Early AI Legislative Moves: The NDAA and AI Watermarks
Early AI Legislative Moves: The NDAA and AI Watermarks
Some promising AI provisions in the new Defense Bill
Can we really prove Biden signed this bill? Image source: Axios.
Happy Boxing Day! I hope everyone is enjoying the holidays and some much needed time off.
Days ago, President Biden signed the $886 billion annual defense appropriations bill -the NDAA. Per usual, it’s a behemoth. While hardly groundbreaking for AI policy, this bill contains a multitude of AI-relevant provisions that illustrate congress is moving beyond the ‘reacting and learning’ process that colored the past year into a new ‘shovel ready policy’ phase.
In the bill we find several novel firsts. Generative AI receives direct legislative attention in a variety of strategic planning requirements and a new generative AI bug bounty program. Deeper in the technical weeds, foundation models, or “foundational artificial intelligence” as the bill calls it, have been defined for (likely) the first time. This builds on the tradition of the defense sector defining and setting the scope of AI legal terminology (the term “Artificial intelligence” was legally defined in the 2021 defense policy bill).
I highlight these details because I find them interesting, but for every one else these in-the-weeds firsts should demonstrate the majority of these provisions are for wonks. That said one provision did stick out, not because it’s going to change the game per say, but because it represents the exact type of action fitting for this moment: The Creation of a Generative AI Watermarking Prize Competition.
I was quite happy to see this pass the legislative finish line – especially because this is a move I’ve been suggesting in many of my conversations. As the title of the new programs suggests, the Department of Defense is now required to allocate prize money (the amount unspecified) to incentivize private research into AI watermarking tools. This is a competition; whoever first meets whatever quality standards the department sets for these tools, gets the cash.
What exactly is this trying to incentivize? For the uninitiated, “AI watermarking” is the process of embedding some sort of ‘watermark’ or signal in AI generated outputs like imagery, text, audio, etc. In an ideal case, such watermarks wouldn’t stand out to the human eye – thus having little impact on the quality of the output – but could be detected by algorithms or platforms that might want to flag the content as generated. In a more ideal case, these watermarks couldn’t be removed, or couldn’t be removed without noticeably damaging the content. This is a major developing fielding of AI forensic development, and I don’t want to bore with excessive detail, for those interested in more, see this TechTarget breakdown.
Why is this important? Perhaps the biggest AI challenge we need to address (or at least develop norms around) in the short run is the ‘fake vs. real’ problem which watermarks could address. Today, believable generated content is increasingly common and often indistinguishable from genuine media. Not only is it common, generated media is also substantiated as a political challenge. In the Israel-Hamas War AI generators are in active use to propagandize, mislead, and deceive, inflaming tensions.
Worryingly, as many have long predicted, we are now starting to see AI generated media used to twist elections and sew doubt. In Slovakia’s September election – a slanderous DeepFake audio track of one candidate allegedly discussing rigging the election was released 48 hours before voters hit the polls. Due to required Slovakian news embargos before the vote, forensicists were unable to widely broadcast that the audio was debunked and many were likely swayed. While we cannot say how the audio may have impacted the poll, it may have contributed to the slandered candidate’s loss, and at the least sewed uncertainty, distrust, and democratic angst.
This challenge is not only politically impactful - for the average American, it is deeply salient. Of all the predicted AI risks, this is the AI challenge people will encounter both directly and day-to-day. Perception is a major AI progress risk; if the ‘average salient AI experience’ is disinformation or any other such negative, people will associate AI not with promise and abundance, but pessimism. With pessimism could come an AI backlash, and with an AI backlash comes hard edged regulation or a public that simply doesn’t want to use, pay for, or further develop this tech. We already saw this with Crypto where many advocates have worked overtime to try and rationalize away real problems, instead of taking them head-on and try to improve. Today, increasingly few take crypto seriously, regulations are on their way, and the public has all but soured. Ignoring things doesn’t work.1
Creating this program, Congress recognizes this challenge and is putting money down on solutions. More specifically, this prize challenge aligns with my view that the best path to a solution in this case is likely not to regulate, but to innovate. On this issue, a regulatory approach would meet powerful headwinds. Today, copies of high-quality open-source generative models are already out in ‘the wild,’ sitting on thousands of at-home hard drives. Whats more, these open models are dramatically shrinking in size. Smaller models ease the copying and transferring of program files and decreases reliance on data centers, a potential AI chokepoint many AI regulation advocates have hoped would provide some measure of control. No matter how stringent or resourced, it is simply hard to imagine how government actors would identify every copy of these generative programs let alone fully deter their use by bad actors.2 As we saw in the Slovakia case, even if one bad actor slips by, evading authorities to run one model and create one output, they can still create problems.
Prize challenges are an alternate path. Perhaps we can’t holistically stop generated content, but what we can do is invest in watermarking and other forensics tools that might build the trust the public will need to get excited again about AI promise. As an innovation incentive, the prize competition model is a good path forward. As I’ve mentioned, past prize competition efforts have found success catalyzing AI development – the DARPA Grand Challenge famously helped catapult driverless car tech forward in the 2000s. The prize competition model is also well suited to a problem where the path forward is unclear. Rather than try and predict what specific directions are worth government dollars (a wickedly hard challenge at this early R&D stage), congress is choosing to let the researchers choose their path, choose their methods, and allocate rewards only when we see success or promise.
As I said, I’m happy congress has chosen this route. Still, success remains unclear and depends heavily on unanswered scoping questions such as the size of the jackpot and what exact tech the Department will try and incentivize. On this issue, the future remains unclear but its good action is underway.
Stepping back, the reason I wanted to highlight this specific provision of this bill is not because its game changing, or necessarily a big deal, but because this competition is something to lean on as a model for this problem, and any other technical challenges. It’s quite common in DC for the first reaction to any AI issue to be a kneejerk ‘regulate it!’ In some cases that may indeed be the right choice (critical infrastructure security for instance) but in many other cases we must take seriously alternative innovation-first policy levers.
In the AI community, especially among techno-optimists, Its disappointingly not uncommon to hear folks try and minimize or explain away this issue. True optimism means recognizing challenges yet feeling empowered to knuckle down and solve them. That is how we will create abundance.
Deterrence should still be used of course and people should still be punished for law breaking. We need to recognize, however, that while deterrence can be part of a total policy response, it is unlikely to completely solve.