For AI, secrecy often doesn’t improve security

October 15, 2024

By John Sullivan

Concern about misuse of artificial intelligence has led political leaders to consider regulating the emerging technology in ways that could limit access to AI models’ inner workings. But researchers at a group of leading universities, including Princeton, caution that such restrictions are likely to do more harm than good.

In an article published online on Oct. 10 in the journal Science, a research team including Princeton computer science professor Arvind Narayanan and graduate student Sayash Kapoor concludes that limiting public access to the underlying structures of AI systems could have several negative results: stifling innovation by restricting engineers’ ability to improve and adapt the models; increasing the secrecy of the models’ operation; and concentrating power in the hands of the few individuals and corporations that control access to the technology.

The article discusses in detail the threats posed by misuse of AI systems in areas including disinformation, hacking, bioterrorism and the creation of false images. The researchers assess each risk and discuss whether there are more effective ways to combat it than restricting access to AI models. For example, discussing how AI could be misused to generate text for spear-phishing email scams, the researchers note that it is more effective to bolster defenses than to restrict AI.

“[T]he key bottleneck for spear phishing is not generally the text of emails but downstream safeguards: modern operating systems, browsers, and email services implement several layers of protection against such malware,” they write.

The emergence of artificial intelligence in the past few years has led to calls for regulating the technology, including steps by the White House and the European Union. At issue are the computer code and data that make up today’s primary AI systems, such as GPT-4 and Llama 2. Known as foundation models, these are the systems that can be harnessed to write reports, create graphics and perform other tasks. A major distinction among the models is how they are released. Some, called open models, are fully available for public inspection. Others, called closed models, are available only to their designers. A third type is the hybrid model, which keeps parts of the system secret and allows public access to other parts.

Although the distinction seems technical, it can be critical to regulation. The researchers said most of the concern about AI models relates to ways the models could be subverted for malicious purposes. One option to combat misuse is to make such adaptations harder by restricting access to the models. Regulators could do this by requiring developers to block outside access. They could also make developers legally responsible for misuse of the models by others, which would likely have the same result.

The researchers found that the available evidence does not show that open models are riskier than closed models, or than information already available through standard research techniques such as online searching. In an article presented earlier this year at the International Conference on Machine Learning, the researchers concluded that restricting access to models does not necessarily limit the risk of misuse. This is partly because even closed models can be subverted, and partly because the information malicious actors need might already be available on the internet through search engines.

“Correctly characterizing the distinct risk of open foundation models requires centering marginal risk: To what extent do open foundation models increase risk relative to closed foundation models, or to preexisting technologies such as search engines,” the researchers write.

The researchers said this does not mean that access to models should never be limited. In some areas, closed models provide the best solution. But, they argue, regulators need to consider carefully whether limiting access is the best way to prevent harm.

“For many threat vectors, existing evidence of marginal risk is limited,” they write. “This does not mean that open foundation models pose no risk along these vectors but, instead, that more rigorous analysis is required to substantiate policy interventions.”

The article, “Considerations for governing open foundation models,” was published online Oct. 10 in the journal Science. Besides Kapoor and Narayanan, who is also director of Princeton’s Center for Information Technology Policy, the authors include Rishi Bommasani, Daniel Ho, Kevin Klyman, Percy Liang, Marietje Schaake and Daniel Zhang of Stanford University; Ashwin Ramaswami of Georgetown University; and Shayne Longpre of the MIT Media Lab.