This is an extremely hard problem. One way to demonstrate this is to ask the less constrained question, how would you prevent an adversary from copying some arbitrary piece of data?
I think under a classical computing paradigm this is likely impossible. But is there a way we can make the data useless even if it is copied? This then becomes the realm of cryptography, and seems possible with fully homomorphic encryption and the like. This will boil down to “just don’t give it the secret keys”, which seems like a pretty solid subset of “just don’t give it the permission”.
Under a quantum computing paradigm this might be possible, but that would require waiting for QC hardware to become commonplace and I don’t think anyone is waiting for that.
In practice, it just requires hardware with limited functionality and physical security — hardware security modules exist.
An HSM-analogue for ML would be a piece of hardware that can have model weights loaded into its nonvolatile memory, can perform inference, but doesn’t provide a way to get the weights out. (If it’s secure enough against physical attack, it could also be used to run closed models on a user’s premises, etc.; there might be a market for that.)
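An added sketch of the two ideas above (not code from either commenter): weights that are only useful with a key that never leaves the device, and a device interface that exposes inference but no weight export. It assumes a toy one-neuron dot-product "model" and uses AES-GCM sealing as a stand-in for the hardware boundary; in a real HSM-analogue the key and the inference path would live in tamper-resistant hardware, whereas here the unexported `key` field is only a software model of that boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// SealedModel models the HSM-analogue: weights enter once, are kept only in
// sealed (AEAD-encrypted) form, and the only exposed operation is Infer.
// The key is never returned by any method (software model of the boundary).
type SealedModel struct {
	key    []byte
	sealed []byte // nonce || ciphertext+tag: all a copier of the storage sees
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSealedModel generates a fresh device key and seals the weights under it.
func NewSealedModel(weights []float32) (*SealedModel, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, 4*len(weights))
	for i, w := range weights {
		binary.LittleEndian.PutUint32(plain[4*i:], math.Float32bits(w))
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedModel{key: key, sealed: aead.Seal(nonce, nonce, plain, nil)}, nil
}

// unseal decrypts the weights; it is unexported so only Infer can reach them.
func (m *SealedModel) unseal() ([]float32, error) {
	aead, err := newAEAD(m.key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(m.sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	plain, err := aead.Open(nil, m.sealed[:ns], m.sealed[ns:], nil)
	if err != nil {
		return nil, err // tampered blob or wrong key: authentication fails
	}
	w := make([]float32, len(plain)/4)
	for i := range w {
		w[i] = math.Float32frombits(binary.LittleEndian.Uint32(plain[4*i:]))
	}
	return w, nil
}

// Infer runs the toy model (a dot product) without ever returning weights.
func (m *SealedModel) Infer(x []float32) (float32, error) {
	w, err := m.unseal()
	if err != nil {
		return 0, err
	}
	if len(w) != len(x) {
		return 0, errors.New("input length mismatch")
	}
	var acc float32
	for i := range w {
		acc += w[i] * x[i]
	}
	return acc, nil
}

// Export is what copying the device's nonvolatile storage yields: the sealed blob only.
func (m *SealedModel) Export() []byte { return append([]byte(nil), m.sealed...) }

// OpenWithoutKey shows the copied blob is useless without the device key:
// decryption under any other key fails GCM authentication.
func OpenWithoutKey(blob, guessedKey []byte) error {
	aead, err := newAEAD(guessedKey)
	if err != nil {
		return err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return errors.New("blob too short")
	}
	_, err = aead.Open(nil, blob[:ns], blob[ns:], nil)
	return err
}

func main() {
	m, _ := NewSealedModel([]float32{1, 2, 3}) // constructed sample weights
	y, _ := m.Infer([]float32{1, 1, 1})
	fmt.Println("inference:", y)
	fmt.Println("copied blob opens with a guessed key:", OpenWithoutKey(m.Export(), make([]byte, 32)) == nil)
}
```

The point of the sketch is where the trust sits: everything an adversary can copy (`Export`) is ciphertext, and the only way to turn it back into weights runs through `Infer`, which is the one capability the device grants. That is the "just don't give it the secret keys" framing made concrete; what the software model cannot do is stop someone with the process memory or the physical chip from reading `key`, which is exactly the gap hardware security modules exist to close.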
Indeed! I was very close to writing a whole bit about TEEs, enclaves, and PUFs in my last comment, but I figured that it also boils down to “just don’t give it permission” so I left it out. I actually think designing secure hardware is incredibly interesting and there will probably be an increase in demand for secure computing environments and data provenance in the near future.