AI companies generally keep a tight grip on their models to discourage misuse. For example, if you ask ChatGPT to give you someone's phone number or instructions for doing something illegal, it will likely just tell you it cannot help. However, as many examples over time have shown, clever prompt engineering or model fine-tuning can sometimes get these models to say things they otherwise wouldn't. The unwanted information may still be hidden somewhere inside the model, accessible with the right techniques.
At present, companies tend to deal with this issue by applying guardrails: the idea is to check whether a prompt or the AI's response contains forbidden material. Machine unlearning instead asks whether an AI can be made to forget a piece of information that the company doesn't want it to know. The technique takes a leaky model and the specific training data to be removed, and uses them to create a new model: essentially, a version of the original that appears never to have learned that data. Machine unlearning has ties to older techniques in AI research, but it has only been applied to large language models within the past few years.
Jinju Kim, a master's student at Sungkyunkwan University who worked on the paper with Ko and others, sees guardrails as fences built around bad data, put up to keep people away from it. "You can't get through the fence, but some people will still try to go under the fence or over the fence," Kim says. Unlearning, she says, attempts to remove the bad data altogether, so there is nothing behind the fence at all.
But the way current text-to-speech systems are designed makes this a little more complicated. These so-called zero-shot models use examples of people's speech to learn how to re-create any voice, including voices not included in the training set: given enough data, they can be good mimics when supplied with even a small sample of someone's voice. So "unlearning" means a model must not only "forget" voices it was trained on but also learn not to mimic specific voices it was not trained on. All the while, it still needs to perform well for other voices.
To work out how to achieve those results, Kim's team taught a re-creation of VoiceBox, Meta's speech generation model, that when it was prompted to produce a text sample in one of the voices to be redacted, it should respond with a random voice instead. To make these random voices realistic, the model "teaches" itself, using random voices of its own creation.
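The article does not give the team's actual training objective, but the idea it describes can be sketched abstractly: for redacted speakers, steer the model's output toward a randomly drawn voice; for everyone else, keep matching the original target. The function below is a hypothetical toy version operating on small "voice embedding" vectors, not real speech.

```python
import numpy as np

rng = np.random.default_rng(0)

def unlearning_loss(model_out, target_voice, forget, random_voice):
    """Toy objective: for a 'forget' speaker, pull the model's output
    toward a random voice embedding; otherwise keep matching the
    original target voice. Illustrative only; the real method trains
    on full speech generations, not 4-dim vectors."""
    target = random_voice if forget else target_voice
    return float(np.mean((model_out - target) ** 2))

# toy 4-dimensional "voice embeddings"
original = np.ones(4)
random_voice = rng.normal(size=4)

# retained speaker: the loss rewards matching the original voice
keep_loss = unlearning_loss(original, original, forget=False,
                            random_voice=random_voice)

# redacted speaker: the same output is now penalized, because the
# target has been swapped for a random voice
forget_loss = unlearning_loss(original, original, forget=True,
                              random_voice=random_voice)
```

Minimizing this swapped-target loss is what pushes the model to answer forget-set prompts with a voice unrelated to the one requested.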
The team's results, presented at the International Conference on Machine Learning this week, show that the resulting model mimics the "forgotten" voices far less well, as measured by state-of-the-art tools for gauging speech similarity. In effect, this makes the regenerated voice clearly different from the original. But forgetting comes at a cost: the model is about 2.8% worse at mimicking the permitted voices. While such percentages are a bit difficult to interpret, the demos the researchers released online offer quite convincing results, both in how well the redacted voices are forgotten and in how well the rest are remembered. A sample demo is below.
Ko says the unlearning process takes "several days," depending on how many speakers the researchers want the model to forget. Their method also requires an audio clip about five minutes long for each speaker whose voice is to be forgotten.
In machine unlearning, data is often replaced with randomness so that the original cannot be reverse-engineered. In this paper, the randomness of the outputs for the forgotten speakers is very high: a sign, the authors argue, that the voices are truly forgotten by the model.
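As a rough illustration of how such claims are checked, speaker-verification tools commonly score voice similarity as the cosine similarity between speaker embeddings; a forgotten voice should score low against the original, close to what a random voice would score. The embeddings and function below are a minimal hypothetical sketch, not the specific tools the team used.

```python
import numpy as np

def speaker_similarity(emb_a, emb_b):
    """Cosine similarity between two speaker embeddings.
    Values near 1 mean 'same speaker'; values near 0 or below
    mean the voices are unrelated. (Toy sketch; real systems
    derive embeddings from audio with a speaker-verification model.)"""
    a = np.asarray(emb_a, dtype=float)
    b = np.asarray(emb_b, dtype=float)
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))

original = [1.0, 0.0, 1.0]       # hypothetical embedding of the real voice
close_mimic = [0.9, 0.1, 1.1]    # before unlearning: output tracks the voice
random_voice = [-1.0, 1.0, 0.0]  # after unlearning: output looks random

before = speaker_similarity(original, close_mimic)
after = speaker_similarity(original, random_voice)
```

A large drop from `before` to `after` is the kind of evidence the paper points to when arguing a voice has genuinely been unlearned.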
"We've seen that people optimize for randomness in other contexts," says Vaidehi Patil, a doctoral student at the University of North Carolina at Chapel Hill who studies machine unlearning. "This is one of the first works I've seen for speech." Patil is organizing a machine-unlearning workshop co-located with the conference, and it also features voice-unlearning research.
