A new image data tool dubbed Nightshade has been created by computer science researchers to "poison" data meant for text-to-image models. Nightshade adds imperceptible changes to creators’ images to uploaded online. If a data scraper subsequently adds one of these altered images to its data set, it will “introduce unexpected behaviors,” into the model, poisoning it.
A preview of a paper called Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models was recently published on arXiv, outlining the scope and functionality of Nightshade. MIT Technology Review has gained some further insight from talks with the team behind the project.
The issue of AI models being trained on data without explicit creator permission, and then ‘generating new data’ based on what it has learned, has been well covered in news in recent months. What appears to be a data scraping free-for-all followed by machine regurgitation, with little or no attribution, has caused creators from many disciplines to frown upon current generative AI projects.
Nightshade is intended to help visual artists, or at least make AI data scrapers more wary about grabbing data willy-nilly. The tool is capable of poisoning image data with no detriment to human viewers, but will disrupt AI models used by generative tools like DALL-E, Midjourney, and Stable Diffusion.
Some example data poisoning effects of Nightshade could include: dogs becoming cats, cars becoming cows, cubism becoming anime, hats becoming toasters, and other chaos. See below for examples of the corrosive effects of Nightshade in action.
Previously it was thought that poisoning a generative AI might need millions of poison samples pushed towards the training pipeline. However, Nightshade is claimed to be a “prompt-specific poisoning attack... optimized for potency.” Quite startlingly, Nightshade can do its disruptive business in under 100 poison samples. Moreover, the researchers say that Nightshade poison effects "bleed through" to related concepts, and multiple attacks can composed together in a single prompt. The end result is to disable the generation of meaningful images based on user text prompts.
The researchers don’t intend tools like Nightshade to be used without due care. Rather it is intended “as a last defense for content creators against web scrapers that ignore opt-out/do-not-crawl directives.” Tools like this could become a deterrent against the Wild West-era AI data scrapers. Even now, flagship AI companies like Stability AI and OpenAI are only omitting artworks when users jump through hoops to opt-out, according to MIT Technology Review's report. Some think it should instead be the AI companies that are required to chase users to opt-in.
Ben Zhao, a professor at the University of Chicago who led the Nightshade research team, is also behind Glaze, a tool that allows creators to mask their personal art style to prevent it being scraped and mimicked by AI companies. Nightshade, which is being prepared as an open-source project, could be integrated into Glaze at a later date to make AI data poisoning an option.
