Jump to content

Artificial intelligence

From Consumer_Action_Taskforce
Revision as of 07:28, 28 January 2025 by Kirb (talk | contribs) (+AI cat)

Artificial intelligence (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of ChatGPT, large language model (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more "intelligent" LLMs. Also a significant focus are text-to-image models, which "draw" an image using written instructions, and text-to-video models, which extend the text-to-image concept across several smooth video frames.

Generative artificial intelligence models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial "knowledge" of a topic. The artificial nature may cause hallucination through confidently-written, but mostly or entirely incorrect, output.

The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.[1]

Unethical website scraping

While "mainstream" companies such as OpenAI, Anthropic, and Meta appear to correctly follow industry-standard practice for web crawlers, others ignore them, causing distributed denial of service attacks which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.

Ethical website scrapers, known as "spiders" that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow robots.txt, a text file found at the root of a domain that indicates:

  • Paths bots are allowed to index
  • Paths bots should not index
  • How long the bot should wait in between requests to the server, to reduce load
  • The sitemap of the website's content

These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the robots meta tag to control use of their output.

While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website's wishes. It is additionally standard practice, but in no way enforced, that bots use a User-Agent header to uniquely identify itself. This allows a website operator to observe a bot's traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in its traffic.

Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (/), working its way through an exponentially growing list of links as it finds them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.

Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as ChatGPT-User rather than its standard OpenAI when it uses the "search the web" command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a "spider", but rather a "user agent" (like a web browser), when called upon by a user's request.[2]

Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is in a clear attempt to bypass IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error (5xx), or warnings that the client needs to slow down (429 Too Many Requests) or has been entirely blocked (403 Forbidden).

Effect on users

To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:

  • Bot check walls: The user may be required to pass a security check "wall". While usually automatic for the user, this can affect legitimate bots. When a website protection service such as Cloudflare is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is "Google Sorry", a CAPTCHA wall frequently seen when using Google Search via a VPN.
  • Login walls: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is YouTube's "Sign in to confirm you're not a bot" messages.
  • JavaScript requirement: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to "insert" the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.
  • IP address blocking: Blocking IP addresses, especially by blocking entire providers via their autonomous system number, always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.
  • Heuristic blocking: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.

In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.

The need to respond to unethical scraping also further consolidates the web into the control of a few large web application firewall (WAF) services, most notably Cloudflare, as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.

Case studies

Diaspora

On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.[3] Particularly, the project noted that bots had followed links to crawl every individual edit in their MediaWiki instance, causing an exponential increase in the number of unique requests being made.

LVFS

The Linux Vendor Firmware Service (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the fwupd daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.

On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.[4] Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.[5]

LWN.net

On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website LWN.net, made the following post to social.kernel.org:

Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don't identify themselves as bots, and robots.txt is the only thing they *don't* read off the site.

This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I'd even rather be writing about accounting systems than dealing with this cr*p. And it's not just us, of course; this behavior is going to wreck the net even more than it's already wrecked.

He later commented:[6]

We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.

Perplexity AI and news outlets

Perplexity AI, founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.

On 15 June 2024, Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity's posted IP address ranges.[7] Two days later, this was corroborated by WIRED.[8] Perplexity responded by removing its list of IP addresses.

On 27 June 2024, Amazon announced an investigation into Perplexity AI, citing a terms of service clause requiring bots hosted on Amazon Web Services to honor robots.txt:[2]

"AWS's terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms," [AWS spokesperson Patrick] Neighorn said in a statement. "We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports."

The Apple Wiki

The Apple Wiki, a MediaWiki instance that documents internal details of Apple's hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.[9] The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block abusive requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with the more than 280,000 total edits, create an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.

References

  1. https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/
  2. 2.0 2.1 https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/
  3. https://pod.geraspora.de/posts/17342163
  4. https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/
  5. https://mastodon.social/@hughsie/113871373001227969
  6. https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html
  7. https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/
  8. https://www.wired.com/story/perplexity-is-a-bullshit-machine/
  9. https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse
Retrieved from "https://consumerrights.wiki/index.php?title=Artificial_intelligence&oldid=6174"