Real-world demonstration in chatbot responses could encourage other firms to label material produced by AI.
Researchers at Google DeepMind in London have devised a ‘watermark’ to invisibly label text generated by artificial intelligence (AI) and deployed it to millions of chatbot users.
The watermark, reported in Nature, is not the first to be made for AI-generated text. Nor is it able to withstand determined attempts to remove it. But it seems to be the first at-scale, real-world demonstration of a text watermark. “To my mind, by far the most important news here is just that they’re deploying this,” says Scott Aaronson, a computer scientist at the University of Texas at Austin, who, until August, worked on watermarks at OpenAI, the creators of ChatGPT based in San Francisco, California.
AI models fed AI-generated data quickly spew nonsense
Spotting AI-written text is gaining importance as a potential solution to the problems of fake news and academic cheating, as well as a way to avoid degrading future models by training them on AI-made content.
In a massive trial, users of Google’s Gemini large language model (LLM), across 20 million responses, rated watermarked texts equal to unwatermarked ones. “I am excited to see Google taking this step for the tech community,” says Furong Huang, a computer scientist at the University of Maryland in College Park. “It seems likely that most commercial tools will be watermarked in the near future,” says Zakhar Shumaylov, a computer scientist at the University of Cambridge, UK.
Related: Transform Your Small Business with Generative AI
Choice of words
Applying a watermark to text is more complex than to images because word choice is essentially the only variable to be altered. DeeDeepMind’stermark — called SynthID-Text — alters which words the model selects in a secret but formulaic way that can be detected with a cryptographic key. Compared with other approaches, DeeDeepMind’stermark is marginally easier to detect, and applying it does not slow down text generation. “It” seems to outperform competitors for watermarking LLMs,” says Shumaylov, a former collaborator and brother of one of the stustudy’sthors.
Three ways ChatGPT helps me in my academic writing
The tool has also been made open so developers can apply their own watermark to their models. “We” would hope that other AI-model developers pick this up and integrate it with their own systems,” said Pushmeet Kohli, a computer scientist at DeepMind. Google is keeping its key secret, so it won’t use detection tools to spot Gemini-watermarked text.
Governments are betting on watermarking as a solution to the proliferation of AI-generated text. Yet, problems abound, including getting developers to commit to using watermarks and coordinating their approaches. Earlier this year, researchers at the Swiss Federal Institute of Technology in Zurich showed that any watermark is vulnerable to being removed, a process of applying watermarks to text to give a false impression that it is AI-generated.
Related: 3 simple steps to automating content creation for businesses
![Get Blog2Social and boost your conversion rate!]([id]=22887&products[1][agreement-id]=5981" linktarget="_blank" hide_on_mobile="small-visibility,medium-visibility,large-visibility" sticky_display="normal,sticky" class="" id="" max_width="" sticky_max_width="" align_medium="none" align_small="none" align="center" mask="" custom_mask="" mask_size="" mask_custom_size="" mask_position="" mask_custom_position="" mask_repeat="" style_type="" blur="" stylecolor="" hue="" saturation="" lightness="" alpha="" hover_type="none" magnify_full_img="" magnify_duration="120" scroll_height="100" scroll_speed="1" margin_top_medium="" margin_right_medium="" margin_bottom_medium="" margin_left_medium="" margin_top_small="" margin_right_small="" margin_bottom_small="" margin_left_small="" margin_top="" margin_right="" margin_bottom="" margin_left="" bordersize="" bordercolor="" borderradius="" z_index="" caption_style="off" caption_align_medium="none" caption_align_small="none" caption_align="none" caption_title="" caption_text="" caption_title_tag="2" fusion_font_family_caption_title_font="" fusion_font_variant_caption_title_font="" caption_title_size="" caption_title_line_height="" caption_title_letter_spacing="" caption_title_transform="" caption_title_color="" caption_background_color="" fusion_font_family_caption_text_font="" fusion_font_variant_caption_text_font="" caption_text_size="" caption_text_line_height="" caption_text_letter_spacing="" caption_text_transform="" caption_text_color="" caption_border_color="" caption_overlay_color="" caption_margin_top="" caption_margin_right="" caption_margin_bottom="" caption_margin_left="" animation_type="" animation_direction="left" animation_color="" animation_speed="0.3" animation_delay="0" animation_offset="" filter_hue="0" filter_saturation="100" filter_brightness="100" filter_contrast="100" filter_invert="0" filter_sepia="0" filter_opacity="100" filter_blur="0" filter_hue_hover="0" filter_saturation_hover="100" filter_brightness_hover="100" filter_contrast_hover="100" filter_invert_hover="0" filter_sepia_hover="0" filter_opacity_hover="100" filter_blur_hover="0"]https://spearheadmm.net/wp-content/uploads/2024/07/affiliate-banner-vertical-en.png "affiliate-banner-vertical-en")
Token tournament
DeepMind’s approach builds on an existing method that incorporates a watermark into a sampling algorithm, a step in text generation separate from the LLM itself.
An LLM is a network of associations built up by training on billions of words or word parts, known as tokens. When given a string of text, the model assigns to each token in its vocabulary a probability of being next in the sentence. The sampling algorithm’s job is to select, from this distribution, which token to use according to a set of rules.
The SynthID-Text sampling algorithm uses a cryptographic key to assign random scores to each possible token. Candidate tokens are pulled from the distribution in numbers proportional to their probability and placed in a ‘tournament.’ There, the algorithm compares scores in a series of one-on-one knockouts, with the highest value winning until there is only one token standing, which is selected for use in the text.
The rise of ChatGPT and other tools raises major questions for research
This elaborate scheme makes it easier to detect the watermark, which involves running the same cryptographic code on generated text to look for the high scores indicative of ‘winning’ tokens. It might also make it more difficult to remove.
The multiple rounds in the tournament can be likened to a combination lock, in which each round represents a different digit that must be solved to unlock or remove the watermark, says Huang. “This mechanism makes it significantly more challenging to scrub, spoof, or reverse-engineer the watermark,” she adds. With text containing around 200 tokens, the authors showed they could still detect the watermark, even when a second LLM was used to paraphrase the text. For shorter strings of text, the watermark is less robust.
The researchers did not explore how well the watermark can resist deliberate removal attempts. The resilience of watermarks to such attacks is a “massive policy question,” says Yves-Alexandre de Montjoye, a computer scientist at Imperial College London. “In the context of AI safety, it’s unclear the extent to which this is providing protection,” he says.
Kohli hopes that the watermark will start by being helpful for well-intentioned LLM use. “The guiding philosophy was that we want to build a tool that the community can improve,” he says.
Related: 5 golden rules of copywriting
doi: https://doi.org/10.1038/d41586-024-03462-7
References
-
Dathathri, S. et al. Nature 634, 818–823 (2024).
.png "Google unveils invisible ‘watermark’ for AI-generated text 21")
Article by By Elizabeth Gibney
Elizabeth Gibney is a senior physics reporter at Nature. She has written for Scientific American, BBC, and CERN.
Leave A Comment
You must be logged in to post a comment.