Freakonomics Radio - 619. How to Poison an A.I. Machine
Episode Date: January 24, 2025

When the computer scientist Ben Zhao learned that artists were having their work stolen by A.I. models, he invented a tool to thwart the machines. He also knows how to foil an eavesdropping Alexa and how to guard your online footprint. The big news, he says, is that the A.I. bubble is bursting.

SOURCES:
Erik Brynjolfsson, professor of economics at Stanford University
Ben Zhao, professor of computer science at the University of Chicago

RESOURCES:
"The AI lab waging a guerrilla war over exploitative AI," by Melissa Heikkilä (MIT Technology Review, 2024)
"Glaze: Protecting Artists from Style Mimicry by Text-to-Image Models," by Shawn Shan, Jenna Cryan, Emily Wenger, Haitao Zheng, Rana Hanocka, and Ben Y. Zhao (Cornell University, 2023)
"Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models," by Shawn Shan, Wenxin Ding, Josephine Passananti, Stanley Wu, Haitao Zheng, and Ben Y. Zhao (Cornell University, 2023)
"A Brief History of Artificial Intelligence: What It Is, Where We Are, and Where We Are Going," by Michael Wooldridge (2021)

EXTRAS:
"Nuclear Power Isn't Perfect. Is It Good Enough?" by Freakonomics Radio (2022)
Transcript
There's an old saying that I'm sure you've heard, imitation is the sincerest form of
flattery. But imitation can easily tip into forgery. In the art world, there have been
many talented forgers over the years. The Dutch painter, Han van Meegeren, a master
forger of the 20th century, was so good that
his paintings were certified and sold, often to Nazis, as works by Johannes Vermeer, a 17th
century Dutch master.
Now there is a new kind of art forgery happening, and the perpetrators are machines.
I recently got back from San Francisco, the epicenter of the artificial intelligence boom.
I was out there to do a live show, which you may have heard in our feed, and also to attend
the annual American Economic Association Conference.
Everywhere you go in San Francisco, there are billboards for AI companies.
The conference itself was similarly blanketed.
There were sessions called Economic Implications of AI, Artificial Intelligence and Finance,
and Large Language Models and Generative AI. The economist Erik Brynjolfsson is one of
the leading scholars in this realm, and we borrowed him for our live show to hear his
views on
AI.
The idea is that, you know, AI is doing these amazing things, but we want to do it in service
of humans and make sure that we keep humans at the center of all of that.
The day after Brynjolfsson came on our show, I attended one of his talks at the conference.
It was called Will AI Save Us or Destroy Us?
He cited a book by the Oxford
computer scientist Michael Wooldridge called A Brief History of Artificial Intelligence.
Brynjolfsson read from a list of problems that Wooldridge said AI was nowhere near solving.
Here are a few of them. Understanding a story and answering questions about it. Human-level
automated translation. Interpreting what is going
on in a photograph. As Brynjolfsson is reading this list from the lectern, you're thinking,
wait a minute, AI has solved all those problems, hasn't it? And that's when Brynjolfsson gets to
his punchline. The Wooldridge book was published way back in 2021.
The pace of AI's advance has been astonishing, and some people expect it to supercharge our economy.
The Congressional Budget Office has estimated economic growth over the
current decade of around 1.5% a year.
Erik Brynjolfsson thinks that AI could double that.
He argues that many views of AI are either too fearful or too narrow.
Too many people think of machines as just trying to imitate humans,
but machines can help us do new things we never could have done before.
And so we want to look for ways that machines can complement humans,
not simply imitate or replace them.
So that sounds promising, but what about the machines that are just imitating humans?
What about machines that are essentially high-tech forgers?
Today on Freakonomics Radio, we will hear from someone who is trying to thwart these
machines on behalf of artists.
They take decades to hone their skills, and when that's taken against their will, that
is sort of identity theft.
Ben Zhao is a professor of computer science at the University of Chicago.
He is by no means a techno pessimist, but he is not so bullish on artificial intelligence.
There is an exceptional level of hype. That bubble is in many ways in the middle of bursting right now.
But Zhao isn't just waiting for the bubble to burst.
It's already too late for that.
Because the harms are happening to people in real time.
Zhao and his team have been building tools to prevent some of those harms.
When it comes to stolen art, the tool of choice is a dose of poison
that Zhao slips into the AI system. There is another old saying,
you probably know, it takes a thief to catch a thief. How does that work in the time of
AI? Let's find out. This is Freakonomics Radio, the podcast that explores the hidden side of everything with
your host, Stephen Dubner. Ben Zhao and his wife, Heather Zheng, are both computer scientists at the University of Chicago,
and they run their own lab.
We call it the SAND Lab.
Which stands for?
Security, Algorithms, Networking, and Data.
Most of the work that we do has been to use technology for good, to limit the harms of abuses and attacks
and protect human beings and their values, whether it's personal privacy or
security or data or your identity.
What's your lab look like if we showed up? What do we see? Do we see people milling around, talking, working on monitors together?
It's really quite anticlimactic. We've had some TV crews come by and they're always expecting some sort of
secret lair and then they walk in and it's a bunch of cubicles.
Our students all have standing desks.
The only wrinkle is that I'm at one of the standing desks in the room.
I don't usually sit in my office.
I sit next to them a couple of cubicles over so that they don't get paranoid
about me watching their screen.
When there's a tool that you're envisioning or developing
or perfecting, is it all hands on deck?
Are the teams relatively small?
How does that work?
Well, there's only a handful of students in my lab
to begin with.
So all hands on deck is like what,
seven or eight PhD students plus us.
Typically speaking, the projects are a little bit smaller
just because we've got multiple projects going on
and so people are partitioning their attention and work energy at
different things. I read on your webpage, Ben, you write, "I work primarily on
adversarial machine learning and tools to mitigate harms of generative AI
models against human creatives." So that's an extremely compelling bio line. Like,
if that was a dating profile and I were in AI,
I would say, whoa, swiping hard left.
But if I'm someone concerned about these things,
oh my goodness, you're the dream date.
So can you unpack that for me?
Adversarial machine learning is a shorthand
for this interesting research area
at the intersection of computer security and machine
learning.
Anything to do with attacks, defenses, privacy concerns,
surveillance, all these subtopics as related to machine learning and AI.
That's what I've been working on mostly for the last decade.
For more than two years, we've been focused on how the misuse and
abuse of these AI tools can harm real people, and trying to build
research tools and technology tools to try to reduce some of that harm to protect regular
citizens and, in particular, human creatives like artists and writers.
Before he got into his current work, protecting creatives, Zhao made a tool for people who
are worried that Siri or Alexa are eavesdropping on them,
which now that I've said their names, they may be.
He called this tool the bracelet of silence.
So that's from my D&D days.
It's a fun little project.
We had done prior work in ultrasonics and modulation effects when you have different
microphones and how they react to different frequencies of sound.
One of the effects that people have been observing
is that you can make microphones vibrate
in a frequency that they don't want to.
We figured out that we could build
a set of little transducers.
You can imagine a fat bracelet,
sort of like cyberpunk kind
of thing, with I think 24 or 12, I forget the exact number, little transducers that
are hooked onto the bracelet like gemstones.
The one I'm looking at looks like 12.
I also have to say, Ben, it's pretty big.
It's a pretty big bracelet to wear around just to silence your Alexa or HomePod.
Well, hey, you got to do what you got to do and hopefully other people will make it much
smaller, right?
We're not in the production business.
What it does is basically it radiates a carefully tuned pair of ultrasonic pulses in such a
way that commodity microphones anywhere within reach will, against their will, begin to vibrate
at a normal audible frequency.
They basically generate the sound that's necessary to
jam themselves. When we first came out with this thing, a lot of people were very
excited, privacy advocates, public figures who were very concerned, not
necessarily about their own Alexa, but the fact that they had to walk into
public places all the time. You're really trying to prevent that hidden microphone
eavesdropping on a private conversation.
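Here is a rough numerical illustration of the effect Zhao is describing, not the SAND Lab's actual design: two inaudible ultrasonic tones mix inside a microphone's slightly nonlinear hardware and produce an audible tone at their difference frequency. The frequencies and nonlinearity below are made-up stand-ins; in the real bracelet the signal is modulated so the result sounds like jamming noise rather than a pure tone.

```python
import numpy as np

fs = 192_000                      # sample rate high enough to represent ultrasound
t = np.arange(0, 0.05, 1 / fs)    # 50 ms of signal
f1, f2 = 25_000, 25_440           # two inaudible ultrasonic tones

emitted = np.sin(2 * np.pi * f1 * t) + np.sin(2 * np.pi * f2 * t)

# Toy model of a microphone's slight nonlinearity: mostly linear plus a small
# quadratic term. The quadratic term mixes the two tones and creates energy at
# f2 - f1 = 440 Hz, squarely in the audible band, even though nothing audible
# was ever emitted.
recorded = emitted + 0.1 * emitted ** 2

spectrum = np.abs(np.fft.rfft(recorded))
freqs = np.fft.rfftfreq(len(recorded), 1 / fs)
audible = (freqs > 20) & (freqs < 20_000)
peak = freqs[audible][np.argmax(spectrum[audible])]
print(f"strongest audible component: {peak:.0f} Hz")   # ~440 Hz
```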
Okay, that's the bracelet of silence.
I'd like you to describe another privacy tool you built, the one called Fawkes.
Fawkes is a fun one.
In 2019, I was brainstorming about some dangers that we have in the future.
And this is not even generative AI.
This is just sort of classification and facial recognition.
One of the things that we came up with was this idea that AI is gonna be everywhere
and therefore anyone can train any model
and therefore people can basically train models of you.
At the time it was not about deep fakes,
it was about surveillance.
And what would happen if people just went online,
took your entire internet footprint,
which of course today is massive,
scrape all your photos from Facebook and Instagram
and LinkedIn,
and then build this incredibly accurate facial recognition model of you without your knowledge,
much less permission. And we built this tool that basically allows you to alter your selfies,
your photos, in such a way that it made you look more like someone else than yourself.
Does it make you look more like someone else in the actual context that you care about or
only in the version when it's being scraped?
That's right. Only in the version when it's being used to build a model against you.
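Here is a rough conceptual sketch, in PyTorch, of the kind of optimization a cloaking tool like this performs. It is not the released Fawkes code; the feature_extractor, the decoy image, and the pixel budget are illustrative stand-ins.

```python
# Nudge the pixels of a selfie so that a face-recognition feature extractor
# embeds it near a *different* person, while the change stays too small to see.
import torch

def cloak(selfie, decoy, feature_extractor, budget=0.03, steps=200, lr=0.01):
    """Return selfie plus a small perturbation whose embedding moves toward `decoy`'s."""
    delta = torch.zeros_like(selfie, requires_grad=True)   # the invisible "cloak"
    target = feature_extractor(decoy).detach()             # embedding to imitate
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        opt.zero_grad()
        cloaked = (selfie + delta).clamp(0, 1)
        loss = torch.norm(feature_extractor(cloaked) - target)  # pull toward the decoy
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-budget, budget)   # keep the change imperceptible to humans
    return (selfie + delta).detach().clamp(0, 1)
```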
But the funny part was that we built this technology, we wrote the paper,
and on the week of submission, this was 2020, we were getting ready to submit that paper.
I remember it distinctly. That was when Kashmir Hill at the New York Times came out with her story on Clearview AI.
And that was just mind-blowing because I had been talking to our students for months about having to build for this dark scenario.
And literally, here's the New York Times saying, yeah, this is today and we are already in it.
That was disturbing on many fronts, but it did make writing the paper a lot easier.
We just cited the New York Times article
and said, here it is already.
Clearview AI is funded how?
It was a private company.
I think it's still private.
It's gone through some ups and downs
since the New York Times article,
they had to change their revenue stream.
They no longer take third party customers.
Now they only work with government and law enforcement.
Okay, so Fawkes is a tool you invented to fight that kind of facial recognition abuse.
Is Fawkes an app or software that anyone can use?
Fawkes was designed as a research paper and algorithm, but we did produce a little app.
I think it went over a million downloads.
We stopped keeping track of it, but we still have a mailing list and that mailing list is actually
how some artists reach out.
When Ben Zhao says that some artists reached out, that was how he started down his current path,
defending visual artists. A Belgian artist named Kim Van Deun, who's
known for her illustrations of fantasy creatures, sent Zhao an invitation to a town hall meeting
about AI artwork. It was hosted by a Los Angeles organization called Concept Art Association,
and it featured representatives from the US Copyright Office. What was the purpose of
this meeting? Artists had been noticing that when people searched for their work online, the results
were often AI knockoffs of their work.
It went even further than that.
Their original images had been scraped from the internet and used to train the AI models
that can generate an image from a text prompt.
You've probably heard of these text-to-image models, maybe even
used some of them. There is DALL-E from OpenAI, Imagen from Google, Image
Playground from Apple, Stable Diffusion from Stability AI, and Midjourney from
the San Francisco research lab of the same name. These companies will go out
and they'll run scrapers, little tools that go online and basically suck up any semblance
of imagery, especially high quality imagery from online websites.
In the case of an artist like Van Deun, this might include her online portfolio, which
is something you want to be easily seen by the people you want to see it, but you don't
want sucked up by an AI.
It would download those images and run them through an image classifier to
generate some set of labels, and then take those pairs of images and labels
and feed them into the pipeline of some text-to-image model.
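As a purely illustrative sketch of that scrape-label-feed pipeline in Python: the captioning model named below is just one publicly available example, and the URL is a placeholder.

```python
import io
import requests
from PIL import Image
from transformers import pipeline

# Auto-captioner that plays the role of the "image classifier" generating labels.
captioner = pipeline("image-to-text", model="Salesforce/blip-image-captioning-base")

def scrape_and_label(image_urls):
    """Download each image, auto-caption it, and emit (image, label) training pairs."""
    pairs = []
    for url in image_urls:
        img = Image.open(io.BytesIO(requests.get(url, timeout=10).content)).convert("RGB")
        caption = captioner(img)[0]["generated_text"]   # e.g. "a painting of a dragon"
        pairs.append((img, caption))                    # later fed to a text-to-image trainer
    return pairs

# pairs = scrape_and_label(["https://example.com/portfolio/dragon.jpg"])
```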
So Ben, I know that some companies, including OpenAI have announced programs
to let content creators opt out of AI
training. How meaningful is that? Well, opting out assumes a lot of things. It
assumes benign acquiescence from the technology makers. Benign acquiescence
meaning they have to actually do what they say they're gonna do? Yeah, exactly.
Opting out is toothless because you can't prove it in the machine learning
business.
Even if someone completely went against their word and said, okay, here's my opt-out list,
and then immediately trained on all their content, you just lack the technology to prove it.
And so what's to stop someone from basically going back on their word when we're talking
about billions of dollars at stake?
Really, you're hoping and praying someone's being nice to you.
So, Ben Zhao wanted to find a way to help artists fight back against their work being either forged or stolen by these mimicry machines.
A big part of their misuse is when they assume the identity of others.
So this idea of right of publicity and the idea that we own our faces, our voices, our
identity, our skills and work product, that is very much a core of how we define ourselves.
For artists, it's the fact that they take decades to hone their skill and to become
known for a particular style.
So when that's taken against their will without their permission, that is a type of identity
theft if you will.
In addition to identity theft, there can be the theft of a job, a livelihood.
Right now, many of these models are being used to replace human creatives.
If you look at some of the movie studios, the gaming studios, or publishing houses,
artists and teams of artists are being laid off.
One or two remaining artists are being told,
here you have a budget, here's Midjourney,
I want you to use your artistic vision and skill to basically craft these AI images
to replace the work product of the entire team who's now been laid off.
So Zhao's solution was to poison the system that was causing this trouble.
Poison is sort of a technical term in the research community. Basically it means
manipulating training data in such a way to get AI models to do something perhaps
unexpected, perhaps more aligned with your goals than the original trainers intended.
They came up with two poisoning tools, one called Glaze, the other Nightshade. Glaze is all about making it harder to target and mimic
individual artists. Nightshade is a little bit more far-reaching. Its goal
is primarily to make training on internet scraped data more expensive than
it is now. Perhaps more expensive than actually licensing legitimate data, which ultimately is our hope
that this would push some of these AI companies to seek out legitimate licensing deals with
artists so that they can properly be compensated.
Can you just talk about the leverage and power that these AI companies have and how they've
been able to amass that leverage?
We're talking about companies and stakeholders who have trillions in market cap,
the richest companies on the planet by definition.
So that completely changes the game.
It means that when they want things to go a certain way,
whether it's lobbyists on Capitol Hill,
whether it's media control and inundating
journalists and running ginormous national expos and trade shows of whatever they want,
nothing is off limits.
That completely changes the power dynamics of what you're talking about.
The closest analogy I can draw on is in the early 2000s, we had music piracy.
Folks who are old enough remember that was a free for all.
People could just share whatever they wanted.
Of course, there were questions of
legality and copyright violations and so on.
But there, it was very,
very different from what it is today.
Those with the power and the money and
the control were the copyright
holders. So the outcome was very clear.
Well, it took a while to get there, right? Napster really thrived for several years before
it got shut down.
Right, exactly.
But in that case, you're saying that the people who not necessarily generated but owned or
licensed the content were established and rich enough themselves
so that they could fight back against the intruders.
Exactly. You had armies of lawyers. When you consider that sort of situation and how it
is now, it's the complete polar opposite.
Meaning it's the bad guys who have all the lawyers.
Well, I wouldn't say necessarily bad guys, but certainly the folks who in many cases are pushing profit motives that perhaps bring harm to less represented minorities who don't
have the agency, who don't have the money to hire their own lawyers and who can't defend
themselves.
I mean, that has become kind of an ethic of a lot of business in the last 20, 30 years,
especially coming out of Silicon Valley.
You know, you think about how Travis Kalanick
used to talk about Uber.
It's much easier to just go into a big market,
like New York, where something like Uber would be illegal,
and just let it go, let it get established,
and then let the city come and sue you
after it's established.
So better to ask for forgiveness than permission?
These companies are basically exploiting the fact that we know lawsuits and enforcement
of new laws are going to take years.
And so the idea is, let's take advantage of this time and before these things catch up,
we're already going to be established, we already are going to be essential, and we
already are going to be making billions.
And then we'll worry about the legal costs because really,
to many of them, the legal costs and the penalties that are involved,
billions of dollars, is really a drop in the bucket.
Indeed, the biggest tech firms in the world are all racing one another to the top of the AI mountain.
They've all invested heavily in AI and the markets have, so far at least, rewarded them.
The share prices of the so-called Magnificent 7 stocks, Alphabet, Amazon, Apple, Meta, Microsoft,
Nvidia, and Tesla, rose more than 60% in 2024. And these 7 stocks now represent 33% of the value of
the S&P 500. This pursuit of more and better AI will have knock-on effects, too.
Consider their electricity needs.
One estimate finds that building the data centers to train and operate the new breed
of AI models will require 60 gigawatts of energy capacity.
That's enough to power roughly a third of the homes in the US. In order to
generate all that electricity and to keep their commitments to clean energy, OpenAI,
Amazon, Google, Meta, and Microsoft have all invested big in nuclear power. Microsoft recently
announced a plan to help revive Three Mile Island. If you want to learn more about the
potential for a nuclear power
renaissance in the US, we made an episode about that, number 516, called
Nuclear Power Isn't Perfect, Is It Good Enough? Meanwhile, do a handful of
computer scientists at the University of Chicago have any chance of slowing down
this AI juggernaut? Coming up after the break, we will hear how
Ben Zhao's poison works.
We will actually generate a nice looking cow
with nothing particularly distracting in the background
and the cow is staring you right in the face.
I'm Stephen Dubner, this is Freakonomics Radio.
We'll be right back.
In his computer science lab at the University of Chicago, Ben Zhao and his team have created
a pair of tools designed to prevent artificial intelligence programs from exploiting the
images created
by human artists.
These tools are called Glaze and Nightshade.
They work in similar ways, but with different targets.
Glaze came first.
Glaze is all about how do we protect individual artists so that a third party does not mimic
them using some local model.
It's much less about these model training companies than it is about individual
users who say, gosh, I like so and so's art, but I don't want to pay them.
So in fact, what I'll do is I'll take my local copy of a model,
I'll fine tune it on that artist's artwork, and then have that model try to mimic
them and their style so that I can ask a model to output artistic works
that look like human art from that artist,
except I don't have to pay them anything.
And how about Nightshade?
What it does is it takes images,
it alters them in such a way that they basically look like
they're the same, but to a particular AI model
that's trying to train on this,
what it sees are the visual features that actually associate it with something entirely different.
For example, you can take an image of a cow eating grass in a field,
and if you apply it to Nightshade, perhaps that image instead teaches not so much the bovine cow features,
but the features of a 1940s pickup truck.
What happens then is that as
that image goes into the training process,
that label of this is a cow will become
associated in the model
that's trying to learn about what does a cow look like.
It's going to read this image and in its own language that image is going
to tell it that a cow has four wheels, a cow has a big hood and a fender and a trunk. Nightshade
images tend to be much more potent than usual images, so that even when it's just
seen a few hundred of them, the model is willing to throw away everything that it's learned
from the hundreds of thousands of other images of cows
and declare that its understanding has now adapted: in fact, cows have a shiny bumper and four wheels.
Once that has happened, when someone asks the model, give me a cow eating grass, the model might generate a car with a pile of hay on top. The underlying process of creating this AI poison is,
as you might imagine, quite complicated.
But for an artist who's using Nightshade,
who wants to sprinkle a few invisible pixels of poison
on their original work, it's pretty straightforward.
There's a couple of parameters about intensity,
how strongly you want to change the image.
You set the parameters, you hit go, and out comes an image that may look a little bit
different.
Sometimes there are tiny little artifacts that if you blow it up you'll see.
But in general, it basically looks like your old image except with these tiny little tweaks
everywhere in such a way that the AI model, when it sees it, will see something entirely
different.
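A conceptual sketch of the idea, in the spirit of the Nightshade paper rather than the released tool: the same flavor of optimization as the cloaking sketch earlier, but aimed at the image encoder a text-to-image trainer relies on, and the poisoned file keeps its honest-looking "cow" caption. The encoder, the anchor image, and the budget below are illustrative stand-ins.

```python
import torch

def shade(cow_image, truck_anchor, encoder, budget=0.05, steps=300, lr=0.005):
    """Perturb a cow photo so a trainer's image encoder 'sees' the truck anchor.
    To a human the file still looks like a cow and still ships with its cow caption."""
    delta = torch.zeros_like(cow_image, requires_grad=True)
    target = encoder(truck_anchor).detach()          # features of the unrelated concept
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        opt.zero_grad()
        poisoned = (cow_image + delta).clamp(0, 1)
        torch.nn.functional.mse_loss(encoder(poisoned), target).backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-budget, budget)            # keep the change visually negligible
    return (cow_image + delta).detach().clamp(0, 1)  # training pair: (this image, "a cow")
```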
That entirely different thing is not chosen by the user.
It's Nightshade that decides whether your image of a cow becomes a 1940s pickup truck
versus, say, a cactus.
And there's a reason for that.
The concept of poisoning is that you are trying to convince the model that's training on these
images that something looks like something else entirely, right?
So we're trying, for example, to convince a particular model
that a cow has four tires and a bumper.
But in order for that to happen, you need numbers.
You don't need millions of images to convince it,
but you need a few hundred.
And of course, the more, the merrier.
And so you want everybody who uses Nightshade around the world, whether they're photographers
or illustrators or graphic artists, you want them all to have the same effect.
So whenever someone paints a picture of a cow, takes a photo of a cow, draws an illustration
of a cow, draws a clip art of a cow, you want all those nightshaded effects to be consistent
in their target.
In order to do that, we have to take control of what the target actually is, ourselves, inside the software.
If you gave users that level of control, then chances are people would choose very different things.
Some people might say, I want my cow to be a cat, I want my cow to be the sun rising.
If you were to do that, the poison would not be as strong. And what do the artificial intelligence companies think about this nightshade being thrown at
them? A spokesperson for OpenAI recently described data poisoning as a type of abuse. AI researchers
previously thought that their models were impervious to poisoning attacks, but Ben Zhao
says that the AI training models
are actually quite easy to fool.
His free Nightshade app has been downloaded
over two million times, so it's safe to say
that plenty of images have already been shaded.
But how can you tell if Nightshade is actually working?
You probably won't see the effects of Nightshade.
If you did see it in the wild, it would be models giving you wrong answers to things that you're asking for. But the people who are
creating these models are not foolish. They are highly trained professionals. So
they're gonna have lots of testing on any of these models. We would expect that
effects of nightshade would actually be detected in the model training process.
It'll become a nuisance, and perhaps what really will happen
is that certain versions of models post-training will be detected
to have certain failures inside them,
and perhaps they'll have to roll them back.
So I think really that's more likely to cause delays
and more likely to cause costs of these model training processes to go up.
The AI companies, they really have to work on millions, potentially billions of images.
So it's not necessarily the fact that they can't detect nightshade on a particular image,
it's the question of can they detect nightshade on a billion images in a split second with
minimal cost.
Because any one of those factors that goes up significantly will mean that their operation
becomes much, much more expensive.
And perhaps it is time to say, well, maybe we'll license artists and get them to give
us legitimate images that won't have these questionable things inside them.
Is it the case that your primary motivation here really was an economic one, of getting
producers of labor, in this case artists, simply to be paid for their work, which was being stolen?
Yeah, I mean really it boils down to that. I came into it not so much thinking about economics as I was just
seeing people that I respected and had affinity for
be severely harmed by some of this technology.
In whatever way that they can be protected, that's ultimately the goal. In that scenario,
the outcome would be licensing so that they can actually maintain a livelihood and maintain the
vibrancy of that industry. When you say these are people you respect and have affinity for,
I'm guessing you being an academic computer scientist, you also have respect and affinity for,
and I'm sure you know many people
in the AI machine learning community
on the firm side though, right?
Yes, yes, of course.
Colleagues and former students in that space.
And how do they feel about Ben Zhao?
It's quite interesting, really.
I go to conferences, same as I usually do,
and many people resonate with what we're trying to do. We've gotten a bunch of awards and such from the community.
As far as folks who are actually employed by some of these companies, some of them,
I have to say, appreciate our work.
They may or may not have the agency to publicly speak about it, but lots of private conversations
where people are very excited.
I will say that, yeah, there have been some cooling effects,
burned bridges with some people.
I think it really comes down to how you see your priorities.
It's not so much about where employment lies,
but it really is about how personally you see
the value of technology versus the value of people.
And oftentimes it's a very binary decision.
People tend to go one way or the other rather hard.
I think most of these bigger decisions, acquisitions, strategy and whatnot are largely in the hands
of executives way up top.
These are massive corporations and many people are very much aware of some of the stakes
and perhaps might disagree with some of the technological stances that are being
taken but everybody has to make a living.
Big tech is one of the best ways to make a living.
Obviously they compensate people very well.
I would say there's a lot of pressure there as well.
We just had that recent news item that the young whistleblower from OpenAI just tragically
passed away.
Zhao is talking here about Suchir Balaji,
a 26-year-old former researcher at OpenAI,
the firm best known for creating ChatGPT.
Balaji died by apparent suicide
in his apartment in San Francisco.
He had publicly charged OpenAI
with potential copyright violations,
and he left the company because of ethical concerns.
Whistleblowers like that are incredibly rare because the risks that you're taking
on when you publicly speak out against your former employer,
that is tremendous courage. That is an unbelievable act.
It's a lot to ask.
I feel that we don't speak so much about ethics in the business world.
I know they teach it in business schools,
but my feeling is that by the time you're teaching the ethics
course in the business school, it's because things are already
in tough shape.
Many people obviously have strong moral and ethical make-ups,
but I feel there is an absence of courage.
And since you just named that word, you said you have to have an enormous amount of courage to stand up for what you think may be right. And since there is so
much leverage in these firms, as you noted,
I'm curious if you have any message to the young employee or the soon-to-be graduate who says yeah, sure
I would absolutely love to go work for an AI firm because it's bleeding
edge, it pays well, it's exciting, and so on.
But they're also feeling like it's contributing to a pace of technology that is too much for
humankind right now.
What would you say to that person?
How would you ask them to examine, if not their soul or something, at least their courage
profile?
Yeah, what a great question.
I mean, it may not be surprising, but as a computer science professor, I actually have
these kind of conversations relatively often.
This past quarter, I taught many second year and third year computer science majors, and
many of them came up to me in office hours and asked very similar kind of questions.
They said, look, I really want to push back on some of these harms. On the other hand, look at these job opportunities. Here's this great golden
ticket to the future, and what can you do? It's fascinating. I don't blame them for
making any particular decision, but I applaud them for even being aware of some of the issues
that I think many in the media and many in Silicon Valley certainly have trouble recognizing. There is a level of ground truth underneath all this, which is that these
models are limited. There is an exceptional level of hype like we've
never seen before. That bubble is in many ways in the middle of bursting right now.
Why do you say that? There have been many papers published on the fact that these
generative AI models are essentially at their limit in terms of training data.
To get better, you need something like double the amount of data that has ever been created by humanity.
And you're not going to get that by buying Twitter or by licensing from Reddit or New York Times or anywhere.
You've seen now recent reports about how Google and OpenAI are having trouble improving upon their models.
That's common sense. They're running out of data, and no amount of scraping or licensing will fix that.
Bloomberg News recently reported that OpenAI, Google, and Anthropic have all had trouble releasing their next-generation AI models because of this plateauing effect.
Some commentators say that AI growth overall
may be hitting a wall.
In response to that, OpenAI CEO Sam Altman tweeted,
there is no wall.
Ben Zhao is in the wall camp.
And then, of course, just the fact
that there are very few legitimate revenue-generating applications
that will even come close to compensating for the amount of investment that VCs and these companies are pouring in.
Obviously, I'm biased doing what I do,
but I thought about this problem for quite some time, and honestly, these are great interpolation machines.
These are great mimicry machines, but there's only so many things that you can do with them.
They are not going to produce entire movies,
entire TV shows, entire books to
anywhere near the value that humans will actually want to consume.
They can disrupt and they can bring down the value of a bunch of industries,
but they are not going to actually generate much revenue in and of themselves.
I see that bubble bursting.
And so what I say to these students oftentimes is that things will take their
course and you don't need to push back actively.
All you need to do is to not get swept along with the hype.
When the tide turns, you will be well positioned.
You will be better positioned than most to come out of it having a clear head and
being able to go back to the fundamentals of
why did you go to school? Why did you go to the University of Chicago, and all the education
that you've undergone, to use your human mind? Because it will be shown that humans will be
better than AI will ever pretend to be. Coming up after the break, why isn't Ben Zhao out in
the private sector trying to make his billions?
I'm Stephen Dubner.
This is Freakonomics Radio.
We'll be right back.
It's easy to talk about the harms posed by artificial intelligence, but let's not
ignore the benefits.
That's where we started this episode, hearing from the economist Erik Brynjolfsson.
If you think about something like the medical applications alone, AI is plainly a major
force, and just to be witness to a revolution of this scale is exciting. Its evolution will
continue in ways that, of course, we can't predict. But as the University of Chicago
computer scientist Ben Zhao has been telling us today, AI growth may be slowing down. And
the law may be creeping closer to some of these companies too. OpenAI and Microsoft are both being sued by the New York Times.
Anthropic is fighting claims from Universal Music that it misused copyrighted lyrics.
And related to Zhao's work, a group of artists are suing Stability AI, Midjourney, and DeviantArt
for copyright infringement and trademark claims. But Zhao says that the argument about AI and art is about more than just intellectual property
rights.
Art is interesting when it has intention, when there's meaning and context.
So when AI tries to replace that, it has no context and meaning.
Art replicated by AI, generally speaking, loses the point.
It is not about automation.
I think that is a mistaken analogy
that people will oftentimes bring up.
They say, well, you know,
what about the horse and buggy and the automobile?
No, this is actually not about that at all.
AI does not reproduce human art at a faster rate.
What AI does is it takes past samples of human art,
shakes it in a kaleidoscope, and gives
you a mixture of what has already existed before.
So when you talk about the scope of the potential problems, everything from the human voice,
the face, pieces of art, basically anything ever generated that can be reproduced in some
way, it sounds like you are, no offense, a tiny little band
of Don Quixotes there in the middle of the country tilting at these massive global windmills of
artificial intelligence and technology overlordship and the amount of money being
invested right now in AI firms is really almost unimaginable. They could probably start up a
thousand labs like yours within a week
to crush you.
Not that I'm encouraging that, but I'm curious, on the one hand, you said, well, there is
a bubble coming because of, let's call it, data limitations.
On the other hand, when there's an incentive to get something for less or for nothing and
to turn it into something else that's profitable in some way, whether for crime or legitimate seeming purposes, people
are going to do that.
And I'm just curious how hopeless or hopeful you may feel about this kind of effort.
What's interesting about computer security is that it's not necessarily about numbers.
If it's a brute force attack, I can run through all your PINs and it doesn't matter how ingenious they are, I will eventually come up with the
right one. But for many instances, it is not about brute force and resource riches. So
yeah, I am hopeful. We're looking at vulnerabilities that we consider to be fundamental in some
of these models and we're using them to slow down the machine. I don't necessarily wake up in the morning thinking, oh yeah, I'm gonna topple OpenAI or Google or anything like that.
That's not necessarily the goal. I see this as more of a process in motion. This hype is a storm that will eventually
blow over and how I see my role in this is not so much to necessarily stop the storm.
I'm more, if you will, a giant umbrella.
I'm trying to cover as many people as possible and shield them from the short-term harm.
What gives you such confidence that the storm will blow over or that there will be maybe more umbrellas
other than what you pointed out as the data limitations in the near term?
And maybe you know better than all of us,
maybe data limitations and computing limitations
are such that the fears that many people have
will never come true.
But it doesn't seem like momentum is moving in your favor.
It seems it's moving in their favor.
I would actually disagree, but that's okay.
We can have that discussion, right?
Look, you're the guy that knows stuff.
I'm just asking the questions.
I don't know anything about this.
No, no.
I think this is a great conversation to have because back in 2022 or early 2023, when I
used to talk to journalists, the conversation was very, very different.
The conversation was always, when is AGI coming?
What industries will be completely useless in a year or two?
It was never the question of like, are we going to get return on investment for these billions and trillions of dollars? Are these
applications going to be legit? So even in the year and a half since then, the
conversation has changed materially because the truth has come out. These
models are actually having trouble generating any sort of realistic value.
I'm not saying that they're completely useless. There's certain scientific applications or daily applications where it is handy,
but it is far, far less than what people had hoped them to be. And so yeah, you
know, how do I believe it? Part of this is hubris. I've been a professor for 20
years. I've been trained or I've been training myself to believe in myself in
a way. Another answer to this question is that it really is irrelevant, because the harms are happening to people in real time.
So it's not about whether we will eventually win, or whether this will happen eventually in the
end. If people's lives are being affected on a daily basis and
I can make a difference in that, then that is worthwhile in and of itself,
regardless of the outcome. If I were a cynic or maybe a certain kind of operative, I might think that maybe
Ben Zhao is the poison. Maybe in fact you're a bot talking down the industry, both in intention
and in capabilities, and who knows, for what reason, maybe you're even shorting
the industry in the markets or something.
I kind of doubt that's true, but you know, we've all learned to be suspicious of just
about everybody these days.
Where would you say you fall on the spectrum of makers versus hardcore activists, let's
say?
Because I think in every realm throughout history, whenever there's a new technology, there are activists who overreact and often protest against new technologies
in ways that in retrospect are revealed to have been either short-sighted or self-interested.
So that's a big charge I'm putting on you.
Persuade me that you are neither short-sighted nor self-interested, please.
Sure.
Very interesting.
Okay, let me unpack that a little bit there.
The thing that allows me to do the kind of work that I do now, I recognize as quite a
privilege.
The position of being a senior tenured professor means that, honestly, I don't have many of the pressures
that some of my younger colleagues do.
You have your own lab at the University of Chicago with your wife.
When I read about this, I think, how did you get the funding?
Did you have some kind of blackmail material on the UChicago budget people?
No, I mean, all of our grants are quite public.
And I'm pretty sure that I'm not the most well-funded professor in the department.
I run a pretty regular lab.
We write a few grants, but it's nothing earth-shaking.
It's just what we turn our time towards, that's all.
There's very little that drives me these days outside of just wanting my students to succeed.
I don't have the pressures of needing to establish a reputation
or explain to colleagues who I am and why I do what I do.
So in that sense, I almost don't care.
In terms of self-interest, none of these products have any
money attached to them in any way shape or form and I've tried very very hard to keep it that way.
There's no startup, there's no hidden profit motive or revenue here. So that simplifies things for me.
When you say that you don't want to commercialize these tools,
I assume the University of Chicago is not pressing you to do so?
No.
The university always encourages entrepreneurship.
They always encourage licensing.
But they certainly have no control over what we do or don't do
with our technology.
This is sort of the reality of economics and academic research.
We, as a lab, have a stream of PhD students that come through and we train
them, they do research along the way, and then they graduate and then they leave. For
things like Fawkes where, you know, this was the idea, here's the tool, here's some code,
we put that out there, but ultimately we don't expect to be maintaining that software for
years to come, we just don't have the resources.
That sounds like a shame if you come up with a good tool.
Well, the idea behind academic research is always that if you have the good ideas and
you demonstrate it, then someone else will carry it across the finish line, whether that's
a startup or a research lab elsewhere.
But somebody with resources who sees that need and understands it will go ahead and
produce that physical tool or make that software and actually maintain it.
Since you're not going to commercialize
or turn it into a firm, let's say you continue
to make tools that continue to be useful
and that they scale up and up and up.
And let's say that your tools become an integral part
of the shield against villainous technology,
let's just call it.
Are you concerned that it will outgrow you and
will need to be administered by other academics or maybe governments and so on?
You know, at a high level I think that's great. I think if we get to that point
that will be a very welcome problem to have. We are in the process of exploring
perhaps what a nonprofit organization would look like because that would sort
of make some of these questions transparent.
It would.
That's what Elon Musk once said about OpenAI, I believe, correct?
Well, yeah, very different type of nonprofit, I would argue.
I'm more interested in being just the first person to walk down a particular path and
encouraging others to follow.
So I would love it if we were not the only technology in the space.
Every time I see one of these other research papers that works to protect human creatives, I applaud all that.
In order for AI and human creativity to coexist in the future,
they have to have a complementary relationship.
What that really means is that AI needs
human work product or images or text in order to survive.
So they need humans and humans really need to be compensated
for this work that they're producing.
Otherwise, if human artistry dies out,
then AI will die out because they're gonna have nothing new
to learn on and they're just gonna get stale and fall apart.
I'm feeling a strong Robin Hood vibe here.
Stealing from the rich, giving to the poor,
but also what you're describing, your defense mechanism,
it's like you are a bow, but you don't have an arrow.
But if they shoot an arrow at you,
then you can take the arrow and shoot it back at them
and hit them where it really hurts.
Over the last couple of years,
I've been practicing lots of fun analogies.
Barbed wire is one, the large Doberman in your backyard.
One particularly funny one is the hot sauce
that you put on your lunch.
So if that unscrupulous coworker steals your lunch repeatedly, they get a tummy ache.
But wait a minute, you have to eat your lunch too. That doesn't sound very good.
Well, you know, you eat the portion that you know is good and then you leave out some stuff that... Got it, got it.
Can you maybe envision or describe what might be a fair
economic solution here, a deal that would let the AI models get what they want
without the creators being ripped off?
Boy, that's a bit of a loaded question because, honestly, we don't know.
It really comes down to how these models are being used.
Ultimately, I think what people want is creative content that's crafted by humans.
In that sense, the fair system would be generative AI systems that stayed out of the creative domain,
that continue to let human creatives do what they do best,
to create really truly imaginative ideas and visuals,
and then use generative AI for domains where it is more reasonable.
For example, conversational chatbots seem like
a reasonable use for them as long as they don't hallucinate.
I'm just curious why you care about artists. Most people, at least in positions of power, don't seem to go to bat for people who make stuff.
And when I say most people in positions of power, I would certainly include most academic economists. So of all the different labor forces that are being affected by AI, there are retail workers, people in manufacturing, medicine, on and
on and on, why go to bat for artists?
Certainly I know it's not because I'm an artist; I'm not particularly
artistic. Some people can say there's an inkling of creativity in what we do, but it's not nearly
the same.
I guess what I will say is creativity is inspiring.
Artists are inspiring.
Whenever I think back to what I know of art and how I appreciate art, I think back to
college.
You know, I went to Yale and I remember many cold Saturday mornings.
I would walk out and there's piles of snow and
everything would be super quiet and I would take a short walk over to the Yale
Art Gallery and it was amazing. I would be able to wander through halls of
masterpieces, nobody there except me and maybe a couple of security guards. It's
always been inspiring to me how people can see the world so differently
through the same eyes, through the same physical mechanism. That is how I get a
lot of my research done, is I try to see the world differently and it gives me
ideas. So when I meet artists and when I talk to artists, I see what they can do,
I see the imagination that they have at their disposal that I see nowhere else.
You know, creativity, it's the best of humanity.
What else is there?
That was Ben Zhao.
He helps run the SAND Lab at the University of Chicago.
You can see a lot of their work on the SAND Lab website.
While you're online, you may also want to check out a new museum scheduled to open this
year in Los Angeles.
It's called Dataland, and it is the world's first museum devoted to art that is generated
by AI.
Maybe I will run into Ben Zhao there someday, and maybe I'll run into you too.
I will definitely be in LA soon.
On February 13th, we are putting on Freakonomics Radio live
at the gorgeous Ebell Theater.
Tickets are at Freakonomics.com slash live shows.
I hope to see you there.
Coming up next time on the show,
are you ready for some football?
The Super Bowl is coming up and we will be talking about one of the most undervalued
positions in the game, the running back.
Why are my boys being paid less when these quarterbacks who aren't nearly as tough as
running backs are being paid more?
But wait a minute, running backs used to be the game's superstars and they were paid
accordingly.
What happened?
This is a classic example of multivariate causation.
Okay, that doesn't sound very exciting, but the details are, I promise.
We will hear from the eggheads, the agents, and the players.
You're telling me that you'd be a great difference maker,
and I can't get paid the right value for my position.
And we'll ask whether this year's NFL season
has marked a return to glory for the running back.
That's next time on the show.
Until then, take care of yourself
and if you can, someone else too.
Freakonomics Radio is produced by Stitcher
and Renbud Radio.
You can find our entire archive on any podcast app, also
at Freakonomics.com, where we publish transcripts and show notes. This episode was produced
by Theo Jacobs. The Freakonomics Radio Network staff also includes Alina Kulman, Augusta
Chapman, Dalvin Aboagye, Eleanor Osborne, Ellen Frankman, Elsa Hernandez, Gabriel Roth,
Greg Rippin, Jasmin Klinger, Jeremy Johnston, John Schnaars,
Morgan Levey, Neal Carruth, Sarah Lilley, and Zack Lapinski.
Our theme song is Mr. Fortune by the Hitchhikers, and our composer is Luis Guerra.
As always, thank you for listening.
When I don't have a shredder around and I need to put something in the trash that I
don't want anyone to see, I just put some ketchup on it.
The Freakonomics Radio Network.
The hidden side of everything.