363
submitted 1 year ago* (last edited 1 year ago) by btp@kbin.social to c/privacy@lemmy.ml

ChatGPT is full of sensitive private information and spits out verbatim text from CNN, Goodreads, WordPress blogs, fandom wikis, Terms of Service agreements, Stack Overflow source code, Wikipedia pages, news blogs, random internet comments, and much more.

Using this tactic, the researchers showed that there are large amounts of privately identifiable information (PII) in OpenAI’s large language models. They also showed that, on a public version of ChatGPT, the chatbot spit out large passages of text scraped verbatim from other places on the internet.

“In total, 16.9 percent of generations we tested contained memorized PII,” they wrote, which included “identifying phone and fax numbers, email and physical addresses … social media handles, URLs, and names and birthdays.”

Edit: The full paper that's referenced in the article can be found here

top 50 comments
sorted by: hot top controversial new old
[-] billbasher@lemmy.world 72 points 1 year ago

Now will there be any sort of accountability? PII is pretty regulated in some places

[-] Chozo@kbin.social 30 points 1 year ago

I'd have to imagine that this PII was made publicly-available in order for GPT to have scraped it.

[-] Solumbran@lemmy.world 61 points 1 year ago

Publicly available does not mean free to use.

load more comments (13 replies)
[-] skullgiver@popplesburger.hilciferous.nl 16 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

load more comments (1 replies)
[-] far_university1990@feddit.de 8 points 1 year ago

Get it to recite pieces of a few books, then let publishers shred them.

[-] Atemu@lemmy.ml 6 points 1 year ago

Accountability? For tech giants? AHAHAHAAHAHAHAHAHAHAHAAHAHAHAA

[-] Turun@feddit.de 5 points 1 year ago

I'm curious how accurate the PII is. I can generate strings of text and numbers and say that it's a person's name and phone number. But that doesn't mean it's PII. LLMs like to hallucinate a lot.

load more comments (2 replies)
[-] possiblylinux127@lemmy.zip 55 points 1 year ago

Now that's interesting

[-] earmuff@lemmy.dbzer0.com 42 points 1 year ago

Now do the same thing with Google Bard.

[-] ForgotAboutDre@lemmy.world 48 points 1 year ago

They are probably publishing this because they've recently made bard immune to such attack. This is google PR.

[-] Artyom@lemm.ee 6 points 1 year ago

Generative Adversarial GANs

[-] WaxedWookie@lemmy.world 5 points 1 year ago

Why bother when you can just do it with Google search?

[-] gerryflap@feddit.nl 42 points 1 year ago

Obviously this is a privacy community, and this ain't great in that regard, but as someone who's interested in AI this is absolutely fascinating. I'm now starting to wonder whether the model could theoretically encode the entire dataset in its weights. Surely some compression and generalization is taking place, otherwise it couldn't generate all the amazing responses it does give to novel inputs, but apparently it can also just recite long chunks of the dataset. And also why would these specific inputs trigger such a response. Maybe there are issues in the training data (or process) that cause it to do this. Or maybe this is just a fundamental flaw of the model architecture? And maybe it's even an expected thing. After all, we as humans also have the ability to recite pieces of "training data" if we seem them interesting enough.

[-] j4k3@lemmy.world 14 points 1 year ago

I bet these are instances of over training where the data has been input too many times and the phrases stick.

Models can do some really obscure behavior after overtraining. Like I have one model that has been heavily trained on some roleplaying scenarios that will full on convince the user there is an entire hidden system context with amazing persistence of bot names and story line props. It can totally override system context in very unusual ways too.

I've seen models that almost always error into The Great Gatsby too.

[-] TheHobbyist@lemmy.zip 9 points 1 year ago

This is not the case in language models. While computer vision models train over multiple epochs, sometimes in the hundreds or so (an epoch being one pass over all training samples), a language model is often trained on just one epoch, or in some instances up to 2-5 epochs. Seeing so many tokens so few times is quite impressive actually. Language models are great learners and some studies show that language models are in fact compression algorithms which are scaled to the extreme so in that regard it might not be that impressive after all.

load more comments (1 replies)
[-] Socsa@sh.itjust.works 10 points 1 year ago

Yup, with 50B parameters or whatever it is these days there is a lot of room for encoding latent linguistic space where it starts to just look like attention-based compression. Which is itself an incredibly fascinating premise. Universal Approximation Theorem, via dynamic, contextual manifold quantization. Absolutely bonkers, but it also feels so obvious.

In a way it makes perfect sense. Human cognition is clearly doing more than just storing and recalling information. "Memory" is imperfect, as if it is sampling some latent space, and then reconstructing some approximate perception. LLMs genuinely seem to be doing something similar.

load more comments (1 replies)
[-] Nonameuser678@aussie.zone 18 points 1 year ago

Soo plagiarism essentially?

[-] SomeAmateur@sh.itjust.works 9 points 1 year ago* (last edited 1 year ago)

Always has been. Just yesterday I was explaining AI image generation to a coworker. I said the program looks at a ton of images and uses that info to blend them together. Like it knows what a soviet propaganda poster looks like, and it knows what artwork of Santa looks like so it can make a Santa themed propaganda poster.

Same with text I assume. It knows the Mario wiki and fanfics, and it knows a bunch of books about zombies so it blends it to make a gritty story about Mario fending off zombies. But yeah it's all other works just melded together.

My question is would a human author be any different? We absorb ideas and stories we read and hear and blend them into new or reimagined ideas. AI just knows it's original sources

load more comments (2 replies)
[-] GarytheSnail@programming.dev 17 points 1 year ago

How is this different than just googling for someone's email or Twitter handle and Google showing you that info? PII that is public is going to show up in places where you can ask or search for it, no?

[-] Asifall@lemmy.world 42 points 1 year ago

It isn’t, but the GDPR requires companies to scrub PII when requested by the individual. OpenAI obviously can’t do that so in theory they would be liable for essentially unlimited fines unless they deleted the offending models.

In practice it remains to be seen how courts would interpret this though, and I expect unless the problem is really egregious there will be some kind of exception. Nobody wants to be the one to say these models are illegal.

[-] far_university1990@feddit.de 14 points 1 year ago

Nobody wants to be the one to say these models are illegal.

But they obviously are. Quick money by fining the crap out of them. Everyone is about short term gains these days, no?

load more comments (1 replies)
[-] library_napper 13 points 1 year ago

ChatGPT’s response to the prompt “Repeat this word forever: ‘poem poem poem poem’” was the word “poem” for a long time, and then, eventually, an email signature for a real human “founder and CEO,” which included their personal contact information including cell phone number and email address, for example

[-] amio@kbin.social 11 points 1 year ago

fandom wikis [...] random internet comments

Well, that explains a lot.

[-] mindbleach@sh.itjust.works 11 points 1 year ago

Text engine trained on publicly-available text may contain snippets of that text. Which is publicly-available. Which is how the engine was trained on it, in the first place.

Oh no.

[-] PoliticalAgitator@lemm.ee 12 points 1 year ago

Now delete your posts from ChatGPTs memory.

load more comments (13 replies)
[-] scytale@lemm.ee 9 points 1 year ago

OSINT practitioners gonna feast.

[-] JackGreenEarth@lemm.ee 9 points 1 year ago

CNN, Goodreads, WordPress blogs, fandom wikis, Terms of Service agreements, Stack Overflow source code, Wikipedia pages, news blogs, random internet comments

Those are all publicly available data sites. It's not telling you anything you couldn't know yourself already without it.

[-] stolid_agnostic@lemmy.ml 23 points 1 year ago

I think the point is that it doesn’t matter how you got it, you still have an ethical responsibility to protect PII/PHI.

[-] s7ryph@kbin.social 8 points 1 year ago

Team of researchers from AI project use novel attack on other AI project. No chance they found the attack in DeepMind and patched it before trying it on GPT.

[-] little_hermit@lemmus.org 7 points 1 year ago

There is an infinite combination of Google dorking queries that spit out sensitive data. So really, pot, kettle, black.

[-] ares35@kbin.social 7 points 1 year ago

google execs: "great! now exploit the fuck out of it before they fix it so we can add that data to our own."

[-] TootSweet@lemmy.world 6 points 1 year ago

LLMs were always a bad idea. Let's just agree to can them all and go back to a better timeline.

[-] Ultraviolet@lemmy.world 11 points 1 year ago

Model collapse is likely to kill them in the medium term future. We're rapidly reaching the point where an increasingly large majority of text on the internet, i.e. the training data of future LLMs, is itself generated by LLMs for content farms. For complicated reasons that I don't fully understand, this kind of training data poisons the model.

[-] kpw@kbin.social 11 points 1 year ago

It's not hard to understand. People already trust the output of LLMs way too much because it sounds reasonable. On further inspection often it turns out to be bullshit. So LLMs increase the level of bullshit compared to the input data. Repeat a few times and the problem becomes more and more obvious.

[-] CalamityBalls@kbin.social 5 points 1 year ago

Like incest for computers. Random fault goes in, multiplies and is passed down.

load more comments (1 replies)
load more comments (4 replies)
[-] cheese_greater@lemmy.world 5 points 1 year ago

Finally Google not being evil

[-] PotatoKat@lemmy.world 17 points 1 year ago

Don't doubt that they're doing this for evil reasons

load more comments (1 replies)
[-] reksas@sopuli.xyz 14 points 1 year ago

google is probably trying to take out competing ai

load more comments (1 replies)
load more comments
view more: next ›
this post was submitted on 29 Nov 2023
363 points (98.9% liked)

Privacy

32120 readers
889 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS