Am I missing something? The article seems to suggest it works via hidden text characters. Has OpenAI never heard of pasting text into a utf8 notepad before?
They could inject random zero width non joiners to help detection too. Easy to defeat, but something a layperson would have to go through extra effort to filter out. Kinda like how some plagiarism cases have been won by pointing out identical misspelled words.
This has been known in the ML space forever. LLMs don’t actually output words/tokens, but probabilities for a long list of tokens, and the sampler picks one (usually the mostl likely token). And if you arbitrarily weigh these probabilities (eg 50% of possible token outputs are more likely than the other 50%, as a random example), it creates a “signature” in any text thats easy to measure. The sampler randomizes it a tiny bit, but that averages out in long texts.
It’s defeatable. I’m sure if you maken enough OpenAI queries, you can find the bias. I think a paper already tackled this. But this likely will stop the lazy absures, aka 99% of abusers, who should just use some other LLM if they really care.
Another open secret in LLM land is that OpenAI is actually falling behind open research efforts, hence its hilarious it took them this long to implement something so simple.
So if cheating on homework, use self hosted only then. Cool. I mean, they can’t possibly use that algorithm for every model on hugging face especially if I don’t tell anyone which one I use. I’m done with school after this semester anyway, I feel sorry for everyone in the future that has to complete assignments in the age of ai warfare.
You have full control of your logit outputs with local LLMs, so theoretically you could “unscramble” them. And any finetuning would just blow that bias away anyway.
OpenAI (IIRC) very notably stopped giving the logprobs of their models. They did this for many reasons, and most of them boil down to “profits” and “they are anticompetitive jerks,” but another reason is to enable watermark methods just like this.
Also, thing about this is that basically no one uses self hosted LLMs compared to OpenAI (or really any API) LLM.
It’s a good thing that ChatGPT is only one of the many LLM’s to choose from.
About a dozen methods they could use https://arxiv.org/pdf/2312.07913v2
Humans instinctively do something analogous with natural language, using poetic forms like rhyme, meter, and alliteration. (For example, the speeches from Shakespeare’s plays are immediately detectable because they’re in iambic pentameter.)
Imagine you lacked the natural human ability to detect verse, making poetry indistinguishable from prose. As far as you could tell, it would be like an invisible watermark that only specialists could detect. LLMs can use a similar approach, making up their own patterns that are opaque to humans but detectable to themselves.
In other news, mathematicians have been working hard on calculator detector software. Upon request for comment, leading mathematicians suggested a variety of ideas, such as such as secretly embedding a watermark “58008” (BOOBS) into the decimal parts of pi and e to more easily identify derived calculations. There was consistent sentiment among leading minds that “back in my day we had to work hard to do math, and walk up hill both ways in the snow to school”… and that “there’s nothing wrong with a good ol’ fashion abbicus, dag nabbit!”
Just because you can plug information into a calculator (or a LLM) doesn’t mean you understand the math that comes out of it (or the data). Which I think is rather that point of academia not wanting people to use chat gpt generated content.
On the other hand this is to prevent LLM’s using data generated by other LLM’s. Which is important because that’s how they degrade in quality.
That’s cool, but literally any other implementation won’t have that, or will have an incompatible watermark.
It’s probably some type of cypher. Which will take people exactly one (1) afternoon to crack.
A whole afternoon or just a portion?
