LessWrong, the day before yesterday, 00:53
Approaches to Mitigating AI Image-Generation Risks through Regulation

 

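The article explores the potential risks of AI image-generation technology, with particular attention to GPT-4o's ability to generate photorealistic images. It argues that this technology could pose serious threats to the legal system, to political and social stability, and to personal privacy. To address these risks, it proposes two main mitigation strategies: invisible watermarking, and an AI image database that identifies AI-generated images through reverse image search. It also discusses measures for open-source models, including mandatory watermark training and outright bans. The author is pessimistic about future action and believes that effective measures are unlikely to be taken before the problem becomes irreversible.

⚖️ **Legal system risks:** The ability of AI to generate photorealistic images could challenge the legal system. Fake images could be used to fabricate evidence, leading to innocent people being convicted or guilty people going free.

📢 **Political and social manipulation:** As AI image-generation technology spreads, society may face large-scale disinformation. People unfamiliar with technology are more easily misled, which in turn affects elections, personal reputations and more.

💔 **Privacy and consent violations:** AI technology could be abused to generate pornographic and defamatory content, violating personal privacy. Low-cost generation tools mean anyone can become a victim.

💧 **Watermarking:** Existing solutions include invisible watermarks, such as Google DeepMind's SynthID. The long-term effectiveness of watermarking is uncertain, however, and it may be defeated by malicious techniques.

🔍 **AI image database:** The article proposes building an AI image database to which users can upload suspicious images for reverse search. This approach avoids an adversarial contest with hackers and makes use of existing reverse-image-search technology.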

Published on April 19, 2025 1:54 PM GMT

1. The Risks (and Motivation)

On the 25th March 2025, OpenAI quietly unveiled their latest image generation capabilities, built into GPT-4o. This model was made available to all users with their $20/month ‘Plus’ membership, meaning over 11 million users have access to this model. 

The latest model is significantly more capable than the previous, notably in its ability to produce photorealistic images, and images including text (e.g. receipts and road signs). 

This is a sobering advancement in the state-of-the-art, and I now believe that we are no further than 12 months from the release of AI models which can produce images that cannot be detected by humans or computers. 

This technology will have enormous ramifications across the entire planet. Some examples of the damaging consequences of this technology are listed below:

1.1 Legal System Risks

While I have been unable to find a figure specifically for images, a study by Nottingham Trent University in 2017 found that CCTV proved useful in 65% of criminal cases. The possibility to automatically generate images of crimes will lead to one of two outcomes. The first is that the legal system (absurdly) continues to allow photographic evidence in the courtroom, and hundreds, thousands, or more, individuals are wrongfully convicted. The second is that the legal system no longer deems photographic evidence as valid, and individuals are found not guilty despite photographic evidence existing of their crimes. 

1.2 Political and Social Manipulation

Society will see sweeping change as a result of this technology. While people who are technology-literate will quickly begin to disregard all photographic evidence as unreliable, those who are not informed (specifically older generations) will fall victim to constant disinformation campaigns. These will affect the electoral system in every country, and will be extremely damaging to many individuals in the public eye.

1.3 Privacy and Consent Violations

As we have already seen, pornographic and compromising content involving anybody in the public eye will become increasingly common. This may not be restricted to public figures, as low-cost technology of this kind may enable this content to be generated by anybody, of anybody, with only a few images of the victim. 

2. Approaches to Risk Mitigation

It is clear, given the risks outlined previously, that systems need to be developed to identify AI-generated images.

2.1 Steganographic Watermarking

Steganographic watermarks, hidden inside of images and invisible to the human eye, are currently the industry’s only attempt at a real solution. Google’s DeepMind has created the current state-of-the-art, called SynthID. 

“It doesn’t compromise image or video quality, and allows the watermark to remain detectable — even after modifications like cropping, adding filters, changing colors, changing frame rates and saving with various lossy compression schemes”. – Google DeepMind

This kind of watermarking, at least for now, may be effective, but not every AI provider is doing it. OpenAI, for example, is still only watermarking their images with metadata which can easily be erased. 

In the long term, it is unclear to what extent this watermarking will continue to be effective. One can easily envision adversarial technologies being created for the express purpose of removing these watermarks. Google has stated that SynthID is resilient to cropping, compression, etc., but they have not publicly stated its resilience to malicious attack. In past experiments, AI watermarking has proven to be flimsy at best.

2.2 The Alternative: An AI Image Database

So, what is the alternative? I am proposing an alternative strategy towards AI image identification which does not require a cat-and-mouse chase between researchers and adversaries. 

A provider of an AI image generating tool could create a central portal, to which users can upload any image they deem suspicious. This portal would then perform a reverse-image-search on a database containing all images that the platform has ever generated. If a match is found, the image is confirmed to be AI generated. 

This approach is preferable for a number of reasons:

- No cat-and-mouse chase: There will be no option for hackers to reverse-engineer and remove identifying features in post, as identifying features are not used. The image itself is the identifying feature.
- The beaten track: As can be seen with technologies like Google Lens, reverse-image-search technology is already very advanced. Even with heavy image alteration, algorithms have been devised which can still identify similarities with a source image.

This idea could be further improved if it were to be shared between providers. If OpenAI, Google, Anthropic, etc were to collaborate in the name of Safe AI, a central portal could be devised which checks all of their databases at once for matching images. 

If organisations are not willing to collaborate, then forward-thinking governments could enforce this collaboration by devising their own central portal, and mandating cooperation with its developers. The EU is one such government which has already developed a positive track record for AI regulation, and represents a population large enough to be taken seriously by these companies. 
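The portal lookup described in this section can be sketched as follows (an added example, not code from the original post or from any provider): each provider stores a perceptual hash of every image it generates, and the portal compares an upload against all registries by Hamming distance. The difference hash, the `Registry` class, the provider names, the image IDs and the 64x64 grayscale grids are assumptions constructed for illustration; a production system would use a stronger similarity index.

```python
# Added example: images are constructed 64x64 grayscale grids (rows of values 0-255).
def shrink(pixels, out_w, out_h):
    """Downscale by block averaging, so a local edit only nudges a few cells."""
    h, w = len(pixels), len(pixels[0])
    ys = [i * h // out_h for i in range(out_h + 1)]
    xs = [i * w // out_w for i in range(out_w + 1)]
    return [[sum(pixels[y][x] for y in range(ys[r], ys[r + 1]) for x in range(xs[c], xs[c + 1]))
             / ((ys[r + 1] - ys[r]) * (xs[c + 1] - xs[c]))
             for c in range(out_w)] for r in range(out_h)]

def dhash(pixels, size=8):
    """Difference hash: one bit per cell, set when it is brighter than its right neighbour."""
    bits = 0
    for row in shrink(pixels, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

class Registry:
    """Hypothetical per-provider index: one hash stored for every image it generates."""
    def __init__(self, provider):
        self.provider, self.index = provider, {}
    def record(self, image_id, pixels):
        self.index[image_id] = dhash(pixels)

def portal_check(registries, pixels, max_distance=10):
    """Query every provider; return (distance, provider, image_id) of the best match, or None."""
    query = dhash(pixels)
    hits = [(hamming(query, h), reg.provider, image_id)
            for reg in registries for image_id, h in reg.index.items()]
    hits = [hit for hit in hits if hit[0] <= max_distance]
    return min(hits) if hits else None

def synth(fn, size=64):
    return [[fn(x, y) for x in range(size)] for y in range(size)]

# Constructed sample data: two providers, one generated image each.
provider_a, provider_b = Registry("provider-a"), Registry("provider-b")
generated = synth(lambda x, y: 3 * x)
provider_a.record("img-0001", generated)
provider_b.record("img-0002", synth(lambda x, y: 200 - 3 * x if y < 32 else 3 * x))
# A circulated copy of img-0001: brightened by 20 and stamped with a 6x6 white mark.
altered = [[255 if x < 6 and y < 6 else v + 20 for x, v in enumerate(row)]
           for y, row in enumerate(generated)]
unrelated = synth(lambda x, y: 189 - 3 * x)  # stands in for an image no provider generated

print(portal_check([provider_a, provider_b], altered),
      portal_check([provider_a, provider_b], unrelated))
```

A `None` result only means the upload is not in any participating registry. A simple difference hash like this tolerates brightness changes and small overlays, but not heavy crops or rotations.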

3. What About Open-Source?

Clearly this solution would not work for open-source models, as these would not be linked to a single image lookup database. There are two potential courses of action for governments to mitigate open-source risk:

3.1 Mandating Training with Watermarks

It may be possible to train an image generation model to produce watermarks on all images natively (e.g. by training the model exclusively on images that have been watermarked). In this case, governments may be able to mandate that open-source models are permitted, but only if they have been trained in this way. 

If watermarking can only be performed as a separate function, then it will be pointless for governments to mandate watermarking capabilities of open-source models, as bad actors will be able to simply remove the watermarking functionality on their own machines. 

3.2 Outright Bans

This is an extreme precaution, but desperate times call for desperate measures. If the previous approach was unsuccessful, the only way to mitigate the risk of these models would be to ban open-source variants of AI image-generating models that are capable of generating photorealistic images. 

Some may argue that it is unconstitutional or unrealistic to ban AI models, as they are essentially huge repositories of matrices, and therefore ‘just maths’. However, there is already a large variety of digital (“just maths”) files which are deemed illegal to own, including (but not limited to) classified government documents, illegal numbers, and illegal pornography. Therefore, there is clearly already a legal precedent to enable this kind of regulation.

4. Conclusion

I believe that the vast majority of the public have not considered the vast and far-reaching implications of this technology, and neither has the government. I have outlined above some mitigations that would (thinking optimistically) greatly mitigate these effects; however, I’m not optimistic that any action will be taken on this front until it is too late.


