, more money for property owners means that workers lose out, because where else is the money going to come from? (well, “money”)
AI, like all previous forms of automation, allows us to produce more and better goods and services with the same amount of labor. On average, society becomes richer. Whether these gains go to the rich, or are more evenly distributed, is a choice that we, as a society, make. It’s a matter of law, not technology.
The NYT lawsuit is about sending these gains to the rich. The NYT has already made its money from its articles. The authors were paid, in full, and will not get any more money. Giving money to these property owners will not make society any richer. It just moves wealth to property owners for being property owners. It’s about more money for the rich.
If OpenAI has to pay these property owners for no additional labor, then it will eventually have to increase subscription fees to balance the cash flow. People, who pay a subscription, probably feel that it benefits them, whether they use it for creative writing, programming, or entertainment. They must feel that the benefit is worth, at least, that much in terms of money.
So, the subscription fees represent a part of the gains to society. If a part of these subscription fees is paid to property owners, who did not contribute anything, then that means that this part of the social gains is funneled to property owners, IE mainly the ultra-rich, simply for being owners/ultra-rich.
why it’s so hard to ask artists permission first to use their data.
SD was trained on images from the internet. Anything. There are screenshots, charts and pure text jpgs in there. There's product images from shopping sites and also just ordinary snapshots that someone posted. The people with the biggest individual contribution are almost certainly professional photographers. SD is not built on what one usually calls art (with apologies to photographers). An influencer who has a lot of good, well tagged images on the net has made a more positive contribution than someone who makes abstract art or stick figure comics. And let's not forget the labor of those who tagged those images.
You could not practically get permission from these tens or hundreds of millions of people. It would really be a shame, because the original SD reveals a lot about the stereotypes and biases on the net.
Using permissively licensed images wouldn't have helped a lot. I have seen enough outrage over datasets with exactly such material. People say, that's not what they had in mind when they gave these wide permissions.
Practically, look at wikimedia. There are so many images there which are "pirated". Wikimedia can just take them down in response to a DMCA notice. Well, you can't remove an image from a trained AI model. It's not in there (if everything has worked). So what now? If that means that the model becomes illegal, then you just can't have a model trained on such a database.
Begun, the AI Wars have.
Excited to see the guys that made Nightshade get sued in a Silicon Valley district court, because they're something something mumble mumble intellectual property national security.
They already stole GPLv2 code for their last data poisoning scheme and remain in violation of that license. They're just grifters.
I didn't have that on my 2020 bingo card, but it has been a very long year so everything is possible.
This doesn't work outside of laboratory conditions.
It's the equivalent of "doctors find cure for cancer (in mice)."
It hasn't worked much outside of the laboratory, because they just released it from the laboratory. They've already proven it works in their paper with about 90% effectiveness.
Yeah I wouldn't take this number at face value, let's wait for some real world usage
It's clever really, people who don't like ai are very lonelye to also not understand the technology, if you're going to grift then it's a perfect set of rubes - tell them your magic code will defeat the evil magic code of the ai and that's all they need to know, fudge some numbers and they'll throw their money at you
Apparently people who specialize in AI/ML have a very hard time trying to replicate the desired results when training models with 'poisoned' data. Is that true?
I've only heard that running images through a VAE just once seems to break the Nightshade effect, but no one's really published anything yet.
You can finetune models on known bad and incoherent images to help it to output better images if the trained embedding is used in the negative prompt. So there's a chance that making a lot of purposefully bad data could actually make models better by helping the model recognize bad output and avoid it.
So there's a chance that making a lot of purposefully bad data could actually make models better by helping the model recognize bad output and avoid it.
This would be truly ironic
If users have verry much control and we can coordinate then you could gaslight the AI into a screwed up alternate reality
Until they come with some preprocessing step, or some better feature extractors etc. This is an arms race like there are many of
The thing is data poisoning is a arms race that the Ai side will win with ease. You can either solve it with pre processing or filtering. All it does is make the images look worse. I can't think of a way that you can poison data that doesn't take more effort to unpoison than to poison.
In the long run this will only improve the strength of models as they adapt to the changes this introduces and get that much stronger for it.
That's like saying people shouldn't have developed a vaccine for Covid, only because Covid will adapt to the vaccines at some point.
What do you want artists to do? Accept that all their future work is also used without any compensation?
They didn't say it shouldn't have been developed. Improving the AI models so they can deal with this kind of malicious interference gracefully is a good thing.
Shhhh 🤫 let the artists fight back I say. This is surely a winning battle for them 👍
/s
It's not FOSS and I don't see a way to review if what they claim is actually true.
It may be a way to just help to diferentiate legitimate human made work vs machine-generated ones, thus helping AI training models.
Can't demostrate that fact neither, because of its license that expressly forbids sofware adaptions to other uses.
Edit, alter, modify, adapt, translate or otherwise change the whole or any part of the Software nor permit the whole or any part of the Software to be combined with or become incorporated in any other software, nor decompile, disassemble or reverse engineer the Software or attempt to do any such things
The EULA also prohibits using Nightshade "for any commercial purpose", so arguably if you make money from your art—in any way—you're not allowed to use Nightshade to "poison" it.
This is the part most people will ignore but I get that's it's mainly meant for big actors.
I read the article enough to find that the Nightshade tool is under EULA... :(
Because it definitely is not FOSS, use it with caution, preferably on a system not connected to internet.
Fascinating that they develop this tool and then only release Windows and MacOS versions.
To be fair, windows and macos are the 2 biggest computer operating systems in the world. It makes a lot more sense to focus on building tools for people using the biggest platforms rather than focus on people using something with a user base fragmented across multiple versions of the same OS.
Though I do agree a version for Linux would be nice. Even if we have the mac equivalent of wine, darling, I don't know enough about it to say whether it's up to the task or not.
No they're not. Android is Linux.
It's simple math. 97% of the population uses those two operating systems.
There isn't much more incentive to go after the 3% Linux users. You know the population that loves free and open source software and isn't exactly known for dropping a bunch of cash on software. Not to mention it's a fragmented 3%. Even the flatpak, snap, app images of the world that were supposed to make devs lives easier are fragmented across distros.
Aren't Linux people usually programmers anyway? Why develop for developers?
Why develop for developers?
Why wouldn't you?
It's not like developers get off on reinventing the wheel or something. If somebody has a working solution, I'd rather use that than spend time coming up with code on my own. I'm busy enough as it is.
what does being a developer have anything to do with it? Do you really think we only use things we develop ourselves?
I use Linux and don't know a single thing about programming
Why drink water if you work with water bro it makes no sense
Ironic that they used an AI picture for the article...
big companies already have all your uncorrupted artwork, all this does is eliminate any new competition from cropping up.
It corrupts the training data to recategorize all images generated in the future. It's not about protecting a single image, that's what glaze is for. This is about making the AI worse at making new images.
"Its over jimmy. They stole the money you made last week. I would pay you for this week, with this money you didnt have yet so it couldnt be stolen, but they already have some of your money. All that would do is make the robbers who took your previous weeks pay have fewer competition."
I bet that before the end of this year this tool will be one of the things that helped improve the performance and quality of AI.
is anyone else excited to see poisoned AI artwork? This might be the element that makes it weird enough.
Also, re: the guy lol'ing that someone says this is illegal - it might be. is it wrong? absolutely not. does the woefully broad computer fraud and abuse act contain language that this might violate? it depends, the CFAA has two requirements for something to be in violation of it.
-
the act in question affects a government computer, a financial institution's computer, OR a computer "which is used in or affecting interstate or foreign commerce or communication" (that last one is the biggie because it means that almost 100% of internet activity falls under its auspices)
-
the act "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;" (with 'protected computer' being defined in 1)
Quotes are from the law directly, as quoted at https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
the poisoned artwork is information created with the intent of causing it to be transmitted to computers across state or international borders and damaging those computers. Using this technique to protect what's yours might be a felony in the US, and because it would be considered intentionally damaging a protected computer by the knowing transmission of information designed to cause damage, you could face up to 10 years in prison for it. Which is fun because the people stealing from you face absolutely no retribution at all for their theft, they don't even have to give you some of the money they use your art to make, but if you try to stop them you go to prison for a decade.
The CFAA is the same law that Reddit co-founder Aaron Swartz was prosecuted under. His crime was downloading things from JSTOR that he had a right to download as an account holder, but more quickly than they felt he should have. He was charged with 13 felonies and faced 50 years and over a million dollars in fines alongside a lifetime ban from ever using an internet connected computer again when he died by suicide. The charges were then dropped.
It's not damaging a computer, it's poisoning the models ai uses to create the images. The program will work just fine, and as expected given the model that it has, the difference is the model might not be accurate. It's like saying you're breaking a screen if you're now looking at a low res version of an image
"Damage to a computer" is legal logorrhoea, possible interpretations range from not even crashing a program to STUXNET, completely under-defined so it's up to the courts to give it meaning. I'm not at all acquainted with US precedent but I very much doubt they'll put the boundary at the very extreme of the space of interpretation, which "causes a program to expose a bug in itself without further affecting functioning in any way" indeed is.
Which is fun because the people stealing from you face absolutely no retribution at all for their theft,
Learning from an image, studying it, is absolutely not theft. Otherwise I shall sue you for reading this comment of mine.
And this is why we don't obey the law.
Here's the summary for the wikipedia article you mentioned in your comment:
The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (18 U. S. C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.
-
Oily snakes slither such that back and forth looks like production..
Ah, another arms race has begun. Just be wary, what one person creates another will circumvent.
They clam a credit to using AI to make the thumbnail..... The same people who did nothing more then ask Chat GPT to make a picture to represent the article on a tool that poisons AI models to protect people who make pictures for a living from having Chat GPT use their work to make; say a picture to represent an article on a tool that poisons AI models......
so it is a bit like playing a sound at 30k Hz to annoy a dog, we cant detect it but the dog can and gets confused
Won't this thing actually help the AI models in the long run? The biggest issue I've heard is the possibility of AI generated images getting into the training dataset, but "poisoned" artworks are basically guaranteed to be of human origin.
Unless you intentionally poison AI generated images and add them to circulation, which is not hard to do nor a great leap of logic to do if you hate AI
Better poison everything, then
As an artist, nightshade is not something I will ever use. All my art is public domain, including AI. Let people generate as many pigeon pictures as they want I say!
doesnt work anyway lol
I bet scientists will find a workaround very soon.
I hope every artist starts using it.
AI art isn't real art.
Your opinion, not a fact. Most art is as derivative or more than AI art.
How can any human made art be more derivative than ai art that's impossible
Ai doesn't create anything, it's not even real AI yet, it's just an automated data-scraper. When you tell it to "make" something, it just pulls up bits and pieces that match that description and forms it into a Frankenstein's monster of what you asked it to make
I like the idea, but Nightshade and Glaze take some pretty high-end graphics specifications. Sadly, I have a Nvidia GTX 1660 which apparently has issues with Pytorch.😢
Sorry if this is a stupid question.. But can this be used for profile pictures on social media too? That way if your profile picture is scrapped by some bot it will just poison the set instead?
Ok, but who is going to reign in military & law enforcement AI tech?
@throws_lemy @technology Cat's out of the bag, sorry folks
