Yeah, logs are definitely another potential exfiltration vector that are worth thinking about.
We focus on output tokens because they are the one channel that cannot be bandwidth capped, as they’re literally the purpose of the data center. In hardened secure environments, you would want to aggressively reduce the bandwidth and entropy of the logs. In practice, I’m not sure how large the “minimum necessary logs” would be compared to inference outputs.
Yeah, I am confident that I’m not the first person to have that thought, logs are a classic channel for data exfiltration by insiders. I very much hope that all of the frontier labs do a better job at reducing the effectiveness of that channel than the abysmal industry standard.
BTW in case it wasn’t obvious I really do think your result is cool, and I expect probably sufficient to close off the token channel as a cost-effective exfiltration channel. You don’t have to outrun the bear, you just have to outrun your hiking partner and all that (“the bear” in this context being “an adversary who wants a frontier model” and “your hiking partner” being “just training their own frontier model, possibly on the outputs of your model”)
Yeah, logs are definitely another potential exfiltration vector that are worth thinking about.
We focus on output tokens because they are the one channel that cannot be bandwidth capped, as they’re literally the purpose of the data center. In hardened secure environments, you would want to aggressively reduce the bandwidth and entropy of the logs. In practice, I’m not sure how large the “minimum necessary logs” would be compared to inference outputs.
Yeah, I am confident that I’m not the first person to have that thought, logs are a classic channel for data exfiltration by insiders. I very much hope that all of the frontier labs do a better job at reducing the effectiveness of that channel than the abysmal industry standard.
BTW in case it wasn’t obvious I really do think your result is cool, and I expect probably sufficient to close off the token channel as a cost-effective exfiltration channel. You don’t have to outrun the bear, you just have to outrun your hiking partner and all that (“the bear” in this context being “an adversary who wants a frontier model” and “your hiking partner” being “just training their own frontier model, possibly on the outputs of your model”)