How do model disgorgement and algorithm deletion work? Espie Angelica A. de Leon discusses how artificial intelligence training data may infringe IP or privacy laws and explores emerging remedies.
Front and centre of the conversation about artificial intelligence are copyright infringement and data misuse. Training data fed into the AI model may include works that are copyright protected or personal information whose very use breaches privacy laws.
What is not part of the mainstream conversation are the terms “model disgorgement” and “algorithm deletion.” At least not yet.
Model disgorgement and algorithm deletion are remediation techniques for addressing the problem of AI systems, including machine learning models, being trained on copyrighted materials without the owner’s consent or on personal data protected by privacy laws.
How do they work?
These terms are used interchangeably, along with other concepts such as model deletion, algorithmic disgorgement and algorithmic destruction. “Context is important to decide which term is most accurate,” noted Christopher J. Rourk, a partner at Jackson Walker in Dallas.
The word “model” obviously refers to the AI model or machine learning model. But what is an algorithm, exactly? Rourk explained: “An algorithm is usually considered to be more self-contained than a model, like lines of functional computer code, whereas a model might include ‘weights’ or other data that are part of the algorithms in the model at each node of a plurality of nodes – say, in a neural network – where the weights are adjusted at multiple nodes in response to training data.”
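For readers who think in code, the distinction can be made concrete with a toy example. The sketch below (plain Python with NumPy; all names and numbers are purely illustrative) treats the functions as the “algorithm”, self-contained lines of functional code, while the “model” is that code together with the weights shaped by the training data.

```python
# Illustrative only: a one-layer logistic "network" in plain Python/NumPy.
import numpy as np

rng = np.random.default_rng(0)

# The "algorithm": self-contained, functional code that never changes.
def predict(weights, x):
    return 1.0 / (1.0 + np.exp(-x @ weights))

def train(x, y, steps=1000, lr=0.1):
    weights = np.zeros(x.shape[1])
    for _ in range(steps):
        error = predict(weights, x) - y
        # Weights are adjusted in response to the training data.
        weights -= lr * (x.T @ error) / len(y)
    return weights

# The "model": the algorithm above plus the weights the data has shaped.
x = rng.normal(size=(100, 3))       # stand-in training data
y = (x[:, 0] > 0).astype(float)     # stand-in labels
model_weights = train(x, y)
```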
Model disgorgement and algorithm deletion work by extracting or deleting illegitimate or unauthorized data from the AI system, making it appear that such data was never used to train the model in the first place. The remedy may also extend to destroying the AI model or the algorithms within it, as well as any products developed using the removed data.
In the U.S., the Federal Trade Commission (FTC) has begun ordering model disgorgement in certain cases.
In 2019, the agency ordered Cambridge Analytica to destroy its algorithms in a data breach scandal that made headlines around the world. The London-based data analytics firm was found to have collected information about millions of Facebook users, via the personality profiling app This Is Your Digital Life, for political purposes. The majority of those users did not consent to the use of their personal data. Cambridge Analytica ceased operations on May 1, 2018, in the midst of the scandal.
In March 2022, the FTC ordered WW International, formerly Weight Watchers International, to delete personal information it collected from children under 13 without their parents’ consent. The agency also ordered the destruction of models or algorithms created using the children’s data.
In May 2023, it ordered edtech platform Edmodo to delete models or algorithms that stemmed from data it collected from children without their parents’ permission. The California-based company had harvested and used the data for advertising purposes.
These are just a few examples.
According to Dalvin Chien, a partner at Mills Oakley in Sydney, model disgorgement and algorithm deletion were more practical during the early days of AI, when models were simpler. The models could be easily rebuilt, and the offending data could be easily identified and removed. Simple AI systems also meant lower upfront costs, making it easier to start from scratch when circumstances warranted it.
However, AI models have evolved. They now have stronger capabilities and processing techniques, which means AI companies have been investing more resources and time into building them. Given this, remediation techniques have had to keep pace.
Here are some modern model disgorgement techniques, which are also AI-enabled:
Retraining. This technique involves removing the offending data and then retraining the AI model. However, the volume of information that has been used to train the model is constantly increasing, making this technique increasingly difficult. “Nonetheless, it could still be viable if a faster way of identifying and removing offending data, such as by another AI, from a dataset is developed,” said Malcolm Liu, a senior associate at Mills Oakley in Sydney.
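In code, retraining-based disgorgement is conceptually simple even if it is expensive at scale. The sketch below is a rough illustration only; it assumes the offending records can be identified by ID, and `train_fn` is a placeholder for whatever training pipeline is actually in use.

```python
# A minimal sketch of retraining-based disgorgement (placeholder names throughout).
def retrain_without(dataset, offending_ids, train_fn):
    """Drop the offending records, then rebuild the model from scratch."""
    cleaned = [record for record in dataset if record["id"] not in offending_ids]
    # The old model and its weights are discarded entirely; only clean data remains.
    return train_fn(cleaned)

# Hypothetical usage:
# new_model = retrain_without(full_dataset, flagged_ids, train_model)
```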
Unlearning. The AI model is taught to remove the effects of the offending data. Thus, it eliminates manual searching and actual removal of the data. “For example, if a particular outcome is derived or a particular effect is applied as a result of the AI model using the offending data, the AI model disregards or gives less consideration to that outcome or effect,” said Chien. Unlearning also allows the AI model to continue its development.
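Machine unlearning is an active research area and approaches differ; the sketch below illustrates just one simple idea, reversing gradient updates on the offending examples so that their influence on a small logistic model is wound back. It is not a description of any particular company’s method.

```python
# Illustrative gradient-ascent "forgetting" on a simple logistic model.
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def unlearn(weights, x_offending, y_offending, steps=100, lr=0.01):
    w = weights.copy()
    for _ in range(steps):
        error = sigmoid(x_offending @ w) - y_offending
        grad = (x_offending.T @ error) / len(y_offending)
        # Ascend the loss on the offending data so the model "gives it less consideration".
        w += lr * grad
    return w
```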
Compartmentalization. “This is where instead of having a single AI model that is trained on a single but large dataset, multiple smaller AI models trained on smaller datasets are used instead, and their combined or averaged outputs are displayed. This way, if the offending data is located in the datasets of only one or a few of those smaller AI models, those AI models can be removed without substantially impacting the performance of the overall AI system,” Liu explained.
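Liu’s description resembles sharded or ensemble training. The sketch below is a simplified reading of that idea, with the shard and model objects as placeholders: each shard of data gets its own small model, their outputs are averaged, and a sub-model whose shard is found to contain offending data can simply be dropped and, if needed, retrained on a cleaned shard.

```python
# Simplified compartmentalization sketch: one small model per data shard.
import numpy as np

def train_shards(shards, train_fn):
    """Train one sub-model per shard; `shards` maps shard IDs to datasets."""
    return {shard_id: train_fn(data) for shard_id, data in shards.items()}

def ensemble_predict(models, x):
    """Average the sub-models' outputs to produce the overall system's answer."""
    return np.mean([m.predict(x) for m in models.values()], axis=0)

def disgorge_shard(models, offending_shard_id):
    """Remove only the sub-model whose shard contained the offending data."""
    remaining = dict(models)
    remaining.pop(offending_shard_id, None)
    return remaining
```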
According to Rourk, it is difficult to detect whether copyright-protected work or data protected by privacy laws was used to train an AI model. He added that it may even be an open legal question whether copyright infringement or a data privacy violation has occurred if there is no way for the training data to be output. A case in point is generic object recognition in image data.