
Tech to protect images against AI scrapers can be beaten • The Register



Computer scientists say they’ve devised a way to remove image-based protection mechanisms developed to protect artists from unwanted use of their work for AI training.

Some visual artists, concerned about copyright violations and the possibility that AI-generated images will destroy the demand for their work, have taken to using software that adds “adversarial perturbations” – data patterns that will make AI model predictions misfire. Now, researchers have described a method to beat those perturbations in a paper [PDF] titled, “LightShed: Defeating Perturbation-based Image Copyright Protections.”

“We view LightShed primarily as an awareness effort to highlight weaknesses in existing protection schemes, and we have conducted our work under strict responsible disclosure protocols, which is required by the conference as well,” said Hanna Foerster, a PhD student at the University of Cambridge and one of the authors, in an email to The Register.

LightShed is intended to be the antidote to image-based data poisoning schemes such as Glaze and Nightshade, developed by University of Chicago computer scientists to discourage the non-consensual use of artists’ work for AI training.

Glaze is software that can be applied to an image to make it difficult for a machine learning model to mimic the image’s artistic style. Nightshade poisons an image with adversarial data – perturbations – that make AI models misrecognize image features. Similar proposed defenses against AI data predation include Mist and MetaCloak.

LightShed’s creators are not trying to make it easier for AI companies to bypass defenses against AI training – an area of increased industry interest in the absence of clear legal rules governing AI training (input) and inference (output). Rather, they say their work aims to demonstrate the insufficiency of existing image protection techniques, so that further improvements can be made.

“LightShed exploits the wide availability of these protection schemes to generate poisoned examples and models their characteristics,” the paper explains. “The fingerprints derived from this process enable LightShed to efficiently extract and neutralize the perturbation from a protected image.”

By analyzing poisoned images, the authors say, their approach allows the data poisoning pattern to be recognized and reversed. That result is not entirely surprising: other machine learning researchers have found that image watermarks – adding data for tracking model output rather than messing with it – can be removed.


“Our method reliably detects and removes poisoning (perturbations) to a degree that allows training on copyrighted images,” explained Murtuza Jadliwala, associate professor of computer science at the University of Texas at San Antonio and another of the co-authors, in an email.

“LightShed can approximately reconstruct poisons (perturbations) on which it has been trained, for example demonstrating strong performance with Nightshade and Glaze, but its reconstruction accuracy is lower for poisons it has not seen before such as MetaCloak, as noted in our paper. Reconstruction quality also declines when the poison is present in very small quantities; however, in those cases its capacity to impair training is likewise negligible.”

The other authors on the paper are Sasha Behrouzi, Phillip Rieger, and Ahmad-Reza Sadeghi, from the Technical University of Darmstadt. It is scheduled to be presented at the 34th USENIX Security Symposium in August.

Scrapers versus makers

Anti-AI technologies represent a response to companies like Midjourney, OpenAI, and Google training AI models on artwork, generally without asking, and then selling the ability to mimic that artwork, to the potential detriment of artists’ incomes and careers. Visual artists, along with writers, publishers, and software developers, have sued various AI companies to prevent such use.
