News: 1723158014

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Lawyers say US cybersecurity law too ambiguous to protect AI security researchers

(2024/08/09)


black hat Existing US laws tackling those illegally breaking computer systems don't accommodate modern large language models (LLMs) and can open researchers up to prosecution for what ought to be sanctioned security testing, say a trio of Harvard scholars.

The Computer Fraud and Abuse Act (CFAA) doesn't even really apply to prompt injection attacks as written and interpreted by legal precedent, Harvard Berkman Klein Center for Internet and Society affiliates Ram Shankar Siva Kumar, Kendra Albert and Jonathon Penney [1]explained at Black Hat this week.

What that means, says Albert, a lawyer and instructor at Harvard Law School's cyber law clinic, is that it's hard to tell where prompt injection and other exploits of LLMs cross into the realm of illegality.

[2]

"Ram, John and I were having coffee last September, and [the two of them] were talking about whether prompt injection violates the CFAA," Albert told The Register . Albert isn't sure prompt injection does violate the CFAA, but the more the trio dug into this, the more they found uncertainty.

[3]

[4]

"There's a set of stuff that we're pretty sure violates the CFAA, which is stuff where you're not allowed to access the machine learning model at all," Albert said. "Where it gets interesting is where someone has permission to access a generative AI system or LLM, but is doing things with it that the people who created it would not want them to."

The CFAA may have been able to protect AI researchers a few years ago, but that all changed in 2021 when the US Supreme Court issued its [5]decision in Van Buren v United States . That decision effectively narrowed the CFAA by saying the Act only applies to someone who obtained information from areas of a computer (eg, files, folders or databases) which their account wasn't given official access to.

[6]

That may be well and good when we're talking about clearly defined computer systems with different areas restricted via user controls and the like, but neither Van Buren nor the CFAA map well onto LLM AIs, the Berkman Klein affiliates said.

"[The US Supreme Court] was sort of thinking about normal file structures, where you have access to this, or you don't have access to that," Albert said. "That doesn't really work well for machine learning systems more generally, and especially when you're using natural language to give a prompt to an LLM that then returns some output."

[7]How prompt injection attacks hijack today's top-end AI – and it's tough to fix

[8]Meta's AI safety system defeated by the space bar

[9]US won't prosecute 'good faith' security researchers under CFAA

[10]BEAST AI needs just a minute of GPU time to make an LLM fly off the rails

Illegal access, as far as the CFAA and SCOTUS is concerned, needs to involve some degree of breaking a barrier into a system, which Albert said isn't as clear-cut when a security researcher, penetration tester, red team member or just a kid on ChatGPT messing around with prompts, manages to break an AI's guard rails.

Even were one to argue that getting an AI to spill the contents of its database could be characterized as unauthorized entry under the CFAA, that's not clear either, said Siva Kumar, an adversarial machine learning researcher.

"There's a very probabilistic element [to AIs]," Siva Kumar told us. "Databases don't generate, they retrieve."

[11]

Trying to retrofit a 2021 legal decision onto LLMs, even after a few brief years, can't be done cleanly, he added. "We knew about [LLMs], but the Supreme Court didn't, and nobody anticipated this."

"[There's been] stunningly little attention paid to the legal ramifications of red teaming AI systems, compared to the volume of work around the legal implications of copyright," Siva Kumar added. "I still don't know even after working with Kendra and John - top legal scholars - if I'm covered doing a specific attack."

Albert said it's unlikely Congress will make changes to existing laws to account for prompt injection testing against AIs, and that the issue will likely end up being litigated in court to better define the difference between legitimate-but-exploitative and plainly malicious AI prompts.

In the meantime, Albert's worried that CFAA ambiguity and overly-litigious AI companies might chase away anyone acting in good faith, leaving undiscovered security vulnerabilities ripe for exploitation.

"The real risks of these kinds of legal regimes is great," Albert said. "You manage to discourage all of the people who would responsibly disclose [a vulnerability], and not deter any of the bad actors who would actually use these for harm."

So, how should security researchers act in this time of AI ambiguity?

"Get a lawyer," Albert suggested. ®

Get our [12]Tech Resources



[1] https://www.blackhat.com/us-24/briefings/schedule/#ignore-your-generative-ai-safety-instructions-violate-the-cfaa-39273

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrWUaAyKk6Q5QOr4FRFfSQAAAEE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrWUaAyKk6Q5QOr4FRFfSQAAAEE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrWUaAyKk6Q5QOr4FRFfSQAAAEE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2021/06/03/supreme_court_cfaa/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrWUaAyKk6Q5QOr4FRFfSQAAAEE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2023/04/26/simon_willison_prompt_injection/

[8] https://www.theregister.com/2024/07/29/meta_ai_safety/

[9] https://www.theregister.com/2022/05/20/cfaa_rule_change/

[10] https://www.theregister.com/2024/02/28/beast_llm_adversarial_prompt_injection_attack/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrWUaAyKk6Q5QOr4FRFfSQAAAEE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[12] https://whitepapers.theregister.com/



Base it on consent

johnrobyclayton

If a Large Deep Learning Model is exposed with an Interface,

And there is a login that has been granted,

With a description of what the user can use the interface for,

Then the user can do whatever has been consented to.

It is then completely up to the owners/suppliers/administrators of the Large Deep Learning Model/Interface to determine what is consented to using input filtering or prompt prohibitions.

If regulators place restrictions on what a Large Deep Learning Model/Interface can produce, then it is completely up to the owners/suppliers/administrators of the Large Deep Learning Model/Interface to comply with what regulators have consented to.

If you build a big honking tool that can be used to perform the most horrendous of actions, then you are completely responsible for making sure that it does perform such horrendous actions.

Unless something silly like a new amendment that gives every god fearing whatever the right to query any large deep learning model with any prompt they can come up with, no matter what tools they use to perhaps query the prompt interface at full auto.

I have never seen a list of prompts that are prohibited on a Large Deep Learning Model/Interface. Until there is, it is open slather for users and all responsibility falls on the owners/suppliers/administrators of the Large Deep Learning Model/Interface.

Anxious after the delay, Gruber doesn't waste any time getting the Koenig
[a modified Porsche] up to speed, and almost immediately we are blowing off
Alfas, Fiats, and Lancias full of excited Italians. These people love fast
cars. But they love sport too and no passing encounter goes unchallenged.
Nothing serious, just two wheels into your lane as you're bearing down on
them at 130-plus -- to see if you're paying attention.
-- Road & Track article about driving two absurdly fast
cars across Europe.