Black-Box Access is Insufficient for Rigorous AI Audits

Stephen Casper; Carson Ezell; Charlotte Siegmann; Noam Kolt; Taylor Lynn Curtis; Benjamin Bucknall; Andreas Haupt; Kevin Wei; Jérémy Scheurer; Marius Hobbhahn; Lee Sharkey; Satyapriya Krishna; Marvin Von Hagen; Silas Alberti; Alan Chan; Qinyi Sun; Michael Gerovitch; David Bau; Max Tegmark; David Krueger; Dylan Hadfield-Menell

doi:10.1145/3630106.3659037

Black-Box Access is Insufficient for Rigorous AI Audits

Stephen Casper
, Carson Ezell
, Charlotte Siegmann
, Noam Kolt
, Taylor Lynn Curtis
, Benjamin Bucknall
, Andreas Haupt
, Kevin Wei
, Jérémy Scheurer
, Marius Hobbhahn
, Lee Sharkey
, Satyapriya Krishna
, Marvin Von Hagen
, Silas Alberti
, Alan Chan
, Qinyi Sun
, Michael Gerovitch
, David Bau
, Max Tegmark
, David Krueger

Dylan Hadfield-Menell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

47 Scopus citations

Abstract

External audits of AI systems are increasingly recognized as a key mechanism for AI governance. The effectiveness of an audit, however, depends on the degree of access granted to auditors. Recent audits of state-of-the-art AI systems have primarily relied on black-box access, in which auditors can only query the system and observe its outputs. However, white-box access to the system's inner workings (e.g., weights, activations, gradients) allows an auditor to perform stronger attacks, more thoroughly interpret models, and conduct fine-tuning. Meanwhile, outside-the-box access to training and deployment information (e.g., methodology, code, documentation, data, deployment details, findings from internal evaluations) allows auditors to scrutinize the development process and design more targeted evaluations. In this paper, we examine the limitations of black-box audits and the advantages of white- and outside-the-box audits. We also discuss technical, physical, and legal safeguards for performing these audits with minimal security risks. Given that different forms of access can lead to very different levels of evaluation, we conclude that (1) transparency regarding the access and methods used by auditors is necessary to properly interpret audit results, and (2) white- and outside-the-box access allow for substantially more scrutiny than black-box access alone.

Original language	English
Title of host publication	2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024
Publisher	Association for Computing Machinery, Inc
Pages	2254-2272
Number of pages	19
ISBN (Electronic)	9798400704505
DOIs	https://doi.org/10.1145/3630106.3659037
State	Published - 3 Jun 2024
Externally published	Yes
Event	2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024 - Rio de Janeiro, Brazil Duration: 3 Jun 2024 → 6 Jun 2024

Publication series

Name	2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024

Conference

Conference	2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024
Country/Territory	Brazil
City	Rio de Janeiro
Period	3/06/24 → 6/06/24

Bibliographical note

Publisher Copyright:
© 2024 Owner/Author.

Keywords

Adversarial Attacks
Auditing
Black-Box Access
Evaluation
Explainability
Fairness
Fine-Tuning
Governance
Interpretability
Policy
Regulation
Risk
White-Box Access

Access to Document

10.1145/3630106.3659037

Cite this

Casper, S., Ezell, C., Siegmann, C., Kolt, N., Curtis, T. L., Bucknall, B., Haupt, A., Wei, K., Scheurer, J., Hobbhahn, M., Sharkey, L., Krishna, S., Von Hagen, M., Alberti, S., Chan, A., Sun, Q., Gerovitch, M., Bau, D., Tegmark, M., ... Hadfield-Menell, D. (2024). Black-Box Access is Insufficient for Rigorous AI Audits. In 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024 (pp. 2254-2272). (2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024). Association for Computing Machinery, Inc. https://doi.org/10.1145/3630106.3659037

@inproceedings{99a0de7edec447db8106f01a889ffb98,

title = "Black-Box Access is Insufficient for Rigorous AI Audits",

abstract = "External audits of AI systems are increasingly recognized as a key mechanism for AI governance. The effectiveness of an audit, however, depends on the degree of access granted to auditors. Recent audits of state-of-the-art AI systems have primarily relied on black-box access, in which auditors can only query the system and observe its outputs. However, white-box access to the system's inner workings (e.g., weights, activations, gradients) allows an auditor to perform stronger attacks, more thoroughly interpret models, and conduct fine-tuning. Meanwhile, outside-the-box access to training and deployment information (e.g., methodology, code, documentation, data, deployment details, findings from internal evaluations) allows auditors to scrutinize the development process and design more targeted evaluations. In this paper, we examine the limitations of black-box audits and the advantages of white- and outside-the-box audits. We also discuss technical, physical, and legal safeguards for performing these audits with minimal security risks. Given that different forms of access can lead to very different levels of evaluation, we conclude that (1) transparency regarding the access and methods used by auditors is necessary to properly interpret audit results, and (2) white- and outside-the-box access allow for substantially more scrutiny than black-box access alone.",

keywords = "Adversarial Attacks, Auditing, Black-Box Access, Evaluation, Explainability, Fairness, Fine-Tuning, Governance, Interpretability, Policy, Regulation, Risk, White-Box Access",

author = "Stephen Casper and Carson Ezell and Charlotte Siegmann and Noam Kolt and Curtis, \{Taylor Lynn\} and Benjamin Bucknall and Andreas Haupt and Kevin Wei and J{\'e}r{\'e}my Scheurer and Marius Hobbhahn and Lee Sharkey and Satyapriya Krishna and \{Von Hagen\}, Marvin and Silas Alberti and Alan Chan and Qinyi Sun and Michael Gerovitch and David Bau and Max Tegmark and David Krueger and Dylan Hadfield-Menell",

note = "Publisher Copyright: {\textcopyright} 2024 Owner/Author.; 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024 ; Conference date: 03-06-2024 Through 06-06-2024",

year = "2024",

month = jun,

day = "3",

doi = "10.1145/3630106.3659037",

language = "אנגלית",

series = "2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024",

publisher = "Association for Computing Machinery, Inc",

pages = "2254--2272",

booktitle = "2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024",

}

Casper, S, Ezell, C, Siegmann, C, Kolt, N, Curtis, TL, Bucknall, B, Haupt, A, Wei, K, Scheurer, J, Hobbhahn, M, Sharkey, L, Krishna, S, Von Hagen, M, Alberti, S, Chan, A, Sun, Q, Gerovitch, M, Bau, D, Tegmark, M, Krueger, D & Hadfield-Menell, D 2024, Black-Box Access is Insufficient for Rigorous AI Audits. in 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024. 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024, Association for Computing Machinery, Inc, pp. 2254-2272, 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024, Rio de Janeiro, Brazil, 3/06/24. https://doi.org/10.1145/3630106.3659037

Black-Box Access is Insufficient for Rigorous AI Audits. / Casper, Stephen; Ezell, Carson; Siegmann, Charlotte et al.
2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024. Association for Computing Machinery, Inc, 2024. p. 2254-2272 (2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Black-Box Access is Insufficient for Rigorous AI Audits

AU - Casper, Stephen

AU - Ezell, Carson

AU - Siegmann, Charlotte

AU - Kolt, Noam

AU - Curtis, Taylor Lynn

AU - Bucknall, Benjamin

AU - Haupt, Andreas

AU - Wei, Kevin

AU - Scheurer, Jérémy

AU - Hobbhahn, Marius

AU - Sharkey, Lee

AU - Krishna, Satyapriya

AU - Von Hagen, Marvin

AU - Alberti, Silas

AU - Chan, Alan

AU - Sun, Qinyi

AU - Gerovitch, Michael

AU - Bau, David

AU - Tegmark, Max

AU - Krueger, David

AU - Hadfield-Menell, Dylan

PY - 2024/6/3

Y1 - 2024/6/3

N2 - External audits of AI systems are increasingly recognized as a key mechanism for AI governance. The effectiveness of an audit, however, depends on the degree of access granted to auditors. Recent audits of state-of-the-art AI systems have primarily relied on black-box access, in which auditors can only query the system and observe its outputs. However, white-box access to the system's inner workings (e.g., weights, activations, gradients) allows an auditor to perform stronger attacks, more thoroughly interpret models, and conduct fine-tuning. Meanwhile, outside-the-box access to training and deployment information (e.g., methodology, code, documentation, data, deployment details, findings from internal evaluations) allows auditors to scrutinize the development process and design more targeted evaluations. In this paper, we examine the limitations of black-box audits and the advantages of white- and outside-the-box audits. We also discuss technical, physical, and legal safeguards for performing these audits with minimal security risks. Given that different forms of access can lead to very different levels of evaluation, we conclude that (1) transparency regarding the access and methods used by auditors is necessary to properly interpret audit results, and (2) white- and outside-the-box access allow for substantially more scrutiny than black-box access alone.

AB - External audits of AI systems are increasingly recognized as a key mechanism for AI governance. The effectiveness of an audit, however, depends on the degree of access granted to auditors. Recent audits of state-of-the-art AI systems have primarily relied on black-box access, in which auditors can only query the system and observe its outputs. However, white-box access to the system's inner workings (e.g., weights, activations, gradients) allows an auditor to perform stronger attacks, more thoroughly interpret models, and conduct fine-tuning. Meanwhile, outside-the-box access to training and deployment information (e.g., methodology, code, documentation, data, deployment details, findings from internal evaluations) allows auditors to scrutinize the development process and design more targeted evaluations. In this paper, we examine the limitations of black-box audits and the advantages of white- and outside-the-box audits. We also discuss technical, physical, and legal safeguards for performing these audits with minimal security risks. Given that different forms of access can lead to very different levels of evaluation, we conclude that (1) transparency regarding the access and methods used by auditors is necessary to properly interpret audit results, and (2) white- and outside-the-box access allow for substantially more scrutiny than black-box access alone.

KW - Adversarial Attacks

KW - Auditing

KW - Black-Box Access

KW - Evaluation

KW - Explainability

KW - Fairness

KW - Fine-Tuning

KW - Governance

KW - Interpretability

KW - Policy

KW - Regulation

KW - Risk

KW - White-Box Access

UR - https://www.scopus.com/pages/publications/85196675428

U2 - 10.1145/3630106.3659037

DO - 10.1145/3630106.3659037

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85196675428

T3 - 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024

SP - 2254

EP - 2272

BT - 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024

PB - Association for Computing Machinery, Inc

T2 - 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024

Y2 - 3 June 2024 through 6 June 2024

ER -

Casper S, Ezell C, Siegmann C, Kolt N, Curtis TL, Bucknall B et al. Black-Box Access is Insufficient for Rigorous AI Audits. In 2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024. Association for Computing Machinery, Inc. 2024. p. 2254-2272. (2024 ACM Conference on Fairness, Accountability, and Transparency, FAccT 2024). doi: 10.1145/3630106.3659037

Black-Box Access is Insufficient for Rigorous AI Audits

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this