
Loading summary
Liberty Vitter Capito
Hello and welcome to the Harvard Data Science Review Podcast. I'm Liberty Vitter Capito, feature editor of the Harvard Data Science Review, and along with my co host and editor in chief, Shali Meng, we'll be talking about things once only seen in science fiction movies, popularized by the mask pull scenes in Mission Impossible films, deep fake technology. It has become one of the most powerful and consequential applications of generative AI, blurring the line between reality and illusion and reshaping the way we trust what we see and hear online. This month we're exploring that phenomenon with Professor Su Weilu, whose lab develops cutting edge deepfake detection methods, and Professor Hany Farid, a pioneer of digital forensics. Together they'll guide us through the entire data journey, from the massive raw data sets that feed synthetic media to the pixel level signatures that betray it. Whether you're a computer scientist, a policymaker, or simply curious about how synthetic content is altering the information landscape, join us for an in depth conversation on turning data into both convincing illusions and resilient safeguards, and on how we can preserve trust and truth in a rapidly evolving digital world.
Shali Meng
Hanni, four years ago, almost to the day, we had you on talking about misinformation and disinformation and we were just talking before we started recording about how much the world has changed or if that's just a comment that we make because it feels fast and it would always feel fast. Or have these last four years actually been different than, let's say, the last 50? And in that sense, what's changed?
Hany Farid
Yeah, well, first of all, I'm old enough to have lived through the personal computer revolution, the Internet revolution, the mobile revolution and the social media revolution. And this one is different. And it's different on several levels. One is that it is much, much faster. We used to measure these changes in these 12 to 18 month cycle. Now I measure in 12 to 18 days, things are accelerating at a pace that I have not seen before in my 30 year odd career. That's number one. Number two is, I mean, no kidding, from four years ago, it's almost an unrecognizable world when it comes to generative AI and AI broadly and certainly on what we had talked about then, which is mis and disinformation, which has only gotten worse because social media continues its downward spiral into the absolute lowest common denominator. Now it's being fueled by generative AI, fake images, fake audio, fake video. And here's the thing, going forward, we don't have to wait four years by the way, we can talk a little bit sooner than that, but it's not slowing down. I think we are still very much on the steep side of this curve and there is absolutely more to come.
Shali Meng
Everyone at this point, or most people, I think, have heard the word a deep fake or have heard the word disinformation or misinformation in the past year. Could you give me some examples of when people have been fooled by this or when you've been asked is this real or not, that people might be able to understand a little bit more what they're seeing or think they're seen?
Hany Farid
Yeah, let me give you a few examples. I think this is the one that probably got the most attention and was a bit of an inflection point for generative AI deepfakes, which let me just define, that is broadly speaking the creation of images, audio and video largely by machine learning or artificial intelligence. That's the simple definition where you simply type give me an image of and it will hand you a photorealistic image. And I think one of the inflection points was the Pope in the white puffer coat. This was an image that was really, I think, shook people. Not because it was funny, it was not because it was cool, it was. But because a lot of people thought it was real. And it was this moment, I think, when people realized our eyes are not trustworthy. Now, don't get me wrong, our eyes were never trustworthy, but that was a moment where people realized it. Now we have seen phenomenal large scale fraud. We have seen companies lose 25, 35, $50 million because they are on a call with what they think is their CFO or their CEO and they are not. And I will tell you, every one of those that you read in the newspaper, there are 10 that you don't read about. We have continued to see small scale fraud where parents are getting phone calls from what they think are their loved ones and it is not. They are not in trouble and they are losing thousands of dollars. We continue to see horrific, terrible, gut wrenching, non consensual intimate imagery where women's likenesses are being inserted into explicit material and then being weaponized against them. We are now seeing that against children. We are also seeing disinformation campaigns around elections, around global conflicts. And here's the one that has always sort of kept me up at night is that when we live in this world where deepfakes, generative AI can create an image, an audio or video of anybody doing, saying anything, nothing has to be real. And Then when you see a video out of Gaza with human rights catastrophes, oh, it's fake. When you see human rights violations in Ukraine, it's fake. When you see a video of Donald Trump saying something ridiculous, it's fake. And so suddenly you get to deny reality. And what I've seen over the last four years, and really more than that is, is this alternate reality that we all now occupy because nobody knows what to believe anymore. And so you sort of throw your hands up in the air. And this is particularly true when the majority of Americans, and in fact the majority of the world's population gets their news, if you can generously call it that, on social media, which makes everything worse because your world is being filtered by these algorithms that are simply designed to keep you pointing and clicking. And that's what you and I talked about four years ago. And so there have been lots and lots of examples on an individual level, on an enterprise level, on a society level, on a democracy level. And it's honestly just about every day you see something like this.
Su Weilu
Let me follow up on that because what you said is really giving me a sense, right? We have been using this word deep, right? The deep learning, not deep fake, but it sounds like we're really getting ourself into deep. I'm not going to use four letters word, but deep trouble. And so in a way, as a data scientist, we feel kind of a mixed feeling, right? You know, we create this incredibly powerful tool, but like everything else in life, when it's something powerful, it can be used by all sides, right? So Xu Wei, we are the ones who understand all the deep trouble we're in. We're also kind of partially responsible for creating this thing. As a data scientist or computer science, what is our responsibility here? How do we even process the kind of a situation we're in, both as someone on technology side, but also as a consumer?
Xu Wei
Yeah, that's a very good question. I think if I put on my computer scientist hat, I'll say there are two levels of problems. We're dealing with the powerful AI systems right now. One is at the technical level, the other is at the user's level, whoever using those tools. The first level, technically speaking, the AI tools are not safety certified. So we design AI systems like the ChatGPT system, the ChatGPT, like chatbot systems or image generation, video generation, audio generation systems, they do not carry a built in safety certificate. That's a technical problem we have to solve. For instance, somebody can tweak the prompts you to make the system Generating something that is inappropriate, that's built into the system, whoever uses know the trick will be able to trigger that. So that requires a tactical level solution. That's why we pay a lot of attention these days about understanding the safety issues of generative AI models. How do we improve their overall fairness and security built into that design of the system? I think from this perspective, the safety issue of generated AI models are not so different from everything we have seen before, like Internet and social media. We have this mindset of build it and then fix it, right? We're still in the growing phase of generative AI models. So it's right now, the moment, the time, almost like the last part of the window, for us to build that design into the system so that we'll have something that's safer at least. So I think that's the technical side of the problem, the social side is that even though the system is perfectly safe, we cannot guarantee that it will not be used for bad purposes. People with bad intentions will use them, abuse them. There is a tactical solution for that too. So that's one of my major research topic is how do we make sure something is generated by AI or come from a real camera, real device, or we'll build in some tactical solutions so that we can trace those data or at least make it harder for somebody to misuse the tool to create something that's harmful. But there's a lot of social aspects of this. I think number one most important thing is user education. You know, a lot of people do not know about this because they thought this is like super technical, complicated topics, there's no way you can understand them. Turns out that the fundamental core ideas and the potential impacts can be easily explained to everyone, including older adults and teenagers. Actually, I gave talks to older adults and teenagers at the Buffalo area. They tend to be the group that's mostly engaged in this topic because they're curious, they want to know and they also understand the potential impact because many times they're on the receiving end of this kind of attacks. The second part of course is the government need to step in because making the AI model safe is the same way as saying making Internet safe, making social media safe is fundamentally against the profit generation model of all the enterprise, the companies behind them. This is where government coming in say how can we regulate and put some safeguarding rails against the misuses of these kind of issues. As a computer scientist, I feel like we're part of the reason of this problem, but we can also play a very active role as a Solution.
Su Weilu
What are the things in terms of data and the process involved in creating these fakes? Or these days, probably just so easy, you just say, hey, here's what I want, here's a prompt. Part of the danger probably is anyone with a bad intention can utilize these powerful tools to do what they want without much of the technical background.
Xu Wei
Is that the case in terms of using the tools? That's probably the case. Now I see again, Hany has longer history working in this area, but I've been working with generative AI models because we work on the detection of AI generated contents, we get ourselves familiar with the generated tools too. For the past three, four years, I've been seeing a clear generation change of the easiness, accessibility and the quality of those models. Starting from you have to know some coding at least, you have to have some basic idea of machine learning AI and being able to have a computer with a gpu. Now to the fact that you only need to know what you want to do and the web browser, have access to the web page, put your idea into words, give it to the software, it will generate it for you in a matter of seconds. So I think the accessibility part huge, improved. But in terms of getting the model is actually, I will say this is the bliss for data science because the models were trained on tens of billions, hundreds of billions, if not trillions of amount of data to reach this level of quality. And the training of those data becomes more and more like a monoplied this day. I mean, used to be I can do a homebrew model myself. Now I think nobody can. Any individual has the power, the computation power, resources or time to be able to create, recreate, model like stable diffusion or chatgpt. I mean we can refine it but not train it from the ground. So in some sense data science is being pushed to the limit, scale up and use up all the algorithm potentials to reach the current level of sophistication of generative AI tools.
Shali Meng
So Henny, I want to go a little bit deeper into detection. So I teach an intro data science class. And so we always do one day where we talk about deep fakes and I always put up, you know, images, you know, left and right, which one's real, which one's not. And frankly, up until about a year and a half ago, the students were pretty good at telling. Interestingly, they were better at telling when it wasn't a famous person because I think the deep fakes of the famous people are just so good. But you know, you put up Obama there and they have no idea which one's real and which one's not. And as you said with the puffer and the Pope, we just, we can't believe our eyes anymore. We. There's no way to tell as a human what's happening. So what are the techniques that you use to detect if something is real or not? And can you always detect it? Are there always signatures?
Hany Farid
So a couple of things. One is you're right up until, you know, maybe a year ago, six months ago, you know, the images where you could always. There's a little tell. I would say that's largely gone now. We actually do perceptual studies. We show the images to people and they're better than chance. They're not flipping a coin, but not much better. Also with voices, we just wrapped up a perceptual study. Slightly better than chance, not much better, certainly not consistently so. I would say video is a little bit further behind. I think with video you can still tell. But have me back in a year and I'll probably say it's over. We're through the so called uncanny valley. So we've got to give up on the perceptual. Either it's over or it will soon be over. So what are your options here? And there's sort of two main pillars for detection, what we call active forensics and passive forensics. So active forensics goes something like this. You are an OpenAI, a mid journey, a stable diffusion, a company that is in the business of generating AI generated content. And you are a responsible player in the space like OpenAI is in this regard. And what they say is when we create a piece of content we are going to insert some metadata that is cryptographically signed so you can tell it's from us. Maybe we're going to insert a watermark and maybe we're going to extract a digital signature that allows us to keep track of this content. There is an open standard for this called the C2PA, the Coalition for Content Provenance and Authentication. And for full disclosure, I'm affiliated with this, it's a not for profit Linux foundation and it has created a standard that says if you and we would like you to sign your content so that downstream we can detect it. Think about it as you're a biologist. You catch an animal, you tag it and you let it into the wild. Once you see the tag, you know what it is. So same idea. So this stuff is great. We love watermarks, we love metadata, we love signatures. They're not perfect. There's lots of convers we can have around it in terms of robustness and resilience and so on and so forth. But for the companies that participate, and importantly for the companies at the other end on the display side, that then will show the credentials, it's great. It helps the user. And today if you go to OpenAI and you generate an image, it will insert some metadata that tells you it was generated by them. And if you upload it to LinkedIn, LinkedIn will respect that credential and put a little cr in the top left corner saying this is a content credential, it was generated by AI. It doesn't solve all the problems, but it's part of a solution that will help consumers flag this, particularly when they use technologies from the companies that partake. But as C Way just said, you know, not everybody's a good guy out there, right? There's bad guys out there, there are cyber criminals, there's state sponsored actors, there's people using open source models that will simply rip out this technology. So there the passive techniques come in and this is our bread and butter. Now so here what we do is, is again two things. One is we look for artifacts in the images that are consistent with AI generated content, or we look for artifacts that are inconsistent with what you expect in the physical world. I'll give you a couple of examples in a minute, but let me just cut to the chase. It's not perfect. It's a really hard problem. It will not catch everything. It will catch a lot. And if you give us a little bit of time and you ask maybe somebody like Seaway and somebody like me and maybe two other world leaders in this space and you do some good investigation online, we're going to figure it out eventually. But that doesn't scale to a billion uploads every day to the Internet. So it sort of depends on what the scale is. You're asking about super hard problem. Let me give you a couple of examples of things we can do. So here again there's two or sensing a theme here in the, in the stratification, there's two basic approaches, what we call a data driven approach and a hypothesis driven approach. And the data driven approach approach is exactly what you think it is as a bunch of data scientists, right? Which is you say, okay, I'm going to get a bunch of AI generated images, I'm going to get a bunch of natural recorded images and I'm going to train a network to tell the difference. So that has lots of advantages. The advantage is it can find patterns that we may not have known about. The disadvantage is that it's not really particularly explainable. It tends not to work when you give it things that it hasn't seen before. The so called out of domain problem, it's vulnerable to counterattack. But it is absolutely part of an arsenal in forensics. The more hypothesis driven goes something like this. It says, well, we know that AI generated content ups and down samples, images during the denoising process in diffusion. We know that that leaves behind a very specific statistical artifact because of the way they up and down sample the image and we're going to go hunting for that artifact. Or we know that because generative AI today is fundamentally a statistical inference engine. It doesn't know about the physics of the world, it doesn't know about the geometry about the world, it doesn't know about the three dimensional properties of the world. It tends to get things like shadows and perspective, geometry and reflections and lighting physically inconsistent. Not so much so that the user of human visual system can tell the difference, but we can measure and tell the difference. Those are the hypothesis driven. Anybody's forensics toolkit will have all of these different techniques in them. And again, you start stacking these things up and you can do some damage. Sometimes it can be very fast, it can be done at scale and sometimes it takes time. There are days where I will get requests from the media and it takes seconds and there are days where it takes hours and days depending on how complicated it is. The curse for us is if you give us a really high resolution, high quality image, we're pretty good at it. You start degrading the image by adding compression, adversarial noise, you know, reducing the resolution, it gets harder and harder and harder. And one of the biggest challenges is that when social media gets their grubby little paws on content, they tend to rip out the metadata, they downsize the resolution, they reduce the quality, and by the time we get it, it's gone through God knows what nonsense and our job is a lot harder. So, you know, I think this is the proverbial arms race. We know this. We're in a cyber security world, right? We get better, the adversary gets better, we get better, the adversary gets better. And that's okay. It's okay that it's adversarial. And here's why. I'll give you an analogy. When I leave the house every morning, I lock my door and I lock my door, despite knowing that somebody can pick the lock, despite knowing that somebody can break a window and get into my house. Why? Because I deter the common criminal. Right. The crime of opportunity. I don't. My house is not 100% secure. And everything in cyber security is like this, right? We knock off the bottom layers and now we are dealing with a relatively small, hopefully very sophisticated, very well funded and very technically competent adversary. And that's a more manageable problem than a 14 year old in their basement disrupting a national election in the United States. And so that's what we have to do. We just simply raise the bar to make it harder, more time consuming and more risky and then we declare success.
Su Weilu
Two points here. I want to reflect a little bit on it as a statistician. But first is when you say the data driven and the hypothesis driven, you pretty much summarize the whole statistical field, right?
Hany Farid
Yeah.
Su Weilu
I always tell my students like there's only two way you get the information, data and hypothesis.
Hany Farid
Yes, right.
Su Weilu
But now you're saying back there, that's the two way to think about how to do those things. The other thing you mentioned about locking your door, I think it's a great analogy. Life itself is statistical. There's always risk, right? And you try to prevent the most and you can't prevent everything, but if anything can prevent everything, that you probably destroys everything. So you leave some risk that you manage.
Hany Farid
100%. 100% mitigation.
Su Weilu
Mitigation. So my plug line here is for all the people listening, take some statistic courses, okay? Understand the statistical reasoning, the risk, the bias, the trade off, all the stuff. But most serious question, I guess is a more philosopher question. Exactly. On the point you mentioned, you're saying, well, yes, we can deal with the vast majority, we can deter them. Then we deal with this small group of people. Now let's think about this small group people. Well, this small group people could be any of us. Because any of us could have worked for things on the other side sometime, unwillingly, unknowingly, whatever we discover, people use it. Right? So I'm a strong believer that any system in the end kind of survives is because you have these balancing force to create the equilibrium, right? You're going to pull each other. The question then is what you worry about is can sometime, you know, a system, one force become too strong, there's not enough balancing force that the thing gets haywire, then, you know, break. Do you see a danger of that in this race? I know we're always going to stay on one side. But you mentioned all these, you know, stakes sponsored. Right. They can throw in tons of money and we know how bad stakes can do terrible things. How do we make sure that we don't even. We understand in theory things going to be balanced. But at some point, maybe just a one stale, one gigantic evil company did something, then we just didn't have enough time to catch and then we all kind of fall.
Hany Farid
Right? I do worry about this, and here's why I worry about it. It's not hypothetical. So if the types of workshops, and I don't even call them conferences by the way, the types of workshops that Seaway and I publish our works at, you can measure the participants in I don't know what sway like 100 or so people. Right. We typically attach those to a conference that's for example, computer vision or AI that hosts 10,000 people. That gives you a sense of the counterbalance. Here we have 100 people attending our workshop and those are the world's leading experts in this, compared to two orders of magnitude at the other side of the aisle. Computer Vision, computer graphics, AI, ML. So it is imbalanced in terms of where the graduate students are, where the faculty are in this space. And that's part of that historic. Our field is relatively young compared to ML has been around for a long time. Statistics has been around for a long time. Computer Vision has been around for a long time. But here's the big one. That's nothing compared to this. Go over to the South Bay and go down where all the venture capitalists are and ask them where they are investing their dollars. People don't want to invest in defense. They want to invest in the other side of the aisle. So the investments in the open AIs of the world, in the anthropics of the world is in the billions of dollars. And the investment in defense. Look, defense doesn't make you money. In fact, it loses you money because you're playing defense. So the vc, the dollars are not there. And so we are outgunned. There is no question about it. And it is imbalanced. We are one psychopathic trillionaire CEO away from catastrophe if they decide to really unleash the power. Now, I do take a little comfort in the following. So if you look at the last 20 years and you look at the disaster that has been social media, I mean really, I would argue disastrous in terms of privacy toxicity, horrific mental health issues to young people. I think we've learned a little bit of a lesson. Not entirely a lesson. And you are seeing a little bit more responsibility coming out of the big AI company. You are. Look at Google and OpenAI and say they are making exactly the same mistakes. Some of them are the same. That's number one. Number two, and this, I take comfort in this also is that the business model of AI is very different than the business model of social media. This is not an attention economy. I pay for ChatGPT, I pay for access to Veo and Gemini, and that's good. We don't want to be the product, we want to be the customer. And so I take some comfort in the business model is one of a service. You are providing a service. And I think there's a different sense of responsibility when you are creating a product and I am your customer. So I'm taking some comfort in that. I am, however, seeing we are making some of the same mistakes of move fast and break things and our regulators are mostly falling asleep at the wheel here in the us I think in the eu, in the uk, in Australia and a few other parts of the world, some of the regulatory landscape is a little bit more promising. I do think, at least here in the US we are not necessarily entirely burying our head in the sand. I think there is an awareness that we have to do something. There's just a disagreement on what we should do.
Su Weilu
I see.
Shali Meng
So if we have an Elon Musk decide that he wants to unleash, you know, as you said, sort of, can you paint that picture for us? What would happen? Yeah. What, what's the actual. I mean, let's talk about the worst case scenario.
Hany Farid
Good. I'll give you a couple of examples because we're getting glimpses of. So first of all, you asked the question of Seaway earlier, which is what, what can we do to put in some, some guardrails? And there are a few things we can do. We can put in semantic guardrails. On the prompt it says you can't ask for nudity, you can't ask for violence, you can't ask for children in sexual explicit material. You can put guardrails on the output which says if you generate an image that we think is harmful, we will block it. You can also put guardrails on the data that is being ingested so that you don't ingest the most horrific, vitriolic, nasty, ugly things of the Internet. Elon Musk can say, nope, I'm not going to do that anymore. I'm going to allow you to create child abuse material. I'm going to allow you to create non consensual intimate injury. I'm going to spew climate denialism. I'm going to Spew Holocaust denialism. I'm going to allow this thing to do anything I want. In fact, I'm going to encourage it to do it. And here's the thing is I can tell you because Seaway and I spend a lot of time on campuses. Students are now, they don't care about Google. Nobody's Googling anymore, right? It's over. They're getting their information from these, these bots. And if that becomes your sole interaction with the world, in some ways it's worse than social media, it's worse than Google, because it's literally one human being controlling one bot that people now are starting to get all their information from. And that can get very ugly very fast.
Shali Meng
You're right. At the beginning of this, you talked about the fraud. You talked about the really bad things that can happen to individuals. How do individuals protect themselves from the fraud? From the, the parents that get the phone call from the kid or the CEO, you know, the CFO that transfers $50 million because he thinks his CEO just told him to?
Hany Farid
Yeah, yeah. There's three things at the top of my list and they are education, education, education. You got to be aware of what's going on. You got to know. For example, I have ingrained this in my parents skull. Don't click on a link in an email, right? How many times have we said that to our parents? How many times do we have conversations with our kids about how to remain safe? This is about being aware that when you get a call at 3 in the morning and somebody's screaming at you to take a breath, my wife and I have a code word, right? One of us gets a phone call, we have a code word. And by the way, we have the code word because somebody spoofed my voice and tried to call a lawyer on a very sensitive case we are working on and extract information from him. So there are some things you can do to protect yourself, but honestly, the biggest one is just be aware of the threat. And again, it's just like locking your door. There are little things you can do, call them back, code word. But at the end of the day, the more you are aware of the threat and your surroundings, the safer you will be. There's nothing you can do but, well, listen for breathing or do this or pay attention to this. It's not going to help you because no matter what I tell you today, in two weeks the problem will have gone away and you have a false sense of security. So honestly, it's just, it's like everything in cyber security is how do you protect yourself from malware, ransomware, viruses? It's awareness, awareness, awareness, education, education, education, and then mitigation. This is all about mitigating threats.
Xu Wei
I can add a comment on this. So my daughter, I have two daughters, both of them are teenagers. They've been seeing me doing this a lot of times because I gave talks. Sometimes they sell my slides and they ask me questions like, what are deep fakes? And I show them the pictures and all this stuff. From time to time, they saw a picture, an image on social media. They will ask themselves, is this real? And I think that's the whole value of education, is that split second. Because before you make any decision on anything, you ask yourself, is this real? Because AI can create something very realistic, right? And a lot of times we talk about this situation, there's always a doomsday scenario where AI will make something that nobody can tell the differences. I think there's a cognitive reason for that. And there is also. I'm hopeful I'm more on the optimistic side of situation based on my interaction with users, teenagers and older adults. One thing is we're always too much carried away by the message. So we did some psychophysics study, ask the undergrad students to tell what is AI generated, what is not. But if we tell them, you are looking at some images potentially be AI, some images potentially be real photos, their accuracy is actually, as Hany reported in his paper, was not fantastic, but not very bad either. But when I take them to a different task, I ask them to recognize faces. Have you seen these faces before? Have you noticed any features of that face? And I sneak in AI generated faces, and then I ask them question, have you noticed any AI generated faces? Their performance is terrible. And I think this is what happened in real life because we're browsing social media, we saw an image, you know, our mind didn't have this mechanism, say, hey, pause for a second, check if this is AI generated. We're so much taken away by the message and we start to being taken in. That's where we fall for this. So I think education will be a very effective means against this kind of cognitive shortfall for this. The other point I want to make is when we talk about this doomsday scenario, we kind of like think human brains are static, we do not grow. But I make the analogy with the virus, like COVID 19, the first round of virus coming in, people got sick, people even got killed from the infected by the disease. But we developed metrics like we have vaccines, we have medications, these are the technical tools like detection tools, tagging tools, watermarks and whatnot. But more importantly, people develop better hygiene habits. We wash our hands, we put on the masks. This is the same kind of mechanism. I think human brain are flexible. We survive hundreds of millions of evolution because we adapt to the scenario. This is something new. But when people ask me about this, that relates me to the scenario. Twenty years ago, when email is a new thing, we get spam email. I got an email from some friends in Ivory coast to say I have this big bank account. The first few emails I do file for it. But afterwards I learned this is bogus and I do not talk emails anymore. I think similar things would. Well, we're just seeing the early phase of people falling for AI generated scams. I would not say we're completely safe, but we'll say the bar will be raised on one side because technical advances in detection, in watermarking and the other technologies. The other part is human learn to cope with this, to coexist with AI generated content. So simple stuff will not fool us anymore. Somebody want to do a better job, they better spend more time and resource into this. So I agree with Professor Meng. At a certain point in time we'll reach that equilibrium. And I'm 100% sure that equilibrium will be reached one day. What we're trying to do now is accelerate that time, make it sooner.
Su Weilu
Speaking of that, how do we speed things up? How can we take advantage of the general AI itself for education purpose?
Xu Wei
All right, I'll go first. In the past few years I've done a lot of public education efforts in this area because after go through all my technical works, I realized we developed all this detecting tools for AI generated contents, but if nobody wants to use them, they're useless. Eventually it has to be in the user's end and they have to have a need to use them. Right. So that's why I got into this user education side of the research work. Now I think foolishly I picked the two most difficult group of people to start with, namely the teenagers and older adults. I'm taking this example as my parents and my kids. These are the two group people who seem to know all who doesn't want to be taught. Okay, So I gave them a lecture and give my students a lecture. It doesn't take any effect actually. Probably generate some resistance and doubts.
Su Weilu
Interesting.
Xu Wei
But they are curious. They are actually open to new ideas. So I think education depends on delivery. How do we package the information, make them accessible to this specific user groups. I give a Lot of talks at local senior homes libraries. I take advantage of the fact that Buffalo Bills, our favorite city football game, has never won a Super bowl and was so close to super bowl every year. Everybody is hopeful starting the season, then become super disappointed at the end. So I made the deep fake Buffalo Bills make Josh Allen say we won the super bowl, we did really well, you know, and make it as realistic as possible. I like that example because I pick an innocuous example. You know, football is, I mean it hurts a few fans feelings but every time I say I wish this is reality. So people actually get a lot from this, but they also see the dangerous side of things. I say if I can make Josh Allen say this, how about I make somebody else saying similar things and this time it's not that light hearted, right? There's a fine line here, you know, on one side you want them to be aware. On the other side I don't want to be a fear monger. When I started doing this, I had a situation where one gentleman came to me, he's in his late 70s, I believe he came to me saying I will not believe anything I see from now on, on tv, on Internet, whatsoever. Right. That's not the right attitude either. So I realized that we need to pick that center line to make the message effective. Another approach I use is gamification. So like the older adults like to do puzzles, how about instead of doing a wordle or candy crash, let's see if you can pick up the AI fakes here, right? And we make a small game and test it on the older adult users. It turns out to be very effective. Now the purpose here is not to train them to detect AI defects, but to plant that idea in their mind that there are AI generated images. You see something, this will come up and protect you. So I think the delivery is the part that matters most.
Hany Farid
I'll add two things to this. First of all, conversations like this, I mean the reason sue and I agree to these conversations is this is important. And I think academics should continue to do engage with the public on these conversations. The other thing I've done, and everybody here knows this as an academic, is, you know, when we write our technical papers, we write them for our friends, for technical audiences, and they are often sort of impenetrable to the average person. And recently what I've started doing is using generative AI us explicitly about generative AI to summarize my technical papers in podcast like conversations. And if you have not seen this, it is breathtaking and it's well, sorry, I realize I'm on a podcast with two people who do this for a living. I'm not saying you're going to be out of business, you're very good at what you do. But no kidding, these things are weirdly good. First of all, they're incredibly engaging. They sound like a podcast. But the summarization of very technical things is mind bogglingly good. And so now what I've started to do is all my technical papers, I push them through one of these generative AI podcast summaries and I link to that so that people don't have to go download a PDF and read through all the equations. They can just listen to a podcast and make the work more accessible. And then the last thing I would add on that is in addition to these types of conversations is talking with and getting our regulators in Capitol Hill, in Brussels, in UK smarter about this stuff as fast as possible is engaging with the people who want to engage with this and get smart about it because they're the ones who are eventually going to have to pass the laws to protect us.
Shali Meng
You know, we talked, honey, four years ago, and you're saying that things are now being measured in days instead of years. Instead of looking back, let's look forward. What should we be afraid of that's going to happen in the next five years that we're not talking about right now?
Hany Farid
I'm afraid of everything these days. So I'm not the right person to ask about this. First of all, I mean, predicting the future is unbelievably hard and the best of times, and I don't know. But here's a few things that I don't think we're talking enough about because we're already starting to see it. So we've been talking about deep fakes and fraud and disinformation, but something else is brewing. So I teach at UC Berkeley, which is, I don't know, a top five computer science department in the world. Two years ago, our graduating students, undergraduate, master's, Ph.D. were graduating with five, 10 offers, $250,000 salaries, tens of thousand signing bonuses, and they had the run of the place. Now, not so much. Something is brewing. Unemployment is up for computer scientists, and I think we are the tip of the spear. Something is coming and it's very disruptive and it's going to disrupt a lot of industries. This is not ATM machines disrupting cashiers at a bank. This is something very different. What we don't know is will the disruption be counterbalanced? We were Speaking earlier about counterbalancing with the creation of new jobs and what will those loads look like and how we retrain people, or do we have to start talking about universal basic income? Has the entire social contract is up in the air now? Now there's very different people who say different things. Some people say, yes, right, unemployment is going to be 2530, there will be no more jobs because AI will do everything. And other people say this is complete and utter nonsense. I don't know. But I think we should start thinking about it because it seems, you know, we were talking earlier about statistics, right? The expected value of something very low probability with a very high cost is very high. And so we should multiply those two numbers together and be a little concerned about that. So that's number one. Number two, and said this earlier, and I think this worth, is worth repeating the word monopoly is that the winners in today's AI are the winners from 10 years ago in social media because they have all the data. And we have to start talking about not US monopolies, but global 8 billion people monopolies. And how do we have a fair marketplace for AI when five companies in the world control everything? I think that's a conversation we have to start having. And the last thing is that we haven't touched on is content creators. Because the reality is, is that the vast, vast majority of content that Sway described nicely earlier, that all of these models have been trained on, has been just taken right indiscriminately. And that, you know, I'm not a legal scholar and I don't want to opine on whether this is fair use or not, but it doesn't seem right. And I think we have to start having a conversation of what does that look like going forward? And make no question about it, there's something exciting here for content creators, but it's coming on the back of content creators. And I think we should be having a conversation about whether that's fair and how to make it more fair. And I think that's not a conversation five years from now. I think we're going to be having this conversation in the coming years, because you can already see it. I'm sure sue is seeing the same thing in Buffalo is students are nervous, they don't know what's going on. And it's a combination of many things, right? There's political disruption, there's two global wars, there's riots in Los Angeles right now. There's a lot happening. But I will tell you, there is real anxiety about what the workforce is going to look like and I think we have to start thinking carefully about that and most importantly at the university level is how do we train the next generation to be prepared for this and how do, what are the skills that they are going to need to be able to be productive? And I don't have great answers for all this, but I'm starting to think about it.
Xu Wei
Shui I agree with Tany on all the accounts, but additionally I'm concerned about the integrity of information. In our information ecosystem we are seeing the signal to noise ratio continuously decreased and that comes with a cost. So truth now is a rarity and all the existence of all this falsified information with help of deepfakes is actually increasing the cost of fact checking. Just like Hany mentioned this early on some of the cases, even though you look at the images or the videos or the audios, there are some clear artifacts but you have to come up with something explainable, concrete to be able to prove it is not real. So every tools now come with a tag and every deepfake is adding that cost of fact checking and that slow down the process. Maybe this is their goal. Their goal is not to confuse us, but the goal is to slow it down. Right. And that's really concerning. Well, on the one side I bank my hope into users increased capacity to tell real from fake. On the other hand, I think this is where collectively the government and also private enterprise in the market need to come in some agreement that to at least maintain a minimum standard of information integrity in our social media and information ecosystem so that we don't see 99.9% of the content coming to us are fake, then we lose faith into the information system and we are 100% away from the reason we build Internet. We build social media because we share information. Now if we have all the information but we do not trust them, what's the use of them? Right? So I think that's my worst fear of nightmares.
Hany Farid
Can I tell you what the paradox of the Internet is? Sway said it exactly right, is that it was meant to democratize access to information, which it did, but it didn't discriminate between good information and bad information. And arguably because of the business model of social media favors bad information over good information. And that's the thing. I don't if you would ask any of us 20 years ago, 25 years ago, I don't, I don't think we saw this coming. But here we are.
Shali Meng
I think that the idea of slowing down is fascinating because you know once it's been up for a couple days, it's done all the damage that it's going to do.
Hany Farid
It's not days liberty. It's half half life of a social media profile is 90 seconds. Ninety seconds is the half life of a social media post when half of views it's insane how fast it is. It takes nothing. And so by the time Thi Wei and I get the call from the fact checkers and we clean it up, it's a postmortem, right? The bodies are littered on the street by now. We're cleaning it up. It's good. But there's still dead bodies on the road.
Su Weilu
Before I ask our final question, there's a magic of one question I want to add to all the concern you have. I think for me there's one more thing really worries me is that with all these content good the bad uglies out there and they are all contributing to the data for the future training and they're also contributing to think about how in the future the historians their job. I'm not even sure what the historian do. They look at things, say they can create all kinds fake histories they did not know and how do we human just collectively deal with all the issues? I guess again it's a gigantic question for the educators, right for us to think together. So with that I want to ask you that if you could wave a magic wand and instantly creates one perfect detection capability, what deep fake related issues would you target First?
Hany Farid
I think this is pretty easy for me. I'm going to give you two answers but in this order. Child sexual abuse and non consensual intimate imagery. People are creating horrific abuse images of children with real children's faces, sending it to them and then extorting them. And those kids are panicking, in some cases taking their lives. And it is horrific, horrific, horrific, really brutal. The non consensual intimate imagery is largely targeting women from high profile women like the Taylor Swifts to people who just attract unwanted attention and again just really gut wrenching images that are. Because I've talked to the victims of these horrific crimes, I probably would start there and then work my way down.
Xu Wei
I agree with Hanyi. I think images of those nature have the least controversial about whether we should control them or not. I think starting from there is definitely the good start.
Su Weilu
I really want to thank both of you not only for your knowledge of how do we deal with these issues, but really for your passion and I think we all share the same passions that we have now. Now create this incredible tool, the tool is going to be even more powerful. And we also have this really responsibility to make sure that tools, at least, you know, we can partially control if we cannot fully control its damage. Like everything else, we should not be panicking, but we should be very vigilant for all the people listening. This is a real podcast. There's nothing fake here.
Hany Farid
So he said. So he said.
Su Weilu
I have my voice has something detectable. You guys can tell? Okay, I delivered the signature woodmark of my voice, but thank you again. This has been both fun and very educational.
Shali Meng
Thank you guys so much.
Xu Wei
Wonderful.
Hany Farid
Thank you.
Xu Wei
Thank you.
Liberty Vitter Capito
I'm Liberty Vitter Capito. And on behalf of Shao Meng and our guests, Professor Su Weilu and Hani Farid, thank you for joining us. And a special thanks to our producers, Rebecca McLeod and Tina, Toby Mack, and assistant producers Arianwyn Frank, Gavin Yang and Belle Riley. Stay curious and meet us next month when we dig into the data behind dieting and the rise of food bans. This was the Harvard Data Science Review. Everything Data science and data science for everyone.
Release Date: June 18, 2025
Host: Liberty Vitter Capito
Guests: Professor Su Weilu and Professor Hany Farid
In the episode titled "The Deep Trouble of Deepfake: What Can or Should We Do?", the Harvard Data Science Review delves into the pervasive issue of deepfake technology. Hosted by Liberty Vitter Capito and co-host Shali Meng, the podcast features enlightening discussions with Professor Su Weilu, a specialist in deepfake detection, and Professor Hany Farid, a pioneer in digital forensics. The conversation explores the rapid evolution of deepfakes, their societal impacts, detection methodologies, and the broader implications for trust and truth in the digital age.
Shali Meng initiates the conversation by reflecting on the drastic changes in the realm of misinformation over the past four years. She asks Professor Hany Farid about the transformations witnessed since his last appearance on the podcast.
Hany Farid responds at [01:52], highlighting the unprecedented speed at which generative AI and deepfake technologies have advanced. "Things are accelerating at a pace that I have not seen before in my 30-year career," he states, emphasizing the shift from yearly to monthly—甚至是每12到18天—cycle of advancements. He underscores the exacerbation of misinformation through generative AI, fake images, audio, and videos, indicating that the situation is still on the steep ascent with more challenges anticipated.
Shali Meng probes further at [03:21], seeking tangible examples of deepfakes deceiving the public.
Hany Farid provides several alarming instances:
High-Profile Fraud: "Companies lose 25, 35, $50 million because they are on a call with what they think is their CFO or CEO and they are not."
Individual Scams: Parents receiving fraudulent calls impersonating loved ones, leading to financial losses.
Non-Consensual Imagery: The creation and distribution of intimate images without consent, affecting women and children.
Disinformation Campaigns: Manipulating perceptions around elections and global conflicts, where "nothing has to be real," fostering an alternate reality that erodes trust.
He poignantly remarks at [05:57], "nothing has to be real," illustrating the bleak landscape where distinguishing reality from fabrication becomes increasingly arduous.
Professor Su Weilu at [06:46] reflects on the dual-edged nature of deepfake technology, acknowledging its powerful capabilities and the ethical dilemmas it presents. She questions the responsibility of data scientists in navigating this complex terrain.
Xu Wei responds by delineating the challenges at two levels:
Technical Level: The absence of safety certifications in AI tools, making it easier for malicious actors to exploit them. He emphasizes the need for integrating fairness and security into AI system designs from the onset.
User Level: Despite technical safeguards, there's a persistent risk of misuse by individuals with nefarious intentions. Xu advocates for:
User Education: Enhancing public awareness and understanding of deepfakes.
Regulatory Intervention: Implementing governmental regulations to enforce safety measures, akin to internet and social media safety protocols.
He states at [10:47], "There's no way you can understand them," highlighting the misconception that deepfake technology is too complex for the general populace to grasp.
Shali Meng transitions the discussion to detection methodologies at [13:35], questioning the efficacy and reliability of current deepfake detection techniques.
Hany Farid elaborates on two primary detection pillars:
Active Forensics: Involves embedding metadata, cryptographic signatures, or watermarks into AI-generated content to signify its origin. He references the C2PA (Coalition for Content Provenance and Authentication) standard, explaining, "when you see the tag, you know what it is." While effective for content generated by compliant platforms, it falters against malicious actors who can strip or alter these markers.
Passive Forensics: Focuses on identifying inherent artifacts and inconsistencies within the content itself, such as:
Statistical Anomalies: Irregularities in image downsampling, noise patterns, or lighting inconsistencies.
Physical Inconsistencies: Misalignment in shadows, geometry, or reflections that deviate from real-world physics.
He emphasizes the challenges at [20:28], stating, "It's a really hard problem. It will not catch everything," acknowledging the limitations of current detection capabilities, especially with high-quality, compressed content prevalent on social media platforms.
The discussion shifts to the ongoing battle between deepfake creators and detectors, characterized by continuous advancements on both sides.
Hany Farid describes this dynamic as an "arms race," where:
Enhancements in Detection: As detection tools improve, so do the sophisticated techniques employed by deepfake developers to evade scrutiny.
Surface-Level Defenses: Simple measures like locking doors deter common criminals, but sophisticated adversaries require more robust defenses.
He analogizes this to cybersecurity, emphasizing perpetual vigilance and adaptation: "We knock off the bottom layers and now we are dealing with a relatively small, hopefully very sophisticated, very well-funded and very technically competent adversary." [Hany Farid, [20:28]]
Hany Farid and Xu Wei underscore the paramount importance of education in combating deepfakes. They advocate for:
Public Awareness: Empowering individuals with knowledge to critically assess and question the authenticity of the content they encounter.
Interactive Education Methods: Utilizing relatable examples and gamification to engage diverse demographics, such as teenagers and older adults, enhancing their ability to identify deepfakes.
Xu Wei shares personal anecdotes at [27:37], illustrating effective educational strategies, such as:
Relatable Scenarios: Creating benign deepfake examples, like manipulating sports outcomes, to demonstrate the technology's potential before delving into more sinister applications.
Gamification: Developing interactive games that challenge users to detect deepfakes, thereby reinforcing their critical evaluation skills.
Looking ahead, Hany Farid articulates several pressing concerns:
Workforce Disruption: The advent of AI could significantly impact employment sectors, potentially leading to unprecedented unemployment rates among computer scientists.
Monopolization of AI: A handful of corporations hold vast amounts of data and computational resources, creating a monopolistic landscape that stifles competition and innovation. "The winners in today's AI are the winners from 10 years ago in social media because they have all the data." [Hany Farid, [38:29]]
Integrity of Information: The proliferation of deepfakes diminishes the signal-to-noise ratio in information ecosystems, escalating the costs and complexities of fact-checking and eroding public trust.
Content Creator Rights: The indiscriminate use of creators' content to train AI models raises ethical and legal questions about fair use and compensation.
He warns at [43:59], "We build social media because we share information. Now if we have all the information but we do not trust them, what's the use of them?"
As the conversation wraps up, Hany Farid and Xu Wei emphasize the necessity for collaborative efforts between academia, industry, and government to address the multifaceted challenges posed by deepfakes. They advocate for:
Enhanced Detection Tools: Continued innovation in forensic techniques to keep pace with evolving deepfake technologies.
Regulatory Frameworks: Developing comprehensive policies that balance innovation with security and ethical considerations.
Public Engagement: Sustaining open dialogues and educational initiatives to empower individuals and communities in navigating the digital information landscape.
Su Weilu closes the discussion with a poignant reminder at [47:16]: "This has been both fun and very educational." Reinforcing the episode's core message, she urges listeners to remain vigilant and informed in the face of technological advancements that challenge the very fabric of truth and trust.
Deepfakes have evolved rapidly, posing significant threats across individual, corporate, and societal levels.
Detection relies on a combination of active and passive forensic techniques, each with its own strengths and limitations.
Education and Awareness are crucial in equipping individuals to critically assess digital content.
Regulatory and Ethical Considerations must keep pace with technological advancements to safeguard information integrity and protect vulnerable populations.
Collaborative Efforts across sectors are essential to mitigate the risks associated with deepfake technology and preserve trust in the digital ecosystem.
Hany Farid [01:52]: "Things are accelerating at a pace that I have not seen before in my 30-year career."
Hany Farid [05:57]: "Nothing has to be real."
Hany Farid [20:28]: "It's a really hard problem. It will not catch everything."
Hany Farid [38:29]: "The winners in today's AI are the winners from 10 years ago in social media because they have all the data."
Hany Farid [43:59]: "If we have all the information but we do not trust them, what's the use of them?"
This episode serves as a comprehensive exploration of the deepfake phenomenon, offering listeners a nuanced understanding of its complexities and the multifaceted strategies required to address its challenges. Whether you're a data scientist, policymaker, or a curious individual, the insights shared by Professors Su Weilu and Hany Farid provide valuable guidance on navigating and mitigating the deep troubles posed by deepfake technologies.