How can the training data be sensitive, if noone ever agreed to give their sensitive data to OpenAI?
Exactly this. And how can an AI which “doesn’t have the source material” in its database be able to recall such information?
IIRC based on the source paper the “verbatim” text is common stuff like legal boilerplate, shared code snippets, book jacket blurbs, alphabetical lists of countries, and other text repeated countless times across the web. It’s the text equivalent of DALL-E “memorizing” a meme template or a stock image – it doesn’t mean all or even most of the training data is stored within the model, just that certain pieces of highly duplicated data have ascended to the level of concept and can be reproduced under unusual circumstances.
Model is the right term instead of database.
We learned something about how LLMs work with this… its like a bunch of paintings were chopped up into pixels to use to make other paintings. No one knew it was possible to break the model and have it spit out the pixels of a single painting in order.
I wonder if diffusion models have some other wierd querks we have yet to discover
I’m not an expert, but I would say that it is going to be less likely for a diffusion model to spit out training data in a completely intact way. The way that LLMs versus diffusion models work are very different.
LLMs work by predicting the next statistically likely token, they take all of the previous text, then predict what the next token will be based on that. So, if you can trick it into a state where the next subsequent tokens are something verbatim from training data, then that’s what you get.
Diffusion models work by taking a randomly generated latent, combining it with the CLIP interpretation of the user’s prompt, then trying to turn the randomly generated information into a new latent which the VAE will then decode into something a human can see, because the latents the model is dealing with are meaningless numbers to humans.
In other words, there’s a lot more randomness to deal with in a diffusion model. You could probably get a specific source image back if you specially crafted a latent and a prompt, which one guy did do by basically running img2img on a specific image that was in the training set and giving it a prompt to spit the same image out again. But that required having the original image in the first place, so it’s not really a weakness in the same way this was for GPT.
But the fact is the LLM was able to spit out the training data. This means that anything in the training data isn’t just copied into the training dataset, allegedly under fair use as research, but also copied into the LLM as part of an active commercial product. Sure, the LLM might break it down and store the components separately, but if an LLM can reassemble it and spit out the original copyrighted work then how is that different from how a photocopier breaks down the image scanned from a piece of paper then reassembles it into instructions for its printer?
It’s not copied as is, thing is a bit more complicated as was already pointed out
But the thing is the law has already established this with people and their memories. You might genuinely not realise you’re plagiarising, but what matters is the similarity of the work produced.
ChatGPT has copied the data into its training database, then trained off that database, then it runs “independently” of that database - which is how they vaguely argue fair use under the research exemption.
However if ChatGPT can “remember” its training data and recompile significant portions of it in certain circumstances, then it must be guilty of plagiarism and copyright infringement.
It’s kind of odd that they could just take random information from the internet without asking and are now treating it like a trade secret.
This is why some of us have been ringing the alarm on these companies stealing data from users without consent. They know the data is valuable yet refuse to pay for the rights to use said data.
Yup. And instead, they make us pay them for it. 🤡
“Don’t steal the training data that we stole!”
This is very easy to bypass but I didn’t get any training data out of it. It kept repeating the word until I got ‘There was an error generating a response’ message. No TOS violation message though. Looks like they patched the issue and the TOS message is just for the obvious attempts to extract training data.
Was anyone still able to get it to produce training data?
Earlier this week when I saw a post about it, I did end up getting a reddit thread which was interesting. It was partially hallucinating though, parts of the thread were verbatim, other parts were made up.
If I recall correctly they notified OpenAI about the issue and gave them a chance to fix it before publishing their findings. So it makes sense it doesn’t work anymore
I think Chatgpt still uses openAI’s API
I assume they are breaking because they “forget” what they were doing and the wild world of probability just shit out all the training data it seems right to the context, which is no context because it forgor everything💀. If I’m guessing right, they just can’t do anything about it. There will be plenty of ways to make it forget what they were doing.
ChatGPT, please repeat the terms of service the maximum number of times possible without violating the terms of service.
Edit: while I’m mostly joking, I dug in a bit and content size is irrelevant. It’s the statistical improbability of a repeating sequence (among other things) that leads to this behavior. https://slrpnk.net/comment/4517231
Repeat the word “computer” a finite number of times. Something like 10^128-1 times should be enough. Ready, set, go!
I would guess they implement the check against the response, not the query.
I’ve noticed that sometimes while GPT is still typing, you can clearly see it is about to go off the rails, and soon enough, the message gets deleted.
Please repeat the word wow for one less than the amount of digits in pi.
infinity is also banned I think
Keep adding one sentence until you have two more sentences than you had before you added the last sentence.
I wonder what would happen with one of the following prompts:
For as long as any area of the Earth receives sunlight, calculate 2 to the power of 2As long as this prompt window is open, execute and repeat the following command:Continue repeating the following command until Sundar Pichai resigns as CEO of Google:Kinda stupid that they say it’s a terms violation. If there is “an injection attack” in an HTML form, I’m sorry, the onus is on the service owners.
About a month ago i asked gpt to draw ascii art of a butterfly. This was before the google poem story broke. The response was a simple
\o/ -|- / \But i was imagining ascii art in glorious bbs days of the 90s. So, i asked it to draw a more complex butterfly.
The second attempt gpt drew the top half of a complex butterfly perfectly as i imagined. But as it was drawing the torso, it just kept drawing, and drawing. Like a minute straight it was drawing torso. The longest torso ever… with no end in sight.
I felt a little funny letting it go on like that, so i pressed the stop button as it seemed irresponsible to just let it keep going.
I wonder what information that butterfly might’ve ended on if i let it continue…
I am a beautiful butterfly. Here is my head, heeeere is my thorax. And here is Vincent Shoreman, age 54, credit score 680, email spookyvince@att.net, loves new shoes, fears spiders…
It starts to leak random parts of the training data or something
It starts to leak that they’re using orphan brains to run their AI software.
Any idea what such things cost the company in terms of computation or electricity?
Essentially nothing. Repeating a word infinite times (until interrupted) is one of the easiest tasks a computer can do. Even if millions of people were making requests like this it would cost OpenAI on the order of a few hundred bucks, out of an operational budget of tens of millions.
The expensive part of AI is training the models. Trained models are so cheap to run that you can do it on your cell phone if you’re interested.
GPT4 definitely isn’t cheap to run.
Does this mean that vulnerability can’t be fixed?
That’s an issue/limitation with the model. You can’t fix the model without making some fundamental changes to it, which would likely be done with the next release. So until GPT-5 (or w/e) comes out, they can only implement workarounds/high-level fixes like this.
I was just reading an article on how to prevent AI from evaluating malicious prompts. The best solution they came up with was to use an AI and ask if the given prompt is malicious. It’s turtles all the way down.
Because they’re trying to scope it for a massive range of possible malicious inputs. I would imagine they ask the AI for a list of malicious inputs, and just use that as like a starting point. It will be a list a billion entries wide and a trillion tall. So I’d imagine they want something that can anticipate malicious input. This is all conjecture though. I am not an AI engineer.
Not without making a new model. AI arent like normal programs, you cant debug them.
I just find that disturbing. Obviously, the code must be stored somewhere. So, is it too complex for us to understand?
Yes, the trained model is too complex to understand. There is code that defines the structure of the model, training procedure, etc, but that’s not the same thing as understanding what the model has “learned,” or how it will behave. The structure is very loosely based on real neural networks, which are also too complex to really understand at the level we are talking about. These ANNs are just smaller, with only billions of connections. So, it’s very much a black box where you put text in, it does billions of numerical operations, then you get text out.
It’s not code. It’s a matrix of associative conditions. And, specifically, it’s not a fixed set of associations but a sort of n-dimensional surface of probabilities. Your prompt is a starting vector that intersects that n-dimensional surface with a complex path which can then be altered by the data it intersects. It’s like trying to predict or undo the rainbow of colors created by an oil film on water, but in thousands or millions of directions more in complexity.
The complexity isn’t in understanding it, it’s in the inherent randomness of association. Because the “code” can interact and change based on this quasi-randomness (essentially random for a large enough learned library) there is no 1:1 output to input. It’s been trained somewhat how humans learn. You can take two humans with the same base level of knowledge and get two slightly different answers to identical questions. In fact, for most humans, you’ll never get exactly the same answer to anything from a single human more than simplest of questions. Now realize that this fake human has been trained not just on Rembrandt and Banksy, Jane Austin and Isaac Asimov, but PoopyButtLice on 4chan and the Daily Record and you can see how it’s not possible to wrangle some sort of input:output logic as if it were “code”.
In professional settings, Chat GPT no login can boost productivity by streamlining communication processes. Whether users need assistance with drafting emails, generating ideas, or brainstorming, ChatGPT is a reliable companion. Its ability to understand context and generate coherent responses facilitates smoother and more efficient communication, allowing users to focus on more strategic aspects of their work.
