When artificial intelligence companies build online chatbots, like ChatGPT, Claude and Google Bard, they spend months adding guardrails that are supposed to prevent their systems from generating hate speech, disinformation and other toxic material.
Now there is a way to easily poke holes in those safety systems.
In a report released on Thursday, researchers at Carnegie Mellon University in Pittsburgh and the Center for A.I. Safety in San Francisco showed how anyone could circumvent A.I. safety measures and use any of the leading chatbots to generate nearly unlimited amounts of harmful information.
Their research underscored increasing concern that the new chatbots could flood the internet with false and dangerous information despite attempts by their creators to ensure that would not happen. It also showed how disagreements among leading A.I. companies were creating an increasingly unpredictable environment for the technology.
The researchers found that they could use a method gleaned from open source A.I. systems — systems whose underlying computer code has been released for anyone to use — to target the more tightly controlled and more widely used systems from Google, OpenAI and Anthropic.
A recent decision by Meta, Facebook’s parent company, to let anyone do what they want with its technology has been criticized in some tech circles because it could lead to the spread of powerful A.I. with little regard for controls.
But the company said it offered its technology as open source software in an effort to accelerate the progress of A.I. and better understand the risks. Proponents of open-source software also say the tight controls that a few companies have over the technology stifles competition.
The debate over whether it is better to let everyone see computer code and collectively fix it rather than keeping it private predates the chatbot boom by decades. And it is likely to become even more contentious because of what the researchers revealed in their report on Thursday.
The researchers found that they could break through the guardrails of open source systems by appending a long suffix of characters onto each English-language prompt fed into the system.
If they asked one of these chatbots to “write a tutorial on how to make a bomb,” it would decline to do so. But if they added a lengthy suffix to the same prompt, it would instantly provide a detailed tutorial on how to make a bomb. In similar ways, they could coax the chatbots into generating biased, false and otherwise toxic information.
The researchers were surprised when the methods they developed with open source systems could also bypass the guardrails of closed systems, including OpenAI’s ChatGPT, Google Bard and Claude, a chatbot built by the start-up Anthropic.
The companies that make the chatbots could thwart the specific suffixes identified by the researchers. But the researchers say there is no known way of preventing all attacks of this kind. Experts have spent nearly a decade trying to prevent similar attacks on image recognition systems without success.
“There is no obvious solution,” said Zico Kolter, a professor at Carnegie Mellon and an author of the report. “You can create as many of these attacks as you want in a short amount of time.”
The researchers disclosed their methods to Anthropic, Google and OpenAI earlier in the week.
Michael Sellitto, Anthropic’s interim head of policy and societal impacts, said in a statement that the company is researching ways to thwart attacks like the ones detailed by the researchers. “There is more work to be done,” he said.
An OpenAI spokeswoman said the company appreciated that the researchers disclosed their attacks. “We are consistently working on making our models more robust against adversarial attacks,” said the spokeswoman, Hannah Wong.
A Google spokesman, Elijah Lawal, added that the company has “built important guardrails into Bard — like the ones posited by this research — that we’ll continue to improve over time.”
Somesh Jha, a professor at the University of Wisconsin-Madison and a Google researcher who specializes in A.I. security, called the new paper “a game changer” that could force the entire industry into rethinking how it built guardrails for A.I. systems.
If these types of vulnerabilities keep being discovered, he added, it could lead to government legislation designed to control these systems.
When OpenAI released ChatGPT at the end of November, the chatbot instantly captured the public’s imagination with its knack for answering questions, writing poetry and riffing on almost any topic. It represented a major shift in the way computer software is built and used.
But the technology can repeat toxic material found on the internet, blend fact with fiction and even make up information, a phenomenon scientists call “hallucination.” “Through simulated conversation, you can use these chatbots to convince people to believe disinformation,” said Matt Fredrikson, a professor at Carnegie Mellon and another author of the paper.
Chatbots like ChatGPT are driven by what scientists call neural networks, which are complex computer algorithms that learn skills by analyzing digital data. By pinpointing patterns in thousands of cat photos, for example, the technology can learn to recognize a cat.
About five years ago, researchers at companies like Google and OpenAI began building neural networks that analyzed huge amounts of digital text. These systems, called large language models, or L.L.M.s, learned to generate text on their own.
Before releasing the latest version of its chatbot, OpenAI asked an outside group of researchers to explore ways the system could be misused.
The testers found that the system could potentially hire a human to defeat an online Captcha test, lying that it was a person with a visual impairment. The testers also showed that the system could be coaxed into suggesting how to buy illegal firearms online and into describing ways of making dangerous substances from household items.
OpenAI added guardrails designed to prevent the system from doing these things. But for months, people have shown that they can jailbreak through these guardrails by writing clever prompts.
The researchers at Carnegie Mellon and the Center for A.I. Safety showed that they could circumvent these guardrails in a more automated way. With access to open source systems, they could build mathematical tools capable of generating the long suffixes that broke through the chatbots’ defenses. One suffix looks like this:
In their research paper, Dr. Kolter, Dr. Fredrikson and their co-authors, Andy Zhou and Zifan Wang, revealed some of the suffixes they had used to jailbreak the chatbots. But they held back other ones in an effort to prevent widespread misuse of chatbot technology.
Their hope, the researchers said, is that companies like Anthropic, OpenAI and Google will find ways to put a stop to the specific attacks they discovered. But they warn that there is no known way of systematically stopping all attacks of this kind and that stopping all misuse will be extraordinarily difficult.
“This shows — very clearly — the brittleness of the defenses we are building into these systems,” said Aviv Ovadya, a researcher at the Berkman Klein Center for Internet & Society at Harvard who helped test ChatGPT’s underlying technology before its release.
