> You store everything on a cloud instance, where you don’t get to see the model weights and they don’t get to see your data either, and checks are made only to ensure you are within terms of service or any legal restrictions.

Is it actually possible to build a fine-tuning-and-model-hosting product such that:
- The customer can’t access the model weights
- The host can’t access the training data, or the inputs or outputs of inference (and this “can’t” is in the cryptography sense, not the legal sense, because otherwise the host is a giant juicy target for hacking by state actors)
- The model can be fine-tuned based on customer data
- The system does not cost multiple orders of magnitude more than an alternative system which did not have these constraints
Maybe there’s something extremely clever you can do along the lines of “homomorphic encryption but performant and parallelizable”, but if there is I am not aware of it. Nor are, e.g., the folks who host vast.ai, which is a GPU sharing platform. I’m sure they would like to be able to write something more reassuring in the “security” section of their FAQ than “[the providers on our platform] have little to gain and much to lose from stealing customer data”. So if there’s a solution here, I don’t think it’s a well-known one.
My impression is that a robust solution to this problem is effectively a license to print money. New EA cause area and funding source?