This week, AI-generated audio recordings interfere with elections in New Hampshire and local politics in New York; what can be done about deepfake audio calls; and OpenAI (barely) enforces its election policies.
Election malarkey in New Hampshire and New York
Earlier this week in New Hampshire, some voters received phone calls from an AI-generated voice of Joe Biden, instructing them to “save” their vote for the general election in November – apparently attempting to suppress primary turnout in the state. Meanwhile, in New York, an (ostensibly) AI-generated audio clip circulated of a Democratic political boss in Harlem disparaging another Assemblymember. We didn’t expect to test our 2024 AI election predictions just one week into the primaries, but here we are.
We’ve written plenty about the unique dangers of and lack of solutions to deepfake audio. Now that the threat has become real, we’ll take a deeper dive into why deepfake audio distributed over the phone system is so hard to stop.
Many researchers believe that detecting any kind of synthetic content will be extraordinarily difficult or impossible, and solutions like watermarks for generated images and video will be imperfect at best. Audio is even harder. Even if watermarking or other detection methods could be applied to synthetic audio, telecom providers lack the legal authority to “listen in” on the content of phone calls and intervene. Other techniques must be used to stem the tide of suspicious or fraudulent media – regardless of whether or not the audio is AI-generated. Namely:
Identity verification and reputation scoring: solutions that rely on authenticating a sender as a trusted party and distributor of information, like verified accounts on Facebook and Instagram.
Collaborative filtering: aggregating individual reports to help make filtering decisions. Think of the inputs to email spam filtering (once a few people flag something as suspicious, the sender or similar content is automatically shunted to spam for everyone else) or community notes on Twitter/X.
While these types of solutions can work well for online distribution platforms like email and social media platforms, they do not currently work for the telecom system.
The phone system has struggled with identity for decades; for many years, caller ID could be spoofed with a cheap box purchased from the back of hacker magazines. Five years ago, in response to increasing public frustration with robocalls, Congress passed the TRACED Act nearly unanimously and President Trump quickly signed it into law. The law gave the Federal Communications Commission (FCC) the authority to mandate a framework called STIR/SHAKEN that would give telephone carriers the information needed to block robocalls from suspicious sources and end the scourge of caller identity spoofing.
Many years and countless implementation deadlines later, STIR/SHAKEN hasn’t lived up to its promise. First, the protocol is unevenly implemented amongst the hundreds of “voice service providers” involved in connecting phone calls. That means that an attacker can exploit the weakest link in the system to spoof someone’s number, which apparently happened in New Hampshire – the calls appeared to come from the cell phone of the main Democratic party organizer of the Biden write-in effort in the state.
Second, even if the telephone carriers eventually succeed in stamping out caller ID spoofing, there are plenty of ways to easily generate thousands of bogus political calls. STIR/SHAKEN doesn’t actually do any identity verification – it just relies on “attestations” by companies that connect calls into the network that they are in fact doing an identity check. Even the most technologically sophisticated communication companies, like Twilio, cannot prevent their resellers from signing up fraudsters – which is why last year, in a highly public enforcement action, the FCC blamed Twilio for initiating illegal “homeowner benefit” calls and threatened to shut down all of Twilio’s voice traffic.
Third, industry efforts around call blocking are designed to shut down and prosecute shady voice providers or individual malicious callers after a pattern of bad behavior, not in real time. For example, last year after an initial warning, it took the FCC three months to shut down a spammy voice provider. Enforcement time measured in weeks or months is far too long to deal with a real-time political robocall attack happening on or right before election day. Phone carriers don’t generally collect individual subscriber reports about fraudulent calls themselves (unlike text messages), so they are unable to implement Gmail-style collaborative filtering to stop threats within minutes or hours.
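The Gmail-style collaborative filtering described above, applied to subscriber reports about calls (an added example, not code from any carrier or app): a caller ID is blocked once enough distinct subscribers report it within a sliding time window. The class name, threshold, window length and sample reports are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class ReportFilter:
    """Block a caller once enough distinct subscribers report it within a window."""

    def __init__(self, threshold=3, window_s=900):
        self.threshold = threshold          # distinct reporters needed (assumed value)
        self.window_s = window_s            # sliding window in seconds (assumed value)
        self.reports = defaultdict(deque)   # caller -> deque of (ts, reporter)
        self.blocked = {}                   # caller -> time the block took effect

    def report(self, ts, reporter, caller):
        """Record one subscriber report; return True if the caller is now blocked."""
        q = self.reports[caller]
        q.append((ts, reporter))
        # Expire reports that have fallen out of the window.
        while q and q[0][0] <= ts - self.window_s:
            q.popleft()
        # Count distinct reporters so one subscriber cannot trigger a block alone.
        if caller not in self.blocked and len({r for _, r in q}) >= self.threshold:
            self.blocked[caller] = ts
        return caller in self.blocked

    def should_block(self, caller):
        return caller in self.blocked

# Constructed sample: (seconds since start, reporting subscriber, caller ID shown)
SAMPLE_REPORTS = [
    (0,    "sub-01", "+16035550100"),
    (30,   "sub-01", "+16035550100"),   # same reporter again, counts once
    (120,  "sub-02", "+16035550100"),
    (200,  "sub-07", "+16035550142"),   # unrelated single complaint
    (410,  "sub-03", "+16035550100"),   # third distinct reporter, block takes effect
    (5000, "sub-09", "+16035550142"),   # outside the window of the earlier report
]

def replay(reports, **kw):
    """Feed reports in time order through a fresh filter and return it."""
    f = ReportFilter(**kw)
    for ts, reporter, caller in reports:
        f.report(ts, reporter, caller)
    return f

if __name__ == "__main__":
    for caller, ts in replay(SAMPLE_REPORTS).blocked.items():
        print(f"{caller} blocked at t={ts}s")
```

Because the key is the displayed caller ID, this filter inherits the spoofing weakness described earlier: the block lands on whichever number the call claimed to come from.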
Perhaps the best chance to prevent fraudulent AI robocalls in real time lies with the major smartphone operating system companies – Apple and Google. Both iOS and Android let users install third-party applications, like Truecaller, that connect to live databases of untrusted callers. These modern approaches are much more adept at identifying and blocking threats. With increased penetration amongst smartphone users and more aggressive blocking enforced during an election, we could see such attacks blunted for a large percentage of the population. That won’t solve the problem of fraudulent calls to landline subscribers, who still represent a quarter of Americans, but it would dampen the overall impact.
Dean Phillips’ Super PAC forces OpenAI to enforce its political policies
The first test of OpenAI’s new prohibition on political use cases came just days after the company released its plan for the 2024 elections, when it suspended the developer of a bot supporting Dean Phillips for President. A few takeaways:
OpenAI isn’t doing a very good job enforcing its policies. OpenAI banned Dean Bot a day after the Washington Post reported on its existence, catching it only because of the press coverage. That the Super PAC behind the bot was created by an early OpenAI employee and that it was used for a highly visible presidential campaign is particularly embarrassing. It’s fair to assume that there are plenty of campaigns, political organizations, and malicious actors using the technology undetected.
Developers are already moving to open-source models. Last week, we wrote about this shift as the inevitable path for political AI, and the Dean Bot developers wasted no time pivoting to this approach, noting that they would be moving to an open-source model. There are plenty of options – Meta’s Llama2 is on par with GPT-3.5, which is more than enough power to answer voter questions about a presidential candidate.
Political use cases don’t have to be nefarious. Dean Bot was a benign and perhaps even ideal use of AI, featuring clear disclosures of its bot-ness and offering only explanatory information about Phillips to voters who opted in.
Following the 2016 election, Google and Facebook didn’t ban political advertising but instead put in place restrictions and transparency measures. These included public libraries of political actors’ creative, spending, and targeting, open to the public and to researchers, who continue to use them years later to keep tabs on what is happening in the political and media ecosystem.
The Dean Bot saga may be quickly forgotten. However, the episode demonstrates that while OpenAI may have banned politics, political AI won’t disappear. Instead, it’ll move to harder-to-track platforms. OpenAI’s policies may reduce its own political and brand risk, but could be a net negative for transparency in the space.
Of Note
Campaigns, Elections and Governance
OpenAI’s Altman discussed chip-making venture with members of Congress (The Washington Post)
A Fight Over a Fishing Regulation Could Help Tear Down the Administrative State (The New York Times)
Seeing a viral pro-Biden TikTok? A PAC might have paid for it. (Politico)
How the United States Can Set International Norms for Military Use of AI (Lawfare)
Washington takes aim at facial recognition (Politico)
Text of EU AI Act leaked, amid debate over the timeline for final approval (Tech Monitor)
Uber to counter California’s labor muscle with $30M political spend (Politico)
New Russian Disinformation Campaigns Prove the Past Is Prequel (Lawfare)
States turn their attention to regulating AI and deepfakes as 2024 kicks off (NBC News)
Technology
X can’t stop spread of explicit, fake AI Taylor Swift images (ArsTechnica)
Most Top News Sites Block AI Bots. Right-Wing Media Welcomes Them (Wired)
Facebook made a major change after years of PR disasters, and news sites are paying the price (CNBC)
Winner of Japan’s Top Literary Prize Admits She Used ChatGPT (Vice)