I imagine, if I were running the self-driving car company, one thing I might try in order to prevent this sort of thing is to record video, build a simulation of current street conditions, and constantly run lots of simulated cars through it. Any time a simulated car hits a simulated kid, shut the real-world cars down for a bit and call in the mech interp folks to figure out why.
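To make that concrete, here is a minimal sketch of such a deployment gate in Python. Everything in it is hypothetical: `RecordedScenario`, `deployment_gate`, and the collision probabilities are stand-ins for a real simulator and planning stack, and the rollout just samples a synthetic outcome for illustration.

```python
import random
from dataclasses import dataclass

@dataclass
class Outcome:
    hit_pedestrian: bool

class RecordedScenario:
    """Stand-in for a street scene reconstructed from recorded video (hypothetical)."""

    def __init__(self, name, collision_rate):
        self.name = name
        self.collision_rate = collision_rate  # chance that one rollout ends in a collision

    def rollout(self, planner):
        # A real simulator would step the planner through the reconstructed scene;
        # here we just sample a synthetic outcome for illustration.
        return Outcome(hit_pedestrian=random.random() < self.collision_rate)

def deployment_gate(planner, scenarios, rollouts_per_scenario=1000):
    """Return the names of scenarios whose simulated rollouts ever hit a pedestrian.

    An empty list means the real-world fleet keeps driving; a non-empty list
    means we pause it and hand the failing scenarios to the interpretability team.
    """
    failures = []
    for scenario in scenarios:
        for _ in range(rollouts_per_scenario):
            if scenario.rollout(planner).hit_pedestrian:
                failures.append(scenario.name)
                break
    return failures

if __name__ == "__main__":
    scenarios = [
        RecordedScenario("school-crossing", collision_rate=0.001),
        RecordedScenario("empty-highway", collision_rate=0.0),
    ]
    failures = deployment_gate(planner=None, scenarios=scenarios)
    if failures:
        print("Pause the fleet and escalate:", failures)
    else:
        print("No simulated collisions; keep driving.")
```

The point is only the shape of the loop: replay recorded scenes against the current driving stack, and treat even one simulated pedestrian collision as sufficient reason to pause the real-world fleet.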
Meanwhile in the real world, we should probably not allow arbitrary data to be displayed on highway billboards without at least a modicum of human review. For instance, putting QR codes on highway billboards invites drivers to pick up their phones and try to scan them, which is illegal in the state of California.
It is possible that adversarial images would appear innocuous to the human eye while still having a strong effect on the model.
If so, I think any hope of human review stopping this sort of thing is gone, for we cannot hope to run image forensics on every public surface.
However, I am not sure whether adversarial examples can stay that invisible in a real-world setting without the perturbation getting smothered by sensor noise. If it does get smothered, an attacker would need adversarial examples that are robust to sensor noise.
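If I wanted to sanity-check that worry, a rough way would be to measure how often a given perturbation still flips the model's decision once simulated sensor noise is added on top. The sketch below does this with a toy two-class linear model, Gaussian noise, and a crude sign-based perturbation; the names (`survives_sensor_noise`), the noise level, and the model are all my own illustrative assumptions, not anyone's real perception stack.

```python
import numpy as np

def survives_sensor_noise(model_logits, image, perturbation,
                          noise_std=0.02, trials=200, target_class=1):
    """Estimate how often a perturbation still fools the model once Gaussian
    sensor noise is layered on top of it. `model_logits` is any function
    mapping an image array to class logits."""
    fooled = 0
    for _ in range(trials):
        noisy = image + perturbation + np.random.normal(0.0, noise_std, image.shape)
        noisy = np.clip(noisy, 0.0, 1.0)  # a camera's output stays in [0, 1]
        if np.argmax(model_logits(noisy)) == target_class:
            fooled += 1
    return fooled / trials

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    W = rng.normal(size=(2, 64))              # toy two-class linear "perceiver"
    model = lambda x: W @ x
    image = rng.uniform(0.3, 0.7, size=64)    # a benign "scene"
    # A crude, visually small perturbation nudging the logits toward class 1.
    # A real attacker would optimize this against the noise distribution itself.
    perturbation = 0.03 * np.sign(W[1] - W[0])
    rate = survives_sensor_noise(model, image, perturbation)
    print(f"fooling rate under simulated sensor noise: {rate:.2f}")
```

A determined attacker would optimize the perturbation against the noise distribution directly (the "expectation over transformations" approach used for physically robust adversarial examples), so a low fooling rate from a check like this is only weak evidence of safety.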