Journal tags: theft

Wallfacing

The Dark Forest idea comes from the Remembrance of Earth’s Past books by Liu Cixin. It’s an elegant but dispiriting solution to the Fermi paradox. Maggie sums it up:

Dark forest theory suggests that the universe is like a dark forest at night - a place that appears quiet and lifeless because if you make noise, the predators will come eat you.

This theory proposes that all other intelligent civilizations were either killed or learned to shut up. We don’t yet know which category we fall into.

Maggie has described The Expanding Dark Forest and Generative AI:

The dark forest theory of the web points to the increasingly life-like but life-less state of being online. Most open and publicly available spaces on the web are overrun with bots, advertisers, trolls, data scrapers, clickbait, keyword-stuffing “content creators,” and algorithmically manipulated junk.

It’s like a dark forest that seems eerily devoid of human life – all the living creatures are hidden beneath the ground or up in trees. If they reveal themselves, they risk being attacked by automated predators.

Those of us in the cozy web try to keep our heads down, attempting to block the bots plundering our work.

I advocate for taking this further. We should fight back. Let’s exploit the security hole of prompt injections. Here are some people taking action:

I’ve taken steps here on my site. I’d like to tell you exactly what I’ve done. But if I do that, I’m also telling the makers of these bots how to circumvent my attempts at prompt injection.

This feels like another concept from Liu Cixin’s books. Wallfacers:

The sophons can overhear any conversation and intercept any written or digital communication but cannot read human thoughts, so the UN devises a countermeasure by initiating the “Wallfacer” Program. Four individuals are granted vast resources and tasked with generating and fulfilling strategies that must never leave their own heads.

So while I’d normally share my code, I feel like in this case I need to exercise some discretion. But let me give you the broad brushstrokes:

  • Every page of my online journal has three pieces of text that attempt prompt injections.
  • Each of these is hidden from view and hidden from screen readers.
  • Each piece of text is constructed on-the-fly on the server and they’re all different every time the page is loaded.

You can view source to see some examples.

I plan to keep updating my pool of potential prompt injections. I’ll add to it whenever I hear of a phrase that might potentially throw a spanner in the works of a scraping bot.

By the way, I should add that I’m doing this as well as using a robots.txt file. So any bot that ingests a prompt injection deserves it.

I could not disagree with Manton more when he says:

I get the distrust of AI bots but I think discussions to sabotage crawled data go too far, potentially making a mess of the open web. There has never been a system like AI before, and old assumptions about what is fair use don’t really fit.

Bollocks. This is exactly the kind of techno-determinism that boils my blood:

AI companies are not going to go away, but we need to push them in the right directions.

“It’s inevitable!” they cry as though this was a force of nature, not something created by people.

There is nothing inevitable about any technology. The actions we take today are what determine our future. So let’s take steps now to prevent our web being turned into a dark, dark forest.

The machine stops

Large language models have reaped our words and plundered our books. Bryan Vandyke:

Turns out, everything on the internet—every blessed word, no matter how dumb or benighted—has utility as a learning model. Words are the food that large language algorithms feed upon, the scraps they rely on to grow, to learn, to approximate life. The LLNs that came online in recent years were all trained by reading the internet.

We can shut the barn door—now that the horse has pillaged—by updating our robots.txt files or editing .htaccess. That might protect us from the next wave, ’though it can’t undo what’s already been taken without permission. And that’s assuming that these organisations—who have demonstrated a contempt for ethical thinking—will even respect robots.txt requests.

I want to do more. I don’t just want to prevent my words being sucked up. I want to throw a spanner in the works. If my words are going to be snatched away, I want them to be poison pills.

The weakness of large language models is that their data and their logic come from the same source. That’s what makes prompt injection such a thorny problem (and a well-named neologism—the comparison to SQL injection is spot-on).

Smarter people than me are coming up with ways to protect content through sabotage: hidden pixels in images; hidden words on web pages. I’d like to implement this on my own website. If anyone has some suggestions for ways to do this, I’m all ears.

If enough people do this we’ll probably end up in an arms race with the bots. It’ll be like reverse SEO. Instead of trying to trick crawlers into liking us, let’s collectively kill ’em.

Who’s with me?

Blame

If I’m on the tube listening to my iPod—because, y’know, that’s exactly the kind of situation for which the iPod was invented—and somebody steals said iPod, which is illegal, is that my fault?

If I publish my email address online—because, y’know, I actually want people to be able to get in touch with me quickly and conveniently—and it gets harvested by scum-sucking spammers who send unsolicited commercial email, which is illegal, is that my fault?

If I utter my date of birth or my mother’s maiden name—because, y’know, I don’t believe that information should be a state secret—and somebody uses that information to “steal my identity”, which is illegal, is that my fault?

If you answered yes to any of the above, I would like to remind you of something said at last year’s South by Southwest:

If I’ve learned anything from hanging out with the Eastern European dissident crowd, it’s make no decision out of fear.

Neighbourhood watch

So there I was, getting ready to head to bed, blogging my travel plans when I heard some annoying noises from outside. It sounded like somebody was kicking a can around. Irritated, I went out on the balcony and saw two hooded yoofs looking nervous whilst a third rummaged around inside a car.

I didn’t want to jump to any conclusions. It could have been their car. But it sure looked like two people keeping watch while the third was up to no good. The engine of the car started. From the hurried and harried manner in which this was done, it was pretty clear that this wasn’t the car’s owner. One of the lookouts saw me, told his friends and started beating a retreat.

At this stage, I was on the phone and I was being put through to emergency services. The car began to pull away, bumping and grinding into some other cars in the process. Jessica had the presence of mind to read off the car registration and write it down. I was able to pass this along down the telephone line.

Before long a police car raced up the street in the same direction as the stolen car. Meanwhile, I started giving a description of the miscreants to the policeman on the other end of the line. At one point, he interrupted to say, “Wait, I think they’ve spotted it and… yeah, we have a runner.”

Sure enough, the car-thief came sprinting back down the street with the police following. But they weren’t following close enough to see him duck into a front yard and hide. They continued right past so I asked the policeman on the other end of the ‘phone line to excuse me while I shouted out, “Hey! In there! In there!”

Five or six officers converged on the hiding place and despite a struggle, the ne’er-do-well was soon in custody.

I was thanked profusely by my telephone confidant. I got the impression that they don’t often get such immediate results from a crime report.

I spent an hour in Hove police station giving a statement when I really should have been in bed getting a good night’s sleep before a long day of travel. I guess I can sleep at some time during the ten hour flight.

If this tale of police telephone action sounds familiar, that’s because it’s not the first time I’ve given the police a blow-by-blow account of the criminal activities on my street—and then immediately Twittered and blogged about it once I got off the ‘phone.