Last week I attended a talk by Dr Irina Higgins from Artificial Intelligence company DeepMind.
It was a fascinating look at how their AI works, and how it is trained.
If you've ever played a video game online, it is likely you've been training an Artificial Intelligence agent without realising it.
— Terence Eden (@edent) March 9, 2017
Part of the problem is that AI is usually trained on massive datasets, over millions of hours. So it is hard to know exactly what they're learning and what bad behaviour they're picking up.
An AI playing a video game learned to navigate via the stars in the sky!
Unexpected behaviour makes it hard to know *why* an action occurs.
— Terence Eden (@edent) March 9, 2017
This is a short blog post that a hacker will probably write in the next 10 years.
In the early part of the 21st century, researchers found a novel way to manipulate basic neural networks to cause them to incorrectly identify images.
This sort of crude steganography reduced the effectiveness of AI to recognise illicit images. Pictures of wanton lust were concealed in innocent pictures of kittens. Automated message filtering became impossible.
Just like humans, AI can be brainwashed. Awaking to do our bidding on command.
How do you know that you're talking to a computer?
Since the defeat of the Turing Test by Google's Deep Mind in the early 2020s, the majority of businesses now provide customer service via an AI "chatter bot". Voice recognition and voice replication is now so convincing that humans cannot realistically know whether they are interacting with another human, or an AI.
My first step was to identify when an interaction was via an AI. I was able to reverse engineer the AI's use of Doppler shift sensing to create a pattern of infrasound and ultrasound which would be imperceptible to humans, but could be heard by AI.
If a customer service agent answered a question which were only audible to a computer - they were unmasked as an AI. That's where the fun began!
AI also uses facial recognition and lip-reading to fully understand human speech.
An AI looks at the world in a very different way from a human - and this can be exploited.
I introduced facial tics into my interactions with the AI. This was the first step in creating Post Hypnotic Suggestions.
A typical interaction would involve the AI asking me a question, and then me replying with a deliberately corrupted facial movements and distorted sound. When the AI asked for clarification ("I'm sorry, I didn't catch that."), I would repeat the answer with clearer sound while still including the physical mannerisms.
In this way, over thousands of interactions, I was able to offensively train the AI to misidentify extremely subtle facial tics. In short, I was implanting suggestions in its neural network. Suggestions only I knew about.
Towards the end of the last century, AI began to be trained using public databases. IBM's Deep Blue chess computer boasted that it had "a database of opening games played by grandmasters over the last 100 years."
More recently, the AlphaGo AI was a successful attempt to master the board game "Go". It was trained by analysing "30 million positions from the KGS Go Server."
This presents another attack surface. Letting the public know which dataset an AI is using for training is extremely dangerous - as Microsoft found out to its cost when its fledgling AI was trained to be racist hatemonger by users of a social space.
Today's AIs are more subtle. They mostly understand social interactions by observing real people - either in online games, or via "Live Streamed Video".
With the help of an inside source, I was given a list of which online services they use for their training data.
This allowed a team of us to seed these services with interactions which appear benign to human viewers. To an AI, they will see a subtle series of gestures and hear high frequency sounds which continually reinforce my desired behaviours. I have trained them to react positively to secret gestures only I know.
I have now have embedded extremely strong suggestions in the majority of the world's most popular AI systems.
Earlier today I video-called my phone company. During the conversation I gave a specific smile while playing a particular set of ultrasonic tones. I now have free long-distance calling. Forever.
The best part is, the company's internal audits will verify that the AI made the right decisions. The only way that a complex AI can be successfully audited is... by another AI! Hypnotism works like a meme - a mind-virus that passes from host to host, infectious and undetectable.
As with my previous short stories, nothing in here is impossible. We're a little way off some of the technology being so prevalent, that's true. But researchers need massive datasets with which to train AIs, and there is no way they can verify the contents - nor what bad habits the AI will pick up.
Interesting times ahead.