żěè¶ĚĘÓƵ

Why curbing chatbots’ worst exploits is a game of whack-a-mole

AI companies are trying to impose safety measures on their chatbots, while researchers are finding ways around them all the time. Where will this end, asks Alex Wilkins

2R6BX6F Illustration of symbolic representations of good and evil AI morality.

It has become common for artificial intelligence companies to claim that the worst things their chatbots can be used for can be mitigated by adding “safety guardrails”. These can range from seemingly simple solutions, like warning the chatbots to look out for certain requests, to more complex software fixes – but none is foolproof. And almost on a weekly basis, researchers find new ways to get around these measures, called jailbreaks.

You might be wondering why this is an issue – what’s the worst that could happen? One bleak scenario might be an AI being used to fabricate a lethal bioweapon, but many people say outcomes like this are unrealistic given current AI capabilities. However, there are still fearsome possibilities with today’s tech. An AI with no safety measures could pump out fake articles to try to swing voters, or to manipulate people in more personal ways, acting as a friend to steal personal information.

When I asked Anthropic’s Claude 3 – widely viewed as one of the most advanced chatbots going – for the scariest possibility, it proposed a scenario in which someone uses “a jailbroken AI to analyse a teenager’s social media activity, identifying their insecurities, fears, and desires. The AI then generates personalised content, perhaps in the form of direct messages or targeted ads, designed to prey on those vulnerabilities.” It sounds sinister, but it is perfectly believable.

With the stakes so high, AI companies are keen to impress on us how much time and effort they spend making sure their models don’t do this sort of stuff. OpenAI that, before releasing GPT-4, the model that powers the latest version of ChatGPT, it spent six months testing to make sure of its safety. Anthropic, launched by a splinter group from OpenAI concerned over AI safety, also emphasises that it spends a lot of time thinking about safety.

But these firms aren’t claiming that any model is perfectly safe, because they can’t. In just the past month, we have been told about three major new ways to jailbreak some of the largest chatbot models, including GPT-4 and Claude 3. One method came from , which discovered that for a model that accepts book-length text inputs, repeatedly giving examples of behaviour it was trained to view as bad can convince the model it is fine for it to output that behaviour. found that slowly escalating from innocuous requests, such as asking about the history of the Finnish winter war, to dangerous ones, like asking how to make Molotov cocktails (which the Finnish soldiers used in this war), could circumvent guardrails.

The fact these jailbreaks were discovered by AI firms is used as evidence that they are taking AI safety seriously and that they can implement fixes before this technology is used for misdeeds. But the constant back and forth between finding new ways to manipulate the models and fixes for them is a bit like a game of whack-a-mole. And worse, some of these jailbreaks don’t have convincing solutions. Researchers at the Swiss Federal Institute of Technology in Lausanne a technique to use the chatbots’ own outputs – or, the probability that a particular word would come next in a sequence of words – to create a jailbreak with a “nearly 100% attack success rate” on almost every major public model. This can be adapted to perform requests like the scenarios I mentioned earlier.

Of course, hacking and jailbreaking software isn’t new, and the cat-and-mouse game of finding and fixing security exploits is an established part of cybersecurity. But where these exploits often have a limited impact, jailbroken AIs can have far-reaching consequences.

Firms like Anthropic say they are optimistic their models can be made safe through technical fixes, like giving models more feedback on what is right and wrong, and improving our understanding of how they work and learn. But there is no certainty that this will lead to totally safe systems, or whether that is even possible.

In the meantime, you might be wondering how you can protect yourself against impersonation by or misinformation from jailbroken AIs. The bad news is that it is difficult. Several studies have shown that reliably detecting AI-generated text is impossible, so it isn’t as simple as having an automatic AI detector.

One thing you could do to help protect against AIs pretending to be you or people you know is to establish safe words with close friends and family. If, on a call or online chat, you suspect someone of not being who they say they are, you can ask them for your safe word. This might offer a measure of protection, but, unfortunately, won’t protect against all attacks.

Alex’s week

What I’m reading

The Bell Jar by Sylvia Plath. By no means uplifting, but honest and occasionally beautiful.

What I’m watching

I recently rewatched Eternal Sunshine of the Spotless Mind and had forgotten how stunning and perfect a film it is.

What I’m working on

There’s a raft of new books coming out examining how AI might affect the future, so I am reading as many of them as I can for a review.

Alex Wilkins is a New żěè¶ĚĘÓƵ reporter covering artificial intelligence, physics and space. Artificially intelligent is a column that cuts through the hype and looks at what AI is really capable of and what it means for us. You can follow him @‌AlexWilkins22

Topics: AI / ChatGPT / Technology