We can say something like: for any fixed sequence of prediction problems, the predictions made by a particular ML algorithm are nearly as good as if we had used the optimal predictor from some class (with appropriate qualifiers), and in particular as good as if we had set the weights of all adversarial users to 0. There is no real threat model.
The blog post really didn’t come with a claim about security; I didn’t even note the above fact while writing the blog post. I pointed it out in response to the question “Why do you think ML would withstand a determined adversary here?” The blog post did come with a claim about “I think this will eventually work well,” and in discussion “I think we can just try it and see.” This was partly motivated by the observation that the setting is low stakes and the status quo implementations are pretty insecure.
(I’m clarifying because I will be somewhat annoyed if this blog post and discussion are later offered as evidence about my inability to think accurately about security, which seems plausible given the audience. I would not be annoyed if it was used as evidence that I am insufficiently attentive to security issues when thinking about improvements to stuff on the internet, though I’m not yet convinced of that given the difference between generating ideas and implementing step 2: “Spend another 5-10 hours searching for other problems and considerations.”)
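As an added illustration of the regret claim in the comment above (not part of the original post, and not the author's code), here is a small simulation of the Hedge / multiplicative-weights algorithm with constructed users as "experts". Two users are honest with different accuracy, one is always wrong, and one is a turncoat that builds up reputation and then starts lying. The scenario, the labels and the user behaviours are all constructed here; the bound checked is the standard Hedge guarantee that the algorithm's cumulative loss is within sqrt(T ln N / 2) of the best single expert, which is what makes the adversarial users' weights irrelevant in the limit.

```python
import math


def hedge(expert_predictions, labels, eta):
    """Run Hedge (exponential weights) over T rounds.

    expert_predictions[t][i] is expert i's prediction in [0, 1] at round t,
    labels[t] is the true outcome in {0, 1}. Loss is absolute error, which is
    convex, so the loss of the weighted-average prediction is at most the
    weighted average of the experts' losses and the usual regret bound applies.
    Returns (algorithm_loss, per_expert_loss, final_normalized_weights).
    """
    n = len(expert_predictions[0])
    weights = [1.0] * n
    alg_loss = 0.0
    expert_loss = [0.0] * n
    for preds, y in zip(expert_predictions, labels):
        total = sum(weights)
        p = sum(w * x for w, x in zip(weights, preds)) / total
        alg_loss += abs(p - y)
        for i, x in enumerate(preds):
            loss = abs(x - y)
            expert_loss[i] += loss
            # Multiplicative update: every wrong answer shrinks that expert's weight.
            weights[i] *= math.exp(-eta * loss)
    total = sum(weights)
    return alg_loss, expert_loss, [w / total for w in weights]


def tuned_eta(T, n):
    """Learning rate that minimizes the Hedge bound ln(n)/eta + eta*T/8."""
    return math.sqrt(8.0 * math.log(n) / T)


def regret_bound(T, n):
    """Regret guarantee of Hedge with tuned_eta: sqrt(T ln n / 2)."""
    return math.sqrt(T * math.log(n) / 2.0)


def make_scenario(T=300):
    """Constructed data: a deterministic label sequence and four users.

    0: honest, wrong every 10th round; 1: honest, wrong every 4th round;
    2: adversary that is always wrong; 3: turncoat, perfect for the first
    100 rounds, then always wrong.
    """
    labels = [1 if t % 3 else 0 for t in range(T)]
    preds = []
    for t, y in enumerate(labels):
        flip = 1 - y
        preds.append([
            flip if t % 10 == 0 else y,
            flip if t % 4 == 0 else y,
            flip,
            y if t < 100 else flip,
        ])
    return preds, labels


def simulate(T=300):
    """Compare Hedge over all users with Hedge over the honest users only."""
    preds, labels = make_scenario(T)
    n = len(preds[0])
    eta = tuned_eta(T, n)
    loss_all, expert_loss, final_w = hedge(preds, labels, eta)
    # "Set the weights of adversarial users to 0": drop experts 2 and 3 entirely.
    honest_only = [row[:2] for row in preds]
    loss_honest, _, _ = hedge(honest_only, labels, eta)
    return {
        "loss_all": loss_all,
        "loss_honest_only": loss_honest,
        "best_expert_loss": min(expert_loss),
        "expert_loss": expert_loss,
        "bound": regret_bound(T, n),
        "final_weights": final_w,
    }


if __name__ == "__main__":
    r = simulate()
    print("best single user loss :", r["best_expert_loss"])
    print("hedge, all users      :", round(r["loss_all"], 2))
    print("hedge, honest only    :", round(r["loss_honest_only"], 2))
    print("regret bound          :", round(r["bound"], 2))
    print("final weights         :", [f"{w:.2e}" for w in r["final_weights"]])
```

The point to look at is the final weight vector: the always-wrong user and the turncoat end with negligible weight, and the algorithm's total loss stays within the bound of the best honest user whether or not the adversaries are present. The caveat the comment itself notes still applies: this is a guarantee about prediction quality against a fixed sequence, not a threat model for the surrounding system.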