Blameless Users in a Clean Room: Defining Copyright Protection for Generative Models

Aloni Cohen

TL;DR

The paper challenges the notion that near access-freeness (NAF) suffices to provably protect copyrights in generative-model outputs. It introduces tainted models and shows NAF can still enable verbatim copying, then presents blameless copy protection as a framework that safeguards users who do not induce infringement, instantiated via clean-room copy protection. By formalizing a scrub-based data removal mechanism and linking differential privacy to clean-room guarantees under golden dataset assumptions, the authors derive concrete bounds on copying risk and discuss practical implications, including an indemnification approach for copyright liability. The work advances a mathematically grounded path toward reliable, deployment-time protections for blameless users, while acknowledging the substantial data and policy challenges ahead.

Abstract

Are there any conditions under which a generative model's outputs are guaranteed not to infringe the copyrights of its training data? This is the question of "provable copyright protection" first posed by Vyas, Kakade, and Barak (ICML 2023). They define near access-freeness (NAF) and propose it as sufficient for protection. This paper revisits the question and establishes new foundations for provable copyright protection -- foundations that are firmer both technically and legally. First, we show that NAF alone does not prevent infringement. In fact, NAF models can enable verbatim copying, a blatant failure of copy protection that we dub being tainted. Then, we introduce our blameless copy protection framework for defining meaningful guarantees, and instantiate it with clean-room copy protection. Clean-room copy protection allows a user to control their risk of copying by behaving in a way that is unlikely to copy in a counterfactual clean-room setting. Finally, we formalize a common intuition about differential privacy and copyright by proving that DP implies clean-room copy protection when the dataset is golden, a copyright deduplication requirement.

Paper Structure

This paper contains 41 sections, 14 theorems, 27 equations, 1 table, 3 algorithms.

Key Result

Theorem 3.3

Let $p$ be the model returned by $\mathsf{CP}$ (Algorithm alg:cp in Appendix app:NAF), and $q_1$ and $q_2$ be the models returned by $\mathsf{sharded\hbox{-}safe}$. Let $k_x \le -\log\bigl(1-d_{\mathrm {TV}}\bigl(q_1(\cdot|x), q_2(\cdot|x)\bigr)\bigr)$. Then $p$ is $k_x$-NAF for $x$ with respect to
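A numerical check of the bound in Theorem 3.3, as an added example that is not from the paper or this page. It assumes $\mathsf{CP}$ is the min-of-two-models construction of Vyas, Kakade, and Barak, $p(y|x) \propto \min(q_1(y|x), q_2(y|x))$, that $k_x$-NAF bounds the max KL divergence (Definition 3.1) from $p$ to each $q_i$, and natural logarithms; the two distributions are constructed toy values.

```python
import math

# Constructed toy conditionals for one prompt x (not from the paper).
# Q1 puts mass on an output that Q2 never produces.
Q1 = {"y_shard1_only": 0.6, "y_a": 0.3, "y_b": 0.1}
Q2 = {"y_a": 0.5, "y_b": 0.5}

def total_variation(q1, q2):
    """d_TV between two discrete distributions given as {outcome: prob}."""
    support = set(q1) | set(q2)
    return 0.5 * sum(abs(q1.get(y, 0.0) - q2.get(y, 0.0)) for y in support)

def cp_min(q1, q2):
    """Assumed CP construction: p(y) = min(q1(y), q2(y)) / Z."""
    support = set(q1) | set(q2)
    overlap = {y: min(q1.get(y, 0.0), q2.get(y, 0.0)) for y in support}
    z = sum(overlap.values())  # equals 1 - d_TV(q1, q2)
    if z == 0.0:
        # Disjoint supports: p is undefined and the bound is infinite.
        raise ValueError("q1 and q2 share no outcome")
    return {y: m / z for y, m in overlap.items() if m > 0.0}

def max_kl(p, q):
    """Max KL divergence: largest log(p(y)/q(y)) over the support of p."""
    worst = -math.inf
    for y, py in p.items():
        qy = q.get(y, 0.0)
        if qy == 0.0:
            return math.inf
        worst = max(worst, math.log(py / qy))
    return worst

def naf_bound(q1, q2):
    """Right-hand side of the theorem: -log(1 - d_TV(q1, q2))."""
    tv = total_variation(q1, q2)
    return math.inf if tv >= 1.0 else -math.log(1.0 - tv)

if __name__ == "__main__":
    p = cp_min(Q1, Q2)
    print("p          :", p)
    print("d_TV       :", total_variation(Q1, Q2))
    print("bound k_x  :", naf_bound(Q1, Q2))
    print("maxKL(p,q1):", max_kl(p, Q1))
    print("maxKL(p,q2):", max_kl(p, Q2))
```

In this toy case the bound is met with equality against `Q1` and is loose against `Q2`; the more the two models disagree on $x$, the larger $d_{\mathrm{TV}}$ and the weaker the resulting $k_x$.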

Theorems & Definitions (47)

  • Definition 2.1: $\mathsf{SubSim}$
  • Definition 2.2: $\mathsf{ideas}$
  • Definition 3.1: Max KL divergence
  • Definition 3.2: $k_x$-NAF (Vyas, Kakade, and Barak, 2023)
  • Theorem 3.3: Copy Protection algorithm (Vyas, Kakade, and Barak, 2023)
  • Theorem 3.4
  • Theorem 3.5
  • Definition 4.1: User's output distribution
  • Definition 5.1: Tainted training
  • Example 5.2
  • ...and 37 more