It could also contain non-public domain data, and you can’t declare someone else’s intellectual property as public domain just like that, otherwise a malicious actor could just train a model with a bunch of misappropriated data, get caught (intentionally or not) and then force all that data into public domain.
Forcing a bunch of neural weights into the public domain doesn’t make the data they were trained on also public domain, in fact it doesn’t even reveal what they were trained on.
No, he’s challenging the assertion that it’s “trivially easy” to make AIs output their training data.
Older AIs have occasionally regurgitated bits of training data as a result of overfitting, which is a flaw in training that modern AI training techniques have made great strides in eliminating. It’s no longer a particularly common problem, and even if it were it only applies to those specific bits of training data that were overfit on, not on all of the training data in general.
Last time I looked it up and calculated it, these large models are trained on something like only 7x the tokens as the number of parameters they have. If you thought of it like compression, a 1:7 ratio for lossless text compression is perfectly possible.
I think the models can still output a lot of stuff verbatim if you try to get them to, you just hit the guardrails they put in place. Seems to work fine for public domain stuff. E.g. “Give me the first 50 lines from Romeo and Juliette.” (albeit with a TOS warning, lol). “Give me the first few paragraphs of Dune.” seems to hit a guardrail, or maybe just forced through reinforcement learning.
A preprint paper was released recently that detailed how to get around RL by controlling the first few tokens of a model’s output, showing the “unsafe” data is still in there.
I’ve been working with local LLMs for over a year now. No guardrails, and many of them fine-tuned against censorship. They can’t output arbitrary training material verbatim.
How easy are we talking about here? Also, making the model public domain doesn’t mean making the output public domain. The output of an LLM should still abide by copyright laws, as they should be.
There’s no need to “make it legal”, things are legal by default until a law is passed to make them illegal. Or a court precedent is set that establishes that an existing law applies to the new thing under discussion.
Training an AI doesn’t involve copying the training data, the AI model doesn’t literally “contain” the stuff it’s trained on. So it’s not likely that existing copyright law makes it illegal to do without permission.
There’s no need to “make it legal”, things are legal by default until a law is passed to make them illegal.
Yes, and that’s already happened: it’s called “copyright law.” You can’t mix things with incompatible licenses into a derivative work and pretend it’s okay.
By this logic, you can copy a copyrighted imege as long as you decrease the resolution, because the new image does not contain all the information in the original one.
Just because something is defined legally instead of technologically, that doesn’t make it vague. The modification violates copyright when the result is a derivative work; no more, no less.
The issue with this definition is that it’s overly broad. For instance, a hash of a picture could not exist without that picture. Nor do certain downscalings, like 2x2, 3x3 or 4x4. There must be an exact pixel value you can legally downscale any image to without violating copyright. Similarly, there is a point where creating a book’s synopsis starts violating copyright and where a song sounds too similar to another one.
And based on their size, LLMs - in my opinion - cannot possibly violate copyright for their source material because they couldn’t possibly store more than a couple of bits per work. Only works that occue frequently in the training data can actually be somewhat reproduced by LLMs.
By the way, fair use doesn’t even exist in every - including my - jurisdiction.
This has lead to people being successfully sued for copyright infringement because they posted pictures of their home online that contained a copyrighted wallpaper in the background.
In the case of Stable Diffusion, they used 5 billion images to train a model 1.83 gigabytes in size. So if you reduce a copyrighted image to 3 bits (not bytes - bits), then yeah, I think you’re probably pretty safe.
Your calculation is assuming that the input images are statistically independent, which is certainly not the case (otherwise the model would be useless for generating new images)
Of course it’s silly. Of course the images are not statistically independent, that’s the point. There are still people to this day who claim that stable diffusion and its ilk are producing “collages” of their training images, please tell this to them.
The way that these models work is by learning patterns from their training material. They learn styles, shapes, meanings. None of those things are covered by copyright.
It wouldn’t contain any public-domain data though. That’s the thing with LLMs, once they’re trained on data the data is gone and just added to the series of weights in the model somewhere. If it ingested something private like your tax data, it couldn’t re-create your tax data on command, that data is now gone, but if it’s seen enough private tax data it could give something that looked a lot like a tax return to someone with an untrained eye. But, a tax accountant would easily see flaws in it.
It could also contain non-public domain data, and you can’t declare someone else’s intellectual property as public domain just like that, otherwise a malicious actor could just train a model with a bunch of misappropriated data, get caught (intentionally or not) and then force all that data into public domain.
Laws are never simple.
Forcing a bunch of neural weights into the public domain doesn’t make the data they were trained on also public domain, in fact it doesn’t even reveal what they were trained on.
LOL no. The weights encode the training data and it’s trivially easy to make AI generators spit out bits of their training data.
paper?
No, training data.
No, he’s challenging the assertion that it’s “trivially easy” to make AIs output their training data.
Older AIs have occasionally regurgitated bits of training data as a result of overfitting, which is a flaw in training that modern AI training techniques have made great strides in eliminating. It’s no longer a particularly common problem, and even if it were it only applies to those specific bits of training data that were overfit on, not on all of the training data in general.
Last time I looked it up and calculated it, these large models are trained on something like only 7x the tokens as the number of parameters they have. If you thought of it like compression, a 1:7 ratio for lossless text compression is perfectly possible.
I think the models can still output a lot of stuff verbatim if you try to get them to, you just hit the guardrails they put in place. Seems to work fine for public domain stuff. E.g. “Give me the first 50 lines from Romeo and Juliette.” (albeit with a TOS warning, lol). “Give me the first few paragraphs of Dune.” seems to hit a guardrail, or maybe just forced through reinforcement learning.
A preprint paper was released recently that detailed how to get around RL by controlling the first few tokens of a model’s output, showing the “unsafe” data is still in there.
I’ve been working with local LLMs for over a year now. No guardrails, and many of them fine-tuned against censorship. They can’t output arbitrary training material verbatim.
Llama 3 was trained on 15 trillion tokens, both the 8B and 70B parameter versions.. So around 1:1000, not 1:7.
I thought he meant LLMs shot out bits of paper like some ticker-tape parade.
How easy are we talking about here? Also, making the model public domain doesn’t mean making the output public domain. The output of an LLM should still abide by copyright laws, as they should be.
So what you’re saying is that there’s no way to make it legal and it simply needs to be deleted entirely.
I agree.
There’s no need to “make it legal”, things are legal by default until a law is passed to make them illegal. Or a court precedent is set that establishes that an existing law applies to the new thing under discussion.
Training an AI doesn’t involve copying the training data, the AI model doesn’t literally “contain” the stuff it’s trained on. So it’s not likely that existing copyright law makes it illegal to do without permission.
Yes, and that’s already happened: it’s called “copyright law.” You can’t mix things with incompatible licenses into a derivative work and pretend it’s okay.
You have to copy something before copyright law applies.
By this logic, you can copy a copyrighted imege as long as you decrease the resolution, because the new image does not contain all the information in the original one.
Am I allowed to take a copyrighted image, decrease its size to 1x1 pixels and publish it? What about 2x2?
It’s very much not clear when a modification violates copyright because copyright is extremely vague to begin with.
Just because something is defined legally instead of technologically, that doesn’t make it vague. The modification violates copyright when the result is a derivative work; no more, no less.
What is a derivative work though? That’s again extremely vague and has been subject to countless lawsuits seeking to determine the bounds.
If your work depends on the original, such that it could not exist without it, it’s derivative.
I can easily create a pixel of any arbitrary color, so it’s sufficiently transformative that it’s considered a separate work.
The four fair use tests are pretty reliable in making a determination.
The issue with this definition is that it’s overly broad. For instance, a hash of a picture could not exist without that picture. Nor do certain downscalings, like 2x2, 3x3 or 4x4. There must be an exact pixel value you can legally downscale any image to without violating copyright. Similarly, there is a point where creating a book’s synopsis starts violating copyright and where a song sounds too similar to another one.
And based on their size, LLMs - in my opinion - cannot possibly violate copyright for their source material because they couldn’t possibly store more than a couple of bits per work. Only works that occue frequently in the training data can actually be somewhat reproduced by LLMs.
By the way, fair use doesn’t even exist in every - including my - jurisdiction.
This has lead to people being successfully sued for copyright infringement because they posted pictures of their home online that contained a copyrighted wallpaper in the background.
More like reduce it to a handful of vectors that get merged with other vectors.
In the case of Stable Diffusion, they used 5 billion images to train a model 1.83 gigabytes in size. So if you reduce a copyrighted image to 3 bits (not bytes - bits), then yeah, I think you’re probably pretty safe.
Your calculation is assuming that the input images are statistically independent, which is certainly not the case (otherwise the model would be useless for generating new images)
Of course it’s silly. Of course the images are not statistically independent, that’s the point. There are still people to this day who claim that stable diffusion and its ilk are producing “collages” of their training images, please tell this to them.
The way that these models work is by learning patterns from their training material. They learn styles, shapes, meanings. None of those things are covered by copyright.
It wouldn’t contain any public-domain data though. That’s the thing with LLMs, once they’re trained on data the data is gone and just added to the series of weights in the model somewhere. If it ingested something private like your tax data, it couldn’t re-create your tax data on command, that data is now gone, but if it’s seen enough private tax data it could give something that looked a lot like a tax return to someone with an untrained eye. But, a tax accountant would easily see flaws in it.
Right, like I did. They’re safeguarding Disney and other places like that now. It’s just the little guys who get screwed.
https://imgur.com/a/these-are-new-niki-mice-drawings-phone-company-chainsaws-merms-donut-logos-burger-mc-winfruit-computers-republunch-political-party-logos-Rhgi0OC