VinAIResearch / Anti-DreamBooth

Anti-DreamBooth: Protecting users from personalized text-to-image synthesis (ICCV 2023)
https://vinairesearch.github.io/Anti-DreamBooth/
GNU Affero General Public License v3.0

Add Exif information or another indicator that technology is used to try and prevent AI training using this image. #6

Closed Teravus closed 1 year ago

Teravus commented 1 year ago

The problem that I have with these kinds of things is they're purposely designed to poison training a model with no indication to the person looking at an image and no indication to any kind of software processing the image.

Artists, celebrities and other potentially harmable people want to be able to say that the image cannot be used to train machine learning models. That's great. I have nothing against that. They want dataset compiler researchers to be ethical and use only images that they're licensed to use.

Ethics is a two-way street and two wrongs don't make a right. If you purposely poison a machine learning model with an image with no indication that the image is intended to do that, you're actually doing harm.

The image may become part of a collection in the future... and someone gets it wrong and then makes the whole collection authorized for machine learning model training. A hapless dataset compiler will assume that the images are OK.

Because of the way that image training works, you can't guarantee that you're only poisoning images generated of the subject. You could be poisoning many generated images that are not of the subject.

Things like this need to add EXIF data or something to warn people that it is bad news for a machine learning model. The US Federal Trade Commission has guidelines on the use and training of machine learning models that stress transparency and ethical use.

I know that this is a code base for a study, however, the study doesn't include information about the ethics of purposely poisoning training in a non-transparent way.

hao-pt commented 1 year ago

Good points!

To start with, our defense system is designed to safeguard the public image of a target subject only. Even though the system is trained using perturbed images of the target subject, it is expected to have no effects on generated images of other subjects. Therefore, we cannot be held accountable for your initial concern.

Additionally, embedding EXIF into poisoning data has the potential to reduce the effectiveness of our defense system, as malicious attackers may easily discard all of our protected images. However, in some ideal situations where all images of the target subject are contaminated, it can still be beneficial, as there will be no images left when the attackers remove them from the collection. It is important to note, however, that such ideal cases are infrequent in real-world scenarios, as the number of perturbed images can vary widely depending on individual usage. Meanwhile, responsibility for this action should be delegated to owners, policy and license makers, and organizations who intentionally manipulate data for specific purposes.

It is worth mentioning that our work is motivated by a strong desire to protect users' images against malicious threats. Specifically, our focus is on promoting research dedicated to safeguarding individual images in light of the growing prevalence of personalized generative models.

We will close this issue as it does not align with our research focus.

Teravus commented 1 year ago

"Additionally, embedding EXIF into poisoning data has the potential to reduce the effectiveness of our defense system, as malicious attackers may easily discard all of our protected images."

Isn't that the point? Get them to discard all of your images; to give people making the images the ability to declare that they don't want it used for training and generation?

If that isn't the point and you're purposely poisoning image training in general then the purpose of your research is flawed.

"To start with, our defense system is designed to safeguard the public image of a target subject only. Even though the system is trained using perturbed images of the target subject, it is expected to have no effects on generated images of other subjects. Therefore, we cannot be held accountable for your initial concern."

It might be an important research topic that would be easy to test. Have a dataset of faces. Perturb half of the faces and train the model. Confirm that the perturbed faces generate with artifacts. Confirm that the unperturbed faces generate without artifacts.

"We will close this issue as it does not align with our research focus."

All AI research, at this point, needs to have a section on the ethical issues associated with the work that you're doing and the problems that you're trying to solve. This absolutely aligns with your research focus unless it isn't scientific. If this isn't scientific research and is just a reactionary thing, "AI Bros bad we try to stop" then fine... but don't put out a scientific paper for it and claim you're actually doing research.

My point: You seem to have written a paper and developed something that has some marginally helpful benefits but is also incredibly, arguably "purposely", malicious. You, also, didn't discuss, or even think about, the ethical ramifications of using this.

It takes a significant amount of money to train an image generation model. If an image generated by your method sneaks its way into a training, as you clearly intend, and damage to the model occurs, who will be liable for the damage? The person using this repository to try and protect their face? What if someone uses this software and perturbs images of common objects like apples or another fruit and then spreads them all over the internet? These issues are completely ignored in the paper and the code.

I attempted to help by addressing this by adding Exif information in the perturbed images so it would mitigate the maliciousness and provide a way for you to address the 'liability factor' for people who use this software. You closed as out of scope.
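The EXIF marker proposed in this thread, seen from the dataset compiler's side, as an added example (not code from the Anti-DreamBooth repository and not the patch referred to above): a standard-library reader for the EXIF `ImageDescription` tag and an ingest filter that excludes marked files. The `MARKER` string and all function names are hypothetical, and the sample bytes are constructed.

```python
import struct

MARKER = "no-ai-training"        # hypothetical opt-out string; the project defines none
TAG_IMAGE_DESCRIPTION = 0x010E   # standard EXIF/TIFF ImageDescription tag

def _ifd0_ascii(tiff, want):
    """Return the ASCII value of tag `want` in IFD0 of a TIFF blob, or None."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"            # byte order prefix for struct
    magic, ifd = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd + 2 > len(tiff):
        return None
    (n,) = struct.unpack(e + "H", tiff[ifd:ifd + 2])
    n = min(n, (len(tiff) - ifd - 2) // 12)          # ignore entries past the buffer
    for i in range(n):
        ent = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, count, off = struct.unpack(e + "HHII", ent)
        if tag == want and typ == 2:                 # type 2 = ASCII
            raw = ent[8:8 + count] if count <= 4 else tiff[off:off + count]
            return raw.split(b"\x00")[0].decode("ascii", "replace")
    return None

def exif_description(jpeg):
    """Walk JPEG segments up to start-of-scan and read ImageDescription."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":   # APP1 carrying EXIF
            return _ifd0_ascii(body[6:], TAG_IMAGE_DESCRIPTION)
        if marker == 0xDA:                                   # pixel data starts here
            break
        pos += 2 + size
    return None

def build_sample(desc):
    """Constructed test input: SOI + one EXIF APP1 segment + EOI (no pixel data)."""
    val = desc.encode("ascii") + b"\x00"
    tiff = b"II*\x00" + struct.pack("<I", 8)         # TIFF header, IFD0 at offset 8
    tiff += struct.pack("<HHHIII", 1, TAG_IMAGE_DESCRIPTION, 2, len(val), 26, 0) + val
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def split_dataset(files):
    """Return (kept, excluded) file names; excluded files carry MARKER in EXIF."""
    flagged = {n for n, d in files.items() if MARKER in (exif_description(d) or "")}
    return sorted(set(files) - flagged), sorted(flagged)
```

A file with no EXIF segment (for example after a re-encode that drops metadata) lands in `kept`, so a marker of this kind is advisory: its absence says nothing about whether an image was perturbed.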