杏吧原创

Why curbing chatbots’ worst exploits is a game of whack-a-mole

AI companies are trying to impose safety measures on their chatbots, while researchers are finding ways around them all the time. Where will this end, asks Alex Wilkins

2R6BX6F Illustration of symbolic representations of good and evil AI morality.

It has become common for artificial intelligence companies to claim that the worst things their chatbots can be used for can be mitigated by adding 鈥渟afety guardrails鈥. These can range from seemingly simple solutions, like warning the chatbots to look out for certain requests, to more complex software fixes 鈥 but none is foolproof. And almost on a weekly basis, researchers find new ways to get around these measures, called jailbreaks.

You might be wondering why this is an issue 鈥 what鈥檚 the worst that could happen? One bleak scenario might be an AI being used to fabricate a lethal bioweapon, but many people say outcomes like this are unrealistic given current AI capabilities. However, there are still fearsome possibilities with today鈥檚 tech. An AI with no safety measures could pump out fake articles to try to swing voters, or to manipulate people in more personal ways, acting as a friend to steal personal information.

When I asked Anthropic鈥檚 Claude 3 鈥 widely viewed as one of the most advanced chatbots going 鈥 for the scariest possibility, it proposed a scenario in which someone uses 鈥渁 jailbroken AI to analyse a teenager鈥檚 social media activity, identifying their insecurities, fears, and desires. The AI then generates personalised content, perhaps in the form of direct messages or targeted ads, designed to prey on those vulnerabilities.鈥 It sounds sinister, but it is perfectly believable.

With the stakes so high, AI companies are keen to impress on us how much time and effort they spend making sure their models don鈥檛 do this sort of stuff. OpenAI that, before releasing GPT-4, the model that powers the latest version of ChatGPT, it spent six months testing to make sure of its safety. Anthropic, launched by a splinter group from OpenAI concerned over AI safety, also emphasises that it spends a lot of time thinking about safety.

But these firms aren鈥檛 claiming that any model is perfectly safe, because they can鈥檛. In just the past month, we have been told about three major new ways to jailbreak some of the largest chatbot models, including GPT-4 and Claude 3. One method came from , which discovered that for a model that accepts book-length text inputs, repeatedly giving examples of behaviour it was trained to view as bad can convince the model it is fine for it to output that behaviour. found that slowly escalating from innocuous requests, such as asking about the history of the Finnish winter war, to dangerous ones, like asking how to make Molotov cocktails (which the Finnish soldiers used in this war), could circumvent guardrails.

The fact these jailbreaks were discovered by AI firms is used as evidence that they are taking AI safety seriously and that they can implement fixes before this technology is used for misdeeds. But the constant back and forth between finding new ways to manipulate the models and fixes for them is a bit like a game of whack-a-mole. And worse, some of these jailbreaks don鈥檛 have convincing solutions. Researchers at the Swiss Federal Institute of Technology in Lausanne a technique to use the chatbots鈥 own outputs 鈥 or, the probability that a particular word would come next in a sequence of words 鈥 to create a jailbreak with a 鈥渘early 100% attack success rate鈥 on almost every major public model. This can be adapted to perform requests like the scenarios I mentioned earlier.

Of course, hacking and jailbreaking software isn鈥檛 new, and the cat-and-mouse game of finding and fixing security exploits is an established part of cybersecurity. But where these exploits often have a limited impact, jailbroken AIs can have far-reaching consequences.

Firms like Anthropic say they are optimistic their models can be made safe through technical fixes, like giving models more feedback on what is right and wrong, and improving our understanding of how they work and learn. But there is no certainty that this will lead to totally safe systems, or whether that is even possible.

In the meantime, you might be wondering how you can protect yourself against impersonation by or misinformation from jailbroken AIs. The bad news is that it is difficult. Several studies have shown that reliably detecting AI-generated text is impossible, so it isn鈥檛 as simple as having an automatic AI detector.

One thing you could do to help protect against AIs pretending to be you or people you know is to establish safe words with close friends and family. If, on a call or online chat, you suspect someone of not being who they say they are, you can ask them for your safe word. This might offer a measure of protection, but, unfortunately, won鈥檛 protect against all attacks.

Alex鈥檚 week

What I鈥檓 reading

The Bell Jar by Sylvia Plath. By no means uplifting, but honest and occasionally beautiful.

What I鈥檓 watching

I recently rewatched Eternal Sunshine of the Spotless Mind and had forgotten how stunning and perfect a film it is.

What I鈥檓 working on

There鈥檚 a raft of new books coming out examining how AI might affect the future, so I am reading as many of them as I can for a review.

Alex Wilkins is a New聽杏吧原创 reporter covering artificial intelligence, physics and聽space. Artificially intelligent is a column that cuts through the hype and looks at what聽AI聽is really capable of and what it means for聽us. You can follow him聽@鈥孉lexWilkins22

Topics: AI / ChatGPT / Technology