Over the past decade, computer scientists have made generational breakthroughs in machine learning and machine perception. This has enabled the development of technologies previously beyond the wildest dreams of consumers and engineers alike. It has, however, come at a cost. Just as the rise of big data brought with it a serious encroachment on privacy, the rise of machine learning and neural networks brings with it a cluster of major risks.
One of the most serious is deepfakes.
What are deepfakes? Put in the simplest terms possible, they are forged videos whose forgery is basically undetectable even to trained eyes. The potential threats arising from deepfakes are manifold, especially in a world where the pace of media consumption is dizzying and faith in expertise has been seriously eroded.
To get a clearer sense of this threat, we spoke to UC Berkeley’s Hany Farid, a computer scientist considered by many to be the father of digital forensics.
Farid outlined the problems as follows: “Everybody is reasonably aware that you can manipulate images and video and audio. We’ve been wrestling with those issues for many, many years. Historically the way you would do that in the digital age is to have a talented graphic designer go into Photoshop and combine two people together or remove something from an image. Or think of Forrest Gump, where Gump is meeting President Kennedy. It was a very tedious, manual, labor-intensive process. What deepfakes have done is to use AI-powered technology to create the fake content for you. For the most part, that eliminates many of the time and skill barriers to creating compelling fakes. That, in many ways, is where the real threat is. The threat is not necessarily that we can create fake videos and fake images and fake audio. The new threat is that we have democratized access to very powerful technology that allows the average person with a little bit of technical skill to create what used to require, for example, a Hollywood studio.”
Anonymous internet culture can generate enormous malice, and Farid shared some sobering thoughts about the potential dangers there. “We’ve now opened that gate to who can create a video of a President saying anything or a candidate saying anything. Obviously on the political side you can see how this can really wreak havoc on democratic elections. Or imagine somebody releasing a video purportedly of a private meeting of Jeff Bezos saying, ‘Amazon’s profits are down 20 percent.’ Stock market response is continuous, and you’re off to the races.”
So how did we get to this point? Where do deepfakes come from? “The core technology driving them,” said Farid, “is data-driven machine learning technologies called deep neural networks. The big innovation is two-fold, maybe three-fold. We have a lot more data today than we did five and 10 years ago, so these neural networks can learn really sophisticated representations. Then there is the innovation of deep learning: the neural networks have a much, much deeper architecture, allowing them to learn more sophisticated patterns. In addition to the data, the architectures, and the algorithms, there is phenomenal computing power (in the form of graphical processing units) that is driving the ability to do these very, very difficult computations very, very quickly. A lot of this is coming from the academy. Some of it is coming from industry. Google has made their TensorFlow deep neural network available. There are now softwares that you can download from GitHub with tutorials on how to create deepfakes.”
Despite the phenomenal complexity of the underlying mathematics and engineering, the tech itself keeps getting more and more user-friendly for non-experts. “It’s relatively easy to do,” Farid said. “You need a little bit of skill. You don’t need to be a hardcore programmer, but you need a little bit of time and dedication and desire to do this. It’s largely being automated right now: you feed it the images of the person you want to splice into the video, you feed it the carrier video, tweak some parameters, and it’s off and running.”
Telling the products of this tech from the real thing can be difficult to impossible. As Farid put it, “there’s two mistakes that you can make. You can classify a real image as a deepfake and you can classify a deepfake as real content. Obviously there’s a trade-off between those two things. If I say everything is a deepfake, then I will have 100 percent accuracy for detecting deepfakes but my signal detection is pretty bad: I’m saying everything is fake. The tricky business with having the average person look at video and try to assess whether it’s real or not is in many cases real video just looks weird. When you start analyzing it for traces of manipulation, you will often mistake completely natural and expected artifacts in video that typically arise from compression for artifacts of a deepfake. I think what I’m more worried about is not where we are today but where we are going. I think the trend is that the average person will not be able to distinguish. That’s the trend that we’re seeing.”
The first mistake, accepting a deepfake as real, is bad enough. Farid points out that it might be used to trigger major instability. “One of the things that we are particularly concerned about here in my lab,” he told us, “is how this technology would be weaponized in the realm of geopolitical landscape. Is somebody going to create a video of President Trump saying, ‘I’ve launched nuclear weapons against North Korea’? Is somebody going to create a video of Senator Warren saying something inappropriate and try to derail her candidacy?”
But in his view the second mistake — classifying real content as fake — might represent the bigger threat. If enough deepfakes enter the media ecosystem, consumers might well start believing that all video is fake. This would upend video’s supremacy as an arbiter of truth in our society, and that carries some worrying implications with it. Farid cited the presidential campaign of Donald Trump as a way of thinking about this danger. “Two and a half years ago the Access Hollywood audio recording came out of President Trump saying what he does to women. At the time, he and the campaign apologized. They came up with an explanation as to why this wasn’t as bad as it sounded and they apologized. Fast forward to today. If that audio recording had come out today, does anybody think the campaign wouldn’t have said it was fake? Not only would they have said that, they would have had plausible deniability. So what happens when we live in a landscape where we know that fake content can be created compellingly and we have riding on top of that a fairly polarized society? We have people consuming way too much news on social media, which is an echo chamber. It’s going to be very hard to convince people of anything that they see or hear online.”
So what is being done on the tech side to combat the proliferation of deepfakes? Farid’s answer was brutally honest. “I think it’s probably fair to say,” he told us, “that today there is no operationalized technique for reliably detecting deepfakes. Part of that is because deepfakes are a relatively new phenomenon and we and other people are in the early stages of developing those techniques. I predict that by the end of the year, maybe by the fall, we certainly will have some techniques out there. I think the first round we’ll start seeing in the next six to 12 months. But there is very much a cat-and-mouse game to be played here. As we develop forensic techniques, deepfakers will learn them and try to circumvent them. I think the way that’s going to end up is the way most of these cat-and-mouse games end up. We will make it more difficult. You will need a little bit more skill. You’ll have to work a little bit harder. But in the end, you’ll probably still be able to create fake content. Yet if I can take out of the hands of the average person the ability to create compelling fakes that are undetectable, I will consider that success. If I have now moved it into the hands of a relatively small number of people, while that is still a risk, I think we can probably agree that it is significantly smaller risk than the average person on Reddit being able to create this fake content. So that’s our goal: to keep raising the bar.”
As to what the actual countermeasures will be, Farid suggested two techniques that rely on human nature. One is developing what he called a “soft biometric” to distinguish real recordings of, say, Barack Obama from deepfakes. “The basic idea is this,” he said. “When somebody is speaking, there is a correlation between what they say and how they say it. For example, when I frown and pinch my brow, something is upsetting to me. If I say something funny, I tend to smile and maybe lift my head up a little bit. How our faces move, how our head moves we are finding to be tightly correlated to what we are saying.” Another would be “controlled capture” technologies. These, he told us, function at the point of recording to authenticate the material. “Imagine,” Farid said, “that you witness a human rights violation, police misconduct, a natural disaster, some remarkable event — and you don’t want people down the line questioning the authenticity of your video or your image. So instead of capturing with a standard iPhone or Android camera, you use controlled capture software. There are companies out there that produce this commercially. At the point of recording you cryptographically sign the content. You put that on the blockchain, a distributed and immutable ledger. Then you can, with fairly high confidence, authenticate that content going down the line. This may be where we have to go. With Apple and the Androids building these directly into the app where you have the option, like turning a flash on and off, to securely record and not securely record.”
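The controlled-capture flow Farid describes (sign at the point of recording, record on an immutable ledger, authenticate later) can be sketched as follows. This is an added example, not code from the article or from any commercial product; the function names are hypothetical, and an in-memory hash-chained array stands in for the blockchain.

```javascript
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest("hex");
const GENESIS = "0".repeat(64);

// Hypothetical capture device: an Ed25519 key pair generated on the device.
function createDevice() {
  return nodeCrypto.generateKeyPairSync("ed25519");
}

// At the point of recording: hash the media, sign hash + timestamp, append to the ledger.
function capture(device, ledger, mediaBytes, capturedAt) {
  const contentHash = sha256(mediaBytes);
  const signed = Buffer.from(contentHash + "|" + capturedAt);
  const signature = nodeCrypto.sign(null, signed, device.privateKey).toString("base64");
  const prevHash = ledger.length ? ledger[ledger.length - 1].entryHash : GENESIS;
  const entryHash = sha256([prevHash, contentHash, capturedAt, signature].join("|"));
  ledger.push({ prevHash, contentHash, capturedAt, signature, entryHash });
  return contentHash;
}

// Recompute every link: an edited or removed entry breaks the chain.
function ledgerIntact(ledger) {
  let prev = GENESIS;
  for (const e of ledger) {
    const expected = sha256([prev, e.contentHash, e.capturedAt, e.signature].join("|"));
    if (e.prevHash !== prev || e.entryHash !== expected) return false;
    prev = e.entryHash;
  }
  return true;
}

// Later: does this file match a ledger entry signed by the device's public key?
function authenticate(publicKey, ledger, mediaBytes) {
  if (!ledgerIntact(ledger)) return "ledger-tampered";
  const contentHash = sha256(mediaBytes);
  const entry = ledger.find((e) => e.contentHash === contentHash);
  if (!entry) return "no-record";
  const signed = Buffer.from(contentHash + "|" + entry.capturedAt);
  const ok = nodeCrypto.verify(null, signed, publicKey, Buffer.from(entry.signature, "base64"));
  return ok ? "authentic" : "bad-signature";
}

// Constructed sample bytes standing in for a recorded video and an altered copy.
function demo() {
  const device = createDevice();
  const ledger = [];
  const original = Buffer.from("constructed sample video bytes");
  capture(device, ledger, original, "2019-01-01T00:00:00Z");
  const edited = Buffer.from("constructed sample video bytes, one frame altered");
  return { original: authenticate(device.publicKey, ledger, original),
           edited: authenticate(device.publicKey, ledger, edited) };
}
```

A passing check shows only that the bytes are unchanged since that device key signed them; any re-encoding of the file changes the hash, so verification has to run against the originally captured file.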
Farid does not share the utopian view of tech that permeates large segments of our society. “There were people in the early days sounding the alarm bells on AI,” he notes. “Elon Musk, of course, famously has been talking about concerns about the turning-over of decisions to AI-powered systems — anything from algorithms that make bail decisions to algorithms that make admissions decisions to universities. People have been concerned about that. And rightfully so. It didn’t take long for us to see what the threat of the tech behind deepfakes was, even before they started appearing. So how should the people who are developing these technologies think about what they’re doing? Because the reality is while there are some cool applications to these technologies, everybody also agrees that there are some nefarious applications. How do we as a community wrestle with moving technology forward, making advances, while knowing that those technologies are almost certainly going to be weaponized? If a biologist developed a deadly virus and said, ‘Let’s give this to the public and see what happens,’ I don’t think anybody would think that that was acceptable. Yet we do that almost all the time with technology.”