One, yes, some models were trained on CSAM. In AI you’ll have checkpoints in a model. As a model learns new things, you have a new checkpoint. SD1.5 was the base model used in this. SD1.5 itself was not trained on any CSAM, but people have giving additional training to SD1.5 to create new checkpoints that have CSAM baked in. Likely, this is what this person was using.
Two, yes, you can get something out of a model that was never in the model to begin with. It’s complicated, but a way to think about it is, a program draws raw pixels to the screen. Your GPU applies some math to smooth that out. That math adds additional information that the program never distinctly pushed to your screen.
Models have tensors which long story short, is a way to express an average way pixels should land to arrive at some object. This is why you see six fingered people in AI art. There wasn’t any six fingered person fed into the model, what you are seeing the averaging of weights pushing pixels between two different relationships for the word “hand”. That averaging is adding new information in the expression of an additional finger.
I won’t deep dive into the maths of it. But there’s ways to coax new ways to average weights to arrive at new outcomes. The training part is what tells the relationship between A and C to be B’. But if we wanted D’ as the outcome, we could retrain the model to have C and E averaging OR we could use things call LoRAs to change the low order ranking of B’ to D’. This doesn’t require us to retrain the model, we are just providing guidance on ways to average things that the model has already seen. Retraining on C and E to D’ is the part old models and checkpoints used to go and that requires a lot of images to retrain that. Taking the outcome B’ and putting a thumb on the scale to put it to D’ is an easier route, that just requires a generalized teaching of how to skew the weights and is much easier.
I know this is massively summarizing things and yeah I get it, it’s a bit hard to conceptualize how we can go from something like MSAA to generating CSAM. And yeah, I’m skipping over a lot of steps here. But at the end of the day, those tensors are just numbers that tell the program how to push pixels around given a word. You can maths those numbers to give results that the numbers weren’t originally arranged to do in the first place. AI models are not databases, they aren’t recalling pixel for pixel images they’ve seen before, they’re averaging out averages of averages.
I think this case will be slam dunk because highly likely this person’s model was an SD1.5 checkpoint that was trained on very bad things. But with the advent of being able to change how averages themselves and not the source tensors in the model work, you can teach new ways for a model to average weights to obtain results the model didn’t originally have, without any kind of source material to train the model. It’s like the difference between Spatial antialiasing and MSAA.
In the eyes of the law, intent does matter, as well as how it’s responded to.
For csam material, you have to knowingly possess it or have sought to possess it.
The AI companies use a project that indexes everything on the Internet, like Google, but with publicly available free output.
They use this data via another project, https://laion.ai/ , which uses the data to find images with descriptions attached, do some tricks to validate that the descriptions make sense, and then publish a list of “location of the image, description of the image” pairs.
The AI companies use that list to grab the images train an AI on them in conjunction with the description.
So, people at Stanford were doing research on the laion dataset when they found the instances of csam.
The laion project pulled their datasets from being available while things were checked and new safeguards put in place.
The AI companies also pulled their models (if public) while the images were removed from the data set and new safeguards implemented.
Most of the csam images in the dataset were already gone by the time the AI companies would have attempted to access them, but some were not.
A very obvious lack of intent to acquire the material, in fact a lack of awareness the material was possessed at all, transparency in response, taking steps to prevent further distribution, and taking action to prevent it from happening again both provides a defensive against accusations, and will make anyone interested less likely to want to make those accusations.
On the other hand, the people who generated the images were knowingly doing so, which is a nono.
Quick things to note.
One, yes, some models were trained on CSAM. In AI you’ll have checkpoints in a model. As a model learns new things, you have a new checkpoint. SD1.5 was the base model used in this. SD1.5 itself was not trained on any CSAM, but people have giving additional training to SD1.5 to create new checkpoints that have CSAM baked in. Likely, this is what this person was using.
Two, yes, you can get something out of a model that was never in the model to begin with. It’s complicated, but a way to think about it is, a program draws raw pixels to the screen. Your GPU applies some math to smooth that out. That math adds additional information that the program never distinctly pushed to your screen.
Models have tensors which long story short, is a way to express an average way pixels should land to arrive at some object. This is why you see six fingered people in AI art. There wasn’t any six fingered person fed into the model, what you are seeing the averaging of weights pushing pixels between two different relationships for the word “hand”. That averaging is adding new information in the expression of an additional finger.
I won’t deep dive into the maths of it. But there’s ways to coax new ways to average weights to arrive at new outcomes. The training part is what tells the relationship between A and C to be B’. But if we wanted D’ as the outcome, we could retrain the model to have C and E averaging OR we could use things call LoRAs to change the low order ranking of B’ to D’. This doesn’t require us to retrain the model, we are just providing guidance on ways to average things that the model has already seen. Retraining on C and E to D’ is the part old models and checkpoints used to go and that requires a lot of images to retrain that. Taking the outcome B’ and putting a thumb on the scale to put it to D’ is an easier route, that just requires a generalized teaching of how to skew the weights and is much easier.
I know this is massively summarizing things and yeah I get it, it’s a bit hard to conceptualize how we can go from something like MSAA to generating CSAM. And yeah, I’m skipping over a lot of steps here. But at the end of the day, those tensors are just numbers that tell the program how to push pixels around given a word. You can maths those numbers to give results that the numbers weren’t originally arranged to do in the first place. AI models are not databases, they aren’t recalling pixel for pixel images they’ve seen before, they’re averaging out averages of averages.
I think this case will be slam dunk because highly likely this person’s model was an SD1.5 checkpoint that was trained on very bad things. But with the advent of being able to change how averages themselves and not the source tensors in the model work, you can teach new ways for a model to average weights to obtain results the model didn’t originally have, without any kind of source material to train the model. It’s like the difference between Spatial antialiasing and MSAA.
Shouldn’t the company’s who have the CSAM face consequences for possession of it? Seems like a double standard.
The government should be shutting down the source material.
In the eyes of the law, intent does matter, as well as how it’s responded to.
For csam material, you have to knowingly possess it or have sought to possess it.
The AI companies use a project that indexes everything on the Internet, like Google, but with publicly available free output.
https://commoncrawl.org/
They use this data via another project, https://laion.ai/ , which uses the data to find images with descriptions attached, do some tricks to validate that the descriptions make sense, and then publish a list of “location of the image, description of the image” pairs.
The AI companies use that list to grab the images train an AI on them in conjunction with the description.
So, people at Stanford were doing research on the laion dataset when they found the instances of csam. The laion project pulled their datasets from being available while things were checked and new safeguards put in place.
The AI companies also pulled their models (if public) while the images were removed from the data set and new safeguards implemented.
Most of the csam images in the dataset were already gone by the time the AI companies would have attempted to access them, but some were not.
A very obvious lack of intent to acquire the material, in fact a lack of awareness the material was possessed at all, transparency in response, taking steps to prevent further distribution, and taking action to prevent it from happening again both provides a defensive against accusations, and will make anyone interested less likely to want to make those accusations.
On the other hand, the people who generated the images were knowingly doing so, which is a nono.