To Combat Rogue AI, Facebook Pitches 'Radioactive Data'
Facebook scientists have proposed using watermarks to identify when online images are used to train neural networks.

The proposal appears to be aimed, at least in part, at the rise of big data startups such as Clearview AI that scrape publicly available photographs from social networks and other sites and use them for facial recognition, prompting privacy concerns (see: Facial Recognition: Big Trouble With Big Data Biometrics).

Neural networks are a type of machine learning that uses a large set of training data to derive rules for recognizing future patterns (see: What's Artificial Intelligence?).

To detect whether a training set has used Facebook images, a team of the company's researchers has proposed a system for marking those images. "We have developed a new technique to mark the images in a data set so that researchers can determine whether a particular machine learning model has been trained using those images," say Facebook researchers Alexandre Sablayrolles, Matthijs Douze and Hervé Jégou in a blog post.
Radioactive data: tracing through training
Alexandre Sablayrolles, Matthijs Douze, Cordelia Schmid, Hervé Jégou
We want to detect whether a particular image dataset has been used to train a model. We propose a new technique, radioactive data, that makes imperceptible changes to this dataset such that any model trained on it will bear an identifiable mark. The mark is robust to strong variations such as different architectures or optimization methods. Given a trained model, our technique detects the use of radioactive data and provides a level of confidence (p-value). Our experiments on large-scale benchmarks (ImageNet), using standard architectures (ResNet-18, VGG-16, DenseNet-121) and training procedures, show that we can detect usage of radioactive data with high confidence (p < 10^-4) even when only 1% of the data used to train our model is radioactive. Our method is robust to data augmentation and the stochasticity of deep network optimization. As a result, it offers a much higher signal-to-noise ratio than data poisoning and backdoor methods.
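The detection test the abstract describes (a mark that trained models inherit, then a p-value for how strongly a given model aligns with it), as an added toy illustration in Python that is not the paper's code or Facebook's implementation: a fraction of one class's feature vectors is shifted along a secret unit "carrier" direction, a difference-of-means linear classifier stands in for training, and the cosine between its weights and the carrier is compared with the null distribution of a random direction. The feature-space setup, the toy classifier, all numbers (d, eps, fraction, noise level) and the numerical p-value integration are my assumptions; the real method marks the images themselves and trains deep networks.

```python
import math
import random

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def random_carrier(d, rng, avoid):
    # Secret unit carrier direction, orthogonalised against the genuine class
    # direction so the toy mark cannot be confused with it (my assumption).
    v = [rng.gauss(0, 1) for _ in range(d)]
    p = sum(x * a for x, a in zip(v, avoid))
    return unit([x - p * a for x, a in zip(v, avoid)])

def mark(features, carrier, eps, fraction, rng):
    # Radioactive marking (toy): shift a fraction of one class's feature
    # vectors by eps along the carrier; the rest are left untouched.
    return [[x + eps * c for x, c in zip(f, carrier)] if rng.random() < fraction
            else list(f) for f in features]

def train_linear(class0, class1):
    # Toy "training": difference-of-means weight vector for class 1 vs class 0.
    d = len(class0[0])
    m0 = [sum(f[i] for f in class0) / len(class0) for i in range(d)]
    m1 = [sum(f[i] for f in class1) / len(class1) for i in range(d)]
    return [b - a for a, b in zip(m0, m1)]

def cosine_p_value(c, d, steps=20000):
    # One-sided p-value P(cos >= c) for a uniformly random direction in R^d:
    # the cosine's density is proportional to (1 - t^2)^((d-3)/2) on [-1, 1],
    # integrated here with a midpoint rule so no SciPy is needed.
    k = (d - 3) / 2
    def integral(lo, hi):
        h = (hi - lo) / steps
        return h * sum((1 - (lo + (i + 0.5) * h) ** 2) ** k for i in range(steps))
    return integral(c, 1.0) / integral(-1.0, 1.0)

def detect(weights, carrier):
    # Alignment (cosine) of the trained weights with the carrier, and its p-value.
    c = sum(w * u for w, u in zip(unit(weights), carrier))
    return c, cosine_p_value(c, len(carrier))

def demo(seed=0, d=32, n=200):
    # Constructed data: train one clean and one radioactive toy model; return
    # (cosine, p-value) for each. Class 1 differs from class 0 along axis 0.
    rng = random.Random(seed)
    class_dir = [1.0] + [0.0] * (d - 1)
    carrier = random_carrier(d, rng, class_dir)
    c0 = [[rng.gauss(0.0, 0.5) for _ in range(d)] for _ in range(n)]
    c1 = [[rng.gauss(m, 0.5) for m in class_dir] for _ in range(n)]
    clean = detect(train_linear(c0, c1), carrier)
    marked = mark(c1, carrier, eps=5.0, fraction=0.2, rng=rng)  # 20% of class 1
    return clean, detect(train_linear(c0, marked), carrier)
```

Running demo() gives a p-value near uniform for the clean model and a small one for the radioactive model: even with only a fifth of one class marked, the carrier shift is consistent across the marked samples while the feature noise averages out, which is the signal-to-noise argument the abstract makes.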