Google presents invisible watermarks for AI generated texts

Veröffentlicht:

Von:

Google Deepmind has developed an invisible watermark for AI generated texts to combat false information.
(Symbolbild/natur.wiki)

researchers at Google Deepmind in London have developed a “watermark” to identify text that is generated by artificial intelligence (AI)-this has already been used in millions of chatbot users.

The watermark that was published on October 23 in the journal Nature 1 is not the first to be created for AI generated. However, it is the first to demonstrate in a large, real context. "In my opinion, the most important news here is that they actually use it," says Scott Aaronson, computer scientist at the University of Texas in Austin, who worked on watermarks at Openai until August, the creators of chatt, based in San Francisco, California.

The detection of AI generated texts is becoming increasingly important because you have a potential solution for the problems of Fake News and Academic fraud . In addition, it could help to to protect future models from devaluation by not being trained with AI-generated content .

In an extensive study, users of the Google Gemini Large Language Model (LLM) evaluated in 20 million answers watermarked texts as equivalent with unmarked texts. "I am enthusiastic to see that Google is taking this step for the tech community," says Furong Huang, computer scientist at the University of Maryland in College Park. "It is likely that most commercial tools will contain watermarks in the near future," adds Zakhar Shumaylov, computer scientist at the University of Cambridge, UK.

choice of words

It is more difficult to apply a watermark to text than to images, since the choice of words is essentially the only variable that can be changed. Deepmind's watermark-called synthid text-changes which words the model chooses, in a secret but formulaic way that can be recorded with a cryptographic key. Compared to other approaches, Deepmind's watermark is slightly easier to recognize, and the application does not delay the text position. "It seems that it exceeds the concepts of competitors at LLMS watermarks," says Shumaylov, who is a former employee and brother of one of the authors of the study.

The tool was also disclosed so that developers can apply their own watermark to their models. "We hope that other developers of AI models will take this and integrate them into their own systems," says Pushmeet Kohli, computer scientist at Deepmind. Google keeps its key secret so that the users cannot use detection tools to identify watermarked text of the Gemini model.

governments on a watermark as a solution for the distribution of AI generated text . Nevertheless, there are many problems, including the obligation of the developers to use watermarks and the coordination of their approaches. At the beginning of this year, researchers at the Federal Technology Zurich showed that Watermarks are susceptible to removal , a process that is referred to as "scrubbing", or "spoofing", in which watermarks are applied to texts to give the wrong impression that they are ki-generated.

token-tournament

Deepminds approach is based on a existing method Watermark integrated into a sampling algorithm, a step in the text of the text that is separated from the LLM itself.

An LLM is a network of associations that are built up by training with billions of words or parts known as tokens. When a text is entered, the model shows every token in its vocabulary a probability of being the next word in the sentence. The task of the sampling algorithm is to select which tokens should be used according to a number of rules.

The synthid text sampling algorithm uses a cryptographic key to assign random values ​​to every possible token. Candidate tickets are proportional to their probability of the distribution and classified in a "tournament". There the algorithm compares the values ​​in a series of one-against-one-k.o.-rounds, whereby the highest value gains until there is only one token left that is selected for the text.

This sophisticated method makes it easier to detect the watermark, since the same cryptographic code is applied to generated text to search for the high values ​​that indicate "winning" tokens. This could also make the distance more difficult.

The several rounds in the tournament can be seen as a combination of Lock, in which each round represents a different number that needs to be solved to unlock or remove the watermark, says Huang. "This mechanism makes it considerably more difficult to scrub, to spol or develop the watermark," she adds. For texts with around 200 tokens, the authors showed that they could still recognize the watermark, even if a second LLM was used to rewrite the text. With shorter texts, the watermark is less robust.

The researchers have not examined how well the watermark is resistant to deliberate attempts to remove. The resistance of watermarks against such attacks is a "massive political question," says Yves-Alexandre de Montjoye, computer scientist at Imperial College London. "In the context of AI security it is unclear to what extent this offers protection," he explains.

Kohli hopes that the watermark will initially help to support the well -intentioned use of LLMs. "The guiding philosophy was that we wanted to develop a tool that can be improved by the community," he adds.

  1. Datthri, S. et al. Nature 634, 818–823 (2024).

    2. Download references