I came across Nepenthes today in the comments under a post about AI mazes. It has an option to purposefully generate not just an endless pit of links and pages, but also to deterministically generate random, human-like text for those pages to poison the LLM scrapers as they sink into the tarpit.
After reading that, I thought, could you do something similar to poison image scrapers too?
Like if you have an art hosting site, as long as you can get an AI to fall into the tarpit, you could replace all the art it thinks should be there with distorted images from a dataset.
Or just send it to a kind of “parallel” version of the site that replaces (or heavily distorts) all the images but leaves the text descriptions and tags the same.
I realize there’s probably some sort of filter for any automated image scraper that attempts to sort out low quality images, but if one used similar images to the expected content, that might be enough to get through the filter.
I guess if someone really wanted to poison a model, generating AI replacement images would probably be the most effective way to speed up model decay, but that has much higher energy and processing power overhead.
Anyway, I’m definitely not skilled/knowledgeable enough to make this a thing myself even just as an experiment. But I thought you all might know if someone’s already done it, or you might find the idea fascinating.
What do you think? Any better ideas / suggestions for poisoning art scraping AI?
With aggressive scrapers, the “change” is having sites slowed or taken offline, being basically DDOSed by scrapers ignoring robots.txt.
What is your proposed adaptation that’s better than countermeasures? Be rich enough to afford more powerful hardware? Simply stop hosting anything on the internet?
If you just want to stop scrapers use Anubis why tf are you moving your own goalpost?
Also if your website is trash enough that it gets downed by 15,000 requests you should either hire a proper network engineer or fire yours like wtf man I made trash tier Wordpress websites that handled magnitudes more in 2010
EDIT: And stop using PHP in the case of ScummVM. Jesus Christ this isn’t 2005
Oh when you said arms race I thought you were referring to all anti-AI countermeasures including Anubis and tarpits.
Were you only saying you think AI poisoning methods like Glaze and Nightshade are futile? Or do you also think AI mazes/tarpits are futile?
Both kind of seem like a more selfless version of protection like Anubis.
Instead of protecting your own site from scrapers, a tarpit will trap the scraper, stopping it from causing harm to other people’s services whether they have their own protections in place or not.
In the case of poisoning, you also protect others by making it more risky for AI to train on automatically scraped data which would deincentivize automated scrapers from being used on the net in the first place
You do realize how data science works, right? The data is cleared by a human team before it is fed to a model, the data is also normalized and processed by some criteria, etc.
Also if you hold some seriously high value data, if I was designing the system, I’d make it flag your system for more advanced visual retrieval (you can let a multimodal LLM use a website like a human user with tool use)
I work in a lab, so yes, I understand how data science works. However, I think you have too much faith in the people running these scrapers.
I think it’s unlikely that ChatGPT would have had those early scandals of leaking people’s SSNs or other private information if the data was actually “cleared by a human team” The entire point of these big companies is laziness; I doubt they have someone looking over the thousands of sites worth of data they feed to their models.
Maybe they do quality checks on the data but even in that event, forcing them to toss out a large data set because some of it was poisoned is a loss for the company. And if enough people poison their work or are able to feed poison to the scrapers, it becomes much less profitable to scrape images automatically.
I previously mentioned methods for possibly slipping through automatic filters in the scraper (though maybe I mentioned that in a different comment chain).
As for a scraper acting like a human by use of an LLM, that sounds hella computationally expensive on the side of the scrapers. There would be few willing to put in that much effort, fewer scrapers makes DDOS like effect of scraping less likely. It would also take more time which means the scraper is spending less time harassing others.
But these are good suggestions. I suppose a drastic option for fighting a true AI mimicking a human would be to make all links have a random chance of sending any user to the tarpit. People would know to click back and try again, but the AI would at best have to render the site, process what it sees, decide it is in the tarpit, and then return. That would further slow down the scraper (or very likely stop/trap it) but that would make it slightly annoying for regular users.
In any case, at a certain point, trying to tailor an AI scraper to avoid a single specific website and navigate the traps for it would probably take more time and effort than sending a human to aggregate the content instead of an automated scraper