Or has something changed recently?
The main difference is that AI extension, by design, send the content of the pages you browse to a server.
A malicious "calculator" extension could also send all the content to a server, and extension users don't really have an idea of what each extension is actually doing.
So skip the "Malware posing as AI browser extension" section, it's same kind of security issues as a malware calculator extension.
The legitimate AI extension's problems are more interesting.
Article wastes a bit more time on other security issues you get from using AI LLM in general. Those apply whether you're using a browser extension or chat.openai.com directly.
The valid point that applies to narrowly AI browser extension are:
1) it could send sensitive data you wouldn't have sent otherwise. Most people would know what they're doing when they explicitly paste the stuff on chat.openai.com. But when it's now automated via the extension DOM scraping, it's a bit harder to realize how much you're giving away.
2) And the hidden text prompt injection. That's interesting as now your attacker could be the website you browse, if you have configured too many plugins (Zapier plugin giving access to your email)
These 2 parts of TFA are imo novel security issues that only exist with AI browser extension, and are interesting.
The risks listed in the article itself mostly seem to fall under the same, non-AI-extension, core problem of "you're given them all your data." And that's a risk for non-AI-based extensions too, but if you look at the code of an AI one, it's gonna be obvious that it's shipping it off to a third party server, right? And once that happens... you can't un-close that door.
(The risks about copyright and such of content you generate by using AI tools are interesting and different, but I don't know that I'd call them security ones.)
The prompt injection one is pretty interesting, but still seems to fall under "traditional" plugin security issues: if you authorize a plugin to read everything on your screen, AND have full integration with your email, or whatever, then... that's a huge risk. The AI/injection part makes it triggerable by a third-party, which certainly raises the alarm level a lot, but also: bad idea, period, IMO.
I think that the issue here is that AIs are probabilistic in nature, meaning that you can't fully predict their behavior in a particular situation just by reading the code. Instead in a tipical (non AI poweered) extension, the code is a precise description of what the extension will do in every possible situation.
I mean that ML models are inherently inscrutable, it is extremely hard to determine how they operate internally, so no-one can identify any definite boundaries of what it will and will not output, or why. Hence prompt engineering, Bing's Sydney alternate personality, and weird hallucinated image artifacts.
Sure, if a user is calling OpenAI, they obviously can't understand the details of how it generates text. But neither can OpenAI! And if it produces something surprising, there's no way to fix it by directly modifying the model, the only way to do it is via ML techniques in the first place.
Without this feature, extensions will keep insisting they need access, and the user will eventually fall for it.
Browser extensions needs to declare their permissions. With Manifest V3 we’re seeing even more need to declare permissions.
Any extension cannot do anything not explicitly granted to it by the user upon installation.
Why is the security policy for extensions still not architected like other web permissions?
There has been a shift on mobile already from "take it or leave it"-style permissions on install towards more fine grained control not overidable by the app manifest.
I think Browser extensions should behave similarly. Especially when it comes to which origins an extensions is allowed to act on.
The user should be able to restrict this regardless of the manifest, even forced to do.
Extensions that need to act on all or an unknown set of origins should require a big and scary prompt after installation, regardless of what the user agrees to during installation.
I say this as a happy user of uBlock origin and React DevTools.
But for the common user the default should be to deny permissions and require user interaction.
It’s worth contrasting clear communication such as the above to a EULA designed by scummy companies to not be read, browsers presumably have nothing to gain by exposing malicious plugins, so they’re a good candidate for the former.
If only we could get Mozilla executive to implement something actually useful instead of whatever meme tech they’ve lost their nut over this week, that’d be nice.
I'd like an UI similar to the mobile one. I brought up the origin thing because for lots of extensions I would like that kind of UI for origin control. Origin control is part of WebExtension API, but it's during installation, which forces even well-meaning developers to request overly broad permissions for some kinds of extensions.
so they're not a total security nightmare if they're only authorized to run on sites where you don't enter any private data. for example, looking through my extensions list, the py3redirect that autmatically redirects python2 documentation pages to python3 pages doesn't request access to anything other than python.org.
but otherwise, yeah, you're giving permission to execute arbitrary code on any website you visit, which is about as compromised as your browser can get.
I'm really tired of reading stuff like this above. Seriously, AI is a disruptive tech and some people will oppose any change, but this is too much. All of the "security issues" mentioned in the article are true for browser extensions,and perhaps even software in general.
Then the author talks about "copyright mess" just before describing how it is pretty much resolved in their company (copilot banned).
The only real "problem with AI" is really a "problem with cloud" or more precisely "problem with people's lack of understanding of it". Average people should be interested in finding software alternatives that don't undermine their privacy.
For example look at AI image up scaling. Every single android app other than mine sends user's images to a server somewhere. Are those images retained? Are they scanned for whatever "legal purposes" the maker deems adequate? No one knows. No one cares. Well specifically in the entire world about 90 people seem to care.
Why 90 people? Because that's how many users my android app has 6 months after release. (the app does all processing locally, free version is ad supported, paid version can be used 100% offline).
This is like handing out footgun coupons to all citizens who become "of age" and saying it's cool cause they were already legally allowed to buy footguns.
I'm sorry for the off-topic comment, but why do I keep seeing this? What am I missing here – is it that some people define intelligence as >= human, or that LLM are not intelligence because they're *just* statistical models?
Currently, most mentions of AI, outside of a proper technical discussion, are coming from crypto-tier grifters and starry-eyed suckers. Even further, a lot of discussions from otherwise technical people are sci-fi-tier fearmongering about some ostensible Skynet, or something, it's not quite clear, but it's clearly quite cringe. The latter is one of the many calibers of ammunition being used by AI incumbents to dig regulatory moats for themselves.
Anyway, I understand why the author is distinguishing himself with his LLM...AI disclaimer, given the above.
It feels a bit wrong to me, because as you say it's arguably a grift, in this case on the taxpayer who funds science grants. More charitably it might just be the applicant admitting that they have no idea what they are doing, and the funding agency seeing this as a good chance to explore the unknown. Still, unless the field is AI research (mine isn't) it seems like funding agencies should giving money to people who understand their tools.
I don't think there is anything wrong with using the colloquial definition of the term when communicating with funding agencies/the public.
If you pull up the TOC for an AI textbook, you'll find lots of things that aren't "intelligent". Machine learning is just a subset of it. I recall a professor in the AI department back in the 90s working on describing the shape of an object from a photograph (image to text) based on a number of tools (edge detection was one paper I recall).
Also in AI is writing a deductive first order logic solver is covered in there as are min-max trees and constraint satisfaction problems.
https://www.cs.ubc.ca/~poole/ci/contents.html (note chapter 4)
https://www.wiley.com/en-us/Mathematical+Methods+in+Artifici...
People are trying to put a box around "AI" to mean a particular thing - maybe they want AI to mean "artificial general intelligence" rather than all the things that are covered in the intro to AI class in college.
I ultimately believe that trying to use a term that has been very broad for decades to apply to only a small subset of the domain is going to end up being a fruitless Scotsman tilting at windmills.
... And you know what, I think it does a pretty good job at being intelligent. https://chat.openai.com/share/01d760b3-4171-4e28-a23b-0b6565...
True intelligence is, of course, definitionally the ability to do things like art or… err, wait, sorry, I haven’t checked recently, where have we put the goalposts nowadays?
It’s unsurprising that creating machines that seem to do some stuff very intelligently and some other things not very intelligently at all is causing some discontent with regard to our language.
I see a whole lot more gnashing of teeth about goalposts moving than I do about people proposing actual solid goalposts.
So what’s your definition?
> It’s unsurprising that creating machines that seem to do some stuff very intelligently and some other things not very intelligently at all is causing some discontent with regard to our language.
I think I agree about the language.
I don’t have a definition of intelligence. I don’t work in one of those fields that would need to define it, so my first attempt probably wouldn’t be very good, but I’d say intelligence isn’t a single thing, but a label we’ve arbitrarily applied to a bunch of behaviors that are loosely related at best. So, trying to say this thing is intelligent, this thing is not, is basically hopeless, especially when things that we don’t believe are intelligent are being made to exhibit those behaviors, one behavior at a time.
> I see a whole lot more gnashing of teeth about goalposts moving than I do about people proposing actual solid goalposts.
I might not see a ton of explicit “here are the goalpost” type statements. But, every time someone says “I’m using the term AI, but actually of course this isn’t intelligence,” the seem to me at least to be referencing some implicit goalposts. If there isn’t a way of classifying what is or isn’t intelligent, how can they say something isn’t it? I think the people making the distinction have the responsibility to tell us where they’ve made the cutoff.
Maybe I’m just quibbling. Now that I’ve written all that out, I’m beginning to wonder if I just don’t like the wording of the disclaimer. I’d probably be satisfied if instead of “this isn’t intelligence, but I’m going to call it AI,” people would say “Intelligence is too hard to define, so I’m going to call this AI, because why not?”
I say we take the word intelligence and throw it out the window. It's a bit like talking about the either before we discovered more about physics. We chose a word with an ethereal definition that may or may not apply depending on the context.
So what do we do instead? We define sets of capability and context and devise tests around that. If it turns out a test actually sucked or was not expansive enough, we don't get rid of that particular test. Instead we make a new more advanced test with better coverage. Under this domain no human would pass all the tests either. We could each individual sub test with ratings like 'far below human capability', 'average human capability', 'far beyond human capabilities'. These tests could be everywhere from emotional understanding and comprehension, to reasoning and logical ability, and even include embodiment tests.
Of course even then I see a day where some embodied robot beats the vast majority of emotional, intellectual, and physical tests and some human supremacist still comes back with "iTs n0t InTeLLigeNt"
Its denoising software.
Now some people don't like using the term AI for soft/weak/narrow AI, because it's a fleeting definition, mostly applied to things that are novel and that we didn't think computers were able to do. Playing chess used to be considered AI, but a short time after AI beat the human chess world master it was no longer considered AI. If you buy a chess computer capable of beating Magnus Carlsen today that's considered a clever algorithm, no longer AI. You see the same thing playing out in real time right now with LLMs, where they go from AI to "just algorithms" in record time.
“What do you mean it’s not intelligent?! It passed Test X!”
“Yes and now that tells us Test X was not a good test for whatever it is we refer to as ‘intelligence’”
This is exactly it for me.
As much as chatgpt doesnt want to give you answers because the fuzziness, it has the ability to make judgements on things like "This is the best" or "This is the worst".
Ofc with bias.
I just want to say that this seems to be how many, if not most people define intelligence internally. If an LLM gets something wrong or doesn't know something, then it must be completely unintelligent. (as if humans never get anything wrong!)
LLMs do a whole lot of “wrong in a way that indicates it is not ‘thinking’ the way an intelligent human would.”
The user interface to Chat GPT and similar tools, though, has made a lot of people think that gap is gone, and that instead of thinking they are using an AI tool in the technical sense, they now think they're talking to a full-fledged other being in the sci-fi sense; that that idea has now come true.
So a lot of people are careful to distinguish the one from the other in their writing.
But they're still models. Anyone claiming that Bayesian/statistical models have intelligence is confusing the map for the territory.
An intelligent thing should easily generalize in these situations but LLMs fail to. I use GPT4 every day and I frequently encounter this kind of thing.
It seems to me that the perceived difference is mostly in being able to admit that you don't know something, rather than make up an answer -- but making up an answer is still something that humans do sometimes.
Just like some people define stupid as <= them. Aptitude is a multivariate spectra. It is already hard to come up with a cutoff on a single measure, way harder to do so for a bunch of different skills that for some reason happen to correlate in humans (and sometimes they diverge wildly as in the case of savant syndrome).
Also, that huge 4.7MB image in the head of the article...
Edit: Wow! I just tried loading the page and see that the ridiculously large image still loads. That’s a particularly obnoxious website: the image’s HTTP header says that its Content-Length is 0 so it still gets downloaded by the browser.
Alternatively, maybe anti-virus software can phone home to get on-the-fly advice.
Modern antivirus software already does this, more or less. It's usually called something like "cloud scanning."
My takeaway lesson is that the permissions model for extensions is confusing and nearly useless.
[1] https://chrome.google.com/webstore/detail/obscura/nhlkgnilpm...
For example, a web clipper operates on multiple domains, but it can avoid it by using activetab permission instead and then offering optional permissions if it wants when you click on the clipper extension icon.
If you want something to be done automatically on multiple domains, this is not possible without that permission. Not unless you want to annoy users with prompts.
But I think at the moment it's easier to get someone to install an extension as long it mentions GPT or AI.
In case you're not joking
