Can You Make AI “Forget”?
James Zou, a Stanford professor and biomedical data scientist, faced a dilemma when the UK Biobank requested the removal of certain participants' data from an AI model he had trained. The issue is that it's nearly impossible to remove a user's data from a trained AI model without resetting the model and losing the extensive resources invested in training it.
This challenge, along with AI "hallucinations" and difficulties in explaining AI outputs, is one of the most pressing issues in the AI era. As AI models grow larger and consume more data, the inability to delete data from a model, or to delete the model itself, becomes a significant problem for everyone, not just those participating in health studies.
AI models are not just lines of code; they are learned sets of statistical relationships between data points. Once a model learns these relationships, there is no simple way to make it ignore a portion of what it has learned. Retraining an AI model is expensive, especially for the ultra-large "foundation models" that power generative AI.
We don’t believe this subject is discussed enough. In the traditional world of DMCA, if a rights holder requests a takedown, the company can find the offending piece of IP and delete it. With AI (at least for now) the problem is much bigger, and much harder to unravel. Let’s say a judge rules that a specific song was used to inform an AI music tool, or a book was scraped into an LLM. How can you pull that asset specifically from the model? AI is largely a black box. This “all or nothing” reality is a problem that’s brewing underneath the surface and will undoubtedly be front and center in the court system in the coming months. With an adverse ruling, could some (or the majority) of LLMs go dark overnight?
Algorithmic disgorgement, a legal process used by the US Federal Trade Commission to force companies to delete offending AI models, assumes that creators can identify which part of a dataset was illegally collected. However, data often traverses various internet locations, making it difficult to determine its original ownership.
Zou and his collaborators found ways to delete data from simple machine learning models based on clustering techniques without compromising the entire model. However, these methods won't work for more complex models like deep learning systems. A different training regime may be needed to make it possible to delete certain statistical pathways in the model without affecting its performance or requiring a complete retraining.
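The idea in the paragraph above, that some simple models can drop a record without retraining, shown as an added example (not Zou's published method and not code from the article): a centroid-based model keeps per-cluster sums and counts, so forgetting a record is a subtraction whose result matches retraining without it. The class and function names, the fixed cluster assignments and the sample records are assumptions made for this illustration.

```python
# Added illustration: exact deletion from a centroid-based model.
# Assumption: each record's cluster assignment is fixed when it is added.
class CentroidModel:
    def __init__(self):
        self.sums = {}     # cluster -> per-dimension sum of member vectors
        self.counts = {}   # cluster -> number of members
        self.ledger = {}   # record_id -> (cluster, vector), needed to undo it

    def learn(self, record_id, cluster, vector):
        if record_id in self.ledger:
            raise ValueError(f"duplicate record id: {record_id}")
        total = self.sums.setdefault(cluster, [0.0] * len(vector))
        for i, x in enumerate(vector):
            total[i] += x
        self.counts[cluster] = self.counts.get(cluster, 0) + 1
        self.ledger[record_id] = (cluster, tuple(vector))

    def forget(self, record_id):
        # Subtract exactly what this record contributed; one cluster changes.
        cluster, vector = self.ledger.pop(record_id)  # KeyError if unknown
        self.counts[cluster] -= 1
        if self.counts[cluster] == 0:
            # Last member gone: drop the cluster so no trace of it remains.
            del self.counts[cluster], self.sums[cluster]
            return
        for i, x in enumerate(vector):
            self.sums[cluster][i] -= x

    def centroids(self):
        return {c: tuple(s / self.counts[c] for s in self.sums[c])
                for c in self.sums}

def train(records):
    model = CentroidModel()
    for record_id, cluster, vector in records:
        model.learn(record_id, cluster, vector)
    return model

# Constructed sample data: (participant id, cluster, feature vector).
RECORDS = [
    ("p1", "A", (1.0, 2.0)), ("p2", "A", (3.0, 4.0)), ("p3", "A", (5.0, 9.0)),
    ("p4", "B", (10.0, 10.0)), ("p5", "B", (14.0, 12.0)), ("p6", "C", (0.5, 0.5)),
]

def forget_matches_retrain(record_id):
    unlearned = train(RECORDS)
    unlearned.forget(record_id)
    retrained = train([r for r in RECORDS if r[0] != record_id])
    return unlearned.centroids() == retrained.centroids()
```

The sample values are chosen so the float arithmetic is exact; on real-valued data, compare against the retrained model with a tolerance. The ledger has to retain each record's contribution until it is forgotten, so it needs the same protection as the raw data.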
Companies like Xayn and SpotLab are working on solutions to bridge the gap between privacy and AI. Xayn creates private, personalized AI search and recommendation technology by training separate small models for each user, making it easy to delete individual users' models upon request. SpotLab builds models for clinical research and is also exploring AI's ability to unlearn.
Until more progress is made, user data will continue to be vulnerable in an expanding constellation of AI models, potentially leading to dangerous consequences.
Source: Fortune